release v2.0

README.md

@@ -1,10 +1,27 @@
-# PS4HEN
-Homebrew enabler for PS4
+# PS4HEN v2.0
+
+## Features
+- Homebrew Enabler
+- Jailbreak
+- Sandbox Escape
+- Debug Settings
+- External HDD Support
+- VR Support
+- Remote Package Install
+- Rest Mode Support
 
 ## Contributors
 Massive credits to the following:
-
-- [Flatz](https://twitter.com/flat_z)
+- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
+- [Specter](https://twitter.com/SpecterDev) 
+- [flat_z](https://twitter.com/flat_z)
 - [idc](https://twitter.com/3226_2143)
-- [Joon](https://twitter.com/joonie86)
+- [Joonie](https://github.com/Joonie86/)
+- [Vortex](https://github.com/xvortex)
+- [zecoxao](https://twitter.com/notzecoxao)
+- [SiSTRo](https://github.com/SiSTR0)
 - Anonymous
+
+## Testers
+- [SCORPION](https://twitter.com/SCORPION1399)
+- [SocraticBliss](https://mobile.twitter.com/SocraticBliss)

installer/include/defines.h

@@ -1,7 +1,7 @@
 #ifndef __DEFINES
 #define __DEFINES
 
-#define VERSION "1.7"
+#define VERSION "2.0"
 
 //#define DEBUG_SOCKET
 

installer/source/main.c

@@ -90,6 +90,9 @@ int install_payload(struct thread *td, struct install_payload_args* args)
   *(uint32_t *)(kernel_base + 0x64B2B0) = 0x90C301B0;
   *(uint32_t *)(kernel_base + 0x64B2D0) = 0x90C301B0;
 
+  //enable vr 5.05
+  *(uint32_t *)(kernel_base + 0x14A63F1) = 0x9090000;
+
   // install kpayload
   memset(payload_buffer, 0, PAGE_SIZE);
   memcpy(payload_buffer, payload_data, payload_size);

kpayload/include/freebsd_helper.h

@@ -13,6 +13,7 @@
 
 #define	TRACEBUF	struct qm_trace trace;
 
+#define	TAILQ_EMPTY(head) ((head)->tqh_first == NULL)
 #define	TAILQ_FIRST(head) ((head)->tqh_first)
 #define	TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
 

kpayload/include/offsets.h

@@ -10,12 +10,18 @@
 #define mini_syscore_self_binary_addr   0x14C9D48
 #define sbl_driver_mapped_pages_addr    0x271E208
 #define sbl_pfs_sx_addr                 0x271E5D8
+#define sbl_keymgr_key_rbtree_addr      0x2744558
+#define sbl_keymgr_key_slots_addr       0x2744548
+#define sbl_keymgr_buf_va_addr          0x2748000
+#define sbl_keymgr_buf_gva_addr         0x2748800
 #define allproc_addr                    0x2382FF8
 
 // common
 #define strlen_addr                     0x3B71A0
+#define strstr_addr                     0x17DFB0
 #define malloc_addr                     0x10E250
 #define free_addr                       0x10E460
+#define printf_addr                     0x436040
 #define memcpy_addr                     0x1EA530
 #define memset_addr                     0x3205C0
 #define memcmp_addr                     0x050AC0
@@ -30,12 +36,14 @@
 #define sceSblAuthMgrGetSelfInfo_addr   0x63CD40
 #define sceSblAuthMgrIsLoadable2_addr   0x63C4F0
 #define sceSblAuthMgrVerifyHeader_addr  0x642B40
+#define sceSblACMgrGetPathId_addr       0x0117E0
 
 // Fpkg
 #define sceSblPfsKeymgrGenKeys_addr     0x62D480
 #define sceSblPfsSetKeys_addr           0x61EFA0
 #define sceSblKeymgrClearKey_addr       0x62DB10
 #define sceSblKeymgrSetKeyForPfs_addr   0x62D780
+#define sceSblKeymgrSetKeyStorage_addr  0x623FC0
 #define sceSblKeymgrSmCallfunc_addr     0x62E2A0
 #define sceSblDriverSendMsg_addr        0x61D7F0
 #define RsaesPkcs1v15Dec2048CRT_addr    0x1FD7D0
@@ -57,11 +65,13 @@
 #define sceSblAuthMgrVerifyHeader_hook2                           0x63F718
 #define sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook 0x64318B
 #define sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook   0x643DA2
+#define sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook       0x63E25D
 
