Everything posted by twisted89

  1. Anyone got ptrace/proc_rwmem working properly? Just keeps stalling here.
  2. The only other thing I can think of is a bad USB stick. @eXtreme, have you tried a different one?
  3. I saw something about it only working at 1080p a while back, not sure if that's still an issue though.
  4. Good spot; just tested, and it seems to work fine: the PS4 shuts down properly after indicating no locked resources. He uses some trampoline code to return to userland; I haven't analysed it much, as I'm more interested in a fully working return now.
  5. As I mentioned above, those functions are broken (intentionally, by the looks of it) and need fixing. Some of the asm commands are the wrong way round. The example given in cturt's article works fine if you fix the asm commands.
  6. Changing isfd had no effect; kn->kn_kq->kq_knlist and kn_id both appear to be valid. Here are the structs if you want to give it a try:

```c
#include <sys/types.h>   /* pid_t, u_short, u_int, u_long */
#include <stdint.h>      /* uint64_t, intptr_t */

/* Queue-entry macros. TAILQ_ENTRY and SLIST_ENTRY are as posted (void* links);
 * STAILQ_ENTRY and TAILQ_HEAD are used below but were not defined in the post,
 * so they are supplied here in the same style so the file compiles. */
#define TAILQ_ENTRY(type) \
struct { \
    void *tqe_next;   /* next element */ \
    void **tqe_prev;  /* address of previous next element */ \
}
#define SLIST_ENTRY(type) \
struct { \
    void *sle_next;   /* next element */ \
}
#define STAILQ_ENTRY(type) \
struct { \
    void *stqe_next;  /* next element */ \
}
#define TAILQ_HEAD(name, type) \
struct name { \
    void *tqh_first;  /* first element */ \
    void **tqh_last;  /* address of last next element */ \
}

/* Kernel types that only appear behind pointers here; left opaque. */
struct ucred;
struct filedesc;
struct filterops;
struct knote;

/* struct mtx is embedded by value in struct kqueue, so it needs a size.
 * Placeholder sized to sizeof(struct mtx) on FreeBSD 9 amd64 (lock_object + mtx_lock);
 * this is an assumption, not something from the post. */
struct mtx { char opaque[32]; };

/* klist/knlist moved ahead of struct selinfo, which embeds a struct knlist by value. */
struct klist {
    struct knote *slh_first;
};

struct knlist {
    struct klist kl_list;
    void (*kl_lock)(void *);            /* lock function */
    void (*kl_unlock)(void *);
    void (*kl_assert_locked)(void *);
    void (*kl_assert_unlocked)(void *);
    void *kl_lockarg;                   /* argument passed to kl_lockf() */
};

struct selfdlist {
    void *tqh_first;
    void **tqh_last;
};

struct selinfo {
    struct selfdlist si_tdlist;  /* List of sleeping threads. */
    struct knlist si_note;       /* kernel note list */
    struct mtx *si_mtx;          /* Lock for tdlist. */
};

struct sigio {
    union {
        void *siu_proc;   /* (c) process to receive SIGIO/SIGURG */
        void *siu_pgrp;   /* (c) process group to receive ... */
    } sio_u;
    SLIST_ENTRY(sigio) sio_pgsigio;  /* (pg) sigio's for process or group */
    struct sigio **sio_myref;        /* (c) location of the pointer that holds
                                      * the reference to this structure */
    struct ucred *sio_ucred;         /* (c) current credentials */
    pid_t sio_pgid;                  /* (c) pgid for signals */
};

struct task {
    STAILQ_ENTRY(task) ta_link;  /* (q) link for queue */
    u_short ta_pending;          /* (q) count times queued */
    u_short ta_priority;         /* (c) Priority */
    void *ta_func;               /* (c) task handler */
    void *ta_context;            /* (c) argument for handler */
};

struct kqueue {
    struct mtx kq_lock;
    int kq_refcnt;
    SLIST_ENTRY(kqueue) kq_list;
    TAILQ_HEAD(, knote) kq_head;  /* list of pending event */
    int kq_count;                 /* number of pending events */
    struct selinfo kq_sel;
    struct sigio *kq_sigio;
    struct filedesc *kq_fdp;
    int kq_state;
#define KQ_SEL       0x01
#define KQ_SLEEP     0x02
#define KQ_FLUXWAIT  0x04  /* waiting for a in flux kn */
#define KQ_ASYNC     0x08
#define KQ_CLOSING   0x10
#define KQ_TASKSCHED 0x20  /* task scheduled */
#define KQ_TASKDRAIN 0x40  /* waiting for task to drain */
    int kq_knlistsize;            /* size of knlist */
    struct klist *kq_knlist;      /* list of knotes */
    u_long kq_knhashmask;         /* size of knhash */
    struct klist *kq_knhash;      /* hash table for knotes */
    struct task kq_task;
};

struct kevent {
    u_int ident;     /* identifier for this event */
    short filter;    /* filter for event */
    u_short flags;
    u_int fflags;
    intptr_t data;
    void *udata;     /* opaque user data identifier */
};

struct knote {
    SLIST_ENTRY(knote) kn_link;     /* for kq */              //0
    SLIST_ENTRY(knote) kn_selnext;  /* for struct selinfo */  //8
    struct knlist *kn_knlist;       /* f_attach populated */  //16
    TAILQ_ENTRY(knote) kn_tqe;                                //24
    struct kqueue *kn_kq;           /* which queue we are on */ //40
    struct kevent kn_kevent;                                  //48
    int kn_status;                  /* protected by kq lock */ //80
#define KN_ACTIVE    0x01  /* event has been triggered */
#define KN_QUEUED    0x02  /* event is on queue */
#define KN_DISABLED  0x04  /* event is disabled */
#define KN_DETACHED  0x08  /* knote is detached */
#define KN_INFLUX    0x10  /* knote is in flux */
#define KN_MARKER    0x20  /* ignore this knote */
#define KN_KQUEUE    0x40  /* this knote belongs to a kq */
#define KN_HASKQLOCK 0x80  /* for _inevent */
    int kn_sfflags;                 /* saved filter flags */  //88
    intptr_t kn_sdata;              /* saved data field */    //96
    union {
        uint64_t *p_fp;    /* file data pointer */  //104
        uint64_t *p_proc;  /* proc pointer */       //112
        uint64_t *p_aio;   /* AIO job pointer */    //120
        uint64_t *p_lio;   /* LIO job pointer */    //112
    } kn_ptr;
    struct filterops *kn_fop;                                 //120
    void *kn_hook;                                            //128
    int kn_hookid;                                            //136
#define kn_id     kn_kevent.ident
#define kn_filter kn_kevent.filter
#define kn_flags  kn_kevent.flags
#define kn_fflags kn_kevent.fflags
#define kn_data   kn_kevent.data
#define kn_fp     kn_ptr.p_fp
};

struct proc {
    char unk1[64];
    struct ucred *p_ucred;
    struct filedesc *p_fd;  //untested
    char unk2[2220];
    u_short p_xstat;        /* (c) Exit status; also stop sig. */
    struct knlist p_klist;  /* (c) Knotes attached to this proc. */
};
```

  If I missed something, let me know. It gets quite messy with all these structs... EDIT: Trying to hook kvprintf at the moment so we can get some better output. Anyone trying to use the CPU write fixes readCr0 and writeCr0 from cturt's article, keep in mind they are broken (intentionally?) and need fixing before they will work.
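A layout check for the structs above, added here as an example; it is not twisted89's code. It re-declares struct kevent and struct knote exactly as typed in the post (u_int ident, void* queue links, the other kernel types reduced to plain pointers since only pointer size affects layout), lets the compiler assign offsets under LP64 alignment (the assumption is an x86-64 build), and compares them with the "//N" offsets annotated in the post. Any field where the two disagree means the declaration as typed and the annotated offset cannot both be right, which is exactly the kind of error that turns a struct overwrite into a panic.

```c
/* Added example (not twisted89's code): compare compiler-assigned offsets of the
 * posted struct knote declaration against the offsets annotated in the post.
 * Assumes an LP64 target (x86-64 style alignment). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLIST_ENTRY(type) struct { void *sle_next; }
#define TAILQ_ENTRY(type) struct { void *tqe_next; void **tqe_prev; }

struct kevent {                 /* as posted: u_int ident, not uintptr_t */
    unsigned int   ident;
    short          filter;
    unsigned short flags;
    unsigned int   fflags;
    intptr_t       data;
    void          *udata;
};

struct knote {                  /* field order and types exactly as posted */
    SLIST_ENTRY(knote) kn_link;
    SLIST_ENTRY(knote) kn_selnext;
    void              *kn_knlist;   /* struct knlist * in the post; pointer size is all that matters */
    TAILQ_ENTRY(knote) kn_tqe;
    void              *kn_kq;       /* struct kqueue * in the post */
    struct kevent      kn_kevent;
    int                kn_status;
    int                kn_sfflags;
    intptr_t           kn_sdata;
    union { uint64_t *p_fp; uint64_t *p_proc; uint64_t *p_aio; uint64_t *p_lio; } kn_ptr;
    void              *kn_fop;      /* struct filterops * in the post */
    void              *kn_hook;
    int                kn_hookid;
};

struct field_check {
    const char *name;
    size_t      computed;   /* from offsetof() on the declaration above */
    size_t      posted;     /* the "//N" annotation copied from the post */
};

/* One row per annotated field. For kn_ptr the post annotates the four union
 * members as 104/112/120/112, but union members all share the union's offset,
 * so the first annotation (104) is used as the posted value. */
static const struct field_check knote_fields[] = {
    { "kn_link",    offsetof(struct knote, kn_link),    0   },
    { "kn_selnext", offsetof(struct knote, kn_selnext), 8   },
    { "kn_knlist",  offsetof(struct knote, kn_knlist),  16  },
    { "kn_tqe",     offsetof(struct knote, kn_tqe),     24  },
    { "kn_kq",      offsetof(struct knote, kn_kq),      40  },
    { "kn_kevent",  offsetof(struct knote, kn_kevent),  48  },
    { "kn_status",  offsetof(struct knote, kn_status),  80  },
    { "kn_sfflags", offsetof(struct knote, kn_sfflags), 88  },
    { "kn_sdata",   offsetof(struct knote, kn_sdata),   96  },
    { "kn_ptr",     offsetof(struct knote, kn_ptr),     104 },
    { "kn_fop",     offsetof(struct knote, kn_fop),     120 },
    { "kn_hook",    offsetof(struct knote, kn_hook),    128 },
    { "kn_hookid",  offsetof(struct knote, kn_hookid),  136 },
};
#define NFIELDS (sizeof knote_fields / sizeof knote_fields[0])

/* Offset the compiler assigns to a named field, or (size_t)-1 if the name is unknown. */
size_t knote_offset(const char *name)
{
    for (size_t i = 0; i < NFIELDS; i++)
        if (strcmp(knote_fields[i].name, name) == 0)
            return knote_fields[i].computed;
    return (size_t)-1;
}

/* Number of fields whose computed offset differs from the posted annotation. */
int knote_posted_mismatches(void)
{
    int n = 0;
    for (size_t i = 0; i < NFIELDS; i++)
        if (knote_fields[i].computed != knote_fields[i].posted)
            n++;
    return n;
}

int main(void)
{
    printf("sizeof(struct kevent) = %zu, sizeof(struct knote) = %zu\n",
           sizeof(struct kevent), sizeof(struct knote));
    printf("%-12s %8s %8s\n", "field", "computed", "posted");
    for (size_t i = 0; i < NFIELDS; i++)
        printf("%-12s %8zu %8zu%s\n", knote_fields[i].name,
               knote_fields[i].computed, knote_fields[i].posted,
               knote_fields[i].computed != knote_fields[i].posted ? "  <-- mismatch" : "");
    return knote_posted_mismatches() ? 1 : 0;
}
```

Run as-is, the table agrees with the post up to kn_status at 80 and then drifts: with a 32-byte kevent and two 4-byte ints, kn_sfflags lands at 84, not 88, and every later field is 8 or 16 bytes short of its annotation. Either the annotations were measured on a slightly different struct (extra or wider fields after kn_status) or the declaration is missing something; the check says which fields to re-verify before trusting any of them in a kernel write.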
  7. Yes, setting status still causes a panic. Not sure exactly what you mean about isfd? In this case the new knote has isfd set to 0.
  8. I'm not sure we can cleanly exit dlclose by 'fixing' the knote. You can get a list of valid knotes through proc with td->td_proc->p_klist.kl_list.slh_first; if you memcpy one of them over the broken knote in the kernel payload, the PS4 still panics and shuts down.
  9. That's not how it works: forcefully returning from dlclose leaves resources locked in the kernel thread, which breaks further system calls.
  10. Yeah, it seems to be locking some resources, which also breaks subsequent system calls. Looking into it.