yuxing/etaHEN
1
0
Fork 0
mirror of https://github.com/etaHEN/etaHEN.git synced 2026-01-12 19:25:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: yuxing:2.1B
Branches Tags
yuxing:main
yuxing:2.5B yuxing:2.4B yuxing:2.3B yuxing:2.2 yuxing:2.1B yuxing:2.0b yuxing:2.0b-pre yuxing:Pb-test yuxing:1.9b yuxing:1.08b yuxing:1.7b yuxing:1.6b yuxing:1.5b yuxing:1.4b yuxing:1.3b yuxing:1.21b yuxing:1.2b yuxing:1.11b yuxing:1.1b yuxing:1.0b
...
compare: yuxing:main
Branches Tags
yuxing:main
yuxing:2.5B yuxing:2.4B yuxing:2.3B yuxing:2.2 yuxing:2.1B yuxing:2.0b yuxing:2.0b-pre yuxing:Pb-test yuxing:1.9b yuxing:1.08b yuxing:1.7b yuxing:1.6b yuxing:1.5b yuxing:1.4b yuxing:1.3b yuxing:1.21b yuxing:1.2b yuxing:1.11b yuxing:1.1b yuxing:1.0b

12 Commits
2.1B ... main

Author SHA1 Message Date
LM
5061a85312 etaHEN 2.5B 2025-12-25 00:28:32 -05:00
LightningMods
8860c0a603 kstuff update 2025-12-07 17:46:34 -05:00
LightningMods
0fe0407b3a etaHEN 2.4B 
etaHEN 2.4B

etaHEN 2.4B Change log

- Updated to support the latest PS5 Payload SDK
- Fixed etaHEN and Cheats support for 8.40-10.01
- Added a Game Overlay menu to show CPU/GPU Temp and utilization, Local IP Address and other future states
- Added a Kstuff menu for options like downloading the latest kstuff from github, turning off kstufff autoload and more
- Added a Custom Background Package Installer for installing PKGs from internal storage from any directory (Requires DPIv2 enabled for 5.50+)
- DPIv2 can now download local files via url example http://192.xxx.xxx.xxx:12800/data/etaHEN/etaHEN.log
- Improved Cheats support, cheats with or without 0 sections are now supported
- Added Fix by TheFlow to Improve 2.xx PS4 PKG speeds
- Replaced the donation links in the etaHEN credits menu with ones to github sponsers
- Removed the non-whitelist app jailbreak option and moved it to an optional Legacy CMD Server option in the etaHEN Settings off by default
- Game Decryptor has been updated for the Itemzflow Dumper
- Updated the Plugin loader System
- The Payload SDK ELFLDR is now REQUIRED for etaHEN to load
- Replaced HTTP2 with Curl for better compatibility
- Added timeout for ShellUI to receive a response (will stop it from freezing if no response is given)

small fix
 2025-12-01 20:31:16 -05:00
LM
7967c0a633 added John to the credits 2025-10-09 07:24:11 -04:00
Adam Furtenbach
0a4bfbe558 use of custom kstuff (#58) 
* reverted libmprotect.h, couldn't make a viable build with recent ps5 sdk's
* added feature to load kstuff from /data/kstuff.elf before using embedded
* added menu feature to download latest kstuff from echostretch
* made download_file() more generic
 2025-09-22 14:11:47 -04:00
SonyUSA
b41b22d768 PS4Debug 1.0b5 FW 3.00 Support (#54) 
PS4Debug 1.0b5 seems to support FW 3.00 and can be used for remove save mounter
 2025-09-11 18:48:19 -04:00
Adam Furtenbach
f446ee1ee5 Fixing build issues with llvm-20 and latest ps5 sdk (#53) 
* Fixes some build issues when using latest ps5 sdk and llvm-20

