Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ps5-kstuff] Firmware offsets meta-issue #18

Open
SevenDice opened this issue Nov 3, 2023 · 14 comments
Open

[ps5-kstuff] Firmware offsets meta-issue #18

SevenDice opened this issue Nov 3, 2023 · 14 comments

Comments

@SevenDice
Copy link

I ran your porting_tool and found offsets. I hope this will be useful for porting the exploit to firmware 3.20
symbols.json

@sleirsgoevy
Copy link
Owner

Send a pull request to Echo Stretch's fork of this repository. They're collecting a database of offsets.

@oden1sy
Copy link

oden1sy commented Dec 27, 2023

I found all of the offsets for 3.00 firmware as well...not sure where to put them :)

Correction on the upload :)

symbols.json

@sleirsgoevy
Copy link
Owner

Good news that now everybody updated to 4.03 yet.

@oden1sy
Copy link

oden1sy commented Dec 27, 2023

I hope this helps the process for 3.00. :)

@Cerebral-Context
Copy link

Good work everyone!

@KsAmJ
Copy link

KsAmJ commented Jan 2, 2024

I ran your porting_tool and found offsets. I hope this will be useful for porting the exploit to firmware 3.20 symbols.json

Do anyone need to rerun the tool or that's all of them?

@sleirsgoevy
Copy link
Owner

3.20 offsets are already in the source, sorry. The last offset should've been "crypt_message_resolve".

@sleirsgoevy
Copy link
Owner

Firmware 3.00 added. Now theoretically supported (but not yet tested): 3.00, 3.20, 3.21, 4.03, 4.50, 4.51. Other firmwares are welcome!

@Goon3r
Copy link

Goon3r commented Jan 5, 2024

How long should dumping kdata... take when exeuting the porting tool? Feel like it hangs every time i try run the tool. PS5 3.20.

EDIT: Definitely hanging without error. Any ideas on how to fix or ways to increase verbosity to help debug this @sleirsgoevy?

@sleirsgoevy
Copy link
Owner

3.20 is already probed, no need to do that. But if you want to do it anyway, make sure you are not using WSL2, and if you're using Linux in a VM set your network to bridged.

@sleirsgoevy sleirsgoevy changed the title ps5 3.20 offsets [ps5-kstuff] Firmware offsets meta-issue Jan 6, 2024
@Goon3r
Copy link

Goon3r commented Jan 6, 2024

3.20 is already probed, no need to do that. But if you want to do it anyway, make sure you are not using WSL2, and if you're using Linux in a VM set your network to bridged.

Cheers for getting back to me.

I'm currently developing a Docker image to simplify execution of the tool, 3.20 is the only system i have access to test against atm, but hopefully it will make it easier for people to grab offsets for other versions. You can view it here: https://github.com/Goon3r/ps5-kstuff-porting-tool-docker

It seems im able to successfully connect to the PS5, it just hangs on dumping of kernel data. Docker by default uses a bridge network ofcourse.

