{"id":30304531,"url":"https://github.com/syssec-kaist/llfuzz","last_synced_at":"2025-08-17T07:09:43.412Z","repository":{"id":309626688,"uuid":"995390932","full_name":"SysSec-KAIST/LLFuzz","owner":"SysSec-KAIST","description":"LLFuzz: An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers","archived":false,"fork":false,"pushed_at":"2025-08-12T22:33:29.000Z","size":20291,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-13T00:26:11.549Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SysSec-KAIST.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-03T12:10:52.000Z","updated_at":"2025-08-12T22:33:32.000Z","dependencies_parsed_at":"2025-08-13T00:36:16.900Z","dependency_job_id":null,"html_url":"https://github.com/SysSec-KAIST/LLFuzz","commit_stats":null,"previous_names":["syssec-kaist/llfuzz"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/SysSec-KAIST/LLFuzz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FLLFuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FLLFuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FLLFuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FLLFuzz/manifests","owner_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/owners/SysSec-KAIST","download_url":"https://codeload.github.com/SysSec-KAIST/LLFuzz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FLLFuzz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270817536,"owners_count":24651013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-17T02:00:09.016Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-17T07:09:42.207Z","updated_at":"2025-08-17T07:09:43.392Z","avatar_url":"https://github.com/SysSec-KAIST.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"## LLFuzz - An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers\n\n**LLFuzz** is an over-the-air dynamic testing framework designed to uncover memory corruptions in the Lower Layers of cellular basebands, including PDCP, RLC, MAC, and PHY. Unlike most of prior efforts that focus on Layer 3 protocols, LLFuzz systematically targets Layers 1 and 2 using a channel-driven, configuration-aware fuzzing approach. It leverages 3GPP specifications to generate test cases capable of reaching the Lower Layers without being prematurely rejected.  
In the evaluation of 15 commercial basebands from 5 major vendors, LLFuzz uncovered 11 previously unknown memory corruptions: 3 in PDCP, 2 in RLC, 5 in MAC, and 1 in the RRC Layer.\n\nFor more details, please refer to our [paper](https://www.usenix.org/conference/usenixsecurity25/presentation/hoang).\n\n### Erratum (Paper Correction)\nIn Table 1 of our USENIX Security ’25 [paper](https://www.usenix.org/conference/usenixsecurity25/presentation/hoang), we mistakenly listed FirmWire as supporting only LTE. It actually supports GSM and LTE.\n\n## Table of Contents\n- 1. [Hardware Requirements](#hardware-requirements)\n- 2. [Software Requirements](#software-requirements)\n- 3. [Installation](#installation)\n- 4. [Run LLFuzz](#run-llfuzz)\n- 5. [LLFuzz's Output](#llfuzzs-output)\n- 6. [Key source files and their purposes](#llfuzzs-source-code)\n- 7. [List of discovered bugs](#list-of-discovered-bugs)\n- 8. [Example Configuration File and Explanation](#example-configuration-file-and-explanation)\n\n### Hardware Requirements\n- **Software-Defined Radio (SDR):** USRP X310 or B210\n- **Target UE:** Android smartphones that support the ADB interface. We recommend using recent smartphones with Qualcomm, MediaTek, Samsung Exynos, or Huawei Kirin chipsets. For example, we tested 15 UEs, including the Samsung Galaxy Note 20 Ultra, Galaxy S20, Galaxy S24 Ultra, Galaxy S22 Plus, Galaxy A31, Galaxy A32, Galaxy S21, Galaxy S24, Galaxy S10e, OnePlus 9 Pro, Xiaomi K40 Gaming, Xiaomi Redmi Note 9T, Google Pixel 6a, Pixel 8 Pro, and Huawei P30 Pro.\n- **Host PC:** A high-performance CPU with at least 16 cores, 16 GB of RAM, and 250 GB SSD. \n- **SIM Card:** A programmable SIM card (e.g., [SysmoISIM-SJA2][sim-card]) that enables the LTE radio connection between the UE and LLFuzz's eNB.\n- **USB-C cable:** A USB-C cable used to connect the UE (smartphone) to the host PC for ADB communication. 