* Changed Makefile to work with ps5-payload-sdk/bin/clang++
 2025-09-11 10:56:32 -04:00
LM
03d016fd31 etaHEN Goes Open Source 
etaHEN Goes Open Source

clean tmp files

....
 2025-09-07 11:10:19 -04:00
LM
56b1cf99f7 2.3B: fix plugin auto start 2025-09-06 09:52:13 -04:00
LM
55cfedcdac 2.3B Released 2025-09-04 21:26:38 -04:00
LightningMods
4051e18f02 small fix 2025-06-11 03:13:03 -04:00
LightningMods
a66823580b etaHEN update 2.2B 
## New additions
- ALL PS4 cheats should now work now that ASLR is disabled
- Renamed Debug Settings to the etaHEN Toolbox in the settings menu and changed the icon
- Added a PS5 Game menu (named after webMAN) to the toolbox for those that dont want to use itemzflow
- Added a controller shortcuts menu with the following shortcuts (with more than one button combo option for each)
   - Cheats Menu
   - Toolbox
   - PS5 Games menu
   - Toggle Kstuff
- the Utilities menu has been changed to the Settings menu and is now below the Services menu
- Patched the systems game patch checker to not auto update games with etaHEN active
- Updated the Kstuff menu to include the option to pause the PS5 or PS4 sysents independently
- the download Cheats option will now check if its up to date instead of always just redownloading the whole repo everytime
- Added the ability to save remote play info to a USB if one is detected (both the encoded and decoded account ids)
- Added the option to disable the toolbox auto start in the rest mode options

## Fixes and Updates
- Updated Kstuff to 1.5
- Updated PS5Debug to v1.0b4 (6.xx support) by @CTN
- Fixed an Issue that would cause the etaHEN utility daemon to crash if malformed cheat .txt files were present
- etaHEN will now attempt to restart the home menu if loading the toolbox fails
- updated itemzflow self decrypter for 7.xx
- Improved etaHEN Startup time by 1-2 secs
- Updated & Improved lite mode
- Fixed an issue preventing people from enabling cheats after turning off lite mode
- Fixed an issue with Cheats not showing the full description for long descriptions
- [Dev/TestKits] the red activate banner will now only go away when the activation patches are present
- [Dev/TestKits] added activation patches for DevKit FW 3.21, 4.03, 4.51 and 5.50 and Testkit fw 4.03, 4.51, 6.50, 7.61
- Delete daemon crash logs on startup if available
- Updated the config.ini layout for the new additions
 2025-06-10 22:45:32 -04:00
1223 changed files with 571401 additions and 22 deletions
Expand all files Collapse all files

674
LICENSE Normal file
View File

@@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.

