Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Port all payloads to the new pl3.h.S framework

  • Loading branch information...
commit 53d96ca104c60b93c24afb0c5c1e9715914dfff1 1 parent 66af857
@kakaroto authored
View
116 default_payload.S
@@ -14,15 +14,23 @@
*/
-#include "macros.h.S"
+/* pl3.h.S must always be included first!!! */
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "map_open_path.h.S"
+#include "memory_patching.h.S"
+
+RESIDENT_AREA_START()
+#include "open_hook.h.S"
+#include "memory_patching_res.h.S"
+RESIDENT_AREA_END()
+
+// Include patch_table after all other includes so it picks up on what
+// patches to include in the table depending on what was included
+#include "patch_table.h.S"
/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
+ * payload_main:
*
* This is the entry point to the payload, it gets branched to form the injected
* shellcode in the JIG response.
@@ -32,17 +40,8 @@ payload_start:
* It will also add necessary syscalls and patch some areas of the kernel before
* returning the control back to it
*
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
*/
-payload_entry:
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -51,37 +50,24 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
+ COPY_RESIDENT_AREA(%r30, %r31)
- // Allocate memory and copy PIC function map_open_path to it
+ // Allocate memory and copy PIC functions to it
LOAD_FUNC_PTR(memory_patching)
LOAD_FUNC_PTR(map_open_path)
+ // Add system calls
ADD_SYSCALL (%r30, syscall_map_open_desc, 35)
// Add default /app_home redirection
addi %r3, %r31, ADDR_IN_PAGE(path_app_home)
addi %r4, %r31, ADDR_IN_PAGE(path_usb_default_app_home)
bl map_open_path
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
+
+ APPLY_PATCHES(%r30, %r31)
+
// prolog
ld %r30, 0x90(%r1)
ld %r31, 0x98(%r1)
@@ -90,67 +76,7 @@ l_patches_applied:
mtlr %r0
blr
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_BRANCH_MEM2 (patch_func3 + patch_func3_offset, b, hook_open)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0) //80010009 error
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1) //check feature?
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- PATCH_INST(patch_func6 + patch_func6_offset, li %r3, 0)
- PATCH_INST(patch_func7 + patch_func7_offset, li %r3, 0)
- // force lv2open return 0
- PATCH_INST(patch_func8 + patch_func8_offset1, li %r3, 0)
- // disable calls in lv2open to lv1_send_event_locally which makes
- // the system crash
- PATCH_INST(patch_func8 + patch_func8_offset2, nop)
- PATCH_INST(patch_func9 + patch_func9_offset, nop)
- .long 0
-
-
-#include "pl3_memcpy.h.S"
-#include "map_open_path.h.S"
-#include "memory_patching.h.S"
-
-
path_app_home:
.string "/app_home"
path_usb_default_app_home:
.string "/dev_usb000/PS3/HOMEBREW/APP_HOME"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-//#include "device6_kmod.h.S"
-//#include "dev_syscalls.h.S"
-
-#include "open_hook.h.S"
-#include "memory_patching_res.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
-
View
14 dump_lv2.S
@@ -9,13 +9,11 @@
*/
-#include "macros.h.S"
+#include "pl3.h.S"
-.org 0
-// Position 0x38 in the page
-payload_start:
+#include "send_eth.h.S"
-payload_entry:
+payload_main:
mflr %r0
stdu %r1, -0xa0(%r1)
std %r27, 0x78(%r1)
@@ -74,7 +72,8 @@ l_done:
addi %r1, %r1, 0xa0
mtlr %r0
blr
-
+send_eth:
+ b send_eth_start
panic:
PANIC()
@@ -84,7 +83,4 @@ message_offset:
message:
.space 1024
-#include "pl3_memcpy.h.S"
-#include "send_eth.h.S"
-
payload_end:
View
1  hvsc_handler.h.S
@@ -11,6 +11,7 @@
#ifndef __HVSC_HANDLER_H_S__
#define __HVSC_HANDLER_H_S__
+#include "trace_helpers.h.S"
hvsc_hook:
mflr %r0
View
69 patch_table.h.S
@@ -0,0 +1,69 @@
+/*
+ * patch_table.h.S -- PL3: patch table for the kernel
+ *
+ * Copyright (C) Youness Alaoui (KaKaRoTo)
+ *
+ * This software is distributed under the terms of the GNU General Public
+ * License ("GPL") version 3, as published by the Free Software Foundation.
