├── .gitignore ├── README.md ├── TODO.md ├── dependency-inferer ├── infer_dependency.py ├── infer_dependency.sh └── readme.md ├── fans.template.cfg ├── fuzzer-engine ├── debug_fuzzer.sh ├── fuzzer │ ├── Android.bp │ ├── include │ │ └── fuzzer │ │ │ ├── constraint_checker.h │ │ │ ├── dependency_solver.h │ │ │ ├── executor.h │ │ │ ├── generator.h │ │ │ ├── interface │ │ │ ├── IAAudioClient.h │ │ │ ├── IAppOpsCallback.h │ │ │ ├── IAudioFlingerClient.h │ │ │ ├── IAudioPolicyServiceClient.h │ │ │ ├── ICamera.h │ │ │ ├── ICameraDeviceCallbacks.h │ │ │ ├── ICameraRecordingProxy.h │ │ │ ├── ICameraRecordingProxyListener.h │ │ │ ├── IDisplay.h │ │ │ ├── IDrmClient.h │ │ │ ├── IDrmServiceListener.h │ │ │ ├── IEffectClient.h │ │ │ ├── IGraphicBufferConsumer.h │ │ │ ├── IGraphicBufferProducer.h │ │ │ ├── IIncidentReportStatusListener.h │ │ │ ├── IInterfaceEventCallback.h │ │ │ ├── IMediaHTTPService.h │ │ │ ├── IMediaLogService.h │ │ │ ├── IMediaPlayerClient.h │ │ │ ├── IMediaRecorderClient.h │ │ │ ├── IOMX.h │ │ │ ├── IPlayer.h │ │ │ ├── IResourceManagerClient.h │ │ │ ├── ISoundTriggerClient.h │ │ │ ├── IStreamSource.h │ │ │ ├── camera.h │ │ │ └── interface.h │ │ │ ├── parcel_reader.h │ │ │ ├── parcel_reader_writer.h │ │ │ ├── parcel_writer.h │ │ │ ├── service.h │ │ │ ├── test.h │ │ │ ├── transaction.h │ │ │ ├── types │ │ │ ├── array_type.h │ │ │ ├── base_type.h │ │ │ ├── binder_type.h │ │ │ ├── blob_type.h │ │ │ ├── bool_type.h │ │ │ ├── double_type.h │ │ │ ├── enum_type.h │ │ │ ├── file_descriptor_type.h │ │ │ ├── float_type.h │ │ │ ├── function_type.h │ │ │ ├── int_type.h │ │ │ ├── string_type.h │ │ │ ├── structure_type.h │ │ │ ├── types.h │ │ │ └── union_type.h │ │ │ └── utils │ │ │ ├── java_vm.h │ │ │ ├── log.h │ │ │ ├── random.h │ │ │ ├── thread.h │ │ │ └── util.h │ ├── misc │ │ ├── audio_effects.xml │ │ ├── codec.py │ │ └── extract_audio_effects.py │ ├── src │ │ ├── constraint_checker.cpp │ │ ├── dependency_solver.cpp │ │ ├── executor.cpp │ │ ├── generator.cpp │ │ ├── interface │ │ │ ├── IAAudioClient.cpp │ │ │ ├── IAppOpsCallback.cpp │ │ │ ├── IAudioFlingerClient.cpp │ │ │ ├── IAudioPolicyServiceClient.cpp │ │ │ ├── ICamera.cpp │ │ │ ├── ICameraDeviceCallbacks.cpp │ │ │ ├── ICameraRecordingProxy.cpp │ │ │ ├── ICameraRecordingProxyListener.cpp │ │ │ ├── IDisplay.cpp │ │ │ ├── IDrmClient.cpp │ │ │ ├── IDrmServiceListener.cpp │ │ │ ├── IEffectClient.cpp │ │ │ ├── IGraphicBufferConsumer.cpp │ │ │ ├── IGraphicBufferProducer.cpp │ │ │ ├── IIncidentReportStatusListener.cpp │ │ │ ├── IInterfaceEventCallback.cpp │ │ │ ├── IInterfaceEventCallback_impl.cpp │ │ │ ├── IMediaHTTPService.cpp │ │ │ ├── IMediaLogService.cpp │ │ │ ├── IMediaPlayerClient.cpp │ │ │ ├── IMediaRecorderClient.cpp │ │ │ ├── IOMX.cpp │ │ │ ├── IPlayer.cpp │ │ │ ├── IResourceManagerClient.cpp │ │ │ ├── ISoundTriggerClient.cpp │ │ │ ├── IStreamSource.cpp │ │ │ ├── IWifiScannerImpl.cpp │ │ │ ├── camera.cpp │ │ │ └── interface.cpp │ │ ├── main.cpp │ │ ├── parcel_reader.cpp │ │ ├── parcel_reader_writer.cpp │ │ ├── parcel_writer.cpp │ │ ├── service.cpp │ │ ├── test │ │ │ └── test.cpp │ │ ├── transaction.cpp │ │ ├── types │ │ │ ├── array_type.cpp │ │ │ ├── binder_type.cpp │ │ │ ├── blob_type.cpp │ │ │ ├── bool_type.cpp │ │ │ ├── double_type.cpp │ │ │ ├── enum_type.cpp │ │ │ ├── file_descriptor_type.cpp │ │ │ ├── float_type.cpp │ │ │ ├── function_type.cpp │ │ │ ├── int_type.cpp │ │ │ ├── string_type.cpp │ │ │ ├── structure_type.cpp │ │ │ ├── types.cpp │ │ │ └── union_type.cpp │ │ └── utils │ │ │ ├── java_vm.cpp │ │ │ ├── log.cpp │ │ │ ├── mythread.cpp │ │ │ ├── random.cpp │ │ │ └── util.cpp │ └── version-script.txt ├── manager │ ├── flash.py │ ├── flash.template.cfg │ ├── fuzzer.template.cfg │ ├── get_device_list.py │ ├── manager.py │ ├── readme.md │ ├── restart_adbd.sh │ ├── restart_device.sh │ └── util.py ├── readme.md ├── setup.template.sh └── test_fuzzer.template.sh ├── interface-model-extractor ├── post-process │ ├── adjust_structure.py │ ├── ast_visitor.py │ ├── copy.sh │ ├── copy_enumeration_type.py │ ├── data │ │ ├── basic_type.txt │ │ ├── black_interface_list.txt │ │ ├── customized_interface_list.txt │ │ ├── func2svcname.json │ │ ├── not_related_interface_list.txt │ │ └── special_type.json │ ├── init.py │ ├── init.sh │ ├── jsonutil.py │ ├── manually │ │ ├── flattenable │ │ │ ├── data │ │ │ │ ├── class android::Fence.json │ │ │ │ ├── class android::GraphicBuffer.json │ │ │ │ ├── class android:Region.json │ │ │ │ └── struct android::IGraphicBufferProducer::QueueBufferInput.json │ │ │ └── reply │ │ │ │ ├── class android::Fence.json │ │ │ │ ├── class android::GraphicBuffer.json │ │ │ │ ├── class android::Region.json │ │ │ │ └── struct android::IGraphicBufferProducer::QueueBufferInput.json │ │ ├── light_flattenable │ │ │ ├── data │ │ │ │ ├── class android::FrameStats.json │ │ │ │ ├── class android::HdrCapabilities.json │ │ │ │ ├── class android::Rect.json │ │ │ │ └── struct android::HdrMetadata.json │ │ │ └── reply │ │ │ │ ├── class android::FrameStats.json │ │ │ │ ├── class android::HdrCapabilities.json │ │ │ │ ├── class android::Rect.json │ │ │ │ └── struct android::HdrMetadata.json │ │ └── parcelable │ │ │ ├── data │ │ │ └── struct native_handle.json │ │ │ └── reply │ │ │ └── struct native_handle.json │ ├── parcel.py │ ├── parse.sh │ ├── parse_interface.py │ ├── parse_parcel_function.py │ ├── parse_raw_structure.py │ ├── parse_structure.py │ ├── postprocess.sh │ ├── readme.md │ ├── save_type_map.py │ └── variable_type.py ├── pre-process │ ├── BinderIface │ │ ├── BinderIface.cpp │ │ ├── BinderIface.exports │ │ └── CMakeLists.txt │ ├── extract_from_ast.py │ ├── gen_all_related_cc1_cmd.py │ ├── misc.md │ ├── misc │ │ └── SurfaceFlinger.cpp │ └── readme.md └── readme.md ├── seed ├── files │ ├── apk │ │ └── com.compass.digital-1.0.apk │ ├── media │ │ └── centaur_2.mpg │ └── misc │ │ ├── test1.txt │ │ └── test2.txt ├── media_url_list.txt ├── package_list.txt └── permission_list.txt ├── service-related-file-collector ├── collector.py └── readme.md └── workdir └── service-related-file ├── misc_parcel_related_function.txt └── special_parcelable_function.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # vscode 2 | .vscode 3 | 4 | # python 5 | __pycache__/ 6 | 7 | *.py[cod] 8 | 9 | ##### ignore personal configs, scripts and data ##### 10 | fans.cfg 11 | 12 | interface-model-extractor/pre-process/BinderIface/compile_commands.json 13 | 14 | fuzzer-engine/setup.sh 15 | fuzzer-engine/test_fuzzer.sh 16 | fuzzer-engine/manager/flash.cfg 17 | fuzzer-engine/manager/device.cfg 18 | fuzzer-engine/manager/fuzzer.cfg 19 | 20 | workdir/service-related-file/interface2file.json 21 | workdir/service-related-file/service_related_file.txt 22 | 23 | workdir/interface-model-extractor/* 24 | 25 | workdir/interface-dependency/* -------------------------------------------------------------------------------- /TODO.md: -------------------------------------------------------------------------------- 1 | # TODO 2 | 3 | Although FANS can find many vulnerabilities, it can still be improved. 4 | 5 | ## Code 6 | 7 | Improve the code to make FANS more readable and easier to use. 8 | 9 | ## Interface Model Extractor 10 | 11 | Improve the interface model extractor to handle complex situations. 12 | 13 | ## Fuzzer 14 | ### Improve Fuzzer Implementation 15 | 16 | - Although we have already provided some input generation strategies according to the variable name and variable type, it is not complete. 17 | - As for the loop or the array whose size is undetermined, what value should we generate for the corresponding size? 18 | - We need to generate the variable with more semantics (e.g., satisfy dependency) with larger probability, but what should the probability be? 19 | - etc. 20 | 21 | ### Fuzzing Efficiency 22 | 23 | The reflash process is still not fully automated. We still need to do some operations manually. So we'd better provide a fully automated solution to reflash the mobile phone. 24 | 25 | ### Coverage Guided Fuzzing 26 | 27 | Integrate coverage into FANS. 28 | 29 | ## Fuzzing Other Android Services 30 | 31 | For instance, we can extend FANS to fuzz the following services in Android 32 | - Hardware services located in the hardware domain 33 | - Vendor services located in vendor domain 34 | - Java system services 35 | 36 | Besides, we may extend FANS to fuzz services which are closed source. We may need to utilize some similar binary analysis techniques to extract the interface model. -------------------------------------------------------------------------------- /dependency-inferer/infer_dependency.sh: -------------------------------------------------------------------------------- 1 | mkdir ../workdir/interface-dependency 2 | python infer_dependency.py 3 | dot -Kdot -Tpng -o ../workdir/interface-dependency/interface_dependency.png ../workdir/interface-dependency/interface_dependency.txt 4 | dot -Kdot -Tpdf -o ../workdir/interface-dependency/interface_dependency.pdf ../workdir/interface-dependency/interface_dependency.txt -------------------------------------------------------------------------------- /dependency-inferer/readme.md: -------------------------------------------------------------------------------- 1 | # Dependency Inferer 2 | 3 | Dependency inferer will infer inter-transaction variable dependency and interface dependency. 4 | 5 | > Note, we have improved the dependency inferer after submitting the paper. For instance, for array variable sessionId in IDrm interface, we will generate dependency according to variable name and variable type. 6 | 7 | Before inferring the dependency, please install the following package dependency so as to generate the corresponding interface dependency graph. 8 | 9 | ```bash 10 | sudo apt install graphviz 11 | ``` 12 | 13 | Then you can run `sh infer_dependency.sh` to infer these dependencies and get the interface dependency graph. 14 | 15 | These dependencies will be directed integrated into the model, located in `workdir/interface-model-extractor/model`. 16 | 17 | Also, the simplified interface dependency can be seen at `workdir/interface-dependency`. -------------------------------------------------------------------------------- /fans.template.cfg: -------------------------------------------------------------------------------- 1 | { 2 | "fans_dir":"/path/to/fans", 3 | "aosp_dir":"/path/to/aosp", 4 | "aosp_sanitizer_dir":"/path/to/aosp_asan", 5 | "aosp_compilation_cmd_file":"/path/to/aosp/cmd.txt", 6 | "lunch_command":"lunch 50", 7 | "aosp_clang_location":"/path/to/aosp/clang", 8 | "manually_build_clang_location":"/path/to/llvm-android/build/bin/clang-6.0", 9 | "clang_plugin_option":"-load /path/to/llvm-android/build/lib/BinderIface.so -plugin -extract-binder-iface", 10 | "service_related_file_collector_workdir":"workdir/service-related-file", 11 | "service_related_filepath_storage_location":"workdir/service-related-file/service_related_file.txt", 12 | "misc_parcel_related_function_storage_location":"workdir/service-related-file/misc_parcel_related_function.txt", 13 | "special_parcelable_function_storage_location":"workdir/service-related-file/special_parcelable_function.txt", 14 | "aosp_compilation_cc1_cmd_file":"workdir/interface-model-extractor/cc1_cmd.json", 15 | "already_preprocessed_files_storage_location":"workdir/interface-model-extractor/already_preprocessed_files.txt", 16 | "rough_interface_related_data_dir":"/path/to/aosp/data", 17 | "already_parsed_interfaces_storage_location":"workdir/interface-model-extractor/already_parsed_interfaces.txt", 18 | "interface_model_extractor_tmp_dir":"workdir/interface-model-extractor/tmp", 19 | "interface_model_extractor_dir":"workdir/interface-model-extractor", 20 | "interface_dependency_dir":"workdir/interface-dependency" 21 | } -------------------------------------------------------------------------------- /fuzzer-engine/debug_fuzzer.sh: -------------------------------------------------------------------------------- 1 | adb -s $1 shell "su 0 gdbserver64 :5039 /data/fuzzer/native_service_fuzzer" -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/Android.bp: -------------------------------------------------------------------------------- 1 | cc_binary { 2 | name: "native_service_fuzzer", 3 | 4 | srcs: [ 5 | "src/interface/*", 6 | "src/types/*", 7 | "src/utils/*", 8 | "src/*", 9 | "src/test/*" 10 | ], 11 | 12 | shared_libs: [ 13 | "libutils", 14 | "libbinder", 15 | "liblog", 16 | "libmedia", 17 | "libmedia_omx", 18 | "libaudioutils", 19 | "libcamera_client", 20 | "libcutils", 21 | "libdl", 22 | "libdrmframework", 23 | "libgui", 24 | "libion", 25 | "libaudioclient", 26 | "libmediaextractor", 27 | "libmediametrics", 28 | "libmediautils", 29 | "libnetd_client", 30 | "libui", 31 | "libmedia_helper", 32 | "libstagefright_codecbase", 33 | "libstagefright_foundation", 34 | "libstagefright_omx_utils", 35 | "libstagefright_xmlparser", 36 | "libstagefright_http_support", 37 | "libRScpp", 38 | "libhidlallocatorutils", 39 | "libhidlbase", 40 | "libhidlmemory", 41 | "libziparchive", 42 | "libstagefright", 43 | "libaaudio", 44 | "libandroid_runtime", 45 | "libsoundtrigger", 46 | "libaudioclient", 47 | "libdrmframework", 48 | "libmediandk", 49 | // "libcamera2ndk", 50 | "libnativehelper", 51 | "libwilhelm", 52 | "libmedialogservice", 53 | "libmediadrm" 54 | ], 55 | // local_share_library:[ 56 | // ] 57 | // header_libs: [ 58 | // ], 59 | // runtime_libs:[ 60 | // ], 61 | static_libs:[ 62 | "libjsoncpp", 63 | ], 64 | whole_static_libs: ["libsigchain"], 65 | local_include_dirs: ["include"], 66 | include_dirs:["frameworks/wilhelm/src","frameworks/av/services/medialog","out/target/product/taimen/obj/STATIC_LIBRARIES/libwificond_ipc_intermediates/aidl-generated/include","system/connectivity"], 67 | cflags: [ 68 | "-DXP_UNIX", 69 | "-Wall", 70 | "-g", 71 | "-Wextra", 72 | "-Wno-unused-parameter", 73 | "-DLI_API=__attribute__((visibility(\"default\")))" 74 | ], 75 | ldflags: [ 76 | "-Wl,--export-dynamic" 77 | ], 78 | version_script: "version-script.txt", 79 | cppflags: [ 80 | ] 81 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/constraint_checker.h: -------------------------------------------------------------------------------- 1 | #ifndef CONSTRAINT_CHECKER_H 2 | #define CONSTRAINT_CHECKER_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | using namespace std; 9 | class ConstraintChecker { 10 | ParcelReaderWriter *parcelReaderWriter; 11 | 12 | public: 13 | ConstraintChecker(ParcelReaderWriter *parcelReaderWriter); 14 | bool check(const string &constraintName); 15 | bool check(const Json::Value &constraint); 16 | bool checkNot(Json::Value constraint); 17 | bool checkSelf(Json::Value constraint); 18 | 19 | template 20 | bool compare(string opcode, const T1 &left, const T2 &right); 21 | bool checkConstraintSet(vector constraintSet); 22 | 23 | int32_t getSpecialSelfConstraintIdx(vector constraintSet); 24 | bool 25 | shouldGenerateValueFromSpecialSelfConstraint(const Json::Value &constraint); 26 | // template 27 | // bool getValueFromSpecialSelfConstraint(vector constraintSet, T 28 | // &value); 29 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 30 | int32_t &value); 31 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 32 | int64_t &value); 33 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 34 | unsigned long &value); 35 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 36 | uint32_t &value); 37 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 38 | float &value); 39 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 40 | double &value); 41 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 42 | string &value); 43 | bool getValueFromSpecialSelfConstraint(vector constraintSet, 44 | bool &value); 45 | uint32_t getTryCount(vector constraintSet); 46 | 47 | bool random = false; 48 | }; 49 | 50 | #endif // CONSTRAINT_CHECKER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/dependency_solver.h: -------------------------------------------------------------------------------- 1 | #ifndef DEPENDENCY_SOLVER_H 2 | #define DEPENDENCY_SOLVER_H 3 | 4 | #include 5 | #include 6 | #include 7 | typedef enum { 8 | COMMON_DEPENDENCY, 9 | BINDER_DEPENDENCY, 10 | STRUCTURE_ITEM_DEPENDENCY 11 | } DependencyType; 12 | 13 | class DependencySolver { 14 | Json::Value dependency; 15 | Parcel *targetParcel; 16 | DependencyType dependencyType; 17 | 18 | public: 19 | DependencySolver(Parcel *targetParcel, DependencyType dependencyType, 20 | const Json::Value &dependencySet); 21 | 22 | bool canUseDependency(); 23 | void solveStructDependency(); 24 | void solveTxDependency(); 25 | void solve(); 26 | sp binder; 27 | }; 28 | 29 | #endif // DEPENDENCY_SOLVER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/executor.h: -------------------------------------------------------------------------------- 1 | #ifndef EXECUTOR_H 2 | #define EXECUTOR_H 3 | 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | class Executor { 21 | public: 22 | status_t run(Transaction &tx); 23 | }; 24 | 25 | #endif // EXECUTOR_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/generator.h: -------------------------------------------------------------------------------- 1 | #ifndef GENERATOR_H 2 | #define GENERATOR_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | class Generator { 9 | public: 10 | Transaction generateTx(); 11 | }; 12 | #endif // GENERATOR_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IAAudioClient.h: -------------------------------------------------------------------------------- 1 | #ifndef IAAUDIOCLIENT_H 2 | #define IAAUDIOCLIENT_H 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | 16 | #include 17 | using namespace android; 18 | using namespace aaudio; 19 | // using android::sp; 20 | extern sp generateIAAudioClient(); 21 | 22 | #endif // IAAUDIOCLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IAppOpsCallback.h: -------------------------------------------------------------------------------- 1 | #ifndef IAPP_OPS_CALL_BACK_H 2 | #define IAPP_OPS_CALL_BACK_H 3 | 4 | #include 5 | #include 6 | 7 | using namespace android; 8 | 9 | extern sp generateIAppOpsCallback(); 10 | 11 | #endif // IAPP_OPS_CALL_BACK_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IAudioFlingerClient.h: -------------------------------------------------------------------------------- 1 | #ifndef IAUDIO_FLINGER_CLIENT_H 2 | #define IAUDIO_FLINGER_CLIENT_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include 28 | #include 29 | using namespace android; 30 | 31 | extern sp generateIAudioFlingerClient(); 32 | 33 | #endif // IAUDIO_FLINGER_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IAudioPolicyServiceClient.h: -------------------------------------------------------------------------------- 1 | #ifndef AUDIO_POLICY_SERVICE_CLIENT_H 2 | #define AUDIO_POLICY_SERVICE_CLIENT_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include 28 | #include 29 | using namespace android; 30 | 31 | extern sp generateIAudioPolicyServiceClient(); 32 | 33 | #endif // AUDIO_POLICY_SERVICE_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/ICamera.h: -------------------------------------------------------------------------------- 1 | #ifndef CAMERA_H 2 | #define CAMERA_H 3 | 4 | #include 5 | 6 | extern sp generateICamera(); 7 | 8 | #endif // CAMERA_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/ICameraDeviceCallbacks.h: -------------------------------------------------------------------------------- 1 | #ifndef ICAMERA_DEVICE_CALLINGBACK_H 2 | #define ICAMERA_DEVICE_CALLINGBACK_H 3 | 4 | #include 5 | #include 6 | 7 | // #include 8 | // #include 9 | // #include 10 | // #include 11 | // #include 12 | // #include 13 | // #include 14 | // #include 15 | // #include 16 | // #include 17 | // #include 18 | // #include 19 | // #include 20 | 21 | // #include 22 | // #include 23 | 24 | using namespace android; 25 | extern sp generateICameraDeviceCallbacks(); 26 | #endif // ICAMERA_DEVICE_CALLINGBACK_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/ICameraRecordingProxy.h: -------------------------------------------------------------------------------- 1 | #ifndef ICAMERA_RECORDING_PROXY_H 2 | #define ICAMERA_RECORDING_PROXY_H 3 | 4 | #include 5 | 6 | using namespace android; 7 | extern sp generateICameraRecordingProxy(); 8 | #endif // ICAMERA_RECORDING_PROXY_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/ICameraRecordingProxyListener.h: -------------------------------------------------------------------------------- 1 | #ifndef ICAMERA_RECORDING_PROXY_LISTENER_H 2 | #define ICAMERA_RECORDING_PROXY_LISTENER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | using namespace android; 18 | 19 | class MyCameraSource : public CameraSource { 20 | public: 21 | static MyCameraSource *Create(const String16 &clientName); 22 | void mydataCallbackTimestamp(nsecs_t timestamp, int32_t msgType, 23 | const sp &dataPtr); 24 | void myrecordingFrameHandleCallbackTimestamp(nsecs_t timestamp, 25 | native_handle_t *handle); 26 | void myrecordingFrameHandleCallbackTimestampBatch( 27 | const std::vector ×tampsUs, 28 | const std::vector &handles); 29 | 30 | protected: 31 | MyCameraSource(const sp &camera, 32 | const sp &proxy, int32_t cameraId, 33 | const String16 &clientName, uid_t clientUid, pid_t clientPid, 34 | Size videoSize, int32_t frameRate, 35 | const sp &surface, 36 | bool storeMetaDataInVideoBuffers); 37 | }; 38 | 39 | class ProxyListener : public BnCameraRecordingProxyListener { 40 | public: 41 | ProxyListener(const sp &source); 42 | virtual void dataCallbackTimestamp(int64_t timestampUs, int32_t msgType, 43 | const sp &data); 44 | virtual void recordingFrameHandleCallbackTimestamp(int64_t timestampUs, 45 | native_handle_t *handle); 46 | virtual void recordingFrameHandleCallbackTimestampBatch( 47 | const std::vector ×tampsUs, 48 | const std::vector &handles); 49 | 50 | private: 51 | sp mSource; 52 | }; 53 | 54 | sp generateICameraRecordingProxyListener(); 55 | #endif // ICAMERA_RECORDING_PROXY_LISTENER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IDisplay.h: -------------------------------------------------------------------------------- 1 | #ifndef DISPLAY_H 2 | #define DISPLAY_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | using namespace android; 18 | extern sp generateIDisplay(); 19 | 20 | #endif // DISPLAY_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IDrmClient.h: -------------------------------------------------------------------------------- 1 | #ifndef IDRM_CLIENT_H 2 | #define IDRM_CLIENT_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | using namespace android; 25 | 26 | extern sp generateIDrmClient(); 27 | #endif // IDRM_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IDrmServiceListener.h: -------------------------------------------------------------------------------- 1 | #ifndef DRM_SERVICE_LISTENER_H 2 | #define DRM_SERVICE_LISTENER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | using namespace android; 11 | extern sp generateIDrmServiceListener(); 12 | #endif // DRM_SERVICE_LISTENER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IEffectClient.h: -------------------------------------------------------------------------------- 1 | #ifndef