76
README.md
View File

@@ -5,11 +5,16 @@
## 🚀 **Support the Project**
If you find this project useful and would like to support its continued development, consider buying me a coffee!
[![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/lightningmods)
[![GitHub Sponsers](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://github.com/sponsors/LightningMods)
## Building from Source
The Source code is provided in the Source code folder under GPLv3 with all the necessary files to build it as required under GPLv3
However I will not be providing instructions on how to build it since any dev should know how to use cmake
## Official PS5 exploit website
- https://tinyurl.com/PS5IPV6 (requires you to manually send the payload but has the best stability)
- https://ps5jb.pages.dev/ (auto loads the payload for you, id recommand the IPV6 exploit over UMTX)
- https://ps5jb.pages.dev/ (auto loads the payload for you, id recommend the IPV6 exploit over UMTX)
## Recommended self-host exploits
- [Modified IPV6 exploit for etaHEN support](https://github.com/LightningMods/PS5-IPV6-Kernel-Exploit)
@@ -52,17 +57,26 @@ Port: XXXX
- [Toolbox] Install the Homebrew Store on the console
- [Toolbox] ★Rest Mode Options
- [Toolbox] Remote Play Menu
- [Toolbox] Plugin Menu and Plugin auto start menu
- [Toolbox] Plugin / Payload ELF Menu with auto start options
- [Toolbox] External HDD Menu
- [Toolbox] TestKit Menu
- [Toolbox] Kstuff menu
- [Toolbox] Game Overlay Menu
- [Toolbox] Cheats Menu (WIP)
- [Toolbox] Controller Shortcuts
- [Toolbox] PS5 webMAN Games menu
- [Toolbox] Custom Game Options Menu
- [Toolbox] Display Title IDs on Home menu
- [Toolbox] Disable toolbox auto start
- [Toolbox] Blu-Ray license activation
- [Toolbox] Disc auto eject for BD-J and LUA based exploits
- [Toolbox] etaHEN credits and supporters
- [Toolbox] Custom debug settings text and icon
- [Toolbox] Auto open menu after etaHEN loads
- [Toolbox] a number of different toolbox settings
- React bundle (all FWs) & Self (only on 2.xx) FTP decryption Support
- 2 seperate daemons for improved stability and reliability
- the Util daemon willl be auto restarted by the main etaHEN daemon
- The Util daemon will be auto restarted by the main etaHEN daemon
- Custom System Software version (custom System info)
- kstuff for fself and fpkg support
- etaHEN log in /data/etaHEN
@@ -89,8 +103,6 @@ More info [Here](https://github.com/LightningMods/etaHEN-SDK/blob/main/README.md
## Upcoming features
- [Toolbox] FPS Counter
- [Toolbox] change debug settings text
- [Toolbox] On-Screen temps and other info (for retails)
- More userland patches
- Improved PS5 Game support (itemzflow)
- More (consider donating)
@@ -99,21 +111,40 @@ More info [Here](https://github.com/LightningMods/etaHEN-SDK/blob/main/README.md
etaHEN's ini settings file can be found at `/data/etaHEN/config.ini` and can be accessed using the built-in FTP
and is automatically created when you run etaHEN for the first time
#### Configuration Layout (toolbox)
| INI Key | Description | Default value
|---------------------|-------------------------------------------------------------|---------------------|
| `PS5Debug` | 0 = disables PS5Debug (Sistr0) auto load 1 = enable PS5Debug auto load | 0 (disabled) |
| `FTP` | 0 = disables etaHEN built-in FTP 1 = enables it | 1 (enabled) |
| `discord_rpc` | 0 = disables Discord RPC server 1 = enables it | 0 (disabled) |
| `toolbox_auto_start` | 0 = auto replaces debug settings 1 = OG Debug settings only | 1 (enabled) |
| `Allow_data_in_sandbox` | 0 = disables /data in an apps sandbox 1 = enables it | 1 (enabled) |
| `DPI`/ `DPIv2` | 0 = disables The Direct PKG Installer service 1 = enables it | 1 (DPIv2 enabled) |
| `Klog` | 0 = disables kernel logging, 1 = enables it | 0 (disabled) |
| `ALLOW_FTP_DEV_ACCESS` | 0 = disables FTP developer access, 1 = enables it | 0 (disabled) |