\n- **Shield box:** A Faraday cage or shield box used to isolate the LLFuzz eNB signal from other cellular devices. Refer to the image at LLFuzz/image/experiment_setup.png for an example of the experimental setup.\n- **GPSDO:** A GPS Disciplined Oscillator (GPSDO) [module][gpsdo-module] is recommended to improve synchronization of the USRP devices. While not mandatory, it can help address synchronization issues that may cause UEs to fail to connect to the LLFuzz eNB. If used, an additional GPS antenna is required to connect to the GPSDO module.\n\n### Software Requirements\n- **Operating System:** Ubuntu 18.04 (other Ubuntu versions might cause errors during compilation.)\n\n### Installation\n#### 1. Install UHD Library\n**UHD dependencies:**\n```bash\nsudo apt update\nsudo apt-get install autoconf automake build-essential ccache cmake cpufrequtils doxygen ethtool \\\ng++ git inetutils-tools libboost-all-dev libncurses5 libncurses5-dev libusb-1.0-0 libusb-1.0-0-dev \\\nlibusb-dev python3-dev python3-mako python3-numpy python3-requests python3-scipy python3-setuptools \\\npython3-ruamel.yaml\n```\n**Clone and build UHD from source** (Make sure the current branch is version 4.0 or higher)\n```bash\ngit clone https://github.com/EttusResearch/uhd.git\ncd uhd/host\nmkdir build\ncd build\ncmake ../\nmake -j8\nmake test\nsudo make install\nsudo ldconfig\n```\n**Download USRP firmware and FPGA images**\n```bash\nsudo uhd_images_downloader\n```\n**Test USRP connection**\n```bash\nsudo uhd_find_devices\nsudo uhd_usrp_probe\n# Only for USRP X310\nsudo sysctl -w net.core.rmem_max=33554432\nsudo sysctl -w net.core.wmem_max=33554432\nsudo ifconfig \u003c10Gb card interface\u003e mtu 9000\n```\n\n#### 2. Build LLFuzz from Source\nLLFuzz is built on top of srsRAN eNB, an open-source LTE base station software. Therefore, it requires all of srsRAN’s dependencies. 
The build process is similar to srsRAN; if you are already familiar with it, you can proceed quickly through the installation.  \n\n**Install dependencies:**\n```bash\nsudo apt-get install build-essential cmake libfftw3-dev libmbedtls-dev libboost-program-options-dev libconfig++-dev libsctp-dev\n```\n```bash\nsudo apt-get install libglib2.0-dev libudev-dev libcurl4-gnutls-dev libboost-all-dev qtdeclarative5-dev libqt5charts5-dev\n```\n\n**Install ADB and Fastboot**\n```bash\nsudo apt update\nsudo apt install android-tools-adb android-tools-fastboot\nadb version\n```\n\n**Download the LLFuzz source code, then:**  \n```bash\ncd LLFuzz\nmkdir build\ncd build\ncmake ..\nmake -j8\n```\nOnce the build is successful, the **binary files** will be generated in the `build/srseNB/src/` and `build/srsePC/src/` directories.\n\n#### 3. Program the SIM card\nA programmable SIM card is required to run LLFuzz. This SIM card is used to establish the LTE connection between the UE (smartphone) and srseNB. Please refer to the [srsRAN documentation][srsran-sim] for instructions on how to program the SIM card.\nTo match the LLFuzz configuration, we recommend using **MCC/MNC 901/55**.\n\nOnce the SIM card is programmed, you will obtain the following information:\n```bash\n\u003e Name     : Magic\n \u003e SMSP     : e1ffffffffffffffffffffffff0581005155f5ffffffffffffxxxxxx\n \u003e ICCID    : 8988211000000xxxxxx\n \u003e MCC/MNC  : 901/55\n \u003e IMSI     : 901550000xxxxxx\n \u003e Ki       : 1A6D20EE06BECCA86AA276DE1Cxxxxxx\n \u003e OPC      : 51E7D953F4F33D0E4EA5671F0Axxxxxx\n \u003e ACC      : xxxx\n \u003e ADM1(hex): 3539383432xxxxxx\n \u003e OPMODE   : None\n\n```\nCopy this information into /LLFuzz/config/user_db.csv. 
