Merge pull request #1 from Mistawes/ROOT

Approved!
Mistawes · Jan 7, 2018 · 3ba39e5 · 3ba39e5
2 parents 88dbd98 + 6349be4
commit 3ba39e5
Showing 1 changed file with 198 additions and 12 deletions.
diff --git a/source/main.c b/source/main.c
@@ -6,17 +6,197 @@
 #include "ftps4.h"
 
 #undef  SHOW_DEBUG
-#define PS4_IP   "192.168.0.14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+#define PS4_IP   "192.168.0.22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
 #define PS4_PORT 1337
-#define LOG_IP   "192.168.0.4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+#define LOG_IP   "192.168.0.28\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
 #define LOG_PORT 9023
 
-int log_sock;
+// DebugSettings
+#define IP(a, b, c, d) (((a) << 0) + ((b) << 8) + ((c) << 16) + ((d) << 24))
+
+
+#define	CTL_KERN	1	/* "high kernel": proc, limits */
+#define	KERN_PROC	14	/* struct: process entries */
+#define	KERN_PROC_VMMAP	32	/* VM map entries for process */
+#define	KERN_PROC_PID	1	/* by process id */
+
+struct auditinfo_addr {
+    /*
+    4    ai_auid;
+    8    ai_mask;
+    24    ai_termid;
+    4    ai_asid;
+    8    ai_flags;r
+    */
+    char useless[184];
+};
+
+#define printfsocket(format, ...)\
+	do {\
+		char buffer[512];\
+		int size = sprintf(buffer, format, ##__VA_ARGS__);\
+		sceNetSend(sock, buffer, size, 0);\
+	} while(0)
+
+
+unsigned int long long __readmsr(unsigned long __register) {
+	// Loads the contents of a 64-bit model specific register (MSR) specified in
+	// the ECX register into registers EDX:EAX. The EDX register is loaded with
+	// the high-order 32 bits of the MSR and the EAX register is loaded with the
+	// low-order 32 bits. If less than 64 bits are implemented in the MSR being
+	// read, the values returned to EDX:EAX in unimplemented bit locations are
+	// undefined.
+	unsigned long __edx;
+	unsigned long __eax;
+	__asm__ ("rdmsr" : "=d"(__edx), "=a"(__eax) : "c"(__register));
+	return (((unsigned int long long)__edx) << 32) | (unsigned int long long)__eax;
+}
+
+
+#define X86_CR0_WP (1 << 16)
+
+static inline __attribute__((always_inline)) uint64_t readCr0(void) {
+	uint64_t cr0;
+
+	asm volatile (
+		"movq %0, %%cr0"
+		: "=r" (cr0)
+		: : "memory"
+ 	);
+
+	return cr0;
+}
+
+static inline __attribute__((always_inline)) void writeCr0(uint64_t cr0) {
+	asm volatile (
+		"movq %%cr0, %0"
+		: : "r" (cr0)
+		: "memory"
+	);
+}
+
+
+struct ucred {
+	uint32_t useless1;
+	uint32_t cr_uid;     // effective user id
+	uint32_t cr_ruid;    // real user id
+ 	uint32_t useless2;
+    	uint32_t useless3;
+    	uint32_t cr_rgid;    // real group id
+    	uint32_t useless4;
+    	void *useless5;
+    	void *useless6;
+    	void *cr_prison;     // jail(2)
+    	void *useless7;
+    	uint32_t useless8;
+    	void *useless9[2];
+    	void *useless10;
+    	struct auditinfo_addr useless11;
+    	uint32_t *cr_groups; // groups
+    	uint32_t useless12;
+};
+
+struct filedesc {
+	void *useless1[3];
+    	void *fd_rdir;
+    	void *fd_jdir;
+};
+
+struct proc {
+    	char useless[64];
+    	struct ucred *p_ucred;
+    	struct filedesc *p_fd;
+};
+
+struct thread {
+    	void *useless;
+    	struct proc *td_proc;
+};
+
+struct kpayload_args{
+	uint64_t user_arg;
+};
+
+// DebugSettings Definitions end here
+
+int kpayload(struct thread *td, struct kpayload_args* args){
+
+	struct ucred* cred;
+	struct filedesc* fd;
+
+	fd = td->td_proc->p_fd;
+	cred = td->td_proc->p_ucred;
+
+	void* kernel_base = &((uint8_t*)__readmsr(0xC0000082))[-0x30EB30];
+	uint8_t* kernel_ptr = (uint8_t*)kernel_base;
+	void** got_prison0 =   (void**)&kernel_ptr[0xF26010];
+	void** got_rootvnode = (void**)&kernel_ptr[0x206D250];
+
+	// resolve kernel functions
+
+	int (*copyout)(const void *kaddr, void *uaddr, size_t len) = (void *)(kernel_base + 0x286d70);
+	int (*printfkernel)(const char *fmt, ...) = (void *)(kernel_base + 0x347580);
+
+	cred->cr_uid = 0;
+	cred->cr_ruid = 0;
+	cred->cr_rgid = 0;
+	cred->cr_groups[0] = 0;
+
+	cred->cr_prison = *got_prison0;
+	fd->fd_rdir = fd->fd_jdir = *got_rootvnode;
+
+	// uart enabler
+	*(char *)(kernel_base + 0x186b0a0) = 0; // set the console disable console output bool
+
+	// specters debug settings patchs
+	*(char *)(kernel_base + 0x186b0a0) = 0; 
+	*(char *)(kernel_base + 0x2001516) |= 0x14;
+	*(char *)(kernel_base + 0x2001539) |= 1;
+	*(char *)(kernel_base + 0x2001539) |= 2;
+	*(char *)(kernel_base + 0x200153A) |= 1;
+	*(char *)(kernel_base + 0x2001558) |= 1;	
+
+	// Disable write protection
+
+	uint64_t cr0 = readCr0();
+	writeCr0(cr0 & ~X86_CR0_WP);
+
+	// debug menu full patches thanks to sealab
+
+	*(uint32_t *)(kernel_base + 0x4CECB7) = 0;
+	*(uint32_t *)(kernel_base + 0x4CFB9B) = 0;
+
+	// Target ID Patches :)
+
+	*(uint16_t *)(kernel_base + 0x1FE59E4) = 0x8101;
+	*(uint16_t *)(kernel_base + 0X1FE5A2C) = 0x8101;
+	*(uint16_t *)(kernel_base + 0x200151C) = 0x8101;
+
+	// Say hello and put the kernel base in userland so we can use later
+
+	printfkernel("\n\n\nHELLO FROM YOUR KERN DUDE =)\n\n\n");
+
+	printfkernel("kernel base is:0x%016llx\n", kernel_base);
+
+	uint64_t uaddr;
+	memcpy(&uaddr,&args[2],8);
+
+	printfkernel("uaddr is:0x%016llx\n", uaddr);
+
+	return 0;
+}
+
+// DebugSettings END
+// DebugSettings END
+// DebugSettings END
+// DebugSettings END
+
+int sock;
 int run;
 