IEFFECT_CLIENT_H 2 | #define IEFFECT_CLIENT_H 3 | 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | #include 23 | #include 24 | 25 | #include 26 | #include 27 | 28 | using namespace android; 29 | 30 | extern sp generateIEffectClient(); 31 | #endif // IEFFECT_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IGraphicBufferConsumer.h: -------------------------------------------------------------------------------- 1 | #ifndef IGRAPHIC_BUFFER_CONSUMER_H 2 | #define IGRAPHIC_BUFFER_CONSUMER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | using namespace android; 10 | 11 | extern sp generateIGraphicBufferConsumer(); 12 | #endif // IGRAPHIC_BUFFER_CONSUMER_H 13 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IGraphicBufferProducer.h: -------------------------------------------------------------------------------- 1 | #ifndef IGRAPHIC_BUFFER_PRODUCER_H 2 | #define IGRAPHIC_BUFFER_PRODUCER_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | using namespace android; 15 | 16 | extern sp generateIGraphicBufferProducer(); 17 | #endif // IGRAPHIC_BUFFER_PRODUCER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IIncidentReportStatusListener.h: -------------------------------------------------------------------------------- 1 | #ifndef IINCIDENT_REPORT_STATUS_LISTENER_H 2 | #define IINCIDENT_REPORT_STATUS_LISTENER_H 3 | 4 | // #include 5 | // #include 6 | 7 | // #include 8 | 9 | // using namespace std; 10 | 11 | // extern sp generateIIncidentReportStatusListener(); 12 | #endif // IINCIDENT_REPORT_STATUS_LISTENER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IInterfaceEventCallback.h: -------------------------------------------------------------------------------- 1 | #ifndef IINTERFACE_EVENT_CALLBACK_H 2 | #define IINTERFACE_EVENT_CALLBACK_H 3 | #include 4 | 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | #include 11 | #include 12 | using namespace android; 13 | 14 | extern sp generateIInterfaceEventCallback(); 15 | #endif // IINTERFACE_EVENT_CALLBACK_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IMediaHTTPService.h: -------------------------------------------------------------------------------- 1 | #ifndef IMEDIA_HTTP_SERVICE_H 2 | #define IMEDIA_HTTP_SERVICE_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | using namespace android; 9 | extern sp generateIMediaHTTPService(); 10 | 11 | #endif // IMEDIA_HTTP_SERVICE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IMediaLogService.h: -------------------------------------------------------------------------------- 1 | #ifndef I_MEDIA_LOG_SERVICE_H 2 | #define I_MEDIA_LOG_SERVICE_H 3 | #include "MediaLogService.h" 4 | using namespace android; 5 | 6 | extern sp generateIMediaLogService(); 7 | #endif // I_MEDIA_LOG_SERVICE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IMediaPlayerClient.h: -------------------------------------------------------------------------------- 1 | #ifndef IMEDIA_PLAYER_CLIENT 2 | #define IMEDIA_PLAYER_CLIENT 3 | 4 | #include 5 | #include // for property_get 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include 28 | #include 29 | 30 | using namespace android; 31 | extern sp generateIMediaPlayerClient(); 32 | #endif // IMEDIA_PLAYER_CLIENT -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IMediaRecorderClient.h: -------------------------------------------------------------------------------- 1 | #ifndef IMEDIA_RECORDER_CLIENT_H 2 | #define IMEDIA_RECORDER_CLIENT_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include // for MEDIA_ERROR_SERVER_DIED 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | using namespace android; 17 | extern sp generateIMediaRecorderClient(); 18 | #endif // IMEDIA_RECORDER_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IOMX.h: -------------------------------------------------------------------------------- 1 | #ifndef IOMX_H 2 | #define IOMX_H 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | 9 | #include 10 | 11 | #include 12 | 13 | using namespace android; 14 | extern sp generateIOMX(); 15 | #endif // IOMX_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IPlayer.h: -------------------------------------------------------------------------------- 1 | #ifndef IPLAYER_H 2 | #define IPLAYER_H 3 | #include 4 | #include 5 | 6 | using namespace android; 7 | extern sp generateIPlayer(); 8 | #endif // IPLAYER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IResourceManagerClient.h: -------------------------------------------------------------------------------- 1 | #ifndef RESOURCE_MANAGER_CLIENT_H 2 | #define RESOURCE_MANAGER_CLIENT_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | 39 | extern Vector mimeVector; 40 | extern Vector componentNameVector; 41 | 42 | enum { 43 | kWhatInit = 'init', 44 | kWhatConfigure = 'conf', 45 | kWhatSetSurface = 'sSur', 46 | kWhatCreateInputSurface = 'cisf', 47 | kWhatSetInputSurface = 'sisf', 48 | kWhatStart = 'strt', 49 | kWhatStop = 'stop', 50 | kWhatRelease = 'rele', 51 | kWhatDequeueInputBuffer = 'deqI', 52 | kWhatQueueInputBuffer = 'queI', 53 | kWhatDequeueOutputBuffer = 'deqO', 54 | kWhatReleaseOutputBuffer = 'relO', 55 | kWhatSignalEndOfInputStream = 'eois', 56 | kWhatGetBuffers = 'getB', 57 | kWhatFlush = 'flus', 58 | kWhatGetOutputFormat = 'getO', 59 | kWhatGetInputFormat = 'getI', 60 | kWhatDequeueInputTimedOut = 'dITO', 61 | kWhatDequeueOutputTimedOut = 'dOTO', 62 | kWhatCodecNotify = 'codc', 63 | kWhatRequestIDRFrame = 'ridr', 64 | kWhatRequestActivityNotification = 'racN', 65 | kWhatGetName = 'getN', 66 | kWhatGetCodecInfo = 'gCoI', 67 | kWhatSetParameters = 'setP', 68 | kWhatSetCallback = 'setC', 69 | kWhatSetNotification = 'setN', 70 | kWhatDrmReleaseCrypto = 'rDrm', 71 | }; 72 | 73 | extern void initCodecInfo(); 74 | 75 | extern sp generateIResourceManagerClient(); 76 | #endif // RESOURCE_MANAGER_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/ISoundTriggerClient.h: -------------------------------------------------------------------------------- 1 | #ifndef ISOUND_TRIGGER_CLIENT_H 2 | #define ISOUND_TRIGGER_CLIENT_H 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using namespace android; 11 | extern sp generateISoundTriggerClient(); 12 | 13 | #endif // ISOUND_TRIGGER_CLIENT_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/IStreamSource.h: -------------------------------------------------------------------------------- 1 | #ifndef STREAM_SOURCE_H 2 | #define STREAM_SOURCE_H 3 | 4 | #include "sles_allinclusive.h" 5 | 6 | #include "android/android_StreamPlayer.h" 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | using namespace android; 15 | 16 | extern sp generateIStreamSource(); 17 | #endif // STREAM_SOURCE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/camera.h: -------------------------------------------------------------------------------- 1 | #ifndef FUZZER_CAMERA_H 2 | #define FUZZER_CAMERA_H 3 | #include 4 | 5 | #include 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | using namespace android; 17 | extern sp generateCamera(); 18 | #endif // FUZZER_CAMERA_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/interface/interface.h: -------------------------------------------------------------------------------- 1 | #ifndef FUZZER_INTERFACE 2 | #define FUZZER_INTERFACE 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | #include 25 | 26 | #include 27 | 28 | #include 29 | 30 | #include 31 | 32 | #include 33 | 34 | #include 35 | 36 | #include 37 | 38 | #include 39 | 40 | extern sp generateInterface(string interfaceName, string varName); 41 | #endif // FUZZER_INTERFACE -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/parcel_reader.h: -------------------------------------------------------------------------------- 1 | #ifndef PARCEL_READER_H 2 | #define PARCEL_READER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | using namespace std; 10 | using namespace android; 11 | class ParcelReader { 12 | public: 13 | ParcelReader(ParcelReaderWriter *parcelReaderWriter, const Json::Value &info) 14 | : parcelReaderWriter(parcelReaderWriter), variable(info) { 15 | varName = variable["name"].asString(); 16 | varType = variable["type"].asString(); 17 | isRaw = parcelReaderWriter->getIsRaw(); 18 | } 19 | void read(); 20 | 21 | private: 22 | ParcelReaderWriter *parcelReaderWriter; 23 | const Json::Value &variable; 24 | string varName; 25 | string varType; 26 | bool isRaw = false; 27 | 28 | void readRawFromReply(void *buffer, size_t len); 29 | void writeRawToData(void *buffer, size_t len); 30 | void checkIsRaw(); 31 | 32 | void readInt8(); 33 | void readUint8(); 34 | 35 | void readInt16(); 36 | void readUint16(); 37 | 38 | void readInt32(); 39 | 40 | void readUint32(); 41 | void readIntegerLiteral(); 42 | 43 | void readInt64(); 44 | 45 | void readUint64(); 46 | 47 | void readString16(); 48 | 49 | void readString8(); 50 | 51 | void readCString(); 52 | 53 | void readFileDescriptor(); 54 | void readFloat(); 55 | void readDouble(); 56 | 57 | void readBool(); 58 | 59 | void readBlob(); 60 | void readParcelStructure(); 61 | void readFlattenableStructure(); 62 | void readLightFlattenableStructure(); 63 | void readRawStructure(); 64 | 65 | void readUnion(); 66 | 67 | void readStrongBinder(); 68 | void readArray(); 69 | void readFunction(); 70 | }; 71 | 72 | #endif // PARCEL_READER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/parcel_writer.h: -------------------------------------------------------------------------------- 1 | #ifndef PARCEL_WRITER_H 2 | #define PARCEL_WRITER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using namespace std; 11 | using namespace android; 12 | class ParcelWriter { 13 | public: 14 | ParcelWriter(ParcelReaderWriter *parcelReaderWriter, 15 | const Json::Value &variable) 16 | : parcelReaderWriter(parcelReaderWriter), variable(variable) { 17 | varName = variable["name"].asString(); 18 | varType = variable["type"].asString(); 19 | isRaw = parcelReaderWriter->getIsRaw(); 20 | } 21 | void write(); 22 | 23 | private: 24 | ParcelReaderWriter *parcelReaderWriter; 25 | const Json::Value &variable; 26 | string varName; 27 | string varType; 28 | bool isRaw = 29 | false; // default is false, true when dealing raw structure/array. 30 | template T generate(BaseType *type); 31 | 32 | void generateManually(VarType varTypeEnum); 33 | 34 | void writeRawToData(const void *buffer, size_t len); 35 | 36 | void writeInt8(); 37 | void writeUint8(); 38 | 39 | void writeInt16(); 40 | void writeUint16(); 41 | 42 | void writeInt32(); 43 | void writeUint32(); 44 | 45 | void writeInt64(); 46 | 47 | void writeUint64(); 48 | 49 | void writeString16(); 50 | 51 | void writeString8(); 52 | 53 | void writeCString(); 54 | 55 | void writeFileDescriptor(); 56 | void writeFloat(); 57 | void writeDouble(); 58 | 59 | void writeBool(); 60 | 61 | void writeParcelStructure(); 62 | void writeFlattenableStructure(); 63 | void writeLightFlattenableStructure(); 64 | void writeRawStructure(); 65 | 66 | void writeFunction(); 67 | 68 | void writeUnion(); 69 | 70 | void writeStrongBinder(); 71 | void writeArray(); 72 | 73 | void writeBlob(); 74 | }; 75 | 76 | #endif // PARCEL_WRITER_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/service.h: -------------------------------------------------------------------------------- 1 | #ifndef SERVICE_H 2 | #define SERVICE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | using namespace android; 12 | using namespace std; 13 | extern map svcInfo; 14 | extern map targetTransactionInfo; 15 | 16 | #define SERVICE_INFO_DIR FUZZER_PATH "model/service" 17 | 18 | class NativeServiceManager 19 | { 20 | sp sm; 21 | sp generateInterfaceManually(string serviceName); 22 | 23 | public: 24 | NativeServiceManager(); 25 | sp getService(Transaction &tx); 26 | static String16 getInterfaceName(sp service); 27 | }; 28 | extern void loadServiceInfo(char *serviceInfoDir, char *targetInterface, 29 | char *targetTransaction); 30 | #endif // SERVICE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/test.h: -------------------------------------------------------------------------------- 1 | #ifndef FUZZER_TEST_H 2 | #define FUZZER_TEST_H 3 | 4 | void testIsCryptoSchemeSupported(); 5 | void testIsCryptoSchemeSupportedForMimeType(); 6 | void testOpenSeesion(); 7 | void testCloseSession(); 8 | #endif // FUZZER_TEST_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/transaction.h: -------------------------------------------------------------------------------- 1 | #ifndef TRANSACTION_H 2 | #define TRANSACTION_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | using namespace std; 8 | using namespace android; 9 | class Transaction { 10 | public: 11 | string txName; 12 | string serviceName; 13 | string interfaceName; 14 | string interfaceToken; 15 | uint64_t code; 16 | Json::Value info; 17 | Json::Value dependency; 18 | Json::Value variable; 19 | Json::Value constraint; 20 | Json::Value loop; 21 | Parcel data; 22 | Parcel reply; 23 | uint64_t flags; 24 | status_t ret; 25 | 26 | // vector txSeq; 27 | Transaction(); 28 | Transaction(const Transaction &); 29 | Transaction(string &txName, Json::Value &txMeta, uint32_t &possIdx); 30 | }; 31 | extern map usedTxs; 32 | #endif // TRANSACTION_H 33 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/array_type.h: -------------------------------------------------------------------------------- 1 | #ifndef ARRAY_TYPE_H 2 | #define ARRAY_TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using namespace std; 11 | 12 | class ArrayType { 13 | public: 14 | ArrayType(ParcelReaderWriter *parcelReaderWriter, const Json::Value &varInfo) 15 | : parcelReaderWriter(parcelReaderWriter), variable(varInfo) { 16 | varName = variable["name"].asString(); 17 | varType = variable["type"].asString(); 18 | } 19 | 20 | void generate(); 21 | void generateRaw(vector *rawData); 22 | void read(); 23 | 24 | private: 25 | ParcelReaderWriter *parcelReaderWriter; 26 | const Json::Value &variable; 27 | string varName; 28 | string varType; 29 | uint32_t varSize; 30 | }; 31 | 32 | #endif // ARRAY_TYPE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/base_type.h: -------------------------------------------------------------------------------- 1 | #ifndef BASE_TYPE_H 2 | #define BASE_TYPE_H 3 | template class BaseType { 4 | public: 5 | virtual ~BaseType(){}; 6 | virtual T generate() = 0; 7 | 8 | 9 | protected: 10 | BaseType(string varName, string varType) 11 | : varName(varName), varType(varType) {} 12 | string varName; 13 | string varType; 14 | T value; 15 | 16 | private: 17 | }; 18 | #endif // BASE_TYPE_H 19 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/binder_type.h: -------------------------------------------------------------------------------- 1 | #ifndef BINDER_TYPE_H 2 | #define BINDER_TYPE_H 3 | #include 4 | #include 5 | #include 6 | 7 | class BinderType { 8 | 9 | public: 10 | BinderType(string varName, string varType, string interfaceName) 11 | : varName(varName), varType(varType), interfaceName(interfaceName) {} 12 | sp generate(); 13 | 14 | private: 15 | string varName; 16 | string varType; 17 | string interfaceName; 18 | }; 19 | #endif // BINDER_TYPE_H 20 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/blob_type.h: -------------------------------------------------------------------------------- 1 | #ifndef BLOB_TYPE_H 2 | #define BLOB_TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using namespace std; 11 | 12 | class BlobType { 13 | public: 14 | BlobType(ParcelReaderWriter *parcelReaderWriter, const Json::Value &varInfo) 15 | : parcelReaderWriter(parcelReaderWriter), variable(varInfo) { 16 | blobSize = this->parcelReaderWriter->getVarSize(variable); 17 | } 18 | 19 | void generate(); 20 | void read(); 21 | 22 | private: 23 | ParcelReaderWriter *parcelReaderWriter; 24 | const Json::Value &variable; 25 | uint64_t blobSize; 26 | }; 27 | 28 | #endif // BLOB_TYPE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/bool_type.h: -------------------------------------------------------------------------------- 1 | #ifndef BOOL_TYPE_H 2 | #define BOOL_TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | class BoolType : public BaseType { 9 | 10 | public: 11 | BoolType(string varName, string varType) : BaseType(varName, varType) {} 12 | bool generate(); 13 | }; 14 | #endif // BOOL_TYPE_H 15 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/double_type.h: -------------------------------------------------------------------------------- 1 | #ifndef DOUBLE_TYPE_H 2 | #define DOUBLE_TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | class DoubleType : public BaseType { 8 | 9 | public: 10 | DoubleType(string varName, string varType) 11 | : BaseType(varName, varType) {} 12 | double generate(); 13 | }; 14 | 15 | #endif // DOUBLE_TYPE_H 16 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/enum_type.h: -------------------------------------------------------------------------------- 1 | #ifndef ENUMERATION_TYPE_H 2 | #define ENUMERATION_TYPE_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | using namespace std; 10 | 11 | #define ENUMERATION_INFO_DIR FUZZER_PATH "model/enumeration/" 12 | 13 | extern map> enumInfo; 14 | 15 | extern int64_t randomEnum(string varType); 16 | extern void initEnumInfo(char *enumInfoDir); 17 | #endif // ENUMERATION_TYPE_H 18 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/file_descriptor_type.h: -------------------------------------------------------------------------------- 1 | #ifndef FILE_DESCRIPTOR_H 2 | #define FILE_DESCRIPTOR_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using namespace std; 11 | 12 | #define FILE_SEED_PATH FUZZER_PATH "seed/files/" 13 | #define MEDIA_FILE_SEED_PATH FILE_SEED_PATH "media/" 14 | #define APK_FILE_SEED_PATH FILE_SEED_PATH "apk/" 15 | #define MISC_FILE_SEED_PATH FILE_SEED_PATH "misc/" 16 | class FDType : public BaseType { 17 | 18 | public: 19 | FDType(string varName, string varType) 20 | : BaseType(varName, varType) {} 21 | int32_t generate(); 22 | int32_t generateRandomFD(map &FDPool); 23 | }; 24 | 25 | extern map apkFDPool; 26 | extern map mediaFDPool; 27 | extern map miscFDPool; 28 | 29 | extern void initFDPool(); 30 | 31 | #endif // FILE_DESCRIPTOR_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/float_type.h: -------------------------------------------------------------------------------- 1 | #ifndef FLOAT_TYPE_H 2 | #define FLOAT_TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | class FloatType : public BaseType { 9 | 10 | public: 11 | FloatType(string varName, string varType) 12 | : BaseType(varName, varType) {} 13 | float generate(); 14 | }; 15 | #endif // FLOAT_TYPE_H 16 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/string_type.h: -------------------------------------------------------------------------------- 1 | #ifndef STRING_TYPE_H 2 | #define STRING_TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | using namespace std; 14 | 15 | #define PACKAGE_LIST_PATH FUZZER_PATH "/seed/package_list.txt" 16 | #define PERMISSION_LIST_PATH FUZZER_PATH "/seed/permission_list.txt" 17 | #define MEDIA_URL_LIST_PATH FUZZER_PATH "/seed/media_url_list.txt" 18 | 19 | extern vector packageList; 20 | extern void initPackageNameList(); 21 | 22 | extern vector permissionList; 23 | extern void initPermissionNameList(); 24 | 25 | extern vector mediaUrlList; 26 | extern void initMediaUrlList(); 27 | 28 | extern vector split(const string &str, const string &pattern); 29 | 30 | class StringType : public BaseType { 31 | 32 | bool isPackage(string varName); 33 | bool isPermission(string varName); 34 | bool isNetworkInterfaceName(string varName); 35 | bool isChainName(string varName); 36 | bool isUrl(string varName); 37 | bool isPath(string varName); 38 | 39 | public: 40 | StringType(string varName, string varType) 41 | : BaseType(varName, varType) {} 42 | 43 | static string generatePackageName(); 44 | static string generatePermissionName(); 45 | static string generateNetworkInterfaceName(); 46 | static string generateAudioParameterKeyPair(); 47 | static string generataKeyValuePairs(); 48 | static string generateChainName(); 49 | static string generateIP(); 50 | static string generateOp(); 51 | static string generateUrl(string varName); 52 | static string generatePath(string varName); 53 | string generate(); 54 | }; 55 | 56 | #endif // STRING_TYPE_H 57 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/structure_type.h: -------------------------------------------------------------------------------- 1 | #ifndef STRUCTURE_TYPE_H 2 | #define STRUCTURE_TYPE_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | using namespace std; 10 | 11 | #define STRUCUTURE_INFO_DIR FUZZER_PATH "model/structure/" 12 | 13 | extern map parcelableStructureDataInfo; 14 | extern map parcelableStructureReplyInfo; 15 | 16 | extern map flattenableStructureDataInfo; 17 | extern map flattenableStructureReplyInfo; 18 | 19 | extern map lightFlattenableStructureDataInfo; 20 | extern map lightFlattenableStructureReplyInfo; 21 | 22 | extern map structureRawInfo; 23 | 24 | extern void loadStructureInfo(char *structureInfoDir); 25 | 26 | class StructureType { 27 | 28 | public: 29 | StructureType(ParcelReaderWriter *parentParcelReaderWriter, string varName, 30 | string varType) 31 | : parentParcelReaderWriter(parentParcelReaderWriter), varName(varName), 32 | varType(varType) { 33 | if (parentParcelReaderWriter->operation == WRITE_DATA) { 34 | if (parcelableStructureDataInfo.count(varType)) { 35 | structure = parcelableStructureDataInfo[varType]; 36 | } else if (lightFlattenableStructureDataInfo.count(varType)) { 37 | structure = lightFlattenableStructureDataInfo[varType]; 38 | } else if (flattenableStructureDataInfo.count(varType)) { 39 | structure = flattenableStructureDataInfo[varType]; 40 | } else if (structureRawInfo.count(varType)) { 41 | structure = structureRawInfo[varType]; 42 | } else { 43 | FUZZER_LOGE("No such type %s for variable %s.", varType.c_str(), 44 | varName.c_str()); 45 | exit(0); 46 | } 47 | } else { 48 | if (parcelableStructureReplyInfo.count(varType)) { 49 | structure = parcelableStructureReplyInfo[varType]; 50 | } else if (lightFlattenableStructureReplyInfo.count(varType)) { 51 | structure = lightFlattenableStructureReplyInfo[varType]; 52 | } else if (flattenableStructureReplyInfo.count(varType)) { 53 | structure = flattenableStructureReplyInfo[varType]; 54 | } else if (structureRawInfo.count(varType)) { 55 | structure = structureRawInfo[varType]; 56 | } else { 57 | FUZZER_LOGE("No such type %s for variable %s.", varType.c_str(), 58 | varName.c_str()); 59 | exit(0); 60 | } 61 | } 62 | // which possibility should we use? 63 | // maybe the last one. 64 | info = structure["possibility"][structure["possibility"].size() - 1]; 65 | if (structureRawInfo.count(varType)) { 66 | // copy information from data part when dealing with raw structure. 