The final field in the line is the static IP address of the UE.\n```bash \nue6,mil,001010000xxxxxx,1A6D20EE06BECCA86AA276DE1Cxxxxxx,opc,51E7D953F4F33D0E4EA5671F0Axxxxxx,9001,0000004bf55d,7,172.16.0.3 \n```\n\nAlso, copy the IMSI into /LLFuzz/config/llfuzz.conf\n```bash\n# --------------------------------------------\n# Configurations for LLFuzz-------------------\n#---------------------------------------------\nimsi                    = 901550000xxxxxx\n```\nOnce completed, the SIM card is ready to be inserted into the UE.\n\n#### 4. Enable ADB interface (USB debugging) on the Smartphone\nLLFuzz requires the ADB interface to collect radio logcat messages, which serve as its oracle for detecting bugs.\nTo enable ADB, you need to:\n- Enable Developer Options on the smartphone:\n  - Go to Settings \u003e About phone \u003e Tap \"Build number\" 7 times until you see \"You are now a developer!\"\n- Enable USB debugging:\n    - Go to Settings \u003e System \u003e Developer options \u003e Enable \"USB debugging\".\n- Connect the UE to the host PC via USB-C cable. A USB 3.0 port on the host PC is recommended for better performance.\n\nRefer to the image in `LLFuzz/image/adb.png` for a visual guide.\n\nVerify the connection:\n```bash\nadb devices\n```\n\n\n### Run LLFuzz\nBasically, LLFuzz is an LTE base station capable of fuzzing target UEs over the air. Since it is built on top of srsRAN eNB, the running process is very similar to srsRAN eNB.\n\n#### 1. Test initial UE-eNB connection\nFirst, test whether the UE can connect to the LLFuzz eNB. To do this, run srsePC and LLFuzz eNB in two separate terminals.  \n**Note:** Both of them must be run from the `LLFuzz/build/` directory. 
Otherwise, the configuration files will not be found.\n\n```bash\n# In the first terminal, run srsePC\ncd LLFuzz/build/\nsudo ./srsepc/src/srsepc ../config/epc.conf\n\n# In the second terminal, run LLFuzz eNB\nsudo ./srsenb/src/srsenb ../config/llfuzz.conf\n```\nThen, toggle Airplane mode on the UE or reboot it to enable the UE-eNB radio connection.\nIt is recommended to use a shield box (e.g., a Faraday cage) to prevent the LLFuzz eNB's signal from interfering with other cellular devices.\nPlease refer to our experimental setup image at `LLFuzz/image/experiment_setup.png`.  \nIf the UE connects successfully with ADB enabled, you will see the following message in the LLFuzz eNB terminal:\n\n```bash\nList of devices attached\n24061JEGR0XXXX  device\n\n[ADB] Device Connected\n\nOpening 1 channels in RF device=default with args=default\nRF device 'UHD' successfully opened\n\n==== eNodeB started ===\nType \u003ct\u003e to view trace\nSetting frequency: DL=xxx.0 Mhz, UL=xxx.0 MHz for cc_idx=0 nof_prb=100\n[MAC] SF: 547:1 RACH:  cc=0, pci=429, preamble=45, offset=1, temp_crnti=0x46\n[RRC] User 0x46 (70) connected\n```\n**Tips for enabling UE connection**  \nIf the UE fails to connect to the LLFuzz eNB for unknown reasons, try the following:\n- Set the APN to `srsapn` on the UE\n- Force UE to use LTE network only: \n  - Open the dialer app and enter `*#*#4636#*#*` to open the testing menu.\n  - Select \"Phone Information\" and set \"Preferred network type\" to \"LTE only\".\n- Manually select the network operator:\n  - Go to Settings \u003e Network \u0026 internet \u003e Mobile network \u003e Disable \"Automatically select network\".\n- If you are using a Samsung smartphone, the best way is forcing the UE to use a specific band:\n  - Open the dialer app and enter `319712358#` to open the service mode. 