| `StartOption` | 0=None, 1=Home menu, 2=Settings 3=Toolbox, 4=itemzflow | 0 (None) |
| `Rest_Mode_Delay_Seconds` | Delay in seconds before patching shellui coming out rest mode | 0 (no delay) |
| `Util_rest_kill` | 0 = dont kill the util daemon during rest, 1 = Do kill it on rest | 0 (disabled) |
| `Game_rest_kill` | 0 = dont kill the open game during rest, 1 = Do kill it on rest | 0 (disabled) |
| INI Key | Description | Default value |
|---------------------|-------------------------------------------------------------|---------------|
| `PS5Debug` | 0 = disables PS5Debug (Sistr0) auto load, 1 = enable PS5Debug auto load | 0 (disabled) |
| `FTP` | 0 = disables etaHEN built-in FTP, 1 = enables it | 1 (enabled) |
| `discord_rpc` | 0 = disables Discord RPC server, 1 = enables it | 0 (disabled) |
| `toolbox_auto_start` | 0 = disabled, 1 = enabled | 1 (enabled) |
| `Allow_data_in_sandbox` | 0 = disables /data in an apps sandbox, 1 = enables it | 1 (enabled) |
| `DPI` | 0 = disables The Direct PKG Installer service, 1 = enables it | 0 (disabled) |
| `DPI_v2` | 0 = disables DPI version 2, 1 = enables it | 0 (disabled) |
| `Klog` | 0 = disables kernel logging, 1 = enables it | 0 (disabled) |
| `ALLOW_FTP_DEV_ACCESS` | 0 = disables FTP developer access, 1 = enables it | 0 (disabled) |
| `StartOption` | 0=None, 1=Home menu, 2=Settings, 3=Toolbox, 4=itemzflow | 0 (None) |
| `Rest_Mode_Delay_Seconds` | Delay in seconds before patching shellui coming out rest mode | 0 (no delay) |
| `Util_rest_kill` | 0 = don't kill the util daemon during rest, 1 = Do kill it on rest | 0 (disabled) |
| `Game_rest_kill` | 0 = don't kill the open game during rest, 1 = Do kill it on rest | 0 (disabled) |
| `disable_toolbox_auto_start_for_rest_mode` | 0 = disabled, 1 = enabled | 0 (disabled) |
| `libhijacker_cheats` | 0 = disables libhijacker cheats, 1 = enables it | 0 (disabled) |
| `launch_itemzflow` | 0 = disabled, 1 = enables auto launch of itemzflow | 0 (disabled) |
| `testkit` | 0 = disabled, 1 = enables testkit mode | 0 (disabled) |
| `Display_tids` | 0 = disabled, 1 = enables display of title IDs | 0 (disabled) |
| `APP_JB_Debug_Msg` | 0 = disabled, 1 = enables app jailbreak debug messages | 0 (disabled) |
| `etaHEN_Game_Options` | 0 = disabled, 1 = enables etaHEN game options | 1 (enabled) |
| `auto_eject_disc` | 0 = disabled, 1 = enables automatic disc ejection | 0 (disabled) |
| `Cheats_shortcut_opt` | Multi-select option for cheats shortcut | 0 (CHEATS_SC_OFF) |
| `Toolbox_shortcut_opt` | Multi-select option for toolbox shortcut | 0 (TOOLBOX_SC_OFF) |
| `Games_shortcut_opt` | Multi-select option for games shortcut | 0 (GAMES_SC_OFF) |
| `Kstuff_shortcut_opt` | Multi-select option for kstuff shortcut | 0 (KSTUFF_SC_OFF) |
| `auto_eject_disc` | 0 = disabled, 1 = enabled | 0 (disabled) |
| `overlay_ram` | 0 = disabled, 1 = enabled | 0 (disabled) |
| `overlay_cpu` | 0 = disabled, 1 = enabled | 0 (disabled) |
| `overlay_gpu` | 0 = disabled, 1 = enabled | 0 (disabled) |
| `overlay_ip` | 0 = disabled, 1 = enabled | 1 (enabled) |
| `overlay_kstuff` | 0 = disabled, 1 = enabled | 1 (enabled) |
| `Overlay_pos` | Multi-select option for game overlay | 0 (OVERLAY_POS_TOP_LEFT) |
## DPI API details for tool creators
etaHEN's Direct PKG Installer currently is very simple and is considered a WIP
@@ -131,7 +162,7 @@ the service flow is as follows
4. etaHEN will close the client socket after the return json is sent
## Jailbreaking an app (FPKG) using etaHEN (non-whitelist method, Network required)
## Jailbreaking an app (FPKG) using etaHEN (non-whitelist method, Network and Legacy CMD server toolbox setting required)
```
enum Commands : int {
@@ -215,6 +246,7 @@ int main()
```
## Contributors
- [John Tornblom / PS5-Payload-dev](https://github.com/john-tornblom)
- [Buzzer](https://github.com/buzzer-re)
- [sleirsgoevy](https://github.com/sleirsgoevy)
- [ChendoChap](https://github.com/ChendoChap)