67 | info["reply"] = info["data"]; 68 | } 69 | variable = structure["variable"]; 70 | loop = structure["loop"]; 71 | constraint = structure["constraint"]; 72 | } 73 | void read(); 74 | void generate(); 75 | void generateFlattenable(); 76 | void readFlattenable(); 77 | void generateLightFlattenable(); 78 | void readLightFlattenable(); 79 | void generateRaw(vector *rawData); 80 | 81 | private: 82 | ParcelReaderWriter *parentParcelReaderWriter; 83 | string varName; 84 | string varType; 85 | Json::Value structure; 86 | Json::Value info; 87 | Json::Value variable; 88 | Json::Value loop; 89 | Json::Value constraint; 90 | 91 | void initStruct(); 92 | }; 93 | 94 | #endif // STRUCTURE_TYPE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/types.h: -------------------------------------------------------------------------------- 1 | #ifndef TYPE_H 2 | #define TYPE_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | typedef enum { 19 | INTEGER_LITERAL, 20 | UINT8_TYPE, 21 | INT8_TYPE, 22 | INT16_TYPE, 23 | UINT16_TYPE, 24 | INT32_TYPE, 25 | INT64_TYPE, 26 | UINT32_TYPE, 27 | UINT64_TYPE, 28 | FILE_DESCRIPTOR_TYPE, 29 | FLOAT_TYPE, 30 | DOUBLE_TYPE, 31 | STRING16_TYPE, 32 | STRING8_TYPE, 33 | CSTRING_TYPE, 34 | STRONG_BINDER_TYPE, 35 | BOOL_TYPE, 36 | PARCEL_STRUCTURE_TYPE, 37 | FLATTENABLE_STRUCTURE_TYPE, 38 | LIGHT_FLATTENABLE_STRUCTURE_TYPE, 39 | RAW_STRUCTURE_TYPE, 40 | UNION_TYPE, 41 | ARRAY_TYPE, 42 | FUNCTION_TYPE, 43 | BLOB_TYPE 44 | } VarType; 45 | 46 | #define TYPE_MAP_PATH FUZZER_PATH "model/typemap.txt" 47 | 48 | // map type string to Enum varType 49 | // e.g. typeMap["int32"]=INT 50 | extern map varTypeMap; 51 | void initVarTypeMap(); 52 | VarType getVarTypeEnum(string varType); 53 | 54 | #endif // TYPE_H 55 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/types/union_type.h: -------------------------------------------------------------------------------- 1 | #ifndef UNION_TYPE_H 2 | #define UNION_TYPE_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | using namespace std; 10 | 11 | #define UNION_INFO_DIR FUZZER_PATH "model/union/" 12 | 13 | extern map unionInfo; 14 | 15 | extern void loadUnionInfo(char *unionInfoDir); 16 | 17 | class UnionType { 18 | 19 | public: 20 | UnionType(ParcelReaderWriter *parentParcelReaderWriter, string varName, 21 | string varType) 22 | : parentParcelReaderWriter(parentParcelReaderWriter), varName(varName), 23 | varType(varType) { 24 | Json::Value uInfo = unionInfo[varType]; 25 | initUnion(uInfo); 26 | } 27 | 28 | void generateRaw(vector *rawData); 29 | 30 | private: 31 | ParcelReaderWriter *parentParcelReaderWriter; 32 | string varName; 33 | string varType; 34 | Json::Value info; 35 | Json::Value variable; 36 | Json::Value loop; 37 | Json::Value constraint; 38 | void initUnion(const Json::Value &uInfo); 39 | }; 40 | 41 | #endif // UNION_TYPE_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/utils/java_vm.h: -------------------------------------------------------------------------------- 1 | #ifndef FUZZER_JAVA_VM 2 | #define FUZZER_JAVA_VM 3 | 4 | #include 5 | #include 6 | #include 7 | // #include 8 | 9 | typedef int (*JNI_CreateJavaVM_t)(void *, void *, void *); 10 | typedef jint (*registerNatives_t)(JNIEnv *env, jclass clazz); 11 | 12 | extern JavaVM *vm; 13 | extern JNIEnv *env; 14 | int init_jvm(JavaVM **p_vm, JNIEnv **p_env); 15 | 16 | #endif // FUZZER_JAVA_VM -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/utils/log.h: -------------------------------------------------------------------------------- 1 | #ifndef NATIVE_SERVICE_FUZZER_LOG_H 2 | #define NATIVE_SERVICE_FUZZER_LOG_H 3 | #include 4 | #include 5 | #include 6 | #define FUZZER_LOG_TAG "NativeServiceFuzzer" 7 | 8 | extern int spaceNum; 9 | 10 | typedef enum { DEBUG_LEVEL, INFO_LEVEL, ERROR_LEVEL } LOG_LEVEL; 11 | extern LOG_LEVEL logLevel; 12 | #define FUZZER_LOGD(...) \ 13 | { \ 14 | if (DEBUG_LEVEL >= logLevel) { \ 15 | printf("%*s", spaceNum, ""); \ 16 | printf(__VA_ARGS__); \ 17 | printf("\n"); \ 18 | } \ 19 | } 20 | #define FUZZER_LOGI(...) \ 21 | { \ 22 | if (INFO_LEVEL >= logLevel) { \ 23 | printf("%*s", spaceNum, ""); \ 24 | printf(__VA_ARGS__); \ 25 | printf("\n"); \ 26 | } \ 27 | } 28 | 29 | #define FUZZER_LOGE(...) \ 30 | { \ 31 | if (ERROR_LEVEL >= logLevel) { \ 32 | printf("%*s", spaceNum, ""); \ 33 | printf("Failed at %s:%d (%s)\n", __FILE__, __LINE__, __FUNCTION__); \ 34 | printf("%*s", spaceNum, ""); \ 35 | printf(__VA_ARGS__); \ 36 | printf("\n"); \ 37 | } \ 38 | } 39 | 40 | // #define FUZZER_LOGV(...) ((void)ALOG(LOG_VERBOSE, FUZZER_LOG_TAG, 41 | // __VA_ARGS__)) #define FUZZER_LOGD(...) ((void)ALOG(LOG_DEBUG, FUZZER_LOG_TAG, 42 | // __VA_ARGS__)) #define FUZZER_LOGI(...) ((void)ALOG(LOG_INFO, FUZZER_LOG_TAG, 43 | // __VA_ARGS__)) 44 | // #define FUZZER_LOGE(...) \ 45 | // ALOGE("Failed at %s:%d (%s)", __FILE__, __LINE__, __FUNCTION__); \ 46 | // ((void)ALOG(LOG_ERROR, FUZZER_LOG_TAG, __VA_ARGS__)) 47 | #endif // NATIVE_SERVICE_FUZZER_LOG_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/utils/random.h: -------------------------------------------------------------------------------- 1 | #ifndef RANDOM_H 2 | #define RANDOM_H 3 | #include 4 | #include 5 | #include 6 | /** 7 | * @brief return a random int64 between [min,max]. 8 | * 9 | * @param min 10 | * @param max 11 | * @return uint64_t 12 | */ 13 | uint64_t randomUInt64(uint64_t min, uint64_t max); 14 | float randomFloat(float min, float max); 15 | double randomDouble(double min, double max); 16 | #endif // RANDOM_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/utils/thread.h: -------------------------------------------------------------------------------- 1 | #ifndef FUZZER_THREAD_H 2 | #define FUZZER_THREAD_H 3 | #include 4 | #include 5 | #include 6 | extern void thread_exit_handler(int sig); 7 | extern void my_thread_init(); 8 | 9 | #endif // FUZZER_THREAD_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/include/fuzzer/utils/util.h: -------------------------------------------------------------------------------- 1 | #ifndef FUZZER_UTIL_H 2 | #define FUZZER_UTIL_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | using namespace std; 12 | 13 | #define FUZZER_PATH "/data/fuzzer/" 14 | extern void loadJsonInfo(const char *infoDir, map &info); 15 | #endif // FUZZER_UTIL_H -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/misc/codec.py: -------------------------------------------------------------------------------- 1 | codecinfo="""OMX.google.aac.decoder 2 | audio/mp4a-latm 3 | ------- 4 | OMX.google.amrnb.decoder 5 | audio/3gpp 6 | ------- 7 | OMX.google.amrwb.decoder 8 | audio/amr-wb 9 | ------- 10 | OMX.google.flac.decoder 11 | audio/flac 12 | ------- 13 | OMX.google.g711.alaw.decoder 14 | audio/g711-alaw 15 | ------- 16 | OMX.google.g711.mlaw.decoder 17 | audio/g711-mlaw 18 | ------- 19 | OMX.google.gsm.decoder 20 | audio/gsm 21 | ------- 22 | OMX.google.mp3.decoder 23 | audio/mpeg 24 | ------- 25 | OMX.google.opus.decoder 26 | audio/opus 27 | ------- 28 | OMX.google.raw.decoder 29 | audio/raw 30 | ------- 31 | OMX.google.vorbis.decoder 32 | audio/vorbis 33 | ------- 34 | OMX.google.aac.encoder 35 | audio/mp4a-latm 36 | ------- 37 | OMX.google.amrnb.encoder 38 | audio/3gpp 39 | ------- 40 | OMX.google.amrwb.encoder 41 | audio/amr-wb 42 | ------- 43 | OMX.google.flac.encoder 44 | audio/flac 45 | ------- 46 | OMX.qcom.video.decoder.avc 47 | video/avc 48 | ------- 49 | OMX.qcom.video.decoder.avc.secure 50 | video/avc 51 | ------- 52 | OMX.google.h264.decoder 53 | video/avc 54 | ------- 55 | OMX.qcom.video.decoder.h263 56 | video/3gpp 57 | ------- 58 | OMX.google.h263.decoder 59 | video/3gpp 60 | ------- 61 | OMX.qcom.video.decoder.hevc 62 | video/hevc 63 | ------- 64 | OMX.qcom.video.decoder.hevc.secure 65 | video/hevc 66 | ------- 67 | OMX.google.hevc.decoder 68 | video/hevc 69 | ------- 70 | OMX.qcom.video.decoder.mpeg4 71 | video/mp4v-es 72 | ------- 73 | OMX.google.mpeg4.decoder 74 | video/mp4v-es 75 | ------- 76 | OMX.qcom.video.decoder.vp8 77 | video/x-vnd.on2.vp8 78 | ------- 79 | OMX.google.vp8.decoder 80 | video/x-vnd.on2.vp8 81 | ------- 82 | OMX.qcom.video.decoder.vp9 83 | video/x-vnd.on2.vp9 84 | ------- 85 | OMX.qcom.video.decoder.vp9.secure 86 | video/x-vnd.on2.vp9 87 | ------- 88 | OMX.google.vp9.decoder 89 | video/x-vnd.on2.vp9 90 | ------- 91 | OMX.qcom.video.encoder.avc 92 | video/avc 93 | ------- 94 | OMX.google.h264.encoder 95 | video/avc 96 | ------- 97 | OMX.qcom.video.encoder.h263 98 | video/3gpp 99 | ------- 100 | OMX.google.h263.encoder 101 | video/3gpp 102 | ------- 103 | OMX.qcom.video.encoder.hevc 104 | video/hevc 105 | ------- 106 | OMX.qcom.video.encoder.mpeg4 107 | video/mp4v-es 108 | ------- 109 | OMX.google.mpeg4.encoder 110 | video/mp4v-es 111 | ------- 112 | OMX.qcom.video.encoder.vp8 113 | video/x-vnd.on2.vp8 114 | ------- 115 | OMX.google.vp8.encoder 116 | video/x-vnd.on2.vp8 117 | ------- 118 | OMX.google.vp9.encoder 119 | video/x-vnd.on2.vp9 120 | ------- 121 | """ 122 | codecinfo =codecinfo.split("-------\n")[:-1] 123 | codecname=[] 124 | mime = [] 125 | for item in codecinfo: 126 | item = item.split("\n") 127 | 128 | codecname.append(item[0]) 129 | mime.append(item[1]) 130 | for i in codecname: 131 | print(i+",") 132 | print("") 133 | for i in mime: 134 | print(i+",") -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/misc/extract_audio_effects.py: -------------------------------------------------------------------------------- 1 | from xml.etree.ElementTree import parse 2 | 3 | doc = parse("audio_effects.xml") 4 | root = doc.getroot() 5 | print(root) 6 | print(root.find("libraries")) 7 | uuid = [] 8 | for item in root.findall("effects/effectProxy"): 9 | uuid.append(item.attrib["uuid"]) 10 | libsw = item.find("libsw") 11 | uuid.append(libsw.attrib["uuid"]) 12 | libhw = item.find("libhw") 13 | uuid.append(libhw.attrib["uuid"]) 14 | for item in root.findall("effects/effect"): 15 | uuid.append(item.attrib["uuid"]) 16 | for item in uuid: 17 | print('"%s",' % item) 18 | print(len(uuid)) -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/executor.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | status_t Executor::run(Transaction &tx) { 8 | NativeServiceManager nsm; 9 | sp interface = nsm.getService(tx); 10 | if (interface == NULL) { 11 | // clear tx status 12 | usedTxs.erase(tx.txName); 13 | // TODO: consider when this tx is used by some dependency. 14 | return 0; 15 | } 16 | FUZZER_LOGI("Start issuing transaction %s.", tx.txName.c_str()); 17 | status_t ret = interface->transact(tx.code, tx.data, &tx.reply, tx.flags); 18 | FUZZER_LOGI("Transaction return status: %d.", ret); 19 | // clear tx status 20 | usedTxs.erase(tx.txName); 21 | return ret; 22 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/generator.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | Transaction Generator::generateTx() { 6 | map::iterator it; 7 | if (targetTransactionInfo.size() == 0) { 8 | uint64_t r = randomUInt64(0, (uint64_t)svcInfo.size() - 1); 9 | it = svcInfo.begin(); 10 | std::advance(it, r); 11 | } else { 12 | uint64_t r = randomUInt64(0, (uint64_t)targetTransactionInfo.size() - 1); 13 | it = targetTransactionInfo.begin(); 14 | std::advance(it, r); 15 | } 16 | 17 | string txName(it->first); 18 | Json::Value &txMeta = it->second; 19 | uint64_t len = txMeta["possibility"].size(); 20 | uint32_t possIdx = (uint32_t)randomUInt64(0, len - 1); 21 | FUZZER_LOGI("Random choose index %u in transaction %s.", possIdx, 22 | it->first.c_str()); 23 | Transaction tx(txName, txMeta, possIdx); 24 | ParcelReaderWriter parcelReaderWriter(tx.info["data"], tx.variable, tx.loop, 25 | tx.constraint); 26 | parcelReaderWriter.initTxWrite(&tx); 27 | parcelReaderWriter.start(); 28 | return tx; 29 | } 30 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IAAudioClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | using namespace android; 5 | 6 | sp generateIAAudioClient() { 7 | AAudioBinderClient aaudioBinderClient; 8 | android::sp mAAudioClient; 9 | mAAudioClient = new AAudioBinderClient::AAudioClient(&aaudioBinderClient); 10 | return IInterface::asBinder(mAAudioClient); 11 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IAppOpsCallback.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // #include 5 | #include 6 | 7 | // class MyBasicClient : public CameraService::BasicClient { 8 | // public: 9 | // AppOpsManager mAppOpsManager; 10 | // MyBasicClient(const sp &cameraService, 11 | // const sp &remoteCallback, 12 | // const String16 &clientPackageName, const String8 13 | // &cameraIdStr, int cameraFacing, int clientPid, uid_t 14 | // clientUid, int servicePid) 15 | // : CameraService::BasicClient(cameraService, 16 | // IInterface::asBinder(cameraClient), 17 | // clientPackageName, cameraIdStr, 18 | // cameraFacing, clientPid, clientUid, 19 | // servicePid) {} 20 | // void opChanged(int32_t op, const String16 &packageName) { 21 | // ATRACE_CALL(); 22 | 23 | // String8 name(packageName); 24 | // String8 myName(mClientPackageName); 25 | 26 | // if (op != AppOpsManager::OP_CAMERA) { 27 | // ALOGW("Unexpected app ops notification received: %d", op); 28 | // return; 29 | // } 30 | 31 | // int32_t res; 32 | // res = mAppOpsManager.checkOp(AppOpsManager::OP_CAMERA, mClientUid, 33 | // mClientPackageName); 34 | // ALOGV("checkOp returns: %d, %s ", res, 35 | // res == AppOpsManager::MODE_ALLOWED 36 | // ? "ALLOWED" 37 | // : res == AppOpsManager::MODE_IGNORED 38 | // ? "IGNORED" 39 | // : res == AppOpsManager::MODE_ERRORED ? "ERRORED" 40 | // : "UNKNOWN"); 41 | 42 | // if (res != AppOpsManager::MODE_ALLOWED) { 43 | // ALOGI("Camera %s: Access for \"%s\" revoked", mCameraIdStr.string(), 44 | // myName.string()); 45 | // block(); 46 | // } 47 | // } 48 | 49 | // class OpsCallback : public BnAppOpsCallback { 50 | // public: 51 | // explicit OpsCallback(wp client); 52 | // virtual void opChanged(int32_t op, const String16 &packageName); 53 | 54 | // private: 55 | // wp mClient; 56 | 57 | // }; // class OpsCallback 58 | // }; // class BasicClient 59 | 60 | // MyBasicClient::OpsCallback::OpsCallback(wp client) 61 | // : mClient(client) {} 62 | 63 | // void MyBasicClient::OpsCallback::opChanged(int32_t op, 64 | // const String16 &packageName) { 65 | // sp client = mClient.promote(); 66 | // if (client != NULL) { 67 | // client->opChanged(op, packageName); 68 | // } 69 | // } 70 | 71 | // sp generateIAppOpsCallback() { 72 | // // sp sm = defaultServiceManager(); 73 | // // sp binder = sm->checkService(String16("media.camera")); 74 | // // if (binder == NULL) { 75 | // // return NULL; 76 | // // } 77 | 78 | // sp cameraService = new CameraService(); 79 | // sp cameraClient = generateCamera(); 80 | 81 | // StringType stringType("cameraIdStr", "String8"); 82 | // String8 cameraIdStr(stringType.generate().c_str()); 83 | 84 | // IntType intType("cameraFacing", "int"); 85 | // sp client(cameraService, cameraClient, 86 | // StringType::generatePackageName(), cameraIdStr, 87 | // intType.generate(), IntType::generatePid(), 88 | // IntType::generateUid(), IntType::generatePid()); 89 | 90 | // } 91 | 92 | sp generateIAppOpsCallback() { return NULL; } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/ICamera.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | sp generateICamera() { 4 | sp mCamera = generateCamera(); 5 | if (mCamera == NULL) { 6 | return NULL; 7 | } else { 8 | return IInterface::asBinder(mCamera->remote()); 9 | } 10 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/ICameraDeviceCallbacks.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | sp generateICameraDeviceCallbacks() { 6 | return NULL; 7 | // // Camera manager 8 | // ACameraManager *mCameraManager{nullptr}; 9 | // ACameraIdList *mCameraIdList{nullptr}; 10 | // // Camera device 11 | // ACameraMetadata *mCameraMetadata{nullptr}; 12 | // ACameraDevice *mDevice{nullptr}; 13 | // // Capture session 14 | // ACaptureSessionOutputContainer *mOutputs{nullptr}; 15 | // ACaptureSessionOutput *mImgReaderOutput{nullptr}; 16 | // ACameraCaptureSession *mSession{nullptr}; 17 | // // Capture request 18 | // ACaptureRequest *mCaptureRequest{nullptr}; 19 | // ACameraOutputTarget *mReqImgReaderOutput{nullptr}; 20 | 21 | // bool mIsCameraReady{false}; 22 | // const char *mCameraId{nullptr}; 23 | 24 | // mCameraManager = ACameraManager_create(); 25 | // if (mCameraManager == nullptr) { 26 | // ALOGE("Failed to create ACameraManager."); 27 | // return -1; 28 | // } 29 | 30 | // int ret = ACameraManager_getCameraIdList(mCameraManager, &mCameraIdList); 31 | // if (ret != AMEDIA_OK) { 32 | // ALOGE("Failed to get cameraIdList: ret=%d", ret); 33 | // return ret; 34 | // } 35 | // if (mCameraIdList->numCameras < 1) { 36 | // ALOGW("Device has no NDK compatible camera."); 37 | // return 0; 38 | // } 39 | // ALOGI("Found %d camera(s).", mCameraIdList->numCameras); 40 | 41 | // // We always use the first camera. 42 | // mCameraId = 43 | // mCameraIdList->cameraIds[randomUInt64(0, mCameraIdList->numCameras - 44 | // 1)]; 45 | // if (mCameraId == nullptr) { 46 | // ALOGE("Failed to get cameraId."); 47 | // return -1; 48 | // } 49 | 50 | // ret = ACameraManager_openCamera(mCameraManager, mCameraId, &mDeviceCb, 51 | // &mDevice); 52 | // if (ret != AMEDIA_OK || mDevice == nullptr) { 53 | // ALOGE("Failed to open camera, ret=%d, mDevice=%p.", ret, mDevice); 54 | // return -1; 55 | // } 56 | 57 | // sp callback = 58 | // mDevice->getServiceCallback(); 59 | // return IInterface::asBinder(callback); 60 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/ICameraRecordingProxy.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | sp generateICameraRecordingProxy() { 3 | sp mCamera = generateCamera(); 4 | if (mCamera == NULL) { 5 | return NULL; 6 | } else { 7 | return IInterface::asBinder(mCamera->getRecordingProxy()); 8 | } 9 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/ICameraRecordingProxyListener.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | MyCameraSource *MyCameraSource::Create(const String16 &clientName) { 21 | Size size; 22 | size.width = -1; 23 | size.height = -1; 24 | 25 | sp camera; 26 | return new MyCameraSource(camera, NULL, 0, clientName, 27 | Camera::USE_CALLING_UID, Camera::USE_CALLING_PID, 28 | size, -1, NULL, false); 29 | } 30 | MyCameraSource::MyCameraSource(const sp &camera, 31 | const sp &proxy, 32 | int32_t cameraId, const String16 &clientName, 33 | uid_t clientUid, pid_t clientPid, Size videoSize, 34 | int32_t frameRate, 35 | const sp &surface, 36 | bool storeMetaDataInVideoBuffers) 37 | : CameraSource(camera, proxy, cameraId, clientName, clientUid, clientPid, 38 | videoSize, frameRate, surface, storeMetaDataInVideoBuffers) { 39 | } 40 | 41 | void MyCameraSource::mydataCallbackTimestamp(nsecs_t timestamp, int32_t msgType, 42 | const sp &dataPtr) { 43 | dataCallbackTimestamp(timestamp / 1000, msgType, dataPtr); 44 | } 45 | void MyCameraSource::myrecordingFrameHandleCallbackTimestamp( 46 | nsecs_t timestamp, native_handle_t *handle) { 47 | recordingFrameHandleCallbackTimestamp(timestamp / 1000, handle); 48 | } 49 | void MyCameraSource::myrecordingFrameHandleCallbackTimestampBatch( 50 | const std::vector ×tampsUs, 51 | const std::vector &handles) { 52 | int n = timestampsUs.size(); 53 | std::vector modifiedTimestamps(n); 54 | for (int i = 0; i < n; i++) { 55 | modifiedTimestamps[i] = timestampsUs[i] / 1000; 56 | } 57 | recordingFrameHandleCallbackTimestampBatch(modifiedTimestamps, handles); 58 | } 59 | 60 | ProxyListener::ProxyListener(const sp &source) { 61 | mSource = source; 62 | } 63 | 64 | void ProxyListener::dataCallbackTimestamp(nsecs_t timestamp, int32_t msgType, 65 | const sp &dataPtr) { 66 | mSource->mydataCallbackTimestamp(timestamp / 1000, msgType, dataPtr); 67 | } 68 | 69 | void ProxyListener::recordingFrameHandleCallbackTimestamp( 70 | nsecs_t timestamp, native_handle_t *handle) { 71 | mSource->myrecordingFrameHandleCallbackTimestamp(timestamp / 1000, handle); 72 | } 73 | 74 | void ProxyListener::recordingFrameHandleCallbackTimestampBatch( 75 | const std::vector ×tampsUs, 76 | const std::vector &handles) { 77 | int n = timestampsUs.size(); 78 | std::vector modifiedTimestamps(n); 79 | for (int i = 0; i < n; i++) { 80 | modifiedTimestamps[i] = timestampsUs[i] / 1000; 81 | } 82 | mSource->myrecordingFrameHandleCallbackTimestampBatch(modifiedTimestamps, 83 | handles); 84 | } 85 | 86 | sp generateICameraRecordingProxyListener() { 87 | sp cameraSource = MyCameraSource::Create( 88 | String16(StringType::generatePackageName().c_str())); 89 | sp listener = new ProxyListener(cameraSource); 90 | return IInterface::asBinder(listener); 91 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IDisplay.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | enum { eDisplayIdMain = 0, eDisplayIdHdmi = 1 }; 4 | 5 | sp generateIDisplay() { 6 | sp sf(ComposerService::getComposerService()); 7 | bool flag = randomUInt64(0, 1); 8 | sp display; 9 | if (flag) { 10 | display = sf->getBuiltInDisplay(ISurfaceComposer::eDisplayIdMain); 11 | } else { 12 | display = sf->getBuiltInDisplay(ISurfaceComposer::eDisplayIdHdmi); 13 | } 14 | return display; 15 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IDrmClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // static bool gGotVendorDefinedEvent = false; 4 | 5 | // typedef Vector idvec_t; 6 | 7 | // struct DrmListener : virtual public BnDrmClient { 8 | // private: 9 | // AMediaDrm *mObj; 10 | // AMediaDrmEventListener mListener; 11 | 12 | // public: 13 | // DrmListener(AMediaDrm *obj, AMediaDrmEventListener listener) 14 | // : mObj(obj), mListener(listener) {} 15 | // void notify(DrmPlugin::EventType eventType, int extra, const Parcel *obj); 16 | // }; 17 | 18 | // struct AMediaDrm { 19 | // sp mDrm; 20 | // sp mDrmClient; 21 | // List mIds; 22 | // KeyedVector mQueryResults; 23 | // Vector mKeyRequest; 24 | // Vector mProvisionRequest; 25 | // String8 mProvisionUrl; 26 | // String8 mPropertyString; 27 | // Vector mPropertyByteArray; 28 | // List> mSecureStops; 29 | // sp mListener; 30 | // }; 31 | 32 | // void DrmListener::notify(DrmPlugin::EventType eventType, int extra, 33 | // const Parcel *obj) { 34 | // if (!mListener) { 35 | // return; 36 | // } 37 | 38 | // AMediaDrmSessionId sessionId = {NULL, 0}; 39 | // int32_t sessionIdSize = obj->readInt32(); 40 | // if (sessionIdSize) { 41 | // uint8_t *sessionIdData = new uint8_t[sessionIdSize]; 42 | // sessionId.ptr = sessionIdData; 43 | // sessionId.length = sessionIdSize; 44 | // obj->read(sessionIdData, sessionId.length); 45 | // } 46 | 47 | // int32_t dataSize = obj->readInt32(); 48 | // uint8_t *data = NULL; 49 | // if (dataSize) { 50 | // data = new uint8_t[dataSize]; 51 | // obj->read(data, dataSize); 52 | // } 53 | 54 | // // translate DrmPlugin event types into their NDK equivalents 55 | // AMediaDrmEventType ndkEventType; 56 | // switch (eventType) { 57 | // case DrmPlugin::kDrmPluginEventProvisionRequired: 58 | // ndkEventType = EVENT_PROVISION_REQUIRED; 59 | // break; 60 | // case DrmPlugin::kDrmPluginEventKeyNeeded: 61 | // ndkEventType = EVENT_KEY_REQUIRED; 62 | // break; 63 | // case DrmPlugin::kDrmPluginEventKeyExpired: 64 | // ndkEventType = EVENT_KEY_EXPIRED; 65 | // break; 66 | // case DrmPlugin::kDrmPluginEventVendorDefined: 67 | // ndkEventType = EVENT_VENDOR_DEFINED; 68 | // break; 69 | // default: 70 | // ALOGE("Invalid event DrmPlugin::EventType %d, ignored", (int)eventType); 71 | // goto cleanup; 72 | // } 73 | 74 | // (*mListener)(mObj, &sessionId, ndkEventType, extra, data, dataSize); 75 | 76 | // cleanup: 77 | // delete[] sessionId.ptr; 78 | // delete[] data; 79 | // } 80 | 81 | class MyDrmListener : virtual public BnDrmClient { 82 | public: 83 | MyDrmListener(){}; 84 | void notify(DrmPlugin::EventType eventType, int extra, const Parcel *obj); 85 | }; 86 | void MyDrmListener::notify(DrmPlugin::EventType eventType, int extra, 87 | const Parcel *obj) { 88 | return; 89 | } 90 | 91 | sp generateIDrmClient() { 92 | // AMediaDrm *mObj = new AMediaDrm(); 93 | // AMediaDrmEventListener listener = NULL; 94 | // return NULL; 95 | sp drmListener = new MyDrmListener(); 96 | return IInterface::asBinder(drmListener); 97 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IDrmServiceListener.