1 #include "fuzz.h"
2 #include "nfa_ee_int.h"
3 
// Definition of the NFA EE control block that nfa_ee_int.h declares.
// NOTE(review): presumably defined here because the real NFA EE module is not
// linked into the fuzz target — confirm against the build rules.
tNFA_EE_CB nfa_ee_cb;
5 
// Deliver a HAL event to the NFC stack, standing in for the event callback a
// real HAL would invoke.
//
// hal_evt: HAL event code (e.g. HAL_NFC_OPEN_CPLT_EVT).
// status:  status value reported together with the event.
//
// The message is handed straight to nfc_main_handle_hal_evt() instead of being
// posted to a task queue.
void hal_inject_event(uint8_t hal_evt, tHAL_NFC_STATUS status) {
  tNFC_HAL_EVT_MSG msg = {};

  // "= {}" already zeroes the header; the explicit stores keep the intended
  // values visible at the call site.
  msg.hdr.event = BT_EVT_TO_NFC_MSGS;
  msg.hdr.len = msg.hdr.offset = msg.hdr.layer_specific = 0;

  msg.status = status;
  msg.hal_evt = hal_evt;

  FUZZLOG("Injecting event to NFC code: event=%d, status=%d", hal_evt, status);
  nfc_main_handle_hal_evt(&msg);
}
19 
// Feed a raw NCI packet into the NFC stack as if it had arrived from the
// controller through the HAL data callback.
//
// p_data/data_len: packet bytes; not owned, copied into a fresh GKI buffer.
// Returns true once the packet has been handed to nfc_ncif_process_event(),
// false when no GKI buffer could be allocated (logged as an error).
bool hal_inject_data(const uint8_t* p_data, uint16_t data_len) {
  FUZZLOG("Injecting data to NFC stack: %s",
          BytesToHex(p_data, data_len).c_str());

  // nfc_ncif_process_event() checks that a response's OID matches the command
  // sent last. Nothing was really sent, so record the leading bytes of the
  // injected packet as the "last header" to keep that check satisfied.
  if (data_len >= sizeof(nfc_cb.last_hdr)) {
    memcpy(nfc_cb.last_hdr, p_data, sizeof(nfc_cb.last_hdr));
  }

  // NOTE(review): the size is computed in size_t; if GKI_getbuf() takes a
  // narrower length type, a large data_len would be truncated before the
  // memcpy below — confirm against the GKI prototype.
  const size_t buf_size = sizeof(NFC_HDR) + NFC_RECEIVE_MSGS_OFFSET + data_len;
  NFC_HDR* p_msg = (NFC_HDR*)GKI_getbuf(buf_size);
  if (p_msg == nullptr) {
    LOG(ERROR) << StringPrintf("No buffer");
    return false;
  }

  // Initialize NFC_HDR; the payload starts `offset` bytes past the header.
  p_msg->event = BT_EVT_TO_NFC_NCI;
  p_msg->offset = NFC_RECEIVE_MSGS_OFFSET;
  p_msg->len = data_len;

  uint8_t* payload = (uint8_t*)(p_msg + 1) + p_msg->offset;
  memcpy(payload, p_data, data_len);

  // The callee's return value says whether the buffer is still ours to free.
  const bool release_buf = nfc_ncif_process_event(p_msg);
  if (release_buf) {
    GKI_freebuf(p_msg);
  }
  return true;
}
52 
// HAL "initialize" stub: nothing to set up, the operation is only logged.
static void HalInitialize() {
  FUZZLOG("HAL_OP: type=initialize");
}
54 
// HAL "terminate" stub: nothing to tear down, the operation is only logged.
static void HalTerminate() {
  FUZZLOG("HAL_OP: type=terminate");
}
56 
// HAL "open" stub. The two callbacks a real HAL would keep for reporting
// events and data are ignored (see the commented-out parameter names); the
// shim reports completion by injecting the open-complete event directly.
static void HalOpen(tHAL_NFC_CBACK* /*p_hal_inject_event*/,
                    tHAL_NFC_DATA_CBACK* /*p_data_cback*/) {
  FUZZLOG("HAL_OP, type=open");

  hal_inject_event(HAL_NFC_OPEN_CPLT_EVT, HAL_NFC_STATUS_OK);
}
62 
// HAL "close" stub: logs the operation and immediately reports the close as
// completed with status OK.
static void HalClose() {
  FUZZLOG("HAL_OP, type=close");

  hal_inject_event(HAL_NFC_CLOSE_CPLT_EVT, HAL_NFC_STATUS_OK);
}
67 
// Canned NCI packets for the reset/init handshake. Layout follows the NCI
// control-packet header: byte 0 = message type + group, byte 1 = opcode,
// byte 2 = payload length (consistent with the trailing byte counts below).
const uint8_t reset_req[] = {0x20, 0x00, 0x01, 0x01};  // matched in HalWrite()

const uint8_t reset_rsp[] = {0x40, 0x00, 0x01, 0x00};  // injected for reset_req

// Notification injected right after reset_rsp.
const uint8_t reset_ntf[] = {0x60, 0x00, 0x09, 0x02, 0x01, 0x20,
                             0x04, 0x04, 0x51, 0x12, 0x01, 0x90};

const uint8_t init_req[] = {0x20, 0x01, 0x02, 0x00, 0x00};  // matched in HalWrite()

