From e7645a94802b8a13b03022651f775cbb6e1704fa Mon Sep 17 00:00:00 2001 From: SiSTR0 Date: Fri, 13 Mar 2020 20:13:22 +0100 Subject: [PATCH] release v2.1.3 --- README.md | 8 +- exploit/index.html | 2 +- installer/include/defines.h | 2 +- installer/include/offsets.h | 34 +++++--- installer/source/debug.c | 4 +- installer/source/main.c | 6 ++ kpayload/include/offsets.h | 165 +++++++++++++++++++----------------- kpayload/source/main.c | 11 +-- kpayload/source/patch.c | 148 ++++++++++++++++++++++++++------ 9 files changed, 253 insertions(+), 127 deletions(-) diff --git a/README.md b/README.md index f36d15c..81546b7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# PS4HEN v2.1.2 +# PS4HEN v2.1.3 ## Features - Homebrew Enabler @@ -12,9 +12,10 @@ - External HDD Format 7.xx Support - FW Version Spoof to 7.02 - Debug Trophies Support - -## Fixes - sys_dynlib_dlsym Patch +- UART Enabler +- Never Disable Screenshot +- Remote Play Enabler ## Contributors Massive credits to the following: @@ -28,6 +29,7 @@ Massive credits to the following: - [SiSTRo](https://github.com/SiSTR0) - [SocraticBliss](https://twitter.com/SocraticBliss) - [ChendoChap](https://github.com/ChendoChap) +- [Biorn1950](https://github.com/Biorn1950) - Anonymous ## Testers diff --git a/exploit/index.html b/exploit/index.html index 4956b12..1620fd0 100644 --- a/exploit/index.html +++ b/exploit/index.html @@ -1 +1 @@ -PS4Jailbreak 5.05 (HEN)
\ No newline at end of file +PS4Jailbreak 5.05 (HEN)
\ No newline at end of file diff --git a/installer/include/defines.h b/installer/include/defines.h index a9f6261..a8e5fa2 100644 --- a/installer/include/defines.h +++ b/installer/include/defines.h @@ -2,7 +2,7 @@ #define __DEFINES_H__ #pragma once -#define VERSION "2.1.2" +#define VERSION "2.1.3" //#define DEBUG_SOCKET diff --git a/installer/include/offsets.h b/installer/include/offsets.h index 7540676..e3105ca 100644 --- a/installer/include/offsets.h +++ b/installer/include/offsets.h @@ -3,34 +3,40 @@ #pragma once // 5.05 -#define XFAST_SYSCALL_addr 0x00001C0 +#define XFAST_SYSCALL_addr 0x00001C0 // Names - Data -#define PRISON0_addr 0x10986A0 -#define ROOTVNODE_addr 0x22C1A70 -#define PMAP_STORE_addr 0x22CB570 -#define DT_HASH_SEGMENT_addr 0x0B5EF30 +#define PRISON0_addr 0x10986A0 +#define ROOTVNODE_addr 0x22C1A70 +#define PMAP_STORE_addr 0x22CB570 +#define DT_HASH_SEGMENT_addr 0x0B5EF30 // Functions -#define pmap_protect_addr 0x02E3090 -#define pmap_protect_p_addr 0x02E30D4 +#define pmap_protect_addr 0x02E3090 +#define pmap_protect_p_addr 0x02E30D4 // Patches // debug menu error -#define debug_menu_error_patch1 0x04F9048 -#define debug_menu_error_patch2 0x04FA15C +#define debug_menu_error_patch1 0x04F9048 +#define debug_menu_error_patch2 0x04FA15C // disable signature check -#define disable_signature_check_patch 0x06A2700 +#define disable_signature_check_patch 0x06A2700 // enable debug RIFs -#define enable_debug_rifs_patch1 0x064B2B0 -#define enable_debug_rifs_patch2 0x064B2D0 +#define enable_debug_rifs_patch1 0x064B2B0 +#define enable_debug_rifs_patch2 0x064B2D0 // allow sys_dynlib_dlsym in all processes -#define sys_dynlib_dlsym_patch 0x0237F3A +#define sys_dynlib_dlsym_patch 0x0237F3A // sdk version spoof - enable all VR fws -#define sdk_version_patch 0x14A63F0 +#define sdk_version_patch 0x14A63F0 + +// enable debug log +#define enable_debug_log_patch 0x043612A + +// enable uart output +#define enable_uart_patch 0x19ECEB0 #endif \ No newline at end of file 
diff --git a/installer/source/debug.c b/installer/source/debug.c index 25f09af..d35791c 100644 --- a/installer/source/debug.c +++ b/installer/source/debug.c @@ -30,6 +30,6 @@ void closeDebugSocket(void) void notify(char *message) { char buffer[512]; - sprintf(buffer, "%s\n\n\n\n\n\n\n", message); - sceSysUtilSendSystemNotificationWithText(0x81, buffer); + sprintf(buffer, "%s", message); + sceSysUtilSendSystemNotificationWithText(222, buffer); } diff --git a/installer/source/main.c b/installer/source/main.c index b4f2b56..18c3731 100644 --- a/installer/source/main.c +++ b/installer/source/main.c @@ -78,6 +78,12 @@ int install_payload(struct thread *td, struct install_payload_args* args) // spoof sdk_version - enable vr 5.05 *(uint32_t *)(kernel_base + sdk_version_patch) = FAKE_FW_VERSION; + // enable debug log + *(uint16_t*)(kernel_base + enable_debug_log_patch) = 0x38EB; + + // enable uart output + *(uint32_t *)(kernel_base + enable_uart_patch) = 0; + // install kpayload memset(payload_buffer, 0, PAGE_SIZE); memcpy(payload_buffer, payload_data, payload_size); diff --git a/kpayload/include/offsets.h b/kpayload/include/offsets.h index 9bfda02..867a97c 100644 --- a/kpayload/include/offsets.h +++ b/kpayload/include/offsets.h 
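Review bot: `sprintf(buffer, "%s", message)` copies a string of unknown length into the 512-byte stack array, so a message of 512 or more bytes overruns `buffer`; the replaced call had the same problem, but since the line is rewritten anyway it should become `snprintf(buffer, sizeof buffer, "%s", message);`. The notification type also changes from `0x81` to the bare `222` with no name or comment, so nothing records what that constant selects; a named constant or a one-line comment on the call would. The caller that supplies `message` is outside this hunk, so its maximum length cannot be confirmed from here.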
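Review bot: The new debug-log write stores the bare constant `0x38EB`, while the sdk_version line it follows uses the named `FAKE_FW_VERSION`, so the addition is inconsistent with its neighbour and leaves the value unexplained; give it a name beside its offset in installer/include/offsets.h, e.g. `#define enable_debug_log_value 0x38EB`, and write `*(uint16_t *)(kernel_base + enable_debug_log_patch) = enable_debug_log_value;`. The cast spacing also differs between `(uint16_t*)` and `(uint32_t *)`; the visible lines of this function use the spaced form. install_payload begins and ends outside this hunk.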
@@ -3,111 +3,122 @@ #pragma once // data -#define XFAST_SYSCALL_addr 0x00001C0 -#define M_TEMP_addr 0x14B4110 -#define MINI_SYSCORE_SELF_BINARY_addr 0x14C9D48 -#define ALLPROC_addr 0x2382FF8 -#define SBL_DRIVER_MAPPED_PAGES_addr 0x271E208 -#define SBL_PFS_SX_addr 0x271E5D8 -#define SBL_KEYMGR_KEY_SLOTS_addr 0x2744548 -#define SBL_KEYMGR_KEY_RBTREE_addr 0x2744558 -#define SBL_KEYMGR_BUF_VA_addr 0x2748000 -#define SBL_KEYMGR_BUF_GVA_addr 0x2748800 -#define FPU_CTX_addr 0x274C040 -#define DIPSW_addr 0x1CD0650 +#define XFAST_SYSCALL_addr 0x00001C0 +#define M_TEMP_addr 0x14B4110 +#define MINI_SYSCORE_SELF_BINARY_addr 0x14C9D48 +#define ALLPROC_addr 0x2382FF8 +#define SBL_DRIVER_MAPPED_PAGES_addr 0x271E208 +#define SBL_PFS_SX_addr 0x271E5D8 +#define SBL_KEYMGR_KEY_SLOTS_addr 0x2744548 +#define SBL_KEYMGR_KEY_RBTREE_addr 0x2744558 +#define SBL_KEYMGR_BUF_VA_addr 0x2748000 +#define SBL_KEYMGR_BUF_GVA_addr 0x2748800 +#define FPU_CTX_addr 0x274C040 +#define DIPSW_addr 0x1CD0650 // common -#define memcmp_addr 0x050AC0 -#define _sx_xlock_addr 0x0F5E10 -#define _sx_xunlock_addr 0x0F5FD0 -#define malloc_addr 0x10E250 -#define free_addr 0x10E460 -#define strstr_addr 0x17DFB0 -#define fpu_kern_enter_addr 0x1BFF90 -#define fpu_kern_leave_addr 0x1C0090 -#define memcpy_addr 0x1EA530 -#define memset_addr 0x3205C0 -#define strlen_addr 0x3B71A0 -#define printf_addr 0x436040 -#define eventhandler_register_addr 0x1EC400 +#define memcmp_addr 0x050AC0 +#define _sx_xlock_addr 0x0F5E10 +#define _sx_xunlock_addr 0x0F5FD0 +#define malloc_addr 0x10E250 +#define free_addr 0x10E460 +#define strstr_addr 0x17DFB0 +#define fpu_kern_enter_addr 0x1BFF90 +#define fpu_kern_leave_addr 0x1C0090 +#define memcpy_addr 0x1EA530 +#define memset_addr 0x3205C0 +#define strlen_addr 0x3B71A0 +#define printf_addr 0x436040 +#define eventhandler_register_addr 0x1EC400 // Fself -#define sceSblACMgrGetPathId_addr 0x0117E0 -#define sceSblServiceMailbox_addr 0x632540 -#define sceSblAuthMgrSmIsLoadable2_addr 0x63C4F0 
-#define _sceSblAuthMgrGetSelfInfo_addr 0x63CD40 -#define _sceSblAuthMgrSmStart_addr 0x6418E0 -#define sceSblAuthMgrVerifyHeader_addr 0x642B40 +#define sceSblACMgrGetPathId_addr 0x0117E0 +#define sceSblServiceMailbox_addr 0x632540 +#define sceSblAuthMgrSmIsLoadable2_addr 0x63C4F0 +#define _sceSblAuthMgrGetSelfInfo_addr 0x63CD40 +#define _sceSblAuthMgrSmStart_addr 0x6418E0 +#define sceSblAuthMgrVerifyHeader_addr 0x642B40 // Fpkg -#define RsaesPkcs1v15Dec2048CRT_addr 0x1FD7D0 -#define Sha256Hmac_addr 0x2D55B0 -#define AesCbcCfb128Encrypt_addr 0x3A2BD0 -#define AesCbcCfb128Decrypt_addr 0x3A2E00 -#define sceSblDriverSendMsg_0_addr 0x61D7F0 -#define sceSblPfsSetKeys_addr 0x61EFA0 -#define sceSblKeymgrSetKeyStorage_addr 0x623FC0 -#define sceSblKeymgrSetKeyForPfs_addr 0x62D780 -#define sceSblKeymgrCleartKey_addr 0x62DB10 -#define sceSblKeymgrSmCallfunc_addr 0x62E2A0 +#define RsaesPkcs1v15Dec2048CRT_addr 0x1FD7D0 +#define Sha256Hmac_addr 0x2D55B0 +#define AesCbcCfb128Encrypt_addr 0x3A2BD0 +#define AesCbcCfb128Decrypt_addr 0x3A2E00 +#define sceSblDriverSendMsg_0_addr 0x61D7F0 +#define sceSblPfsSetKeys_addr 0x61EFA0 +#define sceSblKeymgrSetKeyStorage_addr 0x623FC0 +#define sceSblKeymgrSetKeyForPfs_addr 0x62D780 +#define sceSblKeymgrCleartKey_addr 0x62DB10 +#define sceSblKeymgrSmCallfunc_addr 0x62E2A0 // Patch -#define vmspace_acquire_ref_addr 0x19EF90 -#define vmspace_free_addr 0x19EDC0 -#define vm_map_lock_read_addr 0x19F140 -#define vm_map_unlock_read_addr 0x19F190 -#define vm_map_lookup_entry_addr 0x19F760 -#define proc_rwmem_addr 0x30D150 +#define vmspace_acquire_ref_addr 0x19EF90 +#define vmspace_free_addr 0x19EDC0 +#define vm_map_lock_read_addr 0x19F140 +#define vm_map_unlock_read_addr 0x19F190 +#define vm_map_lookup_entry_addr 0x19F760 +#define proc_rwmem_addr 0x30D150 // Fself hooks -#define sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId_hook 0x63E25D -#define sceSblAuthMgrIsLoadable2_hook 0x63E3A1 -#define sceSblAuthMgrVerifyHeader_hook1 0x63EAFC -#define 
sceSblAuthMgrVerifyHeader_hook2 0x63F718 -#define sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook 0x64318B -#define sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook 0x643DA2 +#define sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId_hook 0x63E25D +#define sceSblAuthMgrIsLoadable2_hook 0x63E3A1 +#define sceSblAuthMgrVerifyHeader_hook1 0x63EAFC +#define sceSblAuthMgrVerifyHeader_hook2 0x63F718 +#define sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook 0x64318B +#define sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook 0x643DA2 // Fpkg hooks -#define sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook 0x624065 -#define sceSblKeymgrInvalidateKey__sx_xlock_hook 0x62E96D -#define sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif_hook 0x64C720 -#define sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new_hook 0x64D4FF -#define mountpfs__sceSblPfsSetKeys_hook1 0x6AAAD5 -#define mountpfs__sceSblPfsSetKeys_hook2 0x6AAD04 +#define sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook 0x624065 +#define sceSblKeymgrInvalidateKey__sx_xlock_hook 0x62E96D +#define sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif_hook 0x64C720 +#define sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new_hook 0x64D4FF +#define mountpfs__sceSblPfsSetKeys_hook1 0x6AAAD5 +#define mountpfs__sceSblPfsSetKeys_hook2 0x6AAD04 -// SceShellUI - libkernel patches -#define sceSblRcMgrIsAllowDebugMenuForSettings_patch 0x01BD90 -#define sceSblRcMgrIsStoreMode_patch 0x01C090 +// SceShellUI patches - debug patches +#define sceSblRcMgrIsAllowDebugMenuForSettings_patch 0x01BD90 +#define sceSblRcMgrIsStoreMode_patch 0x01C090 + +// SceShellUI patches - remote play patches +#define CreateUserForIDU_patch 0x1A8FA0 +#define remote_play_menu_patch 0xEE638E + +// SceRemotePlay patches - remote play patches +#define SceRemotePlay_patch1 0x03C33F +#define SceRemotePlay_patch2 0x03C35A // SceShellCore patches // call sceKernelIsGenuineCEX -#define sceKernelIsGenuineCEX_patch1 0x16D05B -#define 
sceKernelIsGenuineCEX_patch2 0x79980B -#define sceKernelIsGenuineCEX_patch3 0x7E5A13 -#define sceKernelIsGenuineCEX_patch4 0x94715B +#define sceKernelIsGenuineCEX_patch1 0x16D05B +#define sceKernelIsGenuineCEX_patch2 0x79980B +#define sceKernelIsGenuineCEX_patch3 0x7E5A13 +#define sceKernelIsGenuineCEX_patch4 0x94715B // call nidf_libSceDipsw -#define nidf_libSceDipsw_patch1 0x16D087 -#define nidf_libSceDipsw_patch2 0x23747B -#define nidf_libSceDipsw_patch3 0x799837 -#define nidf_libSceDipsw_patch4 0x947187 +#define nidf_libSceDipsw_patch1 0x16D087 +#define nidf_libSceDipsw_patch2 0x23747B +#define nidf_libSceDipsw_patch3 0x799837 +#define nidf_libSceDipsw_patch4 0x947187 // enable data mount -#define enable_data_mount_patch 0x319A53 +#define enable_data_mount_patch 0x319A53 // enable fpkg -#define enable_fpkg_patch 0x3E0602 +#define enable_fpkg_patch 0x3E0602 // debug pkg free string -#define fake_free_patch 0xEA96A7 +#define fake_free_patch 0xEA96A7 // make pkgs installer working with external hdd -#define pkg_installer_patch 0x9312A1 +#define pkg_installer_patch 0x9312A1 // enable support with 6.xx external hdd -#define ext_hdd_patch 0x593C7D +#define ext_hdd_patch 0x593C7D // enable debug trophies on retail -#define debug_trophies_patch 0x6ABE39 +#define debug_trophies_patch 0x6ABE39 + +// disable screenshot block +#define disable_screenshot_patch 0x0CB8C6 -#endif +#endif \ No newline at end of file diff --git a/kpayload/source/main.c b/kpayload/source/main.c index a388552..40d72e0 100644 --- a/kpayload/source/main.c +++ b/kpayload/source/main.c 
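Review bot: The new `CreateUserForIDU_patch` and `remote_play_menu_patch` sit under one "SceShellUI patches - remote play patches" heading, yet kpayload/source/patch.c in this same commit adds the first to the base of the "executable" mapping and the second to the base of "app.exe.sprx", while the debug offsets above them are added to the libkernel_sys.sprx base; the header never states which module each offset is relative to. A per-group comment would keep a future offset from being applied against the wrong base, e.g. `// SceShellUI patches - remote play (CreateUserForIDU_patch: "executable"; remote_play_menu_patch: "app.exe.sprx")`, and the same note fits the `SceRemotePlay_patch1`/`SceRemotePlay_patch2` group, which patch.c applies to the SceRemotePlay process's "executable" mapping. The rewritten `#endif` also drops the file's trailing newline, as the added `\ No newline at end of file` marker shows; restoring it avoids end-of-file churn in later diffs.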
@@ -78,10 +78,11 @@ int (*vm_map_lookup_entry)(struct vm_map *map, uint64_t address, struct vm_map_e int (*proc_rwmem)(struct proc *p, struct uio *uio) PAYLOAD_BSS; // initialization, etc -extern void install_fself_hooks(void) PAYLOAD_CODE; -extern void install_fpkg_hooks(void) PAYLOAD_CODE; -extern void install_debug_patches(void) PAYLOAD_CODE; -extern int shellcore_fpkg_patch(void) PAYLOAD_CODE; +extern void install_fself_hooks(void) PAYLOAD_CODE; +extern void install_fpkg_hooks(void) PAYLOAD_CODE; +extern void install_patches(void) PAYLOAD_CODE; +extern void install_fake_signout_patch(void) PAYLOAD_CODE; +extern int shellcore_fpkg_patch(void) PAYLOAD_CODE; #define resolve(name) name = (void *)(kernbase + name##_addr) PAYLOAD_CODE void resolve_kdlsym() @@ -149,7 +150,7 @@ PAYLOAD_CODE int my_entrypoint() resolve_kdlsym(); install_fself_hooks(); install_fpkg_hooks(); - install_debug_patches(); + install_patches(); return shellcore_fpkg_patch(); } diff --git a/kpayload/source/patch.c b/kpayload/source/patch.c index 8e357a9..cdadb2c 100644 --- a/kpayload/source/patch.c +++ b/kpayload/source/patch.c @@ -238,6 +238,12 @@ PAYLOAD_CODE int shellcore_fpkg_patch(void) goto error; } + // never disable screenshot - credits to Biorn1950 + ret = proc_write_mem(ssc, (void *)(text_seg_base + disable_screenshot_patch), 5, "\x90\x90\x90\x90\x90", &n); + if (ret) { + goto error; + } + error: if (entries) dealloc(entries); @@ -245,9 +251,12 @@ PAYLOAD_CODE int shellcore_fpkg_patch(void) return ret; } -PAYLOAD_CODE int shellui_debug_patch(void) +PAYLOAD_CODE int shellui_patch(void) { - uint8_t *text_seg_base = NULL; + uint8_t *libkernel_sys_base = NULL, + *executable_base = NULL, + *app_base = NULL; + size_t n; struct proc_vm_map_entry *entries = NULL; 
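Review bot: `install_fake_signout_patch` is declared `extern` on the new side, but no definition of it appears anywhere in this patch and nothing in the shown code calls it; unless it already exists in a file this commit does not touch, the declaration is dead and should be removed, or the function added beside `install_patches` in kpayload/source/patch.c. The rename to `install_patches` does match the definition added in patch.c. resolve_kdlsym begins at the end of this hunk and continues past it.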
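Review bot: The `if (ret) { goto error; }` added after the screenshot write jumps to the `error:` label that is the very next statement, so it has no effect; drop it, or keep it only if further writes are going to follow. The write also passes the literal length `5` together with an inline byte string, whereas shellui_patch in the same file passes a named array with `sizeof(mov__eax_1__ret)`; a `static const uint8_t` array used with `sizeof` keeps the length and the data from drifting apart. shellcore_fpkg_patch, and the `ssc` handle it writes through, begin outside this hunk.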
@@ -274,29 +283,115 @@ PAYLOAD_CODE int shellui_debug_patch(void) goto error; for (int i = 0; i < num_entries; i++) { - if (!memcmp(entries[i].name, "libkernel_sys.sprx", 18) && (entries[i].prot == (PROT_READ | PROT_EXEC))) { - text_seg_base = (uint8_t *)entries[i].start; - break; - } - } + if (!memcmp(entries[i].name, "executable", 10) && (entries[i].prot >= (PROT_READ | PROT_EXEC))) { + executable_base = (uint8_t *)entries[i].start; + break; + } + } + + if (!executable_base ) { + ret = 1; + goto error; + } + + // disable CreateUserForIDU + ret = proc_write_mem(ssui, (void *)(executable_base + CreateUserForIDU_patch), 4, "\x48\x31\xC0\xC3", &n); + if (ret) { + goto error; + } + + for (int i = 0; i < num_entries; i++) { + if (!memcmp(entries[i].name, "app.exe.sprx", 12) && (entries[i].prot >= (PROT_READ | PROT_EXEC))) { + app_base = (uint8_t *)entries[i].start; + break; + } + } + + if (!app_base) { + ret = 1; + goto error; + } + + // enable remote play menu - credits to Aida + ret = proc_write_mem(ssui, (void *)(app_base + remote_play_menu_patch), 5, "\xE9\x82\x02\x00\x00", &n); + + for (int i = 0; i < num_entries; i++) { + if (!memcmp(entries[i].name, "libkernel_sys.sprx", 18) && (entries[i].prot >= (PROT_READ | PROT_EXEC))) { + libkernel_sys_base = (uint8_t *)entries[i].start; + break; + } + } + + if (!libkernel_sys_base) { + ret = -1; + goto error; + } + + // enable debug settings menu + for (int i = 0; i < COUNT_OF(ofs_to_ret_1); i++) { + ret = proc_write_mem(ssui, (void *)(libkernel_sys_base + ofs_to_ret_1[i]), sizeof(mov__eax_1__ret), mov__eax_1__ret, &n); + if (ret) + goto error; + } - if (!text_seg_base) { - ret = -1; - goto error; - } +error: + if (entries) + dealloc(entries); - // enable debug settings menu - for (int i = 0; i < COUNT_OF(ofs_to_ret_1); i++) { - ret = proc_write_mem(ssui, (void *)(text_seg_base + ofs_to_ret_1[i]), sizeof(mov__eax_1__ret), mov__eax_1__ret, &n); - if (ret) - goto error; - } + return ret; +} -error: - if (entries) - 
dealloc(entries); +PAYLOAD_CODE int remoteplay_patch() { - return ret; + uint8_t *executable_base = NULL; + + struct proc_vm_map_entry *entries = NULL; + size_t num_entries; + size_t n; + + int ret = 0; + + struct proc *srp = proc_find_by_name("SceRemotePlay"); + + if (!srp) { + ret = 1; + goto error; + } + + if (proc_get_vm_map(srp, &entries, &num_entries)) { + ret = 1; + goto error; + } + + for (int i = 0; i < num_entries; i++) { + if (!memcmp(entries[i].name, "executable", 10) && (entries[i].prot == (PROT_READ | PROT_EXEC))) { + executable_base = (uint8_t *)entries[i].start; + break; + } + } + + if (!executable_base) { + ret = 1; + goto error; + } + + // patch SceRemotePlay process + ret = proc_write_mem(srp, (void *)(executable_base + SceRemotePlay_patch1), 1, "\x01", &n); + if (ret) { + goto error; + } + + ret = proc_write_mem(srp, (void *)(executable_base + SceRemotePlay_patch2), 2, "\xEB\x1E", &n); + if (ret) { + goto error; + } + + error: + if (entries) { + dealloc(entries); + } + + return ret; } PAYLOAD_CODE void set_dipsw(int debug_patch) { @@ -326,9 +421,14 @@ PAYLOAD_CODE void restore_retail_dipsw() set_dipsw(0); } -PAYLOAD_CODE void install_debug_patches() +PAYLOAD_CODE void apply_patches() { + shellui_patch(); + remoteplay_patch(); +} + +PAYLOAD_CODE void install_patches() { - shellui_debug_patch(); + apply_patches(); eventhandler_register(NULL, "system_suspend_phase3", &restore_retail_dipsw, NULL, EVENTHANDLER_PRI_PRE_FIRST); - eventhandler_register(NULL, "system_resume_phase4", &shellui_debug_patch, NULL, EVENTHANDLER_PRI_LAST); + eventhandler_register(NULL, "system_resume_phase4", &apply_patches, NULL, EVENTHANDLER_PRI_LAST); } \ No newline at end of file
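Review bot: The result of `proc_write_mem(ssui, (void *)(app_base + remote_play_menu_patch), ...)` is assigned to `ret` but never tested, so a failed write is overwritten by the later loop and shellui_patch can return 0 although that patch was not applied; add `if (ret) { goto error; }` after it as the other writes do. The three `entries[i].prot >= (PROT_READ | PROT_EXEC)` tests compare a bitmask as an ordered integer, which accepts a mapping that lacks one of the two bits whenever a higher bit is set; the mask form is `(entries[i].prot & (PROT_READ | PROT_EXEC)) == (PROT_READ | PROT_EXEC)`, and remoteplay_patch below still uses `==`, so the two functions currently disagree. The not-found paths also mix `ret = 1` and `ret = -1`; apply_patches cannot tell them apart anyway, but one convention should be chosen. shellui_patch begins before this hunk, and remoteplay_patch is declared with `()` where its siblings use `(void)`.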
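Review bot: `apply_patches()` discards the `int` status of both `shellui_patch()` and `remoteplay_patch()`, so when it runs from the `system_resume_phase4` handler a failure to find a process or mapping leaves no trace at all; at minimum record it, e.g. `if (shellui_patch()) printf("shellui_patch failed\n");`, assuming the kernel `printf` whose address offsets.h carries is resolved into this unit. `apply_patches` is new and referenced only from this file, so unless main.c is meant to call it, mark it `static` if `PAYLOAD_CODE` allows; the extern list main.c gains in this patch names only `install_patches`. install_patches lies entirely inside this hunk.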