#include "fuzz.h"

#include <cstdint>
#include <cstring>
#include <limits>

#define MODULE_NAME "Type4 Read/Write"

// Sub-types of this fuzzer. Type4_Fuzz reduces its SubType argument modulo
// SUB_TYPE_MAX and Fuzz_Init starts the matching RW_T4t* operation before the
// captured responses are replayed.
enum {
  SUB_TYPE_DETECT_NDEF = 0,     // RW_T4tDetectNDef
  SUB_TYPE_READ_NDEF = 1,       // RW_T4tReadNDef
  SUB_TYPE_UPDATE_NDEF = 2,     // RW_T4tUpdateNDef
  SUB_TYPE_PRESENCE_CHECK = 3,  // RW_T4tPresenceCheck
  SUB_TYPE_SET_READ_ONLY = 4,   // RW_T4tSetNDefReadOnly
  SUB_TYPE_FORMAT_NDEF = 5,     // RW_T4tFormatNDef

  SUB_TYPE_MAX = 6  // one past the last valid sub-type; used as the modulus
};

// Callback handed to the RW layer by Init via RW_SetActivatedTagType.
// The harness never consumes the data the RW layer reports; it only logs the
// event and releases any GKI buffer the event carries, so that buffer does
// not outlive the callback. Only the raw-frame and NDEF-read events carry a
// buffer; every other event is log-only.
static void rw_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
  FUZZLOG(MODULE_NAME ": rw_cback: event=0x%02x, p_rw_data=%p", event,
          p_rw_data);

  // Frees the buffer (if any) and clears the pointer so it cannot be freed
  // twice by whoever inspects p_rw_data after us.
  auto release = [](auto*& buf) {
    if (buf == nullptr) {
      return;
    }
    GKI_freebuf(buf);
    buf = nullptr;
  };

  switch (event) {
    case RW_T4T_RAW_FRAME_EVT:
      release(p_rw_data->raw_frame.p_data);
      break;
    case RW_T4T_NDEF_READ_EVT:
    case RW_T4T_NDEF_READ_CPLT_EVT:
      release(p_rw_data->data.p_data);
      break;
    default:
      break;
  }
}

// Fixed 8-byte NFCID initializer. Not referenced anywhere in this file.
#define TEST_NFCID_VALUE { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 }

// Common setup for every sub-type: reset the RW layer and activate it as an
// ISO-DEP tag reached over Type A polling, registering rw_cback for the
// events it will raise. Presumably this is what routes the later RW_T4t*
// calls to the Type 4 handler; the routing itself lives inside
// RW_SetActivatedTagType. Returns false (after logging) if activation is
// refused.
static bool Init(Fuzz_Context& /*ctx*/) {
  // Value-initialised, so every field not set below is zero.
  tNFC_ACTIVATE_DEVT activate_params{};
  activate_params.protocol = NFC_PROTOCOL_ISO_DEP;
  activate_params.rf_tech_param.mode = NFC_DISCOVERY_TYPE_POLL_A;

  rw_init();
  const auto status = RW_SetActivatedTagType(&activate_params, rw_cback);
  if (status == NFC_STATUS_OK) {
    return true;
  }

  FUZZLOG(MODULE_NAME ": RW_SetActivatedTagType failed");
  return false;
}

// Starts a presence check (option 1) on the activated tag; the responses
// replayed by Fuzz_Run are then interpreted in that context. True on success.
static bool Init_PresenceCheck(Fuzz_Context& /*ctx*/) {
  const auto status = RW_T4tPresenceCheck(1);
  return status == NFC_STATUS_OK;
}

// Starts NDEF detection on the activated tag. True if the RW layer accepted
// the request.
static bool Init_DetectNDef(Fuzz_Context& /*ctx*/) {
  const auto status = RW_T4tDetectNDef();
  return status == NFC_STATUS_OK;
}

// Starts an NDEF read on the activated tag. True if the RW layer accepted
// the request.
static bool Init_ReadNDef(Fuzz_Context& /*ctx*/) {
  const auto status = RW_T4tReadNDef();
  return status == NFC_STATUS_OK;
}

// Starts an NDEF update with a fixed 16-byte payload. The payload is copied
// into a buffer owned by the fuzz context (ctx.GetBuffer) rather than passed
// from the stack, so it stays valid for as long as the RW layer may refer to
// it during the run. True if the RW layer accepted the request.
static bool Init_UpdateNDef(Fuzz_Context& ctx) {
  static const uint8_t kPayload[] = {0x01, 0x02, 0x03, 0x04, 0x01, 0x02,
                                     0x03, 0x04, 0x01, 0x02, 0x03, 0x04,
                                     0x01, 0x02, 0x03, 0x04};
  const auto payload_len = sizeof(kPayload);

  uint8_t* buf = ctx.GetBuffer(payload_len, kPayload);
  const auto status = RW_T4tUpdateNDef(payload_len, buf);
  return status == NFC_STATUS_OK;
}

// Starts formatting the activated tag for NDEF. True if the RW layer
// accepted the request.
static bool Init_FormatNDef(Fuzz_Context& /*ctx*/) {
  const auto status = RW_T4tFormatNDef();
  return status == NFC_STATUS_OK;
}

// Starts the set-read-only operation on the activated tag. True if the RW
// layer accepted the request.
static bool Init_SetNDefReadOnly(Fuzz_Context& /*ctx*/) {
  const auto status = RW_T4tSetNDefReadOnly();
  return status == NFC_STATUS_OK;
}

// Per-run setup: bring the RW layer up (Init) and then start the single T4T
// operation selected by ctx.SubType, so that the responses replayed by
// Fuzz_Run are fed into that operation's state machine. Returns false, after
// logging, if either step is refused; Type4_Fuzz then skips Fuzz_Run.
static bool Fuzz_Init(Fuzz_Context& ctx) {
  if (!Init(ctx)) {
    FUZZLOG(MODULE_NAME ": initialization failed");
    return false;
  }

  bool started = false;
  switch (ctx.SubType) {
    case SUB_TYPE_DETECT_NDEF:
      started = Init_DetectNDef(ctx);
      break;
    case SUB_TYPE_READ_NDEF:
      started = Init_ReadNDef(ctx);
      break;
    case SUB_TYPE_UPDATE_NDEF:
      started = Init_UpdateNDef(ctx);
      break;
    case SUB_TYPE_PRESENCE_CHECK:
      started = Init_PresenceCheck(ctx);
      break;
    case SUB_TYPE_SET_READ_ONLY:
      started = Init_SetNDefReadOnly(ctx);
      break;
    case SUB_TYPE_FORMAT_NDEF:
      started = Init_FormatNDef(ctx);
      break;
    default:
      // Not reachable through Type4_Fuzz, which reduces SubType modulo
      // SUB_TYPE_MAX; kept so a direct caller gets a clear log line.
      FUZZLOG(MODULE_NAME ": Unknown command %d", ctx.SubType);
      started = false;
      break;
  }

  if (!started) {
    FUZZLOG(MODULE_NAME ": Initializing command %02X failed", ctx.SubType);
  }
  return started;
}

// Tear-down after a run: if the NFC connection callback has been captured
// (rf_cback is set), deliver a synthetic deactivate-to-idle notification
// through it, presumably so the RW layer returns to its idle state and
// releases whatever the run left behind before the next input. Does nothing
// when no callback was captured.
static void Fuzz_Deinit(Fuzz_Context& /*ctx*/) {
  if (!rf_cback) {
    return;
  }

  tNFC_CONN conn{};
  conn.deactivate.status = NFC_STATUS_OK;
  conn.deactivate.type = NFC_DEACTIVATE_TYPE_IDLE;
  conn.deactivate.is_ntf = true;
  conn.deactivate.reason = NFC_DEACTIVATE_REASON_DH_REQ_FAILED;

  rf_cback(NFC_RF_CONN_ID, NFC_DEACTIVATE_CEVT, &conn);
}

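// Replay the fuzzer-supplied tag responses into the RW layer. Every element
// of ctx.Data after the first is wrapped in a GKI buffer as an NFC_HDR-
// prefixed message and delivered through the captured NFC connection
// callback (rf_cback) as an NFC_DATA_CEVT, as if the controller had received
// it from the tag. ctx.Data[0] is skipped (presumably reserved by the
// driver). Delivery stops at the first packet that cannot be turned into a
// message. Only called after Fuzz_Init succeeded.
static void Fuzz_Run(Fuzz_Context& ctx) {
  // cbegin() + 1 on an empty vector is undefined behaviour; with no
  // responses there is nothing to deliver anyway.
  if (ctx.Data.empty()) {
    return;
  }

  // NFC_HDR::len, and the size GKI_getbuf accepts, are narrow integers
  // (uint16_t in libnfc-nci). A packet above this bound would be allocated
  // truncated yet copied in full below, overflowing the GKI buffer inside the
  // harness instead of exercising the stack under test, so it is rejected.
  constexpr size_t kMaxPayload =
      std::numeric_limits<decltype(NFC_HDR::len)>::max() - sizeof(NFC_HDR);

  for (auto it = ctx.Data.cbegin() + 1; it != ctx.Data.cend(); ++it) {
    const size_t payload_len = it->size();
    if (payload_len > kMaxPayload) {
      FUZZLOG(MODULE_NAME ": response too large for NFC_HDR, size=%zu",
              payload_len);
      return;
    }

    auto* p_msg =
        static_cast<NFC_HDR*>(GKI_getbuf(sizeof(NFC_HDR) + payload_len));
    if (p_msg == nullptr) {
      FUZZLOG(MODULE_NAME ": GKI_getbuf returns null, size=%zu", payload_len);
      return;
    }

    // Payload sits right after the header; offset 0 means no leading gap.
    p_msg->len = static_cast<decltype(NFC_HDR::len)>(payload_len);
    p_msg->offset = 0;
    uint8_t* payload = reinterpret_cast<uint8_t*>(p_msg + 1) + p_msg->offset;
    std::memcpy(payload, it->data(), payload_len);

    tNFC_CONN conn = {.data = {
                          .status = NFC_STATUS_OK,
                          .p_data = p_msg,
                      }};

    FUZZLOG(MODULE_NAME ": SubType=%02X, Response[%zd/%zd]=%s", ctx.SubType,
            it - ctx.Data.cbegin(), ctx.Data.size() - 1,
            BytesToHex(*it).c_str());

    // The harness never frees p_msg after this call; presumably the stack
    // takes ownership of the buffer as it would for a real controller event.
    rf_cback(NFC_RF_CONN_ID, NFC_DATA_CEVT, &conn);
  }
}
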
// Hook presumably called by the driver to adjust the split input packets
// before the run. Type 4 needs no fix-ups, so this is intentionally empty.
void Type4_FixPackets(uint8_t /*SubType*/, std::vector<bytes_t>& /*Data*/) {
  // Intentionally a no-op.
}

// Entry point for one Type 4 fuzz iteration. SubType is reduced modulo
// SUB_TYPE_MAX so any input byte selects a valid operation; Data holds the
// packets to replay. Fuzz_Run only executes if Fuzz_Init succeeded, but
// Fuzz_Deinit always runs so a failed iteration does not leave the RW layer
// in a stale state for the next one.
void Type4_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Data) {
  Fuzz_Context ctx(SubType % SUB_TYPE_MAX, Data);

  const bool ready = Fuzz_Init(ctx);
  if (ready) {
    Fuzz_Run(ctx);
  }

  Fuzz_Deinit(ctx);
}