// Injected for init_req; 0x1E = 30 payload bytes follow the 3-byte header.
const uint8_t init_rsp[] = {
    0x40, 0x01, 0x1E, 0x00, 0x1A, 0x7E, 0x06, 0x01, 0x01, 0x5C, 0x03,
    0xFF, 0xFF, 0x01, 0xFF, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x02,
    0x00, 0x03, 0x00, 0x80, 0x00, 0x82, 0x00, 0x83, 0x00, 0x84, 0x00};
81 
// True when the outgoing buffer is byte-for-byte equal to `expected`.
static bool IsExactCommand(const uint8_t* expected, size_t expected_len,
                           const uint8_t* p_data, uint16_t data_len) {
  return data_len == expected_len && memcmp(expected, p_data, data_len) == 0;
}

// HAL "write" stub: the stack is sending an NCI command to the (simulated)
// controller. Only reset_req and init_req are answered, with the canned
// packets above; any other command is logged and dropped.
//
// data_len/p_data: the command bytes the stack wants written.
static void HalWrite(uint16_t data_len, uint8_t* p_data) {
  FUZZLOG("HAL_OP: type=write, data=%s", BytesToHex(p_data, data_len).c_str());

  if (IsExactCommand(reset_req, sizeof(reset_req), p_data, data_len)) {
    // A reset is acknowledged with a response followed by a notification.
    hal_inject_data(reset_rsp, sizeof(reset_rsp));
    hal_inject_data(reset_ntf, sizeof(reset_ntf));
    return;
  }

  if (IsExactCommand(init_req, sizeof(init_req), p_data, data_len)) {
    hal_inject_data(init_rsp, sizeof(init_rsp));
  }
}
94 
// HAL "coreInitialized" stub: logs the CORE_INIT response parameters the
// stack passes down and reports post-init completion with status OK.
//
// data_len/p_core_init_rsp_params: bytes supplied by the stack, only logged.
static void HalCoreInitialized(uint16_t data_len,
                               uint8_t* p_core_init_rsp_params) {
  const char* hex = BytesToHex(p_core_init_rsp_params, data_len).c_str();
  FUZZLOG("HAL_OP: type=coreInitialized, data=%s", hex);

  hal_inject_event(HAL_NFC_POST_INIT_CPLT_EVT, HAL_NFC_STATUS_OK);
}
101 
// HAL "prediscover" stub. Always returns false; the log line records that
// value alongside the operation.
static bool HalPrediscover() {
  const bool result = false;
  FUZZLOG("HAL_OP: type=prediscover, return=false");
  return result;
}
106 
// HAL "controlGranted" stub: the operation is only logged.
static void HalControlGranted() {
  FUZZLOG("HAL_OP: type=controlGranted");
}
108 
// HAL "powerCycle" stub: no controller to cycle, the operation is only logged.
static void HalPowerCycle() {
  FUZZLOG("HAL_OP: type=powerCycle");
}
110 
// Magic value copied from the real NFC code.
112 #define MAX_NFC_EE 2
// HAL "getMaxNfcee" stub: reports MAX_NFC_EE as the number of NFCEEs the
// (simulated) controller supports, logging the value it returns.
static uint8_t HalGetMaxNfcee() {
  const uint8_t max_ee = MAX_NFC_EE;
  FUZZLOG("HAL_OP: type=getMaxNfcee, return=%d", max_ee);
  return max_ee;
}
117 
// HAL entry-point table handed to the NFC stack via get_hal_func_entries().
// Every slot points at one of the stub operations above, so the stack's HAL
// calls land in this fuzzing shim.
static tHAL_NFC_ENTRY s_halFuncEntries = {
    .initialize = HalInitialize,
    .terminate = HalTerminate,
    .open = HalOpen,
    .close = HalClose,
    .core_initialized = HalCoreInitialized,
    .write = HalWrite,
    .prediscover = HalPrediscover,
    .control_granted = HalControlGranted,
    .power_cycle = HalPowerCycle,
    .get_max_ee = HalGetMaxNfcee,
};
130 
// Expose the fuzzing HAL's entry-point table to the NFC stack.
//
// Returns a pointer to static storage; it stays valid for the process
// lifetime and the caller must not free it.
tHAL_NFC_ENTRY* get_hal_func_entries() {
  tHAL_NFC_ENTRY* entries = &s_halFuncEntries;
  return entries;
}