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | sp generateIDrmServiceListener() { 5 | int32_t pUniqueId; 6 | bool isNative = (bool)randomUInt64(0, 1); 7 | 8 | sp client = 9 | DrmManagerClientImpl::create(&pUniqueId, isNative); 10 | return IInterface::asBinder(client); 11 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IEffectClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | // Implements the IEffectClient interface 4 | class MyAudioEffect : public AudioEffect { 5 | public: 6 | MyAudioEffect(String16 packageName) : AudioEffect(packageName) {} 7 | void mycontrolStatusChanged(bool controlGranted) { 8 | controlStatusChanged(controlGranted); 9 | } 10 | void myenableStatusChanged(bool enabled) { enableStatusChanged(enabled); } 11 | void mycommandExecuted(uint32_t cmdCode, uint32_t cmdSize, void *pCmdData, 12 | uint32_t replySize, void *pReplyData) { 13 | commandExecuted(cmdCode, cmdSize, pCmdData, replySize, pReplyData); 14 | } 15 | void mybinderDied(const wp & /*who*/) { 16 | ALOGW("IEffect died"); 17 | mStatus = DEAD_OBJECT; 18 | if (mCbf != NULL) { 19 | status_t status = DEAD_OBJECT; 20 | mCbf(EVENT_ERROR, mUserData, &status); 21 | } 22 | // as mIEffect is private, we can not clear it.. 23 | // mIEffect.clear(); 24 | } 25 | }; 26 | class EffectClient : public android::BnEffectClient, 27 | public android::IBinder::DeathRecipient { 28 | public: 29 | EffectClient(MyAudioEffect *effect) : mEffect(effect) {} 30 | 31 | // IEffectClient 32 | virtual void controlStatusChanged(bool controlGranted) { 33 | sp effect = mEffect.promote(); 34 | if (effect != 0) { 35 | effect->mycontrolStatusChanged(controlGranted); 36 | } 37 | } 38 | virtual void enableStatusChanged(bool enabled) { 39 | sp effect = mEffect.promote(); 40 | if (effect != 0) { 41 | effect->myenableStatusChanged(enabled); 42 | } 43 | } 44 | virtual void commandExecuted(uint32_t cmdCode, uint32_t cmdSize, 45 | void *pCmdData, uint32_t replySize, 46 | void *pReplyData) { 47 | sp effect = mEffect.promote(); 48 | if (effect != 0) { 49 | effect->mycommandExecuted(cmdCode, cmdSize, pCmdData, replySize, 50 | pReplyData); 51 | } 52 | } 53 | 54 | // IBinder::DeathRecipient 55 | virtual void binderDied(const wp & /*who*/) { 56 | sp effect = mEffect.promote(); 57 | if (effect != 0) { 58 | effect->mybinderDied(this); 59 | } 60 | } 61 | 62 | private: 63 | wp mEffect; 64 | }; 65 | 66 | sp generateIEffectClient() { 67 | String16 packageName(StringType::generatePackageName().c_str()); 68 | sp audioEffect = new MyAudioEffect(packageName); 69 | sp mIEffectClient = new EffectClient(audioEffect.get()); 70 | return IInterface::asBinder(mIEffectClient); 71 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IGraphicBufferConsumer.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | sp generateIGraphicBufferConsumer() { 4 | 5 | sp core(new BufferQueueCore()); 6 | LOG_ALWAYS_FATAL_IF(core == NULL, 7 | "BufferQueue: failed to create BufferQueueCore"); 8 | 9 | sp consumer(new BufferQueueConsumer(core)); 10 | LOG_ALWAYS_FATAL_IF(consumer == NULL, 11 | "BufferQueue: failed to create BufferQueueConsumer"); 12 | return IInterface::asBinder(consumer); 13 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IGraphicBufferProducer.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | sp generateIGraphicBufferProducer() { 4 | sp sm = defaultServiceManager(); 5 | sp MeidaPlayerService = sm->checkService(String16("media.player")); 6 | if (MeidaPlayerService == NULL) { 7 | return NULL; 8 | } 9 | 10 | // get IMediaPlayerService 11 | sp iMPService = 12 | IMediaPlayerService::asInterface(MeidaPlayerService); 13 | // ALOGI("Get iMPService instance, 0x%08lx\n", (unsigned 14 | // long)iMPService.get()); 15 | sp recorder = iMPService->createMediaRecorder( 16 | String16(StringType::generatePackageName().c_str())); 17 | if (recorder == NULL) { 18 | return NULL; 19 | } 20 | // ALOGI("Get recorder instance, 0x%08lx\n", (unsigned long)recorder.get()); 21 | 22 | const char *fileName = "/data/fuzzer/test.txt"; 23 | int fd = open(fileName, O_RDWR | O_CREAT, 0744); 24 | recorder->setVideoSource(2); 25 | recorder->setOutputFile(fd); 26 | IntType of("of", ""); 27 | recorder->setOutputFormat(of.generate()); 28 | recorder->init(); 29 | recorder->prepare(); 30 | recorder->start(); 31 | 32 | // get IGraphicBufferProducer 33 | sp producer = recorder->querySurfaceMediaSource(); 34 | return IInterface::asBinder(producer); 35 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IIncidentReportStatusListener.cpp: -------------------------------------------------------------------------------- 1 | // #include 2 | // #include 3 | 4 | // class SimpleListener : public IIncidentReportStatusListener { 5 | // public: 6 | // SimpleListener(){}; 7 | // virtual ~SimpleListener(){}; 8 | 9 | // virtual Status onReportStarted() { return Status::ok(); }; 10 | // virtual Status onReportSectionStatus(int /*section*/, int /*status*/) { 11 | // return Status::ok(); 12 | // }; 13 | // virtual Status onReportFinished() { return Status::ok(); }; 14 | // virtual Status onReportFailed() { return Status::ok(); }; 15 | // }; 16 | 17 | // sp generateIIncidentReportStatusListener() { 18 | // sp listener = new SimpleListener(); 19 | // return IInterface::asBinder(listener); 20 | // } 21 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IInterfaceEventCallback.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | namespace android { 5 | 6 | namespace net { 7 | 8 | namespace wifi { 9 | 10 | IMPLEMENT_META_INTERFACE(InterfaceEventCallback, 11 | "android.net.wifi.IInterfaceEventCallback") 12 | 13 | } // namespace wifi 14 | 15 | } // namespace net 16 | 17 | } // namespace android 18 | #include 19 | #include 20 | 21 | namespace android { 22 | 23 | namespace net { 24 | 25 | namespace wifi { 26 | 27 | BpInterfaceEventCallback::BpInterfaceEventCallback( 28 | const ::android::sp<::android::IBinder> &_aidl_impl) 29 | : BpInterface(_aidl_impl) {} 30 | 31 | ::android::binder::Status BpInterfaceEventCallback::OnClientInterfaceReady( 32 | const ::android::sp<::android::net::wifi::IClientInterface> 33 | &network_interface) { 34 | // TODO: 35 | android::binder::Status status; 36 | status.fromStatusT(0); 37 | return status; 38 | } 39 | 40 | ::android::binder::Status BpInterfaceEventCallback::OnApInterfaceReady( 41 | const ::android::sp<::android::net::wifi::IApInterface> 42 | &network_interface) { 43 | // TODO: 44 | android::binder::Status status; 45 | status.fromStatusT(0); 46 | return status; 47 | } 48 | 49 | ::android::binder::Status BpInterfaceEventCallback::OnClientTorndownEvent( 50 | const ::android::sp<::android::net::wifi::IClientInterface> 51 | &network_interface) { 52 | // TODO: 53 | android::binder::Status status; 54 | status.fromStatusT(0); 55 | return status; 56 | } 57 | 58 | ::android::binder::Status BpInterfaceEventCallback::OnApTorndownEvent( 59 | const ::android::sp<::android::net::wifi::IApInterface> 60 | &network_interface) { 61 | // TODO: 62 | android::binder::Status status; 63 | status.fromStatusT(0); 64 | return status; 65 | } 66 | 67 | } // namespace wifi 68 | 69 | } // namespace net 70 | 71 | } // namespace android 72 | #include 73 | #include 74 | 75 | namespace android { 76 | 77 | namespace net { 78 | 79 | namespace wifi { 80 | 81 | ::android::status_t BnInterfaceEventCallback::onTransact( 82 | uint32_t _aidl_code, const ::android::Parcel &_aidl_data, 83 | ::android::Parcel *_aidl_reply, uint32_t _aidl_flags) { 84 | ::android::status_t _aidl_ret_status = ::android::OK; 85 | switch (_aidl_code) { 86 | case Call::ONCLIENTINTERFACEREADY: { 87 | // TODO, affected by IClientInterface, the followings are similar 88 | } break; 89 | case Call::ONAPINTERFACEREADY: { 90 | // TODO 91 | } break; 92 | case Call::ONCLIENTTORNDOWNEVENT: { 93 | // TODO 94 | } break; 95 | case Call::ONAPTORNDOWNEVENT: { 96 | // TODO 97 | } break; 98 | default: { 99 | _aidl_ret_status = ::android::BBinder::onTransact(_aidl_code, _aidl_data, 100 | _aidl_reply, _aidl_flags); 101 | } break; 102 | } 103 | if (_aidl_ret_status == ::android::UNEXPECTED_NULL) { 104 | _aidl_ret_status = ::android::binder::Status::fromExceptionCode( 105 | ::android::binder::Status::EX_NULL_POINTER) 106 | .writeToParcel(_aidl_reply); 107 | } 108 | return _aidl_ret_status; 109 | } 110 | 111 | } // namespace wifi 112 | 113 | } // namespace net 114 | 115 | } // namespace android 116 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IInterfaceEventCallback_impl.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | using namespace android::net::wifi; 5 | // This method is messy.. 6 | 7 | class MyInterfaceEventCallback 8 | : public android::net::wifi::BnInterfaceEventCallback, 9 | public IBinder::DeathRecipient { 10 | public: 11 | // TODO: may be we can do bad thing here, listening... 12 | android::binder::Status OnClientInterfaceReady( 13 | const ::android::sp<::android::net::wifi::IClientInterface> 14 | &network_interface) { 15 | android::binder::Status status; 16 | status.fromStatusT(0); 17 | return status; 18 | } 19 | android::binder::Status 20 | OnApInterfaceReady(const ::android::sp<::android::net::wifi::IApInterface> 21 | &network_interface) { 22 | android::binder::Status status; 23 | status.fromStatusT(0); 24 | return status; 25 | } 26 | android::binder::Status OnClientTorndownEvent( 27 | const ::android::sp<::android::net::wifi::IClientInterface> 28 | &network_interface) { 29 | android::binder::Status status; 30 | status.fromStatusT(0); 31 | return status; 32 | } 33 | android::binder::Status 34 | OnApTorndownEvent(const ::android::sp<::android::net::wifi::IApInterface> 35 | &network_interface) { 36 | android::binder::Status status; 37 | status.fromStatusT(0); 38 | return status; 39 | } 40 | void binderDied(const wp &who) {} 41 | virtual ~MyInterfaceEventCallback() {} 42 | }; 43 | 44 | sp generateIInterfaceEventCallback() { 45 | sp callback = new MyInterfaceEventCallback(); 46 | return IInterface::asBinder(callback); 47 | } 48 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IMediaHTTPService.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | sp MyCreateHTTPServiceInCurrentJavaContext() { 9 | ScopedLocalRef clazz( 10 | env, env->FindClass("android/media/MediaHTTPService")); 11 | CHECK(clazz.get() != NULL); 12 | 13 | jmethodID constructID = env->GetMethodID(clazz.get(), "", "()V"); 14 | CHECK(constructID != NULL); 15 | 16 | ScopedLocalRef httpServiceObj( 17 | env, env->NewObject(clazz.get(), constructID)); 18 | 19 | sp httpService; 20 | if (httpServiceObj.get() != NULL) { 21 | jmethodID asBinderID = 22 | env->GetMethodID(clazz.get(), "asBinder", "()Landroid/os/IBinder;"); 23 | CHECK(asBinderID != NULL); 24 | 25 | ScopedLocalRef httpServiceBinderObj( 26 | env, env->CallObjectMethod(httpServiceObj.get(), asBinderID)); 27 | CHECK(httpServiceBinderObj.get() != NULL); 28 | 29 | sp binder = ibinderForJavaObject(env, httpServiceBinderObj.get()); 30 | 31 | httpService = interface_cast(binder); 32 | } 33 | 34 | return httpService; 35 | } 36 | 37 | sp generateIMediaHTTPService() { 38 | sp mediaHTTPService = 39 | MyCreateHTTPServiceInCurrentJavaContext(); 40 | return IInterface::asBinder(mediaHTTPService); 41 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IMediaLogService.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | sp generateIMediaLogService() { 4 | sp mediaLog = new MediaLogService(); 5 | return IInterface::asBinder(mediaLog); 6 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IMediaPlayerClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct MediaPlayerClient : public BnMediaPlayerClient { 4 | MediaPlayerClient() : mEOS(false) {} 5 | 6 | virtual void notify(int msg, int ext1 __unused, int ext2 __unused, 7 | const Parcel *obj __unused) { 8 | Mutex::Autolock autoLock(mLock); 9 | 10 | if (msg == MEDIA_ERROR || msg == MEDIA_PLAYBACK_COMPLETE) { 11 | mEOS = true; 12 | mCondition.signal(); 13 | } 14 | } 15 | 16 | void waitForEOS() { 17 | Mutex::Autolock autoLock(mLock); 18 | while (!mEOS) { 19 | mCondition.wait(mLock); 20 | } 21 | } 22 | 23 | protected: 24 | virtual ~MediaPlayerClient() {} 25 | 26 | private: 27 | Mutex mLock; 28 | Condition mCondition; 29 | 30 | bool mEOS; 31 | 32 | DISALLOW_EVIL_CONSTRUCTORS(MediaPlayerClient); 33 | }; 34 | 35 | sp generateIMediaPlayerClient() { 36 | sp client = new MediaPlayerClient; 37 | return IInterface::asBinder(client); 38 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IMediaRecorderClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | sp generateIMediaRecorderClient() { 4 | String16 opPackageName(StringType::generatePackageName().c_str()); 5 | sp mediaRecorder = new MediaRecorder(opPackageName); 6 | return IInterface::asBinder(mediaRecorder); 7 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IOMX.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | sp generateIOMX() { 4 | OMXClient client; 5 | if (client.connect() != OK) { 6 | ALOGE("Failed to connect to OMX."); 7 | return NULL; 8 | } 9 | sp omx = client.interface(); 10 | return IInterface::asBinder(omx); 11 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/IPlayer.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | sp generateIPlayer() { 4 | sp player = new TrackPlayerBase(); 5 | return IInterface::asBinder(player); 6 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/ISoundTriggerClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | sp generateISoundTriggerClient() { 5 | // http://androidxref.com/9.0.0_r3/xref/frameworks/av/soundtrigger/SoundTrigger.cpp#127 6 | 7 | IntType intType("", "sound_trigger_module_handle_t"); 8 | sound_trigger_module_handle_t handle = 9 | (sound_trigger_module_handle_t)intType.generate(); 10 | FUZZER_LOGD("Generate sound_trigger_module_handle_t %d.", (int)handle); 11 | 12 | sp callback; 13 | sp trigger = SoundTrigger::attach(handle, callback); 14 | return IInterface::asBinder(trigger); 15 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/camera.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | 6 | using namespace std; 7 | 8 | sp mCamera = NULL; 9 | 10 | sp generateCamera() { 11 | String16 packageName(StringType::generatePackageName().c_str()); 12 | int32_t cameraNum = Camera::getNumberOfCameras(); 13 | int32_t mCameraIndex = (int32_t)randomUInt64(0, cameraNum - 1); 14 | FUZZER_LOGD("Camera num: %d, choose idx: %d.", cameraNum, mCameraIndex); 15 | mCamera = Camera::connect(mCameraIndex, packageName, Camera::USE_CALLING_UID, 16 | Camera::USE_CALLING_PID); 17 | return mCamera; 18 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/interface/interface.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | sp generateInterface(string interfaceName, string varName) { 4 | sp binder; 5 | if (interfaceName == "IAudioPolicyServiceClient") { 6 | binder = generateIAudioPolicyServiceClient(); 7 | } else if (interfaceName == "IStreamSource") { 8 | binder = generateIStreamSource(); 9 | } else if (interfaceName == "IMediaHTTPService") { 10 | binder = generateIMediaHTTPService(); 11 | } else if (interfaceName == "IMediaPlayerClient") { 12 | binder = generateIMediaPlayerClient(); 13 | } else if (interfaceName == "ISoundTriggerClient") { 14 | binder = generateISoundTriggerClient(); 15 | } else if (interfaceName == "IAAudioClient") { 16 | binder = generateIAAudioClient(); 17 | } else if (interfaceName == "IResourceManagerClient") { 18 | binder = generateIResourceManagerClient(); 19 | } else if (interfaceName == "IDrmServiceListener") { 20 | binder = generateIDrmServiceListener(); 21 | } else if (interfaceName == "IAudioFlingerClient") { 22 | binder = generateIAudioFlingerClient(); 23 | } else if (interfaceName == "IEffectClient") { 24 | binder = generateIEffectClient(); 25 | } else if (interfaceName == "IDrmClient") { 26 | binder = generateIDrmClient(); 27 | } else if (interfaceName == "IMediaRecorderClient") { 28 | binder = generateIMediaRecorderClient(); 29 | } else if (interfaceName == "ICameraRecordingProxy") { 30 | binder = generateICameraRecordingProxy(); 31 | } else if (interfaceName == "ICameraClient") { 32 | binder = generateCamera(); 33 | } else if (interfaceName == "ICameraDeviceCallbacks") { 34 | binder = generateICameraDeviceCallbacks(); 35 | } else if (interfaceName == "ICameraRecordingProxyListener") { 36 | binder = generateICameraRecordingProxyListener(); 37 | } else if (interfaceName == "ICamera") { 38 | binder = generateICamera(); 39 | } else if (interfaceName == "IGraphicBufferProducer") { 40 | binder = generateIGraphicBufferProducer(); 41 | } else if (interfaceName == "IAppOpsCallback") { 42 | binder = generateIAppOpsCallback(); 43 | } else if (interfaceName == "IRemoteDisplayClient") { 44 | FUZZER_LOGI("Remote display client is no longer supported."); 45 | binder = NULL; 46 | } else if (interfaceName == "ICameraServiceListener") { 47 | FUZZER_LOGI("ICameraServiceListener is not supported now."); 48 | binder = NULL; 49 | } else if (interfaceName == "IGraphicBufferConsumer") { 50 | binder = generateIGraphicBufferConsumer(); 51 | } else if (interfaceName == "IPlayer") { 52 | binder = generateIPlayer(); 53 | } else if (interfaceName == "IOMX") { 54 | binder = generateIOMX(); 55 | } else if (interfaceName == "IInterfaceEventCallback") { 56 | binder = generateIInterfaceEventCallback(); 57 | // } else if (interfaceName == "IIncidentReportStatusListener") { 58 | // binder = generateIIncidentReportStatusListener(); 59 | } else if (interfaceName == "IBinder" && varName == "display") { 60 | binder = generateIDisplay(); 61 | } else if (interfaceName == "IBinder") { 62 | binder = new BBinder(); 63 | } else { 64 | binder = NULL; 65 | FUZZER_LOGI("Manaual generation of interface %s hasn't been supported.", 66 | interfaceName.c_str()); 67 | } 68 | return binder; 69 | } 70 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | char *targetInterface = NULL; 14 | char *targetTransaction = NULL; 15 | 16 | void init(char *svcDir, char *structDir) { 17 | loadServiceInfo(svcDir, targetInterface, targetTransaction); 18 | loadStructureInfo(structDir); 19 | loadUnionInfo((char *)UNION_INFO_DIR); 20 | initEnumInfo((char *)ENUMERATION_INFO_DIR); 21 | loadFunctionInfo((char *)FUNCTION_INFO_DIR); 22 | 23 | initPackageNameList(); 24 | initPermissionNameList(); 25 | initMediaUrlList(); 26 | 27 | initFDPool(); 28 | initVarTypeMap(); 29 | 30 | initCodecInfo(); 31 | init_jvm(&vm, &env); 32 | } 33 | void startFuzzing() { 34 | FUZZER_LOGI("Start fuzzing..."); 35 | Generator gen; 36 | Executor executor; 37 | status_t ret; 38 | // string stop = "Y"; 39 | while (true) { 40 | FUZZER_LOGI( 41 | "-------------------------------------------------------------------"); 42 | Transaction tx = gen.generateTx(); 43 | ret = executor.run(tx); 44 | // sleep(1); 45 | // if (stop == "Y") { 46 | // cin >> stop; 47 | // } 48 | FUZZER_LOGI( 49 | "-------------------------------------------------------------------"); 50 | } 51 | } 52 | 53 | int main(int argc, char *argv[]) { 54 | 55 | setvbuf(stdin, NULL, _IONBF, 0); 56 | setvbuf(stdout, NULL, _IONBF, 0); 57 | 58 | const char *optstring = ""; 59 | static struct option long_options[] = { 60 | {"log_level", required_argument, NULL, 'l'}, 61 | {"interface", required_argument, NULL, 'i'}, 62 | {"transaction", required_argument, NULL, 't'}, 63 | {"help", no_argument, NULL, 'h'}, 64 | {0, 0, 0, 0}}; 65 | int opt; 66 | int option_index = 0; 67 | while ((opt = getopt_long(argc, argv, optstring, long_options, 68 | &option_index)) != -1) { 69 | switch (opt) { 70 | case 'l': { 71 | printf("Set log level : %s.\n", optarg); 72 | if (!strncmp(optarg, "info", 4)) { 73 | logLevel = INFO_LEVEL; 74 | } else if (!strncmp(optarg, "debug", 5)) { 75 | logLevel = DEBUG_LEVEL; 76 | } else if (!strncmp(optarg, "error", 5)) { 77 | logLevel = ERROR_LEVEL; 78 | } else { 79 | FUZZER_LOGI("Unknown log option %s.", optarg); 80 | exit(0); 81 | } 82 | break; 83 | } 84 | case 'i': { 85 | printf("Set target interface : %s.\n", optarg); 86 | targetInterface = optarg; 87 | break; 88 | } 89 | case 't': { 90 | printf("Set target transaction: %s.\n", optarg); 91 | targetTransaction = optarg; 92 | break; 93 | } 94 | case '?': 95 | case 'h': { 96 | char *help = 97 | (char *)"Usage: ./native_service_fuzzer [OPTION]\n" 98 | "\n" 99 | " --log_level specify the log level of fuzzer\n" 100 | " --interface specify the target interface to " 101 | "fuzz\n" 102 | " --transaction specify the target transaction to " 103 | "fuzz\n" 104 | " --help help manual\n"; 105 | printf("%s", help); 106 | exit(0); 107 | } 108 | default: 109 | abort(); 110 | } 111 | } 112 | if (targetInterface && targetTransaction) { 113 | FUZZER_LOGE( 114 | "Can not specify interface and transaction options at the same time."); 115 | exit(0); 116 | } 117 | init((char *)FUZZER_PATH "model/service/", 118 | (char *)FUZZER_PATH "model/structure/"); 119 | 120 | // testIsCryptoSchemeSupported(); 121 | // testIsCryptoSchemeSupportedForMimeType(); 122 | // testOpenSeesion(); 123 | // testCloseSession(); 124 | startFuzzing(); 125 | return 0; 126 | } 127 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/test/test.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | using namespace std; 15 | 16 | void testRun(Transaction &tx) { 17 | Executor executor; 18 | status_t ret; 19 | ParcelReaderWriter parcelReaderWriter(tx.info["data"], tx.variable, tx.loop, 20 | tx.constraint); 21 | parcelReaderWriter.initTxWrite(&tx); 22 | parcelReaderWriter.start(); 23 | tx.flags = 0; // sync 24 | ret = executor.run(tx); 25 | return; 26 | } 27 | 28 | void testIsCryptoSchemeSupported() { 29 | string txName = "ICrypto::2-2"; 30 | Json::Value &txMeta = svcInfo[txName]; 31 | uint32_t possIdx = 1; 32 | Transaction tx(txName, txMeta, possIdx); 33 | testRun(tx); 34 | cout << "dataSize: " << tx.reply.dataSize() << endl; 35 | cout << "dataAvail: " << tx.reply.dataAvail() << endl; 36 | int32_t supported = tx.reply.readInt32(); 37 | cout << "isCryptoSchemeSupported:" << supported << endl; 38 | return; 39 | } 40 | /*IDrm*/ 41 | void testIsCryptoSchemeSupportedForMimeType() { 42 | string txName = "IDrm::2-2"; 43 | Json::Value &txMeta = svcInfo[txName]; 44 | uint32_t possIdx = 1; 45 | Transaction tx(txName, txMeta, possIdx); 46 | testRun(tx); 47 | cout << "dataSize: " << tx.reply.dataSize() << endl; 48 | cout << "dataAvail: " << tx.reply.dataAvail() << endl; 49 | int32_t supported = tx.reply.readInt32(); 50 | cout << "isCryptoSchemeSupported:" << supported << endl; 51 | return; 52 | } 53 | 54 | void testOpenSeesion() { 55 | string txName = "IDrm::3-3"; 56 | uint32_t possIdx = 1; 57 | Transaction tx_pre(txName, svcInfo[txName], possIdx); 58 | testRun(tx_pre); 59 | int32_t createStatus = tx_pre.reply.readInt32(); 60 | cout << "status of createPlugin:" << createStatus << endl; 61 | 62 | txName = "IDrm::5-5"; 63 | possIdx = 1; 64 | Transaction tx(txName, svcInfo[txName], possIdx); 65 | testRun(tx); 66 | cout << "dataSize: " << tx.reply.dataSize() << endl; 67 | cout << "dataAvail: " << tx.reply.dataAvail() << endl; 68 | vector buffer; 69 | tx.reply.readByteVector(&buffer); 70 | FUZZER_LOGD("Array size: %lu", buffer.size()); 71 | string result = ""; 72 | for (auto i : buffer) { 73 | result += to_string(i) + " "; 74 | } 75 | FUZZER_LOGD("Array content: %s", result.c_str()); 76 | int32_t status = tx.reply.readInt32(); 77 | cout << "status of openSession:" << status << endl; 78 | return; 79 | } 80 | void testCloseSession() { 81 | string txName = "IDrm::3-3"; 82 | uint32_t possIdx = 1; 83 | Transaction tx_pre(txName, svcInfo[txName], possIdx); 84 | testRun(tx_pre); 85 | 86 | txName = "IDrm::6-6"; 87 | possIdx = 1; 88 | Transaction tx(txName, svcInfo[txName], possIdx); 89 | testRun(tx); 90 | cout << "dataSize: " << tx.reply.dataSize() << endl; 91 | cout << "dataAvail: " << tx.reply.dataAvail() << endl; 92 | int32_t status = tx.reply.readInt32(); 93 | cout << "status of closeSession:" << status << endl; 94 | return; 95 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/transaction.