8
Source Code/.clang-tidy Normal file
View File

@@ -0,0 +1,8 @@
---
Checks: 'bugprone-*,-bugprone-reserved-identifier,-bugprone-easily-swappable-parameters,clang-diagnostic-*,clang-analyzer-*,cppcoreguidelines-*,-cppcoreguidelines-pro-type-reinterpret-cast,-cppcoreguidelines-pro-type-union-access,-cppcoreguidelines-avoid-c-arrays,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-cppcoreguidelines-non-private-member-variables-in-classes,-cppcoreguidelines-pro-bounds-array-to-pointer-decay,-cppcoreguidelines-pro-type-vararg,-cppcoreguidelines-pro-bounds-constant-array-index,performance*,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling'
WarningsAsErrors: true
HeaderFilterRegex: '.*'
AnalyzeTemporaryDtors: false
FormatStyle: none
...

29
Source Code/.gitignore vendored Normal file
View File

@@ -0,0 +1,29 @@
.cache
.vscode
.ninja_deps
.ninja_log
cmake_install.cmake
compile_commands.json
build.ninja
CMakeCache.txt
**/CMakeFiles
**/bin
*.o
*.elf
*.txt
!**/CMakeLists.txt
/BREW00000
aerolib.csv
stubber/main.exe
stubber/out/
homebrew/
*.i64
*.lnk
*.til
lib/libNidResolver.a
lib/libNineS.a
lib/libhijacker.a
Makefile
bootstrapper/Makefile
hen.bin
util/assets/shellui.elf

3
Source Code/.gitmodules vendored Normal file
View File

@@ -0,0 +1,3 @@
[submodule "libNidResolver"]
path = libNidResolver
url = https://github.com/astrelsky/libNidResolver.git

25
Source Code/CMakeLists.txt Normal file
View File

@@ -0,0 +1,25 @@
cmake_minimum_required (VERSION 3.20)
project("etaHEN")
set(PROJECT_ROOT "${CMAKE_CURRENT_SOURCE_DIR}")
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${PROJECT_ROOT}/bin)
set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${PROJECT_ROOT}/lib)
set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${PROJECT_ROOT}/lib) # static libs are archive
include_directories (SYSTEM "${PROJECT_ROOT}/include")
include_directories(SYSTEM "${PS5_PAYLOAD_SDK}")
include_directories(SYSTEM "${PS5_PAYLOAD_SDK}/include")
add_subdirectory(libhijacker)
add_subdirectory(libNidResolver)
# add_subdirectory(libRPI)
add_subdirectory(libSelfDecryptor)
add_subdirectory(libNineS)
add_subdirectory(libelfldr)
add_subdirectory(shellui)
add_subdirectory(fps_elf)
add_subdirectory(daemon)
add_subdirectory(util)
add_subdirectory(bootstrapper)
add_subdirectory(unpacker)

