1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
# Copyright 2022 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
include <uapi/asm/ioctl.h>
include <uapi/linux/fcntl.h>
include <net/nfc/nci.h>
resource fd_nci[fd]
resource nfc_dev_id[int32]
openat$nci(fd const[AT_FDCWD], file ptr[in, string["/dev/virtual_nci"]], flags const[O_RDWR], mode const[0]) fd_nci (automatic_helper)
ioctl$IOCTL_GET_NCIDEV_IDX(fd fd_nci, cmd const[IOCTL_GET_NCIDEV_IDX], arg ptr[out, nfc_dev_id]) (automatic_helper)
read$nci(fd fd_nci, data ptr[out, array[int8]], len bytesize[data])
write$nci(fd fd_nci, data ptr[in, nci_frame], len bytesize[data])
define IOCTL_GET_NCIDEV_IDX 0
define NCI_OP_CORE_RESET_RSP_OID nci_opcode_oid(NCI_OP_CORE_RESET_RSP)
define NCI_OP_CORE_INIT_RSP_OID nci_opcode_oid(NCI_OP_CORE_INIT_RSP)
define NCI_OP_CORE_SET_CONFIG_RSP_OID nci_opcode_oid(NCI_OP_CORE_SET_CONFIG_RSP)
define NCI_OP_CORE_CONN_CREATE_RSP_OID nci_opcode_oid(NCI_OP_CORE_CONN_CREATE_RSP)
define NCI_OP_CORE_CONN_CLOSE_RSP_OID nci_opcode_oid(NCI_OP_CORE_CONN_CLOSE_RSP)
define NCI_OP_RF_DISCOVER_MAP_RSP_OID nci_opcode_oid(NCI_OP_RF_DISCOVER_MAP_RSP)
define NCI_OP_RF_DISCOVER_RSP_OID nci_opcode_oid(NCI_OP_RF_DISCOVER_RSP)
define NCI_OP_RF_DISCOVER_SELECT_RSP_OID nci_opcode_oid(NCI_OP_RF_DISCOVER_SELECT_RSP)
define NCI_OP_RF_DEACTIVATE_RSP_OID nci_opcode_oid(NCI_OP_RF_DEACTIVATE_RSP)
define NCI_OP_NFCEE_DISCOVER_RSP_OID nci_opcode_oid(NCI_OP_NFCEE_DISCOVER_RSP)
define NCI_OP_NFCEE_MODE_SET_RSP_OID nci_opcode_oid(NCI_OP_NFCEE_MODE_SET_RSP)
define NCI_OP_CORE_RESET_NTF_OID nci_opcode_oid(NCI_OP_CORE_RESET_NTF)
define NCI_OP_CORE_CONN_CREDITS_NTF_OID nci_opcode_oid(NCI_OP_CORE_CONN_CREDITS_NTF)
define NCI_OP_CORE_GENERIC_ERROR_NTF_OID nci_opcode_oid(NCI_OP_CORE_GENERIC_ERROR_NTF)
define NCI_OP_CORE_INTF_ERROR_NTF_OID nci_opcode_oid(NCI_OP_CORE_INTF_ERROR_NTF)
define NCI_OP_RF_DISCOVER_NTF_OID nci_opcode_oid(NCI_OP_RF_DISCOVER_NTF)
define NCI_OP_RF_INTF_ACTIVATED_NTF_OID nci_opcode_oid(NCI_OP_RF_INTF_ACTIVATED_NTF)
define NCI_OP_RF_DEACTIVATE_NTF_OID nci_opcode_oid(NCI_OP_RF_DEACTIVATE_NTF)
define NCI_OP_NFCEE_DISCOVER_NTF_OID nci_opcode_oid(NCI_OP_NFCEE_DISCOVER_NTF)
define NCI_OP_RF_NFCEE_ACTION_NTF_OID nci_opcode_oid(NCI_OP_RF_NFCEE_ACTION_NTF)
