This repository contains the BaseSAFE Rust APIs, introduced by "BaseSAFE: Baseband SAnitized Fuzzing through Emulation".
The example/ directory contains two harnesses emulating parts of the firmware for MediaTek’s Helio X10 (MT6795) baseband processor.
_EMM_
demonstrates a crash inside the decoder for ATTACH
/ACCEPT
messages as part of the Mobility Management.
_ERRC_
emulates various ASN.1 decoders which are being used for Radio Resource Control messages. Example inputs can be found inside the _data/_
directories.
Make AFL++ and build AFLplusplus/unicorn_mode.
./build_afl.sh
A single emulation run can be started by navigating into e.g. examples/errc and executing the harness on the provided data:
cd examples/errc/
cargo run data/pcch.raw
The emulated code can be fuzzed with AFL++ in Unicorn mode:
cd examples/errc
cargo build --release
../../AFLplusplus/afl-fuzz -U -i connections/ -o out/ -m none -- target/release/errc_fuzz @@