11.00 working payload loader

LightningMods · May 3, 2024 · 42773d0 · 42773d0 · DJTOMATO · May 3, 2024
1 parent b060655
commit 42773d0
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/stage2/offsets.h b/stage2/offsets.h
@@ -7,7 +7,7 @@
 
 #ifndef __OFFSETS_H__
 #define __OFFSETS_H__
-#define ENABLE_DEBUG_MENU 1
+//#define ENABLE_DEBUG_MENU 1
 
 #if FIRMWARE == 900 // FW 9.00
 
@@ -60,6 +60,8 @@
 #define vm_map_delete_offset 0x0007E680
 #define create_thread_offset 0x001ED670
 #define all_proc_offset 0x01B946E0
+#define sys_dynlib_dlsym_p 0x0023B67F
+#define sys_dynlib_dlsym_p2 0x00221B40
 
 /* kernel offsets */
 

diff --git a/stage2/stage2.c b/stage2/stage2.c
@@ -330,6 +330,9 @@ static int sys_kexec(struct thread * td, struct sys_kexec_args * uap) {
 }
 
 void stage2(void) {
+
+  // Use "kmem" for all patches
+	uint8_t *kmem;
   uint64_t kaslr_offset = rdmsr(MSR_LSTAR) - kdlsym_addr_Xfast_syscall;
   uint8_t * kbase = (uint8_t * )(rdmsr(0xC0000082) - 0x1C0);
   int( * printf)(const char * format, ...) = (void * ) kdlsym(printf);
@@ -387,6 +390,28 @@ void stage2(void) {
   *(uint8_t * )(kbase + kemem_1) = VM_PROT_ALL;
   *(uint8_t * )(kbase + kemem_2) = VM_PROT_ALL;
 
+#if FIRMWARE == 1100 // FW 11.00, only neeeded for 11.00
+  kmem = (uint8_t *)&kbase[0x1E4C33];
+  kmem[0] = 0x90;
+  kmem[1] = 0x90;
+  kmem[2] = 0x90;
+  kmem[3] = 0x90;
+  kmem[4] = 0x90;
+  kmem[5] = 0x90;
+
+  kmem = (uint8_t *)&kbase[0x1E4C43];
+  kmem[0] = 0x90;
+  kmem[1] = 0x90;
+  kmem[2] = 0x90;
+  kmem[3] = 0x90;
+  kmem[4] = 0x90;
+  kmem[5] = 0x90;
+
+  kmem = (uint8_t *)&kbase[0x1E4C63];
+  kmem[0] = 0x90;
+  kmem[1] = 0xE9;
+#endif
+
   // Install kexec syscall 11
   struct sysent * sys = & sysents[SYS_kexec];
   sys -> sy_narg = 2;