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using namespace std; 11 | map usedTxs; 12 | 13 | Transaction::Transaction() {} 14 | Transaction::Transaction(const Transaction &) {} 15 | Transaction::Transaction(string &txName, Json::Value &txMeta, 16 | uint32_t &possIdx) { 17 | FUZZER_LOGI("Start initing the Transaction."); 18 | this->txName = txName; 19 | // record used txs 20 | usedTxs[txName] = true; 21 | serviceName = txMeta["serviceName"].asString(); 22 | interfaceName = txMeta["interfaceName"].asString(); 23 | interfaceToken = txMeta["interfaceToken"].asString(); 24 | uint32_t codeIdx = randomUInt64(0, txMeta["code"].size() - 1); 25 | code = txMeta["code"][codeIdx].asUInt(); 26 | info = txMeta["possibility"][possIdx]; 27 | dependency = txMeta["dependency"]; 28 | variable = txMeta["variable"]; 29 | loop = txMeta["loop"]; 30 | constraint = txMeta["constraint"]; 31 | flags = 1; // default async 32 | FUZZER_LOGD("Basic info about this transaction:"); 33 | FUZZER_LOGD(" txName %s", txName.c_str()); 34 | FUZZER_LOGD(" serviceName %s", serviceName.c_str()); 35 | FUZZER_LOGD(" interfaceName %s", interfaceName.c_str()); 36 | FUZZER_LOGD(" interfaceToken %s", interfaceToken.c_str()); 37 | FUZZER_LOGD(" Code %lu", code); 38 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/binder_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | using namespace std; 12 | 13 | sp BinderType::generate() { 14 | sp binder; 15 | // Using the valid interface with a large probability 16 | if (IntType::nOutOf(7, 10)) { 17 | binder = generateInterface(interfaceName, varName); 18 | if (binder == NULL) { 19 | FUZZER_LOGI( 20 | "Failed to generate interface manually, so we use simple binder."); 21 | binder = new BBinder(); 22 | } else { 23 | FUZZER_LOGD("Manually generate interface successfully."); 24 | } 25 | } else { 26 | // may be we can trigger NULL Pointer dereference? 27 | binder = NULL; 28 | } 29 | return binder; 30 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/blob_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void BlobType::generate() { 8 | int32_t blobType; 9 | 10 | if (blobSize <= 16 * 1024) { 11 | blobType = 0; 12 | } else { 13 | blobType = randomUInt64(1, 2); 14 | } 15 | parcelReaderWriter->data->writeInt32(blobType); 16 | if (blobType == 0) { 17 | // http://androidxref.com/9.0.0_r3/xref/frameworks/native/libs/binder/Parcel.cpp#2269 18 | FUZZER_LOGD("Generating blob inplace."); 19 | 20 | FUZZER_LOGD("Blob size is %lu.", blobSize); 21 | vector tmp; 22 | 23 | for (uint32_t i = 0; i < blobSize && i < 16 * 1024; ++i) { 24 | tmp.push_back((int8_t)randomUInt64(0, 255)); 25 | } 26 | parcelReaderWriter->data->write(tmp.data(), blobSize); 27 | } else { 28 | FUZZER_LOGD("Generating FileDescriptor in blob."); 29 | // TODO: fd means that size is larger than BLOB_INPLACE_LIMIT=16*1024 30 | FDType fdType("in", "int"); 31 | int32_t fd = fdType.generate(); 32 | parcelReaderWriter->data->writeFileDescriptor(fd); 33 | } 34 | } 35 | 36 | void BlobType::read() { 37 | Parcel::ReadableBlob blob; 38 | parcelReaderWriter->reply->readBlob(blobSize, &blob); 39 | if (parcelReaderWriter->isDependency) { 40 | if (blobSize > 16 * 1024) { 41 | FUZZER_LOGE("Blob size is larger than 16*1024, it is not implemented."); 42 | exit(0); 43 | } else { 44 | parcelReaderWriter->targetParcel->write(blob.data(), blobSize); 45 | } 46 | } 47 | blob.release(); 48 | } 49 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/bool_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | #include 5 | #include 6 | using namespace std; 7 | 8 | bool BoolType::generate() { 9 | 10 | // consider specific semantic meaning 11 | 12 | // random bool; 13 | value = (bool)randomUInt64(0, 1); 14 | 15 | return value; 16 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/double_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | using namespace std; 6 | 7 | double DoubleType::generate() { 8 | // consider specific semantic meaning 9 | 10 | // random Double 11 | value = randomDouble(__DBL_MIN__, __DBL_MAX__); 12 | return value; 13 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/enum_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | using namespace std; 12 | map> enumInfo; 13 | 14 | int64_t randomEnum(string varType) { 15 | FUZZER_LOGD("Generaing enum type: %s.", varType.c_str()); 16 | 17 | if (enumInfo.count(varType) == 0) { 18 | // for those typedef enum.. 19 | if (enumInfo.count("enum " + varType) != 0) { 20 | varType = "enum " + varType; 21 | } else { 22 | FUZZER_LOGE("Unexpected enum %s meeted.", varType.c_str()); 23 | exit(0); 24 | } 25 | } 26 | int32_t size = enumInfo[varType].size(); 27 | if (size == 0) { 28 | return randomUInt64(0, UINT64_MAX); 29 | } else { 30 | int64_t idx = randomUInt64(0, size - 1); 31 | return enumInfo[varType][idx]; 32 | } 33 | } 34 | 35 | void initEnumInfo(char *enumInfoDir) { 36 | struct stat s; 37 | lstat(enumInfoDir, &s); 38 | if (!S_ISDIR(s.st_mode)) { 39 | FUZZER_LOGE("%s is not a valid directory!", enumInfoDir); 40 | exit(0); 41 | } 42 | dirent *filename; 43 | DIR *dir; 44 | dir = opendir(enumInfoDir); 45 | if (NULL == dir) { 46 | FUZZER_LOGE("Can not open dir %s!", enumInfoDir); 47 | exit(0); 48 | } 49 | FUZZER_LOGI("Successfully opened %s.", enumInfoDir); 50 | int64_t value; 51 | while ((filename = readdir(dir)) != NULL) { 52 | FUZZER_LOGD("filename: %s", filename->d_name); 53 | if (strcmp(filename->d_name, ".") == 0 || 54 | strcmp(filename->d_name, "..") == 0 || 55 | strcmp(filename->d_name, "enum minikin::Bidi") == 0) { 56 | continue; 57 | } else { 58 | string filepath = enumInfoDir; 59 | string enumType = filename->d_name; 60 | filepath += enumType; 61 | ifstream ifs(filepath.c_str()); 62 | string promotionType; 63 | getline(ifs, promotionType); 64 | if (promotionType == "int32_t" || promotionType == "int" || 65 | promotionType == "std::int32_t") { 66 | varTypeMap[enumType] = INT32_TYPE; 67 | } else if (promotionType == "unsigned int" || 68 | promotionType == "uint32_t" || promotionType == "size_t") { 69 | // TODO: promotionType is size_t, it is very interestring.. 70 | varTypeMap[enumType] = UINT32_TYPE; 71 | } else if (promotionType == "uint64_t" || 72 | promotionType == "unsigned long long" || 73 | promotionType == "__u64" || promotionType == "unsigned long") { 74 | varTypeMap[enumType] = UINT64_TYPE; 75 | } else if (promotionType == "int64_t" || promotionType == "long long" || 76 | promotionType == "long") { 77 | varTypeMap[enumType] = INT64_TYPE; 78 | } else if (promotionType.find("dependent") != string::npos) { 79 | varTypeMap[enumType] = INT64_TYPE; 80 | } else if (promotionType == "uint8_t" || 81 | promotionType == "unsigned char") { 82 | varTypeMap[enumType] = UINT8_TYPE; 83 | } else if (promotionType == "char") { 84 | varTypeMap[enumType] = INT8_TYPE; 85 | } else if (promotionType == "uint16_t") { 86 | varTypeMap[enumType] = UINT16_TYPE; 87 | } else if (promotionType == "android::vintf::RuntimeInfo::FetchFlags") { 88 | varTypeMap[enumType] = UINT32_TYPE; 89 | } else if (promotionType == "google::protobuf::internal::AtomicWord") { 90 | varTypeMap[enumType] = INT32_TYPE; 91 | } else { 92 | FUZZER_LOGE("PromotionType %s is unknown..", promotionType.c_str()); 93 | continue; 94 | // exit(0); 95 | } 96 | int32_t dependent = 0; 97 | while (!ifs.eof()) { 98 | ifs >> value; 99 | if (promotionType.find("dependent") != string::npos) { 100 | enumInfo[enumType].push_back(dependent); 101 | dependent += 1; 102 | } else { 103 | enumInfo[enumType].push_back(value); 104 | } 105 | } 106 | ifs.close(); 107 | } 108 | } 109 | } 110 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/file_descriptor_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | map apkFDPool; 18 | map mediaFDPool; 19 | map miscFDPool; 20 | int32_t FDType::generateRandomFD(map &FDPool) { 21 | if (FDPool.size() == 0) { 22 | FUZZER_LOGE("The FDPool is empty."); 23 | exit(0); 24 | } else { 25 | map::iterator it = FDPool.begin(); 26 | uint64_t r = randomUInt64(0, (uint64_t)FDPool.size() - 1); 27 | std::advance(it, r); 28 | FUZZER_LOGI("Used file: %s, FD: %d.", it->first.c_str(), it->second); 29 | return it->second; 30 | } 31 | } 32 | int32_t FDType::generate() { 33 | if (varName == "in" || varName == "out" || varName == "err") { 34 | return generateRandomFD(miscFDPool); 35 | } else { 36 | if (IntType::nOutOf(7, 10)) { 37 | return generateRandomFD(mediaFDPool); 38 | } else { 39 | return generateRandomFD(miscFDPool); 40 | } 41 | } 42 | } 43 | 44 | void _initFDPool(char *dirpath, map &FDPool) { 45 | struct stat s; 46 | lstat(dirpath, &s); 47 | if (!S_ISDIR(s.st_mode)) { 48 | FUZZER_LOGE("%s is not a valid directory!", dirpath); 49 | exit(0); 50 | } 51 | dirent *filename; 52 | DIR *dir; 53 | dir = opendir(dirpath); 54 | if (NULL == dir) { 55 | FUZZER_LOGE("Can not open dir %s!", dirpath); 56 | exit(0); 57 | } 58 | FUZZER_LOGI("Successfully opened %s.", dirpath); 59 | spaceNum += 2; 60 | while ((filename = readdir(dir)) != NULL) { 61 | if (strcmp(filename->d_name, ".") == 0 || 62 | strcmp(filename->d_name, "..") == 0) { 63 | continue; 64 | } else { 65 | string filepath = dirpath; 66 | filepath += filename->d_name; 67 | int fd = open(filepath.c_str(), O_RDWR); 68 | FDPool[filepath] = fd; 69 | FUZZER_LOGD("filepath: %s, FD: %d.", filepath.c_str(), fd); 70 | } 71 | } 72 | spaceNum -= 2; 73 | FUZZER_LOGI(""); 74 | } 75 | 76 | void initFDPool() { 77 | _initFDPool((char *)MEDIA_FILE_SEED_PATH, mediaFDPool); 78 | _initFDPool((char *)APK_FILE_SEED_PATH, apkFDPool); 79 | _initFDPool((char *)MISC_FILE_SEED_PATH, miscFDPool); 80 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/float_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | using namespace std; 6 | 7 | float FloatType::generate() { 8 | // consider specific semantic meaning 9 | 10 | // random float; 11 | value = randomFloat(__FLT_MIN__, __FLT_MAX__); 12 | return value; 13 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/function_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | map functionInfo; 13 | 14 | void FunctionType::initArgv(ParcelReaderWriter *parcelReaderWriter) { 15 | Json::Value parentArg, arg; 16 | string parentArgName, parentArgType, argName, argType; 17 | FUZZER_LOGD("Start initing function argv.") 18 | for (uint32_t i = 0; i < parentArgv.size(); ++i) { 19 | FUZZER_LOGD("Current argv idx %d.", i); 20 | parentArg = parentArgv[i]; 21 | parentArgName = parentArg["name"].asString(); 22 | parentArgType = parentArg["type"].asString(); 23 | arg = argv[i]; 24 | argName = arg["name"].asString(); 25 | argType = arg["type"].asString(); 26 | if (parentArgType.find("android::Parcel") != string::npos) { 27 | FUZZER_LOGD("We do not init android::Parcel from parent argv."); 28 | continue; 29 | } else if (parentArgType.find("*") != string::npos) { 30 | FUZZER_LOGD("We do not init pointer from parent argv."); 31 | continue; 32 | } else if (parentArgType.find("<") != string::npos) { 33 | FUZZER_LOGD("We do not init strong pointer or vector from parent argv."); 34 | continue; 35 | } else if (parentArgType == "android::status_t") { 36 | FUZZER_LOGD("We do not init android::status_t from parent argv."); 37 | continue; 38 | } else if (parentArgType == "_Bool") { 39 | bool value = parentParcelReaderWriter->getVarValue(parentArgName); 40 | parcelReaderWriter->storeValue(argName, value); 41 | } else if (parentArgType == "int") { 42 | int value = parentParcelReaderWriter->getVarValue(parentArgName); 43 | parcelReaderWriter->storeValue(argName, value); 44 | } else if (parentArgType == 45 | "struct android::hardware::hidl_vec") { 46 | FUZZER_LOGD( 47 | "Now we do not consider struct android::hardware::hidl_vec when initing arguments."); 49 | } else { 50 | FUZZER_LOGE("Variable type %s is not supported now in initArgv.", 51 | parentArgType.c_str()); 52 | exit(0); 53 | } 54 | } 55 | if (parentArgv.size() < argv.size()) { 56 | FUZZER_LOGI("Function %s has default value.", funcName.c_str()); 57 | if (funcName == "keystore::readKeymasterBlob") { 58 | // this function's second argv can be default value, i.e., true 59 | argName = argv[1]["name"].asString(); 60 | parcelReaderWriter->storeValue(argName, true); 61 | } else { 62 | FUZZER_LOGE("Function %s is not well supported for default value.", 63 | funcName.c_str()); 64 | exit(0); 65 | } 66 | } 67 | FUZZER_LOGD("Finish initing function argv.") 68 | } 69 | 70 | void FunctionType::generate() { 71 | ParcelReaderWriter parcelReaderWriter(info["data"], variable, loop, 72 | constraint); 73 | parcelReaderWriter.initFunctionWrite(parentParcelReaderWriter->data); 74 | initArgv(&parcelReaderWriter); 75 | parcelReaderWriter.start(); 76 | } 77 | 78 | void FunctionType::read() { 79 | ParcelReaderWriter parcelReaderWriter(info["reply"], variable, loop, 80 | constraint); 81 | parcelReaderWriter.initFunctionRead(parentParcelReaderWriter->reply); 82 | initArgv(&parcelReaderWriter); 83 | if (parentParcelReaderWriter->isDependency) { 84 | parcelReaderWriter.isDependency = parentParcelReaderWriter->isDependency; 85 | parcelReaderWriter.targetParcel = parentParcelReaderWriter->targetParcel; 86 | } 87 | parcelReaderWriter.start(); 88 | } 89 | 90 | void loadFunctionInfo(char *functionInfoDir) { 91 | FUZZER_LOGI("----------------------- Start loading function info. " 92 | "-----------------------"); 93 | loadJsonInfo(functionInfoDir, functionInfo); 94 | FUZZER_LOGI("----------------------- Finish loading function info. " 95 | "-----------------------\n"); 96 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/int_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | using namespace std; 4 | 5 | const uint64_t specialInts[specIntsLen] = {0ULL, 6 | 1ULL, 7 | 2ULL, 8 | 31ULL, 9 | 32ULL, 10 | 33ULL, 11 | 63ULL, 12 | 64ULL, 13 | 65ULL, 14 | 127ULL, 15 | 128ULL, 16 | 129ULL, 17 | 255ULL, 18 | 256ULL, 19 | 257ULL, 20 | 511ULL, 21 | 512ULL, 22 | 1023ULL, 23 | 1024ULL, 24 | 1025ULL, 25 | 2047ULL, 26 | 2048ULL, 27 | 2049ULL, 28 | 4095ULL, 29 | 4096ULL, 30 | 4097ULL, 31 | (1ULL << 15) - 1, 32 | (1ULL << 15), 33 | (1ULL << 15) + 1, 34 | (1ULL << 16) - 1, 35 | (1ULL << 16), 36 | (1ULL << 16) + 1, 37 | (1ULL << 31) - 1, 38 | (1ULL << 31), 39 | (1ULL << 31) + 1, 40 | (1ULL << 32) - 1, 41 | (1ULL << 32), 42 | (1ULL << 32) + 1, 43 | (1ULL << 63) - 1, 44 | (1ULL << 63), 45 | (1ULL << 63) + 1, 46 | 0xFFFFFFFFFFFFFFFFULL}; 47 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/types.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | map varTypeMap; 4 | 5 | void initVarTypeMap() { 6 | 7 | varTypeMap["IntegerLiteral"] = INTEGER_LITERAL; 8 | // int8 9 | varTypeMap["char"] = INT8_TYPE; 10 | varTypeMap["unsigned char"] = UINT8_TYPE; 11 | // int16 12 | varTypeMap["short"] = INT16_TYPE; 13 | varTypeMap["unsigned short"] = UINT16_TYPE; 14 | // int32 15 | varTypeMap["int"] = INT32_TYPE; 16 | varTypeMap["int32_t"] = INT32_TYPE; 17 | varTypeMap["::android::status_t"] = INT32_TYPE; 18 | 19 | // uint32 20 | varTypeMap["uint32_t"] = UINT32_TYPE; 21 | varTypeMap["unsigned int"] = UINT32_TYPE; 22 | 23 | // int64 24 | varTypeMap["const int64_t"] = INT64_TYPE; 25 | varTypeMap["int64_t"] = INT64_TYPE; 26 | varTypeMap["long"] = INT64_TYPE; 27 | varTypeMap["long long"] = INT64_TYPE; 28 | 29 | // uint64 30 | varTypeMap["uint64_t"] = UINT64_TYPE; 31 | varTypeMap["unsigned long"] = UINT64_TYPE; 32 | varTypeMap["unsigned long long"] = UINT64_TYPE; 33 | 34 | // float 35 | varTypeMap["float"] = FLOAT_TYPE; 36 | varTypeMap["FloatingLiteral"] = FLOAT_TYPE; 37 | varTypeMap["class android::half"] = FLOAT_TYPE; 38 | 39 | // double 40 | varTypeMap["double"] = DOUBLE_TYPE; 41 | 42 | // STRING16 43 | varTypeMap["android::String16"] = STRING16_TYPE; 44 | varTypeMap["class android::String16"] = STRING16_TYPE; 45 | // here we consider the following types as String16. 46 | varTypeMap["char16_t *"] = STRING16_TYPE; 47 | 48 | // STRING8 49 | varTypeMap["android::String8"] = STRING8_TYPE; 50 | varTypeMap["class android::String8"] = STRING8_TYPE; 51 | varTypeMap["const class android::String8"] = STRING8_TYPE; 52 | 53 | // STRING 54 | varTypeMap["string"] = CSTRING_TYPE; 55 | varTypeMap["std::string"] = CSTRING_TYPE; 56 | 57 | // when dealing with variable of these types, we consider the type of them as 58 | // CSTRING. 59 | varTypeMap["char *"] = CSTRING_TYPE; 60 | varTypeMap["const char *"] = CSTRING_TYPE; 61 | varTypeMap["unsigned char *"] = CSTRING_TYPE; 62 | 63 | varTypeMap["FileDescriptor"] = FILE_DESCRIPTOR_TYPE; 64 | 65 | // BOOL 66 | varTypeMap["_Bool"] = BOOL_TYPE; 67 | varTypeMap["bool"] = BOOL_TYPE; 68 | 69 | // FILE_DESCRIPTOR 70 | varTypeMap["FileDescriptor"] = FILE_DESCRIPTOR_TYPE; 71 | 72 | varTypeMap["Function"] = FUNCTION_TYPE; 73 | varTypeMap["class android::Parcel::Blob"] = BLOB_TYPE; 74 | 75 | ifstream in((char *)TYPE_MAP_PATH); 76 | if (!in.is_open()) { 77 | FUZZER_LOGE("Error opening type map file."); 78 | exit(0); 79 | } 80 | FUZZER_LOGI("----------------------- Start loading type map. " 81 | "-----------------------"); 82 | string tmp; 83 | while (!in.eof()) { 84 | getline(in, tmp); 85 | if (tmp == "") { 86 | continue; 87 | } 88 | uint32_t plus = tmp.find("+"); 89 | string type = tmp.substr(0, plus); 90 | string under = tmp.substr(plus + 1, tmp.length() - plus - 1); 91 | FUZZER_LOGD("type: %s, under: %s", type.c_str(), under.c_str()); 92 | // only consider when var type is not recorded. 93 | if (varTypeMap.count(type) == 0) { 94 | if (varTypeMap.count(under) != 0) { 95 | varTypeMap[type] = varTypeMap[under]; 96 | } 97 | } 98 | } 99 | in.close(); 100 | FUZZER_LOGI("----------------------- Finish loading type map. " 101 | "-----------------------\n"); 102 | } 103 | VarType getVarTypeEnum(string varType) { 104 | if (varTypeMap.count(varType) != 0) { 105 | return varTypeMap[varType]; 106 | } else if (varType.find("vector<") != string::npos || 107 | varType.find("Vector<") != string::npos || 108 | varType.find("[") != string::npos || 109 | varType.find("*") != string::npos) { 110 | return ARRAY_TYPE; 111 | } else if (varType.find("sp<") != string::npos && 112 | varType.find("::I") != string::npos) { 113 | return STRONG_BINDER_TYPE; 114 | } else { 115 | FUZZER_LOGE("Unexpected variable type %s meeted.", varType.c_str()); 116 | exit(0); 117 | } 118 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/types/union_type.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | map unionInfo; 15 | 16 | void UnionType::initUnion(const Json::Value &uInfo) { 17 | info = uInfo["possibility"][0]; 18 | variable = uInfo["variable"]; 19 | loop = uInfo["loop"]; 20 | constraint = uInfo["constraint"]; 21 | } 22 | 23 | void UnionType::generateRaw(vector *rawData) { 24 | FUZZER_LOGD("Random generate raw union."); 25 | ParcelReaderWriter parcelReaderWriter(info["data"], variable, loop, 26 | constraint); 27 | parcelReaderWriter.initRawStructWrite(parentParcelReaderWriter->data, 28 | rawData); 29 | uint32_t varIdx = randomUInt64(0, info["data"].size() - 1); 30 | parcelReaderWriter.readWriteItem(varIdx); 31 | } 32 | 33 | void loadUnionInfo(char *unionInfoDir) { 34 | FUZZER_LOGI("----------------------- Start loading union info. " 35 | "-----------------------") 36 | loadJsonInfo(unionInfoDir, unionInfo); 37 | for (auto &item : unionInfo) { 38 | varTypeMap[item.first] = UNION_TYPE; 39 | } 40 | 41 | FUZZER_LOGI("----------------------- Finish loading union info. " 42 | "-----------------------\n"); 43 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/utils/java_vm.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | JavaVM *vm = NULL; 4 | JNIEnv *env = NULL; 5 | int init_jvm(JavaVM **p_vm, JNIEnv **p_env) { 6 | 7 | JavaVMOption opt[4]; 8 | 9 | opt[0].optionString = "-verbose:jni"; 10 | opt[1].optionString = "-verbose:gc"; 11 | opt[2].optionString = "-Xcheck:jni"; 12 | opt[3].optionString = "-Xdebug"; 13 | JavaVMInitArgs args; 14 | args.version = JNI_VERSION_1_6; 15 | args.options = opt; 16 | args.nOptions = 1; 17 | args.ignoreUnrecognized = JNI_FALSE; 18 | 19 | // TODO: Should this just link against libnativehelper and use its 20 | // JNI_CreateJavaVM wrapper that essential does this dlopen/dlsym 21 | // work based on the current system default runtime? 22 | void *libart_dso = dlopen("libart.so", RTLD_NOW); 23 | void *libandroid_runtime_dso = dlopen("libandroid_runtime.so", RTLD_NOW); 24 | 25 | if (!libart_dso || !libandroid_runtime_dso) { 26 | return -1; 27 | } 28 | 29 | JNI_CreateJavaVM_t JNI_CreateJavaVM; 30 | JNI_CreateJavaVM = (JNI_CreateJavaVM_t)dlsym(libart_dso, "JNI_CreateJavaVM"); 31 | if (!JNI_CreateJavaVM) { 32 | return -2; 33 | } 34 | registerNatives_t registerNatives; 35 | registerNatives = (registerNatives_t)dlsym( 36 | libandroid_runtime_dso, 37 | "Java_com_android_internal_util_WithFramework_registerNatives"); 38 | if (!registerNatives) { 39 | // Attempt non-legacy version 40 | registerNatives = (registerNatives_t)dlsym(libandroid_runtime_dso, 41 | "registerFrameworkNatives"); 42 | if (!registerNatives) { 43 | return -3; 44 | } 45 | } 46 | if (JNI_CreateJavaVM(&(*p_vm), &(*p_env), &args)) { 47 | return -4; 48 | } 49 | if (registerNatives(*p_env, 0)) { 50 | return -5; 51 | } 52 | FUZZER_LOGD( 53 | " [+] Java Virtual Machine Initialization success (vm=%p, env=%p).\n", 54 | *p_vm, *p_env); 55 | return 0; 56 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/utils/log.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | int spaceNum = 0; 3 | LOG_LEVEL logLevel = INFO_LEVEL; -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/utils/mythread.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | void thread_exit_handler(int sig) { 4 | // printf("this signal is %d \n", sig); 5 | pthread_exit(0); 6 | } 7 | void my_thread_init() { 8 | struct sigaction actions; 9 | memset(&actions, 0, sizeof(actions)); 10 | sigemptyset(&actions.sa_mask); 11 | actions.sa_flags = 0; 12 | actions.sa_handler = thread_exit_handler; 13 | sigaction(SIGUSR1, &actions, NULL); 14 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/utils/random.