update

LightningMods · May 2, 2024 · 88df8a1 · 88df8a1
1 parent dad57a2
commit 88df8a1
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 69 deletions.
diff --git a/stage2/offsets.h b/stage2/offsets.h
@@ -28,6 +28,11 @@
 #define dipsw_libSceDipsw_2 0x00862202 
 #define dipsw_libSceDipsw_3 0x00A27C02 
 
+#define _scePthreadAttrInit_offset 0x0014190
+#define _scePthreadAttrSetstacksize_offset 0x00141B0
+#define _scePthreadCreate_offset 0x00145D0
+#define _thr_initial_offset 0x8E830
+
 //kern
 #define vm_map_protect_p 0x00080B8B
 #define ptrace_p 0x41F4E5

diff --git a/stage2/proc_utils.c b/stage2/proc_utils.c
@@ -2,23 +2,6 @@
 #include "elf.h"
 #include "offsets.h"
 
-int sys_kern_rw(struct thread *td, struct sys_kern_rw_args *uap) {
-  if (uap->write) {
-    // Disable write protection
-    uint64_t cr0 = rcr0();
-    load_cr0(cr0 & ~CR0_WP);
-    memcpy((void *)uap->address, uap->data, uap->length);
-    // Restore write protection
-    load_cr0(cr0);
-  } else {
-    memcpy(uap->data, (void *)uap->address, uap->length);
-  }
-
-  td->td_retval[0] = 0;
-  return 0;
-}
-
-
 int proc_get_vm_map(struct thread *td, uint8_t *kbase, struct proc *p, struct proc_vm_map_entry **entries, uint64_t *num_entries) {
     struct proc_vm_map_entry *info = NULL;
     struct vm_map_entry *entry = NULL;
@@ -90,9 +73,14 @@ int proc_rw_mem(struct thread *td, uint8_t *kbase, struct proc *p, void *ptr, ui
 
     int r = 0;
     int (*proc_rwmem)(struct proc *p, struct uio *uio) = (void *)(kbase + proc_rmem_offset);
-        uint64_t kaslr_offset = rdmsr(MSR_LSTAR) - kdlsym_addr_Xfast_syscall;
+    uint64_t kaslr_offset = rdmsr(MSR_LSTAR) - kdlsym_addr_Xfast_syscall;
     int (*printf)(const char *format, ...) = (void *)kdlsym(printf);
 
+    if(size >= 0x400000){
+        printf("Size %d too big\n", size);
+        return 1;
+    }
+
     if (!p) {
         return 1;
     }
@@ -117,7 +105,7 @@ int proc_rw_mem(struct thread *td, uint8_t *kbase, struct proc *p, void *ptr, ui
     uio.uio_segflg = UIO_SYSSPACE;
     uio.uio_rw = write ? UIO_WRITE : UIO_READ;
     uio.uio_td = td;
-    
+
     printf("proc_rw_mem: uio.uio_resid: %d\n", uio.uio_resid);
     r = proc_rwmem(p, &uio);
 
@@ -187,7 +175,7 @@ int proc_deallocate(struct thread* td, uint8_t* kbase,struct proc *p, void *addr
     void (*vm_map_lock)(struct vm_map *map) = (void *)(kbase + vm_map_lock_offset);
     int (*vm_map_unlock)(struct vm_map *map) = (void *)(kbase + vm_map_unlock_offset);
 
-    int(*vm_map_delete)(struct vm_map *map, uint64_t start, uint64_t end) = (void *)(kbase + 0x0007E680);
+    int(*vm_map_delete)(struct vm_map *map, uint64_t start, uint64_t end) = (void *)(kbase + vm_map_delete_offset);
 
     struct vmspace *vm = p->p_vmspace;
     struct vm_map *map = &vm->vm_map;
@@ -254,52 +242,17 @@ int proc_create_thread(struct thread *td, uint8_t *kbase, struct proc *p, uint64
 
     // offsets are for 9.00 libraries
 
-// libkernel.sprx
-//scePthreadAttrInit = 0x0013660
-//scePthreadAttrSetstacksize = 0x00013680
-//scePthreadCreate = 0x00013AA0
-//thr_initial = 0x8E430
-
-// libkernel_web.sprx
-//scePthreadAttrInit = 0x000087F0
-//scePthreadAttrSetstacksize = 0x0001A580
-//scePthreadCreate = 0x00204C0
-//thr_initial = 0x8E430
-
-// libkernel_sys.sprx
-//scePthreadAttrInit = 0x0014190
-//scePthreadAttrSetstacksize = 0x0141B0
-//scePthreadCreate = 0x00145D0
-//thr_initial = 0x8E830
-
     uint64_t _scePthreadAttrInit = 0, _scePthreadAttrSetstacksize = 0, _scePthreadCreate = 0, _thr_initial = 0;
     for (int i = 0; i < num_entries; i++) {
         if (entries[i].prot != (PROT_READ | PROT_EXEC)) {
             continue;
         }
 
