WIP 11.00 Support part 2

EchoStretch · May 3, 2024 · 2d96a6c · 2d96a6c
1 parent 7568672
commit 2d96a6c
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 26 deletions.
diff --git a/stage2/offsets.h b/stage2/offsets.h
@@ -7,7 +7,7 @@
 
 #ifndef __OFFSETS_H__
 #define __OFFSETS_H__
-
+//#define ENABLE_DEBUG_MENU 1
 
 #if FIRMWARE == 900 // FW 9.00
 
@@ -106,37 +106,36 @@
 /*=================== POrt these =======================*/
 
 #if ENABLE_DEBUG_MENU
-#define enable_data_mount_patch 0x0032079B
-#define enable_fpkg_patch 0x003D7AFF
-#define fake_free_patch 0x00FD3211
-#define pkg_installer_patch 0x00A10A81
-#define ext_hdd_patch 0x006180FD
-#define debug_trophies_patch 0x00743299
-
-#define sceKernelIsGenuineCEX 0x0016EAA4
-#define sceKernelIsGenuineCEX_1 0x008621D4
-#define sceKernelIsGenuineCEX_2 0x008AFBC2
-#define sceKernelIsGenuineCEX_3 0x00A27BD4
-#define dipsw_libSceDipsw 0x0016EAD2 
-#define dipsw_libSceDipsw_1 0x00249F7B 
-#define dipsw_libSceDipsw_2 0x00862202 
-#define dipsw_libSceDipsw_3 0x00A27C02 
+#define enable_data_mount_patch 0x31F070//
+#define enable_fpkg_patch 0x3D7C9F //
+#define fake_free_patch 0x0FC8439 //
+#define pkg_installer_patch 0xA06C11 //
+#define ext_hdd_patch 0x60E17D //
+
+#define sceKernelIsGenuineCEX 0x16B664 //
+#define sceKernelIsGenuineCEX_1 0x249DDB //
+#define sceKernelIsGenuineCEX_2 0x8BC022 //
+#define sceKernelIsGenuineCEX_3 0x0A1D6C4//
+#define dipsw_libSceDipsw 0x016B692 // 
+#define dipsw_libSceDipsw_1 0x249E0C //
+#define dipsw_libSceDipsw_2 0x086BD52 //
+#define dipsw_libSceDipsw_3 0xA1D6F2 // 
 #endif
 
 // libkernel_sys.srpx 
-#define _scePthreadAttrInit_offset 0x14010
+#define _scePthreadAttrInit_offset 0x14010 
 #define _scePthreadAttrSetstacksize_offset 0x14030
 #define _scePthreadCreate_offset 0x14450
 #define _thr_initial_offset 0x8E830
 
 //kern
-#define vm_map_protect_p 0x0035C8EC
+#define vm_map_protect_p 0x0035C710
 #define ptrace_p 0x00384285
 #define ptrace_p2 0x00384771
 #define disable_aslr_p 0x003B11A4
-#define sceSblACMgrIsAllowedSystemLevelDebugging_p 0x002A0670
-#define kemem_2 0x00245EE4
-#define kemem_1 0x00245EDC
+#define sceSblACMgrIsAllowedSystemLevelDebugging_p 0x003D0DE0
+#define kemem_2 0x00245EE3
+#define kemem_1 0x00245EDA
 #define vm_map_lock_offset  0x00357760
 #define vm_map_insert_offset 0x00358AB0
 #define vm_map_unlock_offset  0x003577D0

diff --git a/stage2/proc_utils.c b/stage2/proc_utils.c
@@ -256,7 +256,6 @@ int proc_create_thread(struct thread *td, uint8_t *kbase, struct proc *p, uint64
     printf("entries->start: %p, entries->offset %p, num_entries %d\n", entries->start, entries->offset, num_entries);
 
     // offsets are for 9.00 libraries
-
     uint64_t _scePthreadAttrInit = 0, _scePthreadAttrSetstacksize = 0, _scePthreadCreate = 0, _thr_initial = 0;
     for (int i = 0; i < num_entries; i++) {
         if (entries[i].prot != (PROT_READ | PROT_EXEC)) {

diff --git a/stage2/stage2.c b/stage2/stage2.c
@@ -7,6 +7,7 @@
 
 // clang-format off
 #include "proc_utils.h"
+#include <string.h>
 
 extern uint8_t payloadbin[];
 extern int32_t payloadbin_size;
@@ -300,12 +301,13 @@ int shellcore_fpkg_patch(struct thread * td, uint8_t * kbase) {
   ret = proc_write_mem(td, kbase, ssc, (void * )(text_seg_base + ext_hdd_patch), 1, "\xEB", & n);
   if (ret)
     goto error;
-
+#if FIRMWARE == 900 // FW 9.00
   // enable debug trophies on retail
   ret = proc_write_mem(td, kbase, ssc, (void * )(text_seg_base + debug_trophies_patch), 5, "\x31\xc0\x90\x90\x90", & n);
   if (ret) {
     goto error;
   }
+#endif
 
   error:
     if (entries)
@@ -399,7 +401,12 @@ void stage2(void) {
   OrbisNotificationRequest notify = {};
   notify.targetId = -1;
   notify.useIconImageUri = 1;
+#if !ENABLE_DEBUG_MENU
   memcpy( & notify.message, "PPPwned: Payload Injected successfully", 40);
+#else
+  memcpy( & notify.message, "PPPwned: Debug Settings enabled", 33);
+#endif
+   int fd;
 
   struct thread * td = curthread;
   void( * vm_map_lock)(struct vm_map * map) = (void * )(kbase + vm_map_lock_offset);
@@ -412,13 +419,27 @@ void stage2(void) {
     (void * )(kbase + vm_map_insert_offset);
   int( * vm_map_unlock)(struct vm_map * map) = (void * )(kbase + vm_map_unlock_offset);
 
-  #if ENABLE_DEBUG_MENU
+#if ENABLE_DEBUG_MENU
   printf("Enabling Debug Menu\n");
   shellui_patch(td, kbase);
   shellcore_fpkg_patch(td, kbase);
   printf("Done.\n");
-  #endif
-  int fd;
+
+   fd = ksys_open(td, "/dev/notification0", O_WRONLY, 0);
+  if (!fd)
+    fd = ksys_open(td, "/dev/notification0", O_WRONLY | O_NONBLOCK, 0);
+  if (!fd)
+    fd = ksys_open(td, "/dev/notification1", O_WRONLY, 0);
+  if (!fd)
+    fd = ksys_open(td, "/dev/notification1", O_WRONLY | O_NONBLOCK, 0);
+
+  if (fd) {
+    ksys_write(td, fd, & notify, sizeof(notify));
+    ksys_close(td, fd);
+  }
+
+return 0;
+#endif
 
   #if USB_LOADER
  void* buffer = NULL;