# The exact error code does not matter much (only ok/not ok).
type nci_status int8[0:1]
nci_frame [
DATA nci_data_hdr
NCI_GID_PROPRIETARY_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_PROPRIETARY, 0, array[int8]]
NCI_OP_CORE_RESET_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_RESET_RSP_OID, nci_core_reset_rsp]
NCI_OP_CORE_INIT_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_INIT_RSP_OID, nci_core_init_rsp]
NCI_OP_CORE_INIT_RSP_V2 nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_INIT_RSP_OID, nci_core_init_rsp_nci_ver2]
NCI_OP_CORE_SET_CONFIG_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_SET_CONFIG_RSP_OID, nci_core_set_config_rsp]
NCI_OP_CORE_CONN_CREATE_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_CONN_CREATE_RSP_OID, nci_core_conn_create_rsp]
NCI_OP_CORE_CONN_CLOSE_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_CONN_CLOSE_RSP_OID, nci_status]
NCI_OP_RF_DISCOVER_MAP_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_MAP_RSP_OID, nci_status]
NCI_OP_RF_DISCOVER_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_RSP_OID, nci_status]
NCI_OP_RF_DISCOVER_SELECT_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_SELECT_RSP_OID, nci_status]
NCI_OP_RF_DEACTIVATE_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DEACTIVATE_RSP_OID, nci_status]
NCI_OP_NFCEE_DISCOVER_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_NFCEE_MGMT, NCI_OP_NFCEE_DISCOVER_RSP_OID, nci_nfcee_discover_rsp]
NCI_OP_NFCEE_MODE_SET_RSP nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_NFCEE_MGMT, NCI_OP_NFCEE_MODE_SET_RSP_OID, nci_status]
NCI_GID_PROPRIETARY_NFT nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_PROPRIETARY, 0, array[int8]]
NCI_OP_CORE_RESET_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_RESET_NTF_OID, nci_core_reset_ntf]
NCI_OP_CORE_CONN_CREDITS_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_CONN_CREDITS_NTF_OID, nci_core_conn_credit_ntf]
NCI_OP_CORE_GENERIC_ERROR_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_GENERIC_ERROR_NTF_OID, nci_status]
NCI_OP_CORE_INTF_ERROR_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_INTF_ERROR_NTF_OID, nci_core_intf_error_ntf]
NCI_OP_RF_DISCOVER_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_NTF_OID, nci_rf_discover_ntf_t]
NCI_OP_RF_INTF_ACTIVATED_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_INTF_ACTIVATED_NTF_OID, nci_rf_intf_activated_ntf_t]
NCI_OP_RF_DEACTIVATE_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DEACTIVATE_NTF_OID, nci_rf_deactivate_ntf]
NCI_OP_RF_NFCEE_ACTION_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_NFCEE_ACTION_NTF_OID, void]
NCI_OP_NFCEE_DISCOVER_NTF nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_NFCEE_MGMT, NCI_OP_NFCEE_DISCOVER_NTF_OID, nci_nfcee_discover_ntf]
] [varlen]
nci_data_hdr {
conn_id int8:4[0:4]
# NCI_PBF_LAST/NCI_PBF_CONT
pbf int8:1
# This does not seem to be used.
mt const[NCI_MT_DATA_PKT, int8:3]
# This does not seem to be used.
rfu const[0, int8]
# It does not seem to be actually used/verified by the code (only logged), so let's keep random.
plen int8
data array[int8]
} [packed]
type nci_ctrl_hdr[MT, GID, OID, PAYLOAD] {
gid const[GID, int8:4]
# NCI_PBF_LAST/NCI_PBF_CONT
pbf int8:1
mt const[MT, int8:3]
oid const[OID, int8]
# It does not seem to be actually used/verified by the code (only logged), so let's keep random.
plen int8
payload PAYLOAD
} [packed]
nci_core_reset_rsp {
status nci_status
nci_ver flags[nci_ver, int8]
config_status int8
} [packed]
nci_ver = 0, 1, NCI_VER_2_MASK
nci_core_init_rsp {
rsp1 nci_core_init_rsp_1
rsp2 nci_core_init_rsp_2
} [packed]
nci_core_init_rsp_1 {
status nci_status
nfcc_features int32
num_supported_rf_interfaces len[supported_rf_interfaces, int8]
supported_rf_interfaces array[int8]
} [packed]
nci_core_init_rsp_2 {
max_logical_connections int8
max_routing_table_size int16
max_ctrl_pkt_payload_len int8
max_size_for_large_params int16
manufact_id int8
manufact_specific_info int32
} [packed]
nci_core_init_rsp_nci_ver2 {
status nci_status
nfcc_features int32
