s922x works

.gitignore

@@ -0,0 +1,167 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+#
+dump/
+
+# Ignore remote_devices/ folder. These should be added by the user
+remote_devices/
+external/
+reven/

Readme.md

@@ -1,3 +1,5 @@
 # Amlogic Research
-Some R&D research on the Amlogic BootROM. Goal is/was to find a bug to exploit the Chromecast. 
+Some R&D research on the Amlogic BootROM. 
+Goal is/was to find a bug to exploit the Chromecast. 
+
 The USB command handling was fuzzed for bugs in the fastboot packet handling in the BootROM but no bugs were found.

source/bootrom_emulator/.vscode/launch.json

@@ -13,12 +13,22 @@
             "justMyCode": false
         },
         {
-            "name": "Run Fuzzer",
+            "name": "Test Fuzzer command S905X3",
             "type": "python",
             "request": "launch",
             "program": "fuzzer.py",
             "console": "integratedTerminal",
             "justMyCode": false,
+            "args": ["--device", "S905X3", "--test"]
+        },
+        {
+            "name": "Test Fuzzer command S922",
+            "type": "python",
+            "request": "launch",
+            "program": "fuzzer.py",
+            "console": "integratedTerminal",
+            "justMyCode": false,
+            "args": ["--device", "S922", "--test"]
         }
     ]
 }

source/bootrom_emulator/amlogic_rom_db.py

@@ -4,16 +4,22 @@ TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000
 
 amlogic_rom_db = {
     "S905X3" : {
+        "name" : "S905X3",
+        "path" : "bin/BootROM_s905x3.bin",
         "ENTRY_POINT" : 0xffff0000,
         "STACK_ADDRESS" : 0xfffe3800,
         "FASTBOOT_CMD_HANDLER" : 0xffff9758,
-        "fastboot_response" : 0xffff8c04,
+        "fastboot_tx_write": 0xffff8c04,
+        "fastboot_response" : 0xffff8c78,
         "usb_ep_queue" : 0xffff8998
     },
     "S922" : {
+        "name" : "S922",
+        "path" : "bin/S922X_bootrom.bin",
         "ENTRY_POINT" : 0xffff0000,
         "STACK_ADDRESS" : 0xfffe3800,
         "FASTBOOT_CMD_HANDLER" : 0xffff815c,
+        "fastboot_tx_write": 0xffff76cc,
         "fastboot_response" : 0xffff7740,
         "usb_ep_queue" : 0xffff7474
     },

source/bootrom_emulator/emulator.py

@@ -12,7 +12,7 @@ from amlogic_rom_db import *
 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
     
-FASTBOOT_CMD_HANDLER = 0xffff9758
+# FASTBOOT_CMD_HANDLER = 0xffff9758
 TEST_OFFSET = 0xfffa0000 + 0x8000
 TEST_REQ_BUFFER = TEST_OFFSET + 0x800
 TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000
@@ -26,15 +26,16 @@ class Amlogic_Emulator(ARM64UC_Emulator):
             Amlogic bootrom emulator.
         '''
         super().__init__(True)
+        self.device_offsets = amlogic_rom_db[device]
+        self.file = self.device_offsets['path']
         
         self.logger = setup_logger("GSCEmulator")
         self.logger.setLevel(logging.DEBUG)
         self.debug = debug
 
-        self.bootrom = open(file, 'rb').read()
+        self.bootrom = open(self.file, 'rb').read()
         self.uc = Uc(UC_ARCH_ARM64, UC_MODE_LITTLE_ENDIAN)
         self.sc = ShellcodeCrafterARM64(None, None)
-        self.device_offsets = amlogic_rom_db[device]
         self.setup_memory()
         self.setup_registers()
         self.setup_hooks()
@@ -57,7 +58,7 @@ class Amlogic_Emulator(ARM64UC_Emulator):
         return bytes(self.uc.mem_read(address, size))
     
     def apply_patches(self):
-        self.write(self.device_offsets['fastboot_response'], self.sc.ret_ins)
+        self.write(self.device_offsets['fastboot_tx_write'], self.sc.ret_ins)
         self.write(self.device_offsets['usb_ep_queue'], self.sc.ret_ins)
 
     def setup_memory(self):
@@ -242,6 +243,7 @@ class Amlogic_Emulator(ARM64UC_Emulator):
         '''
         if self.enable_trace:
             self.pc_trace.append(hex(self.pc))
+        return
         # Reset expects value in DRAM
         if self.pc == 0xffff00b0:
             self.write_ptr(0xff800228, uc.reg_read(UC_ARM64_REG_X1))
@@ -330,9 +332,9 @@ class Amlogic_Emulator(ARM64UC_Emulator):
                 hexdump(em.read(em.X0, em.X1))
             # em.uc.emu_stop()
             return True
-        self.uc.hook_add(UC_HOOK_CODE, _hook_fastboot_tx_write, self, self.device_offsets['fastboot_response'], self.device_offsets['fastboot_response'] + 1)
+        self.uc.hook_add(UC_HOOK_CODE, _hook_fastboot_tx_write, self, self.device_offsets['fastboot_tx_write'], self.device_offsets['fastboot_tx_write'] + 1)
         
-        self.pc = FASTBOOT_CMD_HANDLER
+        self.pc = self.device_offsets['FASTBOOT_CMD_HANDLER']
         self.sp = STACK_ADDRESS
         
         # Run 

source/bootrom_emulator/fuzzer.py

@@ -5,7 +5,7 @@ import argparse
 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
     
-FASTBOOT_CMD_HANDLER = 0xffff9758
+# FASTBOOT_CMD_HANDLER = 0xffff9758
 TEST_OFFSET = 0xfffa0000 + 0x8000
 TEST_REQ_BUFFER = TEST_OFFSET + 0x800
 TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000
@@ -17,7 +17,7 @@ debug_functions = [
 ]
   
 def test_fb_cmd(cmd=b'getvar:version', device="S905X3"):
-    emulator = Amlogic_Emulator(device=device)
+    emulator = Amlogic_Emulator(device=device, debug=True)
     emulator.debug = True
     emulator.place_fastboot_command(cmd)
     res = emulator.run_fastboot_cmd()
@@ -45,13 +45,19 @@ def afl_fuzzer():
     
 if __name__ == "__main__":
     args = argparse.ArgumentParser("Amlogic BootROM Fuzzer")
-    # test_fb_cmd(device="S905X3")
+    args.add_argument("--device", "-d", help="Device to test", default="S905X3")
-    test_fb_cmd(device="S922")
+    args.add_argument("--test", "-t", help="Test fastboot command", default=False, action="store_true")
-    # afl_fuzzer()
-    # exit(0)
     args.add_argument("--input", "-i", help="Input file for crash", default=None)
-    arg = args.parse_args()
+    
-    if arg.input:
+    args = args.parse_args()
-        test_fb_cmd(open(arg.input, 'rb').read())
+    
+    if args.test:
+        test_fb_cmd(device=args.device)
+        exit(0)
+        
+    if args.input:
+        # Run a single comand
+        test_fb_cmd(open(args.input, 'rb').read())
     else:
+        # Run AFL
         afl_fuzzer()