 static void info_log(const char *s)
 {
-	sceNetSend(log_sock, s, strlen(s), 0);
+	sceNetSend(sock, s, strlen(s), 0);
 }
 #define INFO(...) \
 	do { \
@@ -28,7 +208,7 @@ static void info_log(const char *s)
 #ifdef SHOW_DEBUG
 static void debug_log(const char *s)
 {
-	sceNetSend(log_sock, s, strlen(s), 0);
+	sceNetSend(sock, s, strlen(s), 0);
 }
 #define DEBUG(...) \
 	do { \
@@ -121,26 +301,30 @@ void custom_UMT(ftps4_client_info_t *client)
 	ftps4_ext_client_send_ctrl_msg(client, "200 Unmount success." FTPS4_EOL);
 }
 
-int _main(void)
-{
-	run = 1;
 
+int _main(struct thread *td){
+
+	run = 1;
 	// Init and resolve libraries
 	initKernel();
 	initLibc();
 	initNetwork();
 	initPthread();
 
-	// Init netdebug
+	// create our server
 	struct sockaddr_in server;
+
 	server.sin_len = sizeof(server);
 	server.sin_family = AF_INET;
 	sceNetInetPton(AF_INET, LOG_IP, &server.sin_addr);
 	server.sin_port = sceNetHtons(LOG_PORT);
 	memset(server.sin_zero, 0, sizeof(server.sin_zero));
+	sock = sceNetSocket("netdebug", AF_INET, SOCK_STREAM, 0);
+	sceNetConnect(sock, (struct sockaddr *)&server, sizeof(server));
+
+	printfsocket("connected\n");
 
-	log_sock = sceNetSocket("netdebug", AF_INET, SOCK_STREAM, 0);
-	sceNetConnect(log_sock, (struct sockaddr *)&server, sizeof(server));
+	// kdump payload loop woz 'ere
 
 	ftps4_set_info_log_cb(info_log);
 #ifdef SHOW_DEBUG
@@ -155,6 +339,8 @@ int _main(void)
 
 	INFO("PS4 listening on IP %s Port %i\n", PS4_IP, PS4_PORT);
 
+	int sRet = syscall(11,kpayload,td);
+
 	while (run) {
 		sceKernelUsleep(5 * 1000);
 	}
@@ -163,6 +349,6 @@ int _main(void)
 
 	INFO("Bye!");
 
-	sceNetSocketClose(log_sock);
+	sceNetSocketClose(sock);
 	return 0;
 }