From 5bd7754cf9c780c06657d4327cacd72bd35dab17 Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@@users.noreply.github.com>
Date: Sat, 1 Aug 2020 22:11:02 +0530
Subject: [PATCH 1/8] Removed ps4-sdk and ps4-payload-sdk and will be added with new
---
 .gitmodules | 6 ------
 ps4-ksdk | 1 -
 ps4-payload-sdk | 1 -
 3 files changed, 8 deletions(-)
 delete mode 160000 ps4-ksdk
 delete mode 160000 ps4-payload-sdk
diff --git a/.gitmodules b/.gitmodules
index 0ff076c..e69de29 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +0,0 @@
-[submodule "ps4-payload-sdk"]
- path = ps4-payload-sdk
- url = https://github.com/xvortex/ps4-payload-sdk.git
-[submodule "ps4-ksdk"]
- path = ps4-ksdk
- url = https://github.com/xemio/ps4-ksdk.git
diff --git a/ps4-ksdk b/ps4-ksdk
deleted file mode 160000
index 81e7838..0000000
--- a/ps4-ksdk
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 81e7838ec9facbefdfffac51261f74bf02456133
diff --git a/ps4-payload-sdk b/ps4-payload-sdk
deleted file mode 160000
index e6f009d..0000000
--- a/ps4-payload-sdk
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit e6f009de39f7d7f70280ce7f9c3eafdbab568cb5

From 8bc58738f4ae87839fcedd97b7edde271d962f75 Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@@users.noreply.github.com>
Date: Sat, 1 Aug 2020 22:38:49 +0530
Subject: [PATCH 2/8] Added 6.72 offsets and consuming payload sdk from Scene-Collective repo
---
 .gitmodules | 6 ++++++
 debugger/include/ptrace.h | 7 -------
 debugger/source/console.c | 4 ++--
 debugger/source/proc.c | 2 +-
 installer/Makefile | 8 +++-----
 installer/source/installer.c | 26 +++++++++++++-------------
 installer/source/proc.c | 24 ++++++++++++------------
 kdebugger/source/proc.c | 24 ++++++++++++------------
 ps4-ksdk | 1 +
 ps4-payload-sdk | 1 +
 10 files changed, 51 insertions(+), 52 deletions(-)
 create mode 160000 ps4-ksdk
 create mode 160000 ps4-payload-sdk
diff --git a/.gitmodules b/.gitmodules
index e69de29..3a8f03d 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "ps4-payload-sdk"]
+ path = ps4-payload-sdk
+ url = https://github.com/GiantPluto/ps4-payload-sdk.git
+[submodule "ps4-ksdk"]
+ path = ps4-ksdk
+ url = https://github.com/GiantPluto/ps4-ksdk.git
diff --git a/debugger/include/ptrace.h b/debugger/include/ptrace.h
index 091a330..076463b 100644
--- a/debugger/include/ptrace.h
+++ b/debugger/include/ptrace.h
@@ -91,13 +91,6 @@
 #define SIGUSR1 30 /* user defined signal 1 */
 #define SIGUSR2 31 /* user defined signal 2 */
-struct ptrace_io_desc {
- int piod_op; /* I/O operation */
- void *piod_offs; /* child offset */
- void *piod_addr; /* parent offset */
- uint64_t piod_len; /* request length */
-};
-
 TYPE_BEGIN(struct ptrace_lwpinfo, 0x98);
 TYPE_FIELD(uint32_t pl_lwpid, 0);
 TYPE_FIELD(char pl_tdname[24], 0x80);
diff --git a/debugger/source/console.c b/debugger/source/console.c
index ab98cea..1f16fb2 100644
--- a/debugger/source/console.c
+++ b/debugger/source/console.c
@@ -78,8 +78,8 @@ int console_notify_handle(int fd, struct cmd_packet *packet) {
 }
 int console_info_handle(int fd, struct cmd_packet *packet) {
- struct cmd_console_info_response resp;
- size_t len;
+ //struct cmd_console_info_response resp;
+ //size_t len;
 //extern int (*sysctl)(int *name, unsigned int namelen, char *oldval, size_t *oldlen, char *newval, size_t newlen);
 //extern int (*sysctlbyname)(char *name, char *oldval, size_t *oldlen, char *newval, size_t newlen);
diff --git a/debugger/source/proc.c b/debugger/source/proc.c
index 69212af..294ae14 100644
--- a/debugger/source/proc.c
+++ b/debugger/source/proc.c
@@ -2,7 +2,7 @@
 // 6/12/2018
 //
-#include "proc.h"
+#include "include/proc.h"
 int proc_list_handle(int fd, struct cmd_packet *packet) {
 void *data;
diff --git a/installer/Makefile b/installer/Makefile
index 32eb319..382479e 100644
--- a/installer/Makefile
+++ b/installer/Makefile
@@ -1,8 +1,5 @@
 KSDK := ../ps4-ksdk/
-TEXT := 0x926200000
-DATA := 0x926300000
-
 CC := gcc
 AS := gcc
 OBJCOPY := objcopy
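Review bot: The submodule URLs added here point at github.com/GiantPluto/ps4-payload-sdk and github.com/GiantPluto/ps4-ksdk, while the commit subject says the payload SDK is now consumed from the Scene-Collective repo; one of the two is wrong, and the commit message is what a later reader will audit. The gitlinks in this same patch pin the submodules to 360fb0c… and 3c7b1aa…, so the fork URL is the only provenance the tree records. Name the actual upstream in the commit message, or add a README line stating where these forks diverge from xvortex/ps4-payload-sdk and xemio/ps4-ksdk (the URLs removed in 1/8), so consumers can verify what they are building against.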
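Review bot: The locals `resp` and `len` in console_info_handle are commented out rather than deleted, which leaves dead declarations on the new side that still read as if they are needed. If nothing further down uses them, delete the two lines; if something does, this no longer compiles. The function's body continues past the end of the hunk, so that cannot be confirmed from here.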
@@ -10,9 +7,10 @@ ODIR := build
 SDIR := source
 IDIRS := -I$(KSDK)/include -I. -Iinclude
 LDIRS := -L$(KSDK) -L. -Llib
-CFLAGS := $(IDIRS) -O2 -std=c11 -fno-builtin -nostartfiles -nostdlib -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large -DTEXT_ADDRESS=$(TEXT) -DDATA_ADDRESS=$(DATA)
+MAPFILE := $(shell basename $(CURDIR)).map
+CFLAGS := $(IDIRS) -Os -std=gnu11 -ffunction-sections -fdata-sections -fno-builtin -nostartfiles -nostdlib -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=small -fpie
 SFLAGS := -nostartfiles -nostdlib -march=btver2 -mtune=btver2
-LFLAGS := $(LDIRS) -Xlinker -T linker.x -Wl,--build-id=none -Ttext=$(TEXT) -Tdata=$(DATA)
+LFLAGS := $(LDIRS) -Xlinker -T linker.x -Wl,--build-id=none -Wl,--gc-sections
 CFILES := $(wildcard $(SDIR)/*.c)
 SFILES := $(wildcard $(SDIR)/*.s)
 OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES))
diff --git a/installer/source/installer.c b/installer/source/installer.c
index 21fd218..f0042c1 100644
--- a/installer/source/installer.c
+++ b/installer/source/installer.c
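Review bot: `MAPFILE := $(shell basename $(CURDIR)).map` is added but nothing in the hunk consumes it, and `-DTEXT_ADDRESS`/`-DDATA_ADDRESS` are dropped from CFLAGS without the hunk showing that no source still references those macros; any remaining use now fails to compile, or silently changes meaning if a header supplies a default. Either wire the variable in (`-Wl,-Map=$(MAPFILE)` in LFLAGS) or remove it, and check the installer sources for `TEXT_ADDRESS`/`DATA_ADDRESS` before merging. The move from `-mcmodel=large` with fixed `-Ttext`/`-Tdata` to `-mcmodel=small -fpie` changes how the payload is placed; a one-line comment above CFLAGS stating that the payload is now built position-independent would save the next reader from re-deriving that.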
@@ -27,39 +27,39 @@ void patch_kernel() {
 uint64_t kernbase = get_kbase();
 // patch memcpy first
- *(uint8_t *)(kernbase + 0x1EA53D) = 0xEB;
+ *(uint8_t *)(kernbase + 0x003C15BD) = 0xEB;
 // patch sceSblACMgrIsAllowedSystemLevelDebugging
- memcpy((void *)(kernbase + 0x11730), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);
+ memcpy((void *)(kernbase + 0x00233BD0), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);
 // patch sceSblACMgrHasMmapSelfCapability
- memcpy((void *)(kernbase + 0x117B0), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);
+ memcpy((void *)(kernbase + 0x00233C40), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);
 // patch sceSblACMgrIsAllowedToMmapSelf
- memcpy((void *)(kernbase + 0x117C0), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);
+ memcpy((void *)(kernbase + 0x00233C50), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);
 // disable sysdump_perform_dump_on_fatal_trap
 // will continue execution and give more information on crash, such as rip
- *(uint8_t *)(kernbase + 0x7673E0) = 0xC3;
+ *(uint8_t *)(kernbase + 0x00784120) = 0xC3;
 // self patches
- memcpy((void *)(kernbase + 0x13F03F), "\x31\xC0\x90\x90\x90", 5);
+ memcpy((void *)(kernbase + 0x000AD2E4), "\x31\xC0\x90\x90\x90", 5);
 // patch vm_map_protect check
- memcpy((void *)(kernbase + 0x1A3C08), "\x90\x90\x90\x90\x90\x90", 6);
+ memcpy((void *)(kernbase + 0x00451DB8), "\x90\x90\x90\x90\x90\x90", 6);
 // patch ptrace, thanks 2much4u
- *(uint8_t *)(kernbase + 0x30D9AA) = 0xEB;
+ *(uint8_t *)(kernbase + 0x0010F879) = 0xEB;
 // remove all these bullshit checks from ptrace, by golden
 memcpy((void *)(kernbase + 0x30DE01), "\xE9\xD0\x00\x00\x00", 5);
 // patch ASLR, thanks 2much4u
- *(uint16_t *)(kernbase + 0x194875) = 0x9090;
+ *(uint16_t *)(kernbase + 0x003CECE1) = 0xEB;
 // patch kmem_alloc
- *(uint8_t *)(kernbase + 0xFCD48) = VM_PROT_ALL;
- *(uint8_t *)(kernbase + 0xFCD56) = VM_PROT_ALL;
+ *(uint8_t *)(kernbase + 0x002507F5) = VM_PROT_ALL;
+ *(uint8_t *)(kernbase + 0x00250803) = VM_PROT_ALL;
 cpu_enable_wp();
 }
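Review bot: `*(uint16_t *)(kernbase + 0x003CECE1) = 0xEB;` replaces a two-byte store of `0x9090` with a 16-bit store of a one-byte value, so the byte following 0x003CECE1 is overwritten with 0x00 instead of being left alone; if a single byte is meant, the store should go through `uint8_t *`, which is what 6/8 later in this series does. In the same hunk `memcpy((void *)(kernbase + 0x30DE01), ...)` is the only write whose offset was not updated, so this revision mixes the old and the 6.72 offsets in one function (3/8 and 4/8 deal with that). patch_kernel has no comment stating which firmware its offsets target; a header line such as `// Kernel offsets below are for firmware 6.72 only; on any other firmware these writes corrupt kernel memory.` would make a mismatch like this visible at review time.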
@@ -145,8 +145,8 @@ int load_debugger() {
 int runinstaller() {
 init_ksdk();
- // enable uart
- *disable_console_output = 0;
+ //// enable uart
+ //*disable_console_output = 0;
 ascii_art();
diff --git a/installer/source/proc.c b/installer/source/proc.c
index d0b1c5c..6ae0cca 100644
--- a/installer/source/proc.c
+++ b/installer/source/proc.c
@@ -266,25 +266,25 @@ int proc_create_thread(struct proc *p, uint64_t address) {
 }
 if (!memcmp(entries[i].name, "libkernel.sprx", 14)) {
- _scePthreadAttrInit = entries[i].start + 0x12660;
- _scePthreadAttrSetstacksize = entries[i].start + 0x12680;
- _scePthreadCreate = entries[i].start + 0x12AA0;
- _thr_initial = entries[i].start + 0x84C20;
+ _scePthreadAttrInit = entries[i].start + 0x00013A40;
+ _scePthreadAttrSetstacksize = entries[i].start + 0x00013A60;
+ _scePthreadCreate = entries[i].start + 0x00013E80;
+ _thr_initial = entries[i].start + 0x00435420;
 break;
 }
 if (!memcmp(entries[i].name, "libkernel_web.sprx", 18)) {
- _scePthreadAttrInit = entries[i].start + 0x1E730;
- _scePthreadAttrSetstacksize = entries[i].start + 0xFA80;
- _scePthreadCreate = entries[i].start + 0x98C0;
- _thr_initial = entries[i].start + 0x84C20;
+ _scePthreadAttrInit = entries[i].start + 0x0001FD20;
+ _scePthreadAttrSetstacksize = entries[i].start + 0x00010540;
+ _scePthreadCreate = entries[i].start + 0x0000A0F0;
+ _thr_initial = entries[i].start + 0x00435420;
 break;
 }
 if (!memcmp(entries[i].name, "libkernel_sys.sprx", 18)) {
- _scePthreadAttrInit = entries[i].start + 0x13190;
- _scePthreadAttrSetstacksize = entries[i].start + 0x131B0;
- _scePthreadCreate = entries[i].start + 0x135D0;
- _thr_initial = entries[i].start + 0x89030;
+ _scePthreadAttrInit = entries[i].start + 0x00014570;
+ _scePthreadAttrSetstacksize = entries[i].start + 0x00014590;
+ _scePthreadCreate = entries[i].start + 0x000149B0;
+ _thr_initial = entries[i].start + 0x00435830;
 break;
 }
 }
diff --git a/kdebugger/source/proc.c b/kdebugger/source/proc.c
index 3108d4f..fdf453c 100644
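Review bot: The same four per-library offsets are hard-coded twice, here in installer/source/proc.c and again in the identical hunk in kdebugger/source/proc.c, and both copies had to be edited in lockstep in this commit. Move them into one shared header as a small table keyed by the sprx name, so the next firmware bump touches one place and the two binaries cannot drift apart. A one-line comment naming the firmware the values belong to (6.72, per the commit subject) would also help, since nothing in the code records it. proc_create_thread starts and ends outside the hunk.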
--- a/kdebugger/source/proc.c
+++ b/kdebugger/source/proc.c
@@ -269,25 +269,25 @@ int proc_create_thread(struct proc *p, uint64_t address) {
 }
 if (!memcmp(entries[i].name, "libkernel.sprx", 14)) {
- _scePthreadAttrInit = entries[i].start + 0x12660;
- _scePthreadAttrSetstacksize = entries[i].start + 0x12680;
- _scePthreadCreate = entries[i].start + 0x12AA0;
- _thr_initial = entries[i].start + 0x84C20;
+ _scePthreadAttrInit = entries[i].start + 0x00013A40;
+ _scePthreadAttrSetstacksize = entries[i].start + 0x00013A60;
+ _scePthreadCreate = entries[i].start + 0x00013E80;
+ _thr_initial = entries[i].start + 0x00435420;
 break;
 }
 if (!memcmp(entries[i].name, "libkernel_web.sprx", 18)) {
- _scePthreadAttrInit = entries[i].start + 0x1E730;
- _scePthreadAttrSetstacksize = entries[i].start + 0xFA80;
- _scePthreadCreate = entries[i].start + 0x98C0;
- _thr_initial = entries[i].start + 0x84C20;
+ _scePthreadAttrInit = entries[i].start + 0x0001FD20;
+ _scePthreadAttrSetstacksize = entries[i].start + 0x00010540;
+ _scePthreadCreate = entries[i].start + 0x0000A0F0;
+ _thr_initial = entries[i].start + 0x00435420;
 break;
 }
 if (!memcmp(entries[i].name, "libkernel_sys.sprx", 18)) {
- _scePthreadAttrInit = entries[i].start + 0x13190;
- _scePthreadAttrSetstacksize = entries[i].start + 0x131B0;
- _scePthreadCreate = entries[i].start + 0x135D0;
- _thr_initial = entries[i].start + 0x89030;
+ _scePthreadAttrInit = entries[i].start + 0x00014570;
+ _scePthreadAttrSetstacksize = entries[i].start + 0x00014590;
+ _scePthreadCreate = entries[i].start + 0x000149B0;
+ _thr_initial = entries[i].start + 0x00435830;
 break;
 }
 }
diff --git a/ps4-ksdk b/ps4-ksdk
new file mode 160000
index 0000000..360fb0c
--- /dev/null
+++ b/ps4-ksdk
@@ -0,0 +1 @@
+Subproject commit 360fb0c89a64ce04ace50ca6f0fc6ad806114ea5
diff --git a/ps4-payload-sdk b/ps4-payload-sdk
new file mode 160000
index 0000000..3c7b1aa
--- /dev/null
+++ b/ps4-payload-sdk
@@ -0,0 +1 @@
+Subproject commit 3c7b1aaf6db6a93a35cc765543cc92a4760cc260
From 43d395d6e9ef9efd0ae4d25e99398a0798f2b6fb Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@@users.noreply.github.com>
Date: Sat, 1 Aug 2020 22:44:14 +0530
Subject: [PATCH 3/8] Commenting out second ptrace patch as offset for 6.72 need to be figured out.
---
 installer/source/installer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/installer/source/installer.c b/installer/source/installer.c
index f0042c1..e2955f9 100644
--- a/installer/source/installer.c
+++ b/installer/source/installer.c
@@ -51,8 +51,9 @@ void patch_kernel() {
 // patch ptrace, thanks 2much4u
 *(uint8_t *)(kernbase + 0x0010F879) = 0xEB;
+ // Need to find 6.72 offsets.
 // remove all these bullshit checks from ptrace, by golden
- memcpy((void *)(kernbase + 0x30DE01), "\xE9\xD0\x00\x00\x00", 5);
+ //memcpy((void *)(kernbase + 0x30DE01), "\xE9\xD0\x00\x00\x00", 5);
 // patch ASLR, thanks 2much4u
 *(uint16_t *)(kernbase + 0x003CECE1) = 0xEB;

From 56fda04328bcf658ecf6a0631cbc39471baea13c Mon Sep 17 00:00:00 2001
From: DeathRGH <36369791+DeathRGH@users.noreply.github.com>
Date: Thu, 6 Aug 2020 04:55:50 +0200
Subject: [PATCH 4/8] Fix for 2nd ptrace patch
---
 installer/source/installer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/installer/source/installer.c b/installer/source/installer.c
index e2955f9..30a15f3 100644
--- a/installer/source/installer.c
+++ b/installer/source/installer.c
@@ -51,9 +51,9 @@ void patch_kernel() {
 // patch ptrace, thanks 2much4u
 *(uint8_t *)(kernbase + 0x0010F879) = 0xEB;
- // Need to find 6.72 offsets.
 // remove all these bullshit checks from ptrace, by golden
- //memcpy((void *)(kernbase + 0x30DE01), "\xE9\xD0\x00\x00\x00", 5);
+ // updated 6.72 patch ~DeathRGH 06/08/2020
+ memcpy((void *)(kernbase + 0x10FD22), "\xE9\xE2\x02\x00\x00", 5);
 // patch ASLR, thanks 2much4u
 *(uint16_t *)(kernbase + 0x003CECE1) = 0xEB;

From b9443a3b5fedbf825ad5ae79d2c36de5839ef92a Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@@users.noreply.github.com>
Date: Mon, 10 Aug 2020 11:17:33 +0530
Subject: [PATCH 5/8] Enable UART and line endings fixed in build.sh
---
 debugger/source/main.c | 2 +-
 installer/source/installer.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/debugger/source/main.c b/debugger/source/main.c
index 2a458ac..674b8af 100644
--- a/debugger/source/main.c
+++ b/debugger/source/main.c
@@ -19,7 +19,7 @@ int _main(void) {
 sceKernelSleep(2);
 // just a little notify
- sceSysUtilSendSystemNotificationWithText(222, "ps4debug by golden");
+ sceSysUtilSendSystemNotificationWithText(222, "ps4debug by golden\n 6.72 port by GiantPluto");
 // jailbreak current thread
 sys_console_cmd(SYS_CONSOLE_CMD_JAILBREAK, NULL);
diff --git a/installer/source/installer.c b/installer/source/installer.c
index 30a15f3..a634205 100644
--- a/installer/source/installer.c
+++ b/installer/source/installer.c
@@ -147,7 +147,7 @@ int runinstaller() {
 init_ksdk();
 //// enable uart
- //*disable_console_output = 0;
+ *disable_console_output = 0;
 ascii_art();

From 457c2bf5468329e68a272b5f1e1ab88957f5f2d8 Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@@users.noreply.github.com>
Date: Tue, 11 Aug 2020 15:18:00 +0530
Subject: [PATCH 6/8] Fixed disable ASLR patch. Though the offset and the patch I identified were correct, I overlooked the data type since I updated bunch of them together. May be an idiot or blind?
---
 installer/source/installer.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/installer/source/installer.c b/installer/source/installer.c
index a634205..16855e5 100644
--- a/installer/source/installer.c
+++ b/installer/source/installer.c
@@ -48,15 +48,12 @@ void patch_kernel() {
 // patch vm_map_protect check
 memcpy((void *)(kernbase + 0x00451DB8), "\x90\x90\x90\x90\x90\x90", 6);
- // patch ptrace, thanks 2much4u
+ // patch ptrace
 *(uint8_t *)(kernbase + 0x0010F879) = 0xEB;
-
- // remove all these bullshit checks from ptrace, by golden
- // updated 6.72 patch ~DeathRGH 06/08/2020
 memcpy((void *)(kernbase + 0x10FD22), "\xE9\xE2\x02\x00\x00", 5);
- // patch ASLR, thanks 2much4u
- *(uint16_t *)(kernbase + 0x003CECE1) = 0xEB;
+ // disable ASLR
+ *(uint8_t *)(kernbase + 0x003CECE1) = 0xEB;
 // patch kmem_alloc
 *(uint8_t *)(kernbase + 0x002507F5) = VM_PROT_ALL;

From 0d564e10ec03b8548be75e5aa16a5920fab86c4b Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@users.noreply.github.com>
Date: Wed, 12 Aug 2020 02:01:33 +0530
Subject: [PATCH 7/8] Update README.md
---
 README.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index c5ed6e0..dcef4c1 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# ps4debug
+# ps4debug for 6.72
 This is a debugger for the PlayStation 4. Yes thats right! Look around and you will find some very useful tools online or on the PS4 Source Discord channel. Anything is possible, except kernel mode debugging, which I decided to leave out.
 ### Quickstart Guide
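Review bot: Dropping the two comment lines above `memcpy((void *)(kernbase + 0x10FD22), "\xE9\xE2\x02\x00\x00", 5);` leaves that kernel write with no description at all, while every other write in patch_kernel keeps a one-line purpose comment; keep a line such as `// second ptrace patch` above it. Changing the ASLR store from `uint16_t *` to `uint8_t *` is the right fix for the one-byte value, and `// disable ASLR` describes it better than the old comment did. The attribution removed from both comments is not recorded anywhere else in this commit; if it is to leave the code, the commit message is the place for it. patch_kernel starts and ends outside the hunk.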
@@ -16,5 +16,13 @@ Please look at the libdebug folder for a library to use with this payload.
 ### Contributing
 If you want to contribute, then feel free to make a pull request or open an issue with a bug that you have found! I am always in need of people to test for me. Join the PS4 Source Discord and look for golden. Also I need someone that is good at writing to spiff up this readme document. I am always in need of people to do work! It seems like I do everything...
-##### Created by **golden**
-###### Shout out to ChendoChap, berkayylmao, 2much4u, idc, and zecoxao!
+#### Created by **golden**
+
+### Contributors
+
+- ChendoChap - For his intial work till 5.05 and his guidance during 6.72 porting on ptrace
+- berkayylmao
+- 2much4u
+- idc
+- zecoxao
+- DeathRGH - For second [ptrace](https://github.com/GiantPluto/ps4debug/blob/457c2bf5468329e68a272b5f1e1ab88957f5f2d8/installer/source/installer.c#L53) patch for 6.72

From 0cc311cd1ff62e1020657b7f5715b57ba18a28a3 Mon Sep 17 00:00:00 2001
From: GiantPluto <3701024+GiantPluto@users.noreply.github.com>
Date: Wed, 12 Aug 2020 02:06:57 +0530
Subject: [PATCH 8/8] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index dcef4c1..d24d8c8 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Please look at the libdebug folder for a library to use with this payload.
 ### Contributing
 If you want to contribute, then feel free to make a pull request or open an issue with a bug that you have found! I am always in need of people to test for me. Join the PS4 Source Discord and look for golden. Also I need someone that is good at writing to spiff up this readme document. I am always in need of people to do work! It seems like I do everything...
-#### Created by **golden**
+### Created by **golden**
 ### Contributors