1*7eba2f3bSAndroid Build Coastguard Worker #include "fuzz.h"
2*7eba2f3bSAndroid Build Coastguard Worker
// Synthesises a HAL-level event (open/close/post-init complete are the ones
// used in this file) and hands it straight to the NFC stack's HAL event
// handler, in the caller's context. Only the event code in the header is set;
// the rest of the header stays zero from value-initialisation.
void hal_inject_event(uint8_t hal_evt, tHAL_NFC_STATUS status) {
  tNFC_HAL_EVT_MSG msg = {};  // len, offset and layer_specific are left at 0
  msg.hdr.event = BT_EVT_TO_NFC_MSGS;
  msg.hal_evt = hal_evt;
  msg.status = status;

  FUZZLOG("Injecting event to NFC code: event=%d, status=%d", hal_evt, status);
  nfc_main_handle_hal_evt(&msg);
}
16*7eba2f3bSAndroid Build Coastguard Worker
// Feeds a raw NCI packet into the NFC stack as if the controller had sent it.
// The bytes are copied into a fresh GKI buffer laid out as the stack expects
// (NFC_HDR, then NFC_RECEIVE_MSGS_OFFSET bytes of headroom, then the payload)
// and dispatched through nfc_ncif_process_event.
//
// Returns false only when no GKI buffer could be obtained; the packet is then
// dropped. Note that the copy into nfc_cb.last_hdr below happens before that
// check, so it takes effect even on the failure path.
bool hal_inject_data(const uint8_t* p_data, uint16_t data_len) {
  FUZZLOG("Injecting data to NFC stack: %s",
          BytesToHex(p_data, data_len).c_str());

  // nfc_ncif_process_event checks an NCI response against the header of the
  // last command the stack sent (nfc_cb.last_hdr). Mimic a matching exchange
  // by seeding last_hdr from the injected packet itself, provided the packet
  // is long enough to hold a full header.
  if (data_len >= sizeof(nfc_cb.last_hdr)) {
    memcpy(nfc_cb.last_hdr, p_data, sizeof(nfc_cb.last_hdr));
  }

  // NOTE(review): the size is computed in size_t here; if GKI_getbuf takes a
  // 16-bit size the sum could be narrowed for data_len near UINT16_MAX —
  // confirm against the GKI prototype.
  NFC_HDR* p_msg = (NFC_HDR*)GKI_getbuf(sizeof(NFC_HDR) +
                                        NFC_RECEIVE_MSGS_OFFSET + data_len);
  if (p_msg == nullptr) {
    LOG(ERROR) << StringPrintf("No buffer");
    return false;
  }

  /* Initialize NFC_HDR */
  p_msg->len = data_len;
  p_msg->event = BT_EVT_TO_NFC_NCI;
  p_msg->offset = NFC_RECEIVE_MSGS_OFFSET;

  // Payload starts right after the header plus the configured headroom.
  uint8_t* payload = (uint8_t*)(p_msg + 1) + p_msg->offset;
  memcpy(payload, p_data, p_msg->len);

  // The buffer is released here when nfc_ncif_process_event returns true;
  // presumably that signals the stack did not keep it — verify in nfc_ncif.
  if (nfc_ncif_process_event(p_msg)) {
    GKI_freebuf(p_msg);
  }
  return true;
}
49*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "initialize": there is no controller to bring up, so the call is
// only recorded.
static void HalInitialize() {
  FUZZLOG("HAL_OP: type=initialize");
}
51*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "terminate": nothing to tear down, the call is only recorded.
static void HalTerminate() {
  FUZZLOG("HAL_OP: type=terminate");
}
53*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "open". Both callbacks the stack registers are ignored: rather than
// reporting completion through them, the open-complete event is injected
// directly with hal_inject_event, and always as a success.
static void HalOpen(tHAL_NFC_CBACK* /*p_hal_inject_event*/,
                    tHAL_NFC_DATA_CBACK* /*p_data_cback*/) {
  FUZZLOG("HAL_OP, type=open");
  const uint8_t completion_evt = HAL_NFC_OPEN_CPLT_EVT;
  hal_inject_event(completion_evt, HAL_NFC_STATUS_OK);
}
59*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "close": immediately reports close-complete with a success status
// via hal_inject_event.
static void HalClose() {
  FUZZLOG("HAL_OP, type=close");
  const uint8_t completion_evt = HAL_NFC_CLOSE_CPLT_EVT;
  hal_inject_event(completion_evt, HAL_NFC_STATUS_OK);
}
64*7eba2f3bSAndroid Build Coastguard Worker
// Canned NCI traffic used by HalWrite to answer the stack's start-up commands.
// Each packet is [MT|GID] [OID] [payload length] [payload...]; here the first
// byte is 0x20 for a core command, 0x40 for the matching response and 0x60
// for a core notification. The third byte always equals the number of bytes
// that follow it.

