release v2.1.2

SiSTR0 · Feb 5, 2020 · e13b115 · e13b115
1 parent cb05655
commit e13b115
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# PS4HEN v2.1.1
+# PS4HEN v2.1.2
 
 ## Features
 - Homebrew Enabler
@@ -9,11 +9,12 @@
 - VR Support
 - Remote Package Install
 - Rest Mode Support
-- External HDD Format 6.xx Support
+- External HDD Format 7.xx Support
+- FW Version Spoof to 7.02
+- Debug Trophies Support
 
 ## Fixes
-- Black Screen Fix on Rest Mode
-- FW Version Spoof to 6.70
+- sys_dynlib_dlsym Patch
 
 ## Contributors
 Massive credits to the following:
@@ -32,6 +33,6 @@ Massive credits to the following:
 ## Testers
 - [SCORPION](https://twitter.com/SCORPION1399)
 - [KiiWii](https://twitter.com/defaultdnb)
-- [Leeful74](https://twitter.com/leeful74b)
+- [Leeful74](https://twitter.com/leeful74)
 - [opoisso893](https://twitter.com/opoisso893)
 - Anonymous
diff --git a/exploit.template b/exploit.template
diff --git a/exploit/index.html b/exploit/index.html
diff --git a/installer/include/defines.h b/installer/include/defines.h
@@ -2,14 +2,14 @@
 #define __DEFINES_H__
 #pragma once
 
-#define VERSION "2.1.1"
+#define VERSION "2.1.2"
 
 //#define DEBUG_SOCKET
 
 #define LOG_IP   "192.168.1.3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
 #define LOG_PORT 9023
 
-#define FAKE_FW_VERSION 0x06700061
+#define FAKE_FW_VERSION 0x07020000
 
 struct filedesc {
 	void *useless1[3];

diff --git a/installer/include/offsets.h b/installer/include/offsets.h
@@ -27,6 +27,9 @@
 #define enable_debug_rifs_patch1		0x064B2B0
 #define enable_debug_rifs_patch2		0x064B2D0
 
+// allow sys_dynlib_dlsym in all processes
+#define sys_dynlib_dlsym_patch			0x0237F3A
+
 // sdk version spoof - enable all VR fws
 #define sdk_version_patch				0x14A63F0
 

diff --git a/installer/source/main.c b/installer/source/main.c
@@ -72,7 +72,10 @@ int install_payload(struct thread *td, struct install_payload_args* args)
 	*(uint32_t *)(kernel_base + enable_debug_rifs_patch1) = 0x90C301B0;
 	*(uint32_t *)(kernel_base + enable_debug_rifs_patch2) = 0x90C301B0;
 
-	// enable vr 5.05
+	// flatz allow sys_dynlib_dlsym in all processes 5.05
+	*(uint64_t*)(kernel_base + sys_dynlib_dlsym_patch) = 0x8B4890000001C1E9;
+
+	// spoof sdk_version - enable vr 5.05
 	*(uint32_t *)(kernel_base + sdk_version_patch) = FAKE_FW_VERSION;
 
 	// install kpayload

diff --git a/kpayload/include/offsets.h b/kpayload/include/offsets.h
@@ -107,4 +107,7 @@
 // enable support with 6.xx external hdd
 #define ext_hdd_patch					0x593C7D
 
+// enable debug trophies on retail
+#define debug_trophies_patch			0x6ABE39
+
 #endif
diff --git a/kpayload/source/fpkg.c b/kpayload/source/fpkg.c
@@ -17,7 +17,6 @@ extern int (*fpu_kern_enter)(struct thread *td, struct fpu_kern_ctx *ctx, uint32
 extern int (*fpu_kern_leave)(struct thread *td, struct fpu_kern_ctx *ctx) PAYLOAD_BSS;
 extern void* (*memcpy)(void* dst, const void* src, size_t len) PAYLOAD_BSS;
 extern void* (*memset)(void *s, int c, size_t n) PAYLOAD_BSS;
-extern int (*printf)(const char *fmt, ...) PAYLOAD_BSS;
 
 extern struct sbl_map_list_entry** SBL_DRIVER_MAPPED_PAGES PAYLOAD_BSS;
 extern struct sx* SBL_PFS_SX PAYLOAD_BSS;

diff --git a/kpayload/source/fself.c b/kpayload/source/fself.c
@@ -286,7 +286,10 @@ PAYLOAD_CODE int my_sceSblAuthMgrVerifyHeader(struct self_context* ctx)
 
 PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox(unsigned long service_id, uint8_t* request, void* response)
 {
-	register struct self_context* ctx __asm ("r14"); // 5.05
+	// self_context is first param of caller. 0x08 = sizeof(struct self_context*)
+	uint8_t* frame = (uint8_t*)__builtin_frame_address(1);
+	struct self_context* ctx = *(struct self_context**)(frame - 0x08);
+
 	int is_unsigned = ctx && is_fake_self(ctx);
 
 	if (is_unsigned) {
@@ -298,8 +301,10 @@ PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox(unsigne
 
 PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox(unsigned long service_id, uint8_t* request, void* response)
 {
+	// self_context is first param of caller. 0x08 = sizeof(struct self_context*)
 	uint8_t* frame = (uint8_t*)__builtin_frame_address(1);
-	struct self_context* ctx = *(struct self_context**)(frame - 0x1C8); // 5.05
+	struct self_context* ctx = *(struct self_context**)(frame - 0x08);
+
 	vm_offset_t segment_data_gpu_va = *(unsigned long*)(request + 0x08);
 	vm_offset_t cur_data_gpu_va = *(unsigned long*)(request + 0x50);
 	vm_offset_t cur_data2_gpu_va = *(unsigned long*)(request + 0x58);
@@ -323,7 +328,10 @@ PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox(unsigned
 				/* data spans two consecutive memory's pages, so we need to copy twice */
 				size1 = PAGE_SIZE - data_offset;
 				memcpy((char*)segment_data_cpu_va, (char*)cur_data_cpu_va + data_offset, size1);
-				memcpy((char*)segment_data_cpu_va + size1, (char*)cur_data2_cpu_va, data_size - size1);
+
+				// thanks to kiwidog & Al-Azif
+				if (cur_data2_cpu_va)
+					memcpy((char*)segment_data_cpu_va + size1, (char*)cur_data2_cpu_va, data_size - size1);
 			} else {
 				memcpy((char*)segment_data_cpu_va, (char*)cur_data_cpu_va + data_offset, data_size);
 			}

diff --git a/kpayload/source/patch.c b/kpayload/source/patch.c
@@ -231,6 +231,12 @@ PAYLOAD_CODE int shellcore_fpkg_patch(void)
 	if (ret)
 		goto error;
 
+	// enable debug trophies on retail
+	ret = proc_write_mem(ssc, (void *)(text_seg_base + debug_trophies_patch), 5, "\x31\xc0\x90\x90\x90", &n);
+	if (ret)
+	{
+		goto error;
+	}
 
 error:
 	if (entries)