Disabling userland ASLR and Enabling QA menu?


wildcard

So lately I've been able to dump PS4 kernel memory using hito's SDK and taking inspiration from cTurt's work. I want to be able to dump userland memory more easily without my PS4 crashing because I've got the wrong addresses. I just so happened to find a function called sceSblRcMgrIsAllowDisablingAslr in my kernel dump, and after tracing it, it links to an unk_FFFFFFFF83324318 in kernel memory at 0xFFFFFFFF83324318. Now there are a bunch of other functions that refer to this address in a similar fashion to how the debug menu function worked. I also saw this function sceSblRcMgrIsSoftwagnerQafForAcmgr; I'm guessing this could be a function to enable a QA menu? Unless all options are enabled in the debug menu and that is effectively what a QA menu would be; it just got me curious. Anyway, these functions link to this unk_FFFFFFFF83324318 in a similar fashion to how the debug menu was. So I'm thinking that ASLR can be disabled like debug/store mode was enabled by kR105.

 

// sysctl_machdep_rcmgr_debug_menu and sysctl_machdep_rcmgr_store_mode
*(uint16_t *)0xFFFFFFFF82607C46 = 0x9090;
*(uint16_t *)0xFFFFFFFF82607826 = 0x9090;

// the two flag bytes referred to below
*(char *)0xFFFFFFFF8332431A = 1;
*(char *)0xFFFFFFFF83324338 = 1;

 

I understand those char pointers point to an unk that sets the values to 1, which would be the same for the unk linked to the ASLR disable. Yet I have no idea how he worked out where to change and what to change it to for the unsigned ints. They are in the hex dump, but I see no reference to those locations in kernel code. Any help would be appreciated!

 

I've been looking into how we could possibly mount and decrypt PS4 filesystem partitions such as sbram and sflash, as well as the other partitions. I've found a sceSblServiceCrypt function that I believe is the equivalent to geli or gbde for FreeBSD, but Sony's take on those interfaces. Makes sense, since geli creates files like sflash0.geli and crypt would logically create a sflash0.crypt.


Uhm.. first, may I be allowed to ask how 'big' your kernel dump is?

And then, the stuff you talk about here is already known. Please calm down and wait those 2 months till NEO and VR are released.


1 hour ago, cfwprophet said:

Uhm.. first, may I be allowed to ask how 'big' your kernel dump is?

And then, the stuff you talk about here is already known. Please calm down and wait those 2 months till NEO and VR are released.

 

My dump is 15,025 KB using ps4KernelCall(ps4KernelMemoryCopy, (void *)0xffffffff80700000, dump, 0xeac180)

Any later and it fails, and before it I can dump up to 0xFFFFFFFF80000000, which has BIOS_FLASH data in a mix of compressed and encrypted.

 

I was only asking because I haven't seen anyone mention disabling ASLR, only a hint at the function by cTurt when looking into UART enabling.

lol, I may just be outta the circle and didn't pick up on that consensus, cfwprophet.


UART does not work on retail consoles even if enabled. That is more a feature for Dev / Test consoles.
And no, that is not a full dump. This is only the symbol table, not even the code page of the kernel itself. So it is no wonder that you can't find the offset of the function call within your dump.
Sure you can dump further. I have a 32 MB dump from someone else too, but that is not the point here...

You should maybe read the kernel's data header to get the complete size of the kernel. And even then, it seems you may be doing a bit wrong if you can only dump those 15 MB. ^^

 

I give you a hint.... I never heard of 'ps4KernelMemoryCopy'. You do that with basic shit C.

 

It has nothing to do with

Quote

lol, I may just be outta the circle and didn't pick up on that consensus, cfwprophet.

it's just that people who trust each other to a specific point do share some stuff they achieved. That is all. And given what happened in the past, dude, it is no wonder. We get some nice stuff, and the next day half of it is leaked. So don't put that shit on us. Go put it on the persons responsible for this.


That pretty much answered my questions, thanks for the info.

 

1 hour ago, cfwprophet said:

I give you a hint.... I never heard of 'ps4KernelMemoryCopy'. You do that with basic shit C.

 

It was a reference to hitodama's SDK: https://github.com/ps4dev/ps4sdk/blob/master/common/kernel/source/kernel/memory.c

Basic shit C is where I'm at..

 

Quote

it's just that people who trust each other to a specific point do share some stuff they achieved. That is all. And given what happened in the past, dude, it is no wonder. We get some nice stuff, and the next day half of it is leaked. So don't put that shit on us. Go put it on the persons responsible for this.

 

Yeah, screw that/them; I'd be so pissed if someone took something I worked on without my permission. Don't take that 'outta the circle' comment as if I'm against a circle, lol; I just meant that it was new information to me and I just didn't know.


Well, in the main there is no real circle ^^
I just, e.g., did my homework, and when I really need to ask something in 10 years or so, then I do it, but I show that I did my homework first, and then I don't ask for the solution; I'm asking if I'm on the right way.
So some other hint: Google for the basic Linux ELF header for 64 bit and for the ELF documentation for Unix / Linux systems.
Read that, check the ELF structure, take the last block away and you have the PS4 ELF. ^^

Also you may not be able to read the whole kernel because you may be forgetting it is not a PS3 anymore, meaning even if we play games, the OS is still running in the background. So you may have hit an offset where code is executed the moment you want to read it.
Google for the ASM commands for Unix / Linux for interruption and also have a look into Marcan's kernel source for the PS4. ;)

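As an added example (not code from this thread, from the ps4sdk, or from any console tool), here is a plain ELF64 header reader in C that does what the "read the kernel's data header" / "check the ELF structure" advice above points at: it walks the program header table and reports the virtual-address span covered by the PT_LOAD segments, which is the size a complete in-memory copy of the image has to cover. It assumes a standard System V little-endian ELF64 layout, runs on a constructed sample buffer rather than a real dump, and models none of the PS4-specific header differences the post alludes to. It also handles the failure mode discussed in the thread, a dump that holds the header but is cut off before the program header table, by refusing to read past the bytes it actually has.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte offsets inside an Elf64_Ehdr and Elf64_Phdr (System V ABI). Fields are
 * read and written through explicit little-endian helpers so the code never
 * depends on struct packing or host endianness. */
enum {
    EHDR_SIZE = 64, PHDR_SIZE = 56,
    EI_CLASS = 4, EI_DATA = 5, ELFCLASS64 = 2, ELFDATA2LSB = 1,
    E_PHOFF = 32, E_PHENTSIZE = 54, E_PHNUM = 56,
    P_TYPE = 0, P_VADDR = 16, P_MEMSZ = 40,
    PT_LOAD = 1, PT_NOTE = 4
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Reports the span of the PT_LOAD segments of an ELF64 image held in memory:
 * *lo = lowest p_vaddr, *hi = highest p_vaddr + p_memsz (memsz, not filesz,
 * so .bss counts). Returns 0 on success, -1 for bad magic/class/byte order,
 * -2 if the program header table lies beyond the bytes we hold (a truncated
 * dump), -3 if there is no PT_LOAD segment at all. */
int elf64_loaded_extent(const uint8_t *img, size_t len, uint64_t *lo, uint64_t *hi)
{
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 ||
        img[EI_CLASS] != ELFCLASS64 || img[EI_DATA] != ELFDATA2LSB)
        return -1;
    uint64_t phoff = rd64(img + E_PHOFF);
    uint16_t phentsize = rd16(img + E_PHENTSIZE);
    uint16_t phnum = rd16(img + E_PHNUM);
    /* Never read past the buffer: a partial dump may stop before the table. */
    if (phentsize < PHDR_SIZE || phoff > len ||
        (uint64_t)phnum * phentsize > len - phoff)
        return -2;
    int found = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * phentsize;
        if (rd32(ph + P_TYPE) != PT_LOAD)
            continue;
        uint64_t va = rd64(ph + P_VADDR);
        uint64_t end = va + rd64(ph + P_MEMSZ);
        if (!found || va < *lo) *lo = va;
        if (!found || end > *hi) *hi = end;
        found = 1;
    }
    return found ? 0 : -3;
}

/* Constructed sample image (not a real kernel): a 64-byte header followed by
 * three program headers, two PT_LOAD and one PT_NOTE. Returns bytes written,
 * or 0 if buf is too small. All addresses and sizes are made up. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    size_t need = EHDR_SIZE + 3 * PHDR_SIZE;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[EI_CLASS] = ELFCLASS64;
    buf[EI_DATA] = ELFDATA2LSB;
    wr64(buf + E_PHOFF, EHDR_SIZE);
    wr16(buf + E_PHENTSIZE, PHDR_SIZE);
    wr16(buf + E_PHNUM, 3);
    uint8_t *ph = buf + EHDR_SIZE;
    wr32(ph + P_TYPE, PT_LOAD);                 /* text: 0x1000 bytes */
    wr64(ph + P_VADDR, 0xffffffff80000000ULL);
    wr64(ph + P_MEMSZ, 0x1000);
    ph += PHDR_SIZE;
    wr32(ph + P_TYPE, PT_NOTE);                 /* must not affect the span */
    wr64(ph + P_VADDR, 0xffffffff80001000ULL);
    wr64(ph + P_MEMSZ, 0x100);
    ph += PHDR_SIZE;
    wr32(ph + P_TYPE, PT_LOAD);                 /* data + bss, ends at ...5000 */
    wr64(ph + P_VADDR, 0xffffffff80003000ULL);
    wr64(ph + P_MEMSZ, 0x2000);
    return need;
}

int main(void)
{
    uint8_t buf[256];
    uint64_t lo, hi;
    size_t n = build_sample_image(buf, sizeof buf);
    if (elf64_loaded_extent(buf, n, &lo, &hi) != 0)
        return 1;
    printf("PT_LOAD span 0x%llx..0x%llx, %llu bytes\n", (unsigned long long)lo,
           (unsigned long long)hi, (unsigned long long)(hi - lo));
    return 0;
}
```

The span is computed from p_memsz rather than p_filesz on purpose: a copy that only covers the file-backed bytes misses the zero-filled tail of the data segment, which is exactly the kind of "my dump is smaller than the kernel" result the thread is discussing.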

inb4 the token is signed and you need private keys to do it....
