added rom header fuzzer

2025-01-12 22:14:25 +01:00
parent 558248ac82
commit 1d49c6165b
11 changed files with 82 additions and 7 deletions
--- a/source/bootrom_emulator/emulator.py
+++ b/source/bootrom_emulator/emulator.py
@@ -3,12 +3,15 @@ from unicorn.arm64_const import *
 from ghidra_assistant.utils.utils import *
 from ghidra_assistant.utils.archs.arm64.arm64_emulator import ARM64UC_Emulator
 from ghidra_assistant.utils.archs.arm64.asm_arm64 import ShellcodeCrafterARM64
-import sys, pathlib
+import sys, pathlib, struct
 from add_memory_maps import *
 from tools import *
 from amlogic_devices import *
 from amlogic_rom_db import *

+def p8(v):
+    return struct.pack("<B", v)
+
 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
    
@@ -241,6 +244,10 @@ class Amlogic_Emulator(ARM64UC_Emulator):
        '''
        Hook startup code to continue boot process
        '''
+        # if self.pc == 0xffff3520: # Reboo ttod
+            
+        if self.pc == 0xffff05c4:
+            pass
        if self.enable_trace:
            self.pc_trace.append(hex(self.pc))
        return
@@ -342,8 +349,47 @@ class Amlogic_Emulator(ARM64UC_Emulator):
            self.enable_trace = True
        self.uc.emu_start(self.pc, 0)
        return 0
+    
+    def place_bootloader(self, data=b"\xbb" * 0x40):
+        BL_LOCATION = 0xfffa0000 #0x40 size?
+        OUT_OFFSET = 0xfffa0000 + 0x1000
+        
+        self.uc.mem_write(BL_LOCATION, data)
+        
+    def run_check_bootloader_header(self):
+        BL_LOCATION = 0xfffa0000 #0x40 size?
+        OUT_OFFSET = 0xfffa0000 + 0x1000
+        VERIFY_BL = 0xffff1b2c
+        self.X0 = BL_LOCATION
+        self.X1 = OUT_OFFSET
+        self.pc = VERIFY_BL
+        
+        SOMETHING_WRONG_AND_REBOOT = 0xffff05c4
+        
+        def _hook_something_wrong(uc : Uc, address, size, em : Amlogic_Emulator):
+            if hasattr(em, "debug") and em.debug:
+                em.print_ctx()
+                
+            em.something_wrong = True
+            uc.emu_stop()
+            return True
+        
+        self.uc.hook_add(UC_HOOK_CODE, _hook_something_wrong, self, SOMETHING_WRONG_AND_REBOOT, SOMETHING_WRONG_AND_REBOOT + 1)
+        
+        # self.enable_trace = True
+        self.uc.emu_start(self.pc, 0)
+        return 0

 if __name__ == "__main__":
    device = "S905X3"
    
-    emulator = Amlogic_Emulator()
+    # self.uc.mem_write(BL_LOCATION, b"@AML") # Magic
+    # self.uc.mem_write(BL_LOCATION + 0xa, p8(1)) #unk1
+    # self.uc.mem_write(BL_LOCATION + 0xb, p8(1)) #unk2
+    
+    emulator = Amlogic_Emulator(debug=True)
+    # emulator.place_bootloader(open("fuzz_bl.bin", 'rb').read())
+    d = bytes.fromhex("4f41 4d4f 414d 104d 4c5c 414d 4c4c")
+    d += (0x40 - len(d)) * b"\x00"
+    emulator.place_bootloader(d)
+    emulator.run_check_bootloader_header()