[FORKSERVER SETUP] It looks like we are not running under AFL, going for single input #47

Open
PwnVerse opened this issue Jan 19, 2025 · 1 comment

Comments

@PwnVerse

PwnVerse commented Jan 19, 2025

The issue

I am trying to set up fuzzing on one of the firmware binaries that uses FreeRTOS. I have referred to the original application's source linker scripts and ensured that all sections are mapped in their respective memory regions.

Running fuzzware's tracing mode I have -

fuzzware emu -c ./config.yml -v -d -M pinetime-app-1.14.0.bin
... redacted trace for readability: last 100 lines of the exectrace
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000ee9b[SP:+1165] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000ee9c[SP:+1164] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000ee9d[SP:+1163] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000ee9e[SP:+1162] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000ee9f[SP:+1161] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea0[SP:+1160] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea1[SP:+115f] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea2[SP:+115e] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea3[SP:+115d] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea4[SP:+115c] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea5[SP:+115b] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea6[SP:+115a] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea7[SP:+1159] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea8[SP:+1158] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eea9[SP:+1157] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eeaa[SP:+1156] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eeab[SP:+1155] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eeac[SP:+1154] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eead[SP:+1153] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eeae[SP:+1152] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e132 (lr=0x2b3)
        >>> Write: addr= 0x2000eeaf[SP:+1151] size=1 data=0x00000000 (pc 0x0005e132)
Basic Block: addr= 0x000000000005e12c (lr=0x2b3)
Basic Block: addr= 0x000000000005e130 (lr=0x2b3)
Basic Block: addr= 0x00000000000002b2 (lr=0x2b3)
        >>> Read: addr= 0x00000000000002ec size=4 data=0x00000000 (pc 0x000002b2)
Basic Block: addr= 0x00000000000002ba (lr=0x2b3)
        >>> Read: addr= 0x00000000000002f0 size=4 data=0x00000000 (pc 0x000002ba)
Basic Block: addr= 0x00000000000002c2 (lr=0x2b3)
        >>> Read: addr= 0x0000000000000300 size=4 data=0x00000000 (pc 0x000002ca)
Basic Block: addr= 0x00000000000002d6 (lr=0x2b3)
Basic Block: addr= 0x000000000005be08 (lr=0x2db)
        >>> Write: addr= 0x2000fff0[SP:+0010] size=4 data=0x00000000 (pc 0x0005be08)
        >>> Write: addr= 0x2000fff4[SP:+000c] size=4 data=0x00000000 (pc 0x0005be08)
        >>> Write: addr= 0x2000fff8[SP:+0008] size=4 data=0x00000000 (pc 0x0005be08)
        >>> Write: addr= 0x2000fffc[SP:+0004] size=4 data=0x000002db (pc 0x0005be08)
        >>> Read: addr= 0x000000000005be40 size=4 data=0x20000394 (pc 0x0005be0a)
        >>> Read: addr= 0x000000000005be44 size=4 data=0x20000394 (pc 0x0005be0c)
Basic Block: addr= 0x000000000005be18 (lr=0x2db)
        >>> Read: addr= 0x000000000005be48 size=4 data=0x20000394 (pc 0x0005be18)
        >>> Read: addr= 0x000000000005be4c size=4 data=0x200003a0 (pc 0x0005be1a)
Basic Block: addr= 0x000000000005fb98 (lr=0x5be21)
        >>> Write: addr= 0x2000ffd8[SP:+0018] size=4 data=0x00000000 (pc 0x0005fb98)
        >>> Write: addr= 0x2000ffdc[SP:+0014] size=4 data=0x200003a0 (pc 0x0005fb98)
        >>> Write: addr= 0x2000ffe0[SP:+0010] size=4 data=0x20000394 (pc 0x0005fb98)
        >>> Write: addr= 0x2000ffe4[SP:+000c] size=4 data=0x00000000 (pc 0x0005fb98)
        >>> Write: addr= 0x2000ffe8[SP:+0008] size=4 data=0x00000000 (pc 0x0005fb98)
        >>> Write: addr= 0x2000ffec[SP:+0004] size=4 data=0x0005be21 (pc 0x0005fb98)
        >>> Read: addr= 0x2000ffd8[SP:+0000] size=4 data=0x00000000 (pc 0x0005fb9c)
        >>> Read: addr= 0x2000ffdc[SP:-0004] size=4 data=0x200003a0 (pc 0x0005fb9c)
        >>> Read: addr= 0x2000ffe0[SP:-0008] size=4 data=0x20000394 (pc 0x0005fb9c)
        >>> Read: addr= 0x2000ffe4[SP:-000c] size=4 data=0x00000000 (pc 0x0005fb9c)
        >>> Read: addr= 0x2000ffe8[SP:-0010] size=4 data=0x00000000 (pc 0x0005fb9c)
        >>> Read: addr= 0x2000ffec[SP:+0000] size=4 data=0x0005be21 (pc 0x0005fb9e)
Basic Block: addr= 0x000000000005be20 (lr=0x5be21)
Basic Block: addr= 0x000000000005be36 (lr=0x5be21)
        >>> Read: addr= 0x0000000020000394 size=4 data=0x00000000 (pc 0x0005be36)
[FORKSERVER SETUP] It looks like we are not running under AFL, going for single input
[ERROR] Could not retrieve the number of required ticks during discovery forking

This is my config.yml -

interrupt_triggers:
  trigger:
    every_nth_tick: 1000
    fuzz_mode: fuzzed
memory_map:
  ram:
    base_addr: 0x20000000
    permissions: rw-
    size: 0x100000
  mmio:
    base_addr: 0x40000000
    permissions: rw-
    size: 0x20000000
  nvic:
    base_addr: 0xe0000000
    permissions: rw-
    size: 0x10000000
  irq_ret:
    base_addr: 0xfffff000
    permissions: --x
    size: 0x1000
  text:
    is_entry: true
    base_addr: 0x00000000
    permissions: r-x
    size: 0x7337c
    file: pinetime-app-1.14.0.out
    file_offset: 0x10000
    file_size: 0x7337c
    ivt_offset: 0x0

  nrf_registers:
    base_addr: 0xf0000000
    permissions: rw-
    size: 0x1000

  ficr_region:
    base_addr: 0x10000000
    permissions: rw-
    size: 0x1000

  uicr_region:
    base_addr: 0x10001000
    permissions: rw-
    size: 0x1000
symbols:
... symbols follow
...

Feels like I'm missing something very trivial here, do let me know if there's anything obvious.

@Scepticz
Contributor

Hi PwnVerse :-)

The firmware seems to crash before reading any input.

The first thing that would be interesting to add to the command line while replaying this input is the -v flag to see the exit reason and -t to see function names. This may provide additional info on what happened.

Best
Tobi
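The reply above suggests replaying with more verbosity to learn why the firmware dies before its first input read. A complementary step is to check the memory_map itself before the emulator is started, because a crash before any input read is often a loader problem rather than a firmware bug. The script below is an added example written for this thread; it is not fuzzware code and does not use fuzzware's loader. It re-creates the memory_map from the issue as a Python dict (the elided symbols block is not needed) and checks the things that typically stop a Cortex-M image from reaching its first MMIO access: overlapping regions, a file that does not fit its region, an initial stack pointer that does not land in a writable region, and a reset vector that is not a Thumb address inside an executable region. The two firmware images at the bottom are constructed for the example (one valid, one deliberately broken); they are not the PineTime binary, and the assumption that `ivt_offset` is an offset into the loaded entry region is the script's own, not something the issue states. A region size is taken at face value: the checker cannot tell whether the 0x100000 RAM size matches the chip's actual SRAM, so sizes should still be cross-checked against the datasheet, since an oversized region silently absorbs accesses that real hardware would fault on.

```python
"""Pre-flight checks for a fuzzware-style memory_map and a raw Cortex-M image.

Added example for this issue thread; not part of fuzzware.  The memory_map is
transcribed from the issue; the two images below are constructed test data.
"""
import struct

# memory_map from the issue (the 'file' entry is a path; it is not opened here)
MEMORY_MAP = {
    "ram":  {"base_addr": 0x20000000, "permissions": "rw-", "size": 0x100000},
    "mmio": {"base_addr": 0x40000000, "permissions": "rw-", "size": 0x20000000},
    "nvic": {"base_addr": 0xE0000000, "permissions": "rw-", "size": 0x10000000},
    "irq_ret": {"base_addr": 0xFFFFF000, "permissions": "--x", "size": 0x1000},
    "text": {"is_entry": True, "base_addr": 0x0, "permissions": "r-x",
             "size": 0x7337C, "file": "pinetime-app-1.14.0.out",
             "file_offset": 0x10000, "file_size": 0x7337C, "ivt_offset": 0x0},
    "nrf_registers": {"base_addr": 0xF0000000, "permissions": "rw-", "size": 0x1000},
    "ficr_region": {"base_addr": 0x10000000, "permissions": "rw-", "size": 0x1000},
    "uicr_region": {"base_addr": 0x10001000, "permissions": "rw-", "size": 0x1000},
}

# Constructed images: first 8 bytes are the Cortex-M vector table head
# (initial SP, then reset handler).  Values are illustrative, not from the firmware.
GOOD_IMAGE = struct.pack("<II", 0x20010000, 0x00000401) + b"\x00" * 24
BAD_IMAGE = struct.pack("<II", 0x2FFF0000, 0x00000400) + b"\x00" * 24


def region_for(memory_map, addr, perm):
    """Name of the region containing addr that grants permission bit perm, else None."""
    for name, r in memory_map.items():
        if r["base_addr"] <= addr < r["base_addr"] + r["size"] and perm in r["permissions"]:
            return name
    return None


def find_overlaps(memory_map):
    """Pairs of regions whose address ranges intersect (end == next base is fine)."""
    regs = sorted(memory_map.items(), key=lambda kv: kv[1]["base_addr"])
    return [(a, b) for (a, ra), (b, rb) in zip(regs, regs[1:])
            if ra["base_addr"] + ra["size"] > rb["base_addr"]]


def parse_ivt(image, ivt_offset=0):
    """Initial SP and reset vector, little-endian, at ivt_offset into the image."""
    return struct.unpack_from("<II", image, ivt_offset)


def check_config(memory_map, image):
    """Return a list of human-readable problems; an empty list means the map looks sane."""
    problems = [f"regions overlap: {a} / {b}" for a, b in find_overlaps(memory_map)]
    entries = [(n, r) for n, r in memory_map.items() if r.get("is_entry")]
    if len(entries) != 1:
        problems.append(f"expected exactly one is_entry region, found {len(entries)}")
        return problems
    name, text = entries[0]
    if text.get("file_size", 0) > text["size"]:
        problems.append(f"{name}: file_size exceeds region size")
    ivt = text.get("ivt_offset", 0)  # assumption: offset into the entry region
    if len(image) < ivt + 8:
        problems.append(f"{name}: image too short to hold a vector table at {ivt:#x}")
        return problems
    sp, reset = parse_ivt(image, ivt)
    # Cortex-M stacks are full-descending: the first push lands at sp-4, so an
    # initial SP equal to the end of RAM is legal and must not be flagged.
    if region_for(memory_map, sp - 4, "w") is None:
        problems.append(f"initial SP {sp:#010x} does not point into a writable region")
    if reset & 1 == 0:
        problems.append(f"reset vector {reset:#010x} lacks the Thumb bit")
    if region_for(memory_map, reset & ~1, "x") is None:
        problems.append(f"reset vector {reset:#010x} is outside any executable region")
    return problems


if __name__ == "__main__":
    for label, img in (("good image", GOOD_IMAGE), ("bad image", BAD_IMAGE)):
        print(label, check_config(MEMORY_MAP, img) or "ok")
```

Run it against a real image by replacing the constructed bytes with the slice of the firmware file that the entry region loads (from `file_offset`, `file_size` bytes). If it reports nothing and the emulator still dies before the first input read, the problem is past the loader, and the `-v`/`-t` replay suggested above is the next step.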