-        if (!memcmp(entries[i].name, "libkernel.sprx", 14)) {
-            _scePthreadAttrInit = entries[i].start + 0x0013660;
-            _scePthreadAttrSetstacksize = entries[i].start + 0x00013680;
-            _scePthreadCreate = entries[i].start + 0x00013AA0;
-            _thr_initial = entries[i].start + 0x8E430;
-            printf("libkernel.sprx found\n");
-            break;
-        }
-        if (!memcmp(entries[i].name, "libkernel_web.sprx", 18))
-        {
-            _scePthreadAttrInit = entries[i].start + 0x000087F0;
-            _scePthreadAttrSetstacksize = entries[i].start + 0x0001A580;
-            _scePthreadCreate = entries[i].start + 0x00204C0;
-            _thr_initial = entries[i].start + 0x8E430;
-            printf("libkernel_web.sprx found\n");
-            break;
-        }
         if (!memcmp(entries[i].name, "libkernel_sys.sprx", 18)) {
-            _scePthreadAttrInit = entries[i].start + 0x0014190;
-            _scePthreadAttrSetstacksize = entries[i].start + 0x0141B0;
-            _scePthreadCreate = entries[i].start + 0x00145D0;
-            _thr_initial = entries[i].start + 0x8E830;
+            _scePthreadAttrInit = entries[i].start + _scePthreadAttrInit_offset;
+            _scePthreadAttrSetstacksize = entries[i].start + _scePthreadAttrSetstacksize_offset;
+            _scePthreadCreate = entries[i].start + _scePthreadCreate_offset;
+            _thr_initial = entries[i].start + _thr_initial_offset;
             printf("libkernel_sys.sprx found\n");
             break;
         }

diff --git a/stage2/stage2.c b/stage2/stage2.c
@@ -11,6 +11,8 @@
 extern uint8_t payloadbin[];
 extern int32_t payloadbin_size;
 
+
+
 int memcmp(const void * str1,
   const void * str2, size_t count) {
   const unsigned char * s1 = (const unsigned char * ) str1;
@@ -94,7 +96,7 @@ struct sce_proc * proc_find_by_name(uint8_t * kbase,
 
   return NULL;
 }
-
+#define USB_LOADER 1
 #if USB_LOADER
 static int ksys_read(struct thread * td, int fd, void * buf, size_t nbytes) {
   int( * sys_read)(struct thread * , struct read_args * ) =
@@ -414,11 +416,14 @@ void stage2(void) {
   shellcore_fpkg_patch(td, kbase);
   printf("Done.\n");
   #endif
+  int fd;
 
-  #if USB_PAYLOAD
-
+  #if USB_LOADER
+ void* buffer = NULL;
+ void (*free)(void * ptr, int type) = (void *)(kbase + free_offset);
+ void* M_TEMP = (void *)(kbase + M_TEMP_offset);
   void * ( * malloc)(unsigned long size, void * type, int flags) = (void * )(kbase + malloc_offset);
-  int fd = ksys_open(td, "/mnt/usb0/payload.bin", O_RDONLY, 0);
+  fd = ksys_open(td, "/mnt/usb0/payload.bin", O_RDONLY, 0);
   if (fd < 0)
     fd = ksys_open(td, "/mnt/usb1/payload.bin", O_RDONLY, 0);
   if (fd < 0)
@@ -427,21 +432,21 @@ void stage2(void) {
     fd = ksys_open(td, "/data/payload.bin", O_RDONLY, 0);
 
   if (fd < 0) {
-    notify(td, "Failed to open payload.bin from local storage\n");
+    printf( "Failed to open payload.bin from local storage\n");
     return;
   }
 
   static
   const int PAYLOAD_SZ = 0x400000;
 
-  if ((buffer = malloc(PAYLOAD_SZ, M_TEMP, M_WAITOK | M_ZERO)) == NULL) {
-    notify(td, "Failed to allocate memory for payload\n");
+  if ((buffer = malloc(PAYLOAD_SZ, M_TEMP, 0)) == NULL) {
+   printf(  "Failed to allocate memory for payload\n");
     return;
   }
 
   int payload_size = ksys_read(td, fd, buffer, PAYLOAD_SZ);
   if (payload_size <= 0) {
-    notify(td, "Failed to read payload\n");
+    printf(  "Failed to read payload\n");
     free(buffer, M_TEMP);
     return;
   }
@@ -474,7 +479,33 @@ void stage2(void) {
   printf("Writing payload...\n");
   // write the payload
   #if USB_LOADER
-  r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, buffer, payload_size, NULL);
+ // r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, buffer, payload_size, NULL);
+  struct iovec iov;
+    struct uio uio;
+
+    int (*proc_rwmem)(struct proc *p, struct uio *uio) = (void *)(kbase + proc_rmem_offset);
+
+    if(payload_size >= 0x400000){
+        printf("Size %d too big\n", payload_size);
+        return 1;
+    }
+
+    memset(&iov, NULL, sizeof(iov));
+    iov.iov_base = (uint64_t)buffer;
+    iov.iov_len = payload_size;
+
+    memset(&uio, NULL, sizeof(uio));
+    uio.uio_iov = (uint64_t)&iov;
+    uio.uio_iovcnt = 1;
+    uio.uio_offset = (uint64_t)PAYLOAD_BASE;
+    uio.uio_resid = payload_size;
+    uio.uio_segflg = UIO_SYSSPACE;
+    uio.uio_rw =  UIO_WRITE;
+    uio.uio_td = td;
+
+    printf("proc_rw_mem: uio.uio_resid: %d\n", uio.uio_resid);
+    r = proc_rwmem(p, &uio);
+
   #else
   r = proc_write_mem(td, kbase, p, (void * ) PAYLOAD_BASE, payloadbin_size, payloadbin, NULL);
   #endif
@@ -492,7 +523,7 @@ void stage2(void) {
   }
   printf("Created payload thread!\n");
 
-  int fd;
+
   fd = ksys_open(td, "/dev/notification0", O_WRONLY, 0);
   if (!fd)
     fd = ksys_open(td, "/dev/notification0", O_WRONLY | O_NONBLOCK, 0);