Eljakim/amlogic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added rom header fuzzer

Browse Source
This commit is contained in:
Eljakim Herrewijnen
2025-01-12 22:14:25 +01:00
parent 558248ac82
commit 1d49c6165b
11 changed files with 82 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
source/bootrom_emulator/emulator.py
View File

@@ -3,12 +3,15 @@ from unicorn.arm64_const import *
from ghidra_assistant.utils.utils import * from ghidra_assistant.utils.utils import *
from ghidra_assistant.utils.archs.arm64.arm64_emulator import ARM64UC_Emulator from ghidra_assistant.utils.archs.arm64.arm64_emulator import ARM64UC_Emulator
from ghidra_assistant.utils.archs.arm64.asm_arm64 import ShellcodeCrafterARM64 from ghidra_assistant.utils.archs.arm64.asm_arm64 import ShellcodeCrafterARM64
import sys, pathlib import sys, pathlib, struct
from add_memory_maps import * from add_memory_maps import *
from tools import * from tools import *
from amlogic_devices import * from amlogic_devices import *
from amlogic_rom_db import * from amlogic_rom_db import *
def p8(v):
return struct.pack("<B", v)
ENTRY_POINT = 0xffff0000 ENTRY_POINT = 0xffff0000
STACK_ADDRESS = 0xfffe3800 STACK_ADDRESS = 0xfffe3800
@@ -241,6 +244,10 @@ class Amlogic_Emulator(ARM64UC_Emulator):
''' '''
Hook startup code to continue boot process Hook startup code to continue boot process
''' '''
# if self.pc == 0xffff3520: # Reboo ttod
if self.pc == 0xffff05c4:
pass
if self.enable_trace: if self.enable_trace:
self.pc_trace.append(hex(self.pc)) self.pc_trace.append(hex(self.pc))
return return
@@ -343,7 +350,46 @@ class Amlogic_Emulator(ARM64UC_Emulator):
self.uc.emu_start(self.pc, 0) self.uc.emu_start(self.pc, 0)
return 0 return 0
def place_bootloader(self, data=b"\xbb" * 0x40):
BL_LOCATION = 0xfffa0000 #0x40 size?
OUT_OFFSET = 0xfffa0000 + 0x1000
self.uc.mem_write(BL_LOCATION, data)
def run_check_bootloader_header(self):
BL_LOCATION = 0xfffa0000 #0x40 size?
OUT_OFFSET = 0xfffa0000 + 0x1000
VERIFY_BL = 0xffff1b2c
self.X0 = BL_LOCATION
self.X1 = OUT_OFFSET
self.pc = VERIFY_BL
SOMETHING_WRONG_AND_REBOOT = 0xffff05c4
def _hook_something_wrong(uc : Uc, address, size, em : Amlogic_Emulator):
if hasattr(em, "debug") and em.debug:
em.print_ctx()
em.something_wrong = True
uc.emu_stop()
return True
self.uc.hook_add(UC_HOOK_CODE, _hook_something_wrong, self, SOMETHING_WRONG_AND_REBOOT, SOMETHING_WRONG_AND_REBOOT + 1)
# self.enable_trace = True
self.uc.emu_start(self.pc, 0)
return 0
if __name__ == "__main__": if __name__ == "__main__":
device = "S905X3" device = "S905X3"
emulator = Amlogic_Emulator() # self.uc.mem_write(BL_LOCATION, b"@AML") # Magic
# self.uc.mem_write(BL_LOCATION + 0xa, p8(1)) #unk1
# self.uc.mem_write(BL_LOCATION + 0xb, p8(1)) #unk2
emulator = Amlogic_Emulator(debug=True)
# emulator.place_bootloader(open("fuzz_bl.bin", 'rb').read())
d = bytes.fromhex("4f41 4d4f 414d 104d 4c5c 414d 4c4c")
d += (0x40 - len(d)) * b"\x00"
emulator.place_bootloader(d)
emulator.run_check_bootloader_header()

BIN
source/bootrom_emulator/fuzz_fastboot_input/getvar Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_fastboot_input/getvar_chipinfo- Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_fastboot_input/getvar_downloadsize Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_fastboot_input/getvar_getchipinfo Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_fastboot_input/getvar_serialno Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_fastboot_input/getvar_version Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_fastboot_input/setkey Normal file
View File

Binary file not shown.