Enter password `996412` or `774632`.\n  - Select \"Network Setting\" \u003e \"Network Mode\" \u003e Select the three dots on the top left corner \u003e \"Band Selection\" \u003e Choose the same band as the LLFuzz eNB and select \"Selection\".\n\n#### 2. Run LLFuzz to test different LTE Layers/states/basebands.\nLLFuzz supports fuzzing various LTE protocol layers, including PDCP, RLC, MAC, and PHY. For these layers, LLFuzz repeatedly triggers the LTE Attach procedure and sends malformed test cases to the UE in the targeted state. We define four states for the lower layers based on the establishment of logical channels during the LTE Attach procedure, as shown in the figure below.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"image/LLFuzz_state_definition.png\" alt=\"LLFuzz LTE Attach Procedure and States\" width=\"400\"\u003e\n  \u003c!-- \u003cimg src=\"image/Evaluation_setup2.png\" alt=\"LLFuzz Evaluation Setup\" width=\"500\"\u003e --\u003e\n\u003c/p\u003e\n\nTo simplify the fuzzing process, LLFuzz uses a configuration file located at `config/llfuzz.conf` to specify all important parameters.\nA full example and detailed explanation of the configuration file are provided at the end of this README.\nFor a quick start, this section covers only the basic configurations needed to begin fuzzing.\n\nIn general, before running LLFuzz eNB, you might need to update the following parameters in the configuration file:  \n- **targetLayer:** The target Layer to fuzz. Options: `PDCP`, `RLC`, `MAC`, or `PHY`.\n- **fuzzingState:** The target state to fuzz. Options: `state1`, `state2`, `state3`, or `state4`. 
Due to LTE Lower-Layer design, the MAC and PHY Layers can be fuzzed in all states, while PDCP and RLC Layers can only be fuzzed in state 3 and state 4.\n\nFor example, to fuzz the MAC Layer in state 4, set the following parameters in the configuration file:\n```bash\ntargetLayer             = MAC\nfuzzingState            = state4\n# Other parameters remain unchanged\n# Don't forget to update the IMSI of the SIM card\nimsi                    = 90155000005xxxx\n```\n\nThen, run srsePC and LLFuzz eNB similarly to the initial connection test:\n```bash\n# In the first terminal, run srsePC\ncd LLFuzz/build/\nsudo ./srsepc/src/srsepc ../config/epc.conf\n\n# In the second terminal, run LLFuzz eNB\ncd LLFuzz/build/\nsudo ./srsenb/src/srsenb ../config/llfuzz.conf\n```\n\nOnce the LLFuzz eNB is started, you might **need to type** `n` `enter` to start the fuzzing process. Upon starting, you should see output similar to the following in the LLFuzz eNB terminal:\n```bash\n==== eNodeB started ===\nType \u003ct\u003e to view trace\nSetting frequency: DL=xxx Mhz, UL=xxx MHz for cc_idx=0 nof_prb=100\n[MAC] SF: 323:1 RACH:  cc=0, pci=429, preamble=37, offset=1, temp_crnti=0x46\n[RRC] User 0x46 (70) connected\n\nn\nStarted LLFuzz, enter n to stop sending test cases.\n[MAC] Switch Fuzzer to Mode 23, start_index = 0\n[MAC] Switch Fuzzer to Mode 23\n[MAC] SF: 580.3 State 234: state234Prepare --\u003e state234PrepareWaitingUE\n[ADB] SF: 570.2 Received signal: [RLC -\u003e ADB] switchAirplane\n[ADB] SF: 570.2 -- State: Turned on Airplane mode, enabled timer 0\n[RRC] Disconnecting RNTI 0x46 (70)\n\n[ADB] SF: 570.2 Sent adbAirPlaneOn signal to rlc\n[MAC] Received signal from ADB: [ADB -\u003e MAC] adbAirPlaneOn\n[ADB] SF: 570.2 State: Turned off AirPlane mode 1\n[MAC] SF: 819:1 RACH:  cc=0, pci=429, preamble=26, offset=1, temp_crnti=0x47\n[MAC] SF: 819:6 Added RNTI: 71 to state 2\n[MAC] SF: 820:8 Updated RNTI: 71 to state 3\n[MAC] SF: 829.4 State 234: state234PrepareWaitingUE --\u003e 
