Hack The PS4 - Status for End Users

8 minutes ago, twisted89 said:

I'm not sure we can cleanly exit dlclose through 'fixing' the knote. You can get a list of valid knotes through proc with td->td_proc->p_klist.kl_list.slh_first; if you memcpy one of them over the broken knote in the kernel payload, the PS4 still panics and shuts down.

 

Did you modify the knote after you copied it over?

For example, if you don't, this line https://github.com/freebsd/freebsd/blob/release/9.0.0/sys/kern/kern_event.c#L2104 will trigger an assert, causing the panic.

Then, based on f_isfd and kn_id (kn_kevent.ident), https://github.com/freebsd/freebsd/blob/release/9.0.0/sys/kern/kern_event.c#L2108

the list here will be valid the first time, but will it be null the second time around?

Finally, I remembered this from the dlclose article:

and I've also hinted at a few other things you can try: dumping and decrypting crash dumps (look into /dev/da0x6 and sceSblGetKernelCrashDumpEncKey)

 

6 minutes ago, Zer0xFF said:

 

Did you modify the knote after you copied it over?

For example, if you don't, this line https://github.com/freebsd/freebsd/blob/release/9.0.0/sys/kern/kern_event.c#L2104 will trigger an assert, causing the panic.

Then, based on f_isfd and kn_id (kn_kevent.ident), https://github.com/freebsd/freebsd/blob/release/9.0.0/sys/kern/kern_event.c#L2108

the list here will be valid the first time, but will it be null the second time around?

Finally, I remembered this from the dlclose article:

and I've also hinted at a few other things you can try: dumping and decrypting crash dumps (look into /dev/da0x6 and sceSblGetKernelCrashDumpEncKey)


Yes, setting the status still causes a panic. Not sure exactly what you mean about isfd? In this case the new knote has isfd set to 0.

27 minutes ago, twisted89 said:

 

Yes, setting the status still causes a panic. Not sure exactly what you mean about isfd? In this case the new knote has isfd set to 0.

 

isfd is checked to determine how the list is selected; the kn_id is used. I'm guessing the id is unique, but since you made a copy of it, there are 2 knotes with that id now.

If the list is null because it was cleared the first time around (since you stole it from another knote further down), then when this is called

#define SLIST_EMPTY(head) ((head)->slh_first == NULL)

the list is null, and so would its pointers be, thus crashing.

edit:

This point is invalid, since the id is of the kevent and not the knote, and while the knote will be cleared, I wouldn't imagine the kevent is... and I can't find any code that would suggest it is.

Edited by Zer0xFF

On 30/03/2016 at 11:27 AM, Zer0xFF said:

 

isfd is checked to determine how the list is selected; the kn_id is used. I'm guessing the id is unique, but since you made a copy of it, there are 2 knotes with that id now.

If the list is null because it was cleared the first time around (since you stole it from another knote further down), then when this is called

#define SLIST_EMPTY(head) ((head)->slh_first == NULL)

the list is null, and so would its pointers be, thus crashing.

edit:

This point is invalid, since the id is of the kevent and not the knote, and while the knote will be cleared, I wouldn't imagine the kevent is... and I can't find any code that would suggest it is.

 

Changing isfd had no effect; kn->kn_kq->kq_knlist and kn_id both appear to be valid.

Here are the structs if you want to give it a try:

 


/*
 * User-side mirrors of the FreeBSD 9.0 kqueue structures for the kernel
 * payload. Offsets in the comments are computed for these declarations on
 * x86-64; the PS4 kernel is FreeBSD 9.0-based, but verify them against a dump.
 */
#include <stdint.h>
#include <sys/types.h>

/* Kernel types that are only ever held by pointer here. */
struct ucred;
struct filedesc;
struct filterops;
struct witness;

#define TAILQ_ENTRY(type)						\
struct {								\
	void *tqe_next;		/* next element */			\
	void **tqe_prev;	/* address of previous next element */	\
}

#define TAILQ_HEAD(name, type)						\
struct name {								\
	void *tqh_first;	/* first element */			\
	void **tqh_last;	/* address of last next element */	\
}

#define SLIST_ENTRY(type)						\
struct {								\
	void *sle_next;		/* next element */			\
}

#define STAILQ_ENTRY(type)						\
struct {								\
	void *stqe_next;	/* next element */			\
}

/* FreeBSD 9.0 mutex: a lock_object (24 bytes) plus the lock word; 32 bytes. */
struct mtx {
	struct {
		const char	*lo_name;
		u_int		lo_flags;
		u_int		lo_data;
		struct witness	*lo_witness;
	} lock_object;
	volatile uintptr_t mtx_lock;
};

struct selfdlist { void *tqh_first; void **tqh_last; };

struct knote;
struct klist { struct knote *slh_first; };

/* Declared before selinfo, which embeds it by value. */
struct knlist {
	struct	klist	kl_list;
	void    (*kl_lock)(void *);	/* lock function */
	void    (*kl_unlock)(void *);
	void	(*kl_assert_locked)(void *);
	void	(*kl_assert_unlocked)(void *);
	void 	*kl_lockarg;		/* argument passed to kl_lockf() */
};

struct selinfo {
	struct selfdlist	si_tdlist;	/* List of sleeping threads. */
	struct knlist		si_note;	/* kernel note list */
	struct mtx		*si_mtx;	/* Lock for tdlist. */
};

struct sigio {
	union {
		void *siu_proc; /* (c)	process to receive SIGIO/SIGURG */
		void *siu_pgrp; /* (c)	process group to receive ... */
	} sio_u;
	SLIST_ENTRY(sigio) sio_pgsigio;	/* (pg)	sigio's for process or group */
	struct	sigio **sio_myref;	/* (c)	location of the pointer that holds
					 * 	the reference to this structure */
	struct	ucred *sio_ucred;	/* (c)	current credentials */
	pid_t	sio_pgid;		/* (c)	pgid for signals */
};

struct task {
	STAILQ_ENTRY(task) ta_link;	/* (q) link for queue */
	u_short	ta_pending;		/* (q) count times queued */
	u_short	ta_priority;		/* (c) Priority */
	void	*ta_func;		/* (c) task handler */
	void	*ta_context;		/* (c) argument for handler */
};

struct kqueue {
	struct		mtx kq_lock;
	int		kq_refcnt;
	SLIST_ENTRY(kqueue)	kq_list;
	TAILQ_HEAD(, knote)	kq_head;	/* list of pending event */
	int		kq_count;		/* number of pending events */
	struct		selinfo kq_sel;
	struct		sigio *kq_sigio;
	struct		filedesc *kq_fdp;
	int		kq_state;
#define KQ_SEL		0x01
#define KQ_SLEEP	0x02
#define KQ_FLUXWAIT	0x04			/* waiting for a in flux kn */
#define KQ_ASYNC	0x08
#define KQ_CLOSING	0x10
#define	KQ_TASKSCHED	0x20			/* task scheduled */
#define	KQ_TASKDRAIN	0x40			/* waiting for task to drain */
	int		kq_knlistsize;		/* size of knlist */
	struct		klist *kq_knlist;	/* list of knotes, indexed by fd */
	u_long		kq_knhashmask;		/* size of knhash */
	struct		klist *kq_knhash;	/* hash table for knotes */
	struct		task kq_task;
};

struct kevent {
	uintptr_t	ident;		/* identifier for this event; uintptr_t in FreeBSD
					 * 9.0 sys/event.h (u_int keeps the 32-byte size
					 * but shifts filter/flags/fflags by 4 bytes) */
	short		filter;		/* filter for event */
	u_short		flags;
	u_int		fflags;
	intptr_t	data;
	void		*udata;		/* opaque user data identifier */
};

struct knote {
	SLIST_ENTRY(knote)	kn_link;	/* for kq */			//0
	SLIST_ENTRY(knote)	kn_selnext;	/* for struct selinfo */	//8
	struct			knlist *kn_knlist;	/* f_attach populated */ //16
	TAILQ_ENTRY(knote)	kn_tqe;						//24
	struct			kqueue *kn_kq;	/* which queue we are on */	//40
	struct 			kevent kn_kevent;				//48
	int			kn_status;	/* protected by kq lock */	//80
#define KN_ACTIVE	0x01			/* event has been triggered */
#define KN_QUEUED	0x02			/* event is on queue */
#define KN_DISABLED	0x04			/* event is disabled */
#define KN_DETACHED	0x08			/* knote is detached */
#define KN_INFLUX	0x10			/* knote is in flux */
#define KN_MARKER	0x20			/* ignore this knote */
#define KN_KQUEUE	0x40			/* this knote belongs to a kq */
#define KN_HASKQLOCK	0x80			/* for _inevent */
	int			kn_sfflags;	/* saved filter flags */	//84
	intptr_t		kn_sdata;	/* saved data field */		//88
	union {				/* all members share one offset */	//96
		uint64_t *p_fp;		/* file data pointer */
		uint64_t *p_proc;	/* proc pointer */
		uint64_t *p_aio;	/* AIO job pointer */
		uint64_t *p_lio;	/* LIO job pointer */
	} kn_ptr;
	struct			filterops *kn_fop;				//104
	void			*kn_hook;					//112
	int			kn_hookid;					//120 (sizeof == 128)
#define kn_id		kn_kevent.ident
#define kn_filter	kn_kevent.filter
#define kn_flags	kn_kevent.flags
#define kn_fflags	kn_kevent.fflags
#define kn_data		kn_kevent.data
#define kn_fp		kn_ptr.p_fp
};

struct proc {
	char unk1[64];
	struct ucred *p_ucred;
	struct filedesc	*p_fd;	//untested
	char unk2[2220];
	u_short		p_xstat;	/* (c) Exit status; also stop sig. */
	struct knlist	p_klist;	/* (c) Knotes attached to this proc. */
};

If I missed something let me know. Gets quite messy with all these structs...

 

EDIT:

 

Trying to hook kvprintf at the moment so we can get some better output. Anyone trying to use the CPU write fixes readCr0 and writeCr0 from CTurt's article, keep in mind they are broken (intentionally?) and need fixing before they will work.

Edited by twisted89
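A user-space model of the list walk that FreeBSD 9.0's knote_drop() (the function in sys/kern/kern_event.c linked earlier in the thread) performs before it frees a knote, added here as an example; it is not kernel code and not from any of the posts. It trims the structs above to the fields the walk touches and replays the experiment described in the thread: a knote memcpy()'d from a valid one carries the same kn_id and kn_link, so the list that kn_id indexes still only reaches the original; SLIST_REMOVE() then walks the list looking for the copy, runs off the end and dereferences NULL, which is one way to get the observed panic. The names check_knote_drop, demo_*, and the f_isfd field placed directly in the knote (standing in for kn->kn_fop->f_isfd) are this example's own assumptions, and the KN_INFLUX KASSERT only fires in a kernel built with INVARIANTS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KN_ACTIVE 0x01
#define KN_INFLUX 0x10

/* Trimmed knote: only what knote_drop()'s list walk touches.
 * f_isfd normally lives in kn->kn_fop; inlined here (assumption). */
struct knote {
    struct knote *kn_link;   /* SLIST_ENTRY(knote) kn_link: next knote on the kq list */
    uintptr_t     kn_id;     /* kn_kevent.ident: for fd knotes, the fd number */
    int           kn_status;
    int           f_isfd;
};

struct klist { struct knote *slh_first; };

struct kqueue {
    struct klist *kq_knlist;      /* one list per fd, indexed by kn_id */
    int           kq_knlistsize;
};

enum drop_result {
    DROP_OK,             /* knote found on its list; SLIST_REMOVE() succeeds */
    DROP_NOT_INFLUX,     /* KASSERT(kn_status & KN_INFLUX) fires under INVARIANTS */
    DROP_BAD_ID,         /* non-fd knote (hash path not modelled) or kn_id past kq_knlist */
    DROP_EMPTY_LIST,     /* SLIST_EMPTY(): the kernel skips the remove and frees anyway */
    DROP_NOT_ON_LIST     /* SLIST_REMOVE() walks to NULL and dereferences it: a panic */
};

/* Same decisions as knote_drop(), but returns instead of faulting. */
enum drop_result check_knote_drop(const struct kqueue *kq, const struct knote *kn)
{
    if ((kn->kn_status & KN_INFLUX) != KN_INFLUX)
        return DROP_NOT_INFLUX;
    if (!kn->f_isfd || kn->kn_id >= (uintptr_t)kq->kq_knlistsize)
        return DROP_BAD_ID;

    const struct klist *list = &kq->kq_knlist[kn->kn_id];
    if (list->slh_first == NULL)
        return DROP_EMPTY_LIST;

    /* SLIST_REMOVE(): unless kn is the head, follow sle_next until the
     * element before kn; when kn is absent the cursor becomes NULL. */
    for (const struct knote *cur = list->slh_first; cur != NULL; cur = cur->kn_link)
        if (cur == kn)
            return DROP_OK;
    return DROP_NOT_ON_LIST;
}

/* Constructed scenario: one real knote on the list for fd 5, plus a copy of
 * it made with memcpy(), the way the thread patched the broken knote. */
static struct klist  lists[8];
static struct kqueue kq = { lists, 8 };
static struct knote  real_kn, forged_kn;

static void setup(void)
{
    memset(lists, 0, sizeof lists);
    real_kn = (struct knote){ .kn_link = NULL, .kn_id = 5, .kn_status = KN_ACTIVE, .f_isfd = 1 };
    lists[5].slh_first = &real_kn;
    memcpy(&forged_kn, &real_kn, sizeof forged_kn);
}

/* 1. A plain copy is not marked in flux: the KASSERT trips first. */
enum drop_result demo_plain_copy(void)
{
    setup();
    return check_knote_drop(&kq, &forged_kn);
}

/* 2. With KN_INFLUX set, kn_id selects the right list, but only the
 *    original is linked there: SLIST_REMOVE() runs off the end. */
enum drop_result demo_copy_with_influx(void)
{
    setup();
    forged_kn.kn_status |= KN_INFLUX;
    return check_knote_drop(&kq, &forged_kn);
}

/* 3. Splice the copy onto the list its kn_id maps to before dlclose runs. */
enum drop_result demo_copy_linked(void)
{
    setup();
    forged_kn.kn_status |= KN_INFLUX;
    forged_kn.kn_link = lists[5].slh_first;
    lists[5].slh_first = &forged_kn;
    return check_knote_drop(&kq, &forged_kn);
}

int main(void)
{
    static const char *names[] = { "ok", "not in flux", "bad id", "empty list", "not on list" };
    printf("plain copy:       %s\n", names[demo_plain_copy()]);
    printf("copy + KN_INFLUX: %s\n", names[demo_copy_with_influx()]);
    printf("copy spliced in:  %s\n", names[demo_copy_linked()]);
    return 0;
}
```

To use this against a real dump, fill lists[] from kq_knlist read out of the kernel and point forged_kn at the knote the payload intends to plant; the result tells you which check knote_drop() would fail before the console has to panic to tell you.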
On 30 March 2016 at 11:51 AM, twisted89 said:

EDIT:

 

Trying to hook kvprintf at the moment so we can get some better output. Anyone trying to use the CPU write fixes readCr0 and writeCr0 from CTurt's article, keep in mind they are broken (intentionally?) and need fixing before they will work.

 

 

fail0verflow have that in their code; theirs is slightly different.

https://github.com/fail0verflow/ps4-kexec/blob/master/x86.h#L36

https://github.com/fail0verflow/ps4-kexec/blob/master/kernel.c#L164

Edit: also, could the crash be due to an invalid knote structure?

If, for example, our knote is 32 bytes long while, let's say, the knote size should be 34 bytes,

when the next knote is called by dlclose, the first knote will over-read by 2 bytes; however, it should read fine, but the next knote will start reading 2 bytes into the structure and 2 bytes into the next knote. Now, trying to read this knote's variables would obviously cause a crash, no?

Edited by Zer0xFF

6 hours ago, Zer0xFF said:

Those two things are not really relevant; it's just an even nicer way to write it.

CTurt reads cr0 and stores the value first, then bitwise-flips the bits of the value X86_CR0_WP and bitwise-ANDs (&) it with the stored cr0 before writing the value.

To restore, he simply uses the stored value read from cr0.

Marcan does not store cr0 first. He simply writes cr0, but before that the value of cr0 is read, CR0_WP is bitwise-flipped, and then it is bitwise-ANDed (&). After this the result is written to cr0 with this one cr0_write() function.

To restore, he again uses the cr0_write() function, but before that the value of cr0 is read again and then bitwise-ORed (|) with the non-flipped value of CR0_WP.

If you take those values, in their bit representation, and manually bitwise-flip, AND (&) and OR (|) them, you get back the same result to restore WP in the end, as it was on the first read before it got ANDed with the bit-flipped CR0_WP value.

It is the same result that CTurt has stored in his cr0 variable.

Marcan is just more hardcore; he has sex with C ^^ :P :D

Edited by cfwprophet


Yeah @SonyUSA, I've been wondering where he is as well; it's almost April 1st for me, way over here on this side of the planet.

EDIT: a day has almost passed.

Edited by B7U3C50SS


 

9 hours ago, cfwprophet said:

Those two things are not really relevant; it's just an even nicer way to write it.

CTurt reads cr0 and stores the value first, then bitwise-flips the bits of the value X86_CR0_WP and bitwise-ANDs (&) it with the stored cr0 before writing the value.

To restore, he simply uses the stored value read from cr0.

Marcan does not store cr0 first. He simply writes cr0, but before that the value of cr0 is read, CR0_WP is bitwise-flipped, and then it is bitwise-ANDed (&). After this the result is written to cr0 with this one cr0_write() function.

To restore, he again uses the cr0_write() function, but before that the value of cr0 is read again and then bitwise-ORed (|) with the non-flipped value of CR0_WP.

If you take those values, in their bit representation, and manually bitwise-flip, AND (&) and OR (|) them, you get back the same result to restore WP in the end, as it was on the first read before it got ANDed with the bit-flipped CR0_WP value.

It is the same result that CTurt has stored in his cr0 variable.

Marcan is just more hardcore; he has sex with C ^^ :P :D

As I mentioned above, those functions are broken (what looks like intentionally) and need fixing. Some of the asm commands are round the wrong way.

The example given in CTurt's article works fine if you fix the asm commands.

Edited by twisted89

1 hour ago, twisted89 said:

As I mentioned above, those functions are broken (what looks like intentionally) and need fixing. Some of the asm commands are round the wrong way.

And what does that have to do with @Zer0xFF's remarks and what I explained? Nothing. ^^

You are right, but it's not the remark and what I said. It's this:

CTurt:
asm volatile ("movq %%cr0, %0;" : "=r" (cr0) : : "memory");
asm volatile ("movq %0, %%cr0;" : : "r" (cr0) : "memory");

Marcan:
asm volatile("mov %0, cr0;" : "=r" (reg));
asm volatile("mov cr0, %0;" :: "r" (val));

And yeah, it's not the first time that I've stumbled across such "noob protections". Devs do that to prevent noobs, or better said skids, from being able to use their source, so only a dev who knows how to do that shit will be able to get it fixed.

I simply call it noob protection. :D

Anyway, as we can see here, the register and the data are the wrong way round in CTurt's source. movq moves a quad, or QWORD, so a 64-bit value; that's OK. But the syntax is data ---> destination, which means that for reading we first need the register as the data, so %0, and the destination is then the buffer cr0; and to write back, cr0 ---> %0.

EDIT:

Hahahahaha, it doesn't even need to be noob protection by him; maybe it goes even deeper. If you enter the syntax from @CTurt into Google, it will spit out this shit, and the second link then brings up a system_64.h. Now... go down to line 77 and tell me what's written there. ^^

Also compare all the other movq asm instructions. ALL WRONG!! :D :rotflmao:

It's clearly data ---> destination and not the other way around. Also, it's the first time I have ever seen this double percentage %%. One % describes a register, so that's OK, but from what I have googled, and based on the sources with asm that I have at home from other devs and hackers... I can't find a double % anywhere.

So it must not necessarily be pure evil of @CTurt or so. I guess he simply copied those examples out, which does not change that he should know the syntax of movq ^^.

Anyway, back to work.

EDIT2:

OK, found something with double percentage. ^^

Edited by cfwprophet
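The two CR0 write-protect handling styles compared in the posts above, as an added example that is not code from the thread, from CTurt's article or from fail0verflow's ps4-kexec. It assumes an x86-64 payload already running at ring 0 for the real register accesses, which are compiled in only when USE_REAL_CR0 is defined; by default CR0 is a simulated variable so the logic runs on a PC. The names cr0_read, cr0_write, kpatch_saved and kpatch_rmw are this example's own. On the syntax point: GCC's extended asm uses AT&T operand order (source first) unless built with -masm=intel, and in an AT&T template a literal register is spelled %%cr0 because a single % introduces an operand such as %0; the fail0verflow snippet is written in Intel order, which GCC accepts only when Intel syntax is selected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_CR0_WP (1ULL << 16)  /* CR0.WP: while set, ring 0 cannot write read-only pages */

#ifdef USE_REAL_CR0
/* Ring 0 only. AT&T syntax: source operand first, %%cr0 for the register. */
static inline uint64_t cr0_read(void)
{
    uint64_t v;
    __asm__ volatile ("movq %%cr0, %0" : "=r"(v) : : "memory");
    return v;
}
static inline void cr0_write(uint64_t v)
{
    __asm__ volatile ("movq %0, %%cr0" : : "r"(v) : "memory");
}
#else
/* Simulated CR0 so the logic runs in user space. Constructed value:
 * PG|AM|WP|NE|ET|MP|PE, i.e. WP set, as a kernel normally leaves it. */
static uint64_t sim_cr0 = 0x80050033ULL;
static inline uint64_t cr0_read(void) { return sim_cr0; }
static inline void cr0_write(uint64_t v) { sim_cr0 = v; }
#endif

/* Style 1 (the CTurt article): save CR0, clear WP, write, put the saved value back. */
void kpatch_saved(void *dst, const void *src, size_t len)
{
    uint64_t saved = cr0_read();
    cr0_write(saved & ~X86_CR0_WP);
    memcpy(dst, src, len);
    cr0_write(saved);
}

/* Style 2 (fail0verflow's kexec): read-modify-write on entry and again on exit. */
void kpatch_rmw(void *dst, const void *src, size_t len)
{
    cr0_write(cr0_read() & ~X86_CR0_WP);
    memcpy(dst, src, len);
    cr0_write(cr0_read() | X86_CR0_WP);
}

/* Both styles: the bytes land and CR0 comes back exactly as found. Returns 1 on success. */
int wp_roundtrip_ok(void)
{
    uint8_t target[4] = { 0x90, 0x90, 0x90, 0x90 };       /* constructed: NOPs standing in for kernel text */
    const uint8_t patch[4] = { 0x31, 0xC0, 0xC3, 0x90 };  /* xor eax,eax ; ret ; nop */
    uint64_t before = cr0_read();

    kpatch_saved(target, patch, sizeof patch);
    if (cr0_read() != before || memcmp(target, patch, sizeof patch) != 0)
        return 0;

    memset(target, 0x90, sizeof target);
    kpatch_rmw(target, patch, sizeof patch);
    if (cr0_read() != before || memcmp(target, patch, sizeof patch) != 0)
        return 0;
    return 1;
}

/* Where the styles differ: if WP was already clear on entry (a nested patch,
 * or a payload that never re-armed it), style 1 leaves it clear and style 2
 * sets it. Returns 1 when that difference is observed. */
int rmw_rearms_wp(void)
{
    uint64_t orig = cr0_read();
    uint64_t wp_clear = orig & ~X86_CR0_WP;
    uint8_t byte = 0;
    const uint8_t one = 1;

    cr0_write(wp_clear);
    kpatch_saved(&byte, &one, 1);
    int saved_left_clear = (cr0_read() == wp_clear);

    cr0_write(wp_clear);
    kpatch_rmw(&byte, &one, 1);
    int rmw_set_wp = (cr0_read() & X86_CR0_WP) != 0;

    cr0_write(orig);                 /* leave the register as we found it */
    return saved_left_clear && rmw_set_wp;
}

int main(void)
{
    printf("round trip ok: %d\n", wp_roundtrip_ok());
    printf("rmw re-arms WP when it was clear: %d\n", rmw_rearms_wp());
    return 0;
}
```

The saved-value style is the one to prefer when patches can nest, since it restores whatever WP state the caller had; the read-modify-write style is fine for a single top-level patch and has the side effect of always leaving WP armed, which is also what you want before returning to userland.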
32 minutes ago, wildcard said:

Ayyy, kr105 posted a working method! Now we can see what we have been doing wrong/different. :) https://github.com/kR105/PS4-dlclose

 

 

Good spot. Just tested; it seems to work fine and the PS4 shuts down properly after indicating no locked resources. He uses some trampoline code to return to userland; haven't analysed it much, more interested in a fully working return now :lol:


At first I thought it was an April Fools' joke lol, but after seeing the source and finally testing it, it turned out to be a nice surprise. Thanks kr105! Just need to add the code for Linux and good to go.


Finally someone found it ^^

It has been on CTurt's GitHub site all along. :)

Well then, I shall finish my work on dlclose in the next few days and release my mod.

Yes, it can boot Linux, but that is not my intention. I'm working right now on the PS4 to push something so that other devs can jump in and have fun.

And I have "raped" f0f's kexec method and will use that for us, to have a place where we can run our apps in kernel memory with kernel rights and all that fun shit.

 

1 hour ago, cfwprophet said:

Finally someone found it ^^

It has been on CTurt's GitHub site all along. :)

Well then, I shall finish my work on dlclose in the next few days and release my mod.

Yes, it can boot Linux, but that is not my intention. I'm working right now on the PS4 to push something so that other devs can jump in and have fun.

And I have "raped" f0f's kexec method and will use that for us, to have a place where we can run our apps in kernel memory with kernel rights and all that fun shit.

 

I don't understand your English half the time, but I hope it means fun tools for everyone soon! xP


That English thing is as old as my time in the scene...

Funny thing... it seems that I, with my "crappy" English, at least understand more than some other guys out there. Go back in this thread and look at when I said something about the JIT array, besides the fact that it is even written on @CTurt's GitHub page.

See, funny: people complain about my English, and at the same time they need nearly weeks, if not months, to come to the solution, and then it is taken from someone else.

And you cannot blame that shit on my "crappy" English either, because @CTurt's is much better and he even wrote it on his page.

... your turn now ^^ :D

4 hours ago, wildcard said:

At first I thought it was an April Fools' joke lol, but after seeing the source and finally testing it, it turned out to be a nice surprise. Thanks kr105! Just need to add the code for Linux and good to go.

 

He also just updated the playground with a Linux loader.

1 hour ago, Zer0xFF said:

 

He also just updated the playground with a Linux loader.

 

First time the console shut down, second time a black screen. Don't know if he has added the code to the playground, but I think we have to load a .bin before those 2 files from USB.


31 minutes ago, eXtreme said:

 

First time the console shut down, second time a black screen. Don't know if he has added the code to the playground, but I think we have to load a .bin before those 2 files from USB.

 

Works fine for me; if the USB stick isn't FAT32 it will do that.

24 minutes ago, SonyUSA said:

 

Works fine for me; if the USB stick isn't FAT32 it will do that.

 

FAT32 and exFAT give me a black screen, and NTFS gives me the out-of-memory error. initramfs.cpio.gz and bzImage are in the root of my USB stick. I only opened the playground and tried to load it; don't know what I'm doing wrong if you say it works for you.

After multiple tries, NTFS gives me a black screen too and shuts down the console.

Edited by eXtreme

1 hour ago, eXtreme said:

 

FAT32 and exFAT give me a black screen, and NTFS gives me the out-of-memory error. initramfs.cpio.gz and bzImage are in the root of my USB stick. I only opened the playground and tried to load it; don't know what I'm doing wrong if you say it works for you.

After multiple tries, NTFS gives me a black screen too and shuts down the console.

 

Erm... you ARE running the completed DLCLOSE exploit first as a .bin... right? :P

I haven't tested running it right after the jailbreak/root escalation, but I close the browser and then re-open it, as the documentation suggests, before running a new function, and it works great :D

Edited by SonyUSA


OK, thanks for the info. I thought we had to load a bin file before.



No. dlclose "should" have its own call that prepares, aka loads, the files from USB into a buffer and hands both buffers over to a previously installed custom system call, which then copies the buffers again from userland into the allocated kernel memory where sys_kexec is waiting for both files, and which will be executed after it.

Now it depends on when or how that CSS with the preparation is called again. You can call it right after the dlclose and run Linux. You can compile your own binary that will just do this CSS. There are for sure more possibilities than only these two for what or when you can trigger Linux, like e.g. making a userland call from the WK and triggering it.

 

 

Edited by cfwprophet


Using kr105's files, all I had to do was insert a FAT32-formatted USB stick into the top USB port and press Load Linux on the playground, no dlclose bin sent. So far just getting this screen... http://postimg.org/image/n4qx8gqkp/

Okay, now with kr105's files I've got a command line and it's working with the keyboard I have plugged in :) No idea what to do now lol

Edited by wildcard

Thanks for the link; I had used a wrong file. It works without the kernel exploit from a FAT32 USB stick.

IMAG2624.jpg

Problem is, it doesn't work again!? After I took this picture I wanted to make a video, but every time a black screen.

Edited by eXtreme