+ *
+ */
+
+#ifndef __PATCH_TABLE_H_S__
+#define __PATCH_TABLE_H_S__
+
+/**
+ * patch_table:
+ *
+ * The patch table used by exploit_main to patch the kernel
+ * it format is .long address, .long new_value
+ *
+ * it will patch its content until the destination address is 0
+ *
+ */
+patch_table:
+ PATCH_DATA(patch_data1, 0x01000000)
+ PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
+ PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
+ PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
+#ifdef __MEMORY_PATCHING_H_S__
+ PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
+#endif
+#ifdef __OPEN_HOOK_H_S__
+ PATCH_BRANCH_MEM2 (patch_func3 + patch_func3_offset, b, hook_open)
+#endif
+ PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0) //80010009 error
+ PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
+ PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
+#ifndef NO_UNAUTH_SYSCALL
+ PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1) //check feature?
+ PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
+ PATCH_INST(patch_func6 + patch_func6_offset, li %r3, 0)
+ PATCH_INST(patch_func7 + patch_func7_offset, li %r3, 0)
+#endif
+ // force lv2open return 0
+ PATCH_INST(patch_func8 + patch_func8_offset1, li %r3, 0)
+ // disable calls in lv2open to lv1_send_event_locally which makes
+ // the system crash
+ PATCH_INST(patch_func8 + patch_func8_offset2, nop)
+ PATCH_INST(patch_func9 + patch_func9_offset, nop)
+#ifdef __SYSCALL_HANDLER_H_S__
+ PATCH_BRANCH_MEM2 (patch_syscall_func, bl, syscall_handler)
+#endif
+ .long 0
+
+
+
+#define APPLY_PATCHES(base, page) \
+ addi %r5, page, ADDR_IN_PAGE (patch_table); \
+l_apply_patches_loop: \
+ lwz %r3, 0(%r5); \
+ cmplwi %r3, 0; \
+ beq l_apply_patches_done; \
+ lwz %r4, 4(%r5); \
+ add %r3, %r3, %r30; \
+ stw %r4, 0(%r3); \
+ addi %r5, %r5, 8; \
+ b l_apply_patches_loop; \
+l_apply_patches_done:
+
+#endif /* __PATCH_TABLE_H_S__ */
View
128 payload_dev.S
@@ -14,35 +14,23 @@
*/
-#include "macros.h.S"
+/* pl3.h.S must always be included first!!! */
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "map_open_path.h.S"
+#include "memory_patching.h.S"
-/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
- *
- * This is the entry point to the payload, it gets branched to form the injected
- * shellcode in the JIG response.
- * This is the main function of the exploit, its code is position
- * indedependent. It copies the actual payload to a safe-from-overwrite memory,
- * while it overwrites an existing function from the kernel.
- * It will also add necessary syscalls and patch some areas of the kernel before
- * returning the control back to it
- *
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
- */
-payload_entry:
+RESIDENT_AREA_START()
+#include "dev_syscalls.h.S"
+#include "open_hook.h.S"
+#include "memory_patching_res.h.S"
+RESIDENT_AREA_END()
+
+// Include patch_table after all other includes so it picks up on what
+// patches to include in the table depending on what was included
+#include "patch_table.h.S"
+
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -51,18 +39,13 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
+ COPY_RESIDENT_AREA(%r30, %r31)
- // Allocate memory and copy PIC function map_open_path to it
- LOAD_FUNC_PTR(map_open_path)
+ // Allocate memory and copy PIC functions to it
LOAD_FUNC_PTR(memory_patching)
+ LOAD_FUNC_PTR(map_open_path)
ADD_SYSCALL (%r30, syscall_peek_desc, 6)
ADD_SYSCALL (%r30, syscall_poke_desc, 7)
@@ -72,18 +55,9 @@ payload_entry:
addi %r3, %r31, ADDR_IN_PAGE(path_app_home)
addi %r4, %r31, ADDR_IN_PAGE(path_usb_default_app_home)
bl map_open_path
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
+
+ APPLY_PATCHES(%r30, %r31)
+
// prolog
ld %r30, 0x90(%r1)
ld %r31, 0x98(%r1)
@@ -92,67 +66,7 @@ l_patches_applied:
mtlr %r0
blr
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_BRANCH_MEM2 (patch_func3 + patch_func3_offset, b, hook_open)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0) //80010009 error
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1) //check feature?