state234PrepareWaitingADB\n[MAC] SF: 829:4 Updated RNTI: 71 to state 4\n[RRC] User 0x47 (71) connected\n\n[ADB] SF: 829.4 Received signal: [RLC -\u003e ADB] state1PrepareADB\n[ADB] SF: 829.4 State: state1PrepareADB --\u003e monitorLogcat\n[MAC] Received signal from ADB: [ADB -\u003e MAC] adbConfigSuccess\n[MAC] SF: 833.4 State 234: state234PrepareWaitingUE --\u003e state234WaitingUEIdle, enabled rrcRelease timer\n[MAC] State 234: state234WaitingUEIdle --\u003e state234Paging in rem_ue function\n[RRC] Disconnecting RNTI 0x47 (71)\n\n[MAC] SF: 843.5 Sent paging to TMSI = 0xdc87e74, State 23: state234Paging --\u003e state234Send\n[MAC] SF: 868:1 RACH:  cc=0, pci=429, preamble=30, offset=1, temp_crnti=0x48\n[MAC] SF: 868:6 Added RNTI: 72 to state 2\n[MAC] SF: 869:8 Updated RNTI: 72 to state 3\n[MAC] SF: 877:3 Updated RNTI: 72 to state 4\n[RRC] User 0x48 (72) connected\n\n[MAC] SF: 883.3 Rnti = 72, Allocated DCI 1 type 1 1 / 2\n[MAC] SF: 883.3 -- Sending State: 4, RNTIState =  4 -- Idx = 0/92882 -- nofCrash: 0\n------------------------------------------------------------------\n[PDU] NofSubHea: 0|1 -- totalByte: 0|1 -- iseLCID: 0 -- MutatingMacCE: 0 -- eIdx: 0|0\n\n[MAC] SF: 883.4 Rnti = 72, Allocated DCI 1 type 1 1 / 2\n[MAC] SF: 883.4 -- Sending State: 4, RNTIState =  4 -- Idx = 1/92882 -- nofCrash: 0\n------------------------------------------------------------------\n[PDU] NofSubHea: 0|1 -- totalByte: 0|1 -- iseLCID: 0 -- MutatingMacCE: 0 -- eIdx: 0|0\n\n[MAC] SF: 883.5 Rnti = 72, Allocated DCI 1 type 1 3 / 3\n[MAC] SF: 883.5 -- Sending State: 4, RNTIState =  4 -- Idx = 2/92882 -- nofCrash: 0\n------------------------------------------------------------------\n[PDU] NofSubHea: 0|1 -- totalByte: 0|3 -- iseLCID: 0 -- MutatingMacCE: 0 -- eIdx: 0|0\n\n```\n\n**For PHY Layer fuzzing**, as the configurations are more complex, we provide predefined configuration files in `config/phy_fuzz/` directory.\nThese files are named based on the targeted states, DCI formats, and 
uplink/downlink directions. For example, to test Downlink DCI format 1 in state 4, use the configuration file `config/phy_fuzz/llfuzz_state4_dci1_dl.conf`.  \n**Note:** For PHY Layer fuzzing, a GPSDO may be required when testing DCI formats 1, 2, or 2A, as these involve MIMO communication between the eNB and UE, which requires precise synchronization. To enable the GPSDO clock source, uncomment the `device_args = clock=gpsdo` line in the `/LLFuzz/config/enb.conf` file before running LLFuzz eNB.\n\n```bash\n# In the first terminal, run srsePC\ncd LLFuzz/build/\nsudo ./srsepc/src/srsepc ../config/epc.conf\n\n# In the second terminal, run LLFuzz eNB with PHY fuzzing configuration\ncd LLFuzz/build/\nsudo ./srsenb/src/srsenb ../config/phy_fuzz/llfuzz_state4_dci1_dl.conf\n```\n\n### LLFuzz's Output\nLLFuzz generates three output files in the `LLFuzz/pcap/` directory:\n- **enb_mac.pcap:** A PCAP file capturing all packets intercepted at the MAC layer, including the sent test cases.\n- **crashLog.txt:** A log file containing detailed information about recent test cases that potentially caused the UE to crash.\n- **speedLog.txt:** A log file recording the number of test cases sent every 5 seconds, useful for monitoring fuzzing speed.\n\n### LLFuzz's source code\nThe main source code of LLFuzz is organized in two directories:\n- `LLFuzz/srsenb/hdr/stack/mac/`: contains header files (.h)\n- `LLFuzz/srsenb/src/stack/mac/`: contains implementation files (.cc)\n\nKey source files and their purposes:  \n - `fuzzer_based.h` and `fuzzer_based.cc`: Skeleton class for the fuzzer implementation.\n - `llfuzz.h` and `llfuzz.cc`: The implementation of ADB Controller, Crash oracle, UE Controller, Fuzzer's state machine, configuration file parser, Layer-specific fuzzer manager, UE's state manager.\n - `mac_fuzzer.h` and `mac_fuzzer.cc`: The implementation of MAC Layer fuzzer, including the test case generation, assembling, and sending.\n - `rlc_fuzzer.h` and `rlc_fuzzer.cc`: The 