// CORE_RESET_CMD as the stack sends it.
const uint8_t reset_req[] = {0x20, 0x00, 0x01, 0x01};

// CORE_RESET_RSP, 1-byte payload.
const uint8_t reset_rsp[] = {0x40, 0x00, 0x01, 0x00};

// CORE_RESET_NTF, 9-byte payload.
const uint8_t reset_ntf[] = {0x60, 0x00, 0x09,
                             0x02, 0x01, 0x20, 0x04, 0x04, 0x51, 0x12, 0x01, 0x90};

// CORE_INIT_CMD as the stack sends it.
const uint8_t init_req[] = {0x20, 0x01, 0x02, 0x00, 0x00};

// CORE_INIT_RSP, 30-byte payload describing the emulated controller.
const uint8_t init_rsp[] = {0x40, 0x01, 0x1E,
                            0x00, 0x1A, 0x7E, 0x06, 0x01, 0x01, 0x5C, 0x03,
                            0xFF, 0xFF, 0x01, 0xFF, 0x00, 0x08, 0x00, 0x00,
                            0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x80, 0x00,
                            0x82, 0x00, 0x83, 0x00, 0x84, 0x00};
78*7eba2f3bSAndroid Build Coastguard Worker
// True when the outgoing command is byte-for-byte one of the canned requests.
// The length is compared first so memcmp never reads past either buffer.
static bool IsCannedCommand(const uint8_t* p_data, uint16_t data_len,
                            const uint8_t* expected, size_t expected_len) {
  return data_len == expected_len && memcmp(expected, p_data, data_len) == 0;
}

// Fuzz HAL "write": receives the NCI command the stack wants to send. Only the
// two start-up commands get a canned reply (reset: response plus notification;
// init: response) so that initialisation can complete. Any other command is
// logged and dropped. The bool result of hal_inject_data is not checked.
static void HalWrite(uint16_t data_len, uint8_t* p_data) {
  FUZZLOG("HAL_OP: type=write, data=%s", BytesToHex(p_data, data_len).c_str());

  if (IsCannedCommand(p_data, data_len, reset_req, sizeof(reset_req))) {
    hal_inject_data(reset_rsp, sizeof(reset_rsp));
    hal_inject_data(reset_ntf, sizeof(reset_ntf));
    return;
  }
  if (IsCannedCommand(p_data, data_len, init_req, sizeof(init_req))) {
    hal_inject_data(init_rsp, sizeof(init_rsp));
  }
}
91*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "coreInitialized": the CORE_INIT_RSP parameters handed over by the
// stack are only logged, then post-init completion is reported as a success.
static void HalCoreInitialized(uint16_t data_len,
                               uint8_t* p_core_init_rsp_params) {
  FUZZLOG("HAL_OP: type=coreInitialized, data=%s",
          BytesToHex(p_core_init_rsp_params, data_len).c_str());
  const uint8_t completion_evt = HAL_NFC_POST_INIT_CPLT_EVT;
  hal_inject_event(completion_evt, HAL_NFC_STATUS_OK);
}
98*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "prediscover": always answers false, i.e. no pre-discovery step is
// performed by this HAL.
static bool HalPrediscover() {
  const bool handled = false;
  FUZZLOG("HAL_OP: type=prediscover, return=false");
  return handled;
}
103*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "controlGranted": no-op apart from the log line.
static void HalControlGranted() {
  FUZZLOG("HAL_OP: type=controlGranted");
}
105*7eba2f3bSAndroid Build Coastguard Worker
// Fuzz HAL "powerCycle": no-op apart from the log line; no event is injected.
static void HalPowerCycle() {
  FUZZLOG("HAL_OP: type=powerCycle");
}
107*7eba2f3bSAndroid Build Coastguard Worker
// Magic value from the real NFC code.
#define MAX_NFC_EE 2

// Fuzz HAL "getMaxNfcee": reports a fixed number of supported NFCEEs
// (MAX_NFC_EE) so the stack sizes its NFCEE handling the same way it would
// with the real HAL.
static uint8_t HalGetMaxNfcee() {
  const uint8_t max_ee = MAX_NFC_EE;
  FUZZLOG("HAL_OP: type=getMaxNfcee, return=%d", max_ee);
  return max_ee;
}
114*7eba2f3bSAndroid Build Coastguard Worker
// Function table handed to the NFC stack in place of a real HAL. Every entry
// points at one of the fuzz stubs above: lifecycle calls just log, open/close/
// core_initialized report success immediately through hal_inject_event, and
// write answers only the canned CORE_RESET / CORE_INIT commands.
// Designated initialisers keep this independent of the field order in
// tHAL_NFC_ENTRY; fields not listed are zero (null function pointers).
static tHAL_NFC_ENTRY s_halFuncEntries = {
    .initialize = HalInitialize,
    .terminate = HalTerminate,
    .open = HalOpen,
    .close = HalClose,
    .core_initialized = HalCoreInitialized,
    .write = HalWrite,
    .prediscover = HalPrediscover,
    .control_granted = HalControlGranted,
    .power_cycle = HalPowerCycle,
    .get_max_ee = HalGetMaxNfcee,
};
127*7eba2f3bSAndroid Build Coastguard Worker
// Exposes the fuzz HAL function table to the rest of the fuzzer. The pointer
// refers to the file-scope static s_halFuncEntries and stays valid for the
// lifetime of the process; callers must not free it.
tHAL_NFC_ENTRY* get_hal_func_entries() {
  tHAL_NFC_ENTRY* entries = &s_halFuncEntries;
  return entries;
}