added rom header fuzzer

2025-01-12 22:14:25 +01:00
parent 558248ac82
commit 1d49c6165b
11 changed files with 82 additions and 7 deletions
--- a/source/bootrom_emulator/fuzzer.py
+++ b/source/bootrom_emulator/fuzzer.py
@@ -1,6 +1,6 @@
 from emulator import *
 import unicornafl
-import argparse
+import argparse, os

 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
@@ -23,7 +23,7 @@ def test_fb_cmd(cmd=b'getvar:version', device="S905X3"):
    res = emulator.run_fastboot_cmd()
    pass

-def afl_fuzzer(device="S905X3"):
+def afl_fuzzer_fastboot(device="S905X3"):
    emulator = Amlogic_Emulator(device=device)
    # emulator.debug = True

@@ -41,7 +41,29 @@ def afl_fuzzer(device="S905X3"):
        emulator.run_fastboot_cmd()
        return 0
        
-    unicornafl.uc_afl_fuzz_custom(emulator.uc, "input/getvar", _place_fb_command, _run, persistent_iters=1)
+    unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_fastboot_input/getvar", _place_fb_command, _run, persistent_iters=1)
+    
+def afl_fuzzer_verifybl(device="S905X3"):
+    emulator = Amlogic_Emulator(device=device)
+    # emulator.debug = True
+
+    def place_bootloader_header(uc, input, persistent_round, data):
+        # hexdump(bytes(input), "input")
+        if len(input) != 0x40:
+            return False
+        # Filter some unsupported commands:
+        if input[:4] == b"@AML":
+            return False
+        emulator = Amlogic_Emulator(device=device)
+        emulator.place_bootloader(input)
+        return True
+
+    def _run(uc, data):
+        emulator.run_check_bootloader_header()
+        return 0
+        
+    unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_verifybl_input/fuzz_bl.bin", place_bootloader_header, _run, persistent_iters=1)
+    
    
 if __name__ == "__main__":
    # print(sys.argv)
@@ -51,7 +73,6 @@ if __name__ == "__main__":
    # args.add_argument("--input", "-i", help="Input file for crash", default=None)
    
    # args = args.parse_args()
-    
    # if args.test:
    #     test_fb_cmd(device=args.device)
    #     print("", flush=True)
@@ -63,4 +84,11 @@ if __name__ == "__main__":
    # else:
    #     pass
    # Run AFL
-    afl_fuzzer()
+    
+    if os.getenv("AFL_FUZZER") == "verifybl":
+        afl_fuzzer_verifybl()
+    elif os.getenv("AFL_FUZZER") == "fastboot":
+        afl_fuzzer_fastboot()
+    else:
+        print("No AFL fuzzer selected")
+        exit(1)