max_logical_connections int8
max_routing_table_size int16
max_ctrl_pkt_payload_len int8
max_data_pkt_hci_payload_len int8
number_of_hci_credit int8
max_nfc_v_frame_size int16
num_supported_rf_interfaces len[supported_rf_interfaces, int8]
supported_rf_interfaces array[int8]
} [packed]
nci_core_set_config_rsp {
status nci_status
num_params len[params_id, int8]
params_id array[int8]
} [packed]
nci_core_conn_create_rsp {
status nci_status
max_ctrl_pkt_payload_len int8
credits_cnt int8
conn_id int8[0:4]
} [packed]
nci_nfcee_discover_rsp {
status nci_status
num_nfcee int8
} [packed]
nci_core_reset_ntf {
reset_trigger int8
config_status int8
nci_ver flags[nci_ver, int8]
manufact_id int8
manufacturer_specific_len int8
manufact_specific_info int32
} [packed]
nci_core_conn_credit_ntf {
num_entries len[conn_entries, int8]
conn_entries array[conn_credit_entry]
} [packed]
conn_credit_entry {
conn_id int8[0:4]
credits int8
} [packed]
nci_core_intf_error_ntf {
status nci_status
conn_id int8[0:4]
} [packed]
nci_rf_discover_ntf_t [
a nci_rf_discover_ntf[NCI_NFC_A_PASSIVE_POLL_MODE, rf_tech_specific_params_nfca_poll]
b nci_rf_discover_ntf[NCI_NFC_B_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcb_poll]
f nci_rf_discover_ntf[NCI_NFC_F_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcf_poll]
v nci_rf_discover_ntf[NCI_NFC_V_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcv_poll]
] [varlen]
type nci_rf_discover_ntf[MODE, POLL] {
rf_discovery_id int8
rf_protocol flags[nci_rf_protocol, int8]
rf_tech_and_mode const[MODE, int8]
rf_tech_specific_params_len int8
poll POLL
ntf_type flags[nci_discover_ntf_type, int8]
} [packed]
nci_rf_protocol = NCI_RF_PROTOCOL_UNKNOWN, NCI_RF_PROTOCOL_T1T, NCI_RF_PROTOCOL_T2T, NCI_RF_PROTOCOL_T3T, NCI_RF_PROTOCOL_ISO_DEP, NCI_RF_PROTOCOL_NFC_DEP, NCI_RF_PROTOCOL_T5T
rf_tech_specific_params_nfca_poll {
sens_res int8
nfcid1_len len[nfcid1, int8]
nfcid1 array[int8]
sel_res_len int8
sel_res int8
} [packed]
rf_tech_specific_params_nfcb_poll {
sensb_res_len len[sensb_res, int8]
sensb_res array[int8]
} [packed]
rf_tech_specific_params_nfcf_listen {
local_nfcid2_len len[local_nfcid2, int8]
local_nfcid2 array[int8]
} [packed]
rf_tech_specific_params_nfcf_poll {
bit_rate int8
sensf_res_len len[sensf_res, int8]
sensf_res array[int8]
} [packed]
rf_tech_specific_params_nfcv_poll {
res_flags int8
dsfid int8
uid array[int8, NFC_ISO15693_UID_MAXSIZE]
} [packed]
nci_rf_intf_activated_ntf_t [
a nci_rf_intf_activated_ntf[NCI_NFC_A_PASSIVE_POLL_MODE, rf_tech_specific_params_nfca_poll]
b nci_rf_intf_activated_ntf[NCI_NFC_B_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcb_poll]
f nci_rf_intf_activated_ntf[NCI_NFC_F_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcf_poll]
v nci_rf_intf_activated_ntf[NCI_NFC_V_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcv_poll]
a_listen nci_rf_intf_activated_ntf[NCI_NFC_A_PASSIVE_LISTEN_MODE, void]
f_listen nci_rf_intf_activated_ntf[NCI_NFC_F_PASSIVE_LISTEN_MODE, rf_tech_specific_params_nfcf_listen]
] [varlen]
type nci_rf_intf_activated_ntf[MODE, POLL] {
rf_discovery_id int8
rf_interface flags[nci_rf_interface, int8]
rf_protocol flags[nci_rf_protocol, int8]
activation_rf_tech_and_mode const[MODE, int8]
max_data_pkt_payload_size int8
initial_num_credits int8
rf_tech_specific_params_len int8
poll POLL
data_exch_rf_tech_and_mode int8
data_exch_tx_bit_rate int8
data_exch_rx_bit_rate int8
activation_params_len int8
# This is how all of activation_params_nfca_poll_iso_dep, activation_params_nfcb_poll_iso_dep,
# activation_params_poll_nfc_dep and activation_params_listen_nfc_dep look like.
res_len len[res, int8]
res array[int8]
} [packed]
nci_rf_interface = NCI_RF_INTERFACE_NFCEE_DIRECT, NCI_RF_INTERFACE_FRAME, NCI_RF_INTERFACE_ISO_DEP, NCI_RF_INTERFACE_NFC_DEP
nci_rf_deactivate_ntf {
type int8
reason int8
} [packed]
nci_nfcee_discover_ntf {
nfcee_id int8
nfcee_status int8
unused array[int8]
} [packed]
nci_discover_ntf_type = NCI_DISCOVER_NTF_TYPE_LAST, NCI_DISCOVER_NTF_TYPE_LAST_NFCC, NCI_DISCOVER_NTF_TYPE_MORE
|