implementation of RLC Layer fuzzer, including the test case generation, assembling, and sending.\n - `pdcp_fuzzer.h` and `pdcp_fuzzer.cc`: The implementation of PDCP Layer fuzzer, including the test case generation, assembling, and sending.\n - `phy_fuzzer.h` and `phy_fuzzer.cc`: The implementation of PHY Layer fuzzer, including the test case generation, assembling, and sending.\n - `utility.h` and `utility.cc`: Utility functions used in LLFuzz.\n - `mac.h` and `mac.cc`: Modified srseNB MAC Layer implementation to support LLFuzz.\n\n### List of discovered bugs\n\n| No. | Tested Smartphones | Baseband            | Layer | Description                                                                                          | State         | Configuration            | Disclosure                       |\n|-----|--------------------|-------------------|-------|------------------------------------------------------------------------------------------------------|---------------|--------------------------|----------------------------------|\n| B1  |Galaxy Note 20 Ultra \u003cbr\u003e Galaxy S20 \u003cbr\u003e   OnePlus 9 Pro| Qualcomm          | MAC   | Incorrect handling of the length field in the MAC\u003cbr\u003e header when a CCCH sub-header is present       | S2, S3, S4    | -                        | CVE-2025-21477\u003cbr\u003e Patched        |\n| B2  |Galaxy S22 Plus \u003cbr\u003e Galaxy Note 20 Ultra \u003cbr\u003e Galaxy S20 \u003cbr\u003e   OnePlus 9 Pro | Qualcomm          | MAC   | Incorrect handling of RAR messages containing\u003cbr\u003e only sub-headers without any payload               | S1            | -                        | CVE-2024-23385\u003cbr\u003e Patched        |\n| B3  |Galaxy S24 Ultra\u003cbr\u003eGalaxy S22 Plus \u003cbr\u003e Galaxy Note 20 Ultra \u003cbr\u003e Galaxy S20 \u003cbr\u003e   OnePlus 9 Pro | Qualcomm          | RLC   | Incorrect handling of the extension part of the RLC\u003cbr\u003e UM Data PDU header                        
   | S4            | UM, 5-bit SN             | Verified                      |\n| B4  |Galaxy A31 \u003cbr\u003e Galaxy A32 | MediaTek          | MAC   | Incorrect handling of zero value in the length field\u003cbr\u003e of the MAC sub-header                       | S3            | -                        | CVE-2024-20076\u003cbr\u003e Patched        |\n| B5  |Galaxy A31 \u003cbr\u003e Galaxy A32 | MediaTek          | MAC   | Incorrect handling of MAC PDUs with many\u003cbr\u003e MAC CE sub-headers                                      | S2, S3, S4    | -                        | CVE-2024-20077\u003cbr\u003e Patched        |\n| B6  |Galaxy A31 \u003cbr\u003e Galaxy A32 | MediaTek          | MAC   | Incorrect handling of continuously malformed\u003cbr\u003e MAC PDUs during the attach procedure                | S2, S3        | -                        | Affects only older firmware       |\n| B7  |Xiaomi K40 Gaming \u003cbr\u003e Xiaomi Redmi Note 9T | MediaTek          | PDCP  | Incorrect handling of 5-byte PDCP Data PDUs for\u003cbr\u003e the control plane                                | S4            | -                        | CVE-2025-20659\u003cbr\u003e Patched        |\n| B8  |Galaxy S24 \u003cbr\u003e Pixel 6a | Exynos \u003cbr\u003e Tensor    | RLC   | Incorrect handling of RLC AM Data PDUs\u003cbr\u003e containing many data chunks                               | S3, S4        | AM, 11-bit LI, 10-bit SN | CVE-2025-26781/26782 \u003cbr\u003e Patched   |\n| B9  |Galaxy S24 | Exynos            | PDCP  | Incorrect handling of 1-byte PDCP Data PDUs for\u003cbr\u003e the user plane                                   | S4            | 12-bit SN                | CVE-2025-26780\u003cbr\u003e Patched                      |\n| B10  |Xiaomi K40 Gaming (5G) | MediaTek          | 5G PDCP  | We will provide technical details after the vendor's patch                                | -            | -                        | Under review       |\n| B11  |Xiaomi K40 Gaming 