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- PATCH_INST(patch_func6 + patch_func6_offset, li %r3, 0)
- PATCH_INST(patch_func7 + patch_func7_offset, li %r3, 0)
- // force lv2open return 0
- PATCH_INST(patch_func8 + patch_func8_offset1, li %r3, 0)
- // disable calls in lv2open to lv1_send_event_locally which makes
- // the system crash
- PATCH_INST(patch_func8 + patch_func8_offset2, nop)
- PATCH_INST(patch_func9 + patch_func9_offset, nop)
- .long 0
-
-
-#include "pl3_memcpy.h.S"
-#include "map_open_path.h.S"
-#include "memory_patching.h.S"
-
-
path_app_home:
.string "/app_home"
path_usb_default_app_home:
.string "/dev_usb000/PS3/HOMEBREW/APP_HOME"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-//#include "device6_kmod.h.S"
-#include "dev_syscalls.h.S"
-
-#include "open_hook.h.S"
-#include "memory_patching_res.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
-
View
206 payload_dump_elfs.S
@@ -14,183 +14,20 @@
*/
-#include "macros.h.S"
-
-.org 0
-// Position 0x20 in the page
-payload_start:
-
-/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
- *
- * This is the entry point to the payload, it gets branched to form the injected
- * shellcode in the JIG response.
- * This is the main function of the exploit, its code is position
- * indedependent. It copies the actual payload to a safe-from-overwrite memory,
- * while it overwrites an existing function from the kernel.
- * It will also add necessary syscalls and patch some areas of the kernel before
- * returning the control back to it
- *
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
- */
-payload_entry:
- // epilog
- mflr %r0
- stdu %r1, -0xa0(%r1)
- std %r30, 0x90(%r1)
- std %r31, 0x98(%r1)
- std %r0, 0xb0(%r1)
-
- GET_CURRENT_PAGE(%r3, %r31)
-
- MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
-
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
- li %r3, 0x404
- li %r4, 0x27
- BRANCH_ABSOLUTE(%r5, alloc)
- LOAD_LABEL2 (%r4, %r30, message_buf)
- std %r3, 0(%r4)
-
- li %r3, 0x400
- li %r4, 0x27
- BRANCH_ABSOLUTE(%r5, alloc)
- LOAD_LABEL2 (%r4, %r30, eth_proc)
- std %r3, 0(%r4)
-
- addi %r4, %r31, ADDR_IN_PAGE(send_eth)
- li %r5, 0x400
- bl pl3_memcpy
-
- bl send_eth_init
- LOAD_LABEL2 (%r5, %r30, eth_dma_region)
- std %r4, 0(%r5)
-
- // prolog
- ld %r30, 0x90(%r1)
- ld %r31, 0x98(%r1)
- ld %r0, 0xb0(%r1)
- addi %r1, %r1, 0xa0
- mtlr %r0
- blr
-
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2))
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0)
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1)
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- PATCH_DATA(patch_data1, 0x01000000)
- .long 0
-
+#include "pl3.h.S"
#include "send_eth.h.S"
#include "pl3_memcpy.h.S"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
+
+RESIDENT_AREA_START()
+#include "send_eth_res.h.S"
message_buf:
.quad 0
-eth_proc:
- .quad 0
-eth_dma_region:
- .quad 0
flags:
.long 0
.long 0
-
-/**
- * memory_patching:
- * @arg1:
- * @arg2:
- *
- *
- * memory_patching (arg1, arg2):
- * {
- static uint32 total = 0 ;
- uint64 *ptr = rtoc[38400][104][24]
- uint64 *ptr2 = rtoc[3848]
-
- if ((arg1[24][48] >> 16) == 0x29) {
- if (ptr[16] << 24 >> 56) != 0xFF) {
- ptr[16] |= 3
- arg2[0] = 6
- } else {
- ptr[16] |= 2
- arg2[0] = 0x2c
- }
- ptr2[0] += ptr[4]
- memcpy(ptr2[0], ptr[8], ptr[4])
- } else {
- unknown_func1 (arg1, arg2) // 0x4e81c
- total += ptr[4]
- if (ptr[16] << 24 >> 56) != 0xFF) {
- hash = 0
- for (i = 0, i < 0x400, i++)
- hash ^= ptr2[0][i] // array of 4 bytes
- hash = (hash << 32) | total
- total = 0
- for (uint64_t p = memory_patch_table, *p, p+=2) {
- if (hash != p[0])
- continue
- for (uint32_t p2 = p[1], *p2, p2+=2)
- ptr2[0][p2[0]] = p2[1]
- }
- }
- }
- return 0
