diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..078d019
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,167 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+# For a library or package, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don't work, or not
+# install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+# This is especially recommended for binary packages to ensure reproducibility, and is more
+# commonly ignored for libraries.
+# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+# in version control.
+# https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+# and can be added to the global gitignore or merged into this file. For a more nuclear
+# option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+#
+dump/
+
+# Ignore remote_devices/ folder. These should be added by the user
+remote_devices/
+external/
+reven/
diff --git a/Readme.md b/Readme.md
index 4577d6f..7474f9b 100644
--- a/Readme.md
+++ b/Readme.md
@@ -1,3 +1,5 @@
 # Amlogic Research
-Some R&D research on the Amlogic BootROM. Goal is/was to find a bug to exploit the Chromecast.
+Some R&D research on the Amlogic BootROM.
+Goal is/was to find a bug to exploit the Chromecast.
+
 The USB command handling was fuzzed for bugs in the fastboot packet handling in the BootROM but no bugs were found.
\ No newline at end of file
diff --git a/source/bootrom_emulator/.vscode/launch.json b/source/bootrom_emulator/.vscode/launch.json index 463b9d1..0af894f 100644 --- a/source/bootrom_emulator/.vscode/launch.json +++ b/source/bootrom_emulator/.vscode/launch.json @@ -13,12 +13,22 @@ "justMyCode": false }, { - "name": "Run Fuzzer", + "name": "Test Fuzzer command S905X3", "type": "python", "request": "launch", "program": "fuzzer.py", "console": "integratedTerminal", "justMyCode": false, + "args": ["--device", "S905X3", "--test"] + }, + { + "name": "Test Fuzzer command S922", + "type": "python", + "request": "launch", + "program": "fuzzer.py", + "console": "integratedTerminal", + "justMyCode": false, + "args": ["--device", "S922", "--test"] } ] } \ No newline at end of file diff --git a/source/bootrom_emulator/amlogic_rom_db.py b/source/bootrom_emulator/amlogic_rom_db.py index 5d7653b..423a64a 100644 --- a/source/bootrom_emulator/amlogic_rom_db.py +++ b/source/bootrom_emulator/amlogic_rom_db.py @@ -4,16 +4,22 @@ TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000 amlogic_rom_db = { "S905X3" : { + "name" : "S905X3", + "path" : "bin/BootROM_s905x3.bin", "ENTRY_POINT" : 0xffff0000, "STACK_ADDRESS" : 0xfffe3800, "FASTBOOT_CMD_HANDLER" : 0xffff9758, - "fastboot_response" : 0xffff8c04, + "fastboot_tx_write": 0xffff8c04, + "fastboot_response" : 0xffff8c78, "usb_ep_queue" : 0xffff8998 }, "S922" : { + "name" : "S922", + "path" : "bin/S922X_bootrom.bin", "ENTRY_POINT" : 0xffff0000, "STACK_ADDRESS" : 0xfffe3800, "FASTBOOT_CMD_HANDLER" : 0xffff815c, + "fastboot_tx_write": 0xffff76cc, "fastboot_response" : 0xffff7740, "usb_ep_queue" : 0xffff7474 }, diff --git a/source/bootrom_emulator/emulator.py b/source/bootrom_emulator/emulator.py index 233fcdc..253cf79 100644 --- a/source/bootrom_emulator/emulator.py +++ b/source/bootrom_emulator/emulator.py 
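Review bot: The new `path` values are bare relative paths (`bin/BootROM_s905x3.bin`, `bin/S922X_bootrom.bin`) and the consumer in emulator.py opens them as given (`open(self.file, 'rb')`), so the emulator only works when the process is started from the `bootrom_emulator` directory; resolving them against the module location at the point of use, e.g. `os.path.join(os.path.dirname(__file__), path)` if `os` is available there, or storing absolute paths here, would make the `--device` launch configurations and AFL runs independent of the working directory. The `"name"` entries repeat the dictionary key, so a comment such as `# "name" mirrors the key so a looked-up entry is self-describing` would tell the reader the duplication is intentional. The added `"fastboot_tx_write":` lines use a different spacing from the surrounding `"key" : value` entries; matching the existing style keeps the table readable. The dictionary literal continues past the end of the hunk.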
@@ -12,7 +12,7 @@ from amlogic_rom_db import * ENTRY_POINT = 0xffff0000 STACK_ADDRESS = 0xfffe3800 -FASTBOOT_CMD_HANDLER = 0xffff9758 +# FASTBOOT_CMD_HANDLER = 0xffff9758 TEST_OFFSET = 0xfffa0000 + 0x8000 TEST_REQ_BUFFER = TEST_OFFSET + 0x800 TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000 @@ -26,15 +26,16 @@ class Amlogic_Emulator(ARM64UC_Emulator): Amlogic bootrom emulator. ''' super().__init__(True) + self.device_offsets = amlogic_rom_db[device] + self.file = self.device_offsets['path'] self.logger = setup_logger("GSCEmulator") self.logger.setLevel(logging.DEBUG) self.debug = debug - self.bootrom = open(file, 'rb').read() + self.bootrom = open(self.file, 'rb').read() self.uc = Uc(UC_ARCH_ARM64, UC_MODE_LITTLE_ENDIAN) self.sc = ShellcodeCrafterARM64(None, None) - self.device_offsets = amlogic_rom_db[device] self.setup_memory() self.setup_registers() self.setup_hooks() @@ -57,7 +58,7 @@ class Amlogic_Emulator(ARM64UC_Emulator): return bytes(self.uc.mem_read(address, size)) def apply_patches(self): - self.write(self.device_offsets['fastboot_response'], self.sc.ret_ins) + self.write(self.device_offsets['fastboot_tx_write'], self.sc.ret_ins) self.write(self.device_offsets['usb_ep_queue'], self.sc.ret_ins) def setup_memory(self): @@ -242,6 +243,7 @@ class Amlogic_Emulator(ARM64UC_Emulator): ''' if self.enable_trace: self.pc_trace.append(hex(self.pc)) + return # Reset expects value in DRAM if self.pc == 0xffff00b0: self.write_ptr(0xff800228, uc.reg_read(UC_ARM64_REG_X1)) 
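Review bot: `FASTBOOT_CMD_HANDLER` is left in as a commented-out assignment rather than deleted now that the value is read per device from `amlogic_rom_db`; the same pattern appears in fuzzer.py's `@@ -5,7 +5,7 @@` hunk. Commented-out code ages badly, and the stale `0xffff9758` (the S905X3 value) could be copied back into a code path by mistake, so removing the line is preferable. The surviving module constants `ENTRY_POINT` and `STACK_ADDRESS` duplicate the per-device entries that amlogic_rom_db.py now carries for both devices; either delete them or mark them `# fallbacks; the per-device values in amlogic_rom_db are authoritative` so the reader knows which copy wins.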
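Review bot: `self.bootrom = open(self.file, 'rb').read()` never closes the file handle; `with open(self.file, 'rb') as fh:` followed by `self.bootrom = fh.read()` releases it deterministically. Because `self.file` now comes from `self.device_offsets['path']`, any `file` argument the constructor still accepts (its signature is outside the hunk, but the old code read a `file` name) is silently ignored, which deserves either a docstring line or removal of the parameter. `amlogic_rom_db[device]` raises a bare `KeyError` for an unknown device name, and that name now arrives unchecked from the `--device` command-line option; catching it and raising `ValueError(f"unknown device {device!r}, expected one of {list(amlogic_rom_db)}")` makes the failure self-explanatory. The constructor starts before and ends after the hunk.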
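Review bot: The `return` added after `self.pc_trace.append(hex(self.pc))` makes the rest of this callback, starting with the reset-value write at `0xffff00b0`, unreachable whenever it executes, and the collapsed diff does not show its indentation: inside the `if self.enable_trace:` body it means traced runs skip every address-specific handler below it, at method level it means those handlers are dead code for all runs. Either way traced and untraced executions diverge silently, which makes a crash found by the fuzzer hard to reproduce with tracing on. If skipping the handlers in trace mode is intended, say so on the line: `return  # trace mode only records PCs; the address handlers below are skipped`. The callback starts before and continues past the hunk.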
@@ -330,9 +332,9 @@ class Amlogic_Emulator(ARM64UC_Emulator): hexdump(em.read(em.X0, em.X1)) # em.uc.emu_stop() return True - self.uc.hook_add(UC_HOOK_CODE, _hook_fastboot_tx_write, self, self.device_offsets['fastboot_response'], self.device_offsets['fastboot_response'] + 1) + self.uc.hook_add(UC_HOOK_CODE, _hook_fastboot_tx_write, self, self.device_offsets['fastboot_tx_write'], self.device_offsets['fastboot_tx_write'] + 1) - self.pc = FASTBOOT_CMD_HANDLER + self.pc = self.device_offsets['FASTBOOT_CMD_HANDLER'] self.sp = STACK_ADDRESS # Run diff --git a/source/bootrom_emulator/fuzzer.py b/source/bootrom_emulator/fuzzer.py index e18228c..e0676aa 100644 --- a/source/bootrom_emulator/fuzzer.py +++ b/source/bootrom_emulator/fuzzer.py @@ -5,7 +5,7 @@ import argparse ENTRY_POINT = 0xffff0000 STACK_ADDRESS = 0xfffe3800 -FASTBOOT_CMD_HANDLER = 0xffff9758 +# FASTBOOT_CMD_HANDLER = 0xffff9758 TEST_OFFSET = 0xfffa0000 + 0x8000 TEST_REQ_BUFFER = TEST_OFFSET + 0x800 TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000 @@ -17,7 +17,7 @@ debug_functions = [ ] def test_fb_cmd(cmd=b'getvar:version', device="S905X3"): - emulator = Amlogic_Emulator(device=device) + emulator = Amlogic_Emulator(device=device, debug=True) emulator.debug = True emulator.place_fastboot_command(cmd) res = emulator.run_fastboot_cmd() 
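Review bot: `self.sp = STACK_ADDRESS` still reads the module-level constant while the line above it now takes `FASTBOOT_CMD_HANDLER` from `self.device_offsets`; amlogic_rom_db.py carries a per-device `STACK_ADDRESS` too, so `self.sp = self.device_offsets['STACK_ADDRESS']` keeps the register setup fully device-driven and avoids a mismatch if one device's stack ever moves. The hook is installed on the same address that `apply_patches` overwrites with `self.sc.ret_ins`, so `_hook_fastboot_tx_write` fires on the patched return rather than on the original function body; a one-line comment, `# fires on the ret patched in by apply_patches; X0/X1 are read as (address, size)`, would spare the next reader the cross-reference. The enclosing method starts before the hunk and continues past it.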
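Review bot: `emulator.debug = True` on the line after `Amlogic_Emulator(device=device, debug=True)` is now redundant, since the constructor already stores `self.debug = debug` (visible in emulator.py's `@@ -26,15 +26,16 @@` hunk); drop the assignment, or if it is kept deliberately add `# kept in case the constructor resets debug` so the duplication does not look accidental. `test_fb_cmd` continues past the hunk.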
@@ -45,13 +45,19 @@ def afl_fuzzer(): if __name__ == "__main__": args = argparse.ArgumentParser("Amlogic BootROM Fuzzer") - # test_fb_cmd(device="S905X3") - test_fb_cmd(device="S922") - # afl_fuzzer() - # exit(0) + args.add_argument("--device", "-d", help="Device to test", default="S905X3") + args.add_argument("--test", "-t", help="Test fastboot command", default=False, action="store_true") args.add_argument("--input", "-i", help="Input file for crash", default=None) - arg = args.parse_args() - if arg.input: - test_fb_cmd(open(arg.input, 'rb').read()) + + args = args.parse_args() + + if args.test: + test_fb_cmd(device=args.device) + exit(0) + + if args.input: + # Run a single comand + test_fb_cmd(open(args.input, 'rb').read()) else: + # Run AFL afl_fuzzer() \ No newline at end of file
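Review bot: The crash-replay branch `test_fb_cmd(open(args.input, 'rb').read())` does not pass `device=args.device`, so an input found while fuzzing S922 is always replayed on the default S905X3 image; `test_fb_cmd(open(args.input, 'rb').read(), device=args.device)` fixes that, and reading inside `with open(args.input, 'rb') as fh:` closes the handle. `--device` accepts any string and the value reaches `amlogic_rom_db[device]` unchecked, which ends in a `KeyError`; `choices=list(amlogic_rom_db)` (if that table is imported here) or `choices=("S905X3", "S922")` turns a typo into an argparse usage error instead. `exit(0)` is the site-module helper, `sys.exit(0)` is the portable form, and the added comment `# Run a single comand` has a typo (`command`).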