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | using namespace std; 4 | /** 5 | * @brief return a random int64 between [min,max]. 6 | * 7 | * @param min 8 | * @param max 9 | * @return uint64_t 10 | */ 11 | uint64_t randomUInt64(uint64_t min, uint64_t max) { 12 | random_device rd; 13 | mt19937_64 e(rd()); 14 | uniform_int_distribution u(min, max); 15 | return u(e); 16 | } 17 | 18 | float randomFloat(float min, float max) { 19 | random_device rd; 20 | mt19937_64 e(rd()); 21 | uniform_real_distribution u(min, max); 22 | return u(e); 23 | } 24 | 25 | double randomDouble(double min, double max) { 26 | random_device rd; 27 | mt19937_64 e(rd()); 28 | uniform_real_distribution u(min, max); 29 | return u(e); 30 | } -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/src/utils/util.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | void loadJsonInfo(const char *infoDir, map &info) { 3 | Json::Value root; 4 | Json::Reader reader; 5 | struct stat s; 6 | lstat(infoDir, &s); 7 | if (!S_ISDIR(s.st_mode)) { 8 | FUZZER_LOGE("%s is not a valid directory!", infoDir); 9 | exit(0); 10 | } 11 | dirent *filename; 12 | DIR *dir; 13 | dir = opendir(infoDir); 14 | if (NULL == dir) { 15 | FUZZER_LOGE("Can not open dir %s!", infoDir); 16 | exit(0); 17 | } 18 | FUZZER_LOGI("Successfully opened %s.", infoDir); 19 | spaceNum += 2; 20 | while ((filename = readdir(dir)) != NULL) { 21 | FUZZER_LOGD("filename: %s", filename->d_name) 22 | if (strcmp(filename->d_name, ".") == 0 || 23 | strcmp(filename->d_name, "..") == 0) { 24 | continue; 25 | } else { 26 | string filepath = ""; 27 | filepath = infoDir; 28 | filepath += filename->d_name; 29 | ifstream ifs(filepath.c_str()); 30 | reader.parse(ifs, root); 31 | for (Json::Value::iterator it = root.begin(); it != root.end(); ++it) { 32 | FUZZER_LOGD("key %s", it.key().asCString()); 33 | info[it.key().asString()] = *it; 34 | } 35 | } 36 | FUZZER_LOGD(""); 37 | } 38 | spaceNum -= 2; 39 | } 40 | -------------------------------------------------------------------------------- /fuzzer-engine/fuzzer/version-script.txt: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | EnsureFrontOfChain; 4 | AddSpecialSignalHandlerFn; 5 | RemoveSpecialSignalHandlerFn; 6 | sigaction; 7 | sigaction64; 8 | signal; 9 | sigprocmask; 10 | sigprocmask64; 11 | local: 12 | *; 13 | }; -------------------------------------------------------------------------------- /fuzzer-engine/manager/flash.template.cfg: -------------------------------------------------------------------------------- 1 | { 2 | "factory_image_path":"/path/to/factory/image", 3 | "original_image_path":"/path/to/aosp", 4 | "sanitizer_image_path":"/path/to/aosp_asan", 5 | "twrp_img_path":"/path/to/twrp/img", 6 | "lunch_command":"lunch 50" 7 | } -------------------------------------------------------------------------------- /fuzzer-engine/manager/fuzzer.template.cfg: -------------------------------------------------------------------------------- 1 | { 2 | "host_fuzzer_path":"/path/to/aosp_asan/out/target/product/taimen/symbols/system/bin/native_service_fuzzer", 3 | "fuzzer_log_level":"error", 4 | "host_model_dir":"/path/to/fans/workdir/interface-model-extractor/model", 5 | "host_seed_dir":"/path/to/fans/seed", 6 | "device_work_dir":"/data/fuzzer", 7 | "max_instance_number":5, 8 | "max_tombstone_count":99999, 9 | "root_log_dir":"/path/to/log", 10 | "adbd_restart_script_path":"/path/to/fans/fuzzer-engine/manager/restart_adbd.sh", 11 | "restart_device_script_path":"/path/to/fans/fuzzer-engine/manager/restart_device.sh" 12 | } -------------------------------------------------------------------------------- /fuzzer-engine/manager/get_device_list.py: -------------------------------------------------------------------------------- 1 | from pwn import process, log, context 2 | import json 3 | def get_device_list(): 4 | bash = process("/bin/bash") 5 | bash.sendline("/usr/bin/adb devices") 6 | bash.recvuntil("List of devices attached\n") 7 | reply = bash.recv().strip().split(b"\n") 8 | serials = dict() 9 | cnt = 0 10 | for line in reply: 11 | fields = line.split() 12 | serial = fields[0] 13 | cnt += 1 14 | serials[serial.decode()] = cnt 15 | print(serials) 16 | data = json.dumps(serials, sort_keys=True, indent=4) 17 | open("device.cfg", "w").write(data) 18 | 19 | 20 | if __name__ == "__main__": 21 | get_device_list() -------------------------------------------------------------------------------- /fuzzer-engine/manager/restart_adbd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | while true 3 | do 4 | procnum=`ps -ef|grep "adbd"|grep -v grep|grep -v restart|wc -l` 5 | if [ $procnum -eq 0 ]; then 6 | adbd& 7 | fi 8 | sleep 30 9 | done -------------------------------------------------------------------------------- /fuzzer-engine/manager/restart_device.sh: -------------------------------------------------------------------------------- 1 | sleep 60m 2 | reboot -------------------------------------------------------------------------------- /fuzzer-engine/manager/util.py: -------------------------------------------------------------------------------- 1 | from pwn import log 2 | import os 3 | from time import sleep 4 | import subprocess 5 | 6 | 7 | def exeute_cmd(cmdline): 8 | log.debug("cmd: %s" % cmdline) 9 | cmdline = cmdline 10 | try: 11 | # p = os.popen(cmdline) 12 | # reply = p.read() 13 | reply = subprocess.check_output( 14 | cmdline, stderr=subprocess.STDOUT, shell=True, executable="/bin/bash").decode('utf-8') 15 | 16 | # p = subprocess.Popen(cmdline, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True) 17 | # reply = p.stdout.read().decode() 18 | except Exception as e: 19 | reply = e.output.decode('utf-8', errors='ignore') 20 | log.debug("reply: %s" % reply) 21 | sleep(1) 22 | return reply 23 | -------------------------------------------------------------------------------- /fuzzer-engine/readme.md: -------------------------------------------------------------------------------- 1 | # Fuzzer Engine 2 | Fuzzer engine consists of two parts. 3 | 4 | - fuzzer, the actual fuzzer to fuzz the Android native system services. 5 | - manager, it manages to fuzz Android native system services automatically to some extent. 6 | - push fuzzer and data to smartphone 7 | - sync crash logs, e.g., logcat logs, tombstone logs 8 | - flash smartphone 9 | - etc. 10 | 11 | ## Prepare Data 12 | Before fuzzing, we should prepare data used by the fuzzer, including 13 | - interface model, locates in `workdir/interface-model-extractor/model` 14 | - various seeds, located in `seed`, e.g., 15 | - files 16 | - media files, located in `seed/files/media`. You can add media files according to your demand, e.g., mp3, mp4. 17 | - apk files, located in `seed/files/apk`. You can add apk files according to your demand. Here we give a simple file, which is from https://www.appsapk.com/compass/. 18 | - misc files, located in `seed/files/misc`. You can add misc files according to your demand. 19 | - media URLs, located in `seed/media_url_list.txt`. You can add URLs according to your demand. 20 | - package name list, located in `seed/package_list.txt`. You can use `adb shell pm list packages |cut -f 2 -d :` to get the packages installed on your device. 21 | - permission list, locates in `seed/permission_list.txt`. You could use `adb shell pm list permissions -g |sed "s/ permission://g" | grep -v "All Permissions:\|group:\|ungrouped:\|^$" > permission_list.txt` to collect the permissions provided by your device. 22 | 23 | 24 | ## Build Fuzzer 25 | 26 | Before building the fuzzer, please modify the option `include_dirs` in `fuzzer-engine/fuzzer/Android.bp`. You need to change `"out/target/product/taimen/obj/STATIC_LIBRARIES/libwificond_ipc_intermediates/aidl-generated/include"` to the corresponding directory of your target mobile phone. This directory is a relative directory related to the AOSP directory. Besides, it is generated when compiling the AOSP. 27 | 28 | Here we provide a handful template `setup.template.sh` to build the fuzzer. You can create `setup.sh` according to your environment. Then you can build the fuzzer with ASan enabled as follows. 29 | ```bash 30 | # create a symbolic link inside the AOSP_ASan dir. 31 | cd /path/to/aosp_asan 32 | ln -s /path/to/fans/fuzzer-engine/setup.sh . 33 | # build 34 | bash 35 | source setup.sh 36 | ``` 37 | 38 | ## Test Fuzzer 39 | Currently, fuzzer supports several options as follows 40 | ```bash 41 | $ ./native_service_fuzzer --help 42 | Usage: ./native_service_fuzzer [OPTION] 43 | 44 | --log_level specify the log level of fuzzer 45 | --interface specify the target interface to fuzz 46 | --transaction specify the target transaction to fuzz 47 | --help help manual 48 | ``` 49 | 50 | For example, after pushing fuzzer and related data to the `/data/fuzzer` dir of the device, we can use the following commands to test `IDrm` interface and `IDrm::13-13` transaction correspondingly. Note that we can not specify the interface option and transaction option at the same time. 51 | 52 | ```bash 53 | adb shell "./data/fuzzer/native_service_fuzzer --log_level=debug --interface=IDrm" 54 | adb shell "./data/fuzzer/native_service_fuzzer --log_level=debug --transaction=IDrm::13-13" 55 | ``` 56 | 57 | Here we also provide a handful template `test_fuzzer.template.sh` to test the fuzzer to check if it works as expected. You can create `test_fuzzer.sh` according to your environment. In the script, 58 | 59 | - `$1` should be the device serial 60 | - If you want to push data and fuzzer to the device, you should set `$2` to "push". 61 | 62 | Here is an example of how to use `test_fuzzer.sh`. 63 | ```bash 64 | # push data and test fuzzer. 65 | # XXXXXXXXXXXXXX should be the serial number of your device 66 | sh test_fuzzer.sh XXXXXXXXXXXXXX push 67 | ``` 68 | 69 | Besides, if you find some problems with fuzzer, you can also use `debug_fuzzer.sh` to debug fuzzer. 70 | 71 | ## Run Fuzzer Manager 72 | Please refer to the [Fuzzer Manager](manager/readme.md). -------------------------------------------------------------------------------- /fuzzer-engine/setup.template.sh: -------------------------------------------------------------------------------- 1 | source build/envsetup.sh 2 | lunch 50 # for taimen 3 | rm -rf frameworks/native/cmds/native-service-fuzzer 4 | cp -r /path/to/fans/fuzzer-engine/fuzzer frameworks/native/cmds/native-service-fuzzer 5 | cd frameworks/native/cmds/native-service-fuzzer 6 | mm -------------------------------------------------------------------------------- /fuzzer-engine/test_fuzzer.template.sh: -------------------------------------------------------------------------------- 1 | adb -s $1 root 2 | sleep 3 3 | adb -s $1 shell setenforce 0 4 | if [ "$2" = "push" ]; then 5 | adb -s $1 shell rm -rf /data/fuzzer/ 6 | adb -s $1 shell mkdir /data/fuzzer/ 7 | adb -s $1 push ../workdir/interface-model-extractor/model /data/fuzzer/ 8 | adb -s $1 push ../seed/ /data/fuzzer 9 | adb -s $1 push /path/to/aosp_asan/out/target/product/taimen/symbols/system/bin/native_service_fuzzer /data/fuzzer 10 | fi 11 | adb -s $1 shell killall native_service_fuzzer 12 | # adb -s $1 shell "./data/fuzzer/native_service_fuzzer --log_level=info --interface=IDrm" 13 | # adb -s $1 shell "./data/fuzzer/native_service_fuzzer --log_level=info --transaction=IDrm::13-13" -------------------------------------------------------------------------------- /interface-model-extractor/post-process/adjust_structure.py: -------------------------------------------------------------------------------- 1 | import os 2 | import json 3 | from jsonutil import replace_attr,replace_name_wapper 4 | import logging 5 | 6 | 7 | cfg = json.load(open("../../fans.cfg")) 8 | 9 | fans_dir = cfg["fans_dir"] 10 | 11 | rough_structure_data_dir = os.path.join( 12 | cfg["rough_interface_related_data_dir"], "structure") 13 | interface_model_extractor_dir = os.path.join( 14 | fans_dir, cfg["interface_model_extractor_dir"]) 15 | precise_parcelable_structure_data_dir = os.path.join(interface_model_extractor_dir,"model","structure","parcelable") 16 | 17 | basic_types = open("data/basic_type.txt").read().split("\n") 18 | logger = logging.getLogger(__name__) 19 | logger.setLevel(logging.ERROR) 20 | 21 | def join_path_list(start, pathList): 22 | for path in pathList: 23 | start = os.path.join(start, path) 24 | return start 25 | 26 | 27 | def is_bad(name): 28 | tmp = name.split("::")[-1] 29 | if tmp == "value" or tmp.startswith("value_") or tmp.startswith("implicit"): 30 | return True 31 | return False 32 | 33 | 34 | def getType(variable, name): 35 | for item in variable: 36 | if item["name"] == name: 37 | return item["type"] 38 | 39 | 40 | dataPath = os.path.join(precise_parcelable_structure_data_dir, "data") 41 | replyPath = os.path.join(precise_parcelable_structure_data_dir, "reply") 42 | 43 | 44 | def getVarIdx(variable, name): 45 | for i in range(len(variable)): 46 | if variable[i]["name"] == name: 47 | return i 48 | 49 | 50 | def try_adjust(data,reply): 51 | dataposs = data["possibility"][-1]["data"] 52 | replyposs = reply["possibility"][-1]["reply"] 53 | if len(dataposs)!=len(replyposs): 54 | logger.warning("The data's length and the reply's length is not euqal. Wow...") 55 | return 56 | for i in range(len(dataposs)): 57 | logger.debug('%d %s %s' %(i, dataposs[i],replyposs[i])) 58 | dataIdx = getVarIdx(data["variable"], dataposs[i]) 59 | replyIdx = getVarIdx(reply["variable"], replyposs[i]) 60 | 61 | # first we should consider type 62 | dataType = data["variable"][dataIdx]["type"] 63 | replyType = reply["variable"][replyIdx]["type"] 64 | if dataType != replyType: 65 | if dataType in basic_types and replyType in basic_types: 66 | logger.warning("May be something bad happened..") 67 | logger.warning("%s %s" %(dataposs[i], replyposs[i])) 68 | pass 69 | elif dataType in basic_types: 70 | # replace dataType with replyType for dataposs[i] 71 | replace_attr(data, dataposs[i], "type", replyType) 72 | else: 73 | replace_attr(reply, replyposs[i], "type", dataType) 74 | 75 | # then we can consider name 76 | isDataBad = is_bad(dataposs[i]) 77 | isReplyBad = is_bad(replyposs[i]) 78 | if isDataBad == isReplyBad: 79 | logger.info("Name: We can not improve anything.") 80 | elif isDataBad == True: 81 | replace_name_wapper(data, dataposs[i], "name", replyposs[i]) 82 | # dataposs[i] = replyposs[i] 83 | else: 84 | replace_name_wapper(reply, replyposs[i], "name", dataposs[i]) 85 | # replyposs[i]=dataposs[i] 86 | 87 | 88 | 89 | for filename in os.listdir(dataPath): 90 | if not os.path.isdir(filename): 91 | logger.debug("Dealing with "+filename) 92 | dataFile = os.path.join(dataPath, filename) 93 | rawData = json.load(open(dataFile)) 94 | data = rawData[filename[:-5]] 95 | 96 | replyFile = os.path.join(replyPath, filename) 97 | if not os.path.exists(replyFile): 98 | continue 99 | rawReply = json.load(open(replyFile)) 100 | reply = rawReply[filename[:-5]] 101 | try_adjust(data,reply) 102 | # dump it. 103 | parcel = json.dumps(rawData, indent=4, separators=(",", ":")) 104 | open(dataFile, "w").write(parcel) 105 | parcel = json.dumps(rawReply, indent=4, separators=(",", ":")) 106 | open(replyFile, "w").write(parcel) -------------------------------------------------------------------------------- /interface-model-extractor/post-process/copy.sh: -------------------------------------------------------------------------------- 1 | python copy_enumeration_type.py 2 | 3 | cp manually/flattenable/data/* ../../workdir/interface-model-extractor/model/structure/flattenable/data/ 4 | cp manually/flattenable/reply/* ../../workdir/interface-model-extractor/model/structure/flattenable/reply/ 5 | 6 | cp manually/light_flattenable/data/* ../../workdir/interface-model-extractor/model/structure/light_flattenable/data/ 7 | cp manually/light_flattenable/reply/* ../../workdir/interface-model-extractor/model/structure/light_flattenable/reply/ 8 | 9 | cp manually/parcelable/data/* ../../workdir/interface-model-extractor/model/structure/parcelable/data/ 10 | cp manually/parcelable/reply/* ../../workdir/interface-model-extractor/model/structure/parcelable/reply/ 11 | -------------------------------------------------------------------------------- /interface-model-extractor/post-process/copy_enumeration_type.py: -------------------------------------------------------------------------------- 1 | import shutil 2 | import os 3 | import json 4 | 5 | cfg = json.load(open("../../fans.cfg")) 6 | 7 | fans_dir = cfg["fans_dir"] 8 | 9 | rough_enumeration_data_dir = os.path.join( 10 | cfg["rough_interface_related_data_dir"], "enumeration") 11 | interface_model_extractor_dir = os.path.join( 12 | fans_dir, cfg["interface_model_extractor_dir"]) 13 | precise_enumeration_dir = os.path.join(interface_model_extractor_dir,"model","enumeration") 14 | used_types_file = os.path.join(interface_model_extractor_dir,"used_types.txt") 15 | used_types = open(used_types_file).read().split("\n") 16 | 17 | special_enumeration_types = ["audio_source_t","enum android::video_source","enum android::output_format","enum android::audio_encoder","enum android::video_encoder","enum android_pixel_format_t"] 18 | # http://androidxref.com/9.0.0_r3/xref/frameworks/av/media/libaudioclient/aidl/android/media/IAudioRecord.aidl#27 19 | special_enumeration_types.append("enum android::AudioSystem::sync_event_t") 20 | # http://androidxref.com/9.0.0_r3/xref/frameworks/native/include/gui/ISurfaceComposer.h#63 21 | # http://androidxref.com/9.0.0_r3/xref/frameworks/native/libs/gui/ISurfaceComposer.cpp#597 22 | special_enumeration_types.append("enum android::ISurfaceComposer::(anonymous at frameworks.native.libs.gui.include.gui.ISurfaceComposer.h:61:5)") 23 | special_enumeration_types.append("enum (anonymous at hardware.libhardware.include.hardware.hwcomposer_defs.h:277:1)") 24 | special_enumeration_types.append("enum effect_command_e") 25 | special_enumeration_types.append("enum android::(anonymous at frameworks.av.media.libmedia.include.media.mediametadataretriever.h:35:1)") 26 | # audio_devices_t 27 | special_enumeration_types.append("enum (anonymous at system.media.audio.include.system.audio-base.h:289:1)") 28 | special_enumeration_types.append("enum android::hardware::camera2::params::OutputConfiguration::SurfaceType") 29 | special_enumeration_types.append("enum android::MetaDataBase::Type") 30 | def copy_enumeration_type(): 31 | for filename in os.listdir(rough_enumeration_data_dir): 32 | if not os.path.isdir(filename): 33 | if filename in used_types or filename in special_enumeration_types: 34 | absolute_path = os.path.join(rough_enumeration_data_dir, str(filename)) 35 | shutil.copy(absolute_path, precise_enumeration_dir) 36 | 37 | if __name__=="__main__": 38 | copy_enumeration_type() -------------------------------------------------------------------------------- /interface-model-extractor/post-process/data/basic_type.txt: -------------------------------------------------------------------------------- 1 | size_t 2 | ssize_t 3 | IntegerLiteral 4 | float 5 | FloatingLiteral 6 | double 7 | uint32_t 8 | unsigned int 9 | int32_t 10 | int 11 | int64_t 12 | long 13 | long long 14 | uint64_t 15 | unsigned long 16 | unsigned long long 17 | int8_t 18 | char 19 | uint8_t 20 | unsigned char 21 | void 22 | bool 23 | _Bool 24 | uint16_t 25 | unsigned short 26 | int16_t 27 | short -------------------------------------------------------------------------------- /interface-model-extractor/post-process/data/black_interface_list.txt: -------------------------------------------------------------------------------- 1 | BnVrStateCallbacks 2 | BnOMX 3 | BnMountShutdownObserver 4 | BnQClient 5 | BnSoundTriggerClient 6 | BnAAudioClient 7 | BnMediaRecorderClient 8 | BnEffectClient 9 | BnRemoteDisplayClient 10 | BnMediaPlayerClient 11 | BnAudioPolicyServiceClient 12 | BnDrmClient 13 | BnInputFlinger 14 | BnUpdateEngineCallback 15 | BnDumpstate 16 | BnPlayer 17 | BnBluetoothSocketManager 18 | BnShellCallback 19 | BnPersistentVrStateCallbacks 20 | BnOMXBufferSource 21 | BnConfirmationPromptCallback 22 | BnResultReceiver 23 | BnMountServiceListener 24 | BnVoldListener 25 | BnDumpstateListener 26 | BnObbActionListener 27 | BnStreamListener 28 | BnIncidentReportStatusListener 29 | BnThermalEventListener 30 | BnCameraServiceListener 31 | BnVoldTaskListener 32 | BnConsumerListener 33 | BnProducerListener 34 | BnDrmServiceListener 35 | BnCameraRecordingProxyListener 36 | BnMediaLogService 37 | BnApInterfaceEventCallback 38 | BnInterfaceEventCallback 39 | BnCameraDeviceCallbacks 40 | BnCameraRecordingProxy 41 | BnScanEvent 42 | BnMidiDeviceServer 43 | BnGraphicBufferConsumer 44 | BnCameraClient 45 | BnQHDMIClient 46 | BnAppOpsCallback 47 | BnResourceManagerClient 48 | BnOMXObserver 49 | BnUidObserver 50 | BnAudioFlingerClient 51 | BnPnoScanEvent 52 | BnStreamSource 53 | BnGraphicBufferSource 54 | BnOMXNode 55 | BnDumpstateToken -------------------------------------------------------------------------------- /interface-model-extractor/post-process/data/customized_interface_list.txt: -------------------------------------------------------------------------------- 1 | BnShellCallback 2 | BnSoundTriggerClient 3 | BnAAudioClient 4 | BnAppOpsCallback 5 | BnAudioFlingerClient 6 | BnAudioPolicyServiceClient 7 | BnCameraRecordingProxyListener 8 | BnCameraRecordingProxy 9 | BnDrmServiceListener 10 | BnEffectClient 11 | BnGraphicBufferConsumer 12 | BnGraphicBufferSource 13 | BnMediaPlayerClient 14 | BnMediaRecorderClient 15 | BnRemoteDisplayClient 16 | BnResourceManagerClient 17 | BnResultReceiver 18 | BnCameraClient 19 | BnCameraServiceListener 20 | BnApInterfaceEventCallback 21 | BnInterfaceEventCallback 22 | BnPnoScanEvent 23 | BnScanEvent 24 | BnIncidentReportStatusListener 25 | BnThermalEventListener 26 | BnUpdateEngineCallback 27 | BnVoldListener 28 | BnVoldTaskListener 29 | BnStreamSource 30 | BnDrmClient 31 | BnCameraDeviceCallbacks 32 | BnProducerListener -------------------------------------------------------------------------------- /interface-model-extractor/post-process/data/not_related_interface_list.txt: -------------------------------------------------------------------------------- 1 | BBinder 2 | BnBluetoothSocketManager 3 | BnConsumerListener 4 | BnMountServiceListener 5 | BnMountShutdownObserver 6 | BnObbActionListener 7 | BnOMXBufferSource 8 | BnOMXNode 9 | BnOMXObserver 10 | BnOMX 11 | BnPersistentVrStateCallbacks 12 | BnUidObserver 13 | BnVrStateCallbacks 14 | BnPlayer 15 | BnMidiDeviceServer 16 | BnDumpstateListener 17 | BnDumpstate 18 | BnDumpstateToken 19 | BnConfirmationPromptCallback 20 | BnQClient 21 | BnQHDMIClient 22 | BnStreamListener 23 | BnInputFlinger 24 | BnMediaLogService -------------------------------------------------------------------------------- /interface-model-extractor/post-process/data/special_type.json: -------------------------------------------------------------------------------- 1 | { 2 | "class std::__1::basic_string":"string", 3 | "class std::__1::unique_ptr, struct std::__1::default_delete > >":"string" 4 | } 5 | 6 | -------------------------------------------------------------------------------- /interface-model-extractor/post-process/init.py: -------------------------------------------------------------------------------- 1 | import json 2 | import os 3 | 4 | cfg = json.load(open("../../fans.cfg")) 5 | fans_dir = cfg["fans_dir"] 6 | 7 | rough_typemap_file = os.path.join(cfg["rough_interface_related_data_dir"],"typemap.txt") 8 | simplified_typemap_file = os.path.join(fans_dir,cfg["interface_model_extractor_dir"],"simplified_typemap_file.txt") 9 | 10 | 11 | def simpilify_type_map(): 12 | type_map = dict() 13 | with open(rough_typemap_file) as f: 14 | for line in f.readlines(): 15 | line = line.strip() 16 | if line == "" or "type-parameter" in line or "decltype" in line or "typename" in line or line.startswith( 17 | "Eigen::"): 18 | continue 19 | name, under = line.split("+") 20 | if name in type_map: 21 | continue 22 | # e.g. ::std::android 23 | name = name.strip("::") 24 | # map to the true type 25 | while under in type_map: 26 | under = type_map[under] 27 | type_map[name] = under 28 | 29 | with open(simplified_typemap_file, "w") as f: 30 | for key, value in type_map.items(): 31 | f.write(key + "+" + value + "\n") 32 | 33 | 34 | if __name__ == "__main__": 35 | simpilify_type_map() -------------------------------------------------------------------------------- /interface-model-extractor/post-process/init.sh: -------------------------------------------------------------------------------- 1 | # rm old files and dirs 2 | rm -rf ../../workdir/interface-model-extractor/model/ 3 | rm ../../workdir/interface-model-extractor/already_parsed_* 4 | rm -rf ../../workdir/interface-model-extractor/tmp 5 | rm ../../workdir/interface-model-extractor/raw_structure_types.txt 6 | rm ../../workdir/interface-model-extractor/simplified_typemap_file.txt 7 | rm ../../workdir/interface-model-extractor/used_types.txt 8 | 9 | # create related files and dirs 10 | touch ../../workdir/interface-model-extractor/used_types.txt 11 | touch ../../workdir/interface-model-extractor/raw_structure_types.txt 12 | touch ../../workdir/interface-model-extractor/simplified_typemap_file.txt 13 | mkdir -p ../../workdir/interface-model-extractor/model/service/ 14 | mkdir -p ../../workdir/interface-model-extractor/model/function/ 15 | mkdir -p ../../workdir/interface-model-extractor/model/structure/parcelable/data/ 16 | mkdir -p ../../workdir/interface-model-extractor/model/structure/parcelable/reply/ 17 | mkdir -p ../../workdir/interface-model-extractor/model/structure/flattenable/data/ 18 | mkdir -p ../../workdir/interface-model-extractor/model/structure/flattenable/reply/ 19 | mkdir -p ../../workdir/interface-model-extractor/model/structure/light_flattenable/data/ 20 | mkdir -p ../../workdir/interface-model-extractor/model/structure/light_flattenable/reply/ 21 | mkdir -p ../../workdir/interface-model-extractor/model/structure/raw/ 22 | mkdir -p ../../workdir/interface-model-extractor/model/union/ 23 | mkdir -p ../../workdir/interface-model-extractor/model/enumeration/ 24 | 25 | mkdir -p ../../workdir/interface-model-extractor/tmp 26 | 27 | python init.py -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/flattenable/data/class android::Fence.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::Fence": { 3 | "code": 0, 4 | "constraint": [ 5 | ], 6 | "possibility": [ 7 | { 8 | "return": "", 9 | "reply": [ 10 | ], 11 | "data": [ 12 | "numFds", 13 | "mFenceFd" 14 | ], 15 | "id": 0 16 | } 17 | ], 18 | "dependency": [], 19 | "variable": [ 20 | { 21 | "count": 1, 22 | "self_constraint": [], 23 | "name": "numFds", 24 | "under_constraint": [], 25 | "dependency": [], 26 | "relation": [], 27 | "serialization_type": 1, 28 | "usedBy": [], 29 | "type": "int", 30 | "loop": [] 31 | }, 32 | { 33 | "count": 1, 34 | "self_constraint": [], 35 | "name": "mFenceFd", 36 | "under_constraint": [], 37 | "dependency": [], 38 | "relation": [], 39 | "serialization_type": 1, 40 | "usedBy": [], 41 | "type": "FileDescriptor", 42 | "loop": [] 43 | } 44 | ], 45 | "loop": [ 46 | ] 47 | } 48 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/flattenable/data/class android:Region.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::Region": { 3 | "code": 0, 4 | "possibility": [ 5 | { 6 | "return": "", 7 | "reply": [ 8 | ], 9 | "data": [ 10 | "numRects", 11 | "rect" 12 | ], 13 | "id": 0 14 | } 15 | ], 16 | "dependency": [], 17 | "variable": [ 18 | { 19 | "count": 1, 20 | "self_constraint": [], 21 | "name": "numRects", 22 | "under_constraint": [], 23 | "dependency": [], 24 | "relation": [], 25 | "serialization_type": 1, 26 | "usedBy": [], 27 | "type": "int", 28 | "loop": [] 29 | }, 30 | { 31 | "count": 1, 32 | "self_constraint": [], 33 | "name": "i", 34 | "under_constraint": [], 35 | "dependency": [], 36 | "relation": [], 37 | "serialization_type": 0, 38 | "usedBy": [], 39 | "type": "int", 40 | "loop": [] 41 | }, 42 | { 43 | "count": 1, 44 | "self_constraint": [], 45 | "name": "rect", 46 | "under_constraint": [], 47 | "dependency": [], 48 | "relation": [], 49 | "serialization_type": 1, 50 | "usedBy": [], 51 | "type": "class android::Rect", 52 | "loop": ["loop0"] 53 | } 54 | ], 55 | "constraint": [ 56 | { 57 | "lhs": { 58 | "type": "int", 59 | "name": "i" 60 | }, 61 | "rhs": { 62 | "type": "int", 63 | "name": "numRects" 64 | }, 65 | "opcode": "<", 66 | "name": "constraint0" 67 | } 68 | ], 69 | "loop": [ 70 | { 71 | "name": "loop0", 72 | "counter": { 73 | "type": "int", 74 | "name": "i", 75 | "value": 0 76 | }, 77 | "constraint": "constraint0", 78 | "inc": { 79 | "type": "int", 80 | "opcode": "++", 81 | "name": "i" 82 | } 83 | } 84 | ] 85 | } 86 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/flattenable/reply/class android::Fence.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::Fence": { 3 | "code": 0, 4 | "constraint": [ 5 | ], 6 | "possibility": [ 7 | { 8 | "return": "", 9 | "reply": [ 10 | "numFds", 11 | "mFenceFd" 12 | ], 13 | "data": [], 14 | "id": 0 15 | } 16 | ], 17 | "dependency": [], 18 | "variable": [ 19 | { 20 | "count": 1, 21 | "self_constraint": [], 22 | "name": "numFds", 23 | "under_constraint": [], 24 | "dependency": [], 25 | "relation": [], 26 | "serialization_type": 2, 27 | "usedBy": [], 28 | "type": "int", 29 | "loop": [] 30 | }, 31 | { 32 | "count": 1, 33 | "self_constraint": [], 34 | "name": "mFenceFd", 35 | "under_constraint": [], 36 | "dependency": [], 37 | "relation": [], 38 | "serialization_type": 2, 39 | "usedBy": [], 40 | "type": "FileDescriptor", 41 | "loop": [] 42 | } 43 | ], 44 | "loop": [ 45 | ] 46 | } 47 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/flattenable/reply/class android::Region.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::Region": { 3 | "code": 0, 4 | "possibility": [ 5 | { 6 | "return": "", 7 | "reply": [ 8 | "numRects", 9 | "rect" 10 | ], 11 | "data": [], 12 | "id": 0 13 | } 14 | ], 15 | "dependency": [], 16 | "variable": [ 17 | { 18 | "count": 1, 19 | "self_constraint": [], 20 | "name": "numRects", 21 | "under_constraint": [], 22 | "dependency": [], 23 | "relation": [], 24 | "serialization_type": 2, 25 | "usedBy": [], 26 | "type": "int", 27 | "loop": [] 28 | }, 29 | { 30 | "count": 1, 31 | "self_constraint": [], 32 | "name": "i", 33 | "under_constraint": [], 34 | "dependency": [], 35 | "relation": [], 36 | "serialization_type": 0, 37 | "usedBy": [], 38 | "type": "int", 39 | "loop": [] 40 | }, 41 | { 42 | "count": 1, 43 | "self_constraint": [], 44 | "name": "rect", 45 | "under_constraint": [], 46 | "dependency": [], 47 | "relation": [], 48 | "serialization_type": 2, 49 | "usedBy": [], 50 | "type": "class android::Rect", 51 | "loop": ["loop0"] 52 | } 53 | ], 54 | "constraint": [ 55 | { 56 | "lhs": { 57 | "type": "int", 58 | "name": "i" 59 | }, 60 | "rhs": { 61 | "type": "int", 62 | "name": "numRects" 63 | }, 64 | "opcode": "<", 65 | "name": "constraint0" 66 | } 67 | ], 68 | "loop": [ 69 | { 70 | "name": "loop0", 71 | "counter": { 72 | "type": "int", 73 | "name": "i", 74 | "value": 0 75 | }, 76 | "constraint": "constraint0", 77 | "inc": { 78 | "type": "int", 79 | "opcode": "++", 80 | "name": "i" 81 | } 82 | } 83 | ] 84 | } 85 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/data/class android::FrameStats.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::FrameStats": { 3 | "code": 0, 4 | "constraint": [ 5 | ], 6 | "possibility": [ 7 | { 8 | "return": "", 9 | "reply": [], 10 | "data": [ 11 | "refreshPeriodNano", 12 | "desiredPresentTimesNano", 13 | "actualPresentTimesNano", 14 | "frameReadyTimesNano" 15 | ], 16 | "id": 0 17 | } 18 | ], 19 | "dependency": [], 20 | "fixed":0, 21 | "variable": [ 22 | { 23 | "count": 1, 24 | "self_constraint": [], 25 | "name": "refreshPeriodNano", 26 | "under_constraint": [], 27 | "dependency": [], 28 | "relation": [], 29 | "serialization_type": 1, 30 | "usedBy": [], 31 | "type": "nsecs_t", 32 | "loop": [] 33 | }, 34 | { 35 | "count": 1, 36 | "self_constraint": [], 37 | "name": "frameCount", 38 | "under_constraint": [], 39 | "dependency": [], 40 | "relation": [], 41 | "serialization_type": 0, 42 | "usedBy": [], 43 | "type": "int", 44 | "loop": [] 45 | }, 46 | { 47 | "count": 1, 48 | "self_constraint": [], 49 | "name": "desiredPresentTimesNano", 50 | "under_constraint": [], 51 | "dependency": [], 52 | "relation": [], 53 | "serialization_type": 1, 54 | "usedBy": [], 55 | "type": "class android::Vector", 56 | "loop": [] 57 | }, 58 | { 59 | "count": 1, 60 | "self_constraint": [], 61 | "name": "desiredPresentTimesNano::item", 62 | "under_constraint": [], 63 | "dependency": [], 64 | "relation": [], 65 | "serialization_type": 1, 66 | "usedBy": [], 67 | "type": "nsecs_t", 68 | "loop": [] 69 | }, 70 | { 71 | "count": 1, 72 | "self_constraint": [], 73 | "name": "actualPresentTimesNano", 74 | "under_constraint": [], 75 | "dependency": [], 76 | "relation": [], 77 | "serialization_type": 1, 78 | "usedBy": [], 79 | "type": "class android::Vector", 80 | "loop": [] 81 | }, 82 | { 83 | "count": 1, 84 | "self_constraint": [], 85 | "name": "actualPresentTimesNano::item", 86 | "under_constraint": [], 87 | "dependency": [], 88 | "relation": [], 89 | "serialization_type": 1, 90 | "usedBy": [], 91 | "type": "nsecs_t", 92 | "loop": [] 93 | }, 94 | { 95 | "count": 1, 96 | "self_constraint": [], 97 | "name": "frameReadyTimesNano", 98 | "under_constraint": [], 99 | "dependency": [], 100 | "relation": [], 101 | "serialization_type": 1, 102 | "usedBy": [], 103 | "type": "class android::Vector", 104 | "loop": [] 105 | }, 106 | { 107 | "count": 1, 108 | "self_constraint": [], 109 | "name": "frameReadyTimesNano::item", 110 | "under_constraint": [], 111 | "dependency": [], 112 | "relation": [], 113 | "serialization_type": 1, 114 | "usedBy": [], 115 | "type": "nsecs_t", 116 | "loop": [] 117 | } 118 | ], 119 | "loop": [] 120 | } 121 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/data/class android::HdrCapabilities.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::HdrCapabilities": { 3 | "code": 0, 4 | "possibility": [ 5 | { 6 | "return": "", 7 | "reply": [], 8 | "data": [ 9 | "mMaxLuminance", 10 | "mMaxAverageLuminance", 11 | "mMinLuminance", 12 | "mSupportedHdrTypes" 13 | ], 14 | "id": 0 15 | } 16 | ], 17 | "dependency": [], 18 | "fixed":0, 19 | "variable": [ 20 | { 21 | "count": 1, 22 | "self_constraint": [], 23 | "name": "mMaxLuminance", 24 | "under_constraint": [], 25 | "dependency": [], 26 | "relation": [], 27 | "serialization_type": 1, 28 | "usedBy": [], 29 | "type": "float", 30 | "loop": [] 31 | }, 32 | { 33 | "count": 1, 34 | "self_constraint": [], 35 | "name": "mMaxAverageLuminance", 36 | "under_constraint": [], 37 | "dependency": [], 38 | "relation": [], 39 | "serialization_type": 1, 40 | "usedBy": [], 41 | "type": "float", 42 | "loop": [] 43 | }, 44 | { 45 | "count": 1, 46 | "self_constraint": [], 47 | "name": "mMinLuminance", 48 | "under_constraint": [], 49 | "dependency": [], 50 | "relation": [], 51 | "serialization_type": 1, 52 | "usedBy": [], 53 | "type": "float", 54 | "loop": [] 55 | }, 56 | { 57 | "count": 1, 58 | "self_constraint": [], 59 | "name": "mSupportedHdrTypes", 60 | "under_constraint": [], 61 | "dependency": [], 62 | "relation": [], 63 | "serialization_type": 1, 64 | "usedBy": [], 65 | "type": "vector", 66 | "loop": [] 67 | }, 68 | { 69 | "count": 1, 70 | "self_constraint": [], 71 | "name": "mSupportedHdrTypes::item", 72 | "under_constraint": [], 73 | "dependency": [], 74 | "relation": [], 75 | "serialization_type": 1, 76 | "usedBy": [], 77 | "type": "int", 78 | "loop": [] 79 | } 80 | ], 81 | "constraint": [], 82 | "loop": [] 83 | } 84 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/data/class android::Rect.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::Rect": { 3 | "code": 0, 4 | "constraint": [ 5 | ], 6 | "possibility": [ 7 | { 8 | "return": "", 9 | "reply": [], 10 | "data": [ 11 | "left", 12 | "top", 13 | "right", 14 | "bottom" 15 | ], 16 | "id": 0 17 | } 18 | ], 19 | "dependency": [], 20 | "fixed":1, 21 | "variable": [ 22 | { 23 | "count": 1, 24 | "self_constraint": [], 25 | "name": "left", 26 | "under_constraint": [], 27 | "dependency": [], 28 | "relation": [], 29 | "serialization_type": 1, 30 | "usedBy": [], 31 | "type": "int", 32 | "loop": [] 33 | }, 34 | { 35 | "count": 1, 36 | "self_constraint": [], 37 | "name": "top", 38 | "under_constraint": [], 39 | "dependency": [], 40 | "relation": [], 41 | "serialization_type": 1, 42 | "usedBy": [], 43 | "type": "int", 44 | "loop": [] 45 | }, 46 | { 47 | "count": 1, 48 | "self_constraint": [], 49 | "name": "right", 50 | "under_constraint": [], 51 | "dependency": [], 52 | "relation": [], 53 | "serialization_type": 1, 54 | "usedBy": [], 55 | "type": "int", 56 | "loop": [] 57 | }, 58 | { 59 | "count": 1, 60 | "self_constraint": [], 61 | "name": "bottom", 62 | "under_constraint": [], 63 | "dependency": [], 64 | "relation": [], 65 | "serialization_type": 1, 66 | "usedBy": [], 67 | "type": "int", 68 | "loop": [] 69 | } 70 | ], 71 | "loop": [] 72 | } 73 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/data/struct android::HdrMetadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "struct android::HdrMetadata": { 3 | "code": 0, 4 | "possibility": [ 5 | { 6 | "return": "", 7 | "reply": [], 8 | "data": [ 9 | "validTypes", 10 | "smpte2086", 11 | "cta8613" 12 | ], 13 | "id": 0 14 | } 15 | ], 16 | "dependency": [], 17 | "fixed":0, 18 | "variable": [ 19 | { 20 | "count": 1, 21 | "self_constraint": [], 22 | "name": "validTypes", 23 | "under_constraint": [], 24 | "dependency": [], 25 | "relation": [], 26 | "serialization_type": 1, 27 | "usedBy": [], 28 | "type": "unsigned int", 29 | "loop": [] 30 | }, 31 | { 32 | "count": 1, 33 | "self_constraint": [], 34 | "name": "SMPTE2086", 35 | "under_constraint": [], 36 | "dependency": [], 37 | "relation": [], 38 | "serialization_type": 0, 39 | "usedBy": [], 40 | "type": "IntegerLiteral", 41 | "value":1, 42 | "loop": [] 43 | }, 44 | { 45 | "count": 1, 46 | "self_constraint": [], 47 | "name": "smpte2086", 48 | "under_constraint": [ 49 | { 50 | "name":"constraint0", 51 | "status":true 52 | } 53 | ], 54 | "dependency": [], 55 | "relation": [], 56 | "serialization_type": 1, 57 | "usedBy": [], 58 | "type": "struct android_smpte2086_metadata", 59 | "loop": [] 60 | }, 61 | { 62 | "count": 1, 63 | "self_constraint": [], 64 | "name": "CTA861_3", 65 | "under_constraint": [], 66 | "dependency": [], 67 | "relation": [], 68 | "serialization_type": 0, 69 | "usedBy": [], 70 | "type": "IntegerLiteral", 71 | "value":2, 72 | "loop": [] 73 | }, 74 | { 75 | "count": 1, 76 | "self_constraint": [], 77 | "name": "cta8613", 78 | "under_constraint": [ 79 | { 80 | "name":"constraint1", 81 | "status":true 82 | } 83 | ], 84 | "dependency": [], 85 | "relation": [], 86 | "serialization_type": 1, 87 | "usedBy": [], 88 | "type": "struct android_cta861_3_metadata", 89 | "loop": [] 90 | } 91 | ], 92 | "constraint": [ 93 | { 94 | "lhs": { 95 | "type": "unsigned int", 96 | "name": "validTypes" 97 | }, 98 | "rhs": { 99 | "type": "IntegerLiteral", 100 | "name": "SMPTE2086", 101 | "value":1 102 | }, 103 | "opcode": "&", 104 | "name": "constraint0" 105 | }, 106 | { 107 | "lhs": { 108 | "type": "unsigned int", 109 | "name": "validTypes" 110 | }, 111 | "rhs": { 112 | "type": "IntegerLiteral", 113 | "name": "CTA861_3", 114 | "value":2 115 | }, 116 | "opcode": "&", 117 | "name": "constraint1" 118 | } 119 | ], 120 | "loop": [] 121 | } 122 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/reply/class android::FrameStats.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::FrameStats": { 3 | "code": 0, 4 | "constraint": [ 5 | ], 6 | "possibility": [ 7 | { 8 | "return": "", 9 | "reply": [ 10 | "refreshPeriodNano", 11 | "desiredPresentTimesNano", 12 | "actualPresentTimesNano", 13 | "frameReadyTimesNano" 14 | ], 15 | "data": [], 16 | "id": 0 17 | } 18 | ], 19 | "dependency": [], 20 | "fixed":0, 21 | "variable": [ 22 | { 23 | "count": 1, 24 | "self_constraint": [], 25 | "name": "refreshPeriodNano", 26 | "under_constraint": [], 27 | "dependency": [], 28 | "relation": [], 29 | "serialization_type": 2, 30 | "usedBy": [], 31 | "type": "nsecs_t", 32 | "loop": [] 33 | }, 34 | { 35 | "count": 1, 36 | "self_constraint": [], 37 | "name": "frameCount", 38 | "under_constraint": [], 39 | "dependency": [], 40 | "relation": [], 41 | "serialization_type": 0, 42 | "usedBy": [], 43 | "type": "int", 44 | "loop": [] 45 | }, 46 | { 47 | "count": 1, 48 | "self_constraint": [], 49 | "name": "desiredPresentTimesNano", 50 | "under_constraint": [], 51 | "dependency": [], 52 | "relation": [], 53 | "serialization_type": 2, 54 | "usedBy": [], 55 | "type": "class android::Vector", 56 | "loop": [] 57 | }, 58 | { 59 | "count": 1, 60 | "self_constraint": [], 61 | "name": "desiredPresentTimesNano::item", 62 | "under_constraint": [], 63 | "dependency": [], 64 | "relation": [], 65 | "serialization_type": 2, 66 | "usedBy": [], 67 | "type": "nsecs_t", 68 | "loop": [] 69 | }, 70 | { 71 | "count": 1, 72 | "self_constraint": [], 73 | "name": "actualPresentTimesNano", 74 | "under_constraint": [], 75 | "dependency": [], 76 | "relation": [], 77 | "serialization_type": 2, 78 | "usedBy": [], 79 | "type": "class android::Vector", 80 | "loop": [] 81 | }, 82 | { 83 | "count": 1, 84 | "self_constraint": [], 85 | "name": "actualPresentTimesNano::item", 86 | "under_constraint": [], 87 | "dependency": [], 88 | "relation": [], 89 | "serialization_type": 1, 90 | "usedBy": [], 91 | "type": "nsecs_t", 92 | "loop": [] 93 | }, 94 | { 95 | "count": 1, 96 | "self_constraint": [], 97 | "name": "frameReadyTimesNano", 98 | "under_constraint": [], 99 | "dependency": [], 100 | "relation": [], 101 | "serialization_type": 2, 102 | "usedBy": [], 103 | "type": "class android::Vector", 104 | "loop": [] 105 | }, 106 | { 107 | "count": 1, 108 | "self_constraint": [], 109 | "name": "frameReadyTimesNano::item", 110 | "under_constraint": [], 111 | "dependency": [], 112 | "relation": [], 113 | "serialization_type": 2, 114 | "usedBy": [], 115 | "type": "nsecs_t", 116 | "loop": [] 117 | } 118 | ], 119 | "loop": [] 120 | } 121 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/reply/class android::HdrCapabilities.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::HdrCapabilities": { 3 | "code": 0, 4 | "possibility": [ 5 | { 6 | "return": "", 7 | "reply": [ 8 | "mMaxLuminance", 9 | "mMaxAverageLuminance", 10 | "mMinLuminance", 11 | "mSupportedHdrTypes" 12 | ], 13 | "data": [], 14 | "id": 0 15 | } 16 | ], 17 | "dependency": [], 18 | "fixed":0, 19 | "variable": [ 20 | { 21 | "count": 1, 22 | "self_constraint": [], 23 | "name": "mMaxLuminance", 24 | "under_constraint": [], 25 | "dependency": [], 26 | "relation": [], 27 | "serialization_type": 2, 28 | "usedBy": [], 29 | "type": "float", 30 | "loop": [] 31 | }, 32 | { 33 | "count": 1, 34 | "self_constraint": [], 35 | "name": "mMaxAverageLuminance", 36 | "under_constraint": [], 37 | "dependency": [], 38 | "relation": [], 39 | "serialization_type": 2, 40 | "usedBy": [], 41 | "type": "float", 42 | "loop": [] 43 | }, 44 | { 45 | "count": 1, 46 | "self_constraint": [], 47 | "name": "mMinLuminance", 48 | "under_constraint": [], 49 | "dependency": [], 50 | "relation": [], 51 | "serialization_type": 2, 52 | "usedBy": [], 53 | "type": "float", 54 | "loop": [] 55 | }, 56 | { 57 | "count": 1, 58 | "self_constraint": [], 59 | "name": "mSupportedHdrTypes", 60 | "under_constraint": [], 61 | "dependency": [], 62 | "relation": [], 63 | "serialization_type": 2, 64 | "usedBy": [], 65 | "type": "vector", 66 | "loop": [] 67 | }, 68 | { 69 | "count": 1, 70 | "self_constraint": [], 71 | "name": "mSupportedHdrTypes::item", 72 | "under_constraint": [], 73 | "dependency": [], 74 | "relation": [], 75 | "serialization_type": 2, 76 | "usedBy": [], 77 | "type": "int", 78 | "loop": [] 79 | } 80 | ], 81 | "constraint": [], 82 | "loop": [] 83 | } 84 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/reply/class android::Rect.json: -------------------------------------------------------------------------------- 1 | { 2 | "class android::Rect": { 3 | "code": 0, 4 | "constraint": [ 5 | ], 6 | "possibility": [ 7 | { 8 | "return": "", 9 | "reply": [ 10 | "left", 11 | "top", 12 | "right", 13 | "bottom" 14 | ], 15 | "data": [ 16 | ], 17 | "id": 0 18 | } 19 | ], 20 | "dependency": [], 21 | "fixed":1, 22 | "variable": [ 23 | { 24 | "count": 1, 25 | "self_constraint": [], 26 | "name": "left", 27 | "under_constraint": [], 28 | "dependency": [], 29 | "relation": [], 30 | "serialization_type": 1, 31 | "usedBy": [], 32 | "type": "int", 33 | "loop": [] 34 | }, 35 | { 36 | "count": 1, 37 | "self_constraint": [], 38 | "name": "top", 39 | "under_constraint": [], 40 | "dependency": [], 41 | "relation": [], 42 | "serialization_type": 1, 43 | "usedBy": [], 44 | "type": "int", 45 | "loop": [] 46 | }, 47 | { 48 | "count": 1, 49 | "self_constraint": [], 50 | "name": "right", 51 | "under_constraint": [], 52 | "dependency": [], 53 | "relation": [], 54 | "serialization_type": 1, 55 | "usedBy": [], 56 | "type": "int", 57 | "loop": [] 58 | }, 59 | { 60 | "count": 1, 61 | "self_constraint": [], 62 | "name": "bottom", 63 | "under_constraint": [], 64 | "dependency": [], 65 | "relation": [], 66 | "serialization_type": 1, 67 | "usedBy": [], 68 | "type": "int", 69 | "loop": [] 70 | } 71 | ], 72 | "loop": [] 73 | } 74 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/manually/light_flattenable/reply/struct android::HdrMetadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "struct android::HdrMetadata": { 3 | "code": 0, 4 | "possibility": [ 5 | { 6 | "return": "", 7 | "reply": [ 8 | "validTypes", 9 | "smpte2086", 10 | "cta8613" 11 | ], 12 | "data": [], 13 | "id": 0 14 | } 15 | ], 16 | "dependency": [], 17 | "fixed":0, 18 | "variable": [ 19 | { 20 | "count": 1, 21 | "self_constraint": [], 22 | "name": "validTypes", 23 | "under_constraint": [], 24 | "dependency": [], 25 | "relation": [], 26 | "serialization_type": 2, 27 | "usedBy": [], 28 | "type": "unsigned int", 29 | "loop": [] 30 | }, 31 | { 32 | "count": 1, 33 | "self_constraint": [], 34 | "name": "SMPTE2086", 35 | "under_constraint": [], 36 | "dependency": [], 37 | "relation": [], 38 | "serialization_type": 0, 39 | "usedBy": [], 40 | "type": "IntegerLiteral", 41 | "value":1, 42 | "loop": [] 43 | }, 44 | { 45 | "count": 1, 46 | "self_constraint": [], 47 | "name": "smpte2086", 48 | "under_constraint": [ 49 | { 50 | "name":"constraint0", 51 | "status":true 52 | } 53 | ], 54 | "dependency": [], 55 | "relation": [], 56 | "serialization_type": 2, 57 | "usedBy": [], 58 | "type": "struct android_smpte2086_metadata", 59 | "loop": [] 60 | }, 61 | { 62 | "count": 1, 63 | "self_constraint": [], 64 | "name": "CTA861_3", 65 | "under_constraint": [], 66 | "dependency": [], 67 | "relation": [], 68 | "serialization_type": 0, 69 | "usedBy": [], 70 | "type": "IntegerLiteral", 71 | "value":2, 72 | "loop": [] 73 | }, 74 | { 75 | "count": 1, 76 | "self_constraint": [], 77 | "name": "cta8613", 78 | "under_constraint": [ 79 | { 80 | "name":"constraint1", 81 | "status":true 82 | } 83 | ], 84 | "dependency": [], 85 | "relation": [], 86 | "serialization_type": 2, 87 | "usedBy": [], 88 | "type": "struct android_cta861_3_metadata", 89 | "loop": [] 90 | } 91 | ], 92 | "constraint": [ 93 | { 94 | "lhs": { 95 | "type": "unsigned int", 96 | "name": "validTypes" 97 | }, 98 | "rhs": { 99 | "type": "IntegerLiteral", 100 | "name": "SMPTE2086", 101 | "value":1 102 | }, 103 | "opcode": "&", 104 | "name": "constraint0" 105 | }, 106 | { 107 | "lhs": { 108 | "type": "unsigned int", 109 | "name": "validTypes" 110 | }, 111 | "rhs": { 112 | "type": "IntegerLiteral", 113 | "name": "CTA861_3", 114 | "value":2 115 | }, 116 | "opcode": "&", 117 | "name": "constraint1" 118 | } 119 | ], 120 | "loop": [] 121 | } 122 | } -------------------------------------------------------------------------------- /interface-model-extractor/post-process/parse.sh: -------------------------------------------------------------------------------- 1 | python parse_interface.py 2 | python parse_structure.py 3 | python parse_parcel_function.py 4 | python parse_raw_structure.py 5 | python adjust_structure.py 6 | python save_type_map.py 7 | -------------------------------------------------------------------------------- /interface-model-extractor/post-process/parse_parcel_function.py: -------------------------------------------------------------------------------- 1 | import os 2 | from jsonutil import xml2json,get_formatted_json,add_qualified_name 3 | import json 4 | from collections import OrderedDict 5 | import logging 6 | from variable_type import load_simplified_typemap 7 | from ast_visitor import ASTVisitor 8 | import argparse 9 | cfg = json.load(open("../../fans.cfg")) 10 | 11 | fans_dir = cfg["fans_dir"] 12 | 13 | rough_function_data_dir = os.path.join( 14 | cfg["rough_interface_related_data_dir"], "function") 15 | interface_model_extractor_dir = os.path.join( 16 | fans_dir, cfg["interface_model_extractor_dir"]) 17 | precise_function_data_dir = os.path.join(interface_model_extractor_dir,"model","function") 18 | already_parsed_functions_file = os.path.join(interface_model_extractor_dir, "already_parsed_functions.txt") 19 | already_parsed_functions = [] 20 | if os.path.exists(already_parsed_functions_file): 21 | already_parsed_functions = open(already_parsed_functions_file).read().split("\n") 22 | 23 | 24 | interface_model_extractor_tmp_dir = os.path.join(interface_model_extractor_dir, "tmp") 25 | 26 | blacklist_funcname = ["android::hardware::writeToParcel","android::hardware::readFromParcel"] 27 | 28 | logging.basicConfig(format='%(levelname)s - %(message)s') 29 | logger = logging.getLogger(__name__) 30 | logger.setLevel(logging.ERROR) 31 | type_map = load_simplified_typemap() 32 | 33 | def check_funcname(funcname): 34 | if funcname in ["android::hardware::writeToParcel","android::hardware::readFromParcel","android::AMessage::setPointer"]: 35 | return False 36 | if "android::Bp" in funcname: 37 | return False 38 | if "MediaPlayer2Interface" in funcname or "MediaPlayerBase" in funcname: 39 | return False 40 | # if "::MediaPlayer::" in funcname or "::MediaPlayer2::" in funcname: 41 | # return False 42 | # if "::MediaPlayerService::" in funcname: 43 | # return False 44 | return True 45 | 46 | def parse_one_parcel_function(filename): 47 | 48 | logger.info("Start dealing with " + filename) 49 | data = xml2json(os.path.join(rough_function_data_dir, filename)) 50 | 51 | tmp_function_file = os.path.join( 52 | interface_model_extractor_tmp_dir, "tmp_function_file.json") 53 | open(tmp_function_file, "w").write(get_formatted_json(data)) 54 | 55 | function = data["function"] 56 | func_name = function["funcName"]["$"] 57 | if func_name.startswith("class "): 58 | func_name = func_name.split("class ")[1] 59 | if func_name.startswith("struct "): 60 | func_name = func_name.split("struct ")[1] 61 | signature = function["signature"]["$"] 62 | if not check_funcname(func_name): 63 | return 64 | if func_name + "+" + signature in already_parsed_functions: 65 | return 66 | if len(function) > 2: 67 | ast_walker = ASTVisitor(type_map) 68 | parcel = ast_walker.walk_parcel_function(function) 69 | # add_qualified_name(parcel, func_name) 70 | # add_qualified_name(parcel, struct_name) 71 | data = OrderedDict() 72 | data[func_name + "+" + signature] = parcel 73 | open(os.path.join(precise_function_data_dir,filename[:-4]+".json"),"w").write(get_formatted_json(data)) 74 | logging.info("Finish parsing one parcel function: " + filename) 75 | open(already_parsed_functions_file, "a").write(func_name + "+" + signature + "\n") 76 | 77 | 78 | 79 | def parse_parcel_functions(): 80 | for filename in os.listdir(rough_function_data_dir): 81 | if not os.path.isdir(filename): 82 | tmp = filename 83 | if "-" in filename: 84 | tmp = tmp.split("-")[0] 85 | else: 86 | tmp = tmp[:-4] 87 | parse_one_parcel_function(str(filename)) 88 | 89 | 90 | if __name__=="__main__": 91 | parser = argparse.ArgumentParser(description="parse function") 92 | parser.add_argument("-f","--function",help="parse one function") 93 | args = parser.parse_args() 94 | if args.function: 95 | parse_one_parcel_function(args.function) 96 | else: 97 | parse_parcel_functions() -------------------------------------------------------------------------------- /interface-model-extractor/post-process/postprocess.sh: -------------------------------------------------------------------------------- 1 | sh init.sh 2 | sh parse.sh 3 | sh copy.sh -------------------------------------------------------------------------------- /interface-model-extractor/post-process/readme.md: -------------------------------------------------------------------------------- 1 | # Post Process 2 | 3 | The post-process of the interface model extractor will generate a precise interface model. 4 | 5 | During this process, we use `python2`. 6 | 7 | Here are some required libraries. 8 | 9 | ```bash 10 | # Note: you might need to install some other necessary libraries. 11 | pip install --user xmljson 12 | pip install --user lxml 13 | ``` 14 | After installing these libraries, you should modify the `xmljson` library manually. 15 | First, you should find the `xmljson` library location, then modify it as follows. 16 | 17 | ```python 18 | # __init__.py file, line 175 19 | ### before modifying 20 | for child in children: 21 | if count[child.tag] == 1: 22 | value.update(self.data(child)) 23 | else: 24 | result = value.setdefault(child.tag, self.list()) 25 | result += self.data(child).values() 26 | ### after modifying 27 | for child in children: 28 | if count[child.tag] == 1: 29 | value.update(self.data(child)) 30 | else: 31 | num = 1 32 | while True: 33 | if child.tag + str(num) in value: 34 | num += 1 35 | else: 36 | break 37 | child.tag = child.tag + str(num) 38 | value.update(self.data(child)) 39 | #result = value.setdefault(child.tag, self.list()) 40 | #result += self.data(child).values() 41 | ``` 42 | 43 | Then you can run `sh postprocess.sh` to generate the model. The generated model is located at `workdir/interface-model-extractor/model`. 44 | 45 | When you find new functions, e.g., 46 | 47 | ```bash 48 | $ sh postprocess.sh 49 | ... 50 | Find new function android::IMediaPlayerService::pullBatteryData+android::status_t (class android::Parcel *) 51 | ... 52 | ``` 53 | 54 | This means you should collect the files related to those functions described in [Service Related File Collector](../../service-related-file-collector/readme.md). -------------------------------------------------------------------------------- /interface-model-extractor/post-process/save_type_map.py: -------------------------------------------------------------------------------- 1 | from variable_type import save_type_map,load_simplified_typemap 2 | import os 3 | import json 4 | 5 | cfg = json.load(open("../../fans.cfg")) 6 | 7 | fans_dir = cfg["fans_dir"] 8 | 9 | interface_model_extractor_dir = os.path.join( 10 | fans_dir, cfg["interface_model_extractor_dir"]) 11 | 12 | type_map = load_simplified_typemap() 13 | 14 | used_types_file = os.path.join(interface_model_extractor_dir,"used_types.txt") 15 | used_types = open(used_types_file).read().split("\n") 16 | 17 | save_type_map(type_map,used_types) -------------------------------------------------------------------------------- /interface-model-extractor/post-process/variable_type.py: -------------------------------------------------------------------------------- 1 | import json 2 | import os 3 | 4 | cfg = json.load(open("../../fans.cfg")) 5 | fans_dir = cfg["fans_dir"] 6 | 7 | special_type = json.load(open("data/special_type.json")) 8 | basic_types = open("data/basic_type.txt").read().split("\n") 9 | rough_typemap_file = os.path.join(cfg["rough_interface_related_data_dir"],"typemap.txt") 10 | precise_typemap_file = os.path.join(fans_dir,cfg["interface_model_extractor_dir"],"model","typemap.txt") 11 | simplified_typemap_file = os.path.join(fans_dir,cfg["interface_model_extractor_dir"],"simplified_typemap_file.txt") 12 | 13 | def get_true_complex_type(type_map,var_type): 14 | if var_type in type_map and type_map[var_type] not in basic_types: 15 | return type_map[var_type] 16 | else: 17 | return var_type 18 | 19 | 20 | def load_simplified_typemap(): 21 | type_map = dict() 22 | with open(simplified_typemap_file) as f: 23 | for line in f.readlines(): 24 | key,value = line.strip().split("+") 25 | type_map[key]=value 26 | return type_map 27 | 28 | 29 | def save_type_map(type_map, used_types): 30 | with open(precise_typemap_file, "w") as f: 31 | for key, value in type_map.items(): 32 | if key in used_types and value in basic_types: 33 | f.write(key + "+" + value + "\n") 34 | elif key in used_types: 35 | print(key,value) 36 | raw_input("complex type?") -------------------------------------------------------------------------------- /interface-model-extractor/pre-process/BinderIface/BinderIface.exports: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iromise/fans/2c48521a5e20bbcd4339eb841971cd1507c5ca34/interface-model-extractor/pre-process/BinderIface/BinderIface.exports -------------------------------------------------------------------------------- /interface-model-extractor/pre-process/BinderIface/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # If we don't need RTTI or EH, there's no reason to export anything 2 | # from the plugin. 3 | if( NOT MSVC ) # MSVC mangles symbols differently, and 4 | # BinderIface.export contains C++ symbols. 5 | if( NOT LLVM_REQUIRES_RTTI ) 6 | if( NOT LLVM_REQUIRES_EH ) 7 | set(LLVM_EXPORTED_SYMBOL_FILE ${CMAKE_CURRENT_SOURCE_DIR}/BinderIface.exports) 8 | endif() 9 | endif() 10 | endif() 11 | 12 | add_llvm_loadable_module(BinderIface BinderIface.cpp PLUGIN_TOOL clang) 13 | SET(CMAKE_INSTALL_RPATH "") 14 | if(LLVM_ENABLE_PLUGINS AND (WIN32 OR CYGWIN)) 15 | target_link_libraries(BinderIface PRIVATE 16 | clangAST 17 | clangBasic 18 | clangFrontend 19 | LLVMSupport 20 | ) 21 | endif() 22 | 23 | INCLUDE_DIRECTORIES(/usr/include/libxml2) 24 | #LINK_DIRECTORIES(/usr/lib/x86_64-linux-gnu) 25 | #rosbuild_add_executable(kinectueye src/kinect_ueye.cpp) 26 | TARGET_LINK_LIBRARIES(BinderIface xml2 clangToolingCore) 27 | -------------------------------------------------------------------------------- /interface-model-extractor/pre-process/gen_all_related_cc1_cmd.py: -------------------------------------------------------------------------------- 1 | import os 2 | import json 3 | import ast 4 | cfg = json.load(open("../../fans.cfg")) 5 | 6 | fans_dir = cfg["fans_dir"] 7 | aosp_dir = cfg["aosp_dir"] 8 | aosp_compilation_cmd_file = cfg["aosp_compilation_cmd_file"] 9 | aosp_compilation_cc1_cmd_file = os.path.join(fans_dir, cfg["aosp_compilation_cc1_cmd_file"]) 10 | aosp_clang_location = cfg["aosp_clang_location"] 11 | service_related_filepath_storage_location = os.path.join(fans_dir,cfg[ 12 | "service_related_filepath_storage_location"]) 13 | 14 | cc1_cmd = dict() 15 | if os.path.exists(aosp_compilation_cc1_cmd_file): 16 | cc1_cmd = ast.literal_eval(open(aosp_compilation_cc1_cmd_file).read()) 17 | 18 | def gen_cc1_cmd(cmd, filepath): 19 | compile_cmd = cmd.split('] ')[1].strip() 20 | if "/bin/bash -c" in cmd: 21 | cmd = compile_cmd[:-1] + " -v 2>&1 | grep %s" % aosp_clang_location + '"' 22 | else: 23 | cmd = compile_cmd + " -v 2>&1 | grep %s" % aosp_clang_location 24 | 25 | os.chdir(aosp_dir) 26 | result = os.popen(cmd).read().strip() 27 | # print(filepath, result) 28 | cc1_cmd[filepath] = result 29 | 30 | 31 | def main(): 32 | service_related_files = open( 33 | service_related_filepath_storage_location).read().strip().split("\n") 34 | 35 | with open(aosp_compilation_cmd_file, 'r') as f: 36 | for line in f: 37 | if "prebuilts/clang" not in line: 38 | continue 39 | if "mkdir -p" in line or "rm -f" in line: 40 | continue 41 | if "out/soong/host/linux-x86/bin/aidl-cpp" in line: 42 | continue 43 | if "tests/" in line or "test_" in line: 44 | continue 45 | filepath = line.split(" ")[-1].strip().strip('"').strip("'") 46 | if filepath.startswith("external/"): 47 | continue 48 | if '/jni/' in filepath: 49 | continue 50 | if filepath not in service_related_files: 51 | continue 52 | if filepath in cc1_cmd: 53 | continue 54 | if filepath.endswith(".cpp") or filepath.endswith(".cc"): 55 | print("Generate cc1 cmd for %s" % filepath) 56 | gen_cc1_cmd(line, filepath) 57 | json.dump(cc1_cmd, open(aosp_compilation_cc1_cmd_file, "w"), indent=4, sort_keys=True) 58 | 59 | 60 | if __name__ == "__main__": 61 | main() 62 | -------------------------------------------------------------------------------- /interface-model-extractor/readme.md: -------------------------------------------------------------------------------- 1 | # Interface Model Extractor 2 | This component is used to extract the interface model, including the following processes: pre-process, post-process. 3 | 4 | Before extracting interface model, you need to create `workdir/interface-model-extractor` directory. 5 | 6 | ```bash 7 | mkdir ../workdir/interface-model-extractor 8 | ``` 9 | 10 | For detailed usage, see the corresponding subfolders. -------------------------------------------------------------------------------- /seed/files/apk/com.compass.digital-1.0.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iromise/fans/2c48521a5e20bbcd4339eb841971cd1507c5ca34/seed/files/apk/com.compass.digital-1.0.apk -------------------------------------------------------------------------------- /seed/files/media/centaur_2.mpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iromise/fans/2c48521a5e20bbcd4339eb841971cd1507c5ca34/seed/files/media/centaur_2.mpg -------------------------------------------------------------------------------- /seed/files/misc/test1.txt: -------------------------------------------------------------------------------- 1 | 111111111111111111111111111111111111111111111111111111111111111111111111 -------------------------------------------------------------------------------- /seed/files/misc/test2.txt: -------------------------------------------------------------------------------- 1 | 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 -------------------------------------------------------------------------------- /seed/media_url_list.txt: -------------------------------------------------------------------------------- 1 | http://demo.unified-streaming.com/video/tears-of-steel/tears-of-steel.ism/.m3u8 -------------------------------------------------------------------------------- /seed/package_list.txt: -------------------------------------------------------------------------------- 1 | com.android.cts.priv.ctsshim 2 | com.android.internal.display.cutout.emulation.corner 3 | com.android.internal.display.cutout.emulation.double 4 | com.android.providers.telephony 5 | com.android.providers.calendar 6 | com.android.providers.media 7 | com.android.wallpapercropper 8 | com.android.documentsui 9 | android.auto_generated_rro__ 10 | com.android.externalstorage 11 | com.android.htmlviewer 12 | com.android.companiondevicemanager 13 | com.android.quicksearchbox 14 | com.android.mms.service 15 | com.android.providers.downloads 16 | com.android.messaging 17 | com.google.android.theme.pixel 18 | com.google.pixel.wahoo.gfxdrv 19 | com.android.defcontainer 20 | com.android.providers.downloads.ui 21 | com.android.pacprocessor 22 | com.android.simappdialog 23 | com.android.internal.display.cutout.emulation.tall 24 | com.android.certinstaller 25 | com.android.carrierconfig 26 | android 27 | com.android.contacts 28 | com.android.camera2 29 | com.android.egg 30 | com.android.mtp 31 | com.android.nfc 32 | com.android.launcher3 33 | com.android.backupconfirm 34 | com.android.provision 35 | com.android.statementservice 36 | com.android.settings.intelligence 37 | com.android.calendar 38 | com.android.systemui.theme.dark 39 | com.android.providers.settings 40 | com.android.sharedstoragebackup 41 | com.android.printspooler 42 | com.android.dreams.basic 43 | com.android.webview 44 | com.android.se 45 | com.android.inputdevices 46 | com.android.bips 47 | com.android.musicfx 48 | com.android.cellbroadcastreceiver 49 | android.ext.shared 50 | com.android.onetimeinitializer 51 | com.android.server.telecom 52 | com.android.keychain 53 | com.android.printservice.recommendation 54 | com.android.dialer 55 | com.android.gallery3d 56 | android.ext.services 57 | com.android.calllogbackup 58 | com.android.packageinstaller 59 | com.android.carrierdefaultapp 60 | com.android.proxyhandler 61 | com.android.inputmethod.latin 62 | org.chromium.webview_shell 63 | com.android.managedprovisioning 64 | com.android.dreams.phototable 65 | com.android.smspush 66 | com.android.wallpaper.livepicker 67 | com.android.apps.tag 68 | com.android.storagemanager 69 | com.android.bookmarkprovider 70 | com.android.settings 71 | com.android.calculator2 72 | com.android.cts.ctsshim 73 | com.android.vpndialogs 74 | com.android.email 75 | com.android.music 76 | com.android.phone 77 | com.android.shell 78 | com.android.wallpaperbackup 79 | com.android.providers.blockednumber 80 | com.android.providers.userdictionary 81 | com.android.emergency 82 | com.android.location.fused 83 | com.android.deskclock 84 | com.android.systemui 85 | com.android.bluetoothmidiservice 86 | com.android.traceur 87 | com.android.bluetooth 88 | com.qualcomm.timeservice 89 | com.android.wallpaperpicker 90 | com.android.providers.contacts 91 | com.android.captiveportallogin -------------------------------------------------------------------------------- /service-related-file-collector/readme.md: -------------------------------------------------------------------------------- 1 | # Service Related File Collector 2 | 3 | This component is used to collect C++ files related to Android native system services. Specifically, those files are related to 4 | 5 | - top-level and multi-level interfaces. 6 | - standard parcelable and (light)flattenable structures. 7 | - misc functions that have a parcel parameter, e.g., setSchedPolicy(data). 8 | - special parcelable structures that do not use `readFromParcel` or `writeToParcel` method. 9 | 10 | For files related to top-level interfaces, multi-level interfaces, standard parcelable, and (light)flattenable structures, we can collect them directly using the following command. 11 | 12 | ```bash 13 | python collector.py 14 | ``` 15 | 16 | > Currently, we exclude the file generated by the AIDL tool for 32-bit programs as we are testing 64-bit mobile phones. And it won't affect the completeness of the collected interfaces and related files as the corresponding 64-bit files are also generated as far as we see. 17 | 18 | However, we do not know the information about misc functions and special parcelable structures in the beginning. Besides, we should collect them recursively as a misc function may call another misc function. So we can collect the files related to them as follows 19 | 1. Run `python collector.py` to collect related files. 20 | 2. Use interface model extractor to extract interface model. During this process, the interface model extractor will record the misc functions and special parcelable structures. These information will be stored in `misc_parcel_related_function_storage_location` and `special_parcelable_function_storage_location` as described in the `fans.cfg`. 21 | 3. If there are no new functions found, stop. Otherwise, go to step1. 22 | 23 | > Currently, this repo already contains information about misc functions and special parcelable structures in Android 9.0.0_r46. 24 | 25 | From another perspective, it is worth noting that even AOSP is led by Google, there still are some codes that are not standard. If these codes are standard, we could run `python collector.py` to collect all files related to Android native system services once. -------------------------------------------------------------------------------- /workdir/service-related-file/special_parcelable_function.txt: -------------------------------------------------------------------------------- 1 | keystore::writeParamSetToParcel+android::status_t (const hidl_vec &, android::Parcel *)+struct android::hardware::hidl_vec+writeToParcel 2 | keystore::readParamSetFromParcel+hidl_vec (const android::Parcel &)+struct android::hardware::hidl_vec+readFromParcel 3 | writeDecryptHandleToParcelData+void (const class android::DecryptHandle *, class android::Parcel *)+class android::DecryptHandle+writeToParcel 4 | android::layer_state_t::read+android::status_t (const class android::Parcel &)+struct android::layer_state_t+readFromParcel 5 | android::MetaDataBase::updateFromParcel+android::status_t (const class android::Parcel &)+class android::MetaDataBase+readFromParcel 6 | android::ComposerState::read+android::status_t (const class android::Parcel &)+struct android::ComposerState+readFromParcel 7 | android::DisplayState::read+android::status_t (const class android::Parcel &)+struct android::DisplayState+readFromParcel 8 | readDecryptHandleFromParcelData+void (class android::DecryptHandle *, const class android::Parcel &)+class android::DecryptHandle+readFromParcel 9 | android::MetaData::createFromParcel+sp (const class android::Parcel &)+class android::MetaData+readFromParcel 10 | keystore::readKeyParameterFromParcel+NullOr (const android::Parcel &)+struct android::hardware::keymaster::V4_0::KeyParameter+readFromParcel 11 | keystore::writeKeyParameterToParcel+android::status_t (const struct android::hardware::keymaster::V4_0::KeyParameter &, android::Parcel *)+struct android::hardware::keymaster::V4_0::KeyParameter+writeToParcel 12 | --------------------------------------------------------------------------------