From 68fc49b064228722fe9e0669a911df7671c180a3 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sat, 26 Oct 2024 07:09:03 -0600
Subject: [PATCH 01/24] Added Kernel Offsets For Hen Thanks To @BestPig And @zecoxao For Help
---
hen/include/offsets/1_10.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/1_11.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/1_12.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/1_13.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/1_14.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/2_00.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/2_20.h | 42 ++++++++++++++++++++++++++++++++++++++
hen/include/offsets/2_25.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/2_26.h | 41 +++++++++++++++++++++++++++++++++++++
hen/include/offsets/2_30.h | 41 +++++++++++++++++++++++++++++++++++++
hen/src/kdlsym.cpp | 25 +++++++++++++++++++++++
11 files changed, 436 insertions(+)
create mode 100644 hen/include/offsets/1_10.h
create mode 100644 hen/include/offsets/1_11.h
create mode 100644 hen/include/offsets/1_12.h
create mode 100644 hen/include/offsets/1_13.h
create mode 100644 hen/include/offsets/1_14.h
create mode 100644 hen/include/offsets/2_00.h
create mode 100644 hen/include/offsets/2_20.h
create mode 100644 hen/include/offsets/2_25.h
create mode 100644 hen/include/offsets/2_26.h
create mode 100644 hen/include/offsets/2_30.h
diff --git a/hen/include/offsets/1_10.h b/hen/include/offsets/1_10.h
new file mode 100644
index 0000000..9d69600
--- /dev/null
+++ b/hen/include/offsets/1_10.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
+ 0x04A05E0, // KERNEL_SYM_PRINTF
+ 0x08A6970, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7520, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9C90, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0A9CFB0, // KERNEL_SYM_MALLOC
+ 0x0A9D360, // KERNEL_SYM_FREE
+ 0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A69D0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563FA0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0A40, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F30, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907D30, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F190, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F290, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689930, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689A90, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B710, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816080, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A000, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_10_H
diff --git a/hen/include/offsets/1_11.h b/hen/include/offsets/1_11.h
new file mode 100644
index 0000000..0b23290
--- /dev/null
+++ b/hen/include/offsets/1_11.h
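Review bot: `g_sym_map_110` is defined in a header as a writable array with external linkage, so a second translation unit that includes `offsets/1_10.h` produces a duplicate-symbol link error and the table of kernel addresses stays mutable for the whole lifetime of the module; `static const uint64_t g_sym_map_110[] = {` fixes both, and the same applies to the tables in offsets/1_11.h through 2_30.h. The header also uses `uint64_t` without including `<stdint.h>` (or `<cstdint>`) itself, so it only compiles when the including file has already pulled that in. Two entries are annotated `// NEEDS TO BE CHECKED` (DATA_CAVE here, CTXTABLE_MTX in 1_14.h) yet nothing distinguishes them from verified entries once kdlsym() adds them to the kernel base; a comment at the top of the affected tables such as `// Entries marked NEEDS TO BE CHECKED are unverified for this firmware and must not be relied on until confirmed` makes that status visible to callers.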
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_11_H
+#define OFFSETS_1_11_H
+
+uint64_t g_sym_map_111[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
+ 0x04A05E0, // KERNEL_SYM_PRINTF
+ 0x08A6A70, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7620, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9CB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0A9D110, // KERNEL_SYM_MALLOC
+ 0x0A9D370, // KERNEL_SYM_FREE
+ 0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6AD0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563FC0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0A40, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F30, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907E80, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F1B0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F2B0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06899D0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689B30, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B710, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816170, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A0F0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_11_H
diff --git a/hen/include/offsets/1_12.h b/hen/include/offsets/1_12.h
new file mode 100644
index 0000000..3eae8bf
--- /dev/null
+++ b/hen/include/offsets/1_12.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_12_H
+#define OFFSETS_1_12_H
+
+uint64_t g_sym_map_112[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0640, // KERNEL_SYM_PRINTF
+ 0x08A6BC0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7770, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9D20, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457580, // KERNEL_SYM_M_TEMP
+ 0x0A9D260, // KERNEL_SYM_MALLOC
+ 0x0A9D4C0, // KERNEL_SYM_FREE
+ 0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6C20, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0564030, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907FD0, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F220, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F320, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689B20, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689C80, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x08162C0, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A240, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_12_H
diff --git a/hen/include/offsets/1_13.h b/hen/include/offsets/1_13.h
new file mode 100644
index 0000000..12aca0c
--- /dev/null
+++ b/hen/include/offsets/1_13.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0640, // KERNEL_SYM_PRINTF
+ 0x08A6B70, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7720, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9D20, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34575C0, // KERNEL_SYM_M_TEMP
+ 0x0A9D230, // KERNEL_SYM_MALLOC
+ 0x0A9D490, // KERNEL_SYM_FREE
+ 0x28D1CB8, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6BD0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0564030, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907FA0, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F220, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F320, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689B20, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689C80, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0816270, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A1F0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_13_H
diff --git a/hen/include/offsets/1_14.h b/hen/include/offsets/1_14.h
new file mode 100644
index 0000000..9a005c8
--- /dev/null
+++ b/hen/include/offsets/1_14.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0640, // KERNEL_SYM_PRINTF
+ 0x08A6BE0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A7790, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9D40, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34575C0, // KERNEL_SYM_M_TEMP
+ 0x0A9D7E0, // KERNEL_SYM_MALLOC
+ 0x0A9DA40, // KERNEL_SYM_FREE
+ 0x2805CB8, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A6C40, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0564050, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC368, // KERNEL_SYM_CTXTABLE_MTX // NEEDS TO BE CHECKED
+ 0x38AC390, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0908550, // KERNEL_SYM_RW_MEM
+ 0x4211C18, // KERNEL_SYM_ALLPROC
+ 0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059F240, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059F340, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689B40, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689CA0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x08162E0, // KERNEL_SYM_SHA256_HMAC
+ 0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x072A260, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_14_H
diff --git a/hen/include/offsets/2_00.h b/hen/include/offsets/2_00.h
new file mode 100644
index 0000000..6dd605a
--- /dev/null
+++ b/hen/include/offsets/2_00.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_00_H
+#define OFFSETS_2_00_H
+
+uint64_t g_sym_map_200[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0468450, // KERNEL_SYM_PRINTF
+ 0x08C2DA0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3940, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580890, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D31F0, // KERNEL_SYM_M_TEMP
+ 0x0AD1450, // KERNEL_SYM_MALLOC
+ 0x0AD1680, // KERNEL_SYM_FREE
+ 0x27FB448, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C2E00, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0534060, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD10, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B200, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0929AF0, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3BD0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C40E0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574C40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574D40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A460, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A590, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC30, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x08252C0, // KERNEL_SYM_SHA256_HMAC
+ 0x02E5870, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0725F00, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_00_H
diff --git a/hen/include/offsets/2_20.h b/hen/include/offsets/2_20.h
new file mode 100644
index 0000000..929ba55
--- /dev/null
+++ b/hen/include/offsets/2_20.h
@@ -0,0 +1,42 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+ 0x0B6F780, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x04684A0, // KERNEL_SYM_PRINTF
+ 0x08C3250, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3DE0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580A00, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D32F0, // KERNEL_SYM_M_TEMP
+ 0x0AD1910, // KERNEL_SYM_MALLOC
+ 0x0AD1B40, // KERNEL_SYM_FREE
+ 0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C32A0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x05340B0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0929FB0, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574DB0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574EB0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A610, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A740, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825760, // KERNEL_SYM_SHA256_HMAC
+ 0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x07263C0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+
+#endif // OFFSETS_2_20_H
diff --git a/hen/include/offsets/2_25.h b/hen/include/offsets/2_25.h
new file mode 100644
index 0000000..c2b0ef7
--- /dev/null
+++ b/hen/include/offsets/2_25.h
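Review bot: `KERNEL_SYM_TEXT_END` is `0x0B6F780` in this table, while the other 2.xx tables on the page (2_00, 2_25, 2_26, 2_30) all carry the page-aligned `0x0B70000` and every 1.1x table carries `0x0B30000`; this may well be correct for 2.20, but it is the only non-page-aligned value in that row across all ten tables, so it deserves either a confirming comment such as `// verified for 2.20; not page-aligned unlike the other 2.xx builds` or a second look. The table also ends with two blank lines before `#endif` where its siblings have one.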
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x04684A0, // KERNEL_SYM_PRINTF
+ 0x08C32F0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3E90, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580AB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D32F0, // KERNEL_SYM_M_TEMP
+ 0x0AD19C0, // KERNEL_SYM_MALLOC
+ 0x0AD1BF0, // KERNEL_SYM_FREE
+ 0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C3350, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0534160, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x092A060, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574E60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574F60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A6C0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A7F0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825810, // KERNEL_SYM_SHA256_HMAC
+ 0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0726470, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_25_H
diff --git a/hen/include/offsets/2_26.h b/hen/include/offsets/2_26.h
new file mode 100644
index 0000000..8e6fab8
--- /dev/null
+++ b/hen/include/offsets/2_26.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_26_H
+#define OFFSETS_2_26_H
+
+uint64_t g_sym_map_226[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x04684A0, // KERNEL_SYM_PRINTF
+ 0x08C3320, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3EC0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580AB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D32F0, // KERNEL_SYM_M_TEMP
+ 0x0AD19F0, // KERNEL_SYM_MALLOC
+ 0x0AD1C20, // KERNEL_SYM_FREE
+ 0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C3380, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0534160, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x092A090, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0574E60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0574F60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A6C0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067A7F0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825840, // KERNEL_SYM_SHA256_HMAC
+ 0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0726470, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_26_H
diff --git a/hen/include/offsets/2_30.h b/hen/include/offsets/2_30.h
new file mode 100644
index 0000000..b2f87c7
--- /dev/null
+++ b/hen/include/offsets/2_30.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_2_30_H
+#define OFFSETS_2_30_H
+
+uint64_t g_sym_map_230[] = {
+ 0x0B70000, // KERNEL_SYM_TEXT_END
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0468400, // KERNEL_SYM_PRINTF
+ 0x08C35F0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C4190, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x0580D80, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x34D3470, // KERNEL_SYM_M_TEMP
+ 0x0AD1E00, // KERNEL_SYM_MALLOC
+ 0x0AD2030, // KERNEL_SYM_FREE
+ 0x286E628, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08C3650, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x05340C0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x3910370, // KERNEL_SYM_CTXTABLE_MTX
+ 0x3910390, // KERNEL_SYM_CTXSTATUS
+ 0x39103A0, // KERNEL_SYM_CTXTABLE
+ 0x047ACC0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x047B1B0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x092A360, // KERNEL_SYM_RW_MEM
+ 0x4281C28, // KERNEL_SYM_ALLPROC
+ 0x02C38F0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x02C3930, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x02C3E00, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x0575130, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x0575230, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x067A990, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x067AAC0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x03CD980, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0825B10, // KERNEL_SYM_SHA256_HMAC
+ 0x02E5590, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0726740, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_2_30_H
diff --git a/hen/src/kdlsym.cpp b/hen/src/kdlsym.cpp
index d3094b2..ab87add 100644
--- a/hen/src/kdlsym.cpp
+++ b/hen/src/kdlsym.cpp
@@ -1,6 +1,16 @@ #include #include "kdlsym.h" +#include "offsets/1_10.h" +#include "offsets/1_11.h" +#include "offsets/1_12.h" +#include "offsets/1_13.h" +#include "offsets/1_14.h" +#include "offsets/2_00.h" +#include "offsets/2_20.h" +#include "offsets/2_25.h" +#include "offsets/2_26.h" +#include "offsets/2_30.h" #include "offsets/2_50.h" uint64_t g_fw_version; @@ -35,11 +45,26 @@ uint64_t kdlsym(ksym_t sym) return 0; switch (g_fw_version) { + case 0x1100000: + return g_kernel_base + g_sym_map_110[sym]; + case 0x1110000: + return g_kernel_base + g_sym_map_111[sym]; + case 0x1120000: + return g_kernel_base + g_sym_map_112[sym]; + case 0x1130000: + return g_kernel_base + g_sym_map_113[sym]; + case 0x1140000: + return g_kernel_base + g_sym_map_114[sym]; case 0x2000000: + return g_kernel_base + g_sym_map_200[sym]; case 0x2200000: + return g_kernel_base + g_sym_map_220[sym]; case 0x2250000: + return g_kernel_base + g_sym_map_225[sym]; case 0x2260000: + return g_kernel_base + g_sym_map_226[sym]; case 0x2300000: + return g_kernel_base + g_sym_map_230[sym]; case 0x2500000: return g_kernel_base + g_sym_map_250[sym]; } From 43f972103c183067a59475f2cd53e3967841e85f Mon Sep 17 00:00:00 2001 
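Review bot: Each new `case` indexes its offsets table with `sym` unchecked, so a `ksym_t` value at or beyond the 34 entries every offsets header defines reads past the array and hands the caller `g_kernel_base` plus whatever lies after the table; the `return 0;` just above the switch suggests some validity check exists, but its condition is outside the hunk and cannot be confirmed from here. Guard the index explicitly before the switch, `if (sym >= KSYM_COUNT) return 0;` (KSYM_COUNT is a placeholder for whatever terminal enumerator kdlsym.h provides — that header is not on the page), and pin each table with `static_assert(sizeof(g_sym_map_110) / sizeof(g_sym_map_110[0]) == KSYM_COUNT, "offset table out of step with ksym_t");` so a table that drops or gains an entry fails at build time instead of at runtime inside the kernel. The firmware constants `0x1100000` through `0x2300000` would also read better as named enumerators next to `g_fw_version`, since the same magic values presumably recur wherever `g_fw_version` is assigned.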
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sat, 26 Oct 2024 08:30:37 -0600
Subject: [PATCH 02/24] Added Hook Offsets For Hen Thanks To @BestPig And @zecoxao For Help
---
hen/include/hooks/1_10.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/1_11.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/1_12.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/1_13.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/1_14.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/2_00.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/2_20.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/2_25.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/2_26.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/include/hooks/2_30.h | 79 ++++++++++++++++++++++++++++++++++++++++
hen/src/hook.cpp | 50 +++++++++++++++++++++++++
11 files changed, 840 insertions(+)
create mode 100644 hen/include/hooks/1_10.h
create mode 100644 hen/include/hooks/1_11.h
create mode 100644 hen/include/hooks/1_12.h
create mode 100644 hen/include/hooks/1_13.h
create mode 100644 hen/include/hooks/1_14.h
create mode 100644 hen/include/hooks/2_00.h
create mode 100644 hen/include/hooks/2_20.h
create mode 100644 hen/include/hooks/2_25.h
create mode 100644 hen/include/hooks/2_26.h
create mode 100644 hen/include/hooks/2_30.h
diff --git a/hen/include/hooks/1_10.h b/hen/include/hooks/1_10.h
new file mode 100644
index 0000000..9eb5dfd
--- /dev/null
+++ b/hen/include/hooks/1_10.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_10_H
+#define HOOKS_1_10_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_110[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 9079BB
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6970
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a69d0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a69d0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x3712d5,
+ 0x563fa0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x3717df,
+ 0x563fa0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371d85,
+ 0x563fa0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9c90
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86760c,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8678b1,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x563fa0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x729f40
+ }
+};
+
+#endif // HOOKS_1_10_H
diff --git a/hen/include/hooks/1_11.h b/hen/include/hooks/1_11.h
new file mode 100644
index 0000000..df7e873
--- /dev/null
+++ b/hen/include/hooks/1_11.h
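Review bot: The first entry's third field is written `9079BB` with no `0x` prefix, which is not a valid C/C++ token (a decimal literal with an alphabetic suffix), so this header fails to compile as soon as it is included; every sibling table writes that field as a hex literal (`0x907b0b` in 1_11.h, for instance), so this line should read `0x9079BB`. As with the offsets headers, `struct hook g_kernel_hooks_110[]` is a writable, externally linked definition living in a header; `static const struct hook g_kernel_hooks_110[] = {` avoids duplicate symbols if a second translation unit includes it and keeps the hook table read-only, and the same applies to hooks/1_11.h through 2_26.h on this page. The two unnamed hex columns of each initializer carry no comment saying which `struct hook` members they fill (hook.h is not on the page), so a one-line comment above each table naming the fields in order — or designated initializers, if the project builds as C++20 — would make these tables reviewable without opening hook.h.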
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_11_H
+#define HOOKS_1_11_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_111[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 0x907b0b
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6ad0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6ad0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x3712d5,
+ 0x563fc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x3717df,
+ 0x563fc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371d85,
+ 0x563fc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9cb0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86770c,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8679b1,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x563fc0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a030
+ }
+};
+
+#endif // HOOKS_1_11_H
diff --git a/hen/include/hooks/1_12.h b/hen/include/hooks/1_12.h
new file mode 100644
index 0000000..5b82eaa
--- /dev/null
+++ b/hen/include/hooks/1_12.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_12_H
+#define HOOKS_1_12_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_112[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 0x907c5b
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6bc0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6c20
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6c20
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371305,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37180f,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371db5,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9d20
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86785c,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x867b01,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a180
+ }
+};
+
+#endif // HOOKS_1_12_H
diff --git a/hen/include/hooks/1_13.h b/hen/include/hooks/1_13.h
new file mode 100644
index 0000000..af0cecd
--- /dev/null
+++ b/hen/include/hooks/1_13.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_13_H
+#define HOOKS_1_13_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_113[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 0x907c2b
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6b70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6bd0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6bd0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371305,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37180f,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371db5,
+ 0x564030
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9d20
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86780c,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x867ab1,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x564030
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a130
+ }
+};
+
+#endif // HOOKS_1_13_H
diff --git a/hen/include/hooks/1_14.h b/hen/include/hooks/1_14.h
new file mode 100644
index 0000000..a850664
--- /dev/null
+++ b/hen/include/hooks/1_14.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_14_H
+#define HOOKS_1_14_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_114[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 0x9081db
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcde1,
+ 0x8a6be0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd55e,
+ 0x8a6c40
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de3a9,
+ 0x8a6c40
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371305,
+ 0x564050
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37180f,
+ 0x564050
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371db5,
+ 0x564050
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcccd,
+ 0x5a9d40
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86787c,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x867b21,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d56b6,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50df,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d514b,
+ 0x564050
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e33d,
+ 0x72a1a0
+ }
+};
+
+#endif // HOOKS_1_14_H
diff --git a/hen/include/hooks/2_00.h b/hen/include/hooks/2_00.h
new file mode 100644
index 0000000..c5d992c
--- /dev/null
+++ b/hen/include/hooks/2_00.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_00_H
+#define HOOKS_2_00_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_200[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 0x92976b
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2915a1,
+ 0x8c2da0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291d29,
+ 0x8c2e00
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x292b4b,
+ 0x8c2e00
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c915,
+ 0x534060
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32cdff,
+ 0x534060
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d3a5,
+ 0x534060
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x29148d,
+ 0x580890
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87d60c,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87d8b1,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28a116,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289b3f,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289bab,
+ 0x534060
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e587d,
+ 0x725e40
+ }
+};
+
+#endif // HOOKS_2_00_H
diff --git a/hen/include/hooks/2_20.h b/hen/include/hooks/2_20.h
new file mode 100644
index 0000000..b01d8d5
--- /dev/null
+++ b/hen/include/hooks/2_20.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_2_20_H
+#define HOOKS_2_20_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_220[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x44000,
+ 0x929c2b
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2915e1,
+ 0x8c3250
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x291d69,
+ 0x8c32a0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x292b8b,
+ 0x8c32a0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x32c955,
+ 0x5340b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x32ce3f,
+ 0x5340b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x32d3e5,
+ 0x5340b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2914cd,
+ 0x580a00
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87daac,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x87dd51,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x28a156,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289b7f,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x289beb,
+ 0x5340b0
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x2e58bd,
+ 0x726300
+ }
+};
+
+#endif // HOOKS_2_20_H
\ No newline at end of file
diff --git a/hen/include/hooks/2_25.h b/hen/include/hooks/2_25.h
new file mode 100644
index 0000000..cca728e
--- /dev/null
+++ b/hen/include/hooks/2_25.h
@@ -0,0 +1,79 @@ +#ifndef HOOKS_2_25_H +#define HOOKS_2_25_H + +#include "hook.h" + +struct hook g_kernel_hooks_225[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + 0x44000, + 0x929cdb + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE, + 0x2915e1, + 0x8c32f0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER, + 0x291d69, + 0x8c3350 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME, + 0x292b8b, + 0x8c3350 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT, + 0x32c955, + 0x534160 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK, + 0x32ce3f, + 0x534160 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS, + 0x32d3e5, + 0x534160 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, + 0x2914cd, + 0x580ab0 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x87db5c, + 0x534160 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x87de01, + 0x534160 + }, + { + HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x28a156, + 0x534160 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x289b7f, + 0x534160 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x289beb, + 0x534160 + }, + { + HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE, + 0x2e58bd, + 0x7263b0 + } +}; + +#endif // HOOKS_2_25_H diff --git a/hen/include/hooks/2_26.h b/hen/include/hooks/2_26.h new file mode 100644 index 0000000..339b3e7 --- /dev/null +++ b/hen/include/hooks/2_26.h 
@@ -0,0 +1,79 @@ +#ifndef HOOKS_2_26_H +#define HOOKS_2_26_H + +#include "hook.h" + +struct hook g_kernel_hooks_226[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + 0x44000, + 0x929d0b + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE, + 0x2915e1, + 0x8c3320 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER, + 0x291d69, + 0x8c3380 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME, + 0x292b8b, + 0x8c3380 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT, + 0x32c955, + 0x534160 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK, + 0x32ce3f, + 0x534160 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS, + 0x32d3e5, + 0x534160 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, + 0x2914cd, + 0x580ab0 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x87db8c, + 0x534160 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x87de31, + 0x534160 + }, + { + HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x28a156, + 0x534160 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x289b7f, + 0x534160 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x289beb, + 0x534160 + }, + { + HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE, + 0x2e58bd, + 0x7263b0 + } +}; + +#endif // HOOKS_2_26_H diff --git a/hen/include/hooks/2_30.h b/hen/include/hooks/2_30.h new file mode 100644 index 0000000..821fef2 --- /dev/null +++ b/hen/include/hooks/2_30.h 
@@ -0,0 +1,79 @@ +#ifndef HOOKS_2_30_H +#define HOOKS_2_30_H + +#include "hook.h" + +struct hook g_kernel_hooks_230[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + 0x44000, + 0x929fdb + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE, + 0x2912c1, + 0x8c35f0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER, + 0x291a49, + 0x8c3650 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME, + 0x29286b, + 0x8c3650 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT, + 0x32c635, + 0x5340c0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK, + 0x32cb1f, + 0x5340c0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS, + 0x32d0c5, + 0x5340c0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, + 0x2911ad, + 0x580d80 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x87de5c, + 0x5340c0 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x87e101, + 0x5340c0 + }, + { + HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x289e36, + 0x5340c0 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x28985f, + 0x5340c0 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x2898cb, + 0x5340c0 + }, + { + HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE, + 0x2e559d, + 0x726680 + } +}; + +#endif // HOOKS_2_30_H diff --git a/hen/src/hook.cpp b/hen/src/hook.cpp index 064632e..55821f4 100644 --- a/hen/src/hook.cpp +++ b/hen/src/hook.cpp @@ -5,6 +5,16 @@ #include "hook.h" #include "kdlsym.h" +#include "hooks/1_10.h" +#include "hooks/1_11.h" +#include "hooks/1_12.h" +#include "hooks/1_13.h" +#include "hooks/1_14.h" +#include "hooks/2_00.h" +#include "hooks/2_20.h" +#include "hooks/2_25.h" +#include "hooks/2_26.h" +#include "hooks/2_30.h" #include "hooks/2_50.h" struct hook *find_hook(hook_id id) 
@@ -22,6 +32,46 @@ struct hook *find_hook(hook_id id)
 // hooks = (struct hook *) &g_kernel_hooks_105;
 // num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook);
 // break;
+ case 0x1100000:
+ hooks = (struct hook *) &g_kernel_hooks_110;
+ num_hooks = sizeof(g_kernel_hooks_110) / sizeof(struct hook);
+ break;
+ case 0x1110000:
+ hooks = (struct hook *) &g_kernel_hooks_111;
+ num_hooks = sizeof(g_kernel_hooks_111) / sizeof(struct hook);
+ break;
+ case 0x1120000:
+ hooks = (struct hook *) &g_kernel_hooks_112;
+ num_hooks = sizeof(g_kernel_hooks_112) / sizeof(struct hook);
+ break;
+ case 0x1130000:
+ hooks = (struct hook *) &g_kernel_hooks_113;
+ num_hooks = sizeof(g_kernel_hooks_113) / sizeof(struct hook);
+ break;
+ case 0x1140000:
+ hooks = (struct hook *) &g_kernel_hooks_114;
+ num_hooks = sizeof(g_kernel_hooks_114) / sizeof(struct hook);
+ break;
+ case 0x2000000:
+ hooks = (struct hook *) &g_kernel_hooks_200;
+ num_hooks = sizeof(g_kernel_hooks_200) / sizeof(struct hook);
+ break;
+ case 0x2200000:
+ hooks = (struct hook *) &g_kernel_hooks_220;
+ num_hooks = sizeof(g_kernel_hooks_220) / sizeof(struct hook);
+ break;
+ case 0x2250000:
+ hooks = (struct hook *) &g_kernel_hooks_225;
+ num_hooks = sizeof(g_kernel_hooks_225) / sizeof(struct hook);
+ break;
+ case 0x2260000:
+ hooks = (struct hook *) &g_kernel_hooks_226;
+ num_hooks = sizeof(g_kernel_hooks_226) / sizeof(struct hook);
+ break;
+ case 0x2300000:
+ hooks = (struct hook *) &g_kernel_hooks_230;
+ num_hooks = sizeof(g_kernel_hooks_230) / sizeof(struct hook);
+ break;
 case 0x2500000:
 hooks = (struct hook *) &g_kernel_hooks_250;
 num_hooks = sizeof(g_kernel_hooks_250) / sizeof(struct hook);
From c33cd45a3ea220d5d651149920645c7dddfe9d01 Mon Sep 17 00:00:00 2001
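Review bot: Each of the ten new `case` labels repeats the same cast, `sizeof` division and `break`, and the cast `(struct hook *) &g_kernel_hooks_110` takes the address of the whole array (type `struct hook (*)[N]`) and forces it to an element pointer, so a wrong or non-array name would still compile. A version-keyed table, one row per firmware such as `{ 0x1100000, g_kernel_hooks_110, sizeof g_kernel_hooks_110 / sizeof *g_kernel_hooks_110 }`, searched by a single loop, would replace the `switch` and make adding a firmware a one-line change; the identical `switch` added to apply_kernel_patches in src/patching.cpp has the same shape and would take the same treatment. find_hook begins and ends outside this hunk, so the `default` path for an unrecognised firmware version is not visible here; it should be confirmed to leave `hooks` NULL and `num_hooks` zero rather than fall through with whatever the locals held before.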
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Sat, 26 Oct 2024 10:16:01 -0600 Subject: [PATCH 03/24] Added Patch Offsets For Byepervisor Thanks To @BestPig And @zecoxao For Help --- include/patches/1_10.h | 160 ++++++++++++++++++++++++++++++++++++++++ include/patches/1_11.h | 160 ++++++++++++++++++++++++++++++++++++++++ include/patches/1_12.h | 160 ++++++++++++++++++++++++++++++++++++++++ include/patches/1_13.h | 160 ++++++++++++++++++++++++++++++++++++++++ include/patches/1_14.h | 160 ++++++++++++++++++++++++++++++++++++++++ include/patches/2_00.h | 161 ++++++++++++++++++++++++++++++++++++++++ include/patches/2_20.h | 160 ++++++++++++++++++++++++++++++++++++++++ include/patches/2_25.h | 163 +++++++++++++++++++++++++++++++++++++++++ include/patches/2_26.h | 162 ++++++++++++++++++++++++++++++++++++++++ include/patches/2_30.h | 161 ++++++++++++++++++++++++++++++++++++++++ src/patching.cpp | 50 +++++++++++++ 11 files changed, 1657 insertions(+) create mode 100644 include/patches/1_10.h create mode 100644 include/patches/1_11.h create mode 100644 include/patches/1_12.h create mode 100644 include/patches/1_13.h create mode 100644 include/patches/1_14.h create mode 100644 include/patches/2_00.h create mode 100644 include/patches/2_20.h create mode 100644 include/patches/2_25.h create mode 100644 include/patches/2_26.h create mode 100644 include/patches/2_30.h diff --git a/include/patches/1_10.h b/include/patches/1_10.h new file mode 100644 index 0000000..6642d62 --- /dev/null +++ b/include/patches/1_10.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_10_H +#define PATCHES_1_10_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_110[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9079BB + }, +}; + +struct patch g_kernel_patches_110[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9C60, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9C70, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981919, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458C50, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7222F0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x405656, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722960, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722E50, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722A00, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722B50, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722CD0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722F00, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722FC0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723080, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723150, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723220, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x723300, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D6DE, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D70B, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_10_H \ No newline at end of file 
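Review bot: Two of the assembly comments do not match the bytes they annotate: the `sys_getgid()` comment reads `mov qword ptr [rdi + 0x408], ;` with the immediate missing (the bytes `\xEE\xFF\xC0\x00` encode 0x00C0FFEE, which patches/2_30.h's copy of the same comment spells out as `0xc0ffee`), and the `cfi_check_fail()` entry is commented `// xor eax, eax; ret` although its patch is the single byte `\xC3`, i.e. `ret` alone. These comments are the only record of what each byte string does, so they should read `mov qword ptr [rdi + 0x408], 0xc0ffee;` and `// ret` respectively. The same two comments are copied into patches/1_11.h through 2_30.h (2_30.h has the immediate but still carries the `xor eax, eax; ret` text). The fifteen `panic patch N` entries carry no comment at all; a one-line note per entry naming the function each offset points at, as the other entries have, would let a later firmware port be checked against a disassembly instead of trusted blindly.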
diff --git a/include/patches/1_11.h b/include/patches/1_11.h
new file mode 100644
index 0000000..9a438ff
--- /dev/null
+++ b/include/patches/1_11.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_11_H +#define PATCHES_1_11_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_111[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x907b0b + }, +}; + +struct patch g_kernel_patches_111[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9C80, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9C90, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981A69, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D10, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7223E0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40565B, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722A50, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722F40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722AF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722C40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722DC0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722FF0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x7230B0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723170, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723240, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723310, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x7233F0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D7CE, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D7FB, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_11_H \ No newline at end of file 
diff --git a/include/patches/1_12.h b/include/patches/1_12.h
new file mode 100644
index 0000000..5247444
--- /dev/null
+++ b/include/patches/1_12.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_12_H +#define PATCHES_1_12_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_112[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x907c5b + }, +}; + +struct patch g_kernel_patches_112[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9CF0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9D00, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981BB9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x722530, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x4056BB, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722BA0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x723090, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722C40, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722D90, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722F10, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x723140, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x723200, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x7232C0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723390, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723460, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x723540, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D91E, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D94B, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_12_H \ No newline at end of file 
diff --git a/include/patches/1_13.h b/include/patches/1_13.h
new file mode 100644
index 0000000..091bbbf
--- /dev/null
+++ b/include/patches/1_13.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_13_H +#define PATCHES_1_13_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_113[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x907c2b + }, +}; + +struct patch g_kernel_patches_113[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9CF0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9D00, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981B89, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7224E0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x4056B6, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722B50, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x723040, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722BF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722D40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722EC0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x7230F0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x7231B0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723270, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723340, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723410, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x7234F0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D8CE, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D8FB, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_13_H \ No newline at end of file 
diff --git a/include/patches/1_14.h b/include/patches/1_14.h
new file mode 100644
index 0000000..17de7dc
--- /dev/null
+++ b/include/patches/1_14.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_14_H +#define PATCHES_1_14_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_114[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9081db + }, +}; + +struct patch g_kernel_patches_114[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2F1810, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5A9D10, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5A9D20, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x982139, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458D70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40B0DA0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x722550, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x4056BB, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722BC0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x7230B0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722C60, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722DB0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722F30, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x723160, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x723220, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x7232E0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x7233B0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723480, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x723560, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D93E, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D96B, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_14_H \ No newline at end of file 
diff --git a/include/patches/2_00.h b/include/patches/2_00.h
new file mode 100644
index 0000000..552af43
--- /dev/null
+++ b/include/patches/2_00.h
@@ -0,0 +1,161 @@ +#ifndef PATCHES_2_00_H +#define PATCHES_2_00_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_200[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x92976b + }, +}; + +struct patch g_kernel_patches_200[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69B0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580860, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580870, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A5F49, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FC60, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71DEE0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C79D6, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71E730, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71E7D0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71E880, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71E9D0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71EB50, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71ECD0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71ED90, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71EE50, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71EF20, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71EFF0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F0D0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71889A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x7188C7, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + +#endif // PATCHES_2_00_H \ No newline at end of file 
diff --git a/include/patches/2_20.h b/include/patches/2_20.h
new file mode 100644
index 0000000..2aae0a5
--- /dev/null
+++ b/include/patches/2_20.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_2_20_H +#define PATCHES_2_20_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_220[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929c2b + }, +}; + +struct patch g_kernel_patches_220[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69F0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5809D0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5809E0, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A6409, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FCB0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0xDEADBEEF, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E3A0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7A26, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71EBF0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71EC90, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71ED40, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71EE90, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F010, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F190, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F250, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F310, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F3E0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F4B0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F590, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x718D5A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x718D87, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_2_20_H \ No newline at end of file 
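Review bot: The `sysveri flag` entry is given the offset `0xDEADBEEF`, a placeholder rather than a resolved address — every other firmware in this series uses 0x40B0DA0 or 0x411CD70 — yet nothing in the table marks it as unresolved, so apply_kernel_patches will presumably write its `\x00` at kernel base + 0xDEADBEEF on 2.20 like any other entry, into whatever happens to live there. Until the 2.20 offset is confirmed the entry should be dropped, or commented out with `// TODO: sysveri flag offset for 2.20 unresolved; entry disabled until verified`, and the applier would be safer refusing any entry whose offset is an obvious sentinel or lies outside the kernel image. The patch application loop is in src/patching.cpp, outside this hunk, so whether it validates offsets at all cannot be confirmed here.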
diff --git a/include/patches/2_25.h b/include/patches/2_25.h
new file mode 100644
index 0000000..c5ae405
--- /dev/null
+++ b/include/patches/2_25.h
@@ -0,0 +1,163 @@ +#ifndef PATCHES_2_25_H +#define PATCHES_2_25_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_225[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929cdb + }, +}; + +struct patch g_kernel_patches_225[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69F0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580A80, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580A90, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A64B9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FCB0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E450, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7A26, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71ECA0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71ED40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71EDF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71EF40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F0C0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F240, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F300, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F3C0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F490, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F560, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F640, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x718E0A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x718E37, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + + + +#endif // PATCHES_2_25_H \ No newline at end of file 
diff --git a/include/patches/2_26.h b/include/patches/2_26.h
new file mode 100644
index 0000000..a2f0dd7
--- /dev/null
+++ b/include/patches/2_26.h
@@ -0,0 +1,162 @@ +#ifndef PATCHES_2_26_H +#define PATCHES_2_26_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_226[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929d0b + }, +}; + +struct patch g_kernel_patches_226[] = { + { + /* + mov qword ptr [rdi + 0x408], ; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A69F0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580A80, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580A90, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A64E9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FCB0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E450, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7A26, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71ECA0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71ED40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71EDF0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71EF40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F0C0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F240, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F300, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F3C0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F490, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F560, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F640, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x718E0A, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x718E37, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + + +#endif // PATCHES_2_26_H \ No newline at end of file 
diff --git a/include/patches/2_30.h b/include/patches/2_30.h
new file mode 100644
index 0000000..e157b42
--- /dev/null
+++ b/include/patches/2_30.h
@@ -0,0 +1,161 @@ +#ifndef PATCHES_2_30_H +#define PATCHES_2_30_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_230[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x929fdb + }, +}; + +struct patch g_kernel_patches_230[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2A66D0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x580D50, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x580D60, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9A67B9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x41FB70, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x411CD70, + "\x00", + 1 + }, + { + "panic patch 1", + 0x71E720, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x3C7726, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x71EF70, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x71F010, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x71F0C0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x71F210, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x71F390, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x71F510, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x71F5D0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x71F690, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x71F760, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x71F830, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x71F910, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x7190DA, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x719107, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + + +#endif // PATCHES_2_30_H \ No newline at end of file 
diff --git a/src/patching.cpp b/src/patching.cpp index 7f6af28..04e2ac3 100644 --- a/src/patching.cpp +++ b/src/patching.cpp @@ -15,6 +15,16 @@ extern "C" #include "patching.h" #include "patches/1_05.h" +#include "patches/1_10.h" +#include "patches/1_11.h" +#include "patches/1_12.h" +#include "patches/1_13.h" +#include "patches/1_14.h" +#include "patches/2_00.h" +#include "patches/2_20.h" +#include "patches/2_25.h" +#include "patches/2_26.h" +#include "patches/2_30.h" #include "patches/2_50.h" int apply_kernel_patches() 
@@ -36,6 +46,46 @@ int apply_kernel_patches()
 patches = (struct patch *) &g_kernel_patches_105;
 num_patches = sizeof(g_kernel_patches_105) / sizeof(struct patch);
 break;
+ case 0x1100000:
+ patches = (struct patch *) &g_kernel_patches_110;
+ num_patches = sizeof(g_kernel_patches_110) / sizeof(struct patch);
+ break;
+ case 0x1110000:
+ patches = (struct patch *) &g_kernel_patches_111;
+ num_patches = sizeof(g_kernel_patches_111) / sizeof(struct patch);
+ break;
+ case 0x1120000:
+ patches = (struct patch *) &g_kernel_patches_112;
+ num_patches = sizeof(g_kernel_patches_112) / sizeof(struct patch);
+ break;
+ case 0x1130000:
+ patches = (struct patch *) &g_kernel_patches_113;
+ num_patches = sizeof(g_kernel_patches_113) / sizeof(struct patch);
+ break;
+ case 0x1140000:
+ patches = (struct patch *) &g_kernel_patches_114;
+ num_patches = sizeof(g_kernel_patches_114) / sizeof(struct patch);
+ break;
+ case 0x2000000:
+ patches = (struct patch *) &g_kernel_patches_200;
+ num_patches = sizeof(g_kernel_patches_200) / sizeof(struct patch);
+ break;
+ case 0x2200000:
+ patches = (struct patch *) &g_kernel_patches_220;
+ num_patches = sizeof(g_kernel_patches_220) / sizeof(struct patch);
+ break;
+ case 0x2250000:
+ patches = (struct patch *) &g_kernel_patches_225;
+ num_patches = sizeof(g_kernel_patches_225) / sizeof(struct patch);
+ break;
+ case 0x2260000:
+ patches = (struct patch *) &g_kernel_patches_226;
+ num_patches = sizeof(g_kernel_patches_226) / sizeof(struct patch);
+ break;
+ case 0x2300000:
+ patches = (struct patch *) &g_kernel_patches_230;
+ num_patches = sizeof(g_kernel_patches_230) / sizeof(struct patch);
+ break;
 case 0x2500000:
 patches = (struct patch *) &g_kernel_patches_250;
 num_patches = sizeof(g_kernel_patches_250) / sizeof(struct patch);
From d839c14619699609ef8ec5e68d8220501a79f446 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Sat, 26 Oct 2024 11:42:42 -0600 Subject: [PATCH 04/24] Added Kernel Offsets For Byepervisor Thanks To @BestPig And @zecoxao For Help --- include/offsets/1_10.h | 23 +++++++++++++++++++++++ include/offsets/1_11.h | 23 +++++++++++++++++++++++ include/offsets/1_12.h | 23 +++++++++++++++++++++++ include/offsets/1_13.h | 23 +++++++++++++++++++++++ include/offsets/1_14.h | 23 +++++++++++++++++++++++ include/offsets/2_00.h | 23 +++++++++++++++++++++++ include/offsets/2_20.h | 23 +++++++++++++++++++++++ include/offsets/2_25.h | 23 +++++++++++++++++++++++ include/offsets/2_26.h | 23 +++++++++++++++++++++++ include/offsets/2_30.h | 23 +++++++++++++++++++++++ src/kdlsym.cpp | 22 +++++++++++++++++++++- 11 files changed, 251 insertions(+), 1 deletion(-) create mode 100644 include/offsets/1_10.h create mode 100644 include/offsets/1_11.h create mode 100644 include/offsets/1_12.h create mode 100644 include/offsets/1_13.h create mode 100644 include/offsets/1_14.h create mode 100644 include/offsets/2_00.h create mode 100644 include/offsets/2_20.h create mode 100644 include/offsets/2_25.h create mode 100644 include/offsets/2_26.h create mode 100644 include/offsets/2_30.h diff --git a/include/offsets/1_10.h b/include/offsets/1_10.h new file mode 100644 index 0000000..78b5fa2 --- /dev/null +++ b/include/offsets/1_10.h 
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_110[] = {
+ 0x05A9C60, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9C70, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981919, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_10_H
\ No newline at end of file
diff --git a/include/offsets/1_11.h b/include/offsets/1_11.h
new file mode 100644
index 0000000..a1e5383
--- /dev/null
+++ b/include/offsets/1_11.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_113[] = {
+ 0x05A9C80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9C90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981A69, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_13_H
\ No newline at end of file
diff --git a/include/offsets/1_12.h b/include/offsets/1_12.h
new file mode 100644
index 0000000..144f14f
--- /dev/null
+++ b/include/offsets/1_12.h
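Review bot: The new headers define writable, externally visible tables (`uint64_t g_sym_map_110[] = {`), so every translation unit that includes one emits its own definition and the kernel offsets live in mutable data; `static const uint64_t g_sym_map_110[] = {` (likewise for g_patch_map_110) would keep the values in read-only storage and avoid duplicate-symbol link errors should a second file ever include the header, assuming nothing references them through an extern declaration elsewhere, which is not visible here. The same applies to 1_12.h through 2_30.h in this commit and to the _old_jump_table_exploit offsets headers in patch 07. The headers also use `uint64_t` without including `<stdint.h>`, so they only compile when the includer has already pulled it in; a `#include <stdint.h>` after the guard would make each one self-contained.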
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_113[] = {
+ 0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981BB9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_13_H
\ No newline at end of file
diff --git a/include/offsets/1_13.h b/include/offsets/1_13.h
new file mode 100644
index 0000000..968820c
--- /dev/null
+++ b/include/offsets/1_13.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_113[] = {
+ 0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981B89, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_13_H
\ No newline at end of file
diff --git a/include/offsets/1_14.h b/include/offsets/1_14.h
new file mode 100644
index 0000000..b7e5e70
--- /dev/null
+++ b/include/offsets/1_14.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+ 0x4ADF5B0, // KERNEL_SYM_DMPML4I
+ 0x4ADF5B4, // KERNEL_SYM_DMPDPI
+ 0x4ADF30C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA2690, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA890, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_114[] = {
+ 0x05A9D10, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9D20, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0982139, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F1810, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_14_H
\ No newline at end of file
diff --git a/include/offsets/2_00.h b/include/offsets/2_00.h
new file mode 100644
index 0000000..bcab877
--- /dev/null
+++ b/include/offsets/2_00.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_00_H
+#define OFFSETS_2_00_H
+
+uint64_t g_sym_map_200[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE4F0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6D10, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_200[] = {
+ 0x0580860, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580870, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A6F49, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69B0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_00_H
\ No newline at end of file
diff --git a/include/offsets/2_20.h b/include/offsets/2_20.h
new file mode 100644
index 0000000..518038b
--- /dev/null
+++ b/include/offsets/2_20.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_220[] = {
+ 0x05809D0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05809E0, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A6409, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69F0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_20_H
\ No newline at end of file
diff --git a/include/offsets/2_25.h b/include/offsets/2_25.h
new file mode 100644
index 0000000..d850720
--- /dev/null
+++ b/include/offsets/2_25.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_225[] = {
+ 0x0580A80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580A90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A64B9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69F0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_25_H
\ No newline at end of file
diff --git a/include/offsets/2_26.h b/include/offsets/2_26.h
new file mode 100644
index 0000000..59f7523
--- /dev/null
+++ b/include/offsets/2_26.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_26_H
+#define OFFSETS_2_26_H
+
+uint64_t g_sym_map_226[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_226[] = {
+ 0x0580A80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580A90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A64E9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A69F0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_26_H
\ No newline at end of file
diff --git a/include/offsets/2_30.h b/include/offsets/2_30.h
new file mode 100644
index 0000000..effa877
--- /dev/null
+++ b/include/offsets/2_30.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_2_30_H
+#define OFFSETS_2_30_H
+
+uint64_t g_sym_map_230[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CDE5C0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CE6DE0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_230[] = {
+ 0x0580D50, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x0580D60, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09A67B9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02A66D0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_2_30_H
\ No newline at end of file
diff --git a/src/kdlsym.cpp b/src/kdlsym.cpp
index f3f2595..4be5c13 100644
--- a/src/kdlsym.cpp
+++ b/src/kdlsym.cpp
@@ -9,6 +9,16 @@ extern "C"
 #include "kdlsym.h"
 #include "offsets/1_05.h"
+#include "offsets/1_10.h"
+#include "offsets/1_11.h"
+#include "offsets/1_12.h"
+#include "offsets/1_13.h"
+#include "offsets/1_14.h"
+#include "offsets/2_00.h"
+#include "offsets/2_20.h"
+#include "offsets/2_25.h"
+#include "offsets/2_26.h"
+#include "offsets/2_30.h"
 #include "offsets/2_50.h"
 uint64_t g_fw_version;
@@ -65,17 +75,27 @@ uint64_t kdlsym(ksym_t sym)
 case 0x1000000:
 case 0x1020000:
 case 0x1050000:
+ return g_kernel_base + g_sym_map_105[sym];
 case 0x1100000:
+ return g_kernel_base + g_sym_map_110[sym];
 case 0x1110000:
+ return g_kernel_base + g_sym_map_111[sym];
 case 0x1120000:
+ return g_kernel_base + g_sym_map_112[sym];
 case 0x1130000:
+ return g_kernel_base + g_sym_map_113[sym];
 case 0x1140000:
- return g_kernel_base + g_sym_map_105[sym];
+ return g_kernel_base + g_sym_map_114[sym];
 case 0x2000000:
+ return g_kernel_base + g_sym_map_200[sym];
 case 0x2200000:
+ return g_kernel_base + g_sym_map_220[sym];
 case 0x2250000:
+ return g_kernel_base + g_sym_map_225[sym];
 case 0x2260000:
+ return g_kernel_base + g_sym_map_226[sym];
 case 0x2300000:
+ return g_kernel_base + g_sym_map_230[sym];
 case 0x2500000:
 return g_kernel_base + g_sym_map_250[sym];
 }
From f736a1af754dcd681986ebf0b5e503e0737bda9f Mon Sep 17 00:00:00 2001 From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Sat, 26 Oct 2024 11:54:33 -0600 Subject: [PATCH 05/24] Small Building Error Should Build Now
--- hen/include/hooks/1_10.h | 2 +- include/offsets/1_11.h | 10 +++++----- include/offsets/1_12.h | 10 +++++----- 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/hen/include/hooks/1_10.h b/hen/include/hooks/1_10.h
index 9eb5dfd..1669375 100644
--- a/hen/include/hooks/1_10.h
+++ b/hen/include/hooks/1_10.h
@@ -7,7 +7,7 @@ struct hook g_kernel_hooks_110[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
 0x44000,
- 9079BB
+ 0x9079BB
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
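Review bot: Every new `return g_kernel_base + g_sym_map_110[sym];` indexes a hand-sized table with `sym` and nothing ties the table length to the ksym_t enumeration; the tables added in this commit hold nine entries, so any ksym_t value at or beyond that reads past the array and yields a bogus kernel address that is then used as if it were valid. A compile-time check next to each table, e.g. `static_assert(sizeof(g_sym_map_110) / sizeof(g_sym_map_110[0]) == <number of ksym_t values>, "g_sym_map_110 out of step with ksym_t");`, would catch a table that lags behind the enum (ksym_t is declared in kdlsym.h, not in the hunk, so whether it already has a count enumerator to use here is not visible). The fallthrough that still routes 1.00 and 1.02 to g_sym_map_105 predates this commit, but now that every other version has its own table a one-line comment stating that the 1.05 offsets are known to hold for 1.00/1.02 would stop a reader from taking it for an omission. kdlsym's body continues outside the hunk.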
diff --git a/include/offsets/1_11.h b/include/offsets/1_11.h index a1e5383..caed3e5 100644 --- a/include/offsets/1_11.h +++ b/include/offsets/1_11.h @@ -1,7 +1,7 @@ -#ifndef OFFSETS_1_13_H -#define OFFSETS_1_13_H +#ifndef OFFSETS_1_11_H +#define OFFSETS_1_11_H -uint64_t g_sym_map_113[] = { +uint64_t g_sym_map_111[] = { 0x4ADF5B0, // KERNEL_SYM_DMPML4I 0x4ADF5B4, // KERNEL_SYM_DMPDPI 0x4ADF30C, // KERNEL_SYM_PML4PML4I @@ -13,11 +13,11 @@ uint64_t g_sym_map_113[] = { 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI }; -uint64_t g_patch_map_113[] = { +uint64_t g_patch_map_111[] = { 0x05A9C80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY 0x05A9C90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF 0x0981A69, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE 0x02F1810, // KERNEL_PATCH_SYS_GETGID }; -#endif // OFFSETS_1_13_H \ No newline at end of file +#endif // OFFSETS_1_11_H \ No newline at end of file diff --git a/include/offsets/1_12.h b/include/offsets/1_12.h index 144f14f..c4e9008 100644 --- a/include/offsets/1_12.h +++ b/include/offsets/1_12.h @@ -1,7 +1,7 @@ -#ifndef OFFSETS_1_13_H -#define OFFSETS_1_13_H +#ifndef OFFSETS_1_12_H +#define OFFSETS_1_12_H -uint64_t g_sym_map_113[] = { +uint64_t g_sym_map_112[] = { 0x4ADF5B0, // KERNEL_SYM_DMPML4I 0x4ADF5B4, // KERNEL_SYM_DMPDPI 0x4ADF30C, // KERNEL_SYM_PML4PML4I @@ -13,11 +13,11 @@ uint64_t g_sym_map_113[] = { 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI }; -uint64_t g_patch_map_113[] = { +uint64_t g_patch_map_112[] = { 0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY 0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF 0x0981BB9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE 0x02F1810, // KERNEL_PATCH_SYS_GETGID }; -#endif // OFFSETS_1_13_H \ No newline at end of file +#endif // OFFSETS_1_12_H \ No newline at end of file From 96ddcf3682d71c2e1ea69008e29e04f9d00cd8b2 Mon Sep 17 00:00:00 2001 
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Sat, 26 Oct 2024 17:25:04 -0600 Subject: [PATCH 06/24] Added Shellcore Offsets For Some Hen Fw Thanks To @BestPig , @zecoxao And Anonymous Friend For Help --- hen/include/shellcore_patches/1_12.h | 152 +++++++++++++++++++++++++++ hen/include/shellcore_patches/1_14.h | 152 +++++++++++++++++++++++++++ hen/include/shellcore_patches/2_00.h | 152 +++++++++++++++++++++++++++ hen/include/shellcore_patches/2_20.h | 152 +++++++++++++++++++++++++++ hen/include/shellcore_patches/2_25.h | 152 +++++++++++++++++++++++++++ hen/include/shellcore_patches/2_26.h | 152 +++++++++++++++++++++++++++ hen/include/shellcore_patches/2_30.h | 152 +++++++++++++++++++++++++++ hen/src/patch_shellcore.cpp | 35 ++++++ include/patches/1_10.h | 2 +- include/patches/1_11.h | 2 +- include/patches/1_12.h | 2 +- include/patches/1_13.h | 2 +- include/patches/1_14.h | 2 +- include/patches/2_00.h | 2 +- include/patches/2_20.h | 2 +- include/patches/2_25.h | 2 +- include/patches/2_26.h | 2 +- 17 files changed, 1108 insertions(+), 9 deletions(-) create mode 100644 hen/include/shellcore_patches/1_12.h create mode 100644 hen/include/shellcore_patches/1_14.h create mode 100644 hen/include/shellcore_patches/2_00.h create mode 100644 hen/include/shellcore_patches/2_20.h create mode 100644 hen/include/shellcore_patches/2_25.h create mode 100644 hen/include/shellcore_patches/2_26.h create mode 100644 hen/include/shellcore_patches/2_30.h diff --git a/hen/include/shellcore_patches/1_12.h b/hen/include/shellcore_patches/1_12.h new file mode 100644 index 0000000..68bd91d --- /dev/null +++ b/hen/include/shellcore_patches/1_12.h 
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_1_12 +#define SHELLCORE_PATCHES_1_12 + +#include "common.h" + +struct patch g_shellcore_patches_112[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E69E3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A2F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A9B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91D9B3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91D9FF, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DA6B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9A9E42, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB70F13, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB70F5F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB70FCB, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42F411, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11E9EEE, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371547, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371582, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371911, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47B3C0, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_1_12 diff --git a/hen/include/shellcore_patches/1_14.h b/hen/include/shellcore_patches/1_14.h new file mode 100644 index 0000000..b59ffa1 --- /dev/null +++ b/hen/include/shellcore_patches/1_14.h 
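Review bot: Each entry's byte count is typed by hand beside its literal (`"\x31\xC0\x90\x90\x90", 5`, `"\x90\xE9", 2`, `"\x66\x72\x65\x65", 4`), so a future entry whose literal and count disagree would silently write too few bytes or copy past the end of the string; deriving the count from the literal removes that class of typo, e.g. a helper in common.h such as `#define PATCH_BYTES(s) (s), (sizeof(s) - 1)` used as `0x1E69E3, PATCH_BYTES("\x31\xC0\x90\x90\x90")` (assuming the third field of struct patch is the length, which common.h is not in the hunk to confirm). The same layout is repeated in the 1_14 through 2_30 tables in the following hunks. The comments describe the bytes written for most entries but name the target for `longjmp` and `strfree`; a consistent one-line comment per entry saying which site is patched and why would make the tables reviewable without a disassembler.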
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_1_14 +#define SHELLCORE_PATCHES_1_14 + +#include "common.h" + +struct patch g_shellcore_patches_114[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E69E3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A2F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1E6A9B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DC83, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DCCF, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91DD3B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9AA102, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB711D3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB7121F, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xB7128B, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42F511, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11E9741, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371547, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371582, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371911, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47B5C0, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_1_14 diff --git a/hen/include/shellcore_patches/2_00.h b/hen/include/shellcore_patches/2_00.h new file mode 100644 index 0000000..c20fc58 --- /dev/null +++ b/hen/include/shellcore_patches/2_00.h 
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_2_00 +#define SHELLCORE_PATCHES_2_00 + +#include "common.h" + +struct patch g_shellcore_patches_200[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E513, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E55C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E5CC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4433, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D447C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D44EC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA62A32, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC61D13, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC61D5C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC61DCC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49C0D1, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x136DE1C, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3764, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D379F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3B2E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E7020, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_2_00 diff --git a/hen/include/shellcore_patches/2_20.h b/hen/include/shellcore_patches/2_20.h new file mode 100644 index 0000000..35c860a --- /dev/null +++ b/hen/include/shellcore_patches/2_20.h 
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_2_20 +#define SHELLCORE_PATCHES_2_20 + +#include "common.h" + +struct patch g_shellcore_patches_220[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E7B3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E7FC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21E86C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4783, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D47CC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D483C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA62D92, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC62073, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC620BC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC6212C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49C421, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x1371F7E, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3A34, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3A6F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3DFE, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E7370, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_2_20 diff --git a/hen/include/shellcore_patches/2_25.h b/hen/include/shellcore_patches/2_25.h new file mode 100644 index 0000000..6e9c331 --- /dev/null +++ b/hen/include/shellcore_patches/2_25.h 
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_2_25 +#define SHELLCORE_PATCHES_2_25 + +#include "common.h" + +struct patch g_shellcore_patches_225[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21ED03, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21ED4C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x21EDBC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4CD3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4D1C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D4D8C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA632D2, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC625B3, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC625FC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC6266C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49C971, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x1371C5F, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3F84, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D3FBF, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D434E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E78C0, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_2_25 diff --git a/hen/include/shellcore_patches/2_26.h b/hen/include/shellcore_patches/2_26.h new file mode 100644 index 0000000..4e71fd9 --- /dev/null +++ b/hen/include/shellcore_patches/2_26.h 
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_2_26 +#define SHELLCORE_PATCHES_2_26 + +#include "common.h" + +struct patch g_shellcore_patches_226[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x220473, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x2204BC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x22052C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D6483, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D64CC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D653C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA64A92, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC63D73, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC63DBC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC63E2C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49E121, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x13724D4, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D56F4, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D572F, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D5ABE, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E9070, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_2_26 diff --git a/hen/include/shellcore_patches/2_30.h b/hen/include/shellcore_patches/2_30.h new file mode 100644 index 0000000..9cc3e81 --- /dev/null +++ b/hen/include/shellcore_patches/2_30.h 
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_2_30 +#define SHELLCORE_PATCHES_2_30 + +#include "common.h" + +struct patch g_shellcore_patches_230[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x220623, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x22066C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x2206DC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D7043, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D708C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9D70FC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xA65652, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC64933, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC6497C, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xC649EC, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x49E8C1, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x1371BFD, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D5E94, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D5ECF, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x3D625E, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x4E9890, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_2_30 diff --git a/hen/src/patch_shellcore.cpp b/hen/src/patch_shellcore.cpp index bdb4866..3aa5aa0 100644 --- a/hen/src/patch_shellcore.cpp +++ b/hen/src/patch_shellcore.cpp 
@@ -7,6 +7,13 @@
 #include "patch_shellcore.h"
 #include "proc.h"
+#include "shellcore_patches/1_12.h"
+#include "shellcore_patches/1_14.h"
+#include "shellcore_patches/2_00.h"
+#include "shellcore_patches/2_20.h"
+#include "shellcore_patches/2_25.h"
+#include "shellcore_patches/2_26.h"
+#include "shellcore_patches/2_30.h"
 #include "shellcore_patches/2_50.h"
 /**
@@ -161,6 +168,34 @@ void apply_shellcore_patches()
 printf("apply_shellcore_patches: fw_ver = 0x%lx\n", fw_ver);
 switch (fw_ver) {
+ case 0x1120000:
+ patches = (struct patch *) &g_shellcore_patches_112;
+ num_patches = sizeof(g_shellcore_patches_112) / sizeof(struct patch);
+ break;
+ case 0x1140000:
+ patches = (struct patch *) &g_shellcore_patches_114;
+ num_patches = sizeof(g_shellcore_patches_114) / sizeof(struct patch);
+ break;
+ case 0x2000000:
+ patches = (struct patch *) &g_shellcore_patches_200;
+ num_patches = sizeof(g_shellcore_patches_200) / sizeof(struct patch);
+ break;
+ case 0x2200000:
+ patches = (struct patch *) &g_shellcore_patches_220;
+ num_patches = sizeof(g_shellcore_patches_220) / sizeof(struct patch);
+ break;
+ case 0x2250000:
+ patches = (struct patch *) &g_shellcore_patches_225;
+ num_patches = sizeof(g_shellcore_patches_225) / sizeof(struct patch);
+ break;
+ case 0x2260000:
+ patches = (struct patch *) &g_shellcore_patches_226;
+ num_patches = sizeof(g_shellcore_patches_226) / sizeof(struct patch);
+ break;
+ case 0x2300000:
+ patches = (struct patch *) &g_shellcore_patches_230;
+ num_patches = sizeof(g_shellcore_patches_230) / sizeof(struct patch);
+ break;
 case 0x2500000:
 patches = (struct patch *) &g_shellcore_patches_250;
 num_patches = sizeof(g_shellcore_patches_250) / sizeof(struct patch);
diff --git a/include/patches/1_10.h b/include/patches/1_10.h
index 6642d62..637f849 100644
--- a/include/patches/1_10.h
+++ b/include/patches/1_10.h
@@ -15,7 +15,7 @@ struct hook g_kernel_hooks_110[] = { struct patch g_kernel_patches_110[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/1_11.h b/include/patches/1_11.h index 9a438ff..9b07377 100644 --- a/include/patches/1_11.h +++ b/include/patches/1_11.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_111[] = { struct patch g_kernel_patches_111[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/1_12.h b/include/patches/1_12.h index 5247444..797aa51 100644 --- a/include/patches/1_12.h +++ b/include/patches/1_12.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_112[] = { struct patch g_kernel_patches_112[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/1_13.h b/include/patches/1_13.h index 091bbbf..e2609d1 100644 --- a/include/patches/1_13.h +++ b/include/patches/1_13.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_113[] = { struct patch g_kernel_patches_113[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/1_14.h b/include/patches/1_14.h index 17de7dc..98adb57 100644 --- a/include/patches/1_14.h +++ b/include/patches/1_14.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_114[] = { struct patch g_kernel_patches_114[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/2_00.h b/include/patches/2_00.h index 552af43..d2af1db 100644 --- a/include/patches/2_00.h +++ b/include/patches/2_00.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_200[] = { struct patch g_kernel_patches_200[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ 
diff --git a/include/patches/2_20.h b/include/patches/2_20.h index 2aae0a5..0fdb67f 100644 --- a/include/patches/2_20.h +++ b/include/patches/2_20.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_220[] = { struct patch g_kernel_patches_220[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/2_25.h b/include/patches/2_25.h index c5ae405..45b91ff 100644 --- a/include/patches/2_25.h +++ b/include/patches/2_25.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_225[] = { struct patch g_kernel_patches_225[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ diff --git a/include/patches/2_26.h b/include/patches/2_26.h index a2f0dd7..52b2ffd 100644 --- a/include/patches/2_26.h +++ b/include/patches/2_26.h @@ -15,7 +15,7 @@ struct hook g_kernel_hooks_226[] = { struct patch g_kernel_patches_226[] = { { /* - mov qword ptr [rdi + 0x408], ; + mov qword ptr [rdi + 0x408], 0xc0ffee; xor eax, eax; ret */ From 2a37768c27ab10728310d68755cc3e06986d3948 Mon Sep 17 00:00:00 2001 
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Sun, 27 Oct 2024 09:52:58 -0600 Subject: [PATCH 07/24] Added More Fw Offsets For _old_jump_table_exploit Thanks @BestPig And @zecoxao For The Help --- .../include/offsets/1_10.h | 37 ++++++++++++ .../include/offsets/1_11.h | 37 ++++++++++++ .../include/offsets/1_12.h | 37 ++++++++++++ .../include/offsets/1_13.h | 37 ++++++++++++ .../include/offsets/1_14.h | 37 ++++++++++++ .../include/offsets/2_20.h | 37 ++++++++++++ .../include/offsets/2_25.h | 37 ++++++++++++ .../include/offsets/2_26.h | 37 ++++++++++++ .../include/offsets/2_30.h | 37 ++++++++++++ _old_jump_table_exploit/src/kdlsym.c | 60 ++++++++++++++++++- 10 files changed, 392 insertions(+), 1 deletion(-) create mode 100644 _old_jump_table_exploit/include/offsets/1_10.h create mode 100644 _old_jump_table_exploit/include/offsets/1_11.h create mode 100644 _old_jump_table_exploit/include/offsets/1_12.h create mode 100644 _old_jump_table_exploit/include/offsets/1_13.h create mode 100644 _old_jump_table_exploit/include/offsets/1_14.h create mode 100644 _old_jump_table_exploit/include/offsets/2_20.h create mode 100644 _old_jump_table_exploit/include/offsets/2_25.h create mode 100644 _old_jump_table_exploit/include/offsets/2_26.h create mode 100644 _old_jump_table_exploit/include/offsets/2_30.h diff --git a/_old_jump_table_exploit/include/offsets/1_10.h b/_old_jump_table_exploit/include/offsets/1_10.h new file mode 100644 index 0000000..e693fef --- /dev/null +++ b/_old_jump_table_exploit/include/offsets/1_10.h 
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb98, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_110[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa9160, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa97d1, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x8232f6, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681d5b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x646f61, // KERNEL_GADGET_POP_R12
+ 0x3f2c76, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1eccc, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_10_H
diff --git a/_old_jump_table_exploit/include/offsets/1_11.h b/_old_jump_table_exploit/include/offsets/1_11.h
new file mode 100644
index 0000000..a60aa5a
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_11.h
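Review bot: `uint64_t g_sym_map_110[]` and `uint64_t g_gadget_map_110[]` are non-static, non-const definitions placed in a header, so each translation unit that includes it gets its own external definition of the same name (a second includer fails to link) and the tables remain writable at run time; `static const uint64_t g_sym_map_110[] = {` (and the same for the gadget table) keeps them file-local and in read-only data, which matters most for the kernel-resident tables under `hen/`. The mapping is purely positional: the `// KERNEL_SYM_…` comment is the only record of which enum member an entry belongs to, so a line added or moved in one table silently shifts every later symbol; in the C tree designated initializers such as `[KERNEL_SYM_DMPML4I] = 0x4adf5b0,` let the compiler enforce the index, and in the C++ `hen/` tree (where array designators are not available) a `static_assert` on the element count is the substitute. The same applies to the 1_11 through 2_30 tables in this commit and to the 1_05 offset and hook headers added in the later commits.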
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_11_H
+#define OFFSETS_1_11_H
+
+uint64_t g_sym_map_111[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_111[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa92c0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa9931, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x8356d2, // KERNEL_GADGET_POP_RDX
+ 0x13e183, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681dfb, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x647001, // KERNEL_GADGET_POP_R12
+ 0x3f2c76, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1ed9c, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_11_H
diff --git a/_old_jump_table_exploit/include/offsets/1_12.h b/_old_jump_table_exploit/include/offsets/1_12.h
new file mode 100644
index 0000000..5af508a
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_12.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_12_H
+#define OFFSETS_1_12_H
+
+uint64_t g_sym_map_112[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_112[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa9410, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa9A81, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x476842, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681f4b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x6470d1, // KERNEL_GADGET_POP_R12
+ 0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1eeec, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_12_H
diff --git a/_old_jump_table_exploit/include/offsets/1_13.h b/_old_jump_table_exploit/include/offsets/1_13.h
new file mode 100644
index 0000000..1b3180d
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_13.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_113[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa93e0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaa9a51, // KERNEL_GADGET_RETURN_ADDR
+ 0x18eab8, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x28aaaa, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681f4b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x6470d1, // KERNEL_GADGET_POP_R12
+ 0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1f7620, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1eebc, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_13_H
diff --git a/_old_jump_table_exploit/include/offsets/1_14.h b/_old_jump_table_exploit/include/offsets/1_14.h
new file mode 100644
index 0000000..d8a68c9
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/1_14.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+ 0x4adf5b0, // KERNEL_SYM_DMPML4I
+ 0x4adf5b4, // KERNEL_SYM_DMPDPI
+ 0x4adf30c, // KERNEL_SYM_PML4PML4I
+ 0x4adf328, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x23ebbd8, // KERNEL_SYM_HV_JMP_TABLE
+ 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_114[] = {
+ 0x1030eb, // KERNEL_GADGET_RET
+ 0x153232, // KERNEL_GADGET_INFLOOP
+ 0xaa9990, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xaaa001, // KERNEL_GADGET_RETURN_ADDR
+ 0x116a3d, // KERNEL_GADGET_POP_RDI
+ 0x12e72a, // KERNEL_GADGET_POP_RSI
+ 0x124952, // KERNEL_GADGET_POP_RDX
+ 0x1ab710, // KERNEL_GADGET_POP_RAX
+ 0x12d8a6, // KERNEL_GADGET_POP_RBX
+ 0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x681f6b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x6470f1, // KERNEL_GADGET_POP_R12
+ 0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x1484be, // KERNEL_GADGET_POP_RSP
+ 0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x230a20, // KERNEL_GADGET_SETJMP
+ 0x230a50, // KERNEL_GADGET_LONGJMP
+ 0xb1f46c, // KERNEL_GADGET_JOP1
+ 0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_14_H
diff --git a/_old_jump_table_exploit/include/offsets/2_20.h b/_old_jump_table_exploit/include/offsets/2_20.h
new file mode 100644
index 0000000..7e9db9b
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_20.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+ 0x4CB3B50, // KERNEL_SYM_DMPML4I
+ 0x4CB3B54, // KERNEL_SYM_DMPDPI
+ 0x4CB38AC, // KERNEL_SYM_PML4PML4I
+ 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x245B0C0, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248EBB0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_220[] = {
+ 0x103c4e, // KERNEL_GADGET_RET
+ 0x16aff2, // KERNEL_GADGET_INFLOOP
+ 0xadfb40, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae01af, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6878, // KERNEL_GADGET_POP_RDI
+ 0x125c34, // KERNEL_GADGET_POP_RSI
+ 0x1984e2, // KERNEL_GADGET_POP_RDX
+ 0x1c34d0, // KERNEL_GADGET_POP_RAX
+ 0x133166, // KERNEL_GADGET_POP_RBX
+ 0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x672937, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62cda1, // KERNEL_GADGET_POP_R12
+ 0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14acb7, // KERNEL_GADGET_POP_RSP
+ 0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2488f0, // KERNEL_GADGET_SETJMP
+ 0x248920, // KERNEL_GADGET_LONGJMP
+ 0xb5d12c, // KERNEL_GADGET_JOP1
+ 0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_20_H
diff --git a/_old_jump_table_exploit/include/offsets/2_25.h b/_old_jump_table_exploit/include/offsets/2_25.h
new file mode 100644
index 0000000..efe4766
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_25.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+ 0x4cb3b50, // KERNEL_SYM_DMPML4I
+ 0x4cb3b54, // KERNEL_SYM_DMPDPI
+ 0x4cb38ac, // KERNEL_SYM_PML4PML4I
+ 0x4cb38c8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x245b180, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_225[] = {
+ 0x103c4e, // KERNEL_GADGET_RET
+ 0x16aff2, // KERNEL_GADGET_INFLOOP
+ 0xadfbf0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae025f, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6878, // KERNEL_GADGET_POP_RDI
+ 0x167430, // KERNEL_GADGET_POP_RSI
+ 0x1984e2, // KERNEL_GADGET_POP_RDX
+ 0x1c34d0, // KERNEL_GADGET_POP_RAX
+ 0x133166, // KERNEL_GADGET_POP_RBX
+ 0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x6729e7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62ce51, // KERNEL_GADGET_POP_R12
+ 0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14acb7, // KERNEL_GADGET_POP_RSP
+ 0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2488f0, // KERNEL_GADGET_SETJMP
+ 0x248920, // KERNEL_GADGET_LONGJMP
+ 0xb5d2bc, // KERNEL_GADGET_JOP1
+ 0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_25_H
diff --git a/_old_jump_table_exploit/include/offsets/2_26.h b/_old_jump_table_exploit/include/offsets/2_26.h
new file mode 100644
index 0000000..4034f56
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_26.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_26_H
+#define OFFSETS_2_26_H
+
+uint64_t g_sym_map_226[] = {
+ 0x4cb3b50, // KERNEL_SYM_DMPML4I
+ 0x4cb3b54, // KERNEL_SYM_DMPDPI
+ 0x4cb38ac, // KERNEL_SYM_PML4PML4I
+ 0x4cb38c8, // KERNEL_SYM_PMAP_STORE
+ 0x7C40000, // KERNEL_SYM_DATA_CAVE
+ 0x245b180, // KERNEL_SYM_HV_JMP_TABLE
+ 0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_226[] = {
+ 0x103c4e, // KERNEL_GADGET_RET
+ 0x16aff2, // KERNEL_GADGET_INFLOOP
+ 0xadfc20, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+ 0xae028f, // KERNEL_GADGET_RETURN_ADDR
+ 0x1a6878, // KERNEL_GADGET_POP_RDI
+ 0x167430, // KERNEL_GADGET_POP_RSI
+ 0x1984e2, // KERNEL_GADGET_POP_RDX
+ 0x1c34d0, // KERNEL_GADGET_POP_RAX
+ 0x133166, // KERNEL_GADGET_POP_RBX
+ 0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+ 0x6729e7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+ 0x62ce51, // KERNEL_GADGET_POP_R12
+ 0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+ 0x14acb7, // KERNEL_GADGET_POP_RSP
+ 0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+ 0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+ 0x2488f0, // KERNEL_GADGET_SETJMP
+ 0x248920, // KERNEL_GADGET_LONGJMP
+ 0xb5d2ec, // KERNEL_GADGET_JOP1
+ 0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_26_H
diff --git a/_old_jump_table_exploit/include/offsets/2_30.h b/_old_jump_table_exploit/include/offsets/2_30.h
new file mode 100644
index 0000000..8ecb489
--- /dev/null
+++ b/_old_jump_table_exploit/include/offsets/2_30.h
@@ -0,0 +1,37 @@ +#ifndef OFFSETS_2_30_H +#define OFFSETS_2_30_H + +uint64_t g_sym_map_230[] = { + 0x4cb3b50, // KERNEL_SYM_DMPML4I + 0x4cb3b54, // KERNEL_SYM_DMPDPI + 0x4cb38ac, // KERNEL_SYM_PML4PML4I + 0x7C40000, // KERNEL_SYM_DATA_CAVE + 0x4cb38c8, // KERNEL_SYM_PMAP_STORE + 0x245be20, // KERNEL_SYM_HV_JMP_TABLE + 0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR +}; + +uint64_t g_gadget_map_230[] = { + 0x103f7e, // KERNEL_GADGET_RET + 0x16acb2, // KERNEL_GADGET_INFLOOP + 0xae0030, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4 + 0xae069f, // KERNEL_GADGET_RETURN_ADDR + 0x1a6538, // KERNEL_GADGET_POP_RDI + 0x13ee4e, // KERNEL_GADGET_POP_RSI + 0x33ad4d, // KERNEL_GADGET_POP_RDX + 0x1c3190, // KERNEL_GADGET_POP_RAX + 0x1325f6, // KERNEL_GADGET_POP_RBX + 0x201c59, // KERNEL_GADGET_ADD_RAX_RDX + 0x672cb7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48 + 0x62d121, // KERNEL_GADGET_POP_R12 + 0x3b27e6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI + 0x14a127, // KERNEL_GADGET_POP_RSP + 0x16b250, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX + 0x16b3f7, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0 + 0x2485b0, // KERNEL_GADGET_SETJMP + 0x2485e0, // KERNEL_GADGET_LONGJMP + 0xb5d70c, // KERNEL_GADGET_JOP1 + 0x1d894f, // KERNEL_GADGET_JOP2 +}; + +#endif // OFFSETS_2_30_H diff --git a/_old_jump_table_exploit/src/kdlsym.c b/_old_jump_table_exploit/src/kdlsym.c index 2483928..a7cf4b6 100644 --- a/_old_jump_table_exploit/src/kdlsym.c +++ b/_old_jump_table_exploit/src/kdlsym.c @@ -4,9 +4,17 @@ #include "debug_log.h" #include "kdlsym.h" +#include "offsets/1_10.h" +#include "offsets/1_11.h" +#include "offsets/1_12.h" +#include "offsets/1_13.h" +#include "offsets/1_14.h" #include "offsets/2_00.h" +#include "offsets/2_20.h" +#include "offsets/2_25.h" +#include "offsets/2_26.h" +#include "offsets/2_30.h" #include "offsets/2_50.h" - uint64_t g_fw_version; uint64_t g_kernel_base = 0; 
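Review bot: In `g_sym_map_230` the `KERNEL_SYM_DATA_CAVE` line comes before `KERNEL_SYM_PMAP_STORE`, whereas every other table in this commit lists PMAP_STORE fourth and DATA_CAVE fifth; `kdlsym()` in the kdlsym.c hunks that follow selects an entry by enum position, so unless the enum order is meant to differ for 2.30 (nothing here suggests it does) the two slots are transposed for that firmware. Swapping the two lines, or writing the table with designated initializers so that the name rather than the position selects the slot, removes the ambiguity. A comment-only scheme for positional tables is exactly the kind of thing a review should not have to catch by eye.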
@@ -17,7 +25,21 @@ void init_kdlsym() // Resolve symbols switch (g_fw_version) { + case 0x1000000: + case 0x1020000: + case 0x1050000: + case 0x1100000: + case 0x1110000: + case 0x1120000: + case 0x1130000: + case 0x1140000: + g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B40000; + break; case 0x2000000: + case 0x2200000: + case 0x2250000: + case 0x2260000: + case 0x2300000: case 0x2500000: g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B80000; break; @@ -44,8 +66,26 @@ uint64_t kdlsym(ksym_t sym) return 0; switch (g_fw_version) { + case 0x1100000: + return g_kernel_base + g_sym_map_110[sym]; + case 0x1110000: + return g_kernel_base + g_sym_map_111[sym]; + case 0x1120000: + return g_kernel_base + g_sym_map_112[sym]; + case 0x1130000: + return g_kernel_base + g_sym_map_113[sym]; + case 0x1140000: + return g_kernel_base + g_sym_map_114[sym]; case 0x2000000: return g_kernel_base + g_sym_map_200[sym]; + case 0x2200000: + return g_kernel_base + g_sym_map_220[sym]; + case 0x2250000: + return g_kernel_base + g_sym_map_225[sym]; + case 0x2260000: + return g_kernel_base + g_sym_map_226[sym]; + case 0x2300000: + return g_kernel_base + g_sym_map_230[sym]; case 0x2500000: return g_kernel_base + g_sym_map_250[sym]; } 
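Review bot: The first hunk adds `case 0x1000000:`, `case 0x1020000:` and `case 0x1050000:` to the base-address computation in `init_kdlsym`, but neither `kdlsym()` in the second hunk nor `kdlgadget()` in the next hunk has a table for those versions, so on 1.00–1.05 `g_kernel_base` is set while every lookup falls out of the switch into whatever follows the hunk (not visible here). Either drop the three cases until their tables exist or make the fall-through path log and return 0 explicitly so a missing table cannot be mistaken for a resolved address. Separately, `g_sym_map_110[sym]` is read with no check that `sym` is inside the table's 7 entries; a `_Static_assert` comparing each table's element count against the enum's last member (or a shared count constant) would reject a table shorter than the index range at compile time. The bodies of `init_kdlsym` and `kdlsym` continue outside the hunks.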
@@ -64,8 +104,26 @@ uint64_t kdlgadget(kgadget_t gadget) return 0; switch (g_fw_version) { + case 0x1100000: + return g_kernel_base + g_gadget_map_110[gadget]; + case 0x1110000: + return g_kernel_base + g_gadget_map_111[gadget]; + case 0x1120000: + return g_kernel_base + g_gadget_map_112[gadget]; + case 0x1130000: + return g_kernel_base + g_gadget_map_113[gadget]; + case 0x1140000: + return g_kernel_base + g_gadget_map_114[gadget]; case 0x2000000: return g_kernel_base + g_gadget_map_200[gadget]; + case 0x2200000: + return g_kernel_base + g_gadget_map_220[gadget]; + case 0x2250000: + return g_kernel_base + g_gadget_map_225[gadget]; + case 0x2260000: + return g_kernel_base + g_gadget_map_226[gadget]; + case 0x2300000: + return g_kernel_base + g_gadget_map_230[gadget]; case 0x2500000: return g_kernel_base + g_gadget_map_250[gadget]; } From 4655f86ec0fb32d1c34f429ef78749e1a9570b61 Mon Sep 17 00:00:00 2001 From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Sun, 27 Oct 2024 18:46:30 -0600 Subject: [PATCH 08/24] Create build.yml --- .github/workflows/build.yml | 49 +++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..5bc6d5d --- /dev/null +++ b/.github/workflows/build.yml 
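Review bot: `kdlgadget` repeats the firmware-to-table switch that `kdlsym` and `init_kdlsym` already carry in the two previous hunks, so every new firmware is a three-place edit in this file alone (the later 2.70 commit on this page touches the same case lists again). One `static const` table of `{ fw_version, sym_map, gadget_map }` rows plus a single lookup helper would keep the version list in one place and let both accessors share the not-found path. The body of `kdlgadget` continues outside the hunk.

```c
static const struct fw_tables {
    uint64_t fw;
    const uint64_t *syms;
    const uint64_t *gadgets;
} g_fw_tables[] = {
    { 0x1100000, g_sym_map_110, g_gadget_map_110 },
    /* … one row per supported firmware … */
    { 0x2500000, g_sym_map_250, g_gadget_map_250 },
};

static const struct fw_tables *fw_lookup(void)
{
    for (size_t i = 0; i < sizeof g_fw_tables / sizeof g_fw_tables[0]; i++) {
        if (g_fw_tables[i].fw == g_fw_version)
            return &g_fw_tables[i];
    }
    return NULL;
}
```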
@@ -0,0 +1,49 @@
+name: CI
+
+on:
+ push:
+ paths:
+ - '**'
+ workflow_dispatch:
+
+permissions:
+ id-token: write
+ attestations: write
+ contents: write
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install dependencies
+ run: |
+ sudo apt update
+ sudo apt install bash clang-15 lld-15
+ sudo apt install build-essential cmake pkg-config
+
+ - name: Install toolchain
+ run: |
+ wget https://github.com/ps5-payload-dev/pacbrew-repo/releases/latest/download/ps5-payload-dev.tar.gz
+ sudo tar xf ps5-payload-dev.tar.gz -C /
+
+ - name: Build
+ run: |
+ sudo chmod +x ./build.sh
+ PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk ./build.sh
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ continue-on-error: true # this will fail if the repo is private
+ with:
+ subject-path: ./byepervisor.elf
+
+ - name: Upload
+ uses: actions/upload-artifact@v3
+ with:
+ name: Byepervisor
+ path: ./byepervisor.elf
+ if-no-files-found: error
From cb62548c4954d00217e6cfd27763ab32a7970539 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sun, 27 Oct 2024 20:54:38 -0600
Subject: [PATCH 09/24] Added Kernel Offsets For 1.05 Still Requires Shellcore Offsets For HEN
---
 README.md | 5 +-
 .../include/offsets/1_05.h | 37 +++++
 _old_jump_table_exploit/src/kdlsym.c | 6 +-
 hen/include/hooks/1_05.h | 79 +++++++++++
 hen/include/offsets/1_05.h | 41 ++++++
 hen/src/hook.cpp | 9 +-
 hen/src/kdlsym.cpp | 3 +
 include/offsets/1_05.h | 4 +
 include/patches/1_05.h | 129 +++++++++++++++++-
 9 files changed, 302 insertions(+), 11 deletions(-)
 create mode 100644 _old_jump_table_exploit/include/offsets/1_05.h
 create mode 100644 hen/include/hooks/1_05.h
 create mode 100644 hen/include/offsets/1_05.h
diff --git a/README.md b/README.md
index 46a7f31..92b02c7 100644
--- a/README.md
+++ b/README.md
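Review bot: The "Install toolchain" step fetches `releases/latest/download/ps5-payload-dev.tar.gz` and unpacks it as root over `/` with no checksum or signature check, so whatever the upstream repository publishes next is executed on every push; pin the release tag in the URL (`releases/download/<PINNED_RELEASE_TAG>/...`) and verify a recorded digest first, e.g. `echo "<EXPECTED_SHA256>  ps5-payload-dev.tar.gz" | sha256sum -c -` before the `tar` line. The three actions (`actions/checkout@v3`, `actions/attest-build-provenance@v1`, `actions/upload-artifact@v3`) are floating major tags rather than commit SHAs, and `contents: write` is broader than the steps shown need (checkout reads; attestation uses `id-token` and `attestations`). `continue-on-error: true` on the attest step hides a failed provenance attestation from the run status, so if consumers are expected to rely on the attestation the failure should fail the job. `paths: - '**'` is equivalent to no path filter and can be dropped.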
@@ -26,7 +26,10 @@ These flags are not reinitialized by the secure loader upon resume from sleep mo ## Currently included - Kernel dumping code (commented out, running this code *will* panic the system as it will try to dump as much as it can before hitting unmapped memory) - Code to decrypt system library SELFs over TCP -- Homebrew enabler (HEN) for 2.50 firmware (fself+fpkg) +- Homebrew enabler (HEN) (fself+fpkg) + +## Firmware Status +Completed: 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50 ## Build notes This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com/ps5-payload-dev/sdk). Note also that the build for `hen/` is slightly special, as it gets compiled to a flat binary thats copied into a kernel code cave. The entirety of code in `hen/` runs in supervisor/kernel mode. diff --git a/_old_jump_table_exploit/include/offsets/1_05.h b/_old_jump_table_exploit/include/offsets/1_05.h new file mode 100644 index 0000000..92b12bb --- /dev/null +++ b/_old_jump_table_exploit/include/offsets/1_05.h 
@@ -0,0 +1,37 @@ +#ifndef OFFSETS_1_05_H +#define OFFSETS_1_05_H + +uint64_t g_sym_map_105[] = { + 0x4adf5b0, // KERNEL_SYM_DMPML4I + 0x4adf5b4, // KERNEL_SYM_DMPDPI + 0x4adf30c, // KERNEL_SYM_PML4PML4I + 0x4adf328, // KERNEL_SYM_PMAP_STORE + 0x7980000, // KERNEL_SYM_DATA_CAVE + 0x23ebb98, // KERNEL_SYM_HV_JMP_TABLE + 0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR +}; + +uint64_t g_gadget_map_105[] = { + 0x2, // KERNEL_GADGET_RET + 0x1531f2, // KERNEL_GADGET_INFLOOP + 0xaa9140, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4 + 0xaa97b1, // KERNEL_GADGET_RETURN_ADDR + 0x18ea78, // KERNEL_GADGET_POP_RDI + 0x1230c4, // KERNEL_GADGET_POP_RSI + 0x1100c2, // KERNEL_GADGET_POP_RDX + 0x1ab6d0, // KERNEL_GADGET_POP_RAX + 0x12d876, // KERNEL_GADGET_POP_RBX + 0x1ea199, // KERNEL_GADGET_ADD_RAX_RDX + 0x681cfb, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48 + 0x646f21, // KERNEL_GADGET_POP_R12 + 0x3f2c36, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI + 0x149b8f, // KERNEL_GADGET_POP_RSP + 0x153790, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX + 0x153937, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0 + 0x2309e0, // KERNEL_GADGET_SETJMP + 0x230a10, // KERNEL_GADGET_LONGJMP + 0xb1ecac, // KERNEL_GADGET_JOP1 + 0x1c0e8f, // KERNEL_GADGET_JOP2 +}; + +#endif // OFFSETS_1_05_H diff --git a/_old_jump_table_exploit/src/kdlsym.c b/_old_jump_table_exploit/src/kdlsym.c index a7cf4b6..1acab65 100644 --- a/_old_jump_table_exploit/src/kdlsym.c +++ b/_old_jump_table_exploit/src/kdlsym.c @@ -3,7 +3,7 @@ #include "debug_log.h" #include "kdlsym.h" - +#include "offsets/1_05.h" #include "offsets/1_10.h" #include "offsets/1_11.h" #include "offsets/1_12.h" @@ -66,6 +66,8 @@ uint64_t kdlsym(ksym_t sym) return 0; switch (g_fw_version) { + case 0x1050000: + return g_kernel_base + g_sym_map_105[sym]; case 0x1100000: return g_kernel_base + g_sym_map_110[sym]; case 0x1110000: 
@@ -104,6 +106,8 @@ uint64_t kdlgadget(kgadget_t gadget) return 0; switch (g_fw_version) { + case 0x1050000: + return g_kernel_base + g_gadget_map_105[gadget]; case 0x1100000: return g_kernel_base + g_gadget_map_110[gadget]; case 0x1110000: diff --git a/hen/include/hooks/1_05.h b/hen/include/hooks/1_05.h new file mode 100644 index 0000000..31f46d1 --- /dev/null +++ b/hen/include/hooks/1_05.h @@ -0,0 +1,79 @@ +#ifndef HOOKS_1_05_H +#define HOOKS_1_05_H + +#include "hook.h" + +struct hook g_kernel_hooks_105[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + 0x9079ab, + 0x9915f0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE, + 0x2dcda1, + 0x8a6960 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER, + 0x2dd51e, + 0x8a69c0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME, + 0x2de369, + 0x8a69c0 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT, + 0x371295, + 0x563f60 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK, + 0x37179f, + 0x563f60 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS, + 0x371d45, + 0x563f60 + }, + { + HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, + 0x2dcc8d, + 0x5a9c50 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x8675fc, + 0x563f60 + }, + { + HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x8678a1, + 0x563f60 + }, + { + HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x2d5676, + 0x563f60 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x2d509f, + 0x563f60 + }, + { + HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX, + 0x2d510b, + 0x563f60 + }, + { + HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE, + 0x32e2fd, + 0x729f30 + } +}; + +#endif // HOOKS_1_05_H diff --git a/hen/include/offsets/1_05.h b/hen/include/offsets/1_05.h new file mode 100644 index 0000000..c97ccfe --- /dev/null +++ b/hen/include/offsets/1_05.h 
@@ -0,0 +1,41 @@ +#ifndef OFFSETS_1_05_H +#define OFFSETS_1_05_H + +uint64_t g_sym_map_105[] = { + 0x0b30000, // KERNEL_SYM_TEXT_END + 0x4adf5b0, // KERNEL_SYM_DMPML4I + 0x4adf5b4, // KERNEL_SYM_DMPDPI + 0x4adf30c, // KERNEL_SYM_PML4PML4I + 0x4adf328, // KERNEL_SYM_PMAP_STORE + 0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED + 0x04a05a0, // KERNEL_SYM_PRINTF + 0x08a6960, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2 + 0x08a7510, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO + 0x05a9c50, // KERNEL_SYM_SCESBLACMGRGETPATHID + 0x3457580, // KERNEL_SYM_M_TEMP + 0x0a9cf90, // KERNEL_SYM_MALLOC + 0x0a9d340, // KERNEL_SYM_FREE + 0x28d1c58, // KERNEL_SYM_MINI_SYSCORE_BIN + 0x08a69c0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER + 0x0563f60, // KERNEL_SYM_SCESBLSERVICEMAILBOX + 0x38ac368, // KERNEL_SYM_CTXTABLE_MTX + 0x38ac390, // KERNEL_SYM_CTXSTATUS + 0x38ac3a0, // KERNEL_SYM_CTXTABLE + 0x04b0a00, // KERNEL_SYM_MTX_LOCK_FLAGS + 0x04b0ef0, // KERNEL_SYM_MTX_UNLOCK_FLAGS + 0x0907d20, // KERNEL_SYM_RW_MEM + 0x4211c18, // KERNEL_SYM_ALLPROC + 0x030d860, // KERNEL_SYM_VM_MAP_LOCK_READ + 0x030d8a0, // KERNEL_SYM_VM_MAP_UNLOCK_READ + 0x030dd70, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY + 0x059f150, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT + 0x059f250, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT + 0x06898d0, // KERNEL_SYM_FPU_KERN_ENTER + 0x0689a30, // KERNEL_SYM_FPU_KERN_LEAVE + 0x040b6d0, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE + 0x0816070, // KERNEL_SYM_SHA256_HMAC + 0x032e2f0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC + 0x0729ff0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC +}; + +#endif // OFFSETS_1_05_H diff --git a/hen/src/hook.cpp b/hen/src/hook.cpp index 55821f4..2e47269 100644 --- a/hen/src/hook.cpp +++ b/hen/src/hook.cpp @@ -5,6 +5,7 @@ #include "hook.h" #include "kdlsym.h" +#include "hooks/1_05.h" #include "hooks/1_10.h" #include "hooks/1_11.h" #include "hooks/1_12.h" 
@@ -28,10 +29,10 @@ struct hook *find_hook(hook_id id) auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF); switch (fw_ver) { - // case 0x1050000: - // hooks = (struct hook *) &g_kernel_hooks_105; - // num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook); - // break; + case 0x1050000: + hooks = (struct hook *) &g_kernel_hooks_105; + num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook); + break; case 0x1100000: hooks = (struct hook *) &g_kernel_hooks_110; num_hooks = sizeof(g_kernel_hooks_110) / sizeof(struct hook); diff --git a/hen/src/kdlsym.cpp b/hen/src/kdlsym.cpp index ab87add..96b37c0 100644 --- a/hen/src/kdlsym.cpp +++ b/hen/src/kdlsym.cpp @@ -1,6 +1,7 @@ #include #include "kdlsym.h" +#include "offsets/1_05.h" #include "offsets/1_10.h" #include "offsets/1_11.h" #include "offsets/1_12.h" @@ -45,6 +46,8 @@ uint64_t kdlsym(ksym_t sym) return 0; switch (g_fw_version) { + case 0x1050000: + return g_kernel_base + g_sym_map_105[sym]; case 0x1100000: return g_kernel_base + g_sym_map_110[sym]; case 0x1110000: diff --git a/include/offsets/1_05.h b/include/offsets/1_05.h index 49c5b82..d76d32f 100644 --- a/include/offsets/1_05.h +++ b/include/offsets/1_05.h @@ -7,6 +7,10 @@ uint64_t g_sym_map_105[] = { 0x4ADF30C, // KERNEL_SYM_PML4PML4I 0x4ADF328, // KERNEL_SYM_PMAP_STORE 0x7980000, // KERNEL_SYM_DATA_CAVE + 0x0044000, // KERNEL_SYM_CODE_CAVE + 0x1CA2690, // KERNEL_SYM_PS4_SYSENT + 0x1CAA890, // KERNEL_SYM_PPR_SYSENT + 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI }; uint64_t g_patch_map_105[] = { diff --git a/include/patches/1_05.h b/include/patches/1_05.h index 481bab6..494552b 100644 --- a/include/patches/1_05.h +++ b/include/patches/1_05.h @@ -3,6 +3,15 @@ #include "patch_common.h" +struct hook g_kernel_hooks_105[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9079BB + }, +}; + struct patch g_kernel_patches_105[] = { { /* 
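Review bot: `hooks = (struct hook *) &g_kernel_hooks_105;` takes the address of the whole array (a `struct hook (*)[N]`) and casts the type away; the array name already decays to `struct hook *`, so `hooks = g_kernel_hooks_105;` yields the same pointer without a cast that would also silence a genuine type mismatch, and `num_hooks = sizeof g_kernel_hooks_105 / sizeof g_kernel_hooks_105[0];` stays correct if the element type ever changes. The pattern is inherited from the existing 1.10 case, so this is a cleanup for all cases rather than this one. Further down, `include/patches/1_05.h` defines a second global also named `g_kernel_hooks_105` with four initializers per row, while `hen/include/hooks/1_05.h` uses three; the two trees appear to be built separately (the README describes `hen/` as a flat binary), but if that ever changes the names collide, and a comment on one of them noting the distinct `struct hook` layouts would save the next reader a detour. The body of `find_hook` continues outside the hunk.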
@@ -11,31 +20,141 @@ struct patch g_kernel_patches_105[] = { ret */ "sys_getgid()", - 0x02F17D0, + 0x02f17d0, "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", 14 }, { // mov eax, 1; ret "sceSblACMgrHasMmapSelfCapability()", - 0x05A9C20, + 0x5a9c20, "\xB8\x01\x00\x00\x00\xC3", 6 }, { // mov eax, 1; ret "sceSblACMgrIsAllowedToMmapSelf()", - 0x05A9C30, + 0x5a9c30, "\xB8\x01\x00\x00\x00\xC3", 6 }, { - // xor eax, eax; 3x nop; + // xor eax, eax; 3x nop "vm_mmap sceSblAuthMgrIsLoadable() call", - 0x0981909, + 0x981909, "\x31\xC0\x90\x90\x90", 5 }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x458c10, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0da0, + "\x00", + 1 + }, + { + "panic patch 1", + 0x7222e0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x405616, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722950, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722e40, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x7229f0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722b40, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722cc0, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722ef0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722fb0, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x723070, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x723140, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x723210, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x7232f0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71d6ce, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71d6fb, + "\xB8\x00\x00\x00\x00", + 5 + } }; #endif // PATCHES_1_05_H \ No newline at end of file From 39341b2198203f3a0ba7cd7010d829246070ed6a Mon Sep 17 00:00:00 2001 
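Review bot: The comment on the new `cfi_check_fail()` entry reads `// xor eax, eax; ret` but the patch bytes are `"\xC3"` with length 1, which the earlier entries in this same table document as `ret` alone; either the comment or the bytes is wrong and they should agree before this ships. The fifteen `panic patch N` entries carry no comment at all, unlike the earlier rows that name the instruction they write, so a reader cannot tell what `"\xEB\xFE"` versus `"\xC3"` does to the routine without decoding the bytes by hand — give each row the same one-line instruction comment and, where known, the name of the routine being patched rather than a running number. The file still ends without a trailing newline. The enclosing `g_kernel_patches_105` initializer starts outside the hunk.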
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Mon, 28 Oct 2024 16:44:16 -0600 Subject: [PATCH 10/24] Added Support For PS5 2.70 Thanks To @BestPig , @zecoxao And Anonymous Friend For Help --- README.md | 4 ++-- _old_jump_table_exploit/src/kdlsym.c | 3 +++ hen/src/hook.cpp | 1 + hen/src/kdlsym.cpp | 1 + hen/src/patch_shellcore.cpp | 1 + src/kdlsym.cpp | 2 ++ src/patching.cpp | 1 + 7 files changed, 11 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 92b02c7..688ef56 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ The primary and recommended exploit takes advantage of the fact that system Qual These flags are not reinitialized by the secure loader upon resume from sleep mode, though the hypervisor is. By setting the SL flag, putting the system to sleep, and resuming, we can edit the guest kernel's pagetables to make kernel .text pages read/writable, allowing dumping of the kernel and hooks/patches. ## Important Notes -- Currently only 2.50 FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time. +- Currently only listed FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time. - The exploit payload (byepervisor.elf) will need to be sent twice, once before suspending the system and again after resuming. - You will have to put the system into rest mode manually yourself - Kernel dump from QA flags exploit will not contain hypervisor's .data region at the moment, if this is important for you, dump using the jump table exploit after porting or disable nested paging first (this is a TODO) 
@@ -29,7 +29,7 @@ These flags are not reinitialized by the secure loader upon resume from sleep mo - Homebrew enabler (HEN) (fself+fpkg) ## Firmware Status -Completed: 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50 +Completed: 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70 ## Build notes This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com/ps5-payload-dev/sdk). Note also that the build for `hen/` is slightly special, as it gets compiled to a flat binary thats copied into a kernel code cave. The entirety of code in `hen/` runs in supervisor/kernel mode. diff --git a/_old_jump_table_exploit/src/kdlsym.c b/_old_jump_table_exploit/src/kdlsym.c index 1acab65..988f599 100644 --- a/_old_jump_table_exploit/src/kdlsym.c +++ b/_old_jump_table_exploit/src/kdlsym.c @@ -41,6 +41,7 @@ void init_kdlsym() case 0x2260000: case 0x2300000: case 0x2500000: + case 0x2700000: g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B80000; break; } @@ -89,6 +90,7 @@ uint64_t kdlsym(ksym_t sym) case 0x2300000: return g_kernel_base + g_sym_map_230[sym]; case 0x2500000: + case 0x2700000: return g_kernel_base + g_sym_map_250[sym]; } @@ -129,6 +131,7 @@ uint64_t kdlgadget(kgadget_t gadget) case 0x2300000: return g_kernel_base + g_gadget_map_230[gadget]; case 0x2500000: + case 0x2700000: return g_kernel_base + g_gadget_map_250[gadget]; } diff --git a/hen/src/hook.cpp b/hen/src/hook.cpp index 2e47269..769f3a5 100644 --- a/hen/src/hook.cpp +++ b/hen/src/hook.cpp @@ -74,6 +74,7 @@ struct hook *find_hook(hook_id id) num_hooks = sizeof(g_kernel_hooks_230) / sizeof(struct hook); break; case 0x2500000: + case 0x2700000: hooks = (struct hook *) &g_kernel_hooks_250; num_hooks = sizeof(g_kernel_hooks_250) / sizeof(struct hook); break; diff --git a/hen/src/kdlsym.cpp b/hen/src/kdlsym.cpp index 96b37c0..ebc8684 100644 --- a/hen/src/kdlsym.cpp +++ b/hen/src/kdlsym.cpp 
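Review bot: Nothing records why 2.70 can reuse the 2.50 tables: `case 0x2700000:` is added as a bare fall-through into `g_sym_map_250`, `g_gadget_map_250` and `g_kernel_hooks_250`, and the README hunk lists 2.70 as completed on that basis. A one-line comment at each fall-through, `case 0x2700000: /* 2.70 shares the 2.50 kernel layout */`, would tell the next reader whether this was verified against a 2.70 kernel or assumed, and where the check came from. The same bare fall-through appears in the hen/src/kdlsym.cpp, hen/src/patch_shellcore.cpp, src/kdlsym.cpp and src/patching.cpp hunks that follow, so one wording can be reused in all of them.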
@@ -69,6 +69,7 @@ uint64_t kdlsym(ksym_t sym) case 0x2300000: return g_kernel_base + g_sym_map_230[sym]; case 0x2500000: + case 0x2700000: return g_kernel_base + g_sym_map_250[sym]; } diff --git a/hen/src/patch_shellcore.cpp b/hen/src/patch_shellcore.cpp index 3aa5aa0..38bc15f 100644 --- a/hen/src/patch_shellcore.cpp +++ b/hen/src/patch_shellcore.cpp @@ -197,6 +197,7 @@ void apply_shellcore_patches() num_patches = sizeof(g_shellcore_patches_230) / sizeof(struct patch); break; case 0x2500000: + case 0x2700000: patches = (struct patch *) &g_shellcore_patches_250; num_patches = sizeof(g_shellcore_patches_250) / sizeof(struct patch); break; diff --git a/src/kdlsym.cpp b/src/kdlsym.cpp index 4be5c13..40b82b8 100644 --- a/src/kdlsym.cpp +++ b/src/kdlsym.cpp @@ -47,6 +47,7 @@ void init_kdlsym() case 0x2260000: case 0x2300000: case 0x2500000: + case 0x2700000: g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B80000; break; } @@ -97,6 +98,7 @@ uint64_t kdlsym(ksym_t sym) case 0x2300000: return g_kernel_base + g_sym_map_230[sym]; case 0x2500000: + case 0x2700000: return g_kernel_base + g_sym_map_250[sym]; } diff --git a/src/patching.cpp b/src/patching.cpp index 04e2ac3..09d2ba4 100644 --- a/src/patching.cpp +++ b/src/patching.cpp @@ -87,6 +87,7 @@ int apply_kernel_patches() num_patches = sizeof(g_kernel_patches_230) / sizeof(struct patch); break; case 0x2500000: + case 0x2700000: patches = (struct patch *) &g_kernel_patches_250; num_patches = sizeof(g_kernel_patches_250) / sizeof(struct patch); break; From 99201dde8602a5f89adeb54ca0151d3f36ee52b7 Mon Sep 17 00:00:00 2001 
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com> Date: Thu, 31 Oct 2024 20:32:02 -0600 Subject: [PATCH 11/24] Added Support For PS5 1.00 - 1.05 Thanks To @BestPig , @zecoxao And Anonymous Friend For Help --- README.md | 2 +- hen/include/hooks/1_00.h | 79 +++++++++++++ hen/include/hooks/1_01.h | 79 +++++++++++++ hen/include/hooks/1_02.h | 79 +++++++++++++ hen/include/offsets/1_00.h | 41 +++++++ hen/include/offsets/1_01.h | 41 +++++++ hen/include/offsets/1_02.h | 41 +++++++ hen/include/shellcore_patches/1_00.h | 152 +++++++++++++++++++++++++ hen/include/shellcore_patches/1_02.h | 152 +++++++++++++++++++++++++ hen/src/hook.cpp | 12 ++ hen/src/kdlsym.cpp | 10 ++ hen/src/patch_shellcore.cpp | 15 +++ include/offsets/1_00.h | 23 ++++ include/offsets/1_01.h | 23 ++++ include/offsets/1_02.h | 23 ++++ include/offsets/2_00.h | 2 +- include/patches/1_00.h | 160 +++++++++++++++++++++++++++ include/patches/1_01.h | 160 +++++++++++++++++++++++++++ include/patches/1_02.h | 160 +++++++++++++++++++++++++++ include/patches/1_05.h | 2 +- include/patches/1_10.h | 2 +- src/kdlsym.cpp | 8 ++ src/main.cpp | 4 +- src/patching.cpp | 15 +++ 24 files changed, 1279 insertions(+), 6 deletions(-) create mode 100644 hen/include/hooks/1_00.h create mode 100644 hen/include/hooks/1_01.h create mode 100644 hen/include/hooks/1_02.h create mode 100644 hen/include/offsets/1_00.h create mode 100644 hen/include/offsets/1_01.h create mode 100644 hen/include/offsets/1_02.h create mode 100644 hen/include/shellcore_patches/1_00.h create mode 100644 hen/include/shellcore_patches/1_02.h create mode 100644 include/offsets/1_00.h create mode 100644 include/offsets/1_01.h create mode 100644 include/offsets/1_02.h create mode 100644 include/patches/1_00.h create mode 100644 include/patches/1_01.h create mode 100644 include/patches/1_02.h diff --git a/README.md b/README.md index 688ef56..aed5895 100644 --- a/README.md +++ b/README.md 
@@ -29,7 +29,7 @@ These flags are not reinitialized by the secure loader upon resume from sleep mo - Homebrew enabler (HEN) (fself+fpkg) ## Firmware Status -Completed: 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70 +Completed: 1.00, 1.01, 1.02, 1.05, 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70 ## Build notes This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com/ps5-payload-dev/sdk). Note also that the build for `hen/` is slightly special, as it gets compiled to a flat binary thats copied into a kernel code cave. The entirety of code in `hen/` runs in supervisor/kernel mode. diff --git a/hen/include/hooks/1_00.h b/hen/include/hooks/1_00.h new file mode 100644 index 0000000..5884e99 --- /dev/null +++ b/hen/include/hooks/1_00.h 
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_00_H
+#define HOOKS_1_00_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_100[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x90719b,
+ 0x990d80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcd71,
+ 0x8a5850
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd4ee,
+ 0x8a5820
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de339,
+ 0x8a5820
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371075,
+ 0x563a50
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37157f,
+ 0x563a50
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371b25,
+ 0x563a50
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc5d,
+ 0x5a9740
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8664bc,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x866761,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5646,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d506f,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50db,
+ 0x563a50
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e0dd,
+ 0x729990
+ }
+};
+
+#endif // HOOKS_1_00_H
diff --git a/hen/include/hooks/1_01.h b/hen/include/hooks/1_01.h
new file mode 100644
index 0000000..c9e242e
--- /dev/null
+++ b/hen/include/hooks/1_01.h
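Review bot: The two numeric columns of each entry carry no label, unlike the offsets headers in this patch where every value names its symbol; a one-line comment above the table stating what each column holds (as `struct hook` in hook.h defines them — that header is not visible here) would make these tables reviewable, and the same applies to the 1_01 and 1_02 tables that follow. Separately, the third column of this 1.00 table does not line up with `g_sym_map_100` later in this patch the way the 1_01 and 1_02 tables line up with theirs: IS_LOADABLE points at 0x8a5850 here while the 1.00 sym map lists 0x08A5820 for SCESBLAUTHMGRISLOADABLE2, and AUTH_HEADER/RESUME point at 0x8a5820 while the sym map lists 0x08A5880 for VERIFYHEADER. That pattern reads like values carried over from a neighbouring firmware's table; presumably one of the two sources needs re-checking before either is trusted.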
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_01_H
+#define HOOKS_1_01_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_101[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x90720b,
+ 0x990df0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcd71,
+ 0x8a5890
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd4ee,
+ 0x8a58f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de339,
+ 0x8a58f0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371075,
+ 0x563a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37157f,
+ 0x563a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371b25,
+ 0x563a70
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc5d,
+ 0x5a9760
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x86652c,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8667d1,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5646,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d506f,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50db,
+ 0x563a70
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e0dd,
+ 0x729a00
+ }
+};
+
+#endif // HOOKS_1_01_H
diff --git a/hen/include/hooks/1_02.h b/hen/include/hooks/1_02.h
new file mode 100644
index 0000000..a0dfae5
--- /dev/null
+++ b/hen/include/hooks/1_02.h
@@ -0,0 +1,79 @@
+#ifndef HOOKS_1_02_H
+#define HOOKS_1_02_H
+
+#include "hook.h"
+
+struct hook g_kernel_hooks_102[] = {
+ {
+ HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
+ 0x9071cb,
+ 0x990db0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
+ 0x2dcd71,
+ 0x8a5850
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
+ 0x2dd4ee,
+ 0x8a58b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
+ 0x2de339,
+ 0x8a58b0
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
+ 0x371075,
+ 0x563a80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
+ 0x37157f,
+ 0x563a80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
+ 0x371b25,
+ 0x563a80
+ },
+ {
+ HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
+ 0x2dcc5d,
+ 0x5a9770
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x8664ec,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x866791,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d5646,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d506f,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
+ 0x2d50db,
+ 0x563a80
+ },
+ {
+ HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
+ 0x32e0dd,
+ 0x7299c0
+ }
+};
+
+#endif // HOOKS_1_02_H
diff --git a/hen/include/offsets/1_00.h b/hen/include/offsets/1_00.h
new file mode 100644
index 0000000..9988302
--- /dev/null
+++ b/hen/include/offsets/1_00.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_00_H
+#define OFFSETS_1_00_H
+
+uint64_t g_sym_map_100[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0070, // KERNEL_SYM_PRINTF
+ 0x08A5820, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A63D0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9740, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457540, // KERNEL_SYM_M_TEMP
+ 0x0A9C6A0, // KERNEL_SYM_MALLOC
+ 0x0A9CA50, // KERNEL_SYM_FREE
+ 0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A5880, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563A50, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC380, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907510, // KERNEL_SYM_RW_MEM
+ 0x4211BF8, // KERNEL_SYM_ALLPROC
+ 0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059EC40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059ED40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x0689380, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x06894E0, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0814F30, // KERNEL_SYM_SHA256_HMAC
+ 0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729A50, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_00_H
diff --git a/hen/include/offsets/1_01.h b/hen/include/offsets/1_01.h
new file mode 100644
index 0000000..1532023
--- /dev/null
+++ b/hen/include/offsets/1_01.h
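Review bot: `uint64_t g_sym_map_100[] = {` defines a writable, externally-linked array in a header, so every translation unit that includes it gets its own definition (a duplicate-symbol link error as soon as a second .cpp includes it) and a stray write anywhere in the kernel payload can silently alter the table that kdlsym resolves from; `static const uint64_t g_sym_map_100[] = {` keeps it per-TU and in read-only data, and kdlsym only reads `g_sym_map_100[sym]`. The header also uses `uint64_t` without including `<cstdint>`/`<stdint.h>`, relying on the includer's order. The same applies to the 1_01 and 1_02 headers that follow and to the three `include/offsets/1_0x.h` files later in this patch, which additionally reuse the exact guard names (`OFFSETS_1_00_H` etc.) for a differently-laid-out `g_sym_map_100` — if both include trees ever become visible to one TU, the guard will silently drop whichever header is seen second.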
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_01_H
+#define OFFSETS_1_01_H
+
+uint64_t g_sym_map_101[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0070, // KERNEL_SYM_PRINTF
+ 0x08A5890, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A6440, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9760, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457540, // KERNEL_SYM_M_TEMP
+ 0x0A9C710, // KERNEL_SYM_MALLOC
+ 0x0A9CAC0, // KERNEL_SYM_FREE
+ 0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A58F0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563A70, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC380, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907580, // KERNEL_SYM_RW_MEM
+ 0x4211BF8, // KERNEL_SYM_ALLPROC
+ 0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059EC60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059ED60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06893A0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689500, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0814FA0, // KERNEL_SYM_SHA256_HMAC
+ 0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729AC0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_01_H
diff --git a/hen/include/offsets/1_02.h b/hen/include/offsets/1_02.h
new file mode 100644
index 0000000..5864d0f
--- /dev/null
+++ b/hen/include/offsets/1_02.h
@@ -0,0 +1,41 @@
+#ifndef OFFSETS_1_02_H
+#define OFFSETS_1_02_H
+
+uint64_t g_sym_map_102[] = {
+ 0x0B30000, // KERNEL_SYM_TEXT_END
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x04A0070, // KERNEL_SYM_PRINTF
+ 0x08A5850, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08A6400, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
+ 0x05A9770, // KERNEL_SYM_SCESBLACMGRGETPATHID
+ 0x3457540, // KERNEL_SYM_M_TEMP
+ 0x0A9C6D0, // KERNEL_SYM_MALLOC
+ 0x0A9CA80, // KERNEL_SYM_FREE
+ 0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
+ 0x08A58B0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
+ 0x0563A80, // KERNEL_SYM_SCESBLSERVICEMAILBOX
+ 0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
+ 0x38AC380, // KERNEL_SYM_CTXSTATUS
+ 0x38AC3A0, // KERNEL_SYM_CTXTABLE
+ 0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
+ 0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
+ 0x0907540, // KERNEL_SYM_RW_MEM
+ 0x4211BF8, // KERNEL_SYM_ALLPROC
+ 0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
+ 0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
+ 0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
+ 0x059EC70, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
+ 0x059ED70, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
+ 0x06893B0, // KERNEL_SYM_FPU_KERN_ENTER
+ 0x0689510, // KERNEL_SYM_FPU_KERN_LEAVE
+ 0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
+ 0x0814F60, // KERNEL_SYM_SHA256_HMAC
+ 0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
+ 0x0729A80, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
+};
+
+#endif // OFFSETS_1_02_H
diff --git a/hen/include/shellcore_patches/1_00.h b/hen/include/shellcore_patches/1_00.h
new file mode 100644
index 0000000..07397ec
--- /dev/null
+++ b/hen/include/shellcore_patches/1_00.h
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_1_00 +#define SHELLCORE_PATCHES_1_00 + +#include "common.h" + +struct patch g_shellcore_patches_100[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6a93, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6adf, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6b4b, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d263, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d2af, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d31b, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9a96e2, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb70733, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb7077f, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb707eb, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42ef81, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11e56f5, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371137, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371172, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371501, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47af30, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_1_00 diff --git a/hen/include/shellcore_patches/1_02.h b/hen/include/shellcore_patches/1_02.h new file mode 100644 index 0000000..c911a15 --- /dev/null +++ b/hen/include/shellcore_patches/1_02.h 
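Review bot: The include guard `SHELLCORE_PATCHES_1_00` drops the `_H` suffix that every sibling header in this patch uses (`OFFSETS_1_00_H`, `HOOKS_1_00_H`), which is the kind of drift that later lets a guard collide with an unrelated macro; `SHELLCORE_PATCHES_1_00_H` would match, and the same applies to the 1_02 header that follows. Within the table, most entries document the bytes they write as a mnemonic (`xor eax, eax; nop; nop; nop`), but the `longjmp` and `strfree` entries name a target instead, so a reader cannot check the byte string against the comment the way they can for the others. This table and the 1_02 one are identical except for the `strfree` offset (0x11e56f5 vs 0x11e544e); a comment recording that only that one entry differs would save the next maintainer a line-by-line diff, or, if the duplication is deliberate, say why.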
@@ -0,0 +1,152 @@ +#ifndef SHELLCORE_PATCHES_1_02 +#define SHELLCORE_PATCHES_1_02 + +#include "common.h" + +struct patch g_shellcore_patches_102[] = { + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6a93, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6adf, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x1e6b4b, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d263, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d2af, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x91d31b, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0x9a96e2, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb70733, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb7077f, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * xor eax, eax; nop; nop; nop + */ + 0xb707eb, + "\x31\xC0\x90\x90\x90", + 5 + }, + + { + /* + * longjmp + */ + 0x42ef81, + "\x90\xE9", + 2 + }, + + { + /* + * strfree + */ + 0x11e544e, + "\x66\x72\x65\x65", + 4 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371137, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371172, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; nop + */ + 0x371501, + "\x31\xC0\xFF\xC0\x90", + 5 + }, + + { + /* + * xor eax, eax; inc eax; ret + */ + 0x47af30, + "\x31\xC0\xFF\xC0\xC3", + 5 + } +}; + +#endif // SHELLCORE_PATCHES_1_02 diff --git a/hen/src/hook.cpp b/hen/src/hook.cpp index 769f3a5..c00f53e 100644 --- a/hen/src/hook.cpp +++ b/hen/src/hook.cpp @@ -5,6 +5,9 @@ #include "hook.h" #include "kdlsym.h" +#include "hooks/1_00.h" +#include "hooks/1_01.h" +#include "hooks/1_02.h" #include "hooks/1_05.h" #include "hooks/1_10.h" #include "hooks/1_11.h" 
@@ -29,6 +32,15 @@ struct hook *find_hook(hook_id id) auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF); switch (fw_ver) { + case 0x1000000: + hooks = (struct hook *) &g_kernel_hooks_100; + num_hooks = sizeof(g_kernel_hooks_100) / sizeof(struct hook); + break; + case 0x1010000: + case 0x1020000: + hooks = (struct hook *) &g_kernel_hooks_102; + num_hooks = sizeof(g_kernel_hooks_102) / sizeof(struct hook); + break; case 0x1050000: hooks = (struct hook *) &g_kernel_hooks_105; num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook); diff --git a/hen/src/kdlsym.cpp b/hen/src/kdlsym.cpp index ebc8684..f0d2f20 100644 --- a/hen/src/kdlsym.cpp +++ b/hen/src/kdlsym.cpp @@ -1,6 +1,10 @@ #include #include "kdlsym.h" + +#include "offsets/1_00.h" +#include "offsets/1_01.h" +#include "offsets/1_02.h" #include "offsets/1_05.h" #include "offsets/1_10.h" #include "offsets/1_11.h" @@ -46,6 +50,12 @@ uint64_t kdlsym(ksym_t sym) return 0; switch (g_fw_version) { + case 0x1000000: + return g_kernel_base + g_sym_map_100[sym]; + case 0x1010000: + return g_kernel_base + g_sym_map_101[sym]; + case 0x1020000: + return g_kernel_base + g_sym_map_102[sym]; case 0x1050000: return g_kernel_base + g_sym_map_105[sym]; case 0x1100000: diff --git a/hen/src/patch_shellcore.cpp b/hen/src/patch_shellcore.cpp index 38bc15f..81fb3ae 100644 --- a/hen/src/patch_shellcore.cpp +++ b/hen/src/patch_shellcore.cpp @@ -7,6 +7,8 @@ #include "patch_shellcore.h" #include "proc.h" +#include "shellcore_patches/1_00.h" +#include "shellcore_patches/1_02.h" #include "shellcore_patches/1_12.h" #include "shellcore_patches/1_14.h" #include "shellcore_patches/2_00.h" 
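Review bot: `case 0x1010000:` is folded into the `g_kernel_hooks_102` branch, while hen/src/kdlsym.cpp in this same hunk group gives 1.01 its own `g_sym_map_101`, and the `hooks/1_01.h` header this commit adds and includes defines a `g_kernel_hooks_101` that nothing references. The 101 and 102 hook tables differ in most of their address values (the second entry alone is 0x8a5890 vs 0x8a5850), so on a 1.01 system symbols would come from one firmware's table and hook targets from another's with no comment explaining why that is acceptable. Either the dedicated 1.01 table is redundant and the header should not be included, or the aliasing is a slip; as committed, the two cannot both be right, and `find_hook`'s body continues outside the hunk.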
@@ -168,10 +170,23 @@ void apply_shellcore_patches() printf("apply_shellcore_patches: fw_ver = 0x%lx\n", fw_ver); switch (fw_ver) { + case 0x1000000: + patches = (struct patch *) &g_shellcore_patches_100; + num_patches = sizeof(g_shellcore_patches_100) / sizeof(struct patch); + break; + case 0x1010000: + case 0x1020000: + patches = (struct patch *) &g_shellcore_patches_102; + num_patches = sizeof(g_shellcore_patches_102) / sizeof(struct patch); + break; + case 0x1050000: + case 0x1100000: + case 0x1110000: case 0x1120000: patches = (struct patch *) &g_shellcore_patches_112; num_patches = sizeof(g_shellcore_patches_112) / sizeof(struct patch); break; + case 0x1130000: case 0x1140000: patches = (struct patch *) &g_shellcore_patches_114; num_patches = sizeof(g_shellcore_patches_114) / sizeof(struct patch); diff --git a/include/offsets/1_00.h b/include/offsets/1_00.h new file mode 100644 index 0000000..f088924 --- /dev/null +++ b/include/offsets/1_00.h @@ -0,0 +1,23 @@ +#ifndef OFFSETS_1_00_H +#define OFFSETS_1_00_H + +uint64_t g_sym_map_100[] = { + 0x4ADF540, // KERNEL_SYM_DMPML4I + 0x4ADF544, // KERNEL_SYM_DMPDPI + 0x4ADF29C, // KERNEL_SYM_PML4PML4I + 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE + 0x7980000, // KERNEL_SYM_DATA_CAVE + 0x0044000, // KERNEL_SYM_CODE_CAVE + 0x1CA25B0, // KERNEL_SYM_PS4_SYSENT + 0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT + 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI +}; + +uint64_t g_patch_map_100[] = { + 0x05A9710, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY + 0x05A9720, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF + 0x0981099, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE + 0x02F17A0, // KERNEL_PATCH_SYS_GETGID +}; + +#endif // OFFSETS_1_00_H \ No newline at end of file diff --git a/include/offsets/1_01.h b/include/offsets/1_01.h new file mode 100644 index 0000000..176e45e --- /dev/null +++ b/include/offsets/1_01.h 
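Review bot: The new `case 0x1050000: case 0x1100000: case 0x1110000:` labels route three firmware versions onto `g_shellcore_patches_112`, and `case 0x1130000:` onto the 1.14 table, with nothing stating that those shellcore builds were compared against the 1.12 and 1.14 ones; this is the same unstated-equivalence pattern as the 2.70 alias in the earlier commit, and because these are code patches applied to a process, a wrong alias fails by corrupting it rather than by an error. A one-line comment such as `// 1.05–1.11 share the 1.12 shellcore layout; 1.13 shares 1.14 — recorded assumption` at the labels would at least make the assumption visible. The `include/offsets/1_00.h` hunk that follows on this line (and the 1_01/1_02 ones after it) is also committed without a trailing newline, unlike the other headers in this series. `apply_shellcore_patches`'s body continues outside the hunk.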
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_01_H
+#define OFFSETS_1_01_H
+
+uint64_t g_sym_map_101[] = {
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_101[] = {
+ 0x05A9730, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9740, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x0981109, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F17A0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_01_H
\ No newline at end of file
diff --git a/include/offsets/1_02.h b/include/offsets/1_02.h
new file mode 100644
index 0000000..8164eea
--- /dev/null
+++ b/include/offsets/1_02.h
@@ -0,0 +1,23 @@
+#ifndef OFFSETS_1_02_H
+#define OFFSETS_1_02_H
+
+uint64_t g_sym_map_102[] = {
+ 0x4ADF540, // KERNEL_SYM_DMPML4I
+ 0x4ADF544, // KERNEL_SYM_DMPDPI
+ 0x4ADF29C, // KERNEL_SYM_PML4PML4I
+ 0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
+ 0x7980000, // KERNEL_SYM_DATA_CAVE
+ 0x0044000, // KERNEL_SYM_CODE_CAVE
+ 0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
+ 0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
+ 0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
+};
+
+uint64_t g_patch_map_102[] = {
+ 0x05A9740, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
+ 0x05A9750, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
+ 0x09810C9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
+ 0x02F17A0, // KERNEL_PATCH_SYS_GETGID
+};
+
+#endif // OFFSETS_1_02_H
\ No newline at end of file
diff --git a/include/offsets/2_00.h b/include/offsets/2_00.h
index bcab877..84a289c 100644
--- a/include/offsets/2_00.h
+++ b/include/offsets/2_00.h
@@ -16,7 +16,7 @@ uint64_t g_sym_map_200[] = { uint64_t g_patch_map_200[] = { 0x0580860, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY 0x0580870, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF - 0x09A6F49, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE + 0x09A5F49, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE 0x02A69B0, // KERNEL_PATCH_SYS_GETGID }; diff --git a/include/patches/1_00.h b/include/patches/1_00.h new file mode 100644 index 0000000..f7055fe --- /dev/null +++ b/include/patches/1_00.h 
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_00_H +#define PATCHES_1_00_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_100[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9071AB + }, +}; + +struct patch g_kernel_patches_100[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2f17a0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5a9710, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5a9720, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981099, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x4587e0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0d20, + "\x00", + 1 + }, + { + "panic patch 1", + 0x721d40, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40514b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x7223b0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x7228a0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722450, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x7225a0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722720, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722950, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722a10, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x722ad0, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x722ba0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x722c70, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x722d50, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71d12e, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71d15b, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_00_H 
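Review bot: The `cfi_check_fail()` entry is commented `// xor eax, eax; ret` but its byte string is `"\xC3"` with length 1, i.e. only a `ret`; the comment promises a zeroed return value that the patch does not produce, so it should read `// ret` (or the bytes should match the comment — as written a reader cannot tell which was intended). The same mismatch is in the 1_01 and 1_02 tables that follow. The fifteen `panic patch N` entries and the `sysveri flag` entry carry no mnemonic or description at all, unlike the entries above them, so their bytes (`\xC3`, `\xEB\xFE`, `\xB8\x00\x00\x00\x00`) cannot be checked against intent. Separately, `g_kernel_hooks_100` here shares its name with the four-field-different `g_kernel_hooks_100` in `hen/include/hooks/1_00.h` earlier in this patch; presumably the two trees build into separate binaries, but a distinct name would stop the two from ever being confused.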
diff --git a/include/patches/1_01.h b/include/patches/1_01.h
new file mode 100644
index 0000000..3f7bb71
--- /dev/null
+++ b/include/patches/1_01.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_01_H +#define PATCHES_1_01_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_101[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x90720B + }, +}; + +struct patch g_kernel_patches_101[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2f17a0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5a9730, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5a9740, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x981109, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x4587e0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0d20, + "\x00", + 1 + }, + { + "panic patch 1", + 0x721db0, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40514b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x722420, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x722910, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x7224C0, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x722610, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722790, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x7229C0, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722A80, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x722B40, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x722C10, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x722CE0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x722DC0, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71D19E, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71D1CB, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_01_H 
diff --git a/include/patches/1_02.h b/include/patches/1_02.h
new file mode 100644
index 0000000..eec7bdd
--- /dev/null
+++ b/include/patches/1_02.h
@@ -0,0 +1,160 @@ +#ifndef PATCHES_1_02_H +#define PATCHES_1_02_H + +#include "patch_common.h" + +struct hook g_kernel_hooks_102[] = { + { + HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, + "sys_is_development_mode() -> isDevelopmentMode()", + 0x44000, + 0x9071CB + }, +}; + +struct patch g_kernel_patches_102[] = { + { + /* + mov qword ptr [rdi + 0x408], 0xc0ffee; + xor eax, eax; + ret + */ + "sys_getgid()", + 0x2f17a0, + "\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3", + 14 + }, + { + // mov eax, 1; ret + "sceSblACMgrHasMmapSelfCapability()", + 0x5a9740, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // mov eax, 1; ret + "sceSblACMgrIsAllowedToMmapSelf()", + 0x5a9750, + "\xB8\x01\x00\x00\x00\xC3", + 6 + }, + { + // xor eax, eax; 3x nop + "vm_mmap sceSblAuthMgrIsLoadable() call", + 0x9810c9, + "\x31\xC0\x90\x90\x90", + 5 + }, + { + // xor eax, eax; ret + "cfi_check_fail()", + 0x4587e0, + "\xC3", + 1 + }, + { + // jmp qword ptr [rsi] + "kexec trampoline gadget", + 0x0042000, + "\xFF\x26", + 2 + }, + { + "sysveri flag", + 0x40b0d20, + "\x00", + 1 + }, + { + "panic patch 1", + 0x721d70, + "\xC3", + 1 + }, + { + "panic patch 2", + 0x40514b, + "\xEB\xFE", + 2 + }, + { + "panic patch 3", + 0x7223e0, + "\xC3", + 1 + }, + { + "panic patch 4", + 0x7228d0, + "\xC3", + 1 + }, + { + "panic patch 5", + 0x722480, + "\xC3", + 1 + }, + { + "panic patch 6", + 0x7225d0, + "\xC3", + 1 + }, + { + "panic patch 7", + 0x722750, + "\xC3", + 1 + }, + { + "panic patch 8", + 0x722980, + "\xC3", + 1 + }, + { + "panic patch 9", + 0x722a40, + "\xC3", + 1 + }, + { + "panic patch 10", + 0x722b00, + "\xC3", + 1 + }, + { + "panic patch 11", + 0x722bd0, + "\xC3", + 1 + }, + { + "panic patch 12", + 0x722ca0, + "\xC3", + 1 + }, + { + "panic patch 13", + 0x722d80, + "\xC3", + 1 + }, + { + "panic patch 14", + 0x71d15e, + "\xB8\x00\x00\x00\x00", + 5 + }, + { + "panic patch 15", + 0x71d18b, + "\xB8\x00\x00\x00\x00", + 5 + } +}; + +#endif // PATCHES_1_02_H 
diff --git a/include/patches/1_05.h b/include/patches/1_05.h index 494552b..20163ac 100644 --- a/include/patches/1_05.h +++ b/include/patches/1_05.h @@ -73,7 +73,7 @@ struct patch g_kernel_patches_105[] = { }, { "panic patch 2", - 0x405616, + 0x40561b, "\xEB\xFE", 2 }, diff --git a/include/patches/1_10.h b/include/patches/1_10.h index 637f849..a6fd3a9 100644 --- a/include/patches/1_10.h +++ b/include/patches/1_10.h @@ -73,7 +73,7 @@ struct patch g_kernel_patches_110[] = { }, { "panic patch 2", - 0x405656, + 0x40565b, "\xEB\xFE", 2 }, diff --git a/src/kdlsym.cpp b/src/kdlsym.cpp index 40b82b8..4e3d861 100644 --- a/src/kdlsym.cpp +++ b/src/kdlsym.cpp @@ -8,6 +8,9 @@ extern "C" #include "debug_log.h" #include "kdlsym.h" +#include "offsets/1_00.h" +#include "offsets/1_01.h" +#include "offsets/1_02.h" #include "offsets/1_05.h" #include "offsets/1_10.h" #include "offsets/1_11.h" @@ -32,6 +35,7 @@ void init_kdlsym() // Resolve symbols switch (g_fw_version) { case 0x1000000: + case 0x1010000: case 0x1020000: case 0x1050000: case 0x1100000: @@ -74,7 +78,11 @@ uint64_t kdlsym(ksym_t sym) switch (g_fw_version) { case 0x1000000: + return g_kernel_base + g_sym_map_100[sym]; + case 0x1010000: + return g_kernel_base + g_sym_map_101[sym]; case 0x1020000: + return g_kernel_base + g_sym_map_102[sym]; case 0x1050000: return g_kernel_base + g_sym_map_105[sym]; case 0x1100000: diff --git a/src/main.cpp b/src/main.cpp index 46f17aa..07d8032 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -21,7 +21,7 @@ extern "C" { #include "mirror.h" #include "paging.h" #include "patching.h" -#include "self.h" +//#include "self.h" #include "util.h" int g_debug_sock = -1; @@ -181,7 +181,7 @@ int main() SOCK_LOG("[+] Aft. hook is_development_mode = 0x%x\n", __sys_is_development_mode()); - run_self_server(9004); + //run_self_server(9004); reset_mirrors(); return 0; } diff --git a/src/patching.cpp b/src/patching.cpp index 09d2ba4..551908b 100644 --- a/src/patching.cpp +++ b/src/patching.cpp 
@@ -14,6 +14,9 @@ extern "C"
 #include "kdlsym.h"
 #include "patching.h"
+#include "patches/1_00.h"
+#include "patches/1_01.h"
+#include "patches/1_02.h"
 #include "patches/1_05.h"
 #include "patches/1_10.h"
 #include "patches/1_11.h"
@@ -42,6 +45,18 @@ int apply_kernel_patches()
 SOCK_LOG("apply_kernel_patches: fw_ver=0x%lx\n", fw_ver);
 switch (fw_ver) {
+ case 0x1000000:
+ patches = (struct patch *) &g_kernel_patches_100;
+ num_patches = sizeof(g_kernel_patches_100) / sizeof(struct patch);
+ break;
+ case 0x1010000:
+ patches = (struct patch *) &g_kernel_patches_101;
+ num_patches = sizeof(g_kernel_patches_101) / sizeof(struct patch);
+ break;
+ case 0x1020000:
+ patches = (struct patch *) &g_kernel_patches_102;
+ num_patches = sizeof(g_kernel_patches_102) / sizeof(struct patch);
+ break;
 case 0x1050000:
 patches = (struct patch *) &g_kernel_patches_105;
 num_patches = sizeof(g_kernel_patches_105) / sizeof(struct patch);
From 3e28421d22eb250ec637989005fbc13ff56aa006 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Fri, 1 Nov 2024 19:44:52 -0600
Subject: [PATCH 12/24] Added notification on second send
---
 src/main.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/main.cpp b/src/main.cpp
index 07d8032..c9d597d 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -138,7 +138,13 @@ int main()
 return 0;
 }
-
+ else
+ {
+ // Notify the user on second send that Hen is loaded
+ SOCK_LOG("[+] Loading PS5HEN 1.0\n");
+ flash_notification("Welcome To PS5HEN 1.0\nBy SpecterDev");
+ }
+
 // Print out the kernel base
 SOCK_LOG("[+] Kernel base = 0x%lx\n", ktext(0));
From 9f4ff480a646640e48036d546f612b77994fad8e Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sat, 2 Nov 2024 08:57:45 -0600
Subject: [PATCH 13/24] revert back run_self_server
---
 src/main.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
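Review bot: The three new `case` blocks in `apply_kernel_patches()` cast `&g_kernel_patches_100` (a pointer to the whole array) to `struct patch *`; `patches = g_kernel_patches_100;` decays to the same address without a cast and keeps the compiler's type check in play, and the `105` case the hunk copies has the same shape. Since nothing ties the `patches` and `num_patches` assignments together except proximity, a one-line comment above the `switch` such as `// num_patches must be derived from the same table as patches` would make the invariant explicit for the next firmware that gets added. `apply_kernel_patches()` continues past the end of the hunk.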
diff --git a/src/main.cpp b/src/main.cpp
index c9d597d..9830717 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -21,7 +21,7 @@ extern "C" {
 #include "mirror.h"
 #include "paging.h"
 #include "patching.h"
-//#include "self.h"
+#include "self.h"
 #include "util.h"
 int g_debug_sock = -1;
@@ -187,7 +187,7 @@ int main()
 SOCK_LOG("[+] Aft. hook is_development_mode = 0x%x\n", __sys_is_development_mode());
- //run_self_server(9004);
+ run_self_server(9004);
 reset_mirrors();
 return 0;
 }
From 84e0221621ee119091085055c29947dc25eb963b Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sun, 3 Nov 2024 19:08:18 -0700
Subject: [PATCH 14/24] Fixed 2.70
---
 hen/include/shellcore_patches/2_70.h | 152 +++++++++++++++++++++++++++
 hen/src/patch_shellcore.cpp | 6 +-
 2 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 hen/include/shellcore_patches/2_70.h
diff --git a/hen/include/shellcore_patches/2_70.h b/hen/include/shellcore_patches/2_70.h
new file mode 100644
index 0000000..ace8947
--- /dev/null
+++ b/hen/include/shellcore_patches/2_70.h
@@ -0,0 +1,152 @@
+#ifndef SHELLCORE_PATCHES_2_70
+#define SHELLCORE_PATCHES_2_70
+
+#include "common.h"
+
+struct patch g_shellcore_patches_270[] = {
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x2203C3,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x22040C,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x22047C,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x9D83F3,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x9D843C,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0x9D84AC,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xA669F2,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xC65CD3,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xC65D1C,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; nop; nop; nop
+ */
+ 0xC65D8C,
+ "\x31\xC0\x90\x90\x90",
+ 5
+ },
+
+ {
+ /*
+ * longjmp
+ */
+ 0x49FC71,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * strfree
+ */
+ 0x13767F5,
+ "\x66\x72\x65\x65",
+ 4
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; nop
+ */
+ 0x3D7244,
+ "\x31\xC0\xFF\xC0\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; nop
+ */
+ 0x3D727F,
+ "\x31\xC0\xFF\xC0\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; nop
+ */
+ 0x3D760E,
+ "\x31\xC0\xFF\xC0\x90",
+ 5
+ },
+
+ {
+ /*
+ * xor eax, eax; inc eax; ret
+ */
+ 0x4EAC40,
+ "\x31\xC0\xFF\xC0\xC3",
+ 5
+ }
+};
+
+#endif // SHELLCORE_PATCHES_2_70
\ No newline at end of file
diff --git a/hen/src/patch_shellcore.cpp b/hen/src/patch_shellcore.cpp
index 81fb3ae..ec5c93c 100644
--- a/hen/src/patch_shellcore.cpp
+++ b/hen/src/patch_shellcore.cpp
@@ -17,6 +17,7 @@
 #include "shellcore_patches/2_26.h"
 #include "shellcore_patches/2_30.h"
 #include "shellcore_patches/2_50.h"
+#include "shellcore_patches/2_70.h"
 /**
 * @brief Implementation of read/write memory for a process (from kernel)
@@ -212,10 +213,13 @@ void apply_shellcore_patches()
 num_patches = sizeof(g_shellcore_patches_230) / sizeof(struct patch);
 break;
 case 0x2500000:
- case 0x2700000:
 patches = (struct patch *) &g_shellcore_patches_250;
 num_patches = sizeof(g_shellcore_patches_250) / sizeof(struct patch);
 break;
+ case 0x2700000:
+ patches = (struct patch *) &g_shellcore_patches_270;
+ num_patches = sizeof(g_shellcore_patches_270) / sizeof(struct patch);
+ break;
 default:
 printf("apply_shellcore_patches: don't have offsets for this firmware\n");
 return;
From bacd8c7b08e47fef2d45d2a765a9634c72f2f2e8 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:13:53 -0700
Subject: [PATCH 15/24] fixed sysveri flag
---
 include/patches/2_20.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/patches/2_20.h b/include/patches/2_20.h
index 0fdb67f..8062f6c 100644
--- a/include/patches/2_20.h
+++ b/include/patches/2_20.h
@@ -61,7 +61,7 @@ struct patch g_kernel_patches_220[] = {
 },
 {
 "sysveri flag",
- 0xDEADBEEF,
+ 0x411CD70,
 "\x00",
 1
 },
@@ -157,4 +157,4 @@ struct patch g_kernel_patches_220[] = {
 }
 };
-#endif // PATCHES_2_20_H
\ No newline at end of file
+#endif // PATCHES_2_20_H
From b79387efc90bdd1b99ce1c4c913fa79626a05af4 Mon Sep 17 00:00:00 2001
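Review bot: The replaced `0xDEADBEEF` in the `sysveri flag` entry shows that a sentinel offset sat in a live patch table until someone noticed, and from the `apply_kernel_patches()` hunk in commit 11 it looks like tables are handed to the apply loop as-is, with no visible check that every offset has been filled in. A guard in that loop that skips and logs any entry whose offset is `0xDEADBEEF` or `0`, or a comment on each table stating that placeholder offsets are not permitted, would make the next incomplete table fail visibly instead of writing a byte to an unintended address. The apply loop itself is outside the hunks on this page, so whether such a guard already exists is inferred rather than seen.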
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sun, 17 Nov 2024 20:49:53 -0700
Subject: [PATCH 16/24] Added bypass fw checks 2.xx
---
 hen/include/shellcore_patches/2_00.h | 99 ++++++++++++++++++++++++++
 hen/include/shellcore_patches/2_20.h | 99 ++++++++++++++++++++++++++
 hen/include/shellcore_patches/2_25.h | 100 +++++++++++++++++++++++++++
 hen/include/shellcore_patches/2_26.h | 99 ++++++++++++++++++++++++++
 hen/include/shellcore_patches/2_30.h | 99 ++++++++++++++++++++++++++
 hen/include/shellcore_patches/2_50.h | 99 ++++++++++++++++++++++++++
 hen/include/shellcore_patches/2_70.h | 99 ++++++++++++++++++++++++++
 7 files changed, 694 insertions(+)
diff --git a/hen/include/shellcore_patches/2_00.h b/hen/include/shellcore_patches/2_00.h
index c20fc58..d222378 100644
--- a/hen/include/shellcore_patches/2_00.h
+++ b/hen/include/shellcore_patches/2_00.h
@@ -146,6 +146,105 @@ struct patch g_shellcore_patches_200[] = {
 0x4E7020,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x21585B,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x2158D8,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x2159DB,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x215AAF,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x215F1A,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x2160EE,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x2164A5,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x216542,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x487847,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x48795C,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x4897B0,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
diff --git a/hen/include/shellcore_patches/2_20.h b/hen/include/shellcore_patches/2_20.h
index 35c860a..209bcc1 100644
--- a/hen/include/shellcore_patches/2_20.h
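Review bot: Three of the eleven entries added to `g_shellcore_patches_200` are labelled only `Not Sure`, which documents nothing about what the bytes change; an entry whose target is unknown cannot be re-verified when the next firmware moves it, so each of those comments should name the function or check being patched, or the entry should be held back until it can be. The same three unlabelled entries recur in the 2_20 through 2_70 hunks that follow and in the 1.xx tables of commit 18, and 2_25.h additionally writes `Not sure` and `PKG Installer Patch 4` where its siblings say `Not Sure` and `PS4 PKG Installer Patch 4`, with a doubled blank line before its `PS5 PKG Installer Patch 1` entry. The entries added to 2_50.h and 2_70.h carry identical offsets, which may be correct but is worth confirming given that commit 14 split those two tables because their contents differ.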
+++ b/hen/include/shellcore_patches/2_20.h
@@ -146,6 +146,105 @@ struct patch g_shellcore_patches_220[] = {
 0x4E7370,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x215AFB,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x215B78,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x215C7B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x215D4F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x2161BA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x21638E,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x216745,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x2167E2,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x487B97,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x487CC3,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x489B00,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
diff --git a/hen/include/shellcore_patches/2_25.h b/hen/include/shellcore_patches/2_25.h
index 6e9c331..be69a4c 100644
--- a/hen/include/shellcore_patches/2_25.h
+++ b/hen/include/shellcore_patches/2_25.h
@@ -146,6 +146,106 @@ struct patch g_shellcore_patches_225[] = {
 0x4E78C0,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x215AFB,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x215B78,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x215C7B,
+ "\xEB",
+ 1
+ },
+
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x215D4F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x2161BA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not sure
+ */
+ 0x21638E,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not sure
+ */
+ 0x216745,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not sure
+ */
+ 0x2167E2,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x4880E7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x4881FC,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PKG Installer Patch 4
+ */
+ 0x48A050,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
diff --git a/hen/include/shellcore_patches/2_26.h b/hen/include/shellcore_patches/2_26.h
index 4e71fd9..9c074ee 100644
--- a/hen/include/shellcore_patches/2_26.h
+++ b/hen/include/shellcore_patches/2_26.h
@@ -146,6 +146,105 @@ struct patch g_shellcore_patches_226[] = {
 0x4E9070,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x21726B,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x2172E8,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x2173EB,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x2174BF,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x21792A,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217AFE,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217EB5,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217F52,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x489897,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x4899C3,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x48B800,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
diff --git a/hen/include/shellcore_patches/2_30.h b/hen/include/shellcore_patches/2_30.h
index 9cc3e81..a73942d 100644
--- a/hen/include/shellcore_patches/2_30.h
+++ b/hen/include/shellcore_patches/2_30.h
@@ -146,6 +146,105 @@ struct patch g_shellcore_patches_230[] = {
 0x4E9890,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x21741B,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x217498,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x21759B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x21766F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x217ADA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217CAE,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x218065,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x218102,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x48A037,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x48A14C,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x48BFA0,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
diff --git a/hen/include/shellcore_patches/2_50.h b/hen/include/shellcore_patches/2_50.h
index 3d899bf..7f5f35a 100644
--- a/hen/include/shellcore_patches/2_50.h
+++ b/hen/include/shellcore_patches/2_50.h
@@ -146,6 +146,105 @@ struct patch g_shellcore_patches_250[] = {
 0x4EAC40,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x2171BB,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x217238,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x21733B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x21740F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x21787A,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217A4E,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217E05,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217EA2,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x48B3E7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x48B4FC,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x48D350,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
diff --git a/hen/include/shellcore_patches/2_70.h b/hen/include/shellcore_patches/2_70.h
index ace8947..ab92e43 100644
--- a/hen/include/shellcore_patches/2_70.h
+++ b/hen/include/shellcore_patches/2_70.h
@@ -146,6 +146,105 @@ struct patch g_shellcore_patches_270[] = {
 0x4EAC40,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x2171BB,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x217238,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x21733B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x21740F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x21787A,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217A4E,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217E05,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x217EA2,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x48B3E7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x48B4FC,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 4
+ */
+ 0x48D350,
+ "\x48\x31\xC0\xC3",
+ 4
 }
 };
From 62e44303108abd057923345ed21e64d4109c23a6 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Wed, 20 Nov 2024 17:14:49 -0700
Subject: [PATCH 17/24] Updates From @ChendoChap Updates From @ChendoChap preferably reset mirrors before playing with blocking sockets.
---
 hen/src/fself.cpp | 17 +++++++++++++++--
 src/main.cpp | 8 ++++----
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/hen/src/fself.cpp b/hen/src/fself.cpp
index b586687..64f7b06 100644
--- a/hen/src/fself.cpp
+++ b/hen/src/fself.cpp
@@ -41,15 +41,28 @@ extern "C" {
 static volatile int enableHook6 = 1;
 }
+struct mtx {
+ uint8_t dontcare[0x18];
+ volatile uintptr_t mtx_lock;
+};
+
 SelfContext* getSelfContextByServiceId(uint32_t serviceId) {
 auto ctxTable = (SelfContext *) kdlsym(KERNEL_SYM_CTXTABLE);
-
+ auto ctxStatus = (int*) kdlsym(KERNEL_SYM_CTXSTATUS);
+ auto ctxTableMtx = (mtx*) kdlsym(KERNEL_SYM_CTXTABLE_MTX);
+ auto __mtx_lock_flags = (void(*)(volatile uintptr_t*, int, const char*, int)) kdlsym(KERNEL_SYM_MTX_LOCK_FLAGS);
+ auto __mtx_unlock_flags = (void(*)(volatile uintptr_t*, int, const char*, int)) kdlsym(KERNEL_SYM_MTX_UNLOCK_FLAGS);
+
+ __mtx_lock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0);
 for(int i = 0; i < 4; i++) {
+ if(ctxStatus[i] != 3 && ctxStatus[i] != 4) { continue; }
 auto ctx = &ctxTable[i];
 if(ctx->unk1C == serviceId) {
+ __mtx_unlock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0);
 return ctx;
 }
 }
+ __mtx_unlock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0);
 return nullptr;
 }
@@ -263,4 +276,4 @@ void apply_fself_hooks()
 printf("[HEN] [FSELF] sceSblAuthMgrIsLoadable() -> sceSblACMgrGetPathId()\n");
 install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, (void *) &sceSblACMgrGetPathId_hook);
-}
+}
\ No newline at end of file
diff --git a/src/main.cpp b/src/main.cpp
index 9830717..c87c642 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -140,11 +140,10 @@ int main()
 }
 else
 {
- // Notify the user on second send that Hen is loaded
 SOCK_LOG("[+] Loading PS5HEN 1.0\n");
- flash_notification("Welcome To PS5HEN 1.0\nBy SpecterDev");
+ flash_notification("Welcome To PS5HEN 1.0\nBy SpecterDev");
 }
-
+
 // Print out the kernel base
 SOCK_LOG("[+] Kernel base = 0x%lx\n", ktext(0));
@@ -187,7 +186,8 @@ int main()
 SOCK_LOG("[+] Aft. hook is_development_mode = 0x%x\n", __sys_is_development_mode());
- run_self_server(9004);
 reset_mirrors();
+ run_self_server(9004);
+
 return 0;
 }
From 5219b0142d2e4ce60135753966c7c7eb2d6edffa Mon Sep 17 00:00:00 2001
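Review bot: `getSelfContextByServiceId()` releases `ctxTableMtx` before returning `ctx`, so the new `ctxStatus[i]` check only guards the lookup; by the time the caller dereferences the returned entry its status may have changed, and that contract should be stated on the function, e.g. `// Returns a pointer into the shared ctx table; the table lock is NOT held on return.` The literals `3` and `4` in `if(ctxStatus[i] != 3 && ctxStatus[i] != 4)` encode a status the reader has to guess at and deserve named constants. The local `struct mtx` hard-codes the lock word at offset `0x18`, which presumably mirrors the kernel's layout on every supported firmware; a comment saying which layout it copies would make that assumption checkable. The file also loses its trailing newline in the last hunk.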
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Wed, 20 Nov 2024 20:34:02 -0700
Subject: [PATCH 18/24] Added Most bypass fw checks 1.xx Still need shellcore for 1.05, 1.10, 1.11 And 1.13
---
 hen/include/shellcore_patches/1_00.h | 90 ++++++++++++++++++++++++++++
 hen/include/shellcore_patches/1_02.h | 90 ++++++++++++++++++++++++++++
 hen/include/shellcore_patches/1_12.h | 90 ++++++++++++++++++++++++++++
 hen/include/shellcore_patches/1_14.h | 90 ++++++++++++++++++++++++++++
 4 files changed, 360 insertions(+)
diff --git a/hen/include/shellcore_patches/1_00.h b/hen/include/shellcore_patches/1_00.h
index 07397ec..bd39978 100644
--- a/hen/include/shellcore_patches/1_00.h
+++ b/hen/include/shellcore_patches/1_00.h
@@ -146,6 +146,96 @@ struct patch g_shellcore_patches_100[] = {
 0x47af30,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x1DDB1B,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x1DDB98,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x1DDC9B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x1DDD6F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x1DE1DA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE3AE,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE75E,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE824,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x41C6D7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x41C7EC,
+ "\xEB",
+ 1
 }
 };
diff --git a/hen/include/shellcore_patches/1_02.h b/hen/include/shellcore_patches/1_02.h
index c911a15..0061c38 100644
--- a/hen/include/shellcore_patches/1_02.h
+++ b/hen/include/shellcore_patches/1_02.h
@@ -146,6 +146,96 @@ struct patch g_shellcore_patches_102[] = {
 0x47af30,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x1DDB1B,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x1DDB98,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x1DDC9B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x1DDD6F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x1DE1DA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE3AE,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE75E,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE824,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x41C6D7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x41C7EC,
+ "\xEB",
+ 1
 }
 };
diff --git a/hen/include/shellcore_patches/1_12.h b/hen/include/shellcore_patches/1_12.h
index 68bd91d..602c02b 100644
--- a/hen/include/shellcore_patches/1_12.h
+++ b/hen/include/shellcore_patches/1_12.h
@@ -146,6 +146,96 @@ struct patch g_shellcore_patches_112[] = {
 0x47B3C0,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x1DDAFB,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x1DDB78,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x1DDC7B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x1DDD4F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x1DE1BA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE38E,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE73E,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE804,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x41CB67,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x41CC7C,
+ "\xEB",
+ 1
 }
 };
diff --git a/hen/include/shellcore_patches/1_14.h b/hen/include/shellcore_patches/1_14.h
index b59ffa1..3ae0b45 100644
--- a/hen/include/shellcore_patches/1_14.h
+++ b/hen/include/shellcore_patches/1_14.h
@@ -146,6 +146,96 @@ struct patch g_shellcore_patches_114[] = {
 0x47B5C0,
 "\x31\xC0\xFF\xC0\xC3",
 5
+ },
+
+ {
+ /*
+ * PS4 Disc Installer Patch 1
+ */
+ 0x1DDAFB,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS5 Disc Installer Patch 1
+ */
+ 0x1DDB78,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 1
+ */
+ 0x1DDC7B,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 1
+ */
+ 0x1DDD4F,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 2
+ */
+ 0x1DE1BA,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE38E,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE73E,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * Not Sure
+ */
+ 0x1DE804,
+ "\x90\xE9",
+ 2
+ },
+
+ {
+ /*
+ * PS4 PKG Installer Patch 3
+ */
+ 0x41CBC7,
+ "\xEB",
+ 1
+ },
+
+ {
+ /*
+ * PS5 PKG Installer Patch 2
+ */
+ 0x41CCDC,
+ "\xEB",
+ 1
 }
 };
From 69bb8a93c182b1d845a6193bd327a2b66d5a0721 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Wed, 20 Nov 2024 20:37:00 -0700
Subject: [PATCH 19/24] Added Auto Rest Mode From @LightningMods https://github.com/PS5Dev/Byepervisor/pull/3
---
 Makefile | 2 +-
 src/main.cpp | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index f052891..2e77240 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ endif
 ELF := byepervisor.elf
-CFLAGS := -std=c++11 -Wall -Werror -g -I./include -DHEN_BIN_PATH="\"hen/hen.bin\""
+CFLAGS := -std=c++11 -Wall -Werror -g -I./include -DHEN_BIN_PATH="\"hen/hen.bin\"" -lSceSystemService
 all: $(ELF)
diff --git a/src/main.cpp b/src/main.cpp
index c87c642..02338af 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -31,6 +31,8 @@ extern "C"
 int sceKernelSleep(int secs);
 int sceKernelLoadStartModule(char *name, size_t argc, const void *argv, uint32_t flags, void *unk, int *res);
 int __sys_is_development_mode();
+
+ int sceSystemStateMgrEnterStandby(void);
 }
 void dump_kernel_to_client(int client)
@@ -132,15 +134,15 @@ int main()
 // Check if this is a resume state or not, if it's not, prompt for restart and exit
 if (kernel_read4(kdlsym(KERNEL_SYM_DATA_CAVE)) != 0x1337) {
 // Notify the user that they have to suspend/resume their console
- SOCK_LOG("[+] System needs to be suspended and resumed...\n");
- flash_notification("Byepervisor\nEnter rest mode & resume");
+ flash_notification("[PS5HEN] Entering rest mode for in 3 secs\nRe-run Byepervisor after resuming to continue...");
 kernel_write4(kdlsym(KERNEL_SYM_DATA_CAVE), 0x1337);
-
- return 0;
+ sleep(3);
+ sceSystemStateMgrEnterStandby();
+ return 0;
 }
 else
 {
- SOCK_LOG("[+] Loading PS5HEN 1.0\n");
+ SOCK_LOG("[+] Loading PS5HEN 1.0\n");
 flash_notification("Welcome To PS5HEN 1.0\nBy SpecterDev");
 }
From 47a6ae771ada7f48efdccb2b70f16b6e7a17e9e3 Mon Sep 17 00:00:00 2001
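Review bot: `kernel_write4(kdlsym(KERNEL_SYM_DATA_CAVE), 0x1337)` runs before `sceSystemStateMgrEnterStandby()` and the latter's return value is discarded, so if entering standby fails the resume marker is already set and the next run takes the `else` branch as though a suspend/resume had happened. Checking the return (assuming the usual zero-on-success convention) and clearing the marker on failure, e.g. `if (sceSystemStateMgrEnterStandby() != 0) { kernel_write4(kdlsym(KERNEL_SYM_DATA_CAVE), 0); }`, keeps the marker honest, and the comment `// Notify the user that they have to suspend/resume their console` above the block no longer describes what the code does. The notification text `Entering rest mode for in 3 secs` has a stray `for`, and the same hunk drops the `SOCK_LOG` that recorded this path, so the log no longer shows why the process exited. The Makefile hunk in the same commit puts `-lSceSystemService` in `CFLAGS`, which presumably works only because that variable is also passed at link time; an `LDFLAGS`/`LIBS` variable is the conventional place for it.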
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Tue, 31 Dec 2024 22:10:10 -0700
Subject: [PATCH 20/24] Added Some Offset Fixes
---
 README.md | 4 ++--
 hen/include/hooks/1_10.h | 4 ++--
 hen/include/hooks/1_11.h | 4 ++--
 hen/include/hooks/1_12.h | 4 ++--
 hen/include/hooks/1_13.h | 4 ++--
 hen/include/hooks/1_14.h | 4 ++--
 hen/include/hooks/2_00.h | 4 ++--
 hen/include/hooks/2_20.h | 4 ++--
 hen/include/hooks/2_25.h | 4 ++--
 hen/include/hooks/2_26.h | 4 ++--
 hen/include/hooks/2_30.h | 4 ++--
 hen/include/offsets/2_20.h | 4 ++--
 hen/include/shellcore_patches/1_00.h | 14 +++++++-------
 hen/include/shellcore_patches/1_02.h | 14 +++++++-------
 hen/include/shellcore_patches/1_12.h | 14 +++++++-------
 hen/include/shellcore_patches/1_14.h | 14 +++++++-------
 hen/include/shellcore_patches/2_00.h | 16 ++++++++--------
 hen/include/shellcore_patches/2_20.h | 18 +++++++++---------
 hen/include/shellcore_patches/2_25.h | 16 ++++++++--------
 hen/include/shellcore_patches/2_26.h | 16 ++++++++--------
 hen/include/shellcore_patches/2_30.h | 16 ++++++++--------
 hen/include/shellcore_patches/2_50.h | 16 ++++++++--------
 hen/include/shellcore_patches/2_70.h | 16 ++++++++--------
 23 files changed, 109 insertions(+), 109 deletions(-)
diff --git a/README.md b/README.md
index aed5895..e1af4fe 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,8 @@ These flags are not reinitialized by the secure loader upon resume from sleep mo
 - Homebrew enabler (HEN) (fself+fpkg)
 ## Firmware Status
-Completed: 1.00, 1.01, 1.02, 1.05, 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70
+- Completed: 1.00, 1.01, 1.02, 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70
+- Not Completed: 1.05, 1.10, 1.11, 1.13
 ## Build notes
 This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com/ps5-payload-dev/sdk). Note also that the build for `hen/` is slightly special, as it gets compiled to a flat binary thats copied into a kernel code cave. The entirety of code in `hen/` runs in supervisor/kernel mode.
@@ -44,7 +45,6 @@ This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com
 ## Future work
 - [ ] Support more firmwares (offsets)
 - [ ] Make it so `byepervisor.elf` only needs to be sent once
-- [ ] Automatically suspend the system?
 - [ ] Patch vmcbs with QA flags exploit to dump hypervisor data
 ## Credits / Shouts
diff --git a/hen/include/hooks/1_10.h b/hen/include/hooks/1_10.h
index 1669375..4c7d0a4 100644
--- a/hen/include/hooks/1_10.h
+++ b/hen/include/hooks/1_10.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_110[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x9079BB
+ 0x9079bb,
+ 0x991600
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/1_11.h b/hen/include/hooks/1_11.h
index df7e873..79cf885 100644
--- a/hen/include/hooks/1_11.h
+++ b/hen/include/hooks/1_11.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_111[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x907b0b
+ 0x907b0b,
+ 0x991760
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/1_12.h b/hen/include/hooks/1_12.h
index 5b82eaa..3f01cde 100644
--- a/hen/include/hooks/1_12.h
+++ b/hen/include/hooks/1_12.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_112[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x907c5b
+ 0x907c5b,
+ 0x36cabc
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/1_13.h b/hen/include/hooks/1_13.h
index af0cecd..e32f47e 100644
--- a/hen/include/hooks/1_13.h
+++ b/hen/include/hooks/1_13.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_113[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x907c2b
+ 0x907c2b,
+ 0x991880
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/1_14.h b/hen/include/hooks/1_14.h
index a850664..ddc3b81 100644
--- a/hen/include/hooks/1_14.h
+++ b/hen/include/hooks/1_14.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_114[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x9081db
+ 0x9081db,
+ 0x991e30
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/2_00.h b/hen/include/hooks/2_00.h
index c5d992c..7a0fdc4 100644
--- a/hen/include/hooks/2_00.h
+++ b/hen/include/hooks/2_00.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_200[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x92976b
+ 0x92976b,
+ 0x9b7840
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/2_20.h b/hen/include/hooks/2_20.h
index b01d8d5..88272e2 100644
--- a/hen/include/hooks/2_20.h
+++ b/hen/include/hooks/2_20.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_220[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x929c2b
+ 0x929c2b,
+ 0x9b7d00
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/2_25.h b/hen/include/hooks/2_25.h
index cca728e..f0294b9 100644
--- a/hen/include/hooks/2_25.h
+++ b/hen/include/hooks/2_25.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_225[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x929cdb
+ 0x929cdb,
+ 0x9b7db0
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/2_26.h b/hen/include/hooks/2_26.h
index 339b3e7..0116f6d 100644
--- a/hen/include/hooks/2_26.h
+++ b/hen/include/hooks/2_26.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_226[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x929d0b
+ 0x929d0b,
+ 0x9b7de0
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/hooks/2_30.h b/hen/include/hooks/2_30.h
index 821fef2..e3d4bd0 100644
--- a/hen/include/hooks/2_30.h
+++ b/hen/include/hooks/2_30.h
@@ -6,8 +6,8 @@ struct hook g_kernel_hooks_230[] = {
 {
 HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
- 0x44000,
- 0x929fdb
+ 0x929fdb,
+ 0x9b80b0
 },
 {
 HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
diff --git a/hen/include/offsets/2_20.h b/hen/include/offsets/2_20.h
index 929ba55..4ed7582 100644
--- a/hen/include/offsets/2_20.h
+++ b/hen/include/offsets/2_20.h
@@ -2,14 +2,14 @@
 #define OFFSETS_2_20_H
 uint64_t g_sym_map_220[] = {
- 0x0B6F780, // KERNEL_SYM_TEXT_END
+ 0x0B70000, // KERNEL_SYM_TEXT_END
 0x4CB3B50, // KERNEL_SYM_DMPML4I
 0x4CB3B54, // KERNEL_SYM_DMPDPI
 0x4CB38AC, // KERNEL_SYM_PML4PML4I
 0x4CB38C8, // KERNEL_SYM_PMAP_STORE
 0x7C40000, // KERNEL_SYM_DATA_CAVE
 0x04684A0, // KERNEL_SYM_PRINTF
- 0x08C3250, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
+ 0x08C3240, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
 0x08C3DE0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
 0x0580A00, // KERNEL_SYM_SCESBLACMGRGETPATHID
 0x34D32F0, // KERNEL_SYM_M_TEMP
diff --git a/hen/include/shellcore_patches/1_00.h b/hen/include/shellcore_patches/1_00.h
index bd39978..e80c9af 100644
--- a/hen/include/shellcore_patches/1_00.h
+++ b/hen/include/shellcore_patches/1_00.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_100[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x1DE3AE,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x1DE75E,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_100[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x1DE824,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_100[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x41C6D7,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_100[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x41C7EC,
 "\xEB",
diff --git a/hen/include/shellcore_patches/1_02.h b/hen/include/shellcore_patches/1_02.h
index 0061c38..745ee81 100644
--- a/hen/include/shellcore_patches/1_02.h
+++ b/hen/include/shellcore_patches/1_02.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_102[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x1DE3AE,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x1DE75E,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_102[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x1DE824,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_102[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x41C6D7,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_102[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x41C7EC,
 "\xEB",
diff --git a/hen/include/shellcore_patches/1_12.h b/hen/include/shellcore_patches/1_12.h
index 602c02b..d05efbd 100644
--- a/hen/include/shellcore_patches/1_12.h
+++ b/hen/include/shellcore_patches/1_12.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_112[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x1DE38E,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x1DE73E,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_112[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x1DE804,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_112[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x41CB67,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_112[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x41CC7C,
 "\xEB",
diff --git a/hen/include/shellcore_patches/1_14.h b/hen/include/shellcore_patches/1_14.h
index 3ae0b45..5d6f3fa 100644
--- a/hen/include/shellcore_patches/1_14.h
+++ b/hen/include/shellcore_patches/1_14.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_114[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x1DE38E,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x1DE73E,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_114[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x1DE804,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_114[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x41CBC7,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_114[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x41CCDC,
 "\xEB",
diff --git a/hen/include/shellcore_patches/2_00.h b/hen/include/shellcore_patches/2_00.h
index d222378..d6943db 100644
--- a/hen/include/shellcore_patches/2_00.h
+++ b/hen/include/shellcore_patches/2_00.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_200[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x2160EE,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x2164A5,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_200[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x216542,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_200[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x487847,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_200[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x48795C,
 "\xEB",
@@ -240,7 +240,7 @@ struct patch g_shellcore_patches_200[] = {
 {
 /*
- * PS4 PKG Installer Patch 4
+ * PKG Installer Patch
 */
 0x4897B0,
 "\x48\x31\xC0\xC3",
diff --git a/hen/include/shellcore_patches/2_20.h b/hen/include/shellcore_patches/2_20.h
index 209bcc1..8fe7012 100644
--- a/hen/include/shellcore_patches/2_20.h
+++ b/hen/include/shellcore_patches/2_20.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_220[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x21638E,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x216745,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_220[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x2167E2,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_220[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x487B97,
 "\xEB",
@@ -231,16 +231,16 @@ struct patch g_shellcore_patches_220[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
- 0x487CC3,
+ 0x487CAC,
 "\xEB",
 1
 },
 {
 /*
- * PS4 PKG Installer Patch 4
+ * PKG Installer Patch
 */
 0x489B00,
 "\x48\x31\xC0\xC3",
diff --git a/hen/include/shellcore_patches/2_25.h b/hen/include/shellcore_patches/2_25.h
index be69a4c..d85d3cf 100644
--- a/hen/include/shellcore_patches/2_25.h
+++ b/hen/include/shellcore_patches/2_25.h
@@ -196,16 +196,16 @@ struct patch g_shellcore_patches_225[] = {
 {
 /*
- * Not sure
+ * PS5 PKG Installer Patch 2
 */
 0x21638E,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not sure
+ * PS4 PKG Installer Patch 3
 */
 0x216745,
 "\x90\xE9",
@@ -214,7 +214,7 @@ struct patch g_shellcore_patches_225[] = {
 {
 /*
- * Not sure
+ * PS5 PKG Installer Patch 3
 */
 0x2167E2,
 "\x90\xE9",
@@ -223,7 +223,7 @@ struct patch g_shellcore_patches_225[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x4880E7,
 "\xEB",
@@ -232,7 +232,7 @@ struct patch g_shellcore_patches_225[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x4881FC,
 "\xEB",
@@ -241,7 +241,7 @@ struct patch g_shellcore_patches_225[] = {
 {
 /*
- * PKG Installer Patch 4
+ * PKG Installer Patch
 */
 0x48A050,
 "\x48\x31\xC0\xC3",
diff --git a/hen/include/shellcore_patches/2_26.h b/hen/include/shellcore_patches/2_26.h
index 9c074ee..d17e6cf 100644
--- a/hen/include/shellcore_patches/2_26.h
+++ b/hen/include/shellcore_patches/2_26.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_226[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x217AFE,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x217EB5,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_226[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x217F52,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_226[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x489897,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_226[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x4899C3,
 "\xEB",
@@ -240,7 +240,7 @@ struct patch g_shellcore_patches_226[] = {
 {
 /*
- * PS4 PKG Installer Patch 4
+ * PKG Installer Patch
 */
 0x48B800,
 "\x48\x31\xC0\xC3",
diff --git a/hen/include/shellcore_patches/2_30.h b/hen/include/shellcore_patches/2_30.h
index a73942d..a89c4c1 100644
--- a/hen/include/shellcore_patches/2_30.h
+++ b/hen/include/shellcore_patches/2_30.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_230[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x217CAE,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x218065,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_230[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x218102,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_230[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x48A037,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_230[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x48A14C,
 "\xEB",
@@ -240,7 +240,7 @@ struct patch g_shellcore_patches_230[] = {
 {
 /*
- * PS4 PKG Installer Patch 4
+ * PKG Installer Patch
 */
 0x48BFA0,
 "\x48\x31\xC0\xC3",
diff --git a/hen/include/shellcore_patches/2_50.h b/hen/include/shellcore_patches/2_50.h
index 7f5f35a..a2ac64a 100644
--- a/hen/include/shellcore_patches/2_50.h
+++ b/hen/include/shellcore_patches/2_50.h
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_250[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x217A4E,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x217E05,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_250[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x217EA2,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_250[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x48B3E7,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_250[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x48B4FC,
 "\xEB",
@@ -240,7 +240,7 @@ struct patch g_shellcore_patches_250[] = {
 {
 /*
- * PS4 PKG Installer Patch 4
+ * PKG Installer
 */
 0x48D350,
 "\x48\x31\xC0\xC3",
diff --git a/hen/include/shellcore_patches/2_70.h b/hen/include/shellcore_patches/2_70.h
index ab92e43..4b343db 100644
--- a/hen/include/shellcore_patches/2_70.h
+++ b/hen/include/shellcore_patches/2_70.h
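Review bot: The new label in shellcore_patches/2_50.h at `@@ -240,7 +240,7 @@` reads `* PKG Installer` while the same entry in every other firmware file touched by this commit (2_00, 2_20, 2_25, 2_26, 2_30, 2_70) is renamed to `* PKG Installer Patch`; the files are otherwise parallel, so the 2_50 comment looks like a typo and should be `* PKG Installer Patch`. The `g_shellcore_patches_250` array begins outside the hunk.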
@@ -195,16 +195,16 @@ struct patch g_shellcore_patches_270[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 2
 */
 0x217A4E,
- "\xEB",
- 1
+ "\x90\xE9",
+ 2
 },
 {
 /*
- * Not Sure
+ * PS4 PKG Installer Patch 3
 */
 0x217E05,
 "\x90\xE9",
@@ -213,7 +213,7 @@ struct patch g_shellcore_patches_270[] = {
 {
 /*
- * Not Sure
+ * PS5 PKG Installer Patch 3
 */
 0x217EA2,
 "\x90\xE9",
@@ -222,7 +222,7 @@ struct patch g_shellcore_patches_270[] = {
 {
 /*
- * PS4 PKG Installer Patch 3
+ * PS4 PKG Installer Patch 4
 */
 0x48B3E7,
 "\xEB",
@@ -231,7 +231,7 @@ struct patch g_shellcore_patches_270[] = {
 {
 /*
- * PS5 PKG Installer Patch 2
+ * PS5 PKG Installer Patch 4
 */
 0x48B4FC,
 "\xEB",
@@ -240,7 +240,7 @@ struct patch g_shellcore_patches_270[] = {
 {
 /*
- * PS4 PKG Installer Patch 4
+ * PKG Installer Patch
 */
 0x48D350,
 "\x48\x31\xC0\xC3",
From 6f051512e84533979769c435c1db29404a91d589 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Wed, 1 Jan 2025 16:17:00 -0700
Subject: [PATCH 21/24] Updated To PS5HEN 1.1
---
 src/main.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/main.cpp b/src/main.cpp
index 02338af..60e7e56 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -142,8 +142,12 @@ int main()
 }
 else
 {
- SOCK_LOG("[+] Loading PS5HEN 1.0\n");
- flash_notification("Welcome To PS5HEN 1.0\nBy SpecterDev");
+ SOCK_LOG("[+] Loading PS5HEN By SpecterDev\n");
+ flash_notification(
+ "Welcome To PS5HEN 1.1\nPlayStation 5 FW: %u.%u\nBy SpecterDev",
+ (kernel_get_fw_version() >> 24) & 0xF,
+ ((kernel_get_fw_version() >> 20) & 0xF) * 10 + ((kernel_get_fw_version() >> 16) & 0xF)
+ );
 }
 // Print out the kernel base
From 84164bb6a698a68bcfbdc31d95208f0ec9360d75 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Sat, 1 Mar 2025 08:12:49 -0700
Subject: [PATCH 22/24] Update build.yml
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
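Review bot: `kernel_get_fw_version()` is called three times inside the new `flash_notification(...)` argument list to build one version string; reading it once, `auto fw = kernel_get_fw_version();`, and then passing `(fw >> 24) & 0xF` and `((fw >> 20) & 0xF) * 10 + ((fw >> 16) & 0xF)` is shorter and guarantees all three nibbles come from the same value. The `%u.%u` conversions assume each argument is an `unsigned int`; if kernel_get_fw_version returns a 64-bit value the masked expressions are 64-bit too and the format would be mismatched, so a cast to `unsigned` (or the matching length modifier) would make the call type-safe regardless of the return type. Whether flash_notification forwards printf-style varargs is not visible here — the removed call passed a single literal — so that contract is worth a glance. `main()` continues outside the hunk.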
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5bc6d5d..9e1b30d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Install dependencies
 run: |
@@ -42,7 +42,7 @@ jobs:
 subject-path: ./byepervisor.elf
 - name: Upload
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: Byepervisor
 path: ./byepervisor.elf
From 15fde3b34f6cb91f2d922f4387bd8dfea9c47efe Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Tue, 14 Oct 2025 20:22:54 -0600
Subject: [PATCH 23/24] Change SDK version
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9e1b30d..54c2753 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Install toolchain
 run: |
- wget https://github.com/ps5-payload-dev/pacbrew-repo/releases/latest/download/ps5-payload-dev.tar.gz
+ wget https://github.com/ps5-payload-dev/pacbrew-repo/releases/download/v0.29/ps5-payload-dev.tar.gz
 sudo tar xf ps5-payload-dev.tar.gz -C /
 - name: Build
From d89a105b2b7cca57c96874e302fd28d917f23ae3 Mon Sep 17 00:00:00 2001
From: Echo Stretch <98502641+EchoStretch@users.noreply.github.com>
Date: Tue, 14 Oct 2025 20:25:20 -0600
Subject: [PATCH 24/24] sceSblServiceCryptAsync Fix Suggested Fix to sceSblServiceCryptAsync_hook by @theOfficialFloW
---
 hen/src/fpkg.cpp | 118 ++++++++++++++++++-----------------------------
 1 file changed, 44 insertions(+), 74 deletions(-)
diff --git a/hen/src/fpkg.cpp b/hen/src/fpkg.cpp
index 35c8160..b87ce65 100644
--- a/hen/src/fpkg.cpp
+++ b/hen/src/fpkg.cpp
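Review bot: Pinning the toolchain to `releases/download/v0.29/` makes the build reproducible, but the archive is still fetched with no integrity check and then unpacked as root over the runner's filesystem by the unchanged `sudo tar xf ps5-payload-dev.tar.gz -C /` line, so a replaced or tampered release asset would execute with full control of the build and of the artifact that is later signed and uploaded. Record the digest of the v0.29 tarball next to the URL and fail the step on mismatch, e.g. `echo "<EXPECTED_SHA256>  ps5-payload-dev.tar.gz" | sha256sum -c -` placed between the `wget` and the `tar` line. The same reasoning applies to `actions/checkout@v4` and `actions/upload-artifact@v4` in the preceding commit, which are mutable tags and can be pinned to a commit SHA. The `run: |` block continues outside the hunk.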
@@ -436,83 +436,53 @@ void hex_dump(const char *name, uint8_t *buf, int len)
 }
 }
-int sceSblServiceCryptAsync_hook(void *async_req)
-{
- struct ccp_common *msg;
- struct ccp_common *next;
- struct ccp_req* req;
- int idx = -1;
-
- //auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
- auto sceSblServiceCryptAsync = (int (*)(void *req)) kdlsym(KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC);
- auto Sha256Hmac = (void (*)(void *hash, void *data, size_t data_sz, void *key, size_t key_size)) kdlsym(KERNEL_SYM_SHA256_HMAC);
-
- req = (struct ccp_req *) async_req;
- msg = (struct ccp_common *) (*(uint64_t *) (async_req));
- //printf("sceSblServiceCryptAsync_hook: msg = %p, before (msg->cmd = 0x%x) (first=%p, last=%p)\n", msg, msg->cmd, req->tqh_first, *req->tqh_last);
-
- while (msg) {
- next = (struct ccp_common *) (*(uint64_t *) ((uint64_t) (msg) + 0x140));
- //printf("msg = %p (msg->cmd = 0x%x), next = %p \n", msg, msg->cmd, next);
-
- if ((msg->cmd & 0x7FFFFFFF) == 0x9132000) { // SHA256 HMAC with key handle
- struct ccp_hmac *hmac_msg = (struct ccp_hmac *) msg;
- idx = HANDLE_TO_IDX(hmac_msg->key_index);
- //printf("sceSblServiceCryptAsync_hook: SHA256 hmac key idx = 0x%x\n", idx);
-
- if (idx < 0) {
- return sceSblServiceCryptAsync(async_req);
- } else {
- char hmac_key[0x40];
- get_fake_key(idx, (char *) &hmac_key);
-
- // hex_dump("hmac ccp msg", (uint8_t *) hmac_msg, 0x200);
- // hex_dump("hmac key", (uint8_t *) hmac_key, 0x40);
-
- Sha256Hmac(hmac_msg->hash, hmac_msg->data, hmac_msg->data_size, hmac_key, 0x20);
-
- // printf("hmac data=%p, data_size = 0x%lx\n", hmac_msg->data, hmac_msg->data_size);
- // hex_dump("hmac input (first 0x20 bytes)", (uint8_t *) hmac_msg->data, 0x20);
- // hex_dump("hmac hash output", (uint8_t *) hmac_msg->hash, 0x20);
- }
- } else if ((msg->cmd & 0x7FFFF7FF) == 0x2108000) { // AES-XTS with key handle
- struct ccp_xts *xts_msg = (struct ccp_xts *) msg;
- idx = HANDLE_TO_IDX(xts_msg->key_index);
- //printf("sceSblServiceCryptAsync_hook: AES-XTS key idx = 0x%x\n", idx);
-
- if (idx < 0) {
- return sceSblServiceCryptAsync(async_req);
- } else {
- char xts_key[0x40];
- get_fake_key(idx, (char *) &xts_key);
-
- // printf("xts in=%p, out=%p (is_encrypt=%d)\n", xts_msg->in_data, xts_msg->out_data, ((xts_msg->common.cmd & 0x800) >> 11));
- // printf("xts->start_sector = 0x%lx, num_sectors = 0x%lx\n", xts_msg->start_sector, xts_msg->num_sectors);
- // hex_dump("xts ccp msg", (uint8_t *) xts_msg, 0x200);
- // hex_dump("xts tweak/key", (uint8_t *) xts_key, 0x20);
- // hex_dump("xta data", (uint8_t *) xts_msg->in_data, 0x20);
-
- void *tweak = (void *) ((uint64_t) (xts_key) + 0x00);
- void *key = (void *) ((uint64_t) (xts_key) + 0x10);
- if (((xts_msg->common.cmd & 0x800) >> 11)) {
- aes_xts_4096_dec(xts_msg->in_data, xts_msg->out_data, xts_msg->num_sectors, xts_msg->start_sector, key, tweak, 1);
- } else {
- aes_xts_4096_dec(xts_msg->in_data, xts_msg->out_data, xts_msg->num_sectors, xts_msg->start_sector, key, tweak, 0);
- }
-
- // hex_dump("xts decrypted output (first 0x20 bytes)", (uint8_t *) xts_msg->out_data, 0x20);
- }
- }
-
- msg = next;
+int sceSblServiceCryptAsync_hook(void *async_req) {
+ struct ccp_common *msg;
+ struct ccp_common *next;
+ //struct ccp_req *req;
+ int idx = -1;
+
+ //req = (struct ccp_req *)async_req;
+ msg = (struct ccp_common *)(*(uint64_t *)(async_req));
+
+ auto sceSblServiceCryptAsync = (int (*)(void *req)) kdlsym(KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC);
+
+ while (msg) {
+ next = (struct ccp_common *)(*(uint64_t *)((uint64_t)(msg) + 0x140));
+
+ if ((msg->cmd & 0x7FFFFFFF) == 0x9132000) {
+ // SHA256 HMAC with key handle
+ struct ccp_hmac *hmac_msg = (struct ccp_hmac *)msg;
+ idx = HANDLE_TO_IDX(hmac_msg->key_index);
+
+ if (idx >= 0) {
+ char hmac_key[0x20];
+ get_fake_key(idx, (char *)&hmac_key);
+
+ memcpy(hmac_msg->key, hmac_key, 0x20);
+ msg->cmd &= ~0x100000; // key handle
+ msg->cmd &= ~0x80000000; // a53
+ }
+ } else if ((msg->cmd & 0x7FFFF7FF) == 0x2108000) {
+ // AES-XTS with key handle
+ struct ccp_xts *xts_msg = (struct ccp_xts *)msg;
+ idx = HANDLE_TO_IDX(xts_msg->key_index);
+
+ if (idx >= 0) {
+ char xts_key[0x20];
+ get_fake_key(idx, (char *)&xts_key);
+
+ memcpy(xts_msg->key, xts_key + 0x10, 0x10);
+ memcpy(xts_msg->key + 0x10, xts_key, 0x10);
+ msg->cmd &= ~0x100000; // key handle
+ msg->cmd &= ~0x80000000; // a53
+ }
 }
- if (idx == -1) {
- return sceSblServiceCryptAsync(async_req);
- }
+ msg = next;
+ }
- req->cb(req->args, 0);
- return 0;
+ return sceSblServiceCryptAsync(async_req);
 }
 int sceSblPfsClearKey_sceSblServiceMailbox(uint64_t handle, const ClearKey* input, ClearKey* output)
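Review bot: `char hmac_key[0x20];` and `char xts_key[0x20];` halve the buffers the removed code sized at 0x40, but `get_fake_key(idx, ...)` is still called with a bare pointer and no length, so the rewrite is memory-safe only if get_fake_key (defined outside this hunk) writes at most 0x20 bytes — that needs confirming, and one named constant shared by the two array sizes and the three `memcpy` lengths would pin the assumption in code rather than in two hex literals. `msg->cmd &= ~0x80000000;` relies on `0x80000000` being an `unsigned int` literal, so the mask is 0x7FFFFFFF with no sign extension; that is correct only while `cmd` is 32 bits wide (the removed `0x%x` printf suggests it is), and `~0x80000000u` or a fixed-width constant would state that assumption instead of depending on literal typing. The copied key bytes remain in the stack locals after the `memcpy`; clearing them before the block ends is cheap hygiene, bearing in mind that a plain memset on a dying local may be elided. `(char *)&hmac_key` takes the address of the array and casts it; passing `hmac_key` directly is the idiomatic form and drops the cast.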