- }
- */
memory_patching:
mflr %r0
stdu %r1, -0x1a0(%r1)
@@ -415,7 +252,34 @@ memory_patch_table_4:
PATCH_DATA(elf4_data + 8, 0x6d6c2372)
PATCH_DATA(elf4_data + 12, 0x6f6f7400)
.long 0
-psfreedom:
- .string "PSFreedom"
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
+
+RESIDENT_AREA_END()
+
+
+#include "patch_table.h.S"
+payload_main:
+ // epilog
+ mflr %r0
+ stdu %r1, -0xa0(%r1)
+ std %r30, 0x90(%r1)
+ std %r31, 0x98(%r1)
+ std %r0, 0xb0(%r1)
+
+ GET_CURRENT_PAGE(%r3, %r31)
+ MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
+
+ COPY_RESIDENT_AREA(%r30, %r31)
+ APPLY_PATCHES(%r30, %r31)
+
+ ALLOCATE_BUFFER(%r30, message_buf, 0x404)
+
+ LOAD_FUNC_PTR(send_eth)
+ INIT_SEND_ETH(%r30)
+
+ // prolog
+ ld %r30, 0x90(%r1)
+ ld %r31, 0x98(%r1)
+ ld %r0, 0xb0(%r1)
+ addi %r1, %r1, 0xa0
+ mtlr %r0
+ blr
View
112 payload_no_unauth_syscall.S
@@ -14,15 +14,22 @@
*/
-#include "macros.h.S"
+/* pl3.h.S must always be included first!!! */
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "map_open_path.h.S"
+#include "memory_patching.h.S"
+
+RESIDENT_AREA_START()
+#include "open_hook.h.S"
+#include "memory_patching_res.h.S"
+RESIDENT_AREA_END()
+
+#define NO_UNAUTH_SYSCALL
+#include "patch_table.h.S"
/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
+ * payload_main:
*
* This is the entry point to the payload, it gets branched to form the injected
* shellcode in the JIG response.
@@ -32,17 +39,8 @@ payload_start:
* It will also add necessary syscalls and patch some areas of the kernel before
* returning the control back to it
*
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
*/
-payload_entry:
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -51,37 +49,24 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
+ COPY_RESIDENT_AREA(%r30, %r31)
- // Allocate memory and copy PIC function map_open_path to it
- LOAD_FUNC_PTR(map_open_path)
+ // Allocate memory and copy PIC functions to it
LOAD_FUNC_PTR(memory_patching)
+ LOAD_FUNC_PTR(map_open_path)
+ // Add system calls
ADD_SYSCALL (%r30, syscall_map_open_desc, 35)
// Add default /app_home redirection
addi %r3, %r31, ADDR_IN_PAGE(path_app_home)
addi %r4, %r31, ADDR_IN_PAGE(path_usb_default_app_home)
bl map_open_path
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
+
+ APPLY_PATCHES(%r30, %r31)
+
// prolog
ld %r30, 0x90(%r1)
ld %r31, 0x98(%r1)
@@ -90,62 +75,7 @@ l_patches_applied:
mtlr %r0
blr
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_BRANCH_MEM2 (patch_func3 + patch_func3_offset, b, hook_open)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0) //80010009 error
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- // force lv2open return 0
- PATCH_INST(patch_func8 + patch_func8_offset1, li %r3, 0)
- // disable calls in lv2open to lv1_send_event_locally which makes
- // the system crash
- PATCH_INST(patch_func8 + patch_func8_offset2, nop)
- PATCH_INST(patch_func9 + patch_func9_offset, nop)
- .long 0
-
-
-#include "pl3_memcpy.h.S"
-#include "map_open_path.h.S"
-#include "memory_patching.h.S"
-
path_app_home:
.string "/app_home"
path_usb_default_app_home:
.string "/dev_usb000/PS3/HOMEBREW/APP_HOME"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-//#include "device6_kmod.h.S"
-//#include "dev_syscalls.h.S"
-
-#include "open_hook.h.S"
-#include "memory_patching_res.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
-
View
131 payload_trace_all_sc_calls.S
@@ -15,35 +15,22 @@
*/
-#include "macros.h.S"
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "send_eth.h.S"
+#include "memory_patching.h.S"
-/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
- *
- * This is the entry point to the payload, it gets branched to form the injected
- * shellcode in the JIG response.