Output log

1 offsets currently known
63 offsets to be found
Probing offset `rootvnode`
rm -f payload.elf payload.bin r0run.o prosper0gdb.o
cd ../lib; make
make[1]: Entering directory '/kstuff/tool/lib'
yasm -f elf64 crt.asm
yasm -f elf64 rfork.asm
gcc -c -isystem ../freebsd-headers -nostdinc -fno-stack-protector dl.c -o dl.o -fPIE -ffreestanding
python3 syscalls.py > syscalls.asm
yasm -f elf64 syscalls.asm
ld -r crt.o rfork.o dl.o syscalls.o -o lib.a
python3 syscalls-ps5.py > syscalls-ps5.asm
yasm -f elf64 syscalls-ps5.asm
ld -r crt.o dl.o syscalls-ps5.o -o lib-ps5.a
yasm -f elf64 crt-elf.asm
gcc -c -isystem ../freebsd-headers -nostdinc -fno-stack-protector -O3 crt-elf-c.c -o crt-elf-c.o -fPIE -ffreestanding
ld -r crt-elf.o crt-elf-c.o dl.o syscalls.o -o lib-elf.a
make[1]: Leaving directory '/kstuff/tool/lib'
yasm -f elf64 -g dwarf2 r0run.asm -o r0run.o
gcc -O0 -g -isystem ../freebsd-headers -nostdinc -nostdlib -fno-stack-protector -r -Wl,--unique='*' -ffunction-sections -fdata-sections -DMEMRW_FALLBACK -DNO_BUILTIN_OFFSETS r0gdb.c r0run.o offsets.c -o prosper0gdb.o -fPIE -ffreestanding -fno-unwind-tables -fno-asynchronous-unwind-tables
gcc -O0 -g -isystem ../freebsd-headers -nostdinc -nostdlib -fno-stack-protector -static ../lib/lib-elf.a -DMEMRW_FALLBACK -DNO_BUILTIN_OFFSETS main.c prosper0gdb.o dbg.c -o payload.elf -fPIE -ffreestanding -Wl,-no-pie -Wl,-zmax-page-size=16384 -Wl,-zcommon-page-size=16384
objcopy payload.elf --only-section .text --only-section .data --only-section .bss --only-section .rodata -O binary payload.bin
python3 ../lib/frankenelf.py payload.bin
Connecting to PS5... done
Connecting GDB... warning: remote target does not support file transfer, attempting to access files from local filesystem.
done
dumping kdata...

@sleirsgoevy
Copy link
Owner

For Docker, you'll want to specify the --net=host parameter to disable the network namespace for the container. The tool listens on a random port by default, and AFAIK Docker's default network configuration can only forward fixed ports.

@Goon3r
Copy link

Goon3r commented Jan 8, 2024

Cheers for the reponse, still hangs when running the container with --net=host

docker run \
    -it \
    --rm \
    --mount type=bind,source="${resultDir}",target=/kstuff/results \
    --net=host \
    ps5-kstuff-porting-tool:latest "$@"

Did try run the gdp command manually that i think the process is hanging at, unsure if this is of any use?

root@docker-desktop:/kstuff/tool/ps5-kstuff/porting_tool# gdb ../../prosper0gdb/payload.elf -ex "target remote 192.168.0.167:1234" -ex "py  import sys sys.stdin = sys.__stdin__ sys.stdout = sys.__stdout__ print('ef3e7a1becb877a1ec2075ac641b36c3')  while True:     try: prompt = input()     except (EOFError, KeyboardInterrupt):         gdb.execute('quit')         break     try: ans = eval(prompt)     except gdb.error as e: ans = str(e)     print(repr([[[ans]]]))  end"
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../../prosper0gdb/payload.elf...
Remote debugging using 192.168.0.167:1234
Ignoring packet error, continuing...
warning: unrecognized item "timeout" in "qSupported" response
Ignoring packet error, continuing...
Remote replied unexpectedly to 'vMustReplyEmpty': timeout
  File "<string>", line 1
    import sys sys.stdin = sys.__stdin__ sys.stdout = sys.__stdout__ print('ef3e7a1becb877a1ec2075ac641b36c3')  while True:     try: prompt = input()     except (EOFError, KeyboardInterrupt):         gdb.execute('quit')         break     try: ans = eval(prompt)     except gdb.error as e: ans = str(e)     print(repr([[[ans]]]))  end
               ^^^
SyntaxError: invalid syntax
Error while executing Python code.
(gdb)

@sleirsgoevy
Copy link
Owner

sleirsgoevy commented Jan 8, 2024

First, you messed up the newlines in Python code, this won't work for obvious reasons. (You can actually enter newlines inside quoted shell arguments.) Second, this won't work because this barely sets up an RPC interface for the main script to use, and if you're using GDB manually you'll be better typing in GDB commands without the custom RPC.

EDIT: also try capturing a Wireshark trace of the communication, maybe that will shed some light.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants