Eljakim/amlogic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
24b535bc7e77df2da9371669f489d54c49ee8dc5
amlogic/source/bootrom_emulator/fuzzer.py
Eljakim Herrewijnen 24b535bc7e started work on s922
2024-04-23 23:04:16 +02:00

57 lines
1.6 KiB
Python
Raw Blame History

from emulator import *
import unicornafl
import argparse
ENTRY_POINT = 0xffff0000
STACK_ADDRESS = 0xfffe3800
FASTBOOT_CMD_HANDLER = 0xffff9758
TEST_OFFSET = 0xfffa0000 + 0x8000
TEST_REQ_BUFFER = TEST_OFFSET + 0x800
TEST_CONTEXT_BUFFER = TEST_OFFSET + 0x9000
debug_functions = [
# (start, end)
# (0xffff9bc4, 0xffff9d6c), # Fastboot
# (0xffff66d8, 0xffff6754),
]
def test_fb_cmd(cmd=b'getvar:version', device="S905X3"):
emulator = Amlogic_Emulator(device=device)
emulator.debug = True
emulator.place_fastboot_command(cmd)
res = emulator.run_fastboot_cmd()
pass
def afl_fuzzer():
emulator = Amlogic_Emulator()
# emulator.debug = True
def _place_fb_command(uc, input, persistent_round, data):
# hexdump(bytes(input), "input")
if len(input) > 0x200:
return False
# Filter some unsupported commands:
if input[:4] == b"boot":
return False
emulator.place_fastboot_command(input)
return True
def _run(uc, data):
emulator.run_fastboot_cmd()
return 0
unicornafl.uc_afl_fuzz_custom(emulator.uc, "input/getvar", _place_fb_command, _run, persistent_iters=1)
if __name__ == "__main__":
args = argparse.ArgumentParser("Amlogic BootROM Fuzzer")
# test_fb_cmd(device="S905X3")
test_fb_cmd(device="S922")
# afl_fuzzer()
# exit(0)
args.add_argument("--input", "-i", help="Input file for crash", default=None)
arg = args.parse_args()
if arg.input:
test_fb_cmd(open(arg.input, 'rb').read())
else:
afl_fuzzer()
Reference in New Issue View Git Blame Copy Permalink