(5G) | MediaTek          | 5G RRC  | We will provide technical details after the vendor's patch                                | -            | -                        | Under review        |\n\n\n### Example Configuration File and Explanation\n\n```bash \n#--------------------------------------------\n# Configurations for srseNB------------------\n#--------------------------------------------\n\n# Path to the srseNB configuration files\n# including enb.conf, sib.conf, rr.conf, rb.conf\n# These are included in the /config/ directory by default.\nenb_config             = ../config/enb.conf\nsib_config             = ../config/sib.conf\nrr_config              = ../config/rr.conf\nrb_config              = ../config/rb.conf\n\n# MCC and MNC of the network\n# These values should match the SIM card configuration\n# Recommend using MCC=901 and MNC=55 to match with ePC configuration\nmcc                    = 901\nmnc                    = 55\n\n# The number of PRBs (Physical Resource Blocks) of the eNB\n# This value corresponds to the channel bandwidth\n# For example, 100 PRBs corresponds to 20 MHz bandwidth\n# 50: 10 MHz, 25: 5 MHz, you don't need to change this value\nn_prb                  = 100\n\n# Transmission Mode and number of ports for MIMO.\n# No change needed for MAC/RLC/PDCP fuzzing.\ntm                     = 1\nnof_ports              = 1\n\n# The EARFCN of the eNB, corresponds to the center frequency of the channel\ndl_earfcn              = 3400\n\n# TX and RX gains for the eNB\ntx_gain                = 120\nrx_gain                = 60\n\n# --------------------------------------------\n# Configurations for LLFuzz-------------------\n#---------------------------------------------\n\n# Target protocol layer to fuzz. Options: PDCP, RLC, MAC, PHY\ntargetLayer             = MAC\n\n# Target UE state to fuzz. 
Options: state1, state2, state3, state4\nfuzzingState            = state4\n\n# Enable ADB-based crash detection (always keep this true).\nenableADB               = true\n\n# Index of the starting test case.\n# Use 0 to start from the beginning. You can resume from a specific index when debugging a crash.\nstartIdx                = 0\n\n# Number of test cases to send in each fuzzing session.\n# Recommended value: 5 (for optimal performance).     \nNofTestCasesPerSS       = 5\n\n# Enable verification mode for bug reproduction.\nverifyingMode           = false\n\n# IMSI of the UE’s SIM card (must match the inserted SIM).    \nimsi                    = 90155000005xxxx\n\n# Whether to send Uplink DCI (DCI0) in PHY Layer fuzzing.\n# Only set to true when fuzzing DCI0.\nsendUplinkDCI           = false\n\n# Time (ms) to wait after a UE crash before attempting recovery.\nrecoverTimerThres       = 5000\n\n# Timers and thresholds for device-specific behaviors.\n# Advanced options, usually do not change these values.\nwaitingConnTimerThres   = 4000 \nwaitConnAfterPagingThres = 500\nenableNotWorkingReboot  = false\nnofFailedConnReboot     = 8\n\n# Enable speed logging (cases/5s).\nenableSpeedLog          = true\n\n# Paths to output files (saved in /pcap/ directory).\nspeedLogFilename        = ../pcap/speedLog.txt\ncrashLogFilename        = ../pcap/crashLog.txt\nenbPCAPFilename         = ../pcap/enb_mac.pcap\n```\n\n[srsran-sim]: https://docs.srsran.com/projects/project/en/latest/tutorials/source/cotsUE/source/index.html#sim-programming\n[gpsdo-module]: https://www.ettus.com/all-products/gpsdo-mini/\n[sim-card]: https://sysmocom.de/products/sim/sysmousim/index.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsyssec-kaist%2Fllfuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsyssec-kaist%2Fllfuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsyssec-kaist%2Fllfuzz/lists"}