BIN
source/bootrom_emulator/fuzz_verifybl_input/fuzz_bl.bin Normal file
View File

Binary file not shown.

38
source/bootrom_emulator/fuzzer.py
View File

@@ -1,6 +1,6 @@
from emulator import * from emulator import *
import unicornafl import unicornafl
import argparse import argparse, os
ENTRY_POINT = 0xffff0000 ENTRY_POINT = 0xffff0000
STACK_ADDRESS = 0xfffe3800 STACK_ADDRESS = 0xfffe3800
@@ -23,7 +23,7 @@ def test_fb_cmd(cmd=b'getvar:version', device="S905X3"):
res = emulator.run_fastboot_cmd() res = emulator.run_fastboot_cmd()
pass pass
def afl_fuzzer(device="S905X3"): def afl_fuzzer_fastboot(device="S905X3"):
emulator = Amlogic_Emulator(device=device) emulator = Amlogic_Emulator(device=device)
# emulator.debug = True # emulator.debug = True
@@ -41,7 +41,29 @@ def afl_fuzzer(device="S905X3"):
emulator.run_fastboot_cmd() emulator.run_fastboot_cmd()
return 0 return 0
unicornafl.uc_afl_fuzz_custom(emulator.uc, "input/getvar", _place_fb_command, _run, persistent_iters=1) unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_fastboot_input/getvar", _place_fb_command, _run, persistent_iters=1)
def afl_fuzzer_verifybl(device="S905X3"):
emulator = Amlogic_Emulator(device=device)
# emulator.debug = True
def place_bootloader_header(uc, input, persistent_round, data):
# hexdump(bytes(input), "input")
if len(input) != 0x40:
return False
# Filter some unsupported commands:
if input[:4] == b"@AML":
return False
emulator = Amlogic_Emulator(device=device)
emulator.place_bootloader(input)
return True
def _run(uc, data):
emulator.run_check_bootloader_header()
return 0
unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_verifybl_input/fuzz_bl.bin", place_bootloader_header, _run, persistent_iters=1)
if __name__ == "__main__": if __name__ == "__main__":
# print(sys.argv) # print(sys.argv)
@@ -51,7 +73,6 @@ if __name__ == "__main__":
# args.add_argument("--input", "-i", help="Input file for crash", default=None) # args.add_argument("--input", "-i", help="Input file for crash", default=None)
# args = args.parse_args() # args = args.parse_args()
# if args.test: # if args.test:
# test_fb_cmd(device=args.device) # test_fb_cmd(device=args.device)
# print("", flush=True) # print("", flush=True)
@@ -63,4 +84,11 @@ if __name__ == "__main__":
# else: # else:
# pass # pass
# Run AFL # Run AFL
afl_fuzzer()
if os.getenv("AFL_FUZZER") == "verifybl":
afl_fuzzer_verifybl()
elif os.getenv("AFL_FUZZER") == "fastboot":
afl_fuzzer_fastboot()
else:
print("No AFL fuzzer selected")
exit(1)

1
source/bootrom_emulator/run_fuzzer.sh
View File

@@ -4,6 +4,7 @@ app_name="amlogic"
target_soc="S922" target_soc="S922"
inputs_dir="/fuzz/input/" inputs_dir="/fuzz/input/"
outputs_dir="/fuzz/fuzz_output/${target_soc}" outputs_dir="/fuzz/fuzz_output/${target_soc}"
export AFL_FUZZER="verifybl"
# generate screenrc # generate screenrc
tmp_screen_rc="/tmp/screenrc.${app_name}" tmp_screen_rc="/tmp/screenrc.${app_name}"