 // Fpkg hooks
 #define sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif_hook    0x64C720
 #define sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new_hook         0x64D4FF
 #define sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook       0x624065
+#define sceSblKeymgrInvalidateKey__sx_xlock_hook                  0x62E96D
 #define mountpfs__sceSblPfsSetKeys_hook1                          0x6AAAD5
 #define mountpfs__sceSblPfsSetKeys_hook2                          0x6AAD04
 
@@ -79,13 +89,15 @@
 #define nidf_libSceDipsw_patch3         0x799837
 #define nidf_libSceDipsw_patch4         0x947187
 
+#define enable_data_mount_patch         0x319A53
+
 // enable fpkg
 #define enable_fpkg_patch               0x3E0602
 
 // debug pkg free string
 #define fake_free_patch                 0xEA96A7
 
 // make pkgs installer working with external hdd
-#define pkg_installer_patch		0x9312A1
+#define pkg_installer_patch	             0x9312A1
 
 #endif

kpayload/include/sbl_helper.h

@@ -4,9 +4,8 @@
 #define SCE_SBL_ERROR_NPDRM_ENOTSUP 0x800F0A25
 #define SIZEOF_SBL_KEY_RBTREE_ENTRY 0xA8 // sceSblKeymgrSetKey
 #define SIZEOF_SBL_MAP_LIST_ENTRY 0x50 // sceSblDriverMapPages
-#define TYPE_SBL_KEY_RBTREE_ENTRY_DESC_OFFSET 0x04
-#define TYPE_SBL_KEY_RBTREE_ENTRY_LOCKED_OFFSET 0x80
 #define SIZEOF_SBL_KEY_DESC 0x7C // sceSblKeymgrSetKey
+#define SIZEOF_SBL_KEY_SLOT_DESC 0x20
 #define SBL_MSG_SERVICE_MAILBOX_MAX_SIZE 0x80
 #define SBL_MSG_CCP 0x8
 
@@ -27,10 +26,21 @@ union sbl_key_desc {
 };
 TYPE_CHECK_SIZE(union sbl_key_desc, SIZEOF_SBL_KEY_DESC);
 
+TYPE_BEGIN(struct sbl_key_slot_desc, SIZEOF_SBL_KEY_SLOT_DESC);
+  TYPE_FIELD(uint32_t key_id, 0x00);
+  TYPE_FIELD(uint32_t unk_0x04, 0x04);
+  TYPE_FIELD(uint32_t key_handle, 0x08); /* or -1 if it's freed */
+  TYPE_FIELD(uint32_t unk_0x0C, 0x0C);
+  TYPE_FIELD(TAILQ_ENTRY(sbl_key_slot_desc) list, 0x10);
+TYPE_END();
+
+TAILQ_HEAD(sbl_key_slot_queue, sbl_key_slot_desc);
+
 TYPE_BEGIN(struct sbl_key_rbtree_entry, SIZEOF_SBL_KEY_RBTREE_ENTRY);
   TYPE_FIELD(uint32_t handle, 0x00);
-  TYPE_FIELD(union sbl_key_desc desc, TYPE_SBL_KEY_RBTREE_ENTRY_DESC_OFFSET);
-  TYPE_FIELD(uint32_t locked, TYPE_SBL_KEY_RBTREE_ENTRY_LOCKED_OFFSET);
+  TYPE_FIELD(uint32_t occupied, 0x04);
+  TYPE_FIELD(union sbl_key_desc desc, 0x08);
+  TYPE_FIELD(uint32_t locked, 0x80);
   TYPE_FIELD(struct sbl_key_rbtree_entry* left, 0x88);
   TYPE_FIELD(struct sbl_key_rbtree_entry* right, 0x90);
   TYPE_FIELD(struct sbl_key_rbtree_entry* parent, 0x98);

kpayload/source/fpkg.c

@@ -11,21 +11,27 @@
 #include "ccp_helper.h"
 #include "amd_helper.h"
 
