diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..54c2753
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,49 @@
+name: CI
+
+on:
+ push:
+ paths:
+ - '**'
+ workflow_dispatch:
+
+permissions:
+ id-token: write
+ attestations: write
+ contents: write
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: |
+ sudo apt update
+ sudo apt install bash clang-15 lld-15
+ sudo apt install build-essential cmake pkg-config
+
+ - name: Install toolchain
+ run: |
+ wget https://github.com/ps5-payload-dev/pacbrew-repo/releases/download/v0.29/ps5-payload-dev.tar.gz
+ sudo tar xf ps5-payload-dev.tar.gz -C /
+
+ - name: Build
+ run: |
+ sudo chmod +x ./build.sh
+ PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk ./build.sh
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ continue-on-error: true # this will fail if the repo is private
+ with:
+ subject-path: ./byepervisor.elf
+
+ - name: Upload
+ uses: actions/upload-artifact@v4
+ with:
+ name: Byepervisor
+ path: ./byepervisor.elf
+ if-no-files-found: error
diff --git a/Makefile b/Makefile
index f052891..2e77240 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ endif
 ELF := byepervisor.elf
-CFLAGS := -std=c++11 -Wall -Werror -g -I./include -DHEN_BIN_PATH="\"hen/hen.bin\""
+CFLAGS := -std=c++11 -Wall -Werror -g -I./include -DHEN_BIN_PATH="\"hen/hen.bin\"" -lSceSystemService
 all: $(ELF)
diff --git a/README.md b/README.md
index 46a7f31..e1af4fe 100644
--- a/README.md
+++ b/README.md
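Review bot: The "Install toolchain" step downloads `ps5-payload-dev.tar.gz` and unpacks it into `/` as root without verifying what was fetched, so a replaced or tampered release asset becomes the compiler that produces the attested `byepervisor.elf`, and the provenance attestation then vouches for a build made with it. Pin the archive by digest before extracting, e.g. insert `echo "<EXPECTED_SHA256>  ps5-payload-dev.tar.gz" | sha256sum -c -` between the `wget` and the `sudo tar` lines, and for the same reason consider referencing `actions/checkout`, `actions/attest-build-provenance` and `actions/upload-artifact` by commit SHA rather than by tag. `permissions: contents: write` is broader than these steps need — checkout, attestation and artifact upload work with `contents: read`, with `id-token: write` and `attestations: write` covering the attestation itself. The two `sudo apt install` lines have no `-y`; on the non-interactive runner that appears likely to abort at the confirmation prompt whenever a package is not already present, so `sudo apt install -y ...` looks necessary.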
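Review bot: `-lSceSystemService` is a linker input, but the changed line appends it to `CFLAGS`, which is normally also passed to compile-only invocations; clang reports `-lSceSystemService: 'linker' input unused` for those, and with `-Werror` on the same line that warning is an error, so if this Makefile compiles objects with `-c` (the rules are outside the hunk) the build fails. Keep link inputs in a link-stage variable instead, e.g. `LDLIBS := -lSceSystemService` here and `$(LDLIBS)` appended to the `$(ELF)` link rule.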
@@ -18,7 +18,7 @@ The primary and recommended exploit takes advantage of the fact that system Qual These flags are not reinitialized by the secure loader upon resume from sleep mode, though the hypervisor is. By setting the SL flag, putting the system to sleep, and resuming, we can edit the guest kernel's pagetables to make kernel .text pages read/writable, allowing dumping of the kernel and hooks/patches. ## Important Notes -- Currently only 2.50 FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time. +- Currently only listed FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time. - The exploit payload (byepervisor.elf) will need to be sent twice, once before suspending the system and again after resuming. - You will have to put the system into rest mode manually yourself - Kernel dump from QA flags exploit will not contain hypervisor's .data region at the moment, if this is important for you, dump using the jump table exploit after porting or disable nested paging first (this is a TODO) @@ -26,7 +26,11 @@ These flags are not reinitialized by the secure loader upon resume from sleep mo ## Currently included - Kernel dumping code (commented out, running this code *will* panic the system as it will try to dump as much as it can before hitting unmapped memory) - Code to decrypt system library SELFs over TCP -- Homebrew enabler (HEN) for 2.50 firmware (fself+fpkg) +- Homebrew enabler (HEN) (fself+fpkg) + +## Firmware Status +- Completed: 1.00, 1.01, 1.02, 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70 +- Not Completed: 1.05, 1.10, 1.11, 1.13 ## Build notes This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com/ps5-payload-dev/sdk). Note also that the build for `hen/` is slightly special, as it gets compiled to a flat binary thats copied into a kernel code cave. The entirety of code in `hen/` runs in supervisor/kernel mode. 
@@ -41,7 +45,6 @@ This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com ## Future work - [ ] Support more firmwares (offsets) - [ ] Make it so `byepervisor.elf` only needs to be sent once -- [ ] Automatically suspend the system? - [ ] Patch vmcbs with QA flags exploit to dump hypervisor data ## Credits / Shouts
diff --git a/_old_jump_table_exploit/include/offsets/1_05.h b/_old_jump_table_exploit/include/offsets/1_05.h
new file mode 100644
index 0000000..92b12bb
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_05.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_05_H
+#define OFFSETS_1_05_H
+
+uint64_t g_sym_map_105[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb98, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_105[] = {
+ 0x2, // KERNEL_GADGET_RET
+ 0x1531f2, // KERNEL_GADGET_INFLOOP
+ 0xaa9140, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa97b1, // KERNEL_GADGET_RETURN_ADDR
+ 0x18ea78, // KERNEL_GADGET_POP_RDI
+ 0x1230c4, // KERNEL_GADGET_POP_RSI
+ 0x1100c2, // KERNEL_GADGET_POP_RDX
+ 0x1ab6d0, // KERNEL_GADGET_POP_RAX
+ 0x12d876, // KERNEL_GADGET_POP_RBX
+ 0x1ea199, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681cfb, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x646f21, // KERNEL_GADGET_POP_R12
+ 0x3f2c36, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x149b8f, // KERNEL_GADGET_POP_RSP
+ 0x153790, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153937, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2309e0, // KERNEL_GADGET_SETJMP
+ 0x230a10, // KERNEL_GADGET_LONGJMP
+ 0xb1ecac, // KERNEL_GADGET_JOP1
+ 0x1c0e8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_05_H
diff --git a/_old_jump_table_exploit/include/offsets/1_10.h b/_old_jump_table_exploit/include/offsets/1_10.h
new file mode 100644
index 0000000..e693fef
--- /dev/null
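Review bot: `g_sym_map_105` and `g_gadget_map_105` are definitions, not declarations, placed in a header with external linkage and no `const`: every translation unit that includes `offsets/1_05.h` gets its own copy, so a second include anywhere in the tree is a duplicate-symbol link error, and the tables end up in writable `.data` although nothing in these hunks modifies them. `static const uint64_t g_sym_map_105[] = {` (and the same for the gadget table) fixes both, and the header should include `<stdint.h>` itself since it uses `uint64_t`. The same applies to the `1_10.h` … `2_30.h` headers in the following hunks and to the `hen/include/hooks/*.h` tables further down. Separately, `0x2` for `KERNEL_GADGET_RET` stands out against `0x1030eb` in every other 1.x table; as the README in this commit lists 1.05 as not completed, a `// TODO: placeholder, not yet resolved` comment on that entry would stop it being read as a real offset.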
+++ b/_old_jump_table_exploit/include/offsets/1_10.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb98, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_110[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa9160, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa97d1, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x8232f6, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681d5b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x646f61, // KERNEL_GADGET_POP_R12
+ 0x3f2c76, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1eccc, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_10_H
diff --git a/_old_jump_table_exploit/include/offsets/1_11.h b/_old_jump_table_exploit/include/offsets/1_11.h
new file mode 100644
index 0000000..a60aa5a
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_11.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_11_H
+#define OFFSETS_1_11_H
+
+uint64_t g_sym_map_111[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_111[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa92c0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa9931, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x8356d2, // KERNEL_GADGET_POP_RDX
+ 0x13e183, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681dfb, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x647001, // KERNEL_GADGET_POP_R12
+ 0x3f2c76, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1ed9c, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_11_H
diff --git a/_old_jump_table_exploit/include/offsets/1_12.h b/_old_jump_table_exploit/include/offsets/1_12.h
new file mode 100644
index 0000000..5af508a
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_12.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_12_H
+#define OFFSETS_1_12_H
+
+uint64_t g_sym_map_112[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_112[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa9410, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa9A81, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x476842, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681f4b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x6470d1, // KERNEL_GADGET_POP_R12
+ 0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1eeec, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_12_H
diff --git a/_old_jump_table_exploit/include/offsets/1_13.h b/_old_jump_table_exploit/include/offsets/1_13.h
new file mode 100644
index 0000000..1b3180d
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_13.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_113[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa93e0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa9a51, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x28aaaa, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681f4b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x6470d1, // KERNEL_GADGET_POP_R12
+ 0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1eebc, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_13_H
diff --git a/_old_jump_table_exploit/include/offsets/1_14.h b/_old_jump_table_exploit/include/offsets/1_14.h
new file mode 100644
index 0000000..d8a68c9
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_14.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebbd8, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_114[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa9990, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaaa001, // KERNEL_GADGET_RETURN_ADDR
+ 0x116a3d, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x124952, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681f6b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x6470f1, // KERNEL_GADGET_POP_R12
+ 0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1484be, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1f46c, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_14_H
diff --git a/_old_jump_table_exploit/include/offsets/2_20.h b/_old_jump_table_exploit/include/offsets/2_20.h
new file mode 100644
index 0000000..7e9db9b
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_20.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x245B0C0, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248EBB0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_220[] = {
+ 0x103c4e, // KERNEL_GADGET_RET
+ 0x16aff2, // KERNEL_GADGET_INFLOOP
+ 0xadfb40, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae01af, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6878, // KERNEL_GADGET_POP_RDI
+ 0x125c34, // KERNEL_GADGET_POP_RSI
+ 0x1984e2, // KERNEL_GADGET_POP_RDX
+ 0x1c34d0, // KERNEL_GADGET_POP_RAX
+ 0x133166, // KERNEL_GADGET_POP_RBX
+ 0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x672937, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62cda1, // KERNEL_GADGET_POP_R12
+ 0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14acb7, // KERNEL_GADGET_POP_RSP
+ 0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2488f0, // KERNEL_GADGET_SETJMP
+ 0x248920, // KERNEL_GADGET_LONGJMP
+ 0xb5d12c, // KERNEL_GADGET_JOP1
+ 0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_20_H
diff --git a/_old_jump_table_exploit/include/offsets/2_25.h b/_old_jump_table_exploit/include/offsets/2_25.h
new file mode 100644
index 0000000..efe4766
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_25.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+ 0x4cb3b50, // KERNEL_SYM_DMPML4I
+ 0x4cb3b54, // KERNEL_SYM_DMPDPI
+ 0x4cb38ac, // KERNEL_SYM_PML4PML4I
+ 0x4cb38c8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x245b180, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_225[] = {
+ 0x103c4e, // KERNEL_GADGET_RET
+ 0x16aff2, // KERNEL_GADGET_INFLOOP
+ 0xadfbf0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae025f, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6878, // KERNEL_GADGET_POP_RDI
+ 0x167430, // KERNEL_GADGET_POP_RSI
+ 0x1984e2, // KERNEL_GADGET_POP_RDX
+ 0x1c34d0, // KERNEL_GADGET_POP_RAX
+ 0x133166, // KERNEL_GADGET_POP_RBX
+ 0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x6729e7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62ce51, // KERNEL_GADGET_POP_R12
+ 0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14acb7, // KERNEL_GADGET_POP_RSP
+ 0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2488f0, // KERNEL_GADGET_SETJMP
+ 0x248920, // KERNEL_GADGET_LONGJMP
+ 0xb5d2bc, // KERNEL_GADGET_JOP1
+ 0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_25_H
diff --git a/_old_jump_table_exploit/include/offsets/2_26.h b/_old_jump_table_exploit/include/offsets/2_26.h
new file mode 100644
index 0000000..4034f56
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_26.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_26_H
+#define OFFSETS_2_26_H
+
+uint64_t g_sym_map_226[] = {
+ 0x4cb3b50, // KERNEL_SYM_DMPML4I
+ 0x4cb3b54, // KERNEL_SYM_DMPDPI
+ 0x4cb38ac, // KERNEL_SYM_PML4PML4I
+ 0x4cb38c8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x245b180, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_226[] = {
+ 0x103c4e, // KERNEL_GADGET_RET
+ 0x16aff2, // KERNEL_GADGET_INFLOOP
+ 0xadfc20, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae028f, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6878, // KERNEL_GADGET_POP_RDI
+ 0x167430, // KERNEL_GADGET_POP_RSI
+ 0x1984e2, // KERNEL_GADGET_POP_RDX
+ 0x1c34d0, // KERNEL_GADGET_POP_RAX
+ 0x133166, // KERNEL_GADGET_POP_RBX
+ 0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x6729e7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62ce51, // KERNEL_GADGET_POP_R12
+ 0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14acb7, // KERNEL_GADGET_POP_RSP
+ 0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2488f0, // KERNEL_GADGET_SETJMP
+ 0x248920, // KERNEL_GADGET_LONGJMP
+ 0xb5d2ec, // KERNEL_GADGET_JOP1
+ 0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_26_H
diff --git a/_old_jump_table_exploit/include/offsets/2_30.h b/_old_jump_table_exploit/include/offsets/2_30.h
new file mode 100644
index 0000000..8ecb489
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_30.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_30_H
+#define OFFSETS_2_30_H
+
+uint64_t g_sym_map_230[] = {
+ 0x4cb3b50, // KERNEL_SYM_DMPML4I
+ 0x4cb3b54, // KERNEL_SYM_DMPDPI
+ 0x4cb38ac, // KERNEL_SYM_PML4PML4I
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x4cb38c8, // KERNEL_SYM_PMAP_STORE
+ 0x245be20, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_230[] = {
+ 0x103f7e, // KERNEL_GADGET_RET
+ 0x16acb2, // KERNEL_GADGET_INFLOOP
+ 0xae0030, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae069f, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6538, // KERNEL_GADGET_POP_RDI
+ 0x13ee4e, // KERNEL_GADGET_POP_RSI
+ 0x33ad4d, // KERNEL_GADGET_POP_RDX
+ 0x1c3190, // KERNEL_GADGET_POP_RAX
+ 0x1325f6, // KERNEL_GADGET_POP_RBX
+ 0x201c59, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x672cb7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62d121, // KERNEL_GADGET_POP_R12
+ 0x3b27e6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14a127, // KERNEL_GADGET_POP_RSP
+ 0x16b250, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b3f7, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2485b0, // KERNEL_GADGET_SETJMP
+ 0x2485e0, // KERNEL_GADGET_LONGJMP
+ 0xb5d70c, // KERNEL_GADGET_JOP1
+ 0x1d894f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_30_H
diff --git a/_old_jump_table_exploit/src/kdlsym.c b/_old_jump_table_exploit/src/kdlsym.c
index 2483928..988f599 100644
--- a/_old_jump_table_exploit/src/kdlsym.c
+++ b/_old_jump_table_exploit/src/kdlsym.c
@@ -3,10 +3,18 @@
 #include "debug_log.h"
 #include "kdlsym.h"
-
+#include "offsets/1_05.h"
+#include "offsets/1_10.h"
+#include "offsets/1_11.h"
+#include "offsets/1_12.h"
+#include "offsets/1_13.h"
+#include "offsets/1_14.h"
 #include "offsets/2_00.h"
+#include "offsets/2_20.h"
+#include "offsets/2_25.h"
+#include "offsets/2_26.h"
+#include "offsets/2_30.h"
 #include "offsets/2_50.h"
-
 uint64_t g_fw_version;
 uint64_t g_kernel_base = 0;
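Review bot: In `g_sym_map_230` the `KERNEL_SYM_DATA_CAVE` and `KERNEL_SYM_PMAP_STORE` entries are in the opposite order from every other table in this commit (`1_05.h` through `2_26.h` all list `PMAP_STORE` fourth and `DATA_CAVE` fifth), and `kdlsym()` indexes these arrays positionally with `g_sym_map_230[sym]`, so on 2.30 `KERNEL_SYM_PMAP_STORE` would resolve to `0x7C40000` and `KERNEL_SYM_DATA_CAVE` to `0x4cb38c8`. Unless the `ksym_t` enum order differs for this firmware, which nothing in the diff suggests, swap the two lines so the table reads `0x4cb38c8, // KERNEL_SYM_PMAP_STORE` followed by `0x7C40000, // KERNEL_SYM_DATA_CAVE`. A comment above each table such as `// Order must match ksym_t; entries are looked up by enum index` is the cheap defence against this class of mistake, since a length check cannot catch a pure reordering.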
@@ -17,8 +25,23 @@ void init_kdlsym()
 // Resolve symbols
 switch (g_fw_version) {
+ case 0x1000000:
+ case 0x1020000:
+ case 0x1050000:
+ case 0x1100000:
+ case 0x1110000:
+ case 0x1120000:
+ case 0x1130000:
+ case 0x1140000:
+ g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B40000;
+ break;
 case 0x2000000:
+ case 0x2200000:
+ case 0x2250000:
+ case 0x2260000:
+ case 0x2300000:
 case 0x2500000:
+ case 0x2700000:
 g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B80000;
 break;
 }
@@ -44,9 +67,30 @@ uint64_t kdlsym(ksym_t sym)
 return 0;
 switch (g_fw_version) {
+ case 0x1050000:
+ return g_kernel_base + g_sym_map_105[sym];
+ case 0x1100000:
+ return g_kernel_base + g_sym_map_110[sym];
+ case 0x1110000:
+ return g_kernel_base + g_sym_map_111[sym];
+ case 0x1120000:
+ return g_kernel_base + g_sym_map_112[sym];
+ case 0x1130000:
+ return g_kernel_base + g_sym_map_113[sym];
+ case 0x1140000:
+ return g_kernel_base + g_sym_map_114[sym];
 case 0x2000000:
 return g_kernel_base + g_sym_map_200[sym];
+ case 0x2200000:
+ return g_kernel_base + g_sym_map_220[sym];
+ case 0x2250000:
+ return g_kernel_base + g_sym_map_225[sym];
+ case 0x2260000:
+ return g_kernel_base + g_sym_map_226[sym];
+ case 0x2300000:
+ return g_kernel_base + g_sym_map_230[sym];
 case 0x2500000:
+ case 0x2700000:
 return g_kernel_base + g_sym_map_250[sym];
 }
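Review bot: The new 1.x case list in `init_kdlsym()` goes from `case 0x1000000:` to `case 0x1020000:` and skips `0x1010000`, while the README in this same commit lists 1.01 as completed and a `hen/include/hooks/1_01.h` table is added; if 1.01 is meant to reach this old exploit too, `g_kernel_base` stays `0` there and every `kdlsym()`/`kdlgadget()` result is an unrebased offset. If the omission is deliberate, a comment on the case list saying so would help; otherwise add `case 0x1010000:` after `case 0x1000000:`. The `switch` also has no `default`, so an unrecognised firmware silently leaves `g_kernel_base` at `0` — a `default:` that logs the unsupported version (the file already includes `debug_log.h`) would make a wrong-firmware run fail loudly instead of computing garbage addresses. The body of `init_kdlsym()` begins and continues outside the hunk.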
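Review bot: `init_kdlsym()` now resolves a kernel base for `0x1000000` and `0x1020000`, but `kdlsym()` has no case for either (the diff adds no `g_sym_map_100`/`g_sym_map_102`), so on 1.00/1.02 the call falls out of the `switch` into whatever follows it outside the hunk; `kdlgadget()` in the next hunk has the same gap. Either drop those two versions from `init_kdlsym()` with a comment explaining why, or add the missing tables. `0x2700000` reuses `g_sym_map_250` (and `g_gadget_map_250` in `kdlgadget()`), which is only right if the 2.70 kernel layout is identical to 2.50; a comment such as `// 2.70 shares the 2.50 layout, verified against <2.70 dump>` would record that instead of leaving it to look like a copy-paste. Every branch indexes its table with `sym` unchecked; a `_Static_assert(sizeof g_sym_map_105 / sizeof g_sym_map_105[0] == <number of ksym_t values>, "...")` per table would at least pin the table lengths to the enum. `kdlsym()` starts before and ends after the hunk.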
@@ -64,9 +108,30 @@ uint64_t kdlgadget(kgadget_t gadget)
 return 0;
 switch (g_fw_version) {
+ case 0x1050000:
+ return g_kernel_base + g_gadget_map_105[gadget];
+ case 0x1100000:
+ return g_kernel_base + g_gadget_map_110[gadget];
+ case 0x1110000:
+ return g_kernel_base + g_gadget_map_111[gadget];
+ case 0x1120000:
+ return g_kernel_base + g_gadget_map_112[gadget];
+ case 0x1130000:
+ return g_kernel_base + g_gadget_map_113[gadget];
+ case 0x1140000:
+ return g_kernel_base + g_gadget_map_114[gadget];
 case 0x2000000:
 return g_kernel_base + g_gadget_map_200[gadget];
+ case 0x2200000:
+ return g_kernel_base + g_gadget_map_220[gadget];
+ case 0x2250000:
+ return g_kernel_base + g_gadget_map_225[gadget];
+ case 0x2260000:
+ return g_kernel_base + g_gadget_map_226[gadget];
+ case 0x2300000:
+ return g_kernel_base + g_gadget_map_230[gadget];
 case 0x2500000:
+ case 0x2700000:
 return g_kernel_base + g_gadget_map_250[gadget];
 }
diff --git a/hen/include/hooks/1_00.h b/hen/include/hooks/1_00.h
new file mode 100644
index 0000000..5884e99
--- /dev/null
+++ b/hen/include/hooks/1_00.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_00_H
+#define HOOKS_1_00_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_100[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x90719b,
+ 0x990d80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcd71,
+ 0x8a5850
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd4ee,
+ 0x8a5820
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de339,
+ 0x8a5820
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371075,
+ 0x563a50
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37157f,
+ 0x563a50
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371b25,
+ 0x563a50
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc5d,
+ 0x5a9740
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8664bc,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x866761,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5646,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d506f,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50db,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e0dd,
+ 0x729990
+ }
+};
+
+#endif // HOOKS_1_00_H
diff --git a/hen/include/hooks/1_01.h b/hen/include/hooks/1_01.h
new file mode 100644
index 0000000..c9e242e
--- /dev/null
+++ b/hen/include/hooks/1_01.h
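Review bot: Each entry of `g_kernel_hooks_100` is three bare values with nothing in this file saying what they are; a one-line comment above the table such as `// { hook id, <field 2 as named in struct hook>, <field 3 as named in struct hook> }` filled in from the field names `hook.h` actually uses would make all nine firmware tables in this commit reviewable. The `HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE` entry here has `0x8a5850` as its third value, above the `0x8a5820` of the `AUTH_HEADER`/`RESUME` entries, whereas in every other table that value is `0x60` below them (`0x8a5890` vs `0x8a58f0` in 1.01, `0x8a5850` vs `0x8a58b0` in 1.02); it may be correct for 1.00, but since `0x8a5850` is exactly the 1.02 value it is worth re-checking against the 1.00 dump.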
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_01_H
+#define HOOKS_1_01_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_101[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x90720b,
+ 0x990df0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcd71,
+ 0x8a5890
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd4ee,
+ 0x8a58f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de339,
+ 0x8a58f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371075,
+ 0x563a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37157f,
+ 0x563a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371b25,
+ 0x563a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc5d,
+ 0x5a9760
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86652c,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8667d1,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5646,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d506f,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50db,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e0dd,
+ 0x729a00
+ }
+};
+
+#endif // HOOKS_1_01_H
diff --git a/hen/include/hooks/1_02.h b/hen/include/hooks/1_02.h
new file mode 100644
index 0000000..a0dfae5
--- /dev/null
+++ b/hen/include/hooks/1_02.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_02_H
+#define HOOKS_1_02_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_102[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x9071cb,
+ 0x990db0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcd71,
+ 0x8a5850
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd4ee,
+ 0x8a58b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de339,
+ 0x8a58b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371075,
+ 0x563a80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37157f,
+ 0x563a80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371b25,
+ 0x563a80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc5d,
+ 0x5a9770
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8664ec,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x866791,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5646,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d506f,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50db,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e0dd,
+ 0x7299c0
+ }
+};
+
+#endif // HOOKS_1_02_H
diff --git a/hen/include/hooks/1_05.h b/hen/include/hooks/1_05.h
new file mode 100644
index 0000000..31f46d1
--- /dev/null
+++ b/hen/include/hooks/1_05.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_05_H
+#define HOOKS_1_05_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_105[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x9079ab,
+ 0x9915f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcda1,
+ 0x8a6960
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd51e,
+ 0x8a69c0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de369,
+ 0x8a69c0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371295,
+ 0x563f60
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37179f,
+ 0x563f60
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371d45,
+ 0x563f60
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc8d,
+ 0x5a9c50
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8675fc,
+ 0x563f60
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8678a1,
+ 0x563f60
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5676,
+ 0x563f60
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d509f,
+ 0x563f60
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d510b,
+ 0x563f60
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e2fd,
+ 0x729f30
+ }
+};
+
+#endif // HOOKS_1_05_H
diff --git a/hen/include/hooks/1_10.h b/hen/include/hooks/1_10.h
new file mode 100644
index 0000000..4c7d0a4
--- /dev/null
+++ b/hen/include/hooks/1_10.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_10_H
+#define HOOKS_1_10_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_110[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x9079bb,
+ 0x991600
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6970
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a69d0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a69d0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x3712d5,
+ 0x563fa0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x3717df,
+ 0x563fa0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371d85,
+ 0x563fa0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9c90
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86760c,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8678b1,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x729f40
+ }
+};
+
+#endif // HOOKS_1_10_H
diff --git a/hen/include/hooks/1_11.h b/hen/include/hooks/1_11.h
new file mode 100644
index 0000000..79cf885
--- /dev/null
+++ b/hen/include/hooks/1_11.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_11_H
+#define HOOKS_1_11_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_111[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x907b0b,
+ 0x991760
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6ad0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6ad0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x3712d5,
+ 0x563fc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x3717df,
+ 0x563fc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371d85,
+ 0x563fc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9cb0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86770c,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8679b1,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a030
+ }
+};
+
+#endif // HOOKS_1_11_H
diff --git a/hen/include/hooks/1_12.h b/hen/include/hooks/1_12.h
new file mode 100644
index 0000000..3f01cde
--- /dev/null
+++ b/hen/include/hooks/1_12.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_12_H
+#define HOOKS_1_12_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_112[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x907c5b,
+ 0x36cabc
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6bc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6c20
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6c20
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371305,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37180f,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371db5,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9d20
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86785c,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x867b01,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a180
+ }
+};
+
+#endif // HOOKS_1_12_H
diff --git a/hen/include/hooks/1_13.h b/hen/include/hooks/1_13.h
new file mode 100644
index 0000000..e32f47e
--- /dev/null
+++ b/hen/include/hooks/1_13.h
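Review bot: The `HOOK_TEST_SYS_IS_DEVELOPMENT_MODE` entry's third value `0x36cabc` is the only one across the nine hook tables in this commit outside the `0x990d80`–`0x991e30` band (1.11 has `0x991760`, 1.13 has `0x991880`), while its first value `0x907c5b` sits between the 1.11 and 1.13 values as the others do. That may be a deliberately different target for this firmware, but it reads like a mis-pasted offset; if it is intended, a trailing comment on that line such as `// 1.12 intentionally differs from the 1.1x series here` would stop the next reader from "fixing" it.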
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_13_H
+#define HOOKS_1_13_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_113[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x907c2b,
+ 0x991880
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6b70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6bd0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6bd0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371305,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37180f,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371db5,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9d20
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86780c,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x867ab1,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a130
+ }
+};
+
+#endif // HOOKS_1_13_H
diff --git a/hen/include/hooks/1_14.h b/hen/include/hooks/1_14.h
new file mode 100644
index 0000000..ddc3b81
--- /dev/null
+++ b/hen/include/hooks/1_14.h
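Review bot: The three columns of each `{ ... }` initializer are undocumented, and a reader has to cross-reference the 1.13 offsets table to work out that the third value is a function address (e.g. `0x8a6b70` equals KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2 there) while the second is a location inside kernel .text. A one-line comment above the table, `/* { hook id, call-site offset in kernel .text, original call target — cross-check against offsets/1_13.h } */`, would make the table reviewable on its own; if `struct hook` in hook.h names its fields and the hen build is C99 or later, designated initializers (`.id =`, `.call_site =`, `.target =`) would be better still. The column meaning here is inferred from the values, not from code visible in this hunk, so please confirm it before wording the comment.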
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_14_H
+#define HOOKS_1_14_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_114[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x9081db,
+ 0x991e30
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6be0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6c40
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6c40
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371305,
+ 0x564050
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37180f,
+ 0x564050
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371db5,
+ 0x564050
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9d40
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86787c,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x867b21,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a1a0
+ }
+};
+
+#endif // HOOKS_1_14_H
diff --git a/hen/include/hooks/2_00.h b/hen/include/hooks/2_00.h
new file mode 100644
index 0000000..7a0fdc4
--- /dev/null
+++ b/hen/include/hooks/2_00.h
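Review bot: Nothing in this table lets the patcher confirm it is looking at the kernel the numbers were derived from; if the firmware is misdetected or one of these fourteen call-site offsets is off, the hook write lands in arbitrary kernel .text and the first symptom is a panic. The third column appears to be the original call target (each value equals the matching KERNEL_SYM_* entry in the 1.14 offsets table, e.g. `0x8a6be0`, `0x8a6c40`, `0x564050`, `0x5a9d40`), which is enough for a cheap pre-check before any write: confirm the byte at `call_site` is the `E8` call opcode and that `call_site + 5 + rel32 == target`, e.g. `if (*(uint8_t *)site != 0xE8 || (uint64_t)(site + 5 + *(int32_t *)(site + 1)) != target) return -1;`, and abandon the whole table on the first mismatch. That code lives outside this hunk; the suggestion is only that the table already carries what it needs and that the check be made mandatory rather than best-effort.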
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_00_H
+#define HOOKS_2_00_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_200[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x92976b,
+ 0x9b7840
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2915a1,
+ 0x8c2da0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291d29,
+ 0x8c2e00
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x292b4b,
+ 0x8c2e00
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c915,
+ 0x534060
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32cdff,
+ 0x534060
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d3a5,
+ 0x534060
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x29148d,
+ 0x580890
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87d60c,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87d8b1,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28a116,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289b3f,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289bab,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e587d,
+ 0x725e40
+ }
+};
+
+#endif // HOOKS_2_00_H
diff --git a/hen/include/hooks/2_20.h b/hen/include/hooks/2_20.h
new file mode 100644
index 0000000..88272e2
--- /dev/null
+++ b/hen/include/hooks/2_20.h
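Review bot: All nine hook tables in this commit have fourteen entries in the same HOOK_* order, but nothing checks it, so a future table that drops or duplicates an entry compiles cleanly and is only noticed when the hooks are applied in kernel mode. A line after the table, `_Static_assert(sizeof(g_kernel_hooks_200) / sizeof(g_kernel_hooks_200[0]) == 14, "2.00 hook table must have 14 entries");` (with the 14 replaced by a HOOK_COUNT constant from hook.h if one exists), makes the invariant explicit at compile time; if the hen tree is compiled as C++, `static_assert` is the spelling. The same line belongs in each sibling header.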
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_20_H
+#define HOOKS_2_20_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_220[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x929c2b,
+ 0x9b7d00
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2915e1,
+ 0x8c3250
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291d69,
+ 0x8c32a0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x292b8b,
+ 0x8c32a0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c955,
+ 0x5340b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32ce3f,
+ 0x5340b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d3e5,
+ 0x5340b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2914cd,
+ 0x580a00
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87daac,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87dd51,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28a156,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289b7f,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289beb,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e58bd,
+ 0x726300
+ }
+};
+
+#endif // HOOKS_2_20_H
\ No newline at end of file
diff --git a/hen/include/hooks/2_25.h b/hen/include/hooks/2_25.h
new file mode 100644
index 0000000..f0294b9
--- /dev/null
+++ b/hen/include/hooks/2_25.h
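Review bot: The third value of the `HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE` entry, `0x8c3250`, disagrees with KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2 = `0x08C3240` in the 2.20 offsets table added by this same commit, whereas every other firmware's hook table agrees with its offsets table for this slot. In all of those tables the function sits exactly 0x60 below SCESBLAUTHMGRVERIFYHEADER, which here is `0x8c32a0`, so `0x8c3240` is the value consistent with both; one of the two 2.20 tables is off by 0x10 and should be checked against a 2.20 kernel before the hook is applied. Minor: this is the only hook header in the commit that ends without a trailing newline.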
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_25_H
+#define HOOKS_2_25_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_225[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x929cdb,
+ 0x9b7db0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2915e1,
+ 0x8c32f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291d69,
+ 0x8c3350
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x292b8b,
+ 0x8c3350
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c955,
+ 0x534160
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32ce3f,
+ 0x534160
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d3e5,
+ 0x534160
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2914cd,
+ 0x580ab0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87db5c,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87de01,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28a156,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289b7f,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289beb,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e58bd,
+ 0x7263b0
+ }
+};
+
+#endif // HOOKS_2_25_H
diff --git a/hen/include/hooks/2_26.h b/hen/include/hooks/2_26.h
new file mode 100644
index 0000000..0116f6d
--- /dev/null
+++ b/hen/include/hooks/2_26.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_26_H
+#define HOOKS_2_26_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_226[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x929d0b,
+ 0x9b7de0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2915e1,
+ 0x8c3320
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291d69,
+ 0x8c3380
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x292b8b,
+ 0x8c3380
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c955,
+ 0x534160
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32ce3f,
+ 0x534160
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d3e5,
+ 0x534160
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2914cd,
+ 0x580ab0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87db8c,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87de31,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28a156,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289b7f,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289beb,
+ 0x534160
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e58bd,
+ 0x7263b0
+ }
+};
+
+#endif // HOOKS_2_26_H
diff --git a/hen/include/hooks/2_30.h b/hen/include/hooks/2_30.h
new file mode 100644
index 0000000..e3d4bd0
--- /dev/null
+++ b/hen/include/hooks/2_30.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_30_H
+#define HOOKS_2_30_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_230[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x929fdb,
+ 0x9b80b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2912c1,
+ 0x8c35f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291a49,
+ 0x8c3650
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x29286b,
+ 0x8c3650
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c635,
+ 0x5340c0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32cb1f,
+ 0x5340c0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d0c5,
+ 0x5340c0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2911ad,
+ 0x580d80
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87de5c,
+ 0x5340c0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87e101,
+ 0x5340c0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289e36,
+ 0x5340c0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28985f,
+ 0x5340c0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2898cb,
+ 0x5340c0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e559d,
+ 0x726680
+ }
+};
+
+#endif // HOOKS_2_30_H
diff --git a/hen/include/offsets/1_00.h b/hen/include/offsets/1_00.h
new file mode 100644
index 0000000..9988302
--- /dev/null
+++ b/hen/include/offsets/1_00.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_00_H
+#define OFFSETS_1_00_H
+
+uint64_t g_sym_map_100[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0070, // KERNEL_SYM_PRINTF
+ 0x08A5820, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A63D0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9740, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457540, // KERNEL_SYM_M_TEMP
+ 0x0A9C6A0, // KERNEL_SYM_MALLOC
+ 0x0A9CA50, // KERNEL_SYM_FREE
+ 0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A5880, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563A50, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC380, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907510, // KERNEL_SYM_RW_MEM
+ 0x4211BF8, // KERNEL_SYM_ALLPROC
+ 0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059EC40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059ED40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689380, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x06894E0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0814F30, // KERNEL_SYM_SHA256_HMAC
+ 0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729A50, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_00_H
diff --git a/hen/include/offsets/1_01.h b/hen/include/offsets/1_01.h
new file mode 100644
index 0000000..1532023
--- /dev/null
+++ b/hen/include/offsets/1_01.h
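Review bot: `uint64_t g_sym_map_100[]` is a positional table whose meaning is carried only by trailing comments, so inserting or removing one entry silently shifts every KERNEL_SYM_* lookup after it onto the wrong kernel address, and these addresses are dereferenced and written in ring 0. If the KERNEL_SYM_* names in the comments are an enum, add `_Static_assert(sizeof(g_sym_map_100) / sizeof(g_sym_map_100[0]) == KERNEL_SYM_COUNT, "1.00 symbol map size");` after the table (or, if the hen build is C99 or later, switch to designated initializers such as `[KERNEL_SYM_TEXT_END] = 0x0B30000,` so order no longer matters). The array should also be `static const uint64_t`: it is a definition in a header, and the loader has no reason to change it at runtime. The same applies to the other thirteen offsets headers in this commit.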
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_01_H
+#define OFFSETS_1_01_H
+
+uint64_t g_sym_map_101[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0070, // KERNEL_SYM_PRINTF
+ 0x08A5890, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A6440, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9760, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457540, // KERNEL_SYM_M_TEMP
+ 0x0A9C710, // KERNEL_SYM_MALLOC
+ 0x0A9CAC0, // KERNEL_SYM_FREE
+ 0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A58F0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563A70, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC380, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907580, // KERNEL_SYM_RW_MEM
+ 0x4211BF8, // KERNEL_SYM_ALLPROC
+ 0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059EC60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059ED60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06893A0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689500, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0814FA0, // KERNEL_SYM_SHA256_HMAC
+ 0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729AC0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_01_H
diff --git a/hen/include/offsets/1_02.h b/hen/include/offsets/1_02.h
new file mode 100644
index 0000000..5864d0f
--- /dev/null
+++ b/hen/include/offsets/1_02.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_02_H
+#define OFFSETS_1_02_H
+
+uint64_t g_sym_map_102[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0070, // KERNEL_SYM_PRINTF
+ 0x08A5850, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A6400, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9770, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457540, // KERNEL_SYM_M_TEMP
+ 0x0A9C6D0, // KERNEL_SYM_MALLOC
+ 0x0A9CA80, // KERNEL_SYM_FREE
+ 0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A58B0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563A80, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC380, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907540, // KERNEL_SYM_RW_MEM
+ 0x4211BF8, // KERNEL_SYM_ALLPROC
+ 0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059EC70, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059ED70, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06893B0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689510, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0814F60, // KERNEL_SYM_SHA256_HMAC
+ 0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729A80, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_02_H
diff --git a/hen/include/offsets/1_05.h b/hen/include/offsets/1_05.h
new file mode 100644
index 0000000..c97ccfe
--- /dev/null
+++ b/hen/include/offsets/1_05.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_05_H
+#define OFFSETS_1_05_H
+
+uint64_t g_sym_map_105[] = {
+ 0x0b30000, // KERNEL_SYM_TEXT_END
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
+ 0x04a05a0, // KERNEL_SYM_PRINTF
+ 0x08a6960, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08a7510, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05a9c50, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0a9cf90, // KERNEL_SYM_MALLOC
+ 0x0a9d340, // KERNEL_SYM_FREE
+ 0x28d1c58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08a69c0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563f60, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38ac368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38ac390, // KERNEL_SYM_CTXSTATUS
+ 0x38ac3a0, // KERNEL_SYM_CTXTABLE
+ 0x04b0a00, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04b0ef0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907d20, // KERNEL_SYM_RW_MEM
+ 0x4211c18, // KERNEL_SYM_ALLPROC
+ 0x030d860, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030d8a0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030dd70, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059f150, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059f250, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06898d0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689a30, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040b6d0, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816070, // KERNEL_SYM_SHA256_HMAC
+ 0x032e2f0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729ff0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_05_H
diff --git a/hen/include/offsets/1_10.h b/hen/include/offsets/1_10.h
new file mode 100644
index 0000000..9d69600
--- /dev/null
+++ b/hen/include/offsets/1_10.h
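Review bot: `0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED` ships an unverified address for the region the HEN blob is copied into, carried over unchanged from the 1.00 table; if that range is not actually free on 1.05, installing HEN overwrites live kernel memory and the failure mode is silent corruption rather than a clean error. A comment is invisible to both the compiler and the loader, so until the cave is confirmed either keep 1.05 out of the firmware dispatch or encode the unverified state in the table itself (for example a `KERNEL_SYM_DATA_CAVE` of `0` that the loader checks and refuses to write to). Minor: this is the only offsets header in the commit written in lowercase hex; matching the siblings makes cross-table diffs easier to read.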
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
+ 0x04A05E0, // KERNEL_SYM_PRINTF
+ 0x08A6970, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7520, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9C90, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0A9CFB0, // KERNEL_SYM_MALLOC
+ 0x0A9D360, // KERNEL_SYM_FREE
+ 0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A69D0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563FA0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0A40, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F30, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907D30, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F190, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F290, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689930, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689A90, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B710, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816080, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A000, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_10_H
diff --git a/hen/include/offsets/1_11.h b/hen/include/offsets/1_11.h
new file mode 100644
index 0000000..0b23290
--- /dev/null
+++ b/hen/include/offsets/1_11.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_11_H
+#define OFFSETS_1_11_H
+
+uint64_t g_sym_map_111[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
+ 0x04A05E0, // KERNEL_SYM_PRINTF
+ 0x08A6A70, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7620, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9CB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0A9D110, // KERNEL_SYM_MALLOC
+ 0x0A9D370, // KERNEL_SYM_FREE
+ 0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6AD0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563FC0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0A40, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F30, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907E80, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F1B0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F2B0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06899D0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689B30, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B710, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816170, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A0F0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_11_H
diff --git a/hen/include/offsets/1_12.h b/hen/include/offsets/1_12.h
new file mode 100644
index 0000000..3eae8bf
--- /dev/null
+++ b/hen/include/offsets/1_12.h
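Review bot: This table still marks KERNEL_SYM_DATA_CAVE (`0x7980000`) as `NEEDS TO BE CHECKED`, yet the same commit adds a complete 1.11 hook table whose targets line up with the function offsets here (`0x8a6a70`, `0x8a6ad0`, `0x563fc0`, `0x5a9cb0`), so 1.11 looks wired up end to end on an unverified code-cave address. Either confirm the cave against a 1.11 kernel dump before the hooks go in, or have the 1.11 entry in the firmware dispatch refuse to install HEN while the marker is present; the comment by itself does not stop the copy into kernel memory. The function offsets themselves are internally consistent with the neighbouring 1.10 and 1.12 tables (same TEXT_END, same page-table and ALLPROC offsets), so the cave is the one value here that has no corroboration.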
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_12_H
+#define OFFSETS_1_12_H
+
+uint64_t g_sym_map_112[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0640, // KERNEL_SYM_PRINTF
+ 0x08A6BC0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7770, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9D20, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0A9D260, // KERNEL_SYM_MALLOC
+ 0x0A9D4C0, // KERNEL_SYM_FREE
+ 0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6C20, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0564030, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907FD0, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F220, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F320, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689B20, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689C80, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x08162C0, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A240, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_12_H
diff --git a/hen/include/offsets/1_13.h b/hen/include/offsets/1_13.h
new file mode 100644
index 0000000..12aca0c
--- /dev/null
+++ b/hen/include/offsets/1_13.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0640, // KERNEL_SYM_PRINTF
+ 0x08A6B70, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7720, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9D20, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34575C0, // KERNEL_SYM_M_TEMP
+ 0x0A9D230, // KERNEL_SYM_MALLOC
+ 0x0A9D490, // KERNEL_SYM_FREE
+ 0x28D1CB8, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6BD0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0564030, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907FA0, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F220, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F320, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689B20, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689C80, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816270, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A1F0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_13_H
diff --git a/hen/include/offsets/1_14.h b/hen/include/offsets/1_14.h
new file mode 100644
index 0000000..9a005c8
--- /dev/null
+++ b/hen/include/offsets/1_14.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0640, // KERNEL_SYM_PRINTF
+ 0x08A6BE0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7790, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9D40, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34575C0, // KERNEL_SYM_M_TEMP
+ 0x0A9D7E0, // KERNEL_SYM_MALLOC
+ 0x0A9DA40, // KERNEL_SYM_FREE
+ 0x2805CB8, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6C40, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0564050, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX // NEEDS TO BE CHECKED
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0908550, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F240, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F340, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689B40, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689CA0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x08162E0, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A260, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_14_H
diff --git a/hen/include/offsets/2_00.h b/hen/include/offsets/2_00.h
new file mode 100644
index 0000000..6dd605a
--- /dev/null
+++ b/hen/include/offsets/2_00.h
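Review bot: `0x38AC368, // KERNEL_SYM_CTXTABLE_MTX // NEEDS TO BE CHECKED` leaves what the name says is a kernel mutex unverified while 1.14 is otherwise treated as complete in this commit (it gets a full hook table); taking the wrong address through MTX_LOCK_FLAGS in kernel mode is a hang or a corrupted lock word, not a recoverable error, so it should be confirmed before 1.14 is enabled rather than annotated. Separately, KERNEL_SYM_MINI_SYSCORE_BIN jumps from `0x28D1CB8` in the 1.13 table to `0x2805CB8` here while every neighbouring non-text offset (M_TEMP `0x34575C0`, CTXTABLE `0x38AC3A0`, ALLPROC `0x4211C18`) is unchanged between the two tables; that may well be genuine, but a 0xCC000 move of one value with its neighbours fixed is worth a second look for a transcription slip.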
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_00_H
+#define OFFSETS_2_00_H
+
+uint64_t g_sym_map_200[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0468450, // KERNEL_SYM_PRINTF
+ 0x08C2DA0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3940, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580890, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D31F0, // KERNEL_SYM_M_TEMP
+ 0x0AD1450, // KERNEL_SYM_MALLOC
+ 0x0AD1680, // KERNEL_SYM_FREE
+ 0x27FB448, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C2E00, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0534060, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD10, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B200, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0929AF0, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3BD0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C40E0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574C40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574D40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A460, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A590, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC30, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x08252C0, // KERNEL_SYM_SHA256_HMAC
+ 0x02E5870, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0725F00, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_00_H
diff --git a/hen/include/offsets/2_20.h b/hen/include/offsets/2_20.h
new file mode 100644
index 0000000..4ed7582
--- /dev/null
+++ b/hen/include/offsets/2_20.h
@@ -0,0 +1,42 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x04684A0, // KERNEL_SYM_PRINTF
+ 0x08C3240, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3DE0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580A00, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D32F0, // KERNEL_SYM_M_TEMP
+ 0x0AD1910, // KERNEL_SYM_MALLOC
+ 0x0AD1B40, // KERNEL_SYM_FREE
+ 0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C32A0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x05340B0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0929FB0, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574DB0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574EB0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A610, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A740, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825760, // KERNEL_SYM_SHA256_HMAC
+ 0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x07263C0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+
+#endif // OFFSETS_2_20_H
diff --git a/hen/include/offsets/2_25.h b/hen/include/offsets/2_25.h
new file mode 100644
index 0000000..c2b0ef7
--- /dev/null
+++ b/hen/include/offsets/2_25.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x04684A0, // KERNEL_SYM_PRINTF
+ 0x08C32F0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3E90, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580AB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D32F0, // KERNEL_SYM_M_TEMP
+ 0x0AD19C0, // KERNEL_SYM_MALLOC
+ 0x0AD1BF0, // KERNEL_SYM_FREE
+ 0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C3350, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0534160, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x092A060, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574E60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574F60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A6C0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A7F0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825810, // KERNEL_SYM_SHA256_HMAC
+ 0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0726470, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_25_H
diff --git a/hen/include/offsets/2_26.h b/hen/include/offsets/2_26.h
new file mode 100644
index 0000000..8e6fab8
--- /dev/null
+++ b/hen/include/offsets/2_26.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_26_H
+#define OFFSETS_2_26_H
+
+uint64_t g_sym_map_226[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x04684A0, // KERNEL_SYM_PRINTF
+ 0x08C3320, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3EC0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580AB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D32F0, // KERNEL_SYM_M_TEMP
+ 0x0AD19F0, // KERNEL_SYM_MALLOC
+ 0x0AD1C20, // KERNEL_SYM_FREE
+ 0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C3380, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0534160, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x092A090, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574E60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574F60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A6C0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A7F0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825840, // KERNEL_SYM_SHA256_HMAC
+ 0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0726470, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_26_H
diff --git a/hen/include/offsets/2_30.h b/hen/include/offsets/2_30.h
new file mode 100644
index 0000000..b2f87c7
--- /dev/null
+++ b/hen/include/offsets/2_30.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_30_H
+#define OFFSETS_2_30_H
+
+uint64_t g_sym_map_230[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0468400, // KERNEL_SYM_PRINTF
+ 0x08C35F0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C4190, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580D80, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D3470, // KERNEL_SYM_M_TEMP
+ 0x0AD1E00, // KERNEL_SYM_MALLOC
+ 0x0AD2030, // KERNEL_SYM_FREE
+ 0x286E628, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C3650, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x05340C0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047ACC0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B1B0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x092A360, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C38F0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3930, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C3E00, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0575130, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0575230, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A990, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067AAC0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CD980, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825B10, // KERNEL_SYM_SHA256_HMAC
+ 0x02E5590, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0726740, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_30_H
diff --git a/hen/include/shellcore_patches/1_00.h b/hen/include/shellcore_patches/1_00.h
new file mode 100644
index 0000000..e80c9af
--- /dev/null
+++ b/hen/include/shellcore_patches/1_00.h
@@ -0,0 +1,242 @@
+#ifndef SHELLCORE_PATCHES_1_00
+#define SHELLCORE_PATCHES_1_00
+
+#include "common.h"
+
+struct patch g_shellcore_patches_100[] = {
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x1e6a93,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x1e6adf,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x1e6b4b,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x91d263,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x91d2af,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x91d31b,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x9a96e2,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xb70733,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xb7077f,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xb707eb,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * longjmp
+ */
+ 0x42ef81,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * strfree
+ */
+ 0x11e56f5,
+ "\x66\x72\x65\x65",
+ 4
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; nop
+ */
+ 0x371137,
+ "\x31\xC0\xFF\xC0\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; nop
+ */
+ 0x371172,
+ "\x31\xC0\xFF\xC0\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; nop
+ */
+ 0x371501,
+ "\x31\xC0\xFF\xC0\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; ret
+ */
+ 0x47af30,
+ "\x31\xC0\xFF\xC0\xC3",
+ 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x1DDB1B,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x1DDB98,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x1DDC9B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x1DDD6F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x1DE1DA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x1DE3AE,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x1DE75E,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 3
+ */
+ 0x1DE824,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x41C6D7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 4
+ */
+ 0x41C7EC,
+ "\xEB",
+ 1
+ }
+};
+
+#endif // SHELLCORE_PATCHES_1_00
diff --git a/hen/include/shellcore_patches/1_02.h b/hen/include/shellcore_patches/1_02.h
new file mode 100644
index 0000000..745ee81
--- /dev/null
+++ b/hen/include/shellcore_patches/1_02.h
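Review bot: Every entry carries a hand-written length beside its byte string (`"\x31\xC0\x90\x90\x90", 5`, `"\x90\xE9", 2`, `"\xEB", 1`), so a future edit that changes a literal but not its count would either truncate the patch or write the literal's terminating NUL, or bytes beyond it, into SceShellCore's code at that offset. A positional-initializer helper such as `#define PATCH(off, bytes) { (off), (bytes), sizeof(bytes) - 1 }`, used as `PATCH(0x1e6a93, "\x31\xC0\x90\x90\x90")`, derives the length from the literal and removes that failure mode without touching `struct patch` (whose definition is in common.h, outside this diff). The first sixteen entries are commented only with the replacement instruction bytes, not with what check is being neutralised at each site, unlike the later "PS4/PS5 Disc/PKG Installer" entries; a one-line purpose comment per site would make re-porting to the firmware versions still listed as not completed far less guesswork. The same layout is repeated in the nine sibling tables added by this commit.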
@@ -0,0 +1,242 @@ +#ifndef SHELLCORE_PATCHES_1_02 +#define SHELLCORE_PATCHES_1_02 + +#include "common.h" + +struct patch g_shellcore_patches_102[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6a93, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6adf, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6b4b, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d263, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d2af, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d31b, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9a96e2, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb70733, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb7077f, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb707eb, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42ef81, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11e544e, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371137, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371172, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371501, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47af30, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x1DDB1B, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x1DDB98, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x1DDC9B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x1DDD6F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x1DE1DA, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x1DE3AE, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x1DE75E, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x1DE824, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x41C6D7, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x41C7EC, + "\xEB", + 1 + } +}; + +#endif // SHELLCORE_PATCHES_1_02 diff --git a/hen/include/shellcore_patches/1_12.h b/hen/include/shellcore_patches/1_12.h new file mode 100644 index 0000000..d05efbd --- /dev/null +++ b/hen/include/shellcore_patches/1_12.h 
@@ -0,0 +1,242 @@ +#ifndef SHELLCORE_PATCHES_1_12 +#define SHELLCORE_PATCHES_1_12 + +#include "common.h" + +struct patch g_shellcore_patches_112[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E69E3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A2F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A9B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91D9B3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91D9FF, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DA6B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9A9E42, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB70F13, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB70F5F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB70FCB, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42F411, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11E9EEE, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371547, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371582, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371911, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47B3C0, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x1DDAFB, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x1DDB78, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x1DDC7B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x1DDD4F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x1DE1BA, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x1DE38E, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x1DE73E, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x1DE804, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x41CB67, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x41CC7C, + "\xEB", + 1 + } +}; + +#endif // SHELLCORE_PATCHES_1_12 diff --git a/hen/include/shellcore_patches/1_14.h b/hen/include/shellcore_patches/1_14.h new file mode 100644 index 0000000..5d6f3fa --- /dev/null +++ b/hen/include/shellcore_patches/1_14.h 
@@ -0,0 +1,242 @@ +#ifndef SHELLCORE_PATCHES_1_14 +#define SHELLCORE_PATCHES_1_14 + +#include "common.h" + +struct patch g_shellcore_patches_114[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E69E3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A2F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A9B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DC83, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DCCF, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DD3B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9AA102, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB711D3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB7121F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB7128B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42F511, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11E9741, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371547, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371582, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371911, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47B5C0, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x1DDAFB, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x1DDB78, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x1DDC7B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x1DDD4F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x1DE1BA, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x1DE38E, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x1DE73E, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x1DE804, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x41CBC7, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x41CCDC, + "\xEB", + 1 + } +}; + +#endif // SHELLCORE_PATCHES_1_14 diff --git a/hen/include/shellcore_patches/2_00.h b/hen/include/shellcore_patches/2_00.h new file mode 100644 index 0000000..d6943db --- /dev/null +++ b/hen/include/shellcore_patches/2_00.h 
@@ -0,0 +1,251 @@ +#ifndef SHELLCORE_PATCHES_2_00 +#define SHELLCORE_PATCHES_2_00 + +#include "common.h" + +struct patch g_shellcore_patches_200[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E513, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E55C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E5CC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4433, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D447C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D44EC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA62A32, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC61D13, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC61D5C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC61DCC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49C0D1, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x136DE1C, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3764, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D379F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3B2E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E7020, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x21585B, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x2158D8, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x2159DB, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x215AAF, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x215F1A, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x2160EE, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x2164A5, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x216542, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x487847, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x48795C, + "\xEB", + 1 + }, + + { + /* + * PKG Installer Patch + */ + 0x4897B0, + "\x48\x31\xC0\xC3", + 4 + } +}; + +#endif // SHELLCORE_PATCHES_2_00 diff --git a/hen/include/shellcore_patches/2_20.h b/hen/include/shellcore_patches/2_20.h new file mode 100644 index 0000000..8fe7012 --- /dev/null +++ b/hen/include/shellcore_patches/2_20.h 
@@ -0,0 +1,251 @@ +#ifndef SHELLCORE_PATCHES_2_20 +#define SHELLCORE_PATCHES_2_20 + +#include "common.h" + +struct patch g_shellcore_patches_220[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E7B3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E7FC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E86C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4783, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D47CC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D483C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA62D92, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC62073, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC620BC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC6212C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49C421, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x1371F7E, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3A34, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3A6F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3DFE, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E7370, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x215AFB, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x215B78, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x215C7B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x215D4F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x2161BA, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x21638E, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x216745, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x2167E2, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x487B97, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x487CAC, + "\xEB", + 1 + }, + + { + /* + * PKG Installer Patch + */ + 0x489B00, + "\x48\x31\xC0\xC3", + 4 + } +}; + +#endif // SHELLCORE_PATCHES_2_20 diff --git a/hen/include/shellcore_patches/2_25.h b/hen/include/shellcore_patches/2_25.h new file mode 100644 index 0000000..d85d3cf --- /dev/null +++ b/hen/include/shellcore_patches/2_25.h 
@@ -0,0 +1,252 @@ +#ifndef SHELLCORE_PATCHES_2_25 +#define SHELLCORE_PATCHES_2_25 + +#include "common.h" + +struct patch g_shellcore_patches_225[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21ED03, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21ED4C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21EDBC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4CD3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4D1C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4D8C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA632D2, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC625B3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC625FC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC6266C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49C971, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x1371C5F, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3F84, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3FBF, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D434E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E78C0, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x215AFB, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x215B78, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x215C7B, + "\xEB", + 1 + }, + + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x215D4F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x2161BA, + 
"\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x21638E, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x216745, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x2167E2, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x4880E7, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x4881FC, + "\xEB", + 1 + }, + + { + /* + * PKG Installer Patch + */ + 0x48A050, + "\x48\x31\xC0\xC3", + 4 + } +}; + +#endif // SHELLCORE_PATCHES_2_25 diff --git a/hen/include/shellcore_patches/2_26.h b/hen/include/shellcore_patches/2_26.h new file mode 100644 index 0000000..d17e6cf --- /dev/null +++ b/hen/include/shellcore_patches/2_26.h 
@@ -0,0 +1,251 @@ +#ifndef SHELLCORE_PATCHES_2_26 +#define SHELLCORE_PATCHES_2_26 + +#include "common.h" + +struct patch g_shellcore_patches_226[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x220473, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x2204BC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x22052C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D6483, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D64CC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D653C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA64A92, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC63D73, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC63DBC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC63E2C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49E121, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x13724D4, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D56F4, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D572F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D5ABE, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E9070, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x21726B, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x2172E8, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x2173EB, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x2174BF, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x21792A, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x217AFE, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x217EB5, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x217F52, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x489897, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x4899C3, + "\xEB", + 1 + }, + + { + /* + * PKG Installer Patch + */ + 0x48B800, + "\x48\x31\xC0\xC3", + 4 + } +}; + +#endif // SHELLCORE_PATCHES_2_26 diff --git a/hen/include/shellcore_patches/2_30.h b/hen/include/shellcore_patches/2_30.h new file mode 100644 index 0000000..a89c4c1 --- /dev/null +++ b/hen/include/shellcore_patches/2_30.h 
@@ -0,0 +1,251 @@ +#ifndef SHELLCORE_PATCHES_2_30 +#define SHELLCORE_PATCHES_2_30 + +#include "common.h" + +struct patch g_shellcore_patches_230[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x220623, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x22066C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x2206DC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D7043, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D708C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D70FC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA65652, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC64933, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC6497C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC649EC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49E8C1, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x1371BFD, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D5E94, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D5ECF, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D625E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E9890, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x21741B, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x217498, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x21759B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x21766F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x217ADA, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x217CAE, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x218065, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x218102, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x48A037, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x48A14C, + "\xEB", + 1 + }, + + { + /* + * PKG Installer Patch + */ + 0x48BFA0, + "\x48\x31\xC0\xC3", + 4 + } +}; + +#endif // SHELLCORE_PATCHES_2_30 diff --git a/hen/include/shellcore_patches/2_50.h b/hen/include/shellcore_patches/2_50.h index 3d899bf..a2ac64a 100644 --- a/hen/include/shellcore_patches/2_50.h +++ b/hen/include/shellcore_patches/2_50.h @@ -146,6 +146,105 @@ struct patch g_shellcore_patches_250[] = { 0x4EAC40, "\x31\xC0\xFF\xC0\xC3", 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x2171BB, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x217238, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x21733B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x21740F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x21787A, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x217A4E, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x217E05, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x217EA2, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x48B3E7, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x48B4FC, + "\xEB", + 1 + }, + + { + /* + * PKG Installer + */ + 0x48D350, + "\x48\x31\xC0\xC3", + 4 } }; diff --git a/hen/include/shellcore_patches/2_70.h b/hen/include/shellcore_patches/2_70.h new file mode 100644 index 0000000..4b343db --- /dev/null +++ b/hen/include/shellcore_patches/2_70.h 
@@ -0,0 +1,251 @@ +#ifndef SHELLCORE_PATCHES_2_70 +#define SHELLCORE_PATCHES_2_70 + +#include "common.h" + +struct patch g_shellcore_patches_270[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x2203C3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x22040C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x22047C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D83F3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D843C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D84AC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA669F2, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC65CD3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC65D1C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC65D8C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49FC71, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x13767F5, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D7244, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D727F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D760E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4EAC40, + "\x31\xC0\xFF\xC0\xC3", + 5 + }, + + { + /* + * PS4 Disc Installer Patch 1 + */ + 0x2171BB, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 Disc Installer Patch 1 + */ + 0x217238, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 1 + */ + 0x21733B, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 1 + */ + 0x21740F, + "\xEB", + 1 + }, + + { + /* + * PS4 PKG Installer Patch 2 + */ + 0x21787A, + "\x90\xE9", 
+ 2 + }, + + { + /* + * PS5 PKG Installer Patch 2 + */ + 0x217A4E, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 3 + */ + 0x217E05, + "\x90\xE9", + 2 + }, + + { + /* + * PS5 PKG Installer Patch 3 + */ + 0x217EA2, + "\x90\xE9", + 2 + }, + + { + /* + * PS4 PKG Installer Patch 4 + */ + 0x48B3E7, + "\xEB", + 1 + }, + + { + /* + * PS5 PKG Installer Patch 4 + */ + 0x48B4FC, + "\xEB", + 1 + }, + + { + /* + * PKG Installer Patch + */ + 0x48D350, + "\x48\x31\xC0\xC3", + 4 + } +}; + +#endif // SHELLCORE_PATCHES_2_70 \ No newline at end of file diff --git a/hen/src/fpkg.cpp b/hen/src/fpkg.cpp index 35c8160..b87ce65 100644 --- a/hen/src/fpkg.cpp +++ b/hen/src/fpkg.cpp 
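Review bot: Every offset in `g_shellcore_patches_270` that can be compared with the visible part of the 2.50 table this commit extends is identical — `0x4EAC40`, `0x2171BB`, `0x217238`, `0x21733B`, `0x21740F`, `0x21787A`, `0x217A4E`, `0x217E05`, `0x217EA2`, `0x48B3E7`, `0x48B4FC`, `0x48D350` — which is only correct if SceShellCore did not change between 2.50 and 2.70. If the table was copied as a starting point it must be re-verified against a 2.70 dump before the README lists 2.70 as completed, because a mis-targeted `\xEB` or `\x90\xE9` lands in the middle of unrelated code in the process that installs packages. Whichever it is, a header comment such as `/* SceShellCore is byte-identical to 2.50 at these sites (verified against a 2.70 dump) */` would record it for the next porter. The file also lacks a trailing newline, unlike its sibling headers.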
@@ -436,83 +436,53 @@ void hex_dump(const char *name, uint8_t *buf, int len) } } -int sceSblServiceCryptAsync_hook(void *async_req) -{ - struct ccp_common *msg; - struct ccp_common *next; - struct ccp_req* req; - int idx = -1; - - //auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF); - auto sceSblServiceCryptAsync = (int (*)(void *req)) kdlsym(KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC); - auto Sha256Hmac = (void (*)(void *hash, void *data, size_t data_sz, void *key, size_t key_size)) kdlsym(KERNEL_SYM_SHA256_HMAC); - - req = (struct ccp_req *) async_req; - msg = (struct ccp_common *) (*(uint64_t *) (async_req)); - //printf("sceSblServiceCryptAsync_hook: msg = %p, before (msg->cmd = 0x%x) (first=%p, last=%p)\n", msg, msg->cmd, req->tqh_first, *req->tqh_last); - - while (msg) { - next = (struct ccp_common *) (*(uint64_t *) ((uint64_t) (msg) + 0x140)); - //printf("msg = %p (msg->cmd = 0x%x), next = %p \n", msg, msg->cmd, next); - - if ((msg->cmd & 0x7FFFFFFF) == 0x9132000) { // SHA256 HMAC with key handle - struct ccp_hmac *hmac_msg = (struct ccp_hmac *) msg; - idx = HANDLE_TO_IDX(hmac_msg->key_index); - //printf("sceSblServiceCryptAsync_hook: SHA256 hmac key idx = 0x%x\n", idx); - - if (idx < 0) { - return sceSblServiceCryptAsync(async_req); - } else { - char hmac_key[0x40]; - get_fake_key(idx, (char *) &hmac_key); - - // hex_dump("hmac ccp msg", (uint8_t *) hmac_msg, 0x200); - // hex_dump("hmac key", (uint8_t *) hmac_key, 0x40); - - Sha256Hmac(hmac_msg->hash, hmac_msg->data, hmac_msg->data_size, hmac_key, 0x20); - - // printf("hmac data=%p, data_size = 0x%lx\n", hmac_msg->data, hmac_msg->data_size); - // hex_dump("hmac input (first 0x20 bytes)", (uint8_t *) hmac_msg->data, 0x20); - // hex_dump("hmac hash output", (uint8_t *) hmac_msg->hash, 0x20); - } - } else if ((msg->cmd & 0x7FFFF7FF) == 0x2108000) { // AES-XTS with key handle - struct ccp_xts *xts_msg = (struct ccp_xts *) msg; - idx = HANDLE_TO_IDX(xts_msg->key_index); - 
//printf("sceSblServiceCryptAsync_hook: AES-XTS key idx = 0x%x\n", idx); - - if (idx < 0) { - return sceSblServiceCryptAsync(async_req); - } else { - char xts_key[0x40]; - get_fake_key(idx, (char *) &xts_key); - - // printf("xts in=%p, out=%p (is_encrypt=%d)\n", xts_msg->in_data, xts_msg->out_data, ((xts_msg->common.cmd & 0x800) >> 11)); - // printf("xts->start_sector = 0x%lx, num_sectors = 0x%lx\n", xts_msg->start_sector, xts_msg->num_sectors); - // hex_dump("xts ccp msg", (uint8_t *) xts_msg, 0x200); - // hex_dump("xts tweak/key", (uint8_t *) xts_key, 0x20); - // hex_dump("xta data", (uint8_t *) xts_msg->in_data, 0x20); - - void *tweak = (void *) ((uint64_t) (xts_key) + 0x00); - void *key = (void *) ((uint64_t) (xts_key) + 0x10); - if (((xts_msg->common.cmd & 0x800) >> 11)) { - aes_xts_4096_dec(xts_msg->in_data, xts_msg->out_data, xts_msg->num_sectors, xts_msg->start_sector, key, tweak, 1); - } else { - aes_xts_4096_dec(xts_msg->in_data, xts_msg->out_data, xts_msg->num_sectors, xts_msg->start_sector, key, tweak, 0); - } - - // hex_dump("xts decrypted output (first 0x20 bytes)", (uint8_t *) xts_msg->out_data, 0x20); - } - } - - msg = next; +int sceSblServiceCryptAsync_hook(void *async_req) { + struct ccp_common *msg; + struct ccp_common *next; + //struct ccp_req *req; + int idx = -1; + + //req = (struct ccp_req *)async_req; + msg = (struct ccp_common *)(*(uint64_t *)(async_req)); + + auto sceSblServiceCryptAsync = (int (*)(void *req)) kdlsym(KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC); + + while (msg) { + next = (struct ccp_common *)(*(uint64_t *)((uint64_t)(msg) + 0x140)); + + if ((msg->cmd & 0x7FFFFFFF) == 0x9132000) { + // SHA256 HMAC with key handle + struct ccp_hmac *hmac_msg = (struct ccp_hmac *)msg; + idx = HANDLE_TO_IDX(hmac_msg->key_index); + + if (idx >= 0) { + char hmac_key[0x20]; + get_fake_key(idx, (char *)&hmac_key); + + memcpy(hmac_msg->key, hmac_key, 0x20); + msg->cmd &= ~0x100000; // key handle + msg->cmd &= ~0x80000000; // a53 + } + } else if 
((msg->cmd & 0x7FFFF7FF) == 0x2108000) { + // AES-XTS with key handle + struct ccp_xts *xts_msg = (struct ccp_xts *)msg; + idx = HANDLE_TO_IDX(xts_msg->key_index); + + if (idx >= 0) { + char xts_key[0x20]; + get_fake_key(idx, (char *)&xts_key); + + memcpy(xts_msg->key, xts_key + 0x10, 0x10); + memcpy(xts_msg->key + 0x10, xts_key, 0x10); + msg->cmd &= ~0x100000; // key handle + msg->cmd &= ~0x80000000; // a53 + } } - if (idx == -1) { - return sceSblServiceCryptAsync(async_req); - } + msg = next; + } - req->cb(req->args, 0); - return 0; + return sceSblServiceCryptAsync(async_req); } int sceSblPfsClearKey_sceSblServiceMailbox(uint64_t handle, const ClearKey* input, ClearKey* output) diff --git a/hen/src/fself.cpp b/hen/src/fself.cpp index b586687..64f7b06 100644 --- a/hen/src/fself.cpp +++ b/hen/src/fself.cpp @@ -41,15 +41,28 @@ extern "C" { static volatile int enableHook6 = 1; } +struct mtx { + uint8_t dontcare[0x18]; + volatile uintptr_t mtx_lock; +}; + SelfContext* getSelfContextByServiceId(uint32_t serviceId) { auto ctxTable = (SelfContext *) kdlsym(KERNEL_SYM_CTXTABLE); - + auto ctxStatus = (int*) kdlsym(KERNEL_SYM_CTXSTATUS); + auto ctxTableMtx = (mtx*) kdlsym(KERNEL_SYM_CTXTABLE_MTX); + auto __mtx_lock_flags = (void(*)(volatile uintptr_t*, int, const char*, int)) kdlsym(KERNEL_SYM_MTX_LOCK_FLAGS); + auto __mtx_unlock_flags = (void(*)(volatile uintptr_t*, int, const char*, int)) kdlsym(KERNEL_SYM_MTX_UNLOCK_FLAGS); + + __mtx_lock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0); for(int i = 0; i < 4; i++) { + if(ctxStatus[i] != 3 && ctxStatus[i] != 4) { continue; } auto ctx = &ctxTable[i]; if(ctx->unk1C == serviceId) { + __mtx_unlock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0); return ctx; } } + __mtx_unlock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0); return nullptr; } 
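Review bot: The key buffers shrank from 0x40 to 0x20 bytes (`char hmac_key[0x20];`, `char xts_key[0x20];`) but `get_fake_key(idx, (char *)&hmac_key)` is still called with no length, so unless it is known to write at most 0x20 bytes this is a kernel-stack overflow that the old 0x40 buffers happened to absorb; confirm its write size or pass the buffer size in. The `memcpy` calls into `hmac_msg->key` and `xts_msg->key` likewise assume those CCP message fields hold 0x20 bytes, which the hunk does not show — a comment naming the message layout they rely on would help the next port. The XTS copy writes the two 16-byte halves of `xts_key` into `xts_msg->key` in swapped order with no comment saying why (the removed code treated offset 0 as the tweak and 0x10 as the key), and `idx` is still initialised to -1 although its value no longer affects control flow after the loop; `(char *)&hmac_key` can simply be `hmac_key`.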
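Review bot: The added status filter `if(ctxStatus[i] != 3 && ctxStatus[i] != 4) { continue; }` uses unexplained magic values; nothing here says which context states 3 and 4 denote, so name them or add `// TODO: document which ctxStatus values (3, 4) mark a slot as live` until they are. The mutex is released before `return ctx;`, so the lock covers only the scan and the slot can change state after the pointer is handed back; if callers accept that, document it on the function, otherwise the result has to be consumed under the lock. The `struct mtx` shim with `dontcare[0x18]` presumably mirrors the kernel mutex layout and should say so in a comment, since it silently breaks if that layout differs across the firmware versions this commit adds.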
@@ -263,4 +276,4 @@ void apply_fself_hooks() printf("[HEN] [FSELF] sceSblAuthMgrIsLoadable() -> sceSblACMgrGetPathId()\n"); install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, (void *) &sceSblACMgrGetPathId_hook); -} +} \ No newline at end of file diff --git a/hen/src/hook.cpp b/hen/src/hook.cpp index 064632e..c00f53e 100644 --- a/hen/src/hook.cpp +++ b/hen/src/hook.cpp @@ -5,6 +5,20 @@ #include "hook.h" #include "kdlsym.h" +#include "hooks/1_00.h" +#include "hooks/1_01.h" +#include "hooks/1_02.h" +#include "hooks/1_05.h" +#include "hooks/1_10.h" +#include "hooks/1_11.h" +#include "hooks/1_12.h" +#include "hooks/1_13.h" +#include "hooks/1_14.h" +#include "hooks/2_00.h" +#include "hooks/2_20.h" +#include "hooks/2_25.h" +#include "hooks/2_26.h" +#include "hooks/2_30.h" #include "hooks/2_50.h" struct hook *find_hook(hook_id id) 
@@ -18,11 +32,61 @@ struct hook *find_hook(hook_id id) auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF); switch (fw_ver) { - // case 0x1050000: - // hooks = (struct hook *) &g_kernel_hooks_105; - // num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook); - // break; + case 0x1000000: + hooks = (struct hook *) &g_kernel_hooks_100; + num_hooks = sizeof(g_kernel_hooks_100) / sizeof(struct hook); + break; + case 0x1010000: + case 0x1020000: + hooks = (struct hook *) &g_kernel_hooks_102; + num_hooks = sizeof(g_kernel_hooks_102) / sizeof(struct hook); + break; + case 0x1050000: + hooks = (struct hook *) &g_kernel_hooks_105; + num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook); + break; + case 0x1100000: + hooks = (struct hook *) &g_kernel_hooks_110; + num_hooks = sizeof(g_kernel_hooks_110) / sizeof(struct hook); + break; + case 0x1110000: + hooks = (struct hook *) &g_kernel_hooks_111; + num_hooks = sizeof(g_kernel_hooks_111) / sizeof(struct hook); + break; + case 0x1120000: + hooks = (struct hook *) &g_kernel_hooks_112; + num_hooks = sizeof(g_kernel_hooks_112) / sizeof(struct hook); + break; + case 0x1130000: + hooks = (struct hook *) &g_kernel_hooks_113; + num_hooks = sizeof(g_kernel_hooks_113) / sizeof(struct hook); + break; + case 0x1140000: + hooks = (struct hook *) &g_kernel_hooks_114; + num_hooks = sizeof(g_kernel_hooks_114) / sizeof(struct hook); + break; + case 0x2000000: + hooks = (struct hook *) &g_kernel_hooks_200; + num_hooks = sizeof(g_kernel_hooks_200) / sizeof(struct hook); + break; + case 0x2200000: + hooks = (struct hook *) &g_kernel_hooks_220; + num_hooks = sizeof(g_kernel_hooks_220) / sizeof(struct hook); + break; + case 0x2250000: + hooks = (struct hook *) &g_kernel_hooks_225; + num_hooks = sizeof(g_kernel_hooks_225) / sizeof(struct hook); + break; + case 0x2260000: + hooks = (struct hook *) &g_kernel_hooks_226; + num_hooks = sizeof(g_kernel_hooks_226) / sizeof(struct hook); + break; + case 0x2300000: + hooks = 
(struct hook *) &g_kernel_hooks_230; + num_hooks = sizeof(g_kernel_hooks_230) / sizeof(struct hook); + break; case 0x2500000: + case 0x2700000: hooks = (struct hook *) &g_kernel_hooks_250; num_hooks = sizeof(g_kernel_hooks_250) / sizeof(struct hook); break; diff --git a/hen/src/kdlsym.cpp b/hen/src/kdlsym.cpp index d3094b2..f0d2f20 100644 --- a/hen/src/kdlsym.cpp +++ b/hen/src/kdlsym.cpp @@ -1,6 +1,21 @@ #include #include "kdlsym.h" + +#include "offsets/1_00.h" +#include "offsets/1_01.h" +#include "offsets/1_02.h" +#include "offsets/1_05.h" +#include "offsets/1_10.h" +#include "offsets/1_11.h" +#include "offsets/1_12.h" +#include "offsets/1_13.h" +#include "offsets/1_14.h" +#include "offsets/2_00.h" +#include "offsets/2_20.h" +#include "offsets/2_25.h" +#include "offsets/2_26.h" +#include "offsets/2_30.h" #include "offsets/2_50.h" uint64_t g_fw_version; @@ -35,12 +50,36 @@ uint64_t kdlsym(ksym_t sym) return 0; switch (g_fw_version) { + case 0x1000000: + return g_kernel_base + g_sym_map_100[sym]; + case 0x1010000: + return g_kernel_base + g_sym_map_101[sym]; + case 0x1020000: + return g_kernel_base + g_sym_map_102[sym]; + case 0x1050000: + return g_kernel_base + g_sym_map_105[sym]; + case 0x1100000: + return g_kernel_base + g_sym_map_110[sym]; + case 0x1110000: + return g_kernel_base + g_sym_map_111[sym]; + case 0x1120000: + return g_kernel_base + g_sym_map_112[sym]; + case 0x1130000: + return g_kernel_base + g_sym_map_113[sym]; + case 0x1140000: + return g_kernel_base + g_sym_map_114[sym]; case 0x2000000: + return g_kernel_base + g_sym_map_200[sym]; case 0x2200000: + return g_kernel_base + g_sym_map_220[sym]; case 0x2250000: + return g_kernel_base + g_sym_map_225[sym]; case 0x2260000: + return g_kernel_base + g_sym_map_226[sym]; case 0x2300000: + return g_kernel_base + g_sym_map_230[sym]; case 0x2500000: + case 0x2700000: return g_kernel_base + g_sym_map_250[sym]; } diff --git a/hen/src/patch_shellcore.cpp b/hen/src/patch_shellcore.cpp index bdb4866..ec5c93c 100644 
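Review bot: `case 0x1010000:` falls through to `g_kernel_hooks_102` although the earlier hunk in this file adds `#include "hooks/1_01.h"`; either 1.01 has its own hook table that should be selected here or that include is dead, and a one-line comment on the fall-through (`// 1.01 shares the 1.02 hook table`) would record which. `case 0x2700000:` reuses `g_kernel_hooks_250` the same way with no `hooks/2_70.h` included, and kdlsym.cpp's switch in this commit aliases 2.70 onto `g_sym_map_250` too, so the assumption that 2.50 and 2.70 share kernel layout should be written down once where it is made. find_hook's body continues outside the hunk.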
--- a/hen/src/patch_shellcore.cpp
+++ b/hen/src/patch_shellcore.cpp
@@ -7,7 +7,17 @@
 #include "patch_shellcore.h"
 #include "proc.h"
 
+#include "shellcore_patches/1_00.h"
+#include "shellcore_patches/1_02.h"
+#include "shellcore_patches/1_12.h"
+#include "shellcore_patches/1_14.h"
+#include "shellcore_patches/2_00.h"
+#include "shellcore_patches/2_20.h"
+#include "shellcore_patches/2_25.h"
+#include "shellcore_patches/2_26.h"
+#include "shellcore_patches/2_30.h"
 #include "shellcore_patches/2_50.h"
+#include "shellcore_patches/2_70.h"
 
 /**
 * @brief Implementation of read/write memory for a process (from kernel)
@@ -161,10 +171,55 @@ void apply_shellcore_patches()
 printf("apply_shellcore_patches: fw_ver = 0x%lx\n", fw_ver);
 
 switch (fw_ver) {
+ case 0x1000000:
+ patches = (struct patch *) &g_shellcore_patches_100;
+ num_patches = sizeof(g_shellcore_patches_100) / sizeof(struct patch);
+ break;
+ case 0x1010000:
+ case 0x1020000:
+ patches = (struct patch *) &g_shellcore_patches_102;
+ num_patches = sizeof(g_shellcore_patches_102) / sizeof(struct patch);
+ break;
+ case 0x1050000:
+ case 0x1100000:
+ case 0x1110000:
+ case 0x1120000:
+ patches = (struct patch *) &g_shellcore_patches_112;
+ num_patches = sizeof(g_shellcore_patches_112) / sizeof(struct patch);
+ break;
+ case 0x1130000:
+ case 0x1140000:
+ patches = (struct patch *) &g_shellcore_patches_114;
+ num_patches = sizeof(g_shellcore_patches_114) / sizeof(struct patch);
+ break;
+ case 0x2000000:
+ patches = (struct patch *) &g_shellcore_patches_200;
+ num_patches = sizeof(g_shellcore_patches_200) / sizeof(struct patch);
+ break;
+ case 0x2200000:
+ patches = (struct patch *) &g_shellcore_patches_220;
+ num_patches = sizeof(g_shellcore_patches_220) / sizeof(struct patch);
+ break;
+ case 0x2250000:
+ patches = (struct patch *) &g_shellcore_patches_225;
+ num_patches = sizeof(g_shellcore_patches_225) / sizeof(struct patch);
+ break;
+ case 0x2260000:
+ patches = (struct patch *) &g_shellcore_patches_226;
+ num_patches = sizeof(g_shellcore_patches_226) / sizeof(struct patch);
+ break;
+ case 0x2300000:
+ patches = (struct patch *) &g_shellcore_patches_230;
+ num_patches = sizeof(g_shellcore_patches_230) / sizeof(struct patch);
+ break;
 case 0x2500000:
 patches = (struct patch *) &g_shellcore_patches_250;
 num_patches = sizeof(g_shellcore_patches_250) / sizeof(struct patch);
 break;
+ case 0x2700000:
+ patches = (struct patch *) &g_shellcore_patches_270;
+ num_patches = sizeof(g_shellcore_patches_270) / sizeof(struct patch);
+ break;
 default:
 printf("apply_shellcore_patches: don't have offsets for this firmware\n");
 return;
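Review bot: The new `case 0x1050000: case 0x1100000: case 0x1110000: case 0x1120000:` group applies `g_shellcore_patches_112` to three firmware versions that have no shellcore_patches header of their own in the include hunk above, and `case 0x1130000:` reuses the 1.14 table in the same way; nothing records whether those shellcore builds were checked to match at the patched offsets. Writing patch bytes at unverified offsets into a live process is a crash risk, so either drop the unverified cases so the existing `default:` branch refuses them, or keep them with a comment such as `// 1.05/1.10/1.11 shellcore verified identical to 1.12 at these offsets`. apply_shellcore_patches continues outside the hunk on both sides.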
diff --git a/include/offsets/1_00.h b/include/offsets/1_00.h
new file mode 100644
index 0000000..f088924
--- /dev/null
+++ b/include/offsets/1_00.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_00_H
+#define OFFSETS_1_00_H
+
+uint64_t g_sym_map_100[] = {
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_100[] = {
+ 0x05A9710, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9720, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981099, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F17A0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_00_H
\ No newline at end of file
diff --git a/include/offsets/1_01.h b/include/offsets/1_01.h
new file mode 100644
index 0000000..176e45e
--- /dev/null
+++ b/include/offsets/1_01.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_01_H
+#define OFFSETS_1_01_H
+
+uint64_t g_sym_map_101[] = {
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_101[] = {
+ 0x05A9730, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9740, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981109, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F17A0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_01_H
\ No newline at end of file
diff --git a/include/offsets/1_02.h b/include/offsets/1_02.h
new file mode 100644
index 0000000..8164eea
--- /dev/null
+++ b/include/offsets/1_02.h
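Review bot: `uint64_t g_sym_map_100[]` and `g_patch_map_100[]` are plain non-`static`, non-`const` definitions in a header, so each translation unit that includes it emits its own copy (a duplicate-symbol error if two do) and the offset tables stay writable at run time; `static const uint64_t` fixes both. The entries are tied to `ksym_t` (and to whatever enum indexes `g_patch_map_*`) by position only, with the trailing comments as the sole guard, so a `static_assert` on the element count against the enum would catch a table that gains an entry in one firmware header but not another — which is exactly what the 1_05.h hunk does by appending four entries. The same applies to the 1_01.h hunk on this line and to the 1_02 through 2_30 headers that follow.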
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_02_H
+#define OFFSETS_1_02_H
+
+uint64_t g_sym_map_102[] = {
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_102[] = {
+ 0x05A9740, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9750, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09810C9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F17A0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_02_H
\ No newline at end of file
diff --git a/include/offsets/1_05.h b/include/offsets/1_05.h
index 49c5b82..d76d32f 100644
--- a/include/offsets/1_05.h
+++ b/include/offsets/1_05.h
@@ -7,6 +7,10 @@ uint64_t g_sym_map_105[] = {
 0x4ADF30C, // KERNEL_SYM_PML4PML4I
 0x4ADF328, // KERNEL_SYM_PMAP_STORE
 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
 };
 
 uint64_t g_patch_map_105[] = {
diff --git a/include/offsets/1_10.h b/include/offsets/1_10.h
new file mode 100644
index 0000000..78b5fa2
--- /dev/null
+++ b/include/offsets/1_10.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_110[] = {
+ 0x05A9C60, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9C70, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981919, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_10_H
\ No newline at end of file
diff --git a/include/offsets/1_11.h b/include/offsets/1_11.h
new file mode 100644
index 0000000..caed3e5
--- /dev/null
+++ b/include/offsets/1_11.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_11_H
+#define OFFSETS_1_11_H
+
+uint64_t g_sym_map_111[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_111[] = {
+ 0x05A9C80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9C90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981A69, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_11_H
\ No newline at end of file
diff --git a/include/offsets/1_12.h b/include/offsets/1_12.h
new file mode 100644
index 0000000..c4e9008
--- /dev/null
+++ b/include/offsets/1_12.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_12_H
+#define OFFSETS_1_12_H
+
+uint64_t g_sym_map_112[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_112[] = {
+ 0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981BB9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_12_H
\ No newline at end of file
diff --git a/include/offsets/1_13.h b/include/offsets/1_13.h
new file mode 100644
index 0000000..968820c
--- /dev/null
+++ b/include/offsets/1_13.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_113[] = {
+ 0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981B89, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_13_H
\ No newline at end of file
diff --git a/include/offsets/1_14.h b/include/offsets/1_14.h
new file mode 100644
index 0000000..b7e5e70
--- /dev/null
+++ b/include/offsets/1_14.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_114[] = {
+ 0x05A9D10, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9D20, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0982139, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_14_H
\ No newline at end of file
diff --git a/include/offsets/2_00.h b/include/offsets/2_00.h
new file mode 100644
index 0000000..84a289c
--- /dev/null
+++ b/include/offsets/2_00.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_00_H
+#define OFFSETS_2_00_H
+
+uint64_t g_sym_map_200[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE4F0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6D10, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_200[] = {
+ 0x0580860, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580870, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A5F49, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69B0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_00_H
\ No newline at end of file
diff --git a/include/offsets/2_20.h b/include/offsets/2_20.h
new file mode 100644
index 0000000..518038b
--- /dev/null
+++ b/include/offsets/2_20.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_220[] = {
+ 0x05809D0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05809E0, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A6409, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69F0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_20_H
\ No newline at end of file
diff --git a/include/offsets/2_25.h b/include/offsets/2_25.h
new file mode 100644
index 0000000..d850720
--- /dev/null
+++ b/include/offsets/2_25.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_225[] = {
+ 0x0580A80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580A90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A64B9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69F0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_25_H
\ No newline at end of file
diff --git a/include/offsets/2_26.h b/include/offsets/2_26.h
new file mode 100644
index 0000000..59f7523
--- /dev/null
+++ b/include/offsets/2_26.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_26_H
+#define OFFSETS_2_26_H
+
+uint64_t g_sym_map_226[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_226[] = {
+ 0x0580A80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580A90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A64E9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69F0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_26_H
\ No newline at end of file
diff --git a/include/offsets/2_30.h b/include/offsets/2_30.h
new file mode 100644
index 0000000..effa877
--- /dev/null
+++ b/include/offsets/2_30.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_30_H
+#define OFFSETS_2_30_H
+
+uint64_t g_sym_map_230[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5C0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DE0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_230[] = {
+ 0x0580D50, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580D60, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A67B9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A66D0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_30_H
\ No newline at end of file
diff --git a/include/patches/1_00.h b/include/patches/1_00.h
new file mode 100644
index 0000000..f7055fe
--- /dev/null
+++ b/include/patches/1_00.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_00_H +#define PATCHES_1_00_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_100[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9071AB + }, +}; + +struct patch g_kernel_patches_100[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2f17a0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5a9710, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5a9720, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981099, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x4587e0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0d20, + "\x00", + 1 + }, + { + "panic patch 1", + 0x721d40, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40514b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x7223b0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x7228a0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722450, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x7225a0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722720, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722950, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722a10, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x722ad0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x722ba0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x722c70, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x722d50, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71d12e, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71d15b, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_00_H 
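Review bot: The comment on the `cfi_check_fail()` entry reads `// xor eax, eax; ret` but the bytes are `"\xC3"` with length 1, which is only `ret`; one of the two is wrong, and the same pair appears in the 1_01, 1_02, 1_05 and 1_10 headers of this commit. The fifteen `"panic patch N"` entries say nothing about which function each offset belongs to, unlike the first four entries, so a porter has nothing to check the next firmware's offsets against; put the target function in the name string or a comment per entry. Hex case is also mixed across the new tables (`0x7224C0` beside `0x40514b` in 1_01.h) even though the 1_05.h hunk explicitly normalises its existing offsets to lower case — pick one convention.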
diff --git a/include/patches/1_01.h b/include/patches/1_01.h
new file mode 100644
index 0000000..3f7bb71
--- /dev/null
+++ b/include/patches/1_01.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_01_H +#define PATCHES_1_01_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_101[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x90720B + }, +}; + +struct patch g_kernel_patches_101[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2f17a0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5a9730, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5a9740, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981109, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x4587e0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0d20, + "\x00", + 1 + }, + { + "panic patch 1", + 0x721db0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40514b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722420, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722910, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x7224C0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722610, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722790, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x7229C0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722A80, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x722B40, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x722C10, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x722CE0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x722DC0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D19E, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D1CB, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_01_H 
diff --git a/include/patches/1_02.h b/include/patches/1_02.h
new file mode 100644
index 0000000..eec7bdd
--- /dev/null
+++ b/include/patches/1_02.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_02_H +#define PATCHES_1_02_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_102[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9071CB + }, +}; + +struct patch g_kernel_patches_102[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2f17a0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5a9740, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5a9750, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9810c9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x4587e0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0d20, + "\x00", + 1 + }, + { + "panic patch 1", + 0x721d70, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40514b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x7223e0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x7228d0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722480, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x7225d0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722750, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722980, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722a40, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x722b00, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x722bd0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x722ca0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x722d80, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71d15e, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71d18b, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_02_H 
diff --git a/include/patches/1_05.h b/include/patches/1_05.h
index 481bab6..20163ac 100644
--- a/include/patches/1_05.h
+++ b/include/patches/1_05.h
@@ -3,6 +3,15 @@
 
 #include "patch_common.h"
 
+struct hook g_kernel_hooks_105[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ "sys_is_development_mode() -> isDevelopmentMode()",
+ 0x44000,
+ 0x9079BB
+ },
+};
+
 struct patch g_kernel_patches_105[] = {
 {
 /*
@@ -11,31 +20,141 @@ struct patch g_kernel_patches_105[] = { ret */ "sys_getgid()", - 0x02F17D0, + 0x02f17d0, "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", 14 }, { // mov eax, 1; ret "sceSblACMgrHasMmapSelfCapability()", - 0x05A9C20, + 0x5a9c20, "\xB8\x01\x00\x00\x00\xC3", 6 }, { // mov eax, 1; ret "sceSblACMgrIsAllowedToMmapSelf()", - 0x05A9C30, + 0x5a9c30, "\xB8\x01\x00\x00\x00\xC3", 6 }, { - // xor eax, eax; 3x nop; + // xor eax, eax; 3x nop "vm_mmap sceSblAuthMgrIsLoadable() call", - 0x0981909, + 0x981909, "\x31\xC0\x90\x90\x90", 5 }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458c10, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0da0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7222e0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40561b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722950, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722e40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x7229f0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722b40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722cc0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722ef0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722fb0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723070, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723140, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723210, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x7232f0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71d6ce, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71d6fb, + "\xB8\x00\x00\x00\x00", + 5 + } }; #endif // PATCHES_1_05_H \ No newline at end of file diff --git a/include/patches/1_10.h b/include/patches/1_10.h new file mode 100644 index 0000000..a6fd3a9 --- /dev/null +++ b/include/patches/1_10.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_10_H +#define PATCHES_1_10_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_110[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9079BB + }, +}; + +struct patch g_kernel_patches_110[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9C60, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9C70, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981919, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458C50, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7222F0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40565b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722960, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722E50, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722A00, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722B50, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722CD0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722F00, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722FC0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723080, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723150, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723220, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x723300, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D6DE, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D70B, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_10_H \ No newline at end of file 
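Review bot: The hook target `0x9079BB` in `g_kernel_hooks_110` is byte-identical to the 1.05 value in `g_kernel_hooks_105`, while every other 1.10 offset in this file has moved relative to 1.05 (`sys_getgid()` 0x2f17d0 → 0x2F1810, `cfi_check_fail()` 0x458c10 → 0x458C50, `panic patch 1` 0x7222e0 → 0x7222F0, and so on); that pattern looks like a copied, unverified value rather than a genuinely shared address. A hook placed at the wrong site in kernel .text is a panic rather than a failed feature, so the entry should either be re-derived from a 1.10 kernel or annotated `// TODO: unverified, copied from 1.05` until it has been. The hook targets in 1_11.h–2_30.h do differ per version, but none of them says how it was obtained either, so the same one-line provenance comment would help there too.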
diff --git a/include/patches/1_11.h b/include/patches/1_11.h new file mode 100644 index 0000000..9b07377 --- /dev/null +++ b/include/patches/1_11.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_11_H +#define PATCHES_1_11_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_111[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x907b0b + }, +}; + +struct patch g_kernel_patches_111[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9C80, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9C90, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981A69, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D10, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7223E0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40565B, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722A50, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722F40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722AF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722C40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722DC0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722FF0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x7230B0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723170, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723240, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723310, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x7233F0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D7CE, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D7FB, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_11_H \ No newline at end of file 
diff --git a/include/patches/1_12.h b/include/patches/1_12.h new file mode 100644 index 0000000..797aa51 --- /dev/null +++ b/include/patches/1_12.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_12_H +#define PATCHES_1_12_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_112[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x907c5b + }, +}; + +struct patch g_kernel_patches_112[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9CF0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9D00, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981BB9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x722530, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x4056BB, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722BA0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x723090, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722C40, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722D90, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722F10, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x723140, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x723200, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x7232C0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723390, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723460, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x723540, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D91E, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D94B, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_12_H \ No newline at end of file 
diff --git a/include/patches/1_13.h b/include/patches/1_13.h new file mode 100644 index 0000000..e2609d1 --- /dev/null +++ b/include/patches/1_13.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_13_H +#define PATCHES_1_13_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_113[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x907c2b + }, +}; + +struct patch g_kernel_patches_113[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9CF0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9D00, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981B89, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7224E0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x4056B6, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722B50, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x723040, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722BF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722D40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722EC0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x7230F0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x7231B0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723270, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723340, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723410, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x7234F0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D8CE, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D8FB, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_13_H \ No newline at end of file 
diff --git a/include/patches/1_14.h b/include/patches/1_14.h new file mode 100644 index 0000000..98adb57 --- /dev/null +++ b/include/patches/1_14.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_14_H +#define PATCHES_1_14_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_114[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9081db + }, +}; + +struct patch g_kernel_patches_114[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9D10, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9D20, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x982139, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x722550, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x4056BB, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722BC0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x7230B0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722C60, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722DB0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722F30, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x723160, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x723220, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x7232E0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x7233B0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723480, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x723560, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D93E, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D96B, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_14_H \ No newline at end of file 
diff --git a/include/patches/2_00.h b/include/patches/2_00.h new file mode 100644 index 0000000..d2af1db --- /dev/null +++ b/include/patches/2_00.h 
@@ -0,0 +1,161 @@ +#ifndef PATCHES_2_00_H +#define PATCHES_2_00_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_200[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x92976b + }, +}; + +struct patch g_kernel_patches_200[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69B0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580860, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580870, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A5F49, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FC60, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71DEE0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C79D6, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71E730, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71E7D0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71E880, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71E9D0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71EB50, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71ECD0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71ED90, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71EE50, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71EF20, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71EFF0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F0D0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71889A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x7188C7, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + +#endif // PATCHES_2_00_H \ No newline at end of file 
diff --git a/include/patches/2_20.h b/include/patches/2_20.h new file mode 100644 index 0000000..8062f6c --- /dev/null +++ b/include/patches/2_20.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_2_20_H +#define PATCHES_2_20_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_220[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929c2b + }, +}; + +struct patch g_kernel_patches_220[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69F0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5809D0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5809E0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A6409, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FCB0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E3A0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7A26, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71EBF0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71EC90, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71ED40, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71EE90, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F010, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F190, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F250, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F310, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F3E0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F4B0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F590, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x718D5A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x718D87, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_2_20_H 
diff --git a/include/patches/2_25.h b/include/patches/2_25.h new file mode 100644 index 0000000..45b91ff --- /dev/null +++ b/include/patches/2_25.h 
@@ -0,0 +1,163 @@ +#ifndef PATCHES_2_25_H +#define PATCHES_2_25_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_225[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929cdb + }, +}; + +struct patch g_kernel_patches_225[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69F0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580A80, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580A90, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A64B9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FCB0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E450, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7A26, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71ECA0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71ED40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71EDF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71EF40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F0C0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F240, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F300, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F3C0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F490, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F560, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F640, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x718E0A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x718E37, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + + + +#endif // PATCHES_2_25_H \ No newline at end of file 
diff --git a/include/patches/2_26.h b/include/patches/2_26.h new file mode 100644 index 0000000..52b2ffd --- /dev/null +++ b/include/patches/2_26.h 
@@ -0,0 +1,162 @@ +#ifndef PATCHES_2_26_H +#define PATCHES_2_26_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_226[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929d0b + }, +}; + +struct patch g_kernel_patches_226[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69F0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580A80, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580A90, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A64E9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FCB0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E450, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7A26, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71ECA0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71ED40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71EDF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71EF40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F0C0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F240, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F300, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F3C0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F490, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F560, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F640, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x718E0A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x718E37, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + + +#endif // PATCHES_2_26_H \ No newline at end of file 
diff --git a/include/patches/2_30.h b/include/patches/2_30.h new file mode 100644 index 0000000..e157b42 --- /dev/null +++ b/include/patches/2_30.h 
@@ -0,0 +1,161 @@ +#ifndef PATCHES_2_30_H +#define PATCHES_2_30_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_230[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929fdb + }, +}; + +struct patch g_kernel_patches_230[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A66D0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580D50, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580D60, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A67B9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FB70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E720, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7726, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71EF70, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71F010, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71F0C0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71F210, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F390, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F510, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F5D0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F690, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F760, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F830, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F910, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x7190DA, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x719107, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + +#endif // PATCHES_2_30_H \ No newline at end of file 
diff --git a/src/kdlsym.cpp b/src/kdlsym.cpp
index f3f2595..4e3d861 100644
--- a/src/kdlsym.cpp
+++ b/src/kdlsym.cpp
@@ -8,7 +8,20 @@ extern "C"
 #include "debug_log.h"
 #include "kdlsym.h"
+#include "offsets/1_00.h"
+#include "offsets/1_01.h"
+#include "offsets/1_02.h"
 #include "offsets/1_05.h"
+#include "offsets/1_10.h"
+#include "offsets/1_11.h"
+#include "offsets/1_12.h"
+#include "offsets/1_13.h"
+#include "offsets/1_14.h"
+#include "offsets/2_00.h"
+#include "offsets/2_20.h"
+#include "offsets/2_25.h"
+#include "offsets/2_26.h"
+#include "offsets/2_30.h"
 #include "offsets/2_50.h"
 uint64_t g_fw_version;
@@ -22,6 +35,7 @@ void init_kdlsym()
 // Resolve symbols
 switch (g_fw_version) {
 case 0x1000000:
+ case 0x1010000:
 case 0x1020000:
 case 0x1050000:
 case 0x1100000:
@@ -37,6 +51,7 @@ void init_kdlsym()
 case 0x2260000:
 case 0x2300000:
 case 0x2500000:
+ case 0x2700000:
 g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B80000;
 break;
 }
@@ -63,20 +78,35 @@ uint64_t kdlsym(ksym_t sym)
 switch (g_fw_version) {
 case 0x1000000:
+ return g_kernel_base + g_sym_map_100[sym];
+ case 0x1010000:
+ return g_kernel_base + g_sym_map_101[sym];
 case 0x1020000:
+ return g_kernel_base + g_sym_map_102[sym];
 case 0x1050000:
+ return g_kernel_base + g_sym_map_105[sym];
 case 0x1100000:
+ return g_kernel_base + g_sym_map_110[sym];
 case 0x1110000:
+ return g_kernel_base + g_sym_map_111[sym];
 case 0x1120000:
+ return g_kernel_base + g_sym_map_112[sym];
 case 0x1130000:
+ return g_kernel_base + g_sym_map_113[sym];
 case 0x1140000:
- return g_kernel_base + g_sym_map_105[sym];
+ return g_kernel_base + g_sym_map_114[sym];
 case 0x2000000:
+ return g_kernel_base + g_sym_map_200[sym];
 case 0x2200000:
+ return g_kernel_base + g_sym_map_220[sym];
 case 0x2250000:
+ return g_kernel_base + g_sym_map_225[sym];
 case 0x2260000:
+ return g_kernel_base + g_sym_map_226[sym];
 case 0x2300000:
+ return g_kernel_base + g_sym_map_230[sym];
 case 0x2500000:
+ case 0x2700000:
 return g_kernel_base + g_sym_map_250[sym];
 }
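Review bot: `case 0x2700000:` is folded into the 2.50 branch of `init_kdlsym` (same `- 0x1B80000` base adjustment) and, in the `kdlsym` hunk below, into `g_sym_map_250`, with no `offsets/2_70.h` of its own and no comment saying the sharing was verified against a 2.70 kernel; a symbol map that is wrong for 2.70 turns every `kernel_write4` routed through `kdlsym()` into a write at an unrelated kernel address, which is a panic at best. Add the provenance at the case, e.g. `case 0x2700000: // 2.70 confirmed to share the 2.50 symbol layout`, or give 2.70 its own map. Separately, the new per-version `return g_kernel_base + g_sym_map_1xx[sym];` lines index each table with `sym` unchecked; if `ksym_t` is an enum and each table is sized to it this is fine, but a `static_assert` comparing each table's element count with the enum's last value would catch a map that lost entries when it was ported. `kdlsym`'s body continues past the end of the last hunk.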
diff --git a/src/main.cpp b/src/main.cpp
index 46f17aa..60e7e56 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -31,6 +31,8 @@ extern "C"
 int sceKernelSleep(int secs);
 int sceKernelLoadStartModule(char *name, size_t argc, const void *argv, uint32_t flags, void *unk, int *res);
 int __sys_is_development_mode();
+
+ int sceSystemStateMgrEnterStandby(void);
 }
 void dump_kernel_to_client(int client)
@@ -132,11 +134,20 @@ int main()
 // Check if this is a resume state or not, if it's not, prompt for restart and exit
 if (kernel_read4(kdlsym(KERNEL_SYM_DATA_CAVE)) != 0x1337)
 {
 // Notify the user that they have to suspend/resume their console
- SOCK_LOG("[+] System needs to be suspended and resumed...\n");
- flash_notification("Byepervisor\nEnter rest mode & resume");
+ flash_notification("[PS5HEN] Entering rest mode for in 3 secs\nRe-run Byepervisor after resuming to continue...");
 kernel_write4(kdlsym(KERNEL_SYM_DATA_CAVE), 0x1337);
-
- return 0;
+ sleep(3);
+ sceSystemStateMgrEnterStandby();
+ return 0;
+ }
+ else
+ {
+ SOCK_LOG("[+] Loading PS5HEN By SpecterDev\n");
+ flash_notification(
+ "Welcome To PS5HEN 1.1\nPlayStation 5 FW: %u.%u\nBy SpecterDev",
+ (kernel_get_fw_version() >> 24) & 0xF,
+ ((kernel_get_fw_version() >> 20) & 0xF) * 10 + ((kernel_get_fw_version() >> 16) & 0xF)
+ );
 }
 // Print out the kernel base
@@ -181,7 +192,8 @@ int main()
 SOCK_LOG("[+] Aft. hook is_development_mode = 0x%x\n", __sys_is_development_mode());
- run_self_server(9004);
 reset_mirrors();
+ run_self_server(9004);
+
+ return 0;
 }
diff --git a/src/patching.cpp b/src/patching.cpp
index 7f6af28..551908b 100644
--- a/src/patching.cpp
+++ b/src/patching.cpp
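Review bot: In the second hunk the resume marker `0x1337` is written to the data cave before `sceSystemStateMgrEnterStandby()` is called, and that call's return value is discarded; if the standby request fails or is cancelled the console never sleeps, yet the next run of the payload finds the marker, takes the `else` path and goes on to patch a kernel that has not been through the suspend/resume the whole technique depends on. Check the result (assuming the usual Sce convention of 0 on success, which this diff does not show) and clear the marker on failure before returning, as sketched below. The firmware banner uses `"FW: %u.%u"`, which renders minor versions below 10 wrongly — 0x1050000 prints as `1.5`, because the second argument evaluates to `0 * 10 + 5` — so use `%u.%02u`. The notification text `Entering rest mode for in 3 secs` has a stray `for`. The removed `SOCK_LOG("[+] System needs to be suspended and resumed...")` was the only log-side record of which branch ran; keep an equivalent log line so the TCP log still shows why the run ended.
```cpp
            kernel_write4(kdlsym(KERNEL_SYM_DATA_CAVE), 0x1337);
            sleep(3);
            // Keep the resume marker only if the standby request was accepted; otherwise the
            // next run would take the resume path on a console that never actually slept.
            int rc = sceSystemStateMgrEnterStandby();
            if (rc != 0) {
                kernel_write4(kdlsym(KERNEL_SYM_DATA_CAVE), 0);
                SOCK_LOG("[!] sceSystemStateMgrEnterStandby failed: 0x%x\n", rc);
                return -1;
            }
            return 0;
```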
@@ -14,7 +14,20 @@ extern "C"
 #include "kdlsym.h"
 #include "patching.h"
+#include "patches/1_00.h"
+#include "patches/1_01.h"
+#include "patches/1_02.h"
 #include "patches/1_05.h"
+#include "patches/1_10.h"
+#include "patches/1_11.h"
+#include "patches/1_12.h"
+#include "patches/1_13.h"
+#include "patches/1_14.h"
+#include "patches/2_00.h"
+#include "patches/2_20.h"
+#include "patches/2_25.h"
+#include "patches/2_26.h"
+#include "patches/2_30.h"
 #include "patches/2_50.h"
 int apply_kernel_patches()
@@ -32,11 +45,64 @@ int apply_kernel_patches()
 SOCK_LOG("apply_kernel_patches: fw_ver=0x%lx\n", fw_ver);
 switch (fw_ver) {
+ case 0x1000000:
+ patches = (struct patch *) &g_kernel_patches_100;
+ num_patches = sizeof(g_kernel_patches_100) / sizeof(struct patch);
+ break;
+ case 0x1010000:
+ patches = (struct patch *) &g_kernel_patches_101;
+ num_patches = sizeof(g_kernel_patches_101) / sizeof(struct patch);
+ break;
+ case 0x1020000:
+ patches = (struct patch *) &g_kernel_patches_102;
+ num_patches = sizeof(g_kernel_patches_102) / sizeof(struct patch);
+ break;
 case 0x1050000:
 patches = (struct patch *) &g_kernel_patches_105;
 num_patches = sizeof(g_kernel_patches_105) / sizeof(struct patch);
 break;
+ case 0x1100000:
+ patches = (struct patch *) &g_kernel_patches_110;
+ num_patches = sizeof(g_kernel_patches_110) / sizeof(struct patch);
+ break;
+ case 0x1110000:
+ patches = (struct patch *) &g_kernel_patches_111;
+ num_patches = sizeof(g_kernel_patches_111) / sizeof(struct patch);
+ break;
+ case 0x1120000:
+ patches = (struct patch *) &g_kernel_patches_112;
+ num_patches = sizeof(g_kernel_patches_112) / sizeof(struct patch);
+ break;
+ case 0x1130000:
+ patches = (struct patch *) &g_kernel_patches_113;
+ num_patches = sizeof(g_kernel_patches_113) / sizeof(struct patch);
+ break;
+ case 0x1140000:
+ patches = (struct patch *) &g_kernel_patches_114;
+ num_patches = sizeof(g_kernel_patches_114) / sizeof(struct patch);
+ break;
+ case 0x2000000:
+ patches = (struct patch *) &g_kernel_patches_200;
+ num_patches = sizeof(g_kernel_patches_200) / sizeof(struct patch);
+ break;
+ case 0x2200000:
+ patches = (struct patch *) &g_kernel_patches_220;
+ num_patches = sizeof(g_kernel_patches_220) / sizeof(struct patch);
+ break;
+ case 0x2250000:
+ patches = (struct patch *) &g_kernel_patches_225;
+ num_patches = sizeof(g_kernel_patches_225) / sizeof(struct patch);
+ break;
+ case 0x2260000:
+ patches = (struct patch *) &g_kernel_patches_226;
+ num_patches = 
sizeof(g_kernel_patches_226) / sizeof(struct patch);
+ break;
+ case 0x2300000:
+ patches = (struct patch *) &g_kernel_patches_230;
+ num_patches = sizeof(g_kernel_patches_230) / sizeof(struct patch);
+ break;
 case 0x2500000:
+ case 0x2700000:
 patches = (struct patch *) &g_kernel_patches_250;
 num_patches = sizeof(g_kernel_patches_250) / sizeof(struct patch);
 break;