From 16b5aa3809bde89133a4089b08786f132eec1901 Mon Sep 17 00:00:00 2001
From: LightningMods <34066913+LightningMods@users.noreply.github.com>
Date: Sun, 5 May 2024 17:39:12 -0400
Subject: [PATCH] Added Additional Payloads

---
 module_dumper/Makefile | 37 ++
 module_dumper/module_dumper.map | 903 ++++++++++++++++++++++++++++++++
 module_dumper/source/main.c | 337 ++++++++++++
 payload/source/main.c | 2 +-
 stage2/Makefile | 2 +-
 stage2/offsets.h | 11 +-
 stage2/stage2.c | 125 +++--
 update_blocker/Makefile | 37 ++
 update_blocker/source/main.c | 89 ++++
 9 files changed, 1483 insertions(+), 60 deletions(-)
 create mode 100644 module_dumper/Makefile
 create mode 100644 module_dumper/module_dumper.map
 create mode 100644 module_dumper/source/main.c
 create mode 100644 update_blocker/Makefile
 create mode 100644 update_blocker/source/main.c

diff --git a/module_dumper/Makefile b/module_dumper/Makefile
new file mode 100644
index 00000000..99a4c5f4
--- /dev/null
+++ b/module_dumper/Makefile
@@ -0,0 +1,37 @@
+LIBPS4 := $(PS4SDK)/libPS4
+
+CC := gcc
+OBJCOPY := objcopy
+ODIR := build
+SDIR := source
+IDIRS := -I$(LIBPS4)/include -Iinclude
+LDIRS := -L$(LIBPS4)
+MAPFILE := $(shell basename "$(CURDIR)").map
+CFLAGS := $(IDIRS) -Os -std=c11 -ffunction-sections -fdata-sections -fno-builtin -nostartfiles -nostdlib -Wall -Wextra -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=small -fpie -fPIC
+LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Xlinker -Map="$(MAPFILE)" -Wl,--build-id=none -Wl,--gc-sections
+CFILES := $(wildcard $(SDIR)/*.c)
+SFILES := $(wildcard $(SDIR)/*.s)
+OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES))
+
+LIBS := -lPS4
+
+TARGET = $(shell basename "$(CURDIR)").bin
+
+$(TARGET): $(ODIR) $(OBJS)
+	$(CC) $(LIBPS4)/crt0.s $(ODIR)/*.o -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS)
+	$(OBJCOPY) -O binary temp.t "$(TARGET)"
+	rm -f temp.t
+
+$(ODIR)/%.o: $(SDIR)/%.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(ODIR)/%.o: $(SDIR)/%.s
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(ODIR):
+	@mkdir $@
+
+.PHONY: clean
+
+clean:
+	rm -rf "$(TARGET)" "$(MAPFILE)" $(ODIR)
diff --git a/module_dumper/module_dumper.map b/module_dumper/module_dumper.map
new file mode 100644
index 00000000..b8fcf280
--- /dev/null
+++ b/module_dumper/module_dumper.map
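Review bot: The link command in the `$(TARGET)` recipe globs `$(ODIR)/*.o` instead of using the `$(OBJS)` list the rule already depends on, so a stale object left in `build/` by a removed or renamed source is silently linked into the payload binary. Use the computed list so the output contains only what `source/` currently holds: `$(CC) $(LIBPS4)/crt0.s $(OBJS) -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS)`. The `build/` directory is also a prerequisite of `$(TARGET)` only, not of the `.o` pattern rules, so a parallel `make -j` can start compiling before `@mkdir $@` has run. Making it an order-only prerequisite of the objects (`$(OBJS): | $(ODIR)`) and using `@mkdir -p $@` fixes that and avoids needless relinks when the directory's mtime changes.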
@@ -0,0 +1,903 @@ +Archive member included to satisfy reference by file (symbol) + +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + build/main.o (get_firmware_string) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + build/main.o (read) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + build/main.o (initSysUtil) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + build/main.o (wait_for_usb) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + build/main.o (mmap) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + build/main.o (DEBUG_SOCK) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + build/main.o (initLibc) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + build/main.o (getFunctionAddressByName) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + build/main.o (SckSend) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) (kexec) +/home/lm/ps4-payload-sdk/libPS4/libPS4.a(syscall.o) + build/main.o (syscall) + +Merging program properties + +Removed property 0xc0000002 to merge build/main.o (0x3) and /tmp/cc7gqL8s.o (not found) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) 
(0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) (0x3) +Removed property 0xc0000002 to merge build/main.o (not found) and /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) (0x3) + +Allocating common symbols +Common symbol size file + +strcpy 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +asctime 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +libc 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelGettimeofday + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceSysmoduleLoadModule + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) +getgid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceUserServiceInitialize + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +strerror 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +memmove 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +snprintf 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +strncpy_s 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +libKernelHandle 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +__stack_chk_guard 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceKernelGetDirectMemorySize + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +ceil 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetCtlInit 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceNetHtonll 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +execve 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +getpid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceNetNtohll 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceKernelSleep 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +memcpy 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelGetCurrentCpu + 0x8 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceNetCtlGetInfo 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +seekdir 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelDeleteEqueue + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceKernelGetCpuTemperature + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +getuid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +rewinddir 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +malloc 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetInetNtop 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +libModule 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) +readdir_r 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetSocket 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +getprogname 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +readdir 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceSysUtilSendSystemNotificationWithText + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +sceUserServiceGetInitialUser + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +sceNetInetPton 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +__stack_chk_fail 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceKernelMapDirectMemory + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +strtol 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +g_firmware 0x2 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) +snprintf_s 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sysarch 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +strrchr 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +calloc 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +rindex 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetGetsockname 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceKernelError 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +atof 0x8 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetHtons 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +_Getpctype 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sysctl 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +fprintf 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +ctime 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelRead 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +strcat 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetSend 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +setregid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +fseek 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +libSceUserService 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +mktime 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +strstr 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +__error 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +rand 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelSendNotificationRequest + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceNetHtonl 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +setgid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +dirfd 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetErrnoLoc 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceKernelLseek 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceKernelStat 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +strlcpy 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +strncmp 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelLoadStartModule + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceSystemServiceLaunchWebBrowser + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +strncpy 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +realloc 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelGetSystemSwVersion + 0x8 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +bcopy 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +strtok 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +memcmp 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelClose 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sscanf 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceUserServiceGetUserName + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +strncat 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +memmove_s 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +fread 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +_Stoul 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +pthread_setaffinity_np + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +strdup 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetSetsockopt 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +index 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +libSceSystemService + 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +sceNetSocketClose 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +fopen 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelGetProcessTime + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +asctime_r 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +setreuid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +localtime 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +memset 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +ftell 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +srand 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +fclose 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelAllocateDirectMemory + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +time 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +opendir 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +strcmp 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetRecv 0x8 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceUserServiceGetLoginUserIdList + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +gmtime_s 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetBind 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +memalign 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sprintf 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +libNetCtl 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceNetConnect 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceNetNtohs 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +ctime_r 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelUsleep 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceNetCtlTerm 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +buf 0xc8 build/main.o +sceKernelAddUserEvent + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +pthread_self 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceUserServiceTerminate + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +localtime_r 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetListen 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +isdigit 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelReboot 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +fwrite 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelCreateEqueue + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceNetNtohl 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +sceNetGetsockopt 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +atoi 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +gmtime 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +strlen 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceKernelOpen 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +strchr 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sceNetAccept 0x8 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +libNet 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +closedir 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +setuid 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sysUtilHandle 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) +sceKernelGetFsSandboxRandomWord + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceKernelAddReadEvent + 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +sceNetSocketAbort 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) +telldir 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) +sysctlbyname 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) +free 0x8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + +Discarded input sections + + .data 0x0000000000000000 0x0 /tmp/cc7gqL8s.o + .bss 0x0000000000000000 0x0 /tmp/cc7gqL8s.o + .text 0x0000000000000000 0x0 build/main.o + .data 0x0000000000000000 0x0 build/main.o + .bss 0x0000000000000000 0x0 build/main.o + .comment 0x0000000000000000 0x2c build/main.o + .note.GNU-stack + 0x0000000000000000 0x0 build/main.o + .note.gnu.property + 0x0000000000000000 0x20 build/main.o + .eh_frame 0x0000000000000000 0x278 build/main.o + .text 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_kbase.str1.1 + 0x0000000000000000 0x15 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_kbase + 0x0000000000000000 0x676 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_kbase + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_dump + 0x0000000000000000 0x571 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_dump + 0x0000000000000000 0x50 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_jailbreak + 0x0000000000000000 0x6a8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_jailbreak + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_mmap + 0x0000000000000000 0x7b7 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_mmap + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_aslr + 0x0000000000000000 0x58a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_aslr + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_kernel_clock.str1.1 + 0x0000000000000000 0xce /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_kernel_clock + 0x0000000000000000 0xf54 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_kernel_clock + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_enable_browser + 0x0000000000000000 0x62c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_enable_browser + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_target_id + 0x0000000000000000 0x593 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_target_id + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_perm_uart + 0x0000000000000000 0x5cb /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_perm_uart + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kpayload_exit_idu + 0x0000000000000000 0x5cb /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_exit_idu + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + 
.text.kpayload_npdrm_patch + 0x0000000000000000 0x833 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.kpayload_npdrm_patch + 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.is_jailbroken.str1.1 + 0x0000000000000000 0x11 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.is_jailbroken + 0x0000000000000000 0x3b /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.is_fw_spoofed.str1.1 + 0x0000000000000000 0xc /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.is_fw_spoofed + 0x0000000000000000 0xaf /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.get_kernel_base + 0x0000000000000000 0x88 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.get_memory_dump + 0x0000000000000000 0x47 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.jailbreak + 0x0000000000000000 0x39 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.mmap_patch + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.disable_aslr + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.kernel_clock + 0x0000000000000000 0x31 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.enable_browser + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.spoof_target_id + 0x0000000000000000 0x32 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.enable_perm_uart + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.exit_idu + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .text.npdrm_patch + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .note.GNU-stack + 0x0000000000000000 0x0 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .eh_frame 0x0000000000000000 0x408 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.getSandboxDirectory + 0x0000000000000000 0x1b /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.file_exists + 0x0000000000000000 0x23 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.dir_exists + 0x0000000000000000 0x28 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.symlink_exists + 0x0000000000000000 0x3a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.touch_file + 0x0000000000000000 0x23 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.copy_file + 0x0000000000000000 0x99 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .rodata.copy_dir.str1.1 + 0x0000000000000000 0xb /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.copy_dir + 0x0000000000000000 0x132 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.file_compare + 0x0000000000000000 0x175 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.rmtree 0x0000000000000000 0x143 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.fgetc_pointer + 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.build_iovec + 0x0000000000000000 0xec /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .rodata.mount_large_fs.str1.1 + 0x0000000000000000 0x4b /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text.mount_large_fs + 0x0000000000000000 0x14f /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .note.gnu.property + 0x0000000000000000 0x20 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .eh_frame 0x0000000000000000 0x260 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + .text 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .rodata.initUserService.str1.1 + 0x0000000000000000 0xb3 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.initUserService + 0x0000000000000000 0x9f /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.openBrowser + 0x0000000000000000 0x12 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.getUserIDList + 0x0000000000000000 0x47 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.getUserID + 0x0000000000000000 0x18 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.getUserName + 0x0000000000000000 0x8d /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.getInitialUser + 0x0000000000000000 0x45 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .rodata.shutdown.str1.1 + 0x0000000000000000 0x11 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.shutdown + 0x0000000000000000 0x55 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .rodata.reboot.str1.1 + 0x0000000000000000 0x32 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text.reboot 0x0000000000000000 0x41 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .eh_frame 0x0000000000000000 0x120 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .text 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .data 0x0000000000000000 0x0 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.is_self 0x0000000000000000 0xb8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.read_decrypt_segment + 0x0000000000000000 0x99 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.is_segment_in_other_segment + 0x0000000000000000 0x44 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.parse_phdr + 0x0000000000000000 0xd2 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.do_dump 0x0000000000000000 0x129 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.decrypt_and_dump_self + 0x0000000000000000 0xd5 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .rodata.decrypt_dir.str1.1 + 0x0000000000000000 0xb /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.decrypt_dir + 0x0000000000000000 0x142 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .rodata.wait_for_app.str1.1 + 0x0000000000000000 0x2a /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.wait_for_app + 0x0000000000000000 0xdb /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .rodata.wait_for_bdcopy.str1.1 + 0x0000000000000000 0x25 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .text.wait_for_bdcopy + 0x0000000000000000 0x105 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .eh_frame 0x0000000000000000 0x288 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + .note.GNU-stack + 0x0000000000000000 0x0 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + .text 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + .text 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .text.memset_s + 0x0000000000000000 0x51 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .eh_frame 0x0000000000000000 0x68 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .text.getModuleInfo + 0x0000000000000000 0x1f /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .text.unloadModule + 0x0000000000000000 0x19 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .rodata.initModule.str1.1 + 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .text.initModule + 0x0000000000000000 0x47 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .comment 0x0000000000000000 0x2c 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .eh_frame 0x0000000000000000 0x80 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + COMMON 0x0000000000000000 0xc /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + .text 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .rodata.initNetwork.str1.1 + 0x0000000000000000 0x173 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .text.initNetwork + 0x0000000000000000 0x258 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .text.SckConnect + 0x0000000000000000 0xa9 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .text.SckClose + 0x0000000000000000 0xd /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .text.SckRecv 0x0000000000000000 0xce /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .text.SckRecvf + 0x0000000000000000 0x7b /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .note.GNU-stack + 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .eh_frame 0x0000000000000000 0x118 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + .text 0x0000000000000000 0x24 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .comment 0x0000000000000000 0x2c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .note.GNU-stack + 0x0000000000000000 0x0 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .note.gnu.property + 0x0000000000000000 0x20 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .eh_frame 0x0000000000000000 0x50 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + .data 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(syscall.o) + .bss 0x0000000000000000 0x0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(syscall.o) + +Memory Configuration + +Name Origin Length Attributes +*default* 0x0000000000000000 0xffffffffffffffff + +Linker script and memory map + +LOAD /tmp/cc7gqL8s.o +LOAD build/main.o + +.text 0x0000000000000000 0x20f3 + *(.text.start) + *(.text*) + .text 0x0000000000000000 0x5 /tmp/cc7gqL8s.o + 0x0000000000000000 _start + .text.kpayload + 0x0000000000000005 0x72 build/main.o + 0x0000000000000005 kpayload + .text.my_free 0x0000000000000077 0x21 build/main.o + 0x0000000000000077 my_free + .text.my_malloc + 0x0000000000000098 0x86 build/main.o + 0x0000000000000098 my_malloc + .text.read_decrypt_segment_alt + 0x000000000000011e 0x99 build/main.o + 0x000000000000011e read_decrypt_segment_alt + .text.is_segment_in_other_segment_alt + 0x00000000000001b7 0x44 build/main.o + 0x00000000000001b7 is_segment_in_other_segment_alt + .text.parse_phdr_alt + 0x00000000000001fb 0xc5 build/main.o + 0x00000000000001fb parse_phdr_alt + .text.do_dump_alt + 0x00000000000002c0 0x257 build/main.o + 0x00000000000002c0 do_dump_alt + .text.decrypt_and_dump_self_alt + 0x0000000000000517 0x371 build/main.o + 0x0000000000000517 decrypt_and_dump_self_alt + .text.decrypt_self_to_elf + 0x0000000000000888 0xb6 build/main.o + 0x0000000000000888 decrypt_self_to_elf + .text.traverse_dir + 0x000000000000093e 0x25c build/main.o + 0x000000000000093e traverse_dir + .text._main 0x0000000000000b9a 0x680 build/main.o + 0x0000000000000b9a _main + .text.get_firmware + 0x000000000000121a 0x190 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + 0x000000000000121a get_firmware + .text.get_firmware_string + 
0x00000000000013aa 0xbb /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + 0x00000000000013aa get_firmware_string + .text 0x0000000000001465 0x108 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(file.o) + 0x0000000000001465 read + 0x0000000000001471 write + 0x000000000000147d open + 0x0000000000001489 close + 0x0000000000001495 unlink + 0x00000000000014a1 link + 0x00000000000014ad readlink + 0x00000000000014b9 symlink + 0x00000000000014c5 mount + 0x00000000000014d1 nmount + 0x00000000000014dd unmount + 0x00000000000014e9 fchown + 0x00000000000014f5 fchmod + 0x0000000000001501 rename + 0x000000000000150d mkdir + 0x0000000000001519 rmdir + 0x0000000000001525 stat + 0x0000000000001531 fstat + 0x000000000000153d lstat + 0x0000000000001549 getdents + 0x0000000000001555 lseek + 0x0000000000001561 fstatat + .text.initSysUtil + 0x000000000000156d 0x86 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + 0x000000000000156d initSysUtil + .text.wait_for_usb + 0x00000000000015f3 0xc1 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + 0x00000000000015f3 wait_for_usb + .text 0x00000000000016b4 0x60 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(memory.o) + 0x00000000000016b4 mmap + 0x00000000000016c0 munmap + 0x00000000000016cc mprotect + 0x00000000000016d8 msync + 0x00000000000016e4 mlock + 0x00000000000016f0 munlock + 0x00000000000016fc getMemoryInfo + 0x0000000000001708 getOtherMemoryInfo + .text.initLibc + 0x0000000000001714 0x5d2 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + 0x0000000000001714 initLibc + .text 0x0000000000001ce6 0x18 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + 0x0000000000001ce6 getFunctionAddressByName + 0x0000000000001cf2 getLoadedModules + .text.loadModule + 0x0000000000001cfe 0x1e /home/lm/ps4-payload-sdk/libPS4/libPS4.a(module.o) + 0x0000000000001cfe loadModule + .text.SckSend 0x0000000000001d1c 0x15 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + 0x0000000000001d1c SckSend + .text.initKernel + 0x0000000000001d31 0x394 
/home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + 0x0000000000001d31 initKernel + .text 0x00000000000020c5 0x2e /home/lm/ps4-payload-sdk/libPS4/libPS4.a(syscall.o) + 0x00000000000020c5 syscall + 0x00000000000020c8 syscall_macro + +.plt 0x0000000000002100 0x0 + .plt 0x0000000000002100 0x0 /tmp/cc7gqL8s.o + +.plt.got 0x00000000000020f8 0x0 + .plt.got 0x00000000000020f8 0x0 /tmp/cc7gqL8s.o + +.rodata 0x00000000000020f3 0x89b + *(.rodata) + .rodata 0x00000000000020f3 0x7 build/main.o + *(.rodata*) + .rodata.my_malloc.str1.1 + 0x00000000000020fa 0x1b build/main.o + .rodata.do_dump_alt.str1.1 + 0x0000000000002115 0x59 build/main.o + .rodata.decrypt_and_dump_self_alt.str1.1 + 0x000000000000216e 0x3f build/main.o + .rodata.decrypt_self_to_elf.str1.1 + 0x00000000000021ad 0xb build/main.o + 0x17 (size before relaxing) + .rodata.traverse_dir.str1.1 + 0x00000000000021b8 0x68 build/main.o + 0x6a (size before relaxing) + .rodata._main.str1.1 + 0x0000000000002220 0x19e build/main.o + .rodata.get_firmware.str1.1 + 0x00000000000023be 0x41 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + .rodata.get_firmware_string.str1.1 + 0x00000000000023ff 0x17 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + 0x22 (size before relaxing) + .rodata.initSysUtil.str1.1 + 0x0000000000002416 0x9c /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + .rodata.wait_for_usb.str1.1 + 0x00000000000024b2 0x23 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(dump.o) + .rodata.initLibc.str1.1 + 0x00000000000024d5 0x1f8 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + 0x216 (size before relaxing) + .rodata.initKernel.str1.1 + 0x00000000000026cd 0x2c1 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + 0x2d4 (size before relaxing) + +.gnu.version_d 0x0000000000002990 0x0 + .gnu.version_d + 0x0000000000002990 0x0 /tmp/cc7gqL8s.o + +.gnu.version 0x000000000000298e 0x0 + .gnu.version 0x000000000000298e 0x0 /tmp/cc7gqL8s.o + +.gnu.version_r 0x0000000000002990 0x0 + .gnu.version_r + 
0x0000000000002990 0x0 /tmp/cc7gqL8s.o + +.dynsym 0x0000000000002990 0x18 + .dynsym 0x0000000000002990 0x18 /tmp/cc7gqL8s.o + +.dynstr 0x00000000000029a8 0x1 + .dynstr 0x00000000000029a8 0x1 /tmp/cc7gqL8s.o + +.gnu.hash 0x00000000000029b0 0x1c + .gnu.hash 0x00000000000029b0 0x1c /tmp/cc7gqL8s.o + +.eh_frame_hdr 0x00000000000029cc 0x0 + .eh_frame_hdr 0x00000000000029cc 0x0 build/main.o + +.rela.dyn 0x00000000000029d0 0x0 + .rela.plt 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.got 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.bss 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.data.rel.ro + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.ifunc 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.my_malloc + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.read_decrypt_segment_alt + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.do_dump_alt + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.decrypt_and_dump_self_alt + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.decrypt_self_to_elf + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.traverse_dir + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text._main + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.get_firmware + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.get_firmware_string + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.initSysUtil + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.wait_for_usb + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.initLibc + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.SckSend + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text.initKernel + 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + .rela.text 0x00000000000029d0 0x0 /tmp/cc7gqL8s.o + +.data + *(.data) + +.dynamic 0x00000000000029d0 0xe0 + .dynamic 0x00000000000029d0 0xe0 /tmp/cc7gqL8s.o + 0x00000000000029d0 _DYNAMIC + +.got 0x0000000000002ab0 0x0 + .got 0x0000000000002ab0 0x0 /tmp/cc7gqL8s.o + +.got.plt 0x0000000000002ab0 0x0 + .got.plt 0x0000000000002ab0 0x0 /tmp/cc7gqL8s.o + 
+.data.rel.ro 0x0000000000002ab0 0x0 + .data.rel.ro 0x0000000000002ab0 0x0 /tmp/cc7gqL8s.o + +.data.page_size + 0x0000000000002ab0 0x8 + .data.page_size + 0x0000000000002ab0 0x8 build/main.o + 0x0000000000002ab0 page_size + +.data.DEBUG_SOCK + 0x0000000000002ab8 0x4 + .data.DEBUG_SOCK + 0x0000000000002ab8 0x4 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(debug.o) + 0x0000000000002ab8 DEBUG_SOCK + +.bss 0x0000000000002ac0 0x558 + *(.bss) + COMMON 0x0000000000002ac0 0xc8 build/main.o + 0x0000000000002ac0 buf + COMMON 0x0000000000002b88 0x2 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(payload_utils.o) + 0x0000000000002b88 g_firmware + *fill* 0x0000000000002b8a 0x6 + COMMON 0x0000000000002b90 0x54 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(sysutil.o) + 0x0000000000002b90 sceUserServiceInitialize + 0x0000000000002b98 sceSysUtilSendSystemNotificationWithText + 0x0000000000002ba0 sceUserServiceGetInitialUser + 0x0000000000002ba8 libSceUserService + 0x0000000000002bb0 sceSystemServiceLaunchWebBrowser + 0x0000000000002bb8 sceUserServiceGetUserName + 0x0000000000002bc0 libSceSystemService + 0x0000000000002bc8 sceUserServiceGetLoginUserIdList + 0x0000000000002bd0 sceUserServiceTerminate + 0x0000000000002bd8 sceKernelReboot + 0x0000000000002be0 sysUtilHandle + *fill* 0x0000000000002be4 0x4 + COMMON 0x0000000000002be8 0x220 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(libc.o) + 0x0000000000002be8 strcpy + 0x0000000000002bf0 asctime + 0x0000000000002bf8 libc + 0x0000000000002c00 strerror + 0x0000000000002c08 memmove + 0x0000000000002c10 snprintf + 0x0000000000002c18 strncpy_s + 0x0000000000002c20 ceil + 0x0000000000002c28 memcpy + 0x0000000000002c30 seekdir + 0x0000000000002c38 rewinddir + 0x0000000000002c40 malloc + 0x0000000000002c48 readdir_r + 0x0000000000002c50 getprogname + 0x0000000000002c58 readdir + 0x0000000000002c60 strtol + 0x0000000000002c68 snprintf_s + 0x0000000000002c70 strrchr + 0x0000000000002c78 calloc + 0x0000000000002c80 rindex + 0x0000000000002c88 atof + 
0x0000000000002c90 _Getpctype + 0x0000000000002c98 fprintf + 0x0000000000002ca0 ctime + 0x0000000000002ca8 strcat + 0x0000000000002cb0 fseek + 0x0000000000002cb8 mktime + 0x0000000000002cc0 strstr + 0x0000000000002cc8 rand + 0x0000000000002cd0 dirfd + 0x0000000000002cd8 strlcpy + 0x0000000000002ce0 strncmp + 0x0000000000002ce8 strncpy + 0x0000000000002cf0 realloc + 0x0000000000002cf8 bcopy + 0x0000000000002d00 strtok + 0x0000000000002d08 memcmp + 0x0000000000002d10 sscanf + 0x0000000000002d18 strncat + 0x0000000000002d20 memmove_s + 0x0000000000002d28 fread + 0x0000000000002d30 _Stoul + 0x0000000000002d38 strdup + 0x0000000000002d40 index + 0x0000000000002d48 fopen + 0x0000000000002d50 asctime_r + 0x0000000000002d58 localtime + 0x0000000000002d60 memset + 0x0000000000002d68 ftell + 0x0000000000002d70 srand + 0x0000000000002d78 fclose + 0x0000000000002d80 time + 0x0000000000002d88 opendir + 0x0000000000002d90 strcmp + 0x0000000000002d98 gmtime_s + 0x0000000000002da0 memalign + 0x0000000000002da8 sprintf + 0x0000000000002db0 ctime_r + 0x0000000000002db8 localtime_r + 0x0000000000002dc0 isdigit + 0x0000000000002dc8 fwrite + 0x0000000000002dd0 atoi + 0x0000000000002dd8 gmtime + 0x0000000000002de0 strlen + 0x0000000000002de8 strchr + 0x0000000000002df0 closedir + 0x0000000000002df8 telldir + 0x0000000000002e00 free + COMMON 0x0000000000002e08 0xd0 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(network.o) + 0x0000000000002e08 sceNetCtlInit + 0x0000000000002e10 sceNetHtonll + 0x0000000000002e18 sceNetNtohll + 0x0000000000002e20 sceNetCtlGetInfo + 0x0000000000002e28 sceNetInetNtop + 0x0000000000002e30 sceNetSocket + 0x0000000000002e38 sceNetInetPton + 0x0000000000002e40 sceNetGetsockname + 0x0000000000002e48 sceNetHtons + 0x0000000000002e50 sceNetSend + 0x0000000000002e58 sceNetHtonl + 0x0000000000002e60 sceNetErrnoLoc + 0x0000000000002e68 sceNetSetsockopt + 0x0000000000002e70 sceNetSocketClose + 0x0000000000002e78 sceNetRecv + 0x0000000000002e80 sceNetBind + 0x0000000000002e88 
libNetCtl + 0x0000000000002e90 sceNetConnect + 0x0000000000002e98 sceNetNtohs + 0x0000000000002ea0 sceNetCtlTerm + 0x0000000000002ea8 sceNetListen + 0x0000000000002eb0 sceNetNtohl + 0x0000000000002eb8 sceNetGetsockopt + 0x0000000000002ec0 sceNetAccept + 0x0000000000002ec8 libNet + 0x0000000000002ed0 sceNetSocketAbort + COMMON 0x0000000000002ed8 0x140 /home/lm/ps4-payload-sdk/libPS4/libPS4.a(kernel.o) + 0x0000000000002ed8 sceKernelGettimeofday + 0x0000000000002ee0 getgid + 0x0000000000002ee8 libKernelHandle + 0x0000000000002ef0 __stack_chk_guard + 0x0000000000002ef8 sceKernelGetDirectMemorySize + 0x0000000000002f00 execve + 0x0000000000002f08 getpid + 0x0000000000002f10 sceKernelSleep + 0x0000000000002f18 sceKernelGetCurrentCpu + 0x0000000000002f20 sceKernelDeleteEqueue + 0x0000000000002f28 sceKernelGetCpuTemperature + 0x0000000000002f30 getuid + 0x0000000000002f38 __stack_chk_fail + 0x0000000000002f40 sceKernelMapDirectMemory + 0x0000000000002f48 sysarch + 0x0000000000002f50 sceKernelError + 0x0000000000002f58 sysctl + 0x0000000000002f60 sceKernelRead + 0x0000000000002f68 setregid + 0x0000000000002f70 __error + 0x0000000000002f78 sceKernelSendNotificationRequest + 0x0000000000002f80 setgid + 0x0000000000002f88 sceKernelLseek + 0x0000000000002f90 sceKernelStat + 0x0000000000002f98 sceKernelLoadStartModule + 0x0000000000002fa0 sceKernelGetSystemSwVersion + 0x0000000000002fa8 sceKernelClose + 0x0000000000002fb0 pthread_setaffinity_np + 0x0000000000002fb8 sceKernelGetProcessTime + 0x0000000000002fc0 setreuid + 0x0000000000002fc8 sceKernelAllocateDirectMemory + 0x0000000000002fd0 sceKernelUsleep + 0x0000000000002fd8 sceKernelAddUserEvent + 0x0000000000002fe0 pthread_self + 0x0000000000002fe8 sceKernelCreateEqueue + 0x0000000000002ff0 sceKernelOpen + 0x0000000000002ff8 setuid + 0x0000000000003000 sceKernelGetFsSandboxRandomWord + 0x0000000000003008 sceKernelAddReadEvent + 0x0000000000003010 sysctlbyname + +.dynbss 0x0000000000003018 0x0 + .dynbss 0x0000000000003018 0x0 
/tmp/cc7gqL8s.o + +.bss.kernel_base + 0x0000000000003018 0x8 + .bss.kernel_base + 0x0000000000003018 0x8 build/main.o + 0x0000000000003018 kernel_base + +.bss.sceKernelDebugOutText + 0x0000000000003020 0x8 + .bss.sceKernelDebugOutText + 0x0000000000003020 0x8 build/main.o + +/DISCARD/ + *(.comment) + *(.note.GNU-stack) + *(.eh_frame) + *(.interp) +LOAD /home/lm/ps4-payload-sdk/libPS4/libPS4.a +OUTPUT(temp.t elf64-x86-64) diff --git a/module_dumper/source/main.c b/module_dumper/source/main.c new file mode 100644 index 00000000..7d857bf1 --- /dev/null +++ b/module_dumper/source/main.c 
@@ -0,0 +1,337 @@ + +#include "ps4.h" +char buf[200]; + +#define DT_DIR 0x000004 +#define DT_REG 0x000008 +#define DEC_SIZE 0x100000 +static int( * sceKernelDebugOutText)(int, + const char * ) = NULL; +size_t page_size = 0x4000; + + +void my_free(void *ptr, size_t size) { + // Align size to page size + size = (size + page_size - 1) & ~(page_size - 1); + + // Use munmap to my_free memory + munmap(ptr, size); +} + +void *my_malloc(size_t size) { + // Align size to page size + size = (size + page_size - 1) & ~(page_size - 1); + + // Use mmap to allocate memory + void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (ptr == MAP_FAILED) { + sprintf(buf, "[-] Error: Cant mmap: %s\n", strerror(errno)); + sceKernelDebugOutText(0, buf); + return NULL; // mmap failed + } + return ptr; +} +void * kernel_base = NULL; +int kpayload(struct thread * td) { + kernel_base = & ((uint8_t * ) __readmsr(0xC0000082))[-0x1C0]; + uint8_t *kernel_ptr = (uint8_t *)kernel_base; + //int (*kprintf)(const char *format, ...) 
= (void*)(kernel_base+0x02FCBD0); + //kprintf("Hello from Kernel\n"); + struct ucred * cred = td -> td_proc -> p_ucred; + // kprintf("setting cr_uid ...\n"); + cred -> cr_uid = 0; + // kprintf("setting cr_ruid ...\n"); + cred -> cr_ruid = 0; + // kprintf("setting cr_rgid ...\n"); + cred -> cr_rgid = 0; + // kprintf("setting cr_groups ...\n"); + cred -> cr_groups[0] = 0; + + // escalate ucred privs, needed for access to the filesystem ie* mounting & decrypting files + void * td_ucred = * (void ** )(((char * ) td) + 304); // p_ucred == td_ucred + // kprintf("setting sceSblACMgrIsSystemUcred ...\n"); + + // sceSblACMgrIsSystemUcred + uint64_t * sonyCred = (uint64_t * )(((char * ) td_ucred) + 96); + * sonyCred = 0xffffffffffffffff; + + // kprintf("setting ceSblACMgrGetDeviceAccessType ...\n"); + + // sceSblACMgrGetDeviceAccessType + uint64_t * sceProcType = (uint64_t * )(((char * ) td_ucred) + 88); + * sceProcType = 0x3801000000000013; // Max access + + // kprintf("setting sceSblACMgrHasSceProcessCapability ...\n"); + + // sceSblACMgrHasSceProcessCapability + uint64_t * sceProcCap = (uint64_t * )(((char * ) td_ucred) + 104); + * sceProcCap = 0xffffffffffffffff; // Sce Process + + //kprintf("returning from Kernel ...\n"); + return 0; +} + +int read_decrypt_segment_alt(int fd, uint64_t index, uint64_t offset, size_t size, uint8_t * out) { + uint8_t * outPtr = out; + uint64_t outSize = size; + uint64_t realOffset = (index << 32) | offset; + + while (outSize > 0) { + size_t bytes = (outSize > DEC_SIZE) ? 
DEC_SIZE : outSize; + uint8_t * addr = (uint8_t * ) mmap(0, bytes, PROT_READ, MAP_PRIVATE | 0x80000, fd, realOffset); + + if (addr != MAP_FAILED) { + memcpy(outPtr, addr, bytes); + munmap(addr, bytes); + } else { + return 0; + } + + outPtr += bytes; + outSize -= bytes; + realOffset += bytes; + } + + return 1; +} + +int is_segment_in_other_segment_alt(Elf64_Phdr * phdr, int index, Elf64_Phdr * phdrs, int num) { + for (int i = 0; i < num; i += 1) { + Elf64_Phdr * p = & phdrs[i]; + if (i != index) + if (p -> p_filesz > 0) + if ((phdr -> p_offset >= p -> p_offset) && ((phdr -> p_offset + phdr -> p_filesz) <= (p -> p_offset + p -> p_filesz))) + return 1; + } + + return 0; +} + +SegmentBufInfo * parse_phdr_alt(Elf64_Phdr * phdrs, int num, int * segBufNum) { + SegmentBufInfo * infos = (SegmentBufInfo * ) my_malloc(sizeof(SegmentBufInfo) * num); + int segindex = 0; + for (int i = 0; i < num; i += 1) { + Elf64_Phdr * phdr = & phdrs[i]; + + if (phdr -> p_filesz > 0) { + if ((!is_segment_in_other_segment_alt(phdr, i, phdrs, num)) || (phdr -> p_type == 0x6fffff01)) { + SegmentBufInfo * info = & infos[segindex]; + segindex += 1; + info -> index = i; + info -> bufsz = (phdr -> p_filesz + (phdr -> p_align - 1)) & (~(phdr -> p_align - 1)); + info -> filesz = phdr -> p_filesz; + info -> fileoff = phdr -> p_offset; + info -> enc = (phdr -> p_type != 0x6fffff01) ? 
1 : 0; + } + } + } + * segBufNum = segindex; + + return infos; +} + +void do_dump_alt(char * saveFile, int fd, SegmentBufInfo * segBufs, int segBufNum, Elf64_Ehdr * ehdr) { + int sf = open(saveFile, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (sf != -1) { + size_t elfsz = 0x40 + ehdr -> e_phnum * sizeof(Elf64_Phdr); + write(sf, ehdr, elfsz); + + for (int i = 0; i < segBufNum; i += 1) { + uint8_t * buf = (uint8_t * ) my_malloc(segBufs[i].bufsz); + memset(buf, 0, segBufs[i].bufsz); + if (segBufs[i].enc) { + if (read_decrypt_segment_alt(fd, segBufs[i].index, 0, segBufs[i].filesz, buf)) { + lseek(sf, segBufs[i].fileoff, SEEK_SET); + write(sf, buf, segBufs[i].bufsz); + } + } else { + lseek(fd, -segBufs[i].filesz, SEEK_END); + read(fd, buf, segBufs[i].filesz); + lseek(sf, segBufs[i].fileoff, SEEK_SET); + write(sf, buf, segBufs[i].filesz); + } + my_free(buf, segBufs[i].bufsz); + } + close(sf); + } else { + sprintf(buf, "[-] Error: Cant dump: %s | %s\n", saveFile, strerror(errno)); + sceKernelDebugOutText(0, buf); + printf_notification(buf); + } +} + +void decrypt_and_dump_self_alt(char * selfFile, char * saveFile) { + int fd = open(selfFile, O_RDONLY, 0); + if (fd != -1) { + void * addr = mmap(0, 0x4000, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (addr != MAP_FAILED) { + uint16_t snum = * (uint16_t * )((uint8_t * ) addr + 0x18); + Elf64_Ehdr * ehdr = (Elf64_Ehdr * )((uint8_t * ) addr + 0x20 + snum * 0x20); + + // shdr fix + ehdr -> e_shoff = ehdr -> e_shentsize = ehdr -> e_shnum = ehdr -> e_shstrndx = 0; + + Elf64_Phdr * phdrs = (Elf64_Phdr * )((uint8_t * ) ehdr + 0x40); + + int segBufNum = 0; + SegmentBufInfo * segBufs = parse_phdr_alt(phdrs, ehdr -> e_phnum, & segBufNum); + do_dump_alt(saveFile, fd, segBufs, segBufNum, ehdr); + + my_free(segBufs, sizeof(SegmentBufInfo) *segBufNum); + munmap(addr, 0x4000); + } else { + sprintf(buf, "[-] Error: Cant mmap: %s | %s\n", selfFile, strerror(errno)); + sceKernelDebugOutText(0, buf); + printf_notification(buf); + } + 
close(fd); + } else { + sprintf(buf, "[-] Error: Cant open: %s | %s\n", selfFile, strerror(errno)); + sceKernelDebugOutText(0, buf); + printf_notification(buf); + } +} + +void decrypt_self_to_elf(char * file, char * usb) { + char * dot; + + // Check filename and open file + dot = strrchr(file, '.'); + if (!dot) return; + if (strcmp(dot, ".elf") && + strcmp(dot, ".self") && + strcmp(dot, ".sprx")) { + return; + } + char name[1024]; + char usbdir[1024]; + + strcpy(name, file); + sprintf(usbdir, "%s/%s", usb, name + 2); + + decrypt_and_dump_self_alt(name + 1, usbdir); +} + +int traverse_dir(char * base, char * usb, void( * handler)(char * , char * )) { + char name[1024]; + char usbdir[1024]; + + DIR * dir; + struct dirent * entry; + + if (!(dir = opendir(base))) + return 1; + + while ((entry = readdir(dir)) != NULL) { + char * dname = entry -> d_name; + switch (entry -> d_type) { + case DT_DIR: + if (!strcmp(dname, ".") || + !strcmp(dname, "..") || + !strcmp(dname, "cache0002") || + !strcmp(dname, "dev") || + !strcmp(dname, "mnt") || + !strcmp(dname, "preinst") || + !strcmp(dname, "preinst2") || + !strcmp(dname, "$RECYCLE.BIN") || + !strcmp(dname, "sandbox") || + !strcmp(dname, "system_data") || + !strcmp(dname, "system_tmp") || + !strcmp(dname, "user")) { + continue; + } + + snprintf(name, sizeof(name), "%s/%s", base, dname); + + if (!strcmp(dname, "lib") || !strcmp(dname, "sys")) + sprintf(usbdir, "%s/%s/%s", usb, base + 2, dname); + else + sprintf(usbdir, "%s/%s", usb, base + 2); + + mkdir(usbdir, 0644); + traverse_dir(name, usb, handler); + break; + + case DT_REG: + sprintf(name, "%s/%s", base, dname); + handler(name, usb); + break; + } + } + closedir(dir); + return 0; +} + +int _main(struct thread * td) { + UNUSED(td); + char buf[255]; + + char fw_version[6] = { + 0 + }; + char usb_name[7] = { + 0 + }; + char usb_path[13] = { + 0 + }; + char output_root[PATH_MAX] = { + 0 + }; + + // Initialize PS4 Kernel, libc, and networking + initKernel(); + initLibc(); + 
initSysUtil(); + + // Load and resolve libkernel_sys library + int libk = sceKernelLoadStartModule("libkernel_sys.sprx", 0, NULL, 0, 0, 0); + RESOLVE(libk, sceKernelDebugOutText); + + // Output initialization messages + if (sceKernelDebugOutText) { + sceKernelDebugOutText(0, "==========================\n"); + sceKernelDebugOutText(0, "Hello From inside Shellcore!!!\n"); + sceKernelDebugOutText(0, "==========================\n"); + } + + //jailbreak(); + syscall(11, &kpayload, NULL); + + sprintf(buf, "kernel_base: %p\n", kernel_base); + sceKernelDebugOutText(0, buf); + printf_notification("kbase: %p, waiting 10 secs", kernel_base); + sceKernelDebugOutText(0, "calling sleep\n"); + sceKernelSleep(10); + sceKernelDebugOutText(0, "called sleep\n"); + sceKernelDebugOutText(0, "calling get_firmware_string\n"); + get_firmware_string(fw_version); + sceKernelDebugOutText(0, "called get_firmware_string\n"); + + sprintf(buf, "fw_version: %s\n", fw_version); + sceKernelDebugOutText(0, buf); + + printf_notification("Running Module Dumper"); + wait_for_usb(usb_name, usb_path); + sceKernelDebugOutText(0, "Found USB\n"); + + sprintf(output_root, "%s/PS4", usb_path); + mkdir(output_root, 0777); + sprintf(output_root, "%s/%s", output_root, fw_version); + mkdir(output_root, 0777); + sprintf(output_root, "%s/modules", output_root); + + mkdir(output_root, 0777); + + printf_notification("USB device detected.\n\nStarting module dumping to %s.", usb_name); + + sprintf(buf, "Starting module dumping to %s.\n", usb_name); + sceKernelDebugOutText(0, buf); + + traverse_dir("/", output_root, decrypt_self_to_elf); + + printf_notification("Modules dumped successfully!"); + sceKernelDebugOutText(0, "Modules dumped successfully!"); + + return 0; +} \ No newline at end of file diff --git a/payload/source/main.c b/payload/source/main.c index ea5ebe7b..53aba87c 100644 --- a/payload/source/main.c +++ b/payload/source/main.c 
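Review bot: `_main` builds `output_root` with `sprintf(output_root, "%s/%s", output_root, fw_version)` and `sprintf(output_root, "%s/modules", output_root)`, passing the destination buffer as a `%s` source; C11 7.21.6.6 makes that undefined (copying between overlapping objects), so the path should be extended from an offset instead, as sketched below. Path handling is also bounded inconsistently: the `DT_DIR` branch of `traverse_dir` uses `snprintf(name, sizeof(name), ...)`, but its `DT_REG` branch, its `usbdir` formatting and `decrypt_self_to_elf`'s `strcpy(name, file)`/`sprintf(usbdir, ...)` write into 1024-byte stack buffers unbounded, and a deep tree under `/` can exceed that — use `snprintf` with `sizeof` in all of them. `my_malloc` returns NULL after a failed mmap, but `parse_phdr_alt` and `do_dump_alt` use the result without a check (`memset(buf, 0, ...)` dereferences it), so each caller needs an early return on NULL. `sceKernelDebugOutText` is null-checked once after `RESOLVE` and then called unconditionally from `_main`, `my_malloc` and the error paths of `do_dump_alt`/`decrypt_and_dump_self_alt`; the same pattern is in update_blocker/source/main.c, so a small guarded wrapper would cover both. Lastly `traverse_dir` creates directories with `mkdir(usbdir, 0644)` while `_main` uses 0777; 0644 omits the search bit, so `0755` (or the 0777 used elsewhere) is presumably what was intended.
```c
    // Build the dump root from an offset so no snprintf reads the buffer it writes;
    // usb_path and fw_version are bounded by their 13- and 6-byte declarations.
    int len = snprintf(output_root, sizeof output_root, "%s/PS4", usb_path);
    mkdir(output_root, 0777);
    len += snprintf(output_root + len, sizeof output_root - len, "/%s", fw_version);
    mkdir(output_root, 0777);
    snprintf(output_root + len, sizeof output_root - len, "/modules");
    mkdir(output_root, 0777);
    // … unchanged: notification, traverse_dir call …
```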
@@ -32,7 +32,7 @@ int _main(struct thread *td) { } printf_notification("Payload ran"); - syscall(11, kpayload); + syscall(11, &kpayload, NULL); char buf[255]; sprintf(buf, "kernel_base: %p\n", kernel_base); sceKernelDebugOutText(0, buf); diff --git a/stage2/Makefile b/stage2/Makefile index 87c25173..668f3696 100644 --- a/stage2/Makefile +++ b/stage2/Makefile @@ -6,7 +6,7 @@ OBJCOPY = objcopy CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector LDFLAGS = -T linker.ld -nostartfiles -nostdlib -ifneq ($(filter $(FW), 850 900 903 904 950 960 1000 1001 1050 1070 1071 1100),) +ifneq ($(filter $(FW), 900 1100),) CFLAGS += -DFIRMWARE=$(FW) else $(error "Invalid firmware") diff --git a/stage2/offsets.h b/stage2/offsets.h index 0337c9e7..af379878 100644 --- a/stage2/offsets.h +++ b/stage2/offsets.h @@ -7,7 +7,8 @@ #ifndef __OFFSETS_H__ #define __OFFSETS_H__ -#define ENABLE_DEBUG_MENU 1 +//#define ENABLE_DEBUG_MENU 1 +#define MODULE_DUMPER 1 #if FIRMWARE == 850 // FW 8.50 @@ -353,6 +354,14 @@ #define create_thread_offset 0x00295170 #define all_proc_offset 0x022D0A98 +#if MODULE_DUMPER +#define sceSblACMgrHasMmapSelfCapability 0x003D0E50 +#define sceSblACMgrIsAllowedToMmapSelf 0x003D0E70 +#define sceSblAuthMgrIsLoadable 0x00157F91 +#define depth_patch 0x0028FF26 +#endif + + #else diff --git a/stage2/stage2.c b/stage2/stage2.c index dc6caf19..ae30d0be 100644 --- a/stage2/stage2.c +++ b/stage2/stage2.c @@ -22,6 +22,7 @@ size_t strlen(const char * s) { return t - s; } + int memcmp(const void * str1, const void * str2, size_t count) { const unsigned char * s1 = (const unsigned char * ) str1; 
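Review bot: The new three-argument `syscall(11, &kpayload, NULL)` only matches a stage2 whose `sys_kexec` dispatches on `uap->arg` (the stage2/stage2.c change in this same commit); against the previous `uap->fptr(uap->arg)` it would invoke `kpayload` with a NULL `td`. If stage2 and the payloads can be deployed separately, a comment at the call site would save a confusing failure, e.g. `// kexec ABI from this commit on: td is passed first; a NULL arg selects the one-argument form`.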
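Review bot: `#define MODULE_DUMPER 1` at the top of offsets.h is unconditional, but the four offsets it enables (`sceSblACMgrHasMmapSelfCapability`, `sceSblACMgrIsAllowedToMmapSelf`, `sceSblAuthMgrIsLoadable`, `depth_patch`) are added inside a single firmware block in the second hunk; unless the other firmware the stage2 Makefile now accepts (900 and 1100) has its own definitions outside this diff, stage2.c's `kbase[sceSblACMgrHasMmapSelfCapability]` will not compile for it. Either guard the feature per firmware, `#if MODULE_DUMPER && defined(sceSblACMgrHasMmapSelfCapability)`, or add an `#error` in the block where they are missing so the gap is caught at build time rather than at link or run time. Commenting out `ENABLE_DEBUG_MENU` also leaves `#if !ENABLE_DEBUG_MENU` in stage2.c relying on an undefined macro evaluating to 0; `#define ENABLE_DEBUG_MENU 0` states the intent and keeps `-Wundef` quiet.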
@@ -105,14 +106,11 @@ struct sce_proc * proc_find_by_name(uint8_t * kbase, return NULL; } - #define USB_LOADER 1 - #if FIRMWARE == 1000 || FIRMWARE == 1001 // Temporary dirty hack for 10.0x #define ENABLE_DEBUG_MENU 1 #define USB_LOADER 0 #endif - #if USB_LOADER static int ksys_read(struct thread * td, int fd, void * buf, size_t nbytes) { int( * sys_read)(struct thread * , struct read_args * ) = @@ -131,7 +129,6 @@ static int ksys_read(struct thread * td, int fd, void * buf, size_t nbytes) { return td -> td_retval[0]; } #endif - #if ENABLE_DEBUG_MENU int shellui_patch(struct thread * td, uint8_t * kbase) { uint8_t * libkernel_sys_base = NULL, @@ -331,16 +328,16 @@ int shellcore_fpkg_patch(struct thread * td, uint8_t * kbase) { return ret; } #endif - #define SYS_kexec 11 struct sys_kexec_args { - int( * fptr)(void * ); + int( * fptr)(void *,... ); void * arg; }; static int sys_kexec(struct thread * td, struct sys_kexec_args * uap) { - return uap -> fptr(uap -> arg); + return uap->arg ? uap->fptr(td, uap->arg) : uap->fptr(td); + } void stage2(void) { @@ -379,14 +376,14 @@ void stage2(void) { *(uint16_t * ) kdlsym(copyout_patch1) = 0x9090; memcpy((void * ) kdlsym(copyout_patch2), nops, sizeof(nops)); + *(uint16_t * ) kdlsym(copyinstr_patch1) = 0x9090; memcpy((void * ) kdlsym(copyinstr_patch2), nops, sizeof(nops)); *(uint16_t * ) kdlsym(copyinstr_patch3) = 0x9090; #if !ENABLE_DEBUG_MENU - printf("Patching vm_map_protect, ptrace, ASLR and kmem_alloc\n"); - +#if EXTRA_PATCHES // patch vm_map_protect check memcpy((void * )(kbase + vm_map_protect_p), "\x90\x90\x90\x90\x90\x90", 6); 
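Review bot: The new `sys_kexec` calls through `int (*fptr)(void *, ...)` while the functions actually installed are non-variadic (`int kpayload(struct thread *td)`); calling a function through a pointer of incompatible type is undefined behaviour in C, and although it happens to work for these argument counts on the SysV x86-64 ABI, a pair of correctly typed pointers (one-argument and two-argument) selected by the same `uap->arg` test would avoid relying on that. The dispatch on `uap->arg` also means any caller still using the old two-argument `syscall(11, fn)` reads an uninitialised `arg` field and takes an arbitrary branch — the payload/source/main.c change in this commit updates one caller, so any others should be checked. A one-line comment on the struct, `// arg == NULL selects fptr(td); otherwise fptr(td, arg)`, would document the convention. The added blank line before the closing brace is stray whitespace.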
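Review bot: `#if EXTRA_PATCHES` now wraps the vm_map_protect, ptrace and sceSblACMgrIsAllowedSystemLevelDebugging patches, but nothing in this commit defines `EXTRA_PATCHES` (offsets.h only adds `MODULE_DUMPER`), so the preprocessor treats it as 0 and the whole block, closed by the `#endif` in the `@@ -394` hunk, becomes dead code silently; the removed `printf("Patching vm_map_protect, ...")` was the only runtime hint that it ran. If disabling them is intended, add `#define EXTRA_PATCHES 0` next to `MODULE_DUMPER` in offsets.h with a comment saying why, and keep a `printf` inside the enabled branch so the log still reflects what was patched. The enclosing `stage2()` function starts and ends outside the hunk.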
@@ -394,9 +391,9 @@ void stage2(void) { *(uint8_t * )(kbase + ptrace_p) = 0xEB; memcpy((void * )(kbase + ptrace_p2), "\xE9\x7C\x02\x00\x00", 5); - // patch sceSblACMgrIsAllowedSystemLevelDebugging - memcpy((void * )(kbase + sceSblACMgrIsAllowedSystemLevelDebugging_p), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8); //900 - + //patch sceSblACMgrIsAllowedSystemLevelDebugging + memcpy((void * )(kbase + sceSblACMgrIsAllowedSystemLevelDebugging_p), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8); //900 +#endif // patch ASLR, thanks 2much4u *(uint16_t * )(kbase + disable_aslr_p) = 0x9090; @@ -404,30 +401,10 @@ void stage2(void) { *(uint8_t * )(kbase + kemem_1) = VM_PROT_ALL; *(uint8_t * )(kbase + kemem_2) = VM_PROT_ALL; -#if FIRMWARE == 1100 // FW 11.00, only neeeded for 11.00 - kmem = (uint8_t *)&kbase[0x1E4C33]; // Move to offsets.h? - kmem[0] = 0x90; - kmem[1] = 0x90; - kmem[2] = 0x90; - kmem[3] = 0x90; - kmem[4] = 0x90; - kmem[5] = 0x90; - - kmem = (uint8_t *)&kbase[0x1E4C43]; - kmem[0] = 0x90; - kmem[1] = 0x90; - kmem[2] = 0x90; - kmem[3] = 0x90; - kmem[4] = 0x90; - kmem[5] = 0x90; - - kmem = (uint8_t *)&kbase[0x1E4C63]; - kmem[0] = 0x90; - kmem[1] = 0xE9; - +#if MODULE_DUMPER // Enable MAP_SELF // sceSblACMgrHasMmapSelfCapability - kmem = (uint8_t *)&kbase[0x003D0E50]; + kmem = (uint8_t *)&kbase[sceSblACMgrHasMmapSelfCapability]; kmem[0] = 0xB8; kmem[1] = 0x01; kmem[2] = 0x00; @@ -435,8 +412,9 @@ void stage2(void) { kmem[4] = 0x00; kmem[5] = 0xC3; + // sceSblACMgrIsAllowedToMmapSelf - kmem = (uint8_t *)&kbase[0x003D0E70];//3D0DE0 + kmem = (uint8_t *)&kbase[sceSblACMgrIsAllowedToMmapSelf];//3D0DE0 kmem[0] = 0xB8; kmem[1] = 0x01; kmem[2] = 0x00; 
@@ -444,30 +422,43 @@ void stage2(void) { kmem[4] = 0x00; kmem[5] = 0xC3; + // Patches call to sceSblAuthMgrIsLoadable in vm_mmap2 - kmem = (uint8_t *)&kbase[0x00157F91]; + kmem = (uint8_t *)&kbase[sceSblAuthMgrIsLoadable]; kmem[0] = 0x31; kmem[1] = 0xC0; kmem[2] = 0xEB; kmem[3] = 0x01; -#endif -#else + + // Change directory depth limit from 9 to 64 + kmem = (uint8_t *)&kbase[depth_patch]; + kmem[0] = 0x40; +#endif -#if FIRMWARE == 1000 || FIRMWARE == 1001 // FW 10.0x, 9.00 already has goldhen - // Patch debug setting errors - kmem = (uint8_t *)&kbase[0x004ec908]; - kmem[0] = 0x00; - kmem[1] = 0x00; - kmem[2] = 0x00; - kmem[3] = 0x00; - kmem = (uint8_t *)&kbase[0x004ed9ce]; - kmem[0] = 0x00; - kmem[1] = 0x00; - kmem[2] = 0x00; - kmem[3] = 0x00; +#if FIRMWARE == 1100 // FW 11.00, only neeeded for 11.00 + kmem = (uint8_t *)&kbase[0x1E4C33]; + kmem[0] = 0x90; + kmem[1] = 0x90; + kmem[2] = 0x90; + kmem[3] = 0x90; + kmem[4] = 0x90; + kmem[5] = 0x90; + + kmem = (uint8_t *)&kbase[0x1E4C43]; + kmem[0] = 0x90; + kmem[1] = 0x90; + kmem[2] = 0x90; + kmem[3] = 0x90; + kmem[4] = 0x90; + kmem[5] = 0x90; + + kmem = (uint8_t *)&kbase[0x1E4C63]; + kmem[0] = 0x90; + kmem[1] = 0xE9; #endif +#else #if FIRMWARE == 1100 // FW 11.00, 9.00 already has goldhen // Patch debug setting errors kmem = (uint8_t *)&kbase[0x004EE328]; @@ -482,7 +473,27 @@ void stage2(void) { kmem[2] = 0x00; kmem[3] = 0x00; #endif - +#if FIRMWARE == 1100 // FW 11.00, only neeeded for 11.00 + kmem = (uint8_t *)&kbase[0x1E4C33]; // Move to offsets.h? + kmem[0] = 0x90; + kmem[1] = 0x90; + kmem[2] = 0x90; + kmem[3] = 0x90; + kmem[4] = 0x90; + kmem[5] = 0x90; + + kmem = (uint8_t *)&kbase[0x1E4C43]; + kmem[0] = 0x90; + kmem[1] = 0x90; + kmem[2] = 0x90; + kmem[3] = 0x90; + kmem[4] = 0x90; + kmem[5] = 0x90; + + kmem = (uint8_t *)&kbase[0x1E4C63]; + kmem[0] = 0x90; + kmem[1] = 0xE9; +#endif #endif // Install kexec syscall 11 
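Review bot: The `#if FIRMWARE == 1100` block that patches `0x1E4C33`, `0x1E4C43` and `0x1E4C63` now appears twice, verbatim: once at the end of the `#if !ENABLE_DEBUG_MENU` branch in this hunk and again in the `#else` branch in the `@@ -482` hunk. It does not depend on `ENABLE_DEBUG_MENU`, so it should be hoisted after the outer `#endif` and written once; two copies are where drift starts, and one copy has already lost the "Move to offsets.h?" comment. That comment still applies: the `MODULE_DUMPER` addresses were turned into named offsets in offsets.h in this commit, and these three should go with them under the same firmware guard. The six-byte `kmem[i] = 0x90` runs could also reuse the `nops` array that `stage2()` already copies for the copyout patches, which makes the patch width visible in one place.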
@@ -540,10 +551,10 @@ void stage2(void) { return 0; #endif -#if USB_LOADER - void* buffer = NULL; - void (*free)(void * ptr, int type) = (void *)(kbase + free_offset); - void* M_TEMP = (void *)(kbase + M_TEMP_offset); + #if USB_LOADER + void* buffer = NULL; + void (*free)(void * ptr, int type) = (void *)(kbase + free_offset); + void* M_TEMP = (void *)(kbase + M_TEMP_offset); void * ( * malloc)(unsigned long size, void * type, int flags) = (void * )(kbase + malloc_offset); fd = ksys_open(td, "/mnt/usb0/payload.bin", O_RDONLY, 0); if (fd < 0) @@ -601,7 +612,7 @@ return 0; printf("Writing payload...\n"); // write the payload #if USB_LOADER - // r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, buffer, payload_size, NULL); + // r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, buffer, payload_size, NULL); struct iovec iov; struct uio uio; @@ -658,4 +669,4 @@ return 0; ksys_write(td, fd, & notify, sizeof(notify)); ksys_close(td, fd); } -} +} \ No newline at end of file diff --git a/update_blocker/Makefile b/update_blocker/Makefile new file mode 100644 index 00000000..99a4c5f4 --- /dev/null +++ b/update_blocker/Makefile 
@@ -0,0 +1,37 @@
+LIBPS4 := $(PS4SDK)/libPS4
+
+CC := gcc
+OBJCOPY := objcopy
+ODIR := build
+SDIR := source
+IDIRS := -I$(LIBPS4)/include -Iinclude
+LDIRS := -L$(LIBPS4)
+MAPFILE := $(shell basename "$(CURDIR)").map
+CFLAGS := $(IDIRS) -Os -std=c11 -ffunction-sections -fdata-sections -fno-builtin -nostartfiles -nostdlib -Wall -Wextra -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=small -fpie -fPIC
+LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Xlinker -Map="$(MAPFILE)" -Wl,--build-id=none -Wl,--gc-sections
+CFILES := $(wildcard $(SDIR)/*.c)
+SFILES := $(wildcard $(SDIR)/*.s)
+OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES))
+
+LIBS := -lPS4
+
+TARGET = $(shell basename "$(CURDIR)").bin
+
+$(TARGET): $(ODIR) $(OBJS)
+ $(CC) $(LIBPS4)/crt0.s $(ODIR)/*.o -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS)
+ $(OBJCOPY) -O binary temp.t "$(TARGET)"
+ rm -f temp.t
+
+$(ODIR)/%.o: $(SDIR)/%.c
+ $(CC) -c -o $@ $< $(CFLAGS)
+
+$(ODIR)/%.o: $(SDIR)/%.s
+ $(CC) -c -o $@ $< $(CFLAGS)
+
+$(ODIR):
+ @mkdir $@
+
+.PHONY: clean
+
+clean:
+ rm -rf "$(TARGET)" "$(MAPFILE)" $(ODIR)
diff --git a/update_blocker/source/main.c b/update_blocker/source/main.c
new file mode 100644
index 00000000..f64de1ca
--- /dev/null
+++ b/update_blocker/source/main.c
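Review bot: The `$(ODIR)/%.o` rules do not depend on `$(ODIR)` at all, so under `make -j` the compiler can be invoked with `-o build/main.o` before the `$(ODIR)` prerequisite of `$(TARGET)` has run `mkdir`; the usual fix is an order-only prerequisite on the object rules, `$(ODIR)/%.o: $(SDIR)/%.c | $(ODIR)`, with `$(TARGET): $(OBJS) | $(ODIR)` for the link (directory timestamps are not meaningful as ordinary prerequisites). The link line also uses the glob `$(ODIR)/*.o` instead of `$(OBJS)`, which silently picks up stale objects after a source file is removed. This file is identical to module_dumper/Makefile added in the same commit; a shared include used by both would keep the flags from drifting.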
@@ -0,0 +1,89 @@ + +#include "ps4.h" +char buf[200]; + + +static int( * sceKernelDebugOutText)(int, + const char * ) = NULL; +size_t page_size = 0x4000; + + +void * kernel_base = NULL; +int kpayload(struct thread * td) { + kernel_base = & ((uint8_t * ) __readmsr(0xC0000082))[-0x1C0]; + int (*kprintf)(const char *format, ...) = (void*)(kernel_base+0x02FCBD0); + kprintf("Hello from Kernel\n"); + struct ucred * cred = td -> td_proc -> p_ucred; + kprintf("setting cr_uid ...\n"); + cred -> cr_uid = 0; + kprintf("setting cr_ruid ...\n"); + cred -> cr_ruid = 0; + kprintf("setting cr_rgid ...\n"); + cred -> cr_rgid = 0; + kprintf("setting cr_groups ...\n"); + cred -> cr_groups[0] = 0; + + // escalate ucred privs, needed for access to the filesystem ie* mounting & decrypting files + void * td_ucred = * (void ** )(((char * ) td) + 304); // p_ucred == td_ucred + kprintf("setting sceSblACMgrIsSystemUcred ...\n"); + + // sceSblACMgrIsSystemUcred + uint64_t * sonyCred = (uint64_t * )(((char * ) td_ucred) + 96); + * sonyCred = 0xffffffffffffffff; + + kprintf("setting ceSblACMgrGetDeviceAccessType ...\n"); + + // sceSblACMgrGetDeviceAccessType + uint64_t * sceProcType = (uint64_t * )(((char * ) td_ucred) + 88); + * sceProcType = 0x3801000000000013; // Max access + + kprintf("setting sceSblACMgrHasSceProcessCapability ...\n"); + + // sceSblACMgrHasSceProcessCapability + uint64_t * sceProcCap = (uint64_t * )(((char * ) td_ucred) + 104); + * sceProcCap = 0xffffffffffffffff; // Sce Process + + kprintf("returning from Kernel ...\n"); + return 0; +} + +int _main(struct thread * td) { + UNUSED(td); + + + // Initialize PS4 Kernel, libc, and networking + initKernel(); + initLibc(); + initSysUtil(); + + // Load and resolve libkernel_sys library + int libk = sceKernelLoadStartModule("libkernel_sys.sprx", 0, NULL, 0, 0, 0); + RESOLVE(libk, sceKernelDebugOutText); + + // Output initialization messages + if (sceKernelDebugOutText) { + sceKernelDebugOutText(0, "==========================\n"); + 
sceKernelDebugOutText(0, "Hello From inside Shellcore!!!\n"); + sceKernelDebugOutText(0, "==========================\n"); + } + + //jailbreak(); + syscall(11, &kpayload, NULL); + + sprintf(buf, "kernel_base: %p\n", kernel_base); + sceKernelDebugOutText(0, buf); + sceKernelDebugOutText(0, "Block updates ...\n"); + touch_file("/update/PS4UPDATE.PUP"); + touch_file("/update/PS4UPDATE.PUP.net"); + touch_file("/update/PS4UPDATE.PUP.NET"); + if ((int)unmount("/update", 0x80000LL) < 0) + { + unmount("/update", 0); + } + sceKernelDebugOutText(0, "Blocked updates\n"); + printf_notification("Blocked updates"); + + + + return 0; +} \ No newline at end of file
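Review bot: `kpayload` here derives `kprintf` from the hard-coded `kernel_base+0x02FCBD0` and calls it eight times, whereas the module_dumper copy of the same function in this commit has those lines commented out; the constant is not taken from offsets.h, so on any firmware other than the one it belongs to the call lands on the wrong kernel address. Either route it through a named offset under the firmware guards or drop the prints as the other copy does — the two `kpayload` bodies should not diverge. In `_main`, the `touch_file` return values and the second `unmount` are not checked, so "Blocked updates" is reported regardless of outcome, and `0x80000LL` should be a named flag (presumably `MNT_FORCE`; confirm against the SDK headers) with the retry explained, e.g. `// forced unmount first, plain unmount as fallback`. `page_size` is copied over from module_dumper but is unused in this file.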