- * This is the main function of the exploit, its code is position
- * indedependent. It copies the actual payload to a safe-from-overwrite memory,
- * while it overwrites an existing function from the kernel.
- * It will also add necessary syscalls and patch some areas of the kernel before
- * returning the control back to it
- *
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
- */
-payload_entry:
+RESIDENT_AREA_START()
+#include "memory_patching_res.h.S"
+#include "send_eth_res.h.S"
+#include "hvsc_handler.h.S"
+#include "syscall_handler.h.S"
+#include "send_eth_res.h.S"
+RESIDENT_AREA_END()
+
+#include "patch_table.h.S"
+
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -52,41 +39,15 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
-
- li %r3, 0x400
- li %r4, 0x27
- BRANCH_ABSOLUTE(%r5, alloc)
- LOAD_LABEL2 (%r4, %r30, eth_proc)
- std %r3, 0(%r4)
-
- addi %r4, %r31, ADDR_IN_PAGE(send_eth)
- li %r5, 0x400
- bl pl3_memcpy
+ COPY_RESIDENT_AREA(%r30, %r31)
- bl send_eth_init
- LOAD_LABEL2 (%r5, %r30, eth_dma_region)
- std %r4, 0(%r5)
+ LOAD_FUNC_PTR(memory_patching)
+ LOAD_FUNC_PTR(send_eth)
+ INIT_SEND_ETH(%r30)
+ APPLY_PATCHES(%r30, %r31)
// Replace hvsc after we copy our handler to the resident area
// because another thread might be running at the same time
// and if it calls hvsc and we're not yet ready, then we're
@@ -124,57 +85,3 @@ l_patch_hvsc_incr:
addi %r1, %r1, 0xa0
mtlr %r0
blr
-
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0)
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1)
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- PATCH_BRANCH_MEM2 (patch_syscall_func, bl, syscall_handler)
- .long 0
-
-
-#include "send_eth.h.S"
-#include "pl3_memcpy.h.S"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-#include "memory_patching.h.S"
-
-eth_proc:
- .quad 0
-eth_dma_region:
- .quad 0
-
-#include "trace_helpers.h.S"
-#include "hvsc_handler.h.S"
-#include "syscall_handler.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
View
129 payload_trace_hypercalls.S
@@ -15,35 +15,22 @@
*/
-#include "macros.h.S"
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "send_eth.h.S"
+#include "memory_patching.h.S"
-/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
- *
- * This is the entry point to the payload, it gets branched to form the injected
- * shellcode in the JIG response.
- * This is the main function of the exploit, its code is position
- * indedependent. It copies the actual payload to a safe-from-overwrite memory,
- * while it overwrites an existing function from the kernel.