+extern int (*printf)(const char *fmt, ...) PAYLOAD_BSS;
 extern void* (*memcpy)(void* dst, const void* src, size_t len) PAYLOAD_BSS;
 extern void* (*memset)(void *s, int c, size_t n) PAYLOAD_BSS;
-extern int (*sx_xlock)(struct sx *sx, int opts) PAYLOAD_BSS;
+extern int (*sx_xlock)(struct sx *sx, int opts, const char *file, int line) PAYLOAD_BSS;
 extern int (*sx_xunlock)(struct sx *sx) PAYLOAD_BSS;
 extern int (*fpu_kern_enter)(struct thread *td, struct fpu_kern_ctx *ctx, uint32_t flags) PAYLOAD_BSS;
 extern int (*fpu_kern_leave)(struct thread *td, struct fpu_kern_ctx *ctx) PAYLOAD_BSS;
 
 extern void* fpu_ctx PAYLOAD_BSS;
 extern struct sx* sbl_pfs_sx PAYLOAD_BSS;
 extern struct sbl_map_list_entry** sbl_driver_mapped_pages PAYLOAD_BSS;
+extern struct sbl_key_rbtree_entry** sbl_keymgr_key_rbtree PAYLOAD_BSS;
+extern struct sbl_key_slot_queue* sbl_keymgr_key_slots PAYLOAD_BSS;
+extern uint8_t* sbl_keymgr_buf_va PAYLOAD_BSS;
+extern uint64_t* sbl_keymgr_buf_gva PAYLOAD_BSS;
 
 extern int (*sceSblPfsKeymgrGenKeys)(union pfs_key_blob* key_blob) PAYLOAD_BSS;
 extern int (*sceSblPfsSetKeys)(uint32_t* ekh, uint32_t* skh, uint8_t* eekpfs, struct ekc* eekc, unsigned int pubkey_ver, unsigned int key_ver, struct pfs_header* hdr, size_t hdr_size, unsigned int type, unsigned int finalized, unsigned int is_disc) PAYLOAD_BSS;
 extern int (*sceSblKeymgrClearKey)(uint32_t kh) PAYLOAD_BSS;
 extern int (*sceSblKeymgrSetKeyForPfs)(union sbl_key_desc* key, unsigned int* handle) PAYLOAD_BSS;
+extern int (*sceSblKeymgrSetKeyStorage)(uint64_t key_gpu_va, unsigned int key_size, uint32_t key_id, uint32_t key_handle) PAYLOAD_BSS;
 extern int (*sceSblKeymgrSmCallfunc)(union keymgr_payload* payload) PAYLOAD_BSS;
 extern int (*sceSblDriverSendMsg)(struct sbl_msg* msg, size_t size) PAYLOAD_BSS;
 
@@ -269,7 +275,7 @@ PAYLOAD_CODE int my_mountpfs__sceSblPfsSetKeys(uint32_t* ekh, uint32_t* skh, uin
         goto err;
       }
 
-      sx_xlock(sbl_pfs_sx, 0);
+      sx_xlock(sbl_pfs_sx, 0, 0, 0);
       {
         memset(&enc_key_desc, 0, sizeof(enc_key_desc));
         {
@@ -409,6 +415,72 @@ PAYLOAD_CODE int my_sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new(union keymgr_pa
   return ret;
 }
 
