Field information of struct qitem_lte_rrc
#2
Comments
Thank you for your comment.

```python
import struct

gl = self.get_peripheral('glink')
asn_pl = b"\x20\x1b\x3f\x80\x00\x00\x00\x01\xa9\x08\x80\x00\x00\x29\x00\x97\x80\x00\x00\x00\x01\x04\x22\x14\x00\xf8\x02\x0a\xc0\x60\x00\xa0\x0c\x80\x42\x02\x9f\x43\x07\xda\xbc\xf8\x4b\x32\x18\x34\xc0\x00\x2d\x68\x08\x5e\x18\x00\x16\x80\x00"
# 1
gl.send_rrc(asn_pl, 0)
# 2
gl.send_rrc(asn_pl, 0xc3a0)
# 3
op = 0xc3a0
qitem_size = 0x10
unused = 0
pdu_type = 0
gl.send_rrc(struct.pack("<IIIII", op, qitem_size, unused, pdu_type, len(asn_pl)) + asn_pl, 0xc3a0)
```

All of the cases resulted in the following lines from `[LteRrc]`:

```
[LteRrc] 0x414dd023 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]DrxStart: gDrxRrc_Flag 0 gDrxL1_Flag 1 gDrxRrc_SaveL1Flag 1
[LteRrc] 0x40cc09b3 0b1: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommDb.c] - [MAIN]LTERRC_WRONG_ARGUMENT(ConvertMsgId:933237)
[LteRrc] 0x414dbabd 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][ProcessMsg] Fored Set -> main to Main
[LteRrc] 0x40d96bdd 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_SuppSvcFrameworkCore.c] - [MAIN]_SuppSvcSetCurrentActive To NULL
[LteRrc] 0x414dbb19 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][ProcessMsg] Fored Set -> main to cur active
[LteRrc] 0x40d95695 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_SuppSvcFrameworkCore.c] - [MAIN]_SuppSvcNo Active Scv Force to LTERRC_SUPP_SVC_MAIN
[LteRrc] 0x414e7dab 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_ProcDsds.c] - [MAIN][LTE RRC DSRC] LteRrcDsds_CheckIsProcStart msgtype(10)
[LteRrc] 0x414e8039 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_ProcDsds.c] - [MAIN]LteRrcDsds_CheckIsProcStart :: Invalid Message Type[10]
[LteRrc] 0x40d95695 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_SuppSvcFrameworkCore.c] - [MAIN]_SuppSvcNo Active Scv Force to LTERRC_SUPP_SVC_MAIN
[LteRrc] 0x414dd32f 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]SET OPFLAG :(MAIN-SUPP_SVC_CANCLE_DISPATCH)
[LteRrc] 0x40d95695 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_SuppSvcFrameworkCore.c] - [MAIN]_SuppSvcNo Active Scv Force to LTERRC_SUPP_SVC_MAIN
[LteRrc] 0x414d4b71 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Free LinkMsg : 0xff000000
[LteRrc] 0x414d4bc5 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Free Rx Msg
[LteRrc] 0x414dd7e9 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]CLEAR OPFLAG :(MAIN-STATE_CHANGE_TRIGGER)
[LteRrc] 0x40d97c8d 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_SuppSvcFrameworkCore.c] - [MAIN]_SuppSvcReleaseActiveList
[LteRrc] 0x414db999 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]CLEAR OPFLAG :(MAIN-SUPP_SVC_CANCLE_DISPATCH)
[LteRrc] 0x414dba49 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][ProcessMsg] LTERRC_MSG_EMPTY
[LteRrc] 0x40d5aebb 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_ProcSysInfo.c] - [MAIN]NOT in Background operation (M_state: 1)
[LteRrc] 0x414dd8df 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]DrxEnd: gDrxRrc_Flag 0 gDrxL1_Flag 1 gDrxRrc_SaveL1Flag 1
[LteRrc] 0x414dd917 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Support Band num(0) band1(0) band2(0) ALPSS REL(2) Capa REL(4)
[LteRrc] 0x414dd937 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Entity (83) (19) (201)
```

It doesn't look like the message has touched a decoder. Can you give a concrete example of a queue item for any RRC messages?
Unfortunately, it's a bit more complex in this scenario. There are two important things to consider here:

We never really injected

```python
import struct

# change logging to only include relevant parts
self.guest_logger.task_log_disable_all()
self.guest_logger.task_log_enable('LteRrc')

# our variables
asn_pl = b"\x20\x1b\x3f\x80\x00\x00\x00\x01\xa9\x08\x80\x00\x00\x29\x00\x97\x80\x00\x00\x00\x01\x04\x22\x14\x00\xf8\x02\x0a\xc0\x60\x00\xa0\x0c\x80\x42\x02\x9f\x43\x07\xda\xbc\xf8\x4b\x32\x18\x34\xc0\x00\x2d\x68\x08\x5e\x18\x00\x16\x80\x00"
unused = 0
pdu = 0  # You will need to change this. Either static baseband RE, or trying and checking FirmWire's output
op = self.loader.symbol_table.lookup('SYM_LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID').address

# create clean working state
self.restore_snapshot('interactive')
gl = self.get_peripheral('glink')

# we will need an allocated chunk in memory to hold the ASN payload
gl.create_block(len(asn_pl))
self.run_for(1)
block_addr = gl.access
self.qemu.wm(block_addr, 1, asn_pl, raw=True)

# Create message as described in fuzz task header
pl = struct.pack('<IIII', unused, pdu, len(asn_pl), block_addr)

# Send the message in the right format (which is, a "direct" message whose pl is UNUSED+PDU+LEN+*ASN_PL)
gl.send_queue_op(False, 'LTERRC', op, 0, pl)
gl.set_event('LTE_RRC_')  # LTE RRC messages need to have an event set
self.run_for(1)
```

Running the above code from the console results, on my end, in the following output:

Note that it attempts ASN decoding, but fails, as the wrong PDU for your payload was set. (Looking at the log, pdu 0 seems to encode

//edit: Also, we would happily accept a PR which extends guest-link with a
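To make the queue-item layout from the comment above concrete, here is an added example of my own (not FirmWire's code and not part of the original thread) that packs the UNUSED+PDU+LEN+*ASN_PL payload and parses it back against a constructed guest-memory view. The function names, the block address `0x40000000` and the `GUEST_MEM` dict are assumptions for the example; in FirmWire the block would come from `gl.create_block()` and the pointer from `gl.access`. The parser enforces the three checks a consuming task needs before handing bytes to a decoder (item size, pointer validity, LEN versus block size), and it rejects the inlined form from the earlier comment, where the ASN bytes follow the header instead of being referenced by a pointer.

```python
import struct

# Layout of the LTE RRC queue-item payload as described in the comment above:
# four little-endian uint32 fields (UNUSED, PDU, LEN, *ASN_PL). The ASN.1
# bytes are NOT part of the item; the last field is a guest pointer to a
# separately allocated block that holds them.
QITEM_PL_FMT = "<IIII"
QITEM_PL_SIZE = struct.calcsize(QITEM_PL_FMT)  # 16 bytes

# The payload bytes used throughout the thread (57 bytes).
ASN_PL = (
    b"\x20\x1b\x3f\x80\x00\x00\x00\x01\xa9\x08\x80\x00\x00\x29\x00\x97"
    b"\x80\x00\x00\x00\x01\x04\x22\x14\x00\xf8\x02\x0a\xc0\x60\x00\xa0"
    b"\x0c\x80\x42\x02\x9f\x43\x07\xda\xbc\xf8\x4b\x32\x18\x34\xc0\x00"
    b"\x2d\x68\x08\x5e\x18\x00\x16\x80\x00"
)

# Constructed stand-in for guest memory: address -> bytes of the allocated
# block. The address is an arbitrary example value, not a real allocation.
BLOCK_ADDR = 0x40000000
GUEST_MEM = {BLOCK_ADDR: ASN_PL}


def build_qitem_payload(unused, pdu, asn_pl, block_addr):
    """Pack UNUSED+PDU+LEN+*ASN_PL. LEN is derived from the payload so the
    two cannot drift apart; the bytes themselves stay in the guest block."""
    if not 0 <= block_addr <= 0xFFFFFFFF:
        raise ValueError("block_addr must be a 32-bit guest pointer")
    return struct.pack(QITEM_PL_FMT, unused, pdu, len(asn_pl), block_addr)


def parse_qitem_payload(pl, guest_mem):
    """Unpack a queue-item payload and resolve its pointer against guest_mem.
    Returns (pdu, asn_pl). Raises ValueError for the three things a consumer
    must check before decoding: wrong item size, dangling pointer, and a LEN
    larger than the block it points to."""
    if len(pl) != QITEM_PL_SIZE:
        raise ValueError(f"expected {QITEM_PL_SIZE} bytes, got {len(pl)}")
    _unused, pdu, length, ptr = struct.unpack(QITEM_PL_FMT, pl)
    block = guest_mem.get(ptr)
    if block is None:
        raise ValueError(f"pointer {ptr:#x} does not reference an allocated block")
    if length > len(block):
        raise ValueError(f"LEN {length} exceeds block size {len(block)}")
    return pdu, block[:length]


def describe_qitem_payload(pl, guest_mem):
    """Never-raising wrapper that returns a one-line verdict for logging."""
    try:
        pdu, asn_pl = parse_qitem_payload(pl, guest_mem)
    except ValueError as exc:
        return f"invalid: {exc}"
    return f"pdu={pdu} len={len(asn_pl)} first_bytes={asn_pl[:4].hex()}"


def inline_attempt():
    """The third attempt from the earlier comment: a 20-byte header followed
    directly by the ASN bytes, rather than a pointer to them."""
    return struct.pack("<IIIII", 0xc3a0, 0x10, 0, 0, len(ASN_PL)) + ASN_PL


if __name__ == "__main__":
    good = build_qitem_payload(0, 0, ASN_PL, BLOCK_ADDR)
    print(describe_qitem_payload(good, GUEST_MEM))
    print(describe_qitem_payload(inline_attempt(), GUEST_MEM))
    print(describe_qitem_payload(build_qitem_payload(0, 0, ASN_PL, 0x40001000), GUEST_MEM))
```

Run stand-alone, the first line reports the well-formed item, the second shows why the inlined 77-byte message is not a valid 16-byte queue item, and the third shows a pointer that does not resolve to any allocated block.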
Hi, @mariusmue @grant-h, I have the following code and console output.

```c
#include <common.h>

char buf[] = "\x22\x12\x15\xe8\x00\x04\x05\x84\xc9\x00\x41\x6e\x1a\x6d\xc4\x0f";
const char TASK_NAME[] = "AFL_LTE_RRC\0";
static uint32_t qid;

void task_main()
{
    /* ... */
}
```

Console output:
How do you access the firmware DBG messages while running in Console mode? The documentation does not make this clear.
I am reading the fuzz task for LTE RRC, and I have some questions about the queue item structure used in this fuzzer.

- `pdu_type`?
- `asn_pl` follows the following ASN1 format from RRCConnectionReconfiguration payload? (source)

Can you provide an example queue item?