103
Source Code/CMakePresets.json Normal file
View File

@@ -0,0 +1,103 @@
{
"buildPresets": [
{
"hidden": false,
"verbose": true,
"name": "default-build-windows",
"displayName": "DefaultBuild",
"configurePreset": "ps5-base",
"description": "default build"
},
{
"hidden": false,
"verbose": true,
"name": "default-build-nix",
"displayName": "DefaultBuild",
"configurePreset": "nix-base",
"description": "default build"
}
],
"configurePresets": [
{
"name": "ps5-base",
"hidden": true,
"generator": "Ninja",
"binaryDir": "${sourceDir}/build/${presetName}",
"installDir": "${sourceDir}/build/install/${presetName}",
"toolchainFile": "${env:PS5SDK}/cmake/toolchain-ps5.cmake",
"cacheVariables": {
"CMAKE_C_COMPILER": "clang.exe",
"CMAKE_CXX_COMPILER": "clang++.exe"
},
"condition": {
"type": "equals",
"lhs": "${hostSystemName}",
"rhs": "Windows"
}
},
{
"name": "nix-base",
"hidden": true,
"generator": "Ninja",
"binaryDir": "${sourceDir}/build/${presetName}",
"installDir": "${sourceDir}/build/install/${presetName}",
"toolchainFile": "${env:PS5SDK}/cmake/toolchain-ps5.cmake",
"cacheVariables": {
"CMAKE_C_COMPILER": "clang",
"CMAKE_CXX_COMPILER": "clang++"
},
"condition": {
"type": "notEquals",
"lhs": "${hostSystemName}",
"rhs": "Windows"
}
},
{
"name": "ps5-debug",
"displayName": "PS5 Debug",
"inherits": "ps5-base",
"architecture": {
"value": "x64",
"strategy": "external"
},
"cacheVariables": {
"CMAKE_BUILD_TYPE": "Debug"
}
},
{
"name": "ps5-release",
"displayName": "PS5 Release",
"inherits": "ps5-debug",
"cacheVariables": {
"CMAKE_BUILD_TYPE": "Release"
}
},
{
"name": "linux-debug",
"displayName": "Linux Debug",
"inherits": "nix-base",
"cacheVariables": {
"CMAKE_BUILD_TYPE": "Debug"
},
"vendor": {
"microsoft.com/VisualStudioRemoteSettings/CMake/1.0": {
"sourceDir": "$env{HOME}/.vs/$ms{projectDirName}"
}
}
},
{
"name": "macos-debug",
"displayName": "macOS Debug",
"inherits": "nix-base",
"cacheVariables": {
"CMAKE_BUILD_TYPE": "Debug"
},
"vendor": {
"microsoft.com/VisualStudioRemoteSettings/CMake/1.0": {
"sourceDir": "$env{HOME}/.vs/$ms{projectDirName}"
}
}
}
],
"version": 3
}

BIN
Source Code/ETAHEN.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 601 KiB

258
Source Code/README.md Normal file
View File

@@ -0,0 +1,258 @@
# etaHEN - AIO Homebrew enabler
![etaHEN](https://github.com/LightningMods/etaHEN/blob/main/etaHEN-Icon.jpg)
## 🚀 **Support the Project**
If you find this project useful and would like to support its continued development, consider buying me a coffee!
[![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/lightningmods)
## Building from Source
The Source code is provided in the Source code folder under GPLv3 with all the necessary files to build it as required under GPLv3
However I will not be providing instructions on how to build it since any dev should know how to use cmake
## Official PS5 exploit website
- https://tinyurl.com/PS5IPV6 (requires you to manually send the payload but has the best stability)
- https://ps5jb.pages.dev/ (auto loads the payload for you, id recommand the IPV6 exploit over UMTX)
## Recommended self-host exploits
- [Modified IPV6 exploit for etaHEN support](https://github.com/LightningMods/PS5-IPV6-Kernel-Exploit)
## Payload PowerShell Script usage for Windows (send_payload.ps1)
if you haven't already, you will need to either enable script execution globally via
```
Set-ExecutionPolicy Bypass
```
in an admin PowerShell window or run the script with this command after replacing the script path
```
powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\send_payload.ps1
```
**Script Usage**
```
.\send_payload.ps1 -Payload "C:\path\to\example.elf" -IP "192.168.xxx.xxx" -Port XXXX
```
**OR**
```
.\send_payload.ps1
cmdlet send_payload.ps1 at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
Payload: C:\path\to\example.elf
IP: 192.168.xxx.xxx
Port: XXXX
```
- Common Ports: SB elfldr 9021, exploit elfldr 9020
## Features
- ★ etaHEN toolbox (debug settings replacement)
- Custom etaHEN [Plugins](https://github.com/LightningMods/etaHEN-SDK/tree/main/Plugin_samples)
- [Toolbox] Install the Homebrew Store on the console
- [Toolbox] ★Rest Mode Options
- [Toolbox] Remote Play Menu
- [Toolbox] Plugin / Payload ELF Menu with auto start options
- [Toolbox] External HDD Menu
- [Toolbox] TestKit Menu
- [Toolbox