The issue
I am trying to set up fuzzing on one of the firmware binaries that uses FreeRTOS. I have referred to the original application's source linker scripts and ensured that all sections are mapped in their respective memory regions.
Running fuzzware's tracing mode, I get:
fuzzware emu -c ./config.yml -v -d -M pinetime-app-1.14.0.bin
... redacted trace for readability: last 100 lines of the exec trace
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000ee9b[SP:+1165] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000ee9c[SP:+1164] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000ee9d[SP:+1163] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000ee9e[SP:+1162] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000ee9f[SP:+1161] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea0[SP:+1160] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea1[SP:+115f] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea2[SP:+115e] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea3[SP:+115d] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea4[SP:+115c] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea5[SP:+115b] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea6[SP:+115a] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea7[SP:+1159] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea8[SP:+1158] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eea9[SP:+1157] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eeaa[SP:+1156] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eeab[SP:+1155] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eeac[SP:+1154] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eead[SP:+1153] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eeae[SP:+1152] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
>>> Write: addr= 0x2000eeaf[SP:+1151] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e130 (lr=0x2b3)
Basic Block: addr= 0x00000000000002b2 (lr=0x2b3)
>>> Read: addr= 0x00000000000002ec size=4 data=0x00000000 (pc 0x000002b2)
Basic Block: addr= 0x00000000000002ba (lr=0x2b3)
>>> Read: addr= 0x00000000000002f0 size=4 data=0x00000000 (pc 0x000002ba)
Basic Block: addr= 0x00000000000002c2 (lr=0x2b3)
>>> Read: addr= 0x0000000000000300 size=4 data=0x00000000 (pc 0x000002ca)
Basic Block: addr= 0x00000000000002d6 (lr=0x2b3)
Basic Block: addr= 0x000000000005be08 (lr=0x2db)
>>> Write: addr= 0x2000fff0[SP:+0010] size=4 data=0x00000000 (pc 0x0005be08)
>>> Write: addr= 0x2000fff4[SP:+000c] size=4 data=0x00000000 (pc 0x0005be08)
>>> Write: addr= 0x2000fff8[SP:+0008] size=4 data=0x00000000 (pc 0x0005be08)
>>> Write: addr= 0x2000fffc[SP:+0004] size=4 data=0x000002db (pc 0x0005be08)
>>> Read: addr= 0x000000000005be40 size=4 data=0x20000394 (pc 0x0005be0a)
>>> Read: addr= 0x000000000005be44 size=4 data=0x20000394 (pc 0x0005be0c)
Basic Block: addr= 0x000000000005be18 (lr=0x2db)
>>> Read: addr= 0x000000000005be48 size=4 data=0x20000394 (pc 0x0005be18)
>>> Read: addr= 0x000000000005be4c size=4 data=0x200003a0 (pc 0x0005be1a)
Basic Block: addr= 0x000000000005fb98 (lr=0x5be21)
>>> Write: addr= 0x2000ffd8[SP:+0018] size=4 data=0x00000000 (pc 0x0005fb98)
>>> Write: addr= 0x2000ffdc[SP:+0014] size=4 data=0x200003a0 (pc 0x0005fb98)
>>> Write: addr= 0x2000ffe0[SP:+0010] size=4 data=0x20000394 (pc 0x0005fb98)
>>> Write: addr= 0x2000ffe4[SP:+000c] size=4 data=0x00000000 (pc 0x0005fb98)
>>> Write: addr= 0x2000ffe8[SP:+0008] size=4 data=0x00000000 (pc 0x0005fb98)
>>> Write: addr= 0x2000ffec[SP:+0004] size=4 data=0x0005be21 (pc 0x0005fb98)
>>> Read: addr= 0x2000ffd8[SP:+0000] size=4 data=0x00000000 (pc 0x0005fb9c)
>>> Read: addr= 0x2000ffdc[SP:-0004] size=4 data=0x200003a0 (pc 0x0005fb9c)
>>> Read: addr= 0x2000ffe0[SP:-0008] size=4 data=0x20000394 (pc 0x0005fb9c)
>>> Read: addr= 0x2000ffe4[SP:-000c] size=4 data=0x00000000 (pc 0x0005fb9c)
>>> Read: addr= 0x2000ffe8[SP:-0010] size=4 data=0x00000000 (pc 0x0005fb9c)
>>> Read: addr= 0x2000ffec[SP:+0000] size=4 data=0x0005be21 (pc 0x0005fb9e)
Basic Block: addr= 0x000000000005be20 (lr=0x5be21)
Basic Block: addr= 0x000000000005be36 (lr=0x5be21)
>>> Read: addr= 0x0000000020000394 size=4 data=0x00000000 (pc 0x0005be36)
[FORKSERVER SETUP] It looks like we are not running under AFL, going for single input
[ERROR] Could not retrieve the number of required ticks during discovery forking
This is my config.yml:
interrupt_triggers:
  trigger:
    every_nth_tick: 1000
    fuzz_mode: fuzzed
memory_map:
  ram:
    base_addr: 0x20000000
    permissions: rw-
    size: 0x100000
  mmio:
    base_addr: 0x40000000
    permissions: rw-
    size: 0x20000000
  nvic:
    base_addr: 0xe0000000
    permissions: rw-
    size: 0x10000000
  irq_ret:
    base_addr: 0xfffff000
    permissions: --x
    size: 0x1000
  text:
    is_entry: true
    base_addr: 0x00000000
    permissions: r-x
    size: 0x7337c
    file: pinetime-app-1.14.0.out
    file_offset: 0x10000
    file_size: 0x7337c
    ivt_offset: 0x0
  nrf_registers:
    base_addr: 0xf0000000
    permissions: rw-
    size: 0x1000
  ficr_region:
    base_addr: 0x10000000
    permissions: rw-
    size: 0x1000
  uicr_region:
    base_addr: 0x10001000
    permissions: rw-
    size: 0x1000
symbols:
  ... symbols follow
...
Feels like I'm missing something very trivial here; do let me know if there's anything obvious.
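To sanity-check a trace like the one above against the regions declared in config.yml, here is an added Python helper (example code, not part of fuzzware or of the issue): it parses the Basic Block / Read / Write lines, counts accesses per configured region, flags any access that falls outside every region, and reports the most-executed block (the tight 0x5e12c/0x5e132 loop in the trace above would show up there). The memory map is copied from the issue's config; the sample trace lines are constructed.

```python
import re
from collections import Counter

# Memory map as (base_addr, size), copied from the config.yml in the issue.
MEMORY_MAP = {
    "ram": (0x20000000, 0x100000), "mmio": (0x40000000, 0x20000000),
    "nvic": (0xe0000000, 0x10000000), "irq_ret": (0xfffff000, 0x1000),
    "text": (0x00000000, 0x7337c), "nrf_registers": (0xf0000000, 0x1000),
    "ficr_region": (0x10000000, 0x1000), "uicr_region": (0x10001000, 0x1000),
}
BB_RE = re.compile(r"Basic Block: addr= 0x([0-9a-f]+)")
ACC_RE = re.compile(r">>> (Read|Write): addr= 0x([0-9a-f]+)(?:\[SP:[+-][0-9a-f]+\])? size=(\d+) data=0x([0-9a-f]+) \(pc 0x([0-9a-f]+)\)")
# Constructed sample in the issue's trace format; the last line is a made-up access
# just past the end of the ram region, which no configured region covers.
SAMPLE = """Basic Block: addr= 0x000000000005be36 (lr=0x5be21)
>>> Read: addr= 0x0000000020000394 size=4 data=0x00000000 (pc 0x0005be36)
>>> Write: addr= 0x2000fffc[SP:+0004] size=4 data=0x000002db (pc 0x0005be08)
>>> Read: addr= 0x0000000020100000 size=4 data=0x00000000 (pc 0x0005be36)"""

def region_of(addr):
    """Name of the configured region containing addr, or None if it is unmapped."""
    for name, (base, size) in MEMORY_MAP.items():
        if base <= addr < base + size:
            return name
    return None

def parse_trace(text):
    """Parse trace lines into ('bb', addr) and ('rw', kind, addr, size, data, pc) events."""
    events = []
    for line in text.splitlines():
        if m := BB_RE.search(line):
            events.append(("bb", int(m.group(1), 16)))
        elif m := ACC_RE.search(line):
            kind, addr, size, data, pc = m.groups()
            events.append(("rw", kind, int(addr, 16), int(size), int(data, 16), int(pc, 16)))
    return events

def summarize(events):
    """Accesses per (region, kind), accesses hitting no region, and the most-executed block."""
    per_region, blocks, unmapped = Counter(), Counter(), []
    for ev in events:
        if ev[0] == "bb":
            blocks[ev[1]] += 1
            continue
        _, kind, addr, _size, _data, pc = ev
        name = region_of(addr)
        if name is None:
            unmapped.append((kind, addr, pc))  # lands outside every memory_map region
        else:
            per_region[(name, kind)] += 1
    return per_region, unmapped, (blocks.most_common(1) or [None])[0]
```

Feed it the full exec trace instead of SAMPLE to see which regions the firmware touches before the run stops and whether any access escapes the configured map.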