From 1d49c6165b83d22cdad8192cc34afea7558cc909 Mon Sep 17 00:00:00 2001
From: Eljakim Herrewijnen
Date: Sun, 12 Jan 2025 22:14:25 +0100
Subject: [PATCH] added rom header fuzzer
---
 source/bootrom_emulator/emulator.py | 50 +++++++++++++++++-
 .../fuzz_fastboot_input/getvar | Bin 0 -> 512 bytes
 .../fuzz_fastboot_input/getvar_chipinfo- | Bin 0 -> 512 bytes
 .../fuzz_fastboot_input/getvar_downloadsize | Bin 0 -> 512 bytes
 .../fuzz_fastboot_input/getvar_getchipinfo | Bin 0 -> 512 bytes
 .../fuzz_fastboot_input/getvar_serialno | Bin 0 -> 512 bytes
 .../fuzz_fastboot_input/getvar_version | Bin 0 -> 512 bytes
 .../fuzz_fastboot_input/setkey | Bin 0 -> 512 bytes
 .../fuzz_verifybl_input/fuzz_bl.bin | Bin 0 -> 64 bytes
 source/bootrom_emulator/fuzzer.py | 38 +++++++++++--
 source/bootrom_emulator/run_fuzzer.sh | 1 +
 11 files changed, 82 insertions(+), 7 deletions(-)
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/getvar
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/getvar_chipinfo-
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/getvar_downloadsize
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/getvar_getchipinfo
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/getvar_serialno
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/getvar_version
 create mode 100644 source/bootrom_emulator/fuzz_fastboot_input/setkey
 create mode 100644 source/bootrom_emulator/fuzz_verifybl_input/fuzz_bl.bin
diff --git a/source/bootrom_emulator/emulator.py b/source/bootrom_emulator/emulator.py
index 253cf79..2460a6c 100644
--- a/source/bootrom_emulator/emulator.py
+++ b/source/bootrom_emulator/emulator.py
@@ -3,12 +3,15 @@ from unicorn.arm64_const import *
 from ghidra_assistant.utils.utils import *
 from ghidra_assistant.utils.archs.arm64.arm64_emulator import ARM64UC_Emulator
 from ghidra_assistant.utils.archs.arm64.asm_arm64 import ShellcodeCrafterARM64
-import sys, pathlib
+import sys, pathlib, struct
 from add_memory_maps import *
 from tools import *
 from amlogic_devices import *
 from amlogic_rom_db import *
+def p8(v):
+    return struct.pack("&&$bAOexN+N@W-YBPRp^XR8O- literal 0 HcmV?d00001
diff --git a/source/bootrom_emulator/fuzz_fastboot_input/getvar_getchipinfo b/source/bootrom_emulator/fuzz_fastboot_input/getvar_getchipinfo
new file mode 100644
index 0000000000000000000000000000000000000000..ec4c8be6c85e7325fba9c00ef4724c940500d816
GIT binary patch
literal 512
ecmYdKEh$SZvPw@aNzTYD$jnR2XBY(|C|7oP?p
literal 0
HcmV?d00001
diff --git a/source/bootrom_emulator/fuzz_fastboot_input/getvar_version b/source/bootrom_emulator/fuzz_fastboot_input/getvar_version
new file mode 100644
index 0000000000000000000000000000000000000000..35a93ee19d3887f92c82f0564c2e12d55be53afd
GIT binary patch
literal 512
acmYdKEh$SZvMNh0D$dN$V;BV^ECc{8^z~t&0000*0RbBT
literal 0
HcmV?d00001
diff --git a/source/bootrom_emulator/fuzzer.py b/source/bootrom_emulator/fuzzer.py
index 8091e03..441eef9 100644
--- a/source/bootrom_emulator/fuzzer.py
+++ b/source/bootrom_emulator/fuzzer.py
@@ -1,6 +1,6 @@
 from emulator import *
 import unicornafl
-import argparse
+import argparse, os
 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
@@ -23,7 +23,7 @@ def test_fb_cmd(cmd=b'getvar:version', device="S905X3"):
     res = emulator.run_fastboot_cmd()
     pass
-def afl_fuzzer(device="S905X3"):
+def afl_fuzzer_fastboot(device="S905X3"):
     emulator = Amlogic_Emulator(device=device)
     # emulator.debug = True
@@ -41,7 +41,29 @@ def afl_fuzzer(device="S905X3"):
         emulator.run_fastboot_cmd()
         return 0
-    unicornafl.uc_afl_fuzz_custom(emulator.uc, "input/getvar", _place_fb_command, _run, persistent_iters=1)
+    unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_fastboot_input/getvar", _place_fb_command, _run, persistent_iters=1)
+
+def afl_fuzzer_verifybl(device="S905X3"):
+    emulator = Amlogic_Emulator(device=device)
+    # emulator.debug = True
+
+    def place_bootloader_header(uc, input, persistent_round, data):
+        # hexdump(bytes(input), "input")
+        if len(input) != 0x40:
+            return False
+        # Filter some unsupported commands:
+        if input[:4] == b"@AML":
+            return False
+        emulator = Amlogic_Emulator(device=device)
+        emulator.place_bootloader(input)
+        return True
+
+    def _run(uc, data):
+        emulator.run_check_bootloader_header()
+        return 0
+
+    unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_verifybl_input/fuzz_bl.bin", place_bootloader_header, _run, persistent_iters=1)
+
+
 if __name__ == "__main__":
     # print(sys.argv)
@@ -51,7 +73,6 @@ if __name__ == "__main__":
     # args.add_argument("--input", "-i", help="Input file for crash", default=None)
     # args = args.parse_args()
- # if args.test:
     # test_fb_cmd(device=args.device)
     # print("", flush=True)
@@ -63,4 +84,11 @@ if __name__ == "__main__":
     # else:
     # pass
     # Run AFL
-    afl_fuzzer()
+
+    if os.getenv("AFL_FUZZER") == "verifybl":
+        afl_fuzzer_verifybl()
+    elif os.getenv("AFL_FUZZER") == "fastboot":
+        afl_fuzzer_fastboot()
+    else:
+        print("No AFL fuzzer selected")
+        exit(1)
\ No newline at end of file
diff --git a/source/bootrom_emulator/run_fuzzer.sh b/source/bootrom_emulator/run_fuzzer.sh
index 756541c..0fef6fe 100755
--- a/source/bootrom_emulator/run_fuzzer.sh
+++ b/source/bootrom_emulator/run_fuzzer.sh
@@ -4,6 +4,7 @@ app_name="amlogic"
 target_soc="S922"
 inputs_dir="/fuzz/input/"
 outputs_dir="/fuzz/fuzz_output/${target_soc}"
+export AFL_FUZZER="verifybl"
 # generate screenrc
 tmp_screen_rc="/tmp/screenrc.${app_name}"
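Review bot: In `afl_fuzzer_verifybl`, `place_bootloader_header` rebinds a local `emulator = Amlogic_Emulator(device=device)` before calling `place_bootloader(input)`, so the fuzz case lands in a throw-away instance while `uc_afl_fuzz_custom` is bound to the outer `emulator.uc` and `_run` checks the outer instance; unless `Amlogic_Emulator` shares state between instances (not visible here), every round runs the same unmodified header and the input is never exercised. The smallest fix is to drop that assignment so the callback does `emulator.place_bootloader(input)` on the enclosing instance; if a fresh instance per round is the intent, the fuzz loop would have to be started on that instance's `uc`, which a closure cannot do after the call has begun. Two smaller points in the same callback: `input` shadows the builtin (`header` would read better), and the comment `# Filter some unsupported commands:` sits above a magic check, so `# Reject inputs that start with the @AML magic` would match what the line does. The hunk also opens inside `afl_fuzzer_fastboot`, whose body begins before it.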
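Review bot: The dispatch added at the end of `__main__` reads `AFL_FUZZER` twice and finishes with `exit(1)`, which is the interactive `site` helper rather than `sys.exit`, and the failure message goes to stdout instead of stderr. Read the variable once and make the message actionable: `fuzzer = os.getenv("AFL_FUZZER")`, then `print(f"No AFL fuzzer selected (AFL_FUZZER={fuzzer!r}; expected 'verifybl' or 'fastboot')", file=sys.stderr)` and `sys.exit(1)`; this assumes `sys` reaches this module through `from emulator import *`, which the commented `# print(sys.argv)` suggests but the hunk does not prove. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.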
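Review bot: `export AFL_FUZZER="verifybl"` hard-codes the harness selection in this script, so the `fastboot` harness that fuzzer.py now also dispatches on cannot be chosen without editing the file; `export AFL_FUZZER="${AFL_FUZZER:-verifybl}"` keeps the current default and lets the caller override it, in the same spirit as the `target_soc` variable above it. Separately, fuzzer.py calls `afl_fuzzer_verifybl()` with no device argument, which defaults to `S905X3`, while this script sets `target_soc="S922"`; whether `target_soc` reaches the harness by another route is outside the hunk, so it is worth confirming the two agree.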