Questions About Memory Addresses and Functions in Boot Segment #11

LittleNewton opened this issue Aug 12, 2024 · 1 comment
@LittleNewton

```yaml
# Description of a successful boot process of the firmware image
boot:
  # A list of addresses required for a successful boot
  required:
    # An address (or symbol) in this list may indicate the if/else branch of a positive check
    - 0x0800052A
    # Or a function which activates a peripheral which is only called in case all checks were successful
    - activate_uart_peripheral
  # A list of addresses which indicate a failed boot
  avoid:
    # if/else branch of a failed check
    - 0x08000518
    # an error output function logging an error condition
    - log_error
  # Address at which the firmware is considered booted (successfully or unsuccessfully based on the previous config attributes)
  target: idle
# This configuration is used to derive a firmware state which is considered to be booted successfully and continue fuzzing from here
```

Hi there. I am working on understanding memory addresses and functions in the boot segment and have some questions to ensure I am on the right track.

  1. In the required section, we mention addresses and functions. Does address mean that it tells fuzzware which branch to take to avoid errors? For example, if jumping to LABEL in a bne <LABEL> instruction causes a dead loop that fails to start, and not jumping continues correct execution, does the address help fuzzware to find the right jump target in the boot segment?
  2. I’m not clear why we need to specify certain functions. Could you provide an example to help me understand?

The fuzzware documentation is great, but I need a bit more help to fully grasp these points. Thanks in advance for your assistance!

@Scepticz
Contributor

Hi LittleNewton,

yes, the required addresses indicate all the basic block addresses that need to be visited so that the boot process is considered valid. An example could be: You want the firmware during boot to initialize the network stack successfully, so the function init_network needs to be called during boot. In this case, you would include init_network as part of the required function. Within the init_network function, there may also be a function network_init_finalize which is called at the very end of network initialization where you know the full network initialization has been performed correctly, without errors. In that case, you could also add network_init_finalize to the required list.

Best
Tobi
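To make the semantics of the `required` / `avoid` / `target` fields from the config above and Tobi's answer concrete, here is an added example (not Fuzzware's own code) that classifies a constructed basic-block trace against that config. The symbol table, the trace addresses and the exact evaluation order (an `avoid` hit fails immediately, `required` is checked when `target` is reached) are assumptions for illustration.

```python
"""Simplified checker for the boot section of a Fuzzware-style config.
Added example, not Fuzzware's implementation: it models how 'required',
'avoid' and 'target' entries decide whether a boot trace counts as booted."""

# Constructed symbol table standing in for the firmware's ELF symbols
SYMBOLS = {
    "activate_uart_peripheral": 0x08000600,
    "log_error": 0x08000700,
    "idle": 0x08000800,
}

# The 'boot' section of the issue's YAML, as a Python dict (assumed layout)
BOOT_CONFIG = {
    "required": [0x0800052A, "activate_uart_peripheral"],
    "avoid": [0x08000518, "log_error"],
    "target": "idle",
}

def resolve(entry, symbols=SYMBOLS):
    """Turn a config entry (int address, hex string or symbol name) into an address."""
    if isinstance(entry, int):
        return entry
    if isinstance(entry, str):
        if entry.lower().startswith("0x"):
            return int(entry, 16)
        if entry in symbols:
            return symbols[entry]
    raise KeyError(f"unknown boot config entry: {entry!r}")

def check_boot(trace, config=BOOT_CONFIG, symbols=SYMBOLS):
    """Classify a trace of executed basic-block addresses.
    Returns (status, detail): 'failed' on an avoid hit, 'booted' when the
    target is reached with every required block visited, else 'incomplete'."""
    required = {resolve(e, symbols) for e in config["required"]}
    avoid = {resolve(e, symbols) for e in config["avoid"]}
    target = resolve(config["target"], symbols)
    visited = set()
    for addr in trace:
        if addr in avoid:  # a failed-check branch or error logger was executed
            return "failed", f"hit avoid address {addr:#010x}"
        visited.add(addr)
        if addr == target:  # boot finished; all required blocks must be seen
            missing = required - visited
            if missing:
                return "incomplete", f"missing {[f'{m:#010x}' for m in sorted(missing)]}"
            return "booted", "target reached with all required blocks visited"
    return "incomplete", "target never reached"

# Constructed traces: positive-check path vs. failed-check path (addresses are made up)
GOOD_TRACE = [0x08000500, 0x0800052A, 0x08000600, 0x08000800]
BAD_TRACE = [0x08000500, 0x08000518, 0x08000700, 0x08000800]
```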
