
AFL++ gets stuck in forkserver initialization #26

Open
Mem2019 opened this issue Feb 20, 2023 · 8 comments

Comments

@Mem2019

Mem2019 commented Feb 20, 2023

Hello, we are trying to use FirmWire for fuzzing. Based on the docker image provided, we also compile AFL++ with unicorn mode enabled as shown below.

RUN apt-get -y install gdb lz4 cmake
RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /AFLplusplus && \
  cd /AFLplusplus && make clean all && cd unicorn_mode && ./build_unicorn_support.sh

However, running the command /AFLplusplus/afl-fuzz -i in/ -o /tmp/out -U -- ./firmwire.py --fuzz gsm_cc --fuzz-input @@ ./modem/modem.bin according to the documentation, with a large AFL_FORKSRV_INIT_TMOUT, gets stuck in forkserver initialization for more than 12 hours. I would like to know how such a situation can be solved.

Thank you very much.

@mariusmue
Contributor

Hi,

It's likely that your modem is not fully supported and hangs somewhere during bootup/initial emulation. To debug this issue, I would recommend enabling debug output by modifying the command line as follows:

AFL_DEBUG_CHILD=1 /AFLplusplus/afl-fuzz -i in/ -o /tmp/out -U -- ./firmwire.py --fuzz-triage gsm_cc --fuzz-input @@ ./modem/modem.bin

@Mem2019
Author

Mem2019 commented Feb 21, 2023

> Hi,
>
> It's likely that your modem is not fully supported and hangs somewhere during bootup/initial emulation. To debug this issue, I would recommend enabling debug output by modifying the command line as follows:
>
> AFL_DEBUG_CHILD=1 /AFLplusplus/afl-fuzz -i in/ -o /tmp/out -U -- ./firmwire.py --fuzz-triage gsm_cc --fuzz-input @@ ./modem/modem.bin

Thanks for replying. The modem.bin is decompressed from here, which comes from the documentation.

In addition, the output when AFL_DEBUG_CHILD=1 is shown as follows:

[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:input'...
[*] Spinning up the fork server...
              ___            __      _
-.     .-.   | __|(+) _ _ _ _\ \    / /(+) _ _ ___    .-.     .-
  \   /   \  | _|  | | '_| '  \ \/\/ /  | | '_/ -_)  /   \   /
   '-'     '-|_|   | |_| |_|_|_\_/\_/   | |_| \___|-'     '-'
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                A  baseband  analysis  platform
                   https://github.com/FirmWire

[INFO] firmwire.loader: Reading firmware using ShannonLoader (shannon)
[INFO] firmwire.vendor.shannon.loader: SoC <ShannonSOC S5000AP - 20190103> (automatic)
[INFO] firmwire.emulator.patterndb: Searching for patterns in [40010000 - 425579a0]
[INFO] firmwire.emulator.patterndb: Found symbol boot_mpu_table -> 41777400 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol boot_setup_memory -> 40415088 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol boot_key_check -> 40549f8a [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol OS_fatal_error -> 4054ccb2 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol pal_MemAlloc -> 423916b2 [CACHED]
[INFO] firmwire.vendor.shannon.pattern_handlers: Fixing up TCM region symbol pal_MemAlloc (423916b2 -> 0401581e)
[INFO] firmwire.emulator.patterndb: Found symbol pal_MemFree -> 40cbb1ac [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol pal_MsgSendTo -> 41155e80 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol pal_Sleep -> 40cba1f8 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol log_printf -> 405489ae [CACHED]
[WARN] firmwire.emulator.patterndb: Unable to resolve dynamic symbol log_printf2. Functionality may be affected
[INFO] firmwire.emulator.patterndb: Found symbol pal_SmSetEvent -> 4054d5a2 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol SYM_EVENT_GROUP_LIST -> 416f93ec [CACHED]
[INFO] firmwire.vendor.shannon.pattern_handlers: Dereference [0x416f93ec] -> 0x418385e8
[INFO] firmwire.emulator.patterndb: Found symbol SYM_TASK_LIST -> 0176f534 [CACHED]
[INFO] firmwire.vendor.shannon.pattern_handlers: Found likely task name: b'GMAC\x00\x00\x00\x00UL', keeping task layout
[INFO] firmwire.emulator.patterndb: Found symbol SYM_SCHEDULABLE_TASK_LIST -> 43a36e68 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol SYM_CUR_TASK_ID -> 418385f4 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol SYM_FN_EXCEPTION_SWITCH -> 40c71734 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol SYM_QUEUE_LIST -> 4013d408 [CACHED]
[INFO] firmwire.emulator.patterndb: Skipping symbol QUIRK_SXXXAP_DVFS_HACK for S5000AP
[INFO] firmwire.emulator.patterndb: Skipping symbol QUIRK_S337AP_SHM_HACK for S5000AP
[INFO] firmwire.emulator.patterndb: Found symbol SYM_LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID -> 0000c3a3 [CACHED]
[INFO] firmwire.emulator.patterndb: Found symbol DSP_SYNC_WORD_0 -> 4060e214 [CACHED]
[INFO] firmwire.vendor.shannon.pattern_handlers: Retrieved sync word 0: 141
[INFO] firmwire.emulator.patterndb: Found symbol DSP_SYNC_WORD_1 -> 4060e21a [CACHED]
[INFO] firmwire.vendor.shannon.pattern_handlers: Retrieved sync word 1: 286
[INFO] firmwire.emulator.patterndb: Dynamic symbol resolution took 0.02 seconds
[INFO] firmwire.vendor.shannon.loader: Using blank NV data
[INFO] firmwire.loader: Loading complete
[INFO] firmwire: FirmWire initializing ShannonMachine
[INFO] firmwire.emulator.firmwire: FirmWire workspace <Workspace modem/modem.bin_workspace>
[WARN] firmwire.vendor.shannon.machine: No Ghidra symbol table found. Output will be addresses only
[INFO] firmwire.vendor.shannon.machine: Inputs will be provided via /tmp/out/default/.cur_input
[INFO] firmwire.vendor.shannon.machine: AFL panic address set [0x0,0x4,0xc,0x10,0x4054ccb2]
[WARN] firmwire.emulator.firmwire: Memory TOC_BOOT size 0x2e40 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory TOC_BOOT_LOW size 0x2e40 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory TOC_VSS size 0x5e0660 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Peripheral DSPPeripheral at 0x47389c00 is not page aligned. This may causes crashes
[WARN] firmwire.emulator.firmwire: Peripheral DSPPeripheral size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory tim0 size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory tim1 start address 0x82008100 is not page aligned. This may causes crashes
[WARN] firmwire.emulator.firmwire: Memory tim1 size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory tim2 start address 0x82008200 is not page aligned. This may causes crashes
[WARN] firmwire.emulator.firmwire: Memory tim2 size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory tim3 start address 0x82008300 is not page aligned. This may causes crashes
[WARN] firmwire.emulator.firmwire: Memory tim3 size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory tim4 start address 0x82008400 is not page aligned. This may causes crashes
[WARN] firmwire.emulator.firmwire: Memory tim4 size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Memory tim5 start address 0x82008500 is not page aligned. This may causes crashes
[WARN] firmwire.emulator.firmwire: Memory tim5 size 0x100 is not page aligned. Force aligning
[WARN] firmwire.emulator.firmwire: Peripheral TCU size 0x100 is not page aligned. Force aligning
[INFO] firmwire.vendor.shannon.machine: Found RWX region [4b000000 - 4b200000]
[INFO] firmwire.vendor.shannon.machine: Fuzzing mode active (no debug output)
Loading libpanda from /usr/local/lib/python3.8/dist-packages/pandare/data
[PYPANDA] Panda args: [/usr/local/lib/python3.8/dist-packages/pandare/data/arm-softmmu/libpanda-arm.so -L /usr/local/lib/python3.8/dist-packages/pandare/data/pc-bios -machine configurable -kernel modem/modem.bin_workspace/ShannonEMU3334_conf.json -gdb tcp::3333 -S -drive if=none,id=drive0,file=modem/modem.bin_workspace/snapshots.qcow2,format=qcow2 -nographic -qmp tcp:127.0.0.1:3334,server,nowait -m 128M -monitor unix:/tmp/pypanda_m85fmpjwu,server,nowait]
[INFO] firmwire.hw.fifo: SHM raw_tx_buff[QUEUE] \x00\x00\x00\x00\x0d\x90\x00\x00 8
[INFO] firmwire.hw.fifo: SHM raw_tx_buff[QUEUE] \x00\x00\x00\x00\x00\x9f\x00\x00 16
[INFO] firmwire.vendor.shannon.machine: Disabling task 'SHM'
[INFO] firmwire.vendor.shannon.machine: Creating NOP task at 0x4b004000
[INFO] firmwire: Machine initialization time took 0.55 seconds
[INFO] firmwire.vendor.shannon.machine: Found empty task slot 101 for injection
[INFO] firmwire.vendor.shannon.machine: Injecting task <TaskMod 'AFL_GSM_CC' base 0x4b000000> -> slot 101
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol pal_MemAlloc (0x0401581f) -> 0x4b0004a8 (FUNC, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol pal_SmSetEvent (0x4054d5a3) -> 0x4b0004a0 (FUNC, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol pal_Sleep (0x40cba1f9) -> 0x4b0004a4 (FUNC, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol SYM_LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID (0x0000c3a3) -> 0x4b000490 (DATA, 2 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol pal_MsgSendTo (0x41155e81) -> 0x4b0004ac (FUNC, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol SYM_EVENT_GROUP_LIST (0x418385e8) -> 0x4b000494 (DATA, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol SYM_QUEUE_LIST (0x4013d408) -> 0x4b000498 (DATA, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Resolved dynamic symbol pal_MemFree (0x40cbb1ad) -> 0x4b00049c (FUNC, 4 bytes)
[INFO] firmwire.vendor.shannon.machine: Injecting Task at 0x4b000000 (stack: 0x4b0024f0)
[INFO] firmwire.vendor.shannon.machine: Injected!
[INFO] firmwire.vendor.shannon.machine: ==== Task List ====
[INFO] firmwire.vendor.shannon.machine: TASK0: Acpm (0x4103dc47)
[INFO] firmwire.vendor.shannon.machine: TASK1: Default (0x41619e3d)
[INFO] firmwire.vendor.shannon.machine: TASK2: DM (0x40550273)
[INFO] firmwire.vendor.shannon.machine: TASK3: DM_TX (0x405504eb)
[INFO] firmwire.vendor.shannon.machine: TASK4: BDA (0x4165fa5f)
[INFO] firmwire.vendor.shannon.machine: TASK5: CIQD (0x4055094d)
[INFO] firmwire.vendor.shannon.machine: TASK6: CIQD_FE (0x40550965)
[INFO] firmwire.vendor.shannon.machine: TASK7: Background (0x41619e4d)
[INFO] firmwire.vendor.shannon.machine: TASK8: TpTest (0x4161b615)
[INFO] firmwire.vendor.shannon.machine: TASK9: TaskReg (0x40556ba5)
[INFO] firmwire.vendor.shannon.machine: TASK10: DBGUNS (0x4073b83f)
[INFO] firmwire.vendor.shannon.machine: TASK11: DBGCMD (0x4077fb5d)
[INFO] firmwire.vendor.shannon.machine: TASK12: DBGCMD2 (0x4077fb8d)
[INFO] firmwire.vendor.shannon.machine: TASK13: InitPacketHandler (0x4163ac6f)
[INFO] firmwire.vendor.shannon.machine: TASK14: PacketHandler (0x4163a981)
[INFO] firmwire.vendor.shannon.machine: TASK15: PBM (0x416bfb81)
[INFO] firmwire.vendor.shannon.machine: TASK16: DS_PBM (0x416bfb8b)
[INFO] firmwire.vendor.shannon.machine: TASK17: ATI (0x4163cd03)
[INFO] firmwire.vendor.shannon.machine: TASK18: MTI (0x40ee22af)
[INFO] firmwire.vendor.shannon.machine: TASK19: SMS (0x41695f51)
[INFO] firmwire.vendor.shannon.machine: TASK20: CC (0x40e36e33)
[INFO] firmwire.vendor.shannon.machine: TASK21: MM (0x40d18cbb)
[INFO] firmwire.vendor.shannon.machine: TASK22: SM (0x40e0c3b1)
[INFO] firmwire.vendor.shannon.machine: TASK23: SS (0x40f4303d)
[INFO] firmwire.vendor.shannon.machine: TASK24: L1C (0x416092c9)
[INFO] firmwire.vendor.shannon.machine: TASK25: PPP (0x4078f161)
[INFO] firmwire.vendor.shannon.machine: TASK26: GDA (0x41639cdd)
[INFO] firmwire.vendor.shannon.machine: TASK27: CDH (0x407cb8d3)
[INFO] firmwire.vendor.shannon.machine: TASK28: VSUP (0x41635663)
[INFO] firmwire.vendor.shannon.machine: TASK29: VCG (0x407dbecf)
[INFO] firmwire.vendor.shannon.machine: TASK30: VCE (0x407a30cf)
[INFO] firmwire.vendor.shannon.machine: TASK31: SAEL3 (0x415da83f)
[INFO] firmwire.vendor.shannon.machine: TASK32: DS_SAEL3 (0x415daa35)
[INFO] firmwire.vendor.shannon.machine: TASK33: PDNMGR (0x415efff3)
[INFO] firmwire.vendor.shannon.machine: TASK34: SIM (0x40e62fa9)
[INFO] firmwire.vendor.shannon.machine: TASK35: DS_SIM (0x40e62fb5)
[INFO] firmwire.vendor.shannon.machine: TASK36: LteRrm (0x40e18595)
[INFO] firmwire.vendor.shannon.machine: TASK37: LTE_L1LC (0x40cd53fb)
[INFO] firmwire.vendor.shannon.machine: TASK38: LteRrc (0x4122d9d1)
[INFO] firmwire.vendor.shannon.machine: TASK39: LteRrc_DS (0x4122e777)
[INFO] firmwire.vendor.shannon.machine: TASK40: LTEL2LRx (0x40663f97)
[INFO] firmwire.vendor.shannon.machine: TASK41: LTEL2LTx (0x4066bce3)
[INFO] firmwire.vendor.shannon.machine: TASK42: LTEL2TCM (0x0400a0c3)
[INFO] firmwire.vendor.shannon.machine: TASK43: LTEL2IDLE (0x04009ff3)
[INFO] firmwire.vendor.shannon.machine: TASK44: LTEL2HTx (0x40d5b1fb)
[INFO] firmwire.vendor.shannon.machine: TASK45: LTEL2HRx (0x40c3fb65)
[INFO] firmwire.vendor.shannon.machine: TASK46: LTE_TLP (0x4067dd49)
[INFO] firmwire.vendor.shannon.machine: TASK47: LTE_MTM (0x40cd94ed)
[INFO] firmwire.vendor.shannon.machine: TASK48: LTE_DM (0x40bc87c7)
[INFO] firmwire.vendor.shannon.machine: TASK49: EDFS (0x40746333)
[INFO] firmwire.vendor.shannon.machine: TASK50: URRC (0x40eddba3)
[INFO] firmwire.vendor.shannon.machine: TASK51: HSPA_CALIBRATION (0x410ba681)
[INFO] firmwire.vendor.shannon.machine: TASK52: LLC (0x412d7307)
[INFO] firmwire.vendor.shannon.machine: TASK53: GRR (0x41602c75)
[INFO] firmwire.vendor.shannon.machine: TASK54: RLC (0x415ff451)
[INFO] firmwire.vendor.shannon.machine: TASK55: GMAC (0x415ff269)
[INFO] firmwire.vendor.shannon.machine: TASK56: GLAPD (0x41601a1b)
[INFO] firmwire.vendor.shannon.machine: TASK57: SNDCP (0x4080b801)
[INFO] firmwire.vendor.shannon.machine: TASK58: SRM (0x416a3f5d)
[INFO] firmwire.vendor.shannon.machine: TASK59: LCSM (0x416db22f)
[INFO] firmwire.vendor.shannon.machine: TASK60: REG_SAP (0x405b834b)
[INFO] firmwire.vendor.shannon.machine: TASK61: AS_SAP (0x405ba5f7)
[INFO] firmwire.vendor.shannon.machine: TASK62: SMS_SAP (0x405d2633)
[INFO] firmwire.vendor.shannon.machine: TASK63: CC_SS_SAP (0x405c955d)
[INFO] firmwire.vendor.shannon.machine: TASK64: SIM_SAP (0x405bad7b)
[INFO] firmwire.vendor.shannon.machine: TASK65: DBG_SAP (0x406bb41b)
[INFO] firmwire.vendor.shannon.machine: TASK66: DS_REG_SAP (0x405b853b)
[INFO] firmwire.vendor.shannon.machine: TASK67: DS_AS_SAP (0x405ba735)
[INFO] firmwire.vendor.shannon.machine: TASK68: DS_SMS_SAP (0x405d286f)
[INFO] firmwire.vendor.shannon.machine: TASK69: DS_CC_SS_SAP (0x405c97b9)
[INFO] firmwire.vendor.shannon.machine: TASK70: DS_SIM_SAP (0x405bafdb)
[INFO] firmwire.vendor.shannon.machine: TASK71: DS_DBG_SAP (0x406bb5b1)
[INFO] firmwire.vendor.shannon.machine: TASK72: MMC (0x405bb971)
[INFO] firmwire.vendor.shannon.machine: TASK73: MMC_IF (0x4151923b)
[INFO] firmwire.vendor.shannon.machine: TASK74: SR_IF (0x406c548d)
[INFO] firmwire.vendor.shannon.machine: TASK75: LTE_MMC_GL1 (0x416f73c5)
[INFO] firmwire.vendor.shannon.machine: TASK76: USAT (0x416ac071)
[INFO] firmwire.vendor.shannon.machine: TASK77: DS_USAT (0x416ac07b)
[INFO] firmwire.vendor.shannon.machine: TASK78: LTE_TCPIP (0x40731bcd)
[INFO] firmwire.vendor.shannon.machine: TASK79: LTE_SISO_ASYNC (0x40731bcb)
[INFO] firmwire.vendor.shannon.machine: TASK80: IMS_CC (0x406dff51)
[INFO] firmwire.vendor.shannon.machine: TASK81: LPP (0x415ef0a1)
[INFO] firmwire.vendor.shannon.machine: TASK82: SHM [DISABLED]
[INFO] firmwire.vendor.shannon.machine: TASK83: UL2CC (0x412e25d1)
[INFO] firmwire.vendor.shannon.machine: TASK84: UL2DL (0x40a300ab)
[INFO] firmwire.vendor.shannon.machine: TASK85: UL2UL (0x41317b71)
[INFO] firmwire.vendor.shannon.machine: TASK86: UDATA (0x4139ac1b)
[INFO] firmwire.vendor.shannon.machine: TASK87: UBMCTask (0x41384491)
[INFO] firmwire.vendor.shannon.machine: TASK88: ephyFramework (0x415f9f0d)
[INFO] firmwire.vendor.shannon.machine: TASK89: syncTask (0x415fabad)
[INFO] firmwire.vendor.shannon.machine: TASK90: recMailTask (0x415fac09)
[INFO] firmwire.vendor.shannon.machine: TASK91: sendMailTask (0x415fac33)
[INFO] firmwire.vendor.shannon.machine: TASK92: BTL (0x4054e741)
[INFO] firmwire.vendor.shannon.machine: TASK93: CLM (0x40f5e8bd)
[INFO] firmwire.vendor.shannon.machine: TASK94: CLTCP (0x40bfb86d)
[INFO] firmwire.vendor.shannon.machine: TASK95: SecuCh (0x40c7da69)
[INFO] firmwire.vendor.shannon.machine: TASK96: SHUB_MSG (0x40f60d5d)
[INFO] firmwire.vendor.shannon.machine: TASK97: SSH (0x40f53a53)
[INFO] firmwire.vendor.shannon.machine: TASK98: CPCOP (0x40f52693)
[INFO] firmwire.vendor.shannon.machine: TASK99: PROXIMITY (0x40f53615)
[INFO] firmwire.vendor.shannon.machine: TASK100: CMMO (0x40f31a49)
[INFO] firmwire.vendor.shannon.machine: TASK101: AFL_GSM_CC (0x4b000001)
[INFO] firmwire: Starting emulator ShannonEMU3334
==> BOOT
AFL_COMPCOV_LEVEL not set.
[INFO] firmwire.hw.peripheral.ShannonSOCPeripheral.SOC: CHIP_ID read: 50000000

s5000ap (Aug  6 2018@==> WAIT SHUTDOWN
13:55:35):SIPCFeG
Mode=424F4F54
#mCMSBoot
[INFO] firmwire.hw.fifo: SHM raw_rx_buff[DEQUEUE] \x00\xd7\x00\x00\x0d\xa0\x00\x00
Ready => [INFO] firmwire.hw.fifo: SHM raw_rx_buff[DEQUEUE] \x00\xd7\x00\x00\x00\xaf\x00\x00
e@Run
[INFO] firmwire.hw.peripheral.ShannonSOCPeripheral.SOC: CHIP_ID read: 50000000

@Mem2019
Author

Mem2019 commented Mar 6, 2023

The main problem is that the breakpoint at boot_key_check is not handled. The breakpoint should be handled by the callback function set by avatar.watchmen.add("BreakpointHit", ...), but when FirmWire is executed, that callback function is not executed, so the emulation hangs at the breakpoint location forever. I am not sure if this is a bug in avatar2 or something else.

Mem2019 added a commit to Mem2019/FirmWire-1 that referenced this issue Mar 8, 2023
`ShannonEMU` also requires breakpoint (https://github.com/FirmWire/FirmWire/blob/490163e6263edeebde11961d7b4a4f3690d5f4d0/firmwire/vendor/shannon/machine.py#L827), if execution is stopped, the execution will hang at breakpoint forever. This solves issue FirmWire#26.
Mem2019 added a commit to Mem2019/FirmWire-1 that referenced this issue Mar 8, 2023
`ShannonEMU` also requires breakpoint here.

https://github.com/FirmWire/FirmWire/blob/490163e6263edeebde11961d7b4a4f3690d5f4d0/firmwire/vendor/shannon/machine.py#L827

If `qemu.protocols.execution` is stopped, the execution will hang at breakpoint forever. This solves issue FirmWire#26.
@mariusmue
Contributor

Thanks for looking into it more! Please see my comment in #28 for further discussion

@bond187

bond187 commented Apr 19, 2023

Hello! Was there ever a resolution to this issue? I'm stuck at the same point trying to fuzz a Shannon BP.

When I run AFL with fuzz-triage, the issue seems to be resolved, but debug output is then of course produced, which I'd assume worsens performance.

@mariusmue
Contributor

mariusmue commented Apr 19, 2023

The workaround here is to create a snapshot as fuzzing base, after initialization.

The reason is that in fuzzing (non-triage) mode, firmwire cannot deal with breakpoints, but these are needed during init for some of the basebands. So, the workflow is:

  • boot up firmwire with the fuzzing task injected but in triage mode, and with the --snapshot-at flag to create a snapshot after initialization
  • start the actual fuzzing from the snapshot (using the --restore-snapshot flag)

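A script for the two-step snapshot workflow described in the comment above, together with the AFL_DEBUG_CHILD diagnostic run suggested earlier in the thread, as an added example: it is not part of this issue and is not FirmWire's or AFL++'s own tooling. It assumes that --snapshot-at takes its address and name as "ADDR,NAME" and that --restore-snapshot takes the snapshot name (check ./firmwire.py --help if your CLI differs), that a single seed file (IN_DIR/seed) is a reasonable input for the one-off snapshot boot, and the paths from the thread. The snapshot address itself is not something the script can pick for you; it has to be an address you know is only reached once initialization is done, taken from your own triage-mode run.

```shell
#!/bin/sh
# Added example, not FirmWire/AFL++ code. Two-stage fuzzing setup:
#   1. boot once in triage mode (breakpoints work there) and snapshot after init,
#   2. fuzz from that snapshot in non-triage mode under the AFL++ forkserver.
# Assumed CLI shapes: --snapshot-at ADDR,NAME and --restore-snapshot NAME.

AFL_FUZZ="${AFL_FUZZ:-/AFLplusplus/afl-fuzz}"
FIRMWIRE="${FIRMWIRE:-./firmwire.py}"
MODEM="${MODEM:-./modem/modem.bin}"
FUZZ_TASK="${FUZZ_TASK:-gsm_cc}"
SNAP_NAME="${SNAP_NAME:-fuzz_base}"
IN_DIR="${IN_DIR:-in}"
OUT_DIR="${OUT_DIR:-/tmp/out}"
SEED="${SEED:-$IN_DIR/seed}"          # assumed seed file for the snapshot boot

# Reject obviously wrong snapshot addresses before spending a boot on them:
# optional 0x prefix, 1 to 8 hex digits (32-bit ARM address space).
valid_snapshot_addr() {
    hex="${1#0x}"
    [ -n "$hex" ] || return 1
    [ "${#hex}" -le 8 ] || return 1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# Step 0 (diagnosis): the thread's AFL_DEBUG_CHILD run, so the child's own
# log reaches the terminal and a hang can be located instead of waited out.
debug_cmd() {
    printf 'AFL_DEBUG_CHILD=1 %s -i %s -o %s -U -- %s --fuzz-triage %s --fuzz-input @@ %s' \
        "$AFL_FUZZ" "$IN_DIR" "$OUT_DIR" "$FIRMWIRE" "$FUZZ_TASK" "$MODEM"
}

# Step 1: boot with the fuzz task injected, in triage mode, and save a
# snapshot the first time execution reaches $1 (an address after init).
snapshot_cmd() {
    addr="$1"
    valid_snapshot_addr "$addr" || { echo "bad snapshot address: $addr" >&2; return 1; }
    printf '%s --fuzz-triage %s --fuzz-input %s --snapshot-at %s,%s %s' \
        "$FIRMWIRE" "$FUZZ_TASK" "$SEED" "$addr" "$SNAP_NAME" "$MODEM"
}

# Step 2: the real campaign, restored from the snapshot so the breakpoint-
# dependent boot code never runs inside the forkserver child.
fuzz_cmd() {
    printf '%s -i %s -o %s -U -- %s --fuzz %s --fuzz-input @@ --restore-snapshot %s %s' \
        "$AFL_FUZZ" "$IN_DIR" "$OUT_DIR" "$FIRMWIRE" "$FUZZ_TASK" "$SNAP_NAME" "$MODEM"
}

run_workflow() {
    addr="$1"
    snap="$(snapshot_cmd "$addr")" || return 1
    echo "[+] snapshot: $snap"; eval "$snap"
    fuzz="$(fuzz_cmd)"
    echo "[+] fuzz:     $fuzz"; eval "$fuzz"
}

# Only execute when explicitly asked; by default just print the plan.
if [ "${FIRMWIRE_RUN:-0}" = "1" ]; then
    run_workflow "${SNAPSHOT_ADDR:?set SNAPSHOT_ADDR to an address reached after init}"
else
    echo "dry run; set FIRMWIRE_RUN=1 SNAPSHOT_ADDR=0x... to execute"
    echo "debug:    $(debug_cmd)"
    echo "snapshot: $(snapshot_cmd "${SNAPSHOT_ADDR:-0x40000000}")"
    echo "fuzz:     $(fuzz_cmd)"
fi
```

Run it once with FIRMWIRE_RUN=1 and SNAPSHOT_ADDR set to the post-init address; the second stage is what should go into afl-fuzz for the long campaign, so a forkserver that still hangs at that point means the snapshot was taken before the breakpoint-dependent code had finished, not that the workaround failed.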
@bond187

bond187 commented Apr 19, 2023

Great, thank you! How do I know what value to pass to --snapshot-at? I'm pretty new to fuzzing so sorry if it's obvious :)

@mariusmue
Contributor

It's a tuple of snapshot_addr, snapshot_name; this should be part of the CLI documentation. As the address, you want to use one after the initialization.

More about snapshots here: https://firmwire.github.io/docs/workspaces.html