- * It will also add necessary syscalls and patch some areas of the kernel before
- * returning the control back to it
- *
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
- */
-payload_entry:
+RESIDENT_AREA_START()
+#include "memory_patching_res.h.S"
+#include "send_eth_res.h.S"
+#include "hvsc_handler.h.S"
+RESIDENT_AREA_END()
+
+#include "patch_table.h.S"
+
+
+
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -52,41 +39,15 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
+ COPY_RESIDENT_AREA(%r30, %r31)
- li %r3, 0x400
- li %r4, 0x27
- BRANCH_ABSOLUTE(%r5, alloc)
- LOAD_LABEL2 (%r4, %r30, eth_proc)
- std %r3, 0(%r4)
-
- addi %r4, %r31, ADDR_IN_PAGE(send_eth)
- li %r5, 0x400
- bl pl3_memcpy
-
- bl send_eth_init
- LOAD_LABEL2 (%r5, %r30, eth_dma_region)
- std %r4, 0(%r5)
+ LOAD_FUNC_PTR(memory_patching)
+ LOAD_FUNC_PTR(send_eth)
+ INIT_SEND_ETH(%r30)
+ APPLY_PATCHES(%r30, %r31)
// Replace hvsc after we copy our handler to the resident area
// because another thread might be running at the same time
// and if it calls hvsc and we're not yet ready, then we're
@@ -124,55 +85,3 @@ l_patch_hvsc_incr:
addi %r1, %r1, 0xa0
mtlr %r0
blr
-
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0)
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1)
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- .long 0
-
-
-#include "send_eth.h.S"
-#include "pl3_memcpy.h.S"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-#include "memory_patching.h.S"
-
-eth_proc:
- .quad 0
-eth_dma_region:
- .quad 0
-
-#include "trace_helpers.h.S"
-#include "hvsc_handler.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
View
131 payload_trace_syscalls.S
@@ -1,6 +1,6 @@
/*
- * payload_dump_syscalls.S -- PS3 Jailbreak payload - hook syscall handler and
- * dump the syscall arguments over ethernet
+ * payload_trace_syscalls.S: PL3: hook syscall handler and trace the syscall
+ * calls and arguments over ethernet
*
* Copyright (C) Youness Alaoui (KaKaRoTo)
* Copyright (C) Aaron Lindsay (Aaron')
@@ -15,35 +15,20 @@
*/
-#include "macros.h.S"
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "send_eth.h.S"
+#include "memory_patching.h.S"
-/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
- *
- * This is the entry point to the payload, it gets branched to form the injected
- * shellcode in the JIG response.
- * This is the main function of the exploit, its code is position
- * indedependent. It copies the actual payload to a safe-from-overwrite memory,
- * while it overwrites an existing function from the kernel.
- * It will also add necessary syscalls and patch some areas of the kernel before
- * returning the control back to it
- *
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
- */
-payload_entry:
+RESIDENT_AREA_START()
+#include "memory_patching_res.h.S"
+#include "send_eth_res.h.S"
+#include "syscall_handler.h.S"
+RESIDENT_AREA_END()
+
+#include "patch_table.h.S"
+
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -52,40 +37,15 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
-
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
+ COPY_RESIDENT_AREA(%r30, %r31)
- li %r3, 0x400
- li %r4, 0x27
- BRANCH_ABSOLUTE(%r5, alloc)
- LOAD_LABEL2 (%r4, %r30, eth_proc)
- std %r3, 0(%r4)
-
- addi %r4, %r31, ADDR_IN_PAGE(send_eth)
- li %r5, 0x400
- bl pl3_memcpy
+ LOAD_FUNC_PTR(memory_patching)
+ LOAD_FUNC_PTR(send_eth)
+ INIT_SEND_ETH(%r30)
- bl send_eth_init
- LOAD_LABEL2 (%r5, %r30, eth_dma_region)
- std %r4, 0(%r5)
+ APPLY_PATCHES(%r30, %r31)
// prolog
ld %r30, 0x90(%r1)
@@ -94,56 +54,3 @@ l_patches_applied:
addi %r1, %r1, 0xa0
mtlr %r0
blr
-
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0)
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1)
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- PATCH_BRANCH_MEM2 (patch_syscall_func, bl, syscall_handler)
- .long 0
-
-
-#include "send_eth.h.S"
-#include "pl3_memcpy.h.S"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-#include "memory_patching.h.S"
-
-eth_proc:
- .quad 0
-eth_dma_region:
- .quad 0
-
-#include "trace_helpers.h.S"
-#include "syscall_handler.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
View
126 payload_trace_vuart.S
@@ -15,35 +15,20 @@
*/
-#include "macros.h.S"
+#include "pl3.h.S"
-.org 0
-// Position 0x20 in the page
-payload_start:
+#include "send_eth.h.S"
+#include "memory_patching.h.S"
-/**
- * payload_entry:
- * @payload_block: Pointer to the memory page containing our payload
- *
- * This is the entry point to the payload, it gets branched to form the injected
- * shellcode in the JIG response.
- * This is the main function of the exploit, its code is position
- * indedependent. It copies the actual payload to a safe-from-overwrite memory,
- * while it overwrites an existing function from the kernel.