+PAYLOAD_CODE static inline struct sbl_key_rbtree_entry* sceSblKeymgrGetKey(unsigned int handle)
+{
+  struct sbl_key_rbtree_entry* entry = *sbl_keymgr_key_rbtree;
+
+  while (entry)
+  {
+    if (entry->handle < handle)
+      entry = entry->right;
+    else if (entry->handle > handle)
+      entry = entry->left;
+    else if (entry->handle == handle)
+      return entry;
+  }
+
+  return NULL;
+}
+
+PAYLOAD_CODE static int my_sceSblKeymgrInvalidateKey__sx_xlock(struct sx* sx, int opts, const char* file, int line) {
+  printf("[ps4hen] my_sceSblKeymgrInvalidateKey__sx_xlock");
+
+  struct sbl_key_rbtree_entry* key_desc;
+  struct sbl_key_slot_desc* key_slot_desc;
+  unsigned key_handle;
+  int ret, ret2;
+
+  ret = sx_xlock(sx, opts, file, line);
+
+  if (TAILQ_EMPTY(sbl_keymgr_key_slots))
+    goto done;
+
+  TAILQ_FOREACH(key_slot_desc, sbl_keymgr_key_slots, list) {
+    key_handle = key_slot_desc->key_handle;
+    if (key_handle == (unsigned int)-1) {
+      /* unbounded */
+      continue;
+    }
+    key_desc = sceSblKeymgrGetKey(key_handle);
+    if (!key_desc) {
+      /* shouldn't happen in normal situations */
+      continue;
+    }
+    if (!key_desc->occupied) {
+      continue;
+    }
+    if (key_desc->desc.pfs.obf_key_id != PFS_FAKE_OBF_KEY_ID) {
+      /* not our key, just skip, so it will be handled by original code */
+      continue;
+    }
+    if (key_desc->desc.pfs.key_size != sizeof(key_desc->desc.pfs.escrowed_key)) {
+      /* something weird with key params, just ignore and app will just crash... */
+      continue;
+    }
+    memcpy(sbl_keymgr_buf_va, key_desc->desc.pfs.escrowed_key, key_desc->desc.pfs.key_size);
+    ret2 = sceSblKeymgrSetKeyStorage(*sbl_keymgr_buf_gva, key_desc->desc.pfs.key_size, key_desc->desc.pfs.obf_key_id, key_slot_desc->key_id);
+    if (ret2) {
+      /* wtf? */
+      continue;
+    }
+  }
+
+  done:
+  /* XXX: no need to call SX unlock because we'll jump to original code which expects SX is already locked */
+
+  return ret;
+}
+
 PAYLOAD_CODE void install_fpkg_hooks()
 {
   uint64_t flags, cr0;
@@ -421,6 +493,7 @@ PAYLOAD_CODE void install_fpkg_hooks()
   KCALL_REL32(kernbase, sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif_hook, (uint64_t)my_sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif);
   KCALL_REL32(kernbase, sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new_hook, (uint64_t)my_sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new);
   KCALL_REL32(kernbase, sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook, (uint64_t)my_sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg);
+  KCALL_REL32(kernbase, sceSblKeymgrInvalidateKey__sx_xlock_hook, (uint64_t)my_sceSblKeymgrInvalidateKey__sx_xlock);
   KCALL_REL32(kernbase, mountpfs__sceSblPfsSetKeys_hook1, (uint64_t)my_mountpfs__sceSblPfsSetKeys);
   KCALL_REL32(kernbase, mountpfs__sceSblPfsSetKeys_hook2, (uint64_t)my_mountpfs__sceSblPfsSetKeys);
 

kpayload/source/fself.c

@@ -15,6 +15,8 @@
 extern void* (*malloc)(unsigned long size, void* type, int flags) PAYLOAD_BSS;
 extern void (*free)(void* addr, void* type) PAYLOAD_BSS;
 extern void* (*memcpy)(void* dst, const void* src, size_t len) PAYLOAD_BSS;
+extern size_t (*strlen)(const char *str) PAYLOAD_BSS;
+extern char * (*strstr) (const char *haystack, const char *needle) PAYLOAD_BSS;
 
 extern void* M_TEMP PAYLOAD_BSS;
 extern struct sbl_map_list_entry** sbl_driver_mapped_pages PAYLOAD_BSS;
@@ -25,6 +27,7 @@ extern int (*sceSblAuthMgrGetSelfInfo)(struct self_context* ctx, struct self_ex_
 extern void (*sceSblAuthMgrSmStart)(void**) PAYLOAD_BSS;
 extern int (*sceSblAuthMgrIsLoadable2)(struct self_context* ctx, struct self_auth_info* old_auth_info, int path_id, struct self_auth_info* new_auth_info) PAYLOAD_BSS;
 extern int (*sceSblAuthMgrVerifyHeader)(struct self_context* ctx) PAYLOAD_BSS;
+extern int (*sceSblACMgrGetPathId) (const char* path) PAYLOAD_BSS;
 
 static const uint8_t s_auth_info_for_exec[] PAYLOAD_RDATA =
 {
@@ -377,6 +380,22 @@ PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox(unsigned
   return result;
 }
 
+PAYLOAD_CODE int my_sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId(const char* path) {
+	static const char* self_dir_prefix = "/data/self/";
+	const char* p;
+	int ret;
+
+	if (path) {
+		p = strstr(path, self_dir_prefix);
+		if (p)
+			path = p + strlen(self_dir_prefix);
+	}
+
+	ret = sceSblACMgrGetPathId(path);
+
+	return ret;
+}
+
 PAYLOAD_CODE void install_fself_hooks()
 {
   uint64_t flags, cr0;
@@ -391,6 +410,7 @@ PAYLOAD_CODE void install_fself_hooks()
   KCALL_REL32(kernbase, sceSblAuthMgrVerifyHeader_hook2, (uint64_t)my_sceSblAuthMgrVerifyHeader);
   KCALL_REL32(kernbase, sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook, (uint64_t)my_sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox);
   KCALL_REL32(kernbase, sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook, (uint64_t)my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox);
+  KCALL_REL32(kernbase, sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook, (uint64_t)my_sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId);
 
   intr_restore(flags);
   writeCr0(cr0);