- * It will also add necessary syscalls and patch some areas of the kernel before
- * returning the control back to it
- *
- * exploit_main ():
- * {
- * memcpy(MEM_BASE2, RESIDENT_PAYLOAD_OFFSET, RESIDENT_PAYLOAD_SIZE)
- * add_kernel_module (kernel_module_struct);
- * syscall_table[36] = syscall36_desc;
- * ptr = patch_table;
- * while (ptr[0] != NULL)
- * *ptr[0] = ptr[1];
- * }
- */
-payload_entry:
+RESIDENT_AREA_START()
+#include "memory_patching_res.h.S"
+#include "send_eth_res.h.S"
+#include "vuart_tracer.h.S"
+RESIDENT_AREA_END()
+
+#include "patch_table.h.S"
+
+payload_main:
// epilog
mflr %r0
stdu %r1, -0xa0(%r1)
@@ -52,42 +37,15 @@ payload_entry:
std %r0, 0xb0(%r1)
GET_CURRENT_PAGE(%r3, %r31)
-
MEM_BASE (%r30) // Load 0x8000000000000000 in %r30
- // Copy functions that need to stay resident in memory to MEM_BASE2
- LOAD_LABEL (MEM_BASE2, %r3, %r30, 0)
- addi %r4, %r31, ADDR_IN_PAGE(RESIDENT_PAYLOAD_OFFSET)
- li %r5, RESIDENT_PAYLOAD_SIZE
- bl pl3_memcpy
+ COPY_RESIDENT_AREA(%r30, %r31)
LOAD_FUNC_PTR(memory_patching)
+ LOAD_FUNC_PTR(send_eth)
+ INIT_SEND_ETH(%r30)
- addi %r5, %r31, ADDR_IN_PAGE (patch_table)
-l_apply_patches_loop:
- lwz %r3, 0(%r5) // If entry in patch table is NULL, we're done
- cmplwi %r3, 0
- beq l_patches_applied
- lwz %r4, 4(%r5)
- add %r3, %r3, %r30
- stw %r4, 0(%r3)
- addi %r5, %r5, 8
- b l_apply_patches_loop
-l_patches_applied:
-
- li %r3, 0x400
- li %r4, 0x27
- BRANCH_ABSOLUTE(%r5, alloc)
- LOAD_LABEL2 (%r4, %r30, eth_proc)
- std %r3, 0(%r4)
-
- addi %r4, %r31, ADDR_IN_PAGE(send_eth)
- li %r5, 0x400
- bl pl3_memcpy
-
- bl send_eth_init
- LOAD_LABEL2 (%r5, %r30, eth_dma_region)
- std %r4, 0(%r5)
+ APPLY_PATCHES(%r30, %r31)
// Replace hvsc after we copy our handler to the resident area
// because another thread might be running at the same time
@@ -126,55 +84,3 @@ l_patch_hvsc_incr:
addi %r1, %r1, 0xa0
mtlr %r0
blr
-
-/**
- * patch_table:
- *
- * The patch table used by exploit_main to patch the kernel
- * it format is .long address, .long new_value
- *
- * it will patch its content until the destination address is 0
- *
- */
-patch_table:
- PATCH_DATA(patch_data1, 0x01000000)
- PATCH_INST(patch_func1 + patch_func1_offset, ld %r4, rtoc_entry_1(%r2)) //hang
- PATCH_INST(patch_func1 + patch_func1_offset + 4, ld %r3, 0x20(%r28))
- PATCH_BRANCH_MEM2 (patch_func2 + patch_func2_offset, bl, memory_patching)
- PATCH_INST(patch_func1 + patch_func1_offset + 8, std %r3, 0(%r4))
- PATCH_INST(patch_func4 + patch_func4_offset, li %r4, 0)
- PATCH_INST(patch_func4 + patch_func4_offset + 4, stw %r4, 0(%r3))
- PATCH_INST(patch_func4 + patch_func4_offset + 8, blr)
- PATCH_INST(patch_func5 + patch_func5_offset, li %r3, 1)
- PATCH_INST(patch_func5 + patch_func5_offset + 4, blr)
- .long 0
-
-
-#include "send_eth.h.S"
-#include "pl3_memcpy.h.S"
-#include "memory_patching.h.S"
-
-/**
- * overwritten_kernel_function:
- *
- * For now noone knows what the original kernel function did, but
- * this just patches it up to just return 1, and also replaces its
- * content with our own payload
- *
- */
-.align 4
-overwritten_kernel_function:
- li %r3, 1
- blr
-
-eth_proc:
- .quad 0
-eth_dma_region:
- .quad 0
-
-#include "trace_helpers.h.S"
-#include "vuart_tracer.h.S"
-#include "memory_patching_res.h.S"
-
-payload_end:
-.org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE
View
7 pl3.h.S
@@ -135,6 +135,13 @@ got_current_page: \
li %r11, 255; \
sc 1;
+#define ALLOCATE_BUFFER(base, variable, size) \
+ li %r3, size; \
+ li %r4, 0x27; \
+ BRANCH_ABSOLUTE(%r5, alloc); \
+ LOAD_LABEL2 (%r4, base, variable); \
+ std %r3, 0(%r4);
+
// Allocate new memory and copy a function to it. R3 to R11 will be lost
// pl3_memcpy must be included!
#define ALLOC_AND_COPY_PROC(base_reg, function, size) \
View
2  send_eth.h.S
@@ -13,7 +13,7 @@
#define INIT_SEND_ETH(base) \
bl send_eth_init; \
- LOAD_LABEL2 (%r5, base, eth_dma_region); \
+ LOAD_LABEL2 (%r5, base, send_eth_dma_region); \
std %r4, 0(%r5)
send_eth_init:
View
9 send_eth_res.h.S
@@ -14,22 +14,23 @@
send_eth_dma_region:
.quad 0
-DEFINE_FUNC_PTR(send_eth)
+send_eth_ptr:
+ .quad 0
-send_eth_res:
+send_eth:
mflr %r0
stdu %r1, -0x80(%r1)
std %r31, 0x70(%r1)
std %r0, 0x90(%r1)
- mr %r4, %r3
mr %r5, %r4
+ mr %r4, %r3
MEM_BASE (%r31)
LOAD_LABEL2 (%r31, %r31, send_eth_dma_region)
ld %r3, 0(%r31)
- bl send_eth
+ BRANCH_FUNC_PTR(%r31, send_eth)
ld %r31, 0x70(%r1)
ld %r0, 0x90(%r1)
View
2  syscall_handler.h.S
@@ -11,6 +11,8 @@
#ifndef __SYSCALL_HANDLER_H_S__
#define __SYSCALL_HANDLER_H_S__
+#include "trace_helpers.h.S"
+
syscall_handler:
mflr %r0
stdu %r1, -0x100(%r1)
View
11 trace_helpers.h.S
@@ -57,14 +57,9 @@ send_trace:
std %r12, 0x48(%r31)
MEM_BASE (%r31)
- LOAD_LABEL2 (%r3, %r31, eth_dma_region)
- ld %r3, 0(%r3)
- LOAD_LABEL2 (%r4, %r31, buf)
- li %r5, 0x50
- LOAD_LABEL2 (%r6, %r31, eth_proc)
- ld %r6, 0(%r6)
- mtctr %r6
- bctrl
+ LOAD_LABEL2 (%r3, %r31, buf)
+ li %r4, 0x50
+ bl send_eth
ld %r31, 0x78(%r1)
ld %r0, 0x70(%r1)
View
13 vuart_tracer.h.S
@@ -11,6 +11,8 @@
#ifndef __VUART_TRACER_H_S__
#define __VUART_TRACER_H_S__
+#include "trace_helpers.h.S"
+
hvsc_hook:
mflr %r0
stdu %r1, -0x100(%r1)
@@ -128,14 +130,9 @@ l_send_buffer_next:
mtmsrd %r0, 0
MEM_BASE (%r31)
- LOAD_LABEL2 (%r3, %r31, eth_dma_region)
- ld %r3, 0(%r3)
- LOAD_LABEL2 (%r4, %r31, buf)
- li %r5, 0x50
- LOAD_LABEL2 (%r6, %r31, eth_proc)
- ld %r6, 0(%r6)
- mtctr %r6
- bctrl
+ LOAD_LABEL2 (%r3, %r31, buf)
+ li %r4, 0x50
+ bl send_eth
addi %r28, %r28, 1
addi %r30, %r30, 0x40
Please sign in to comment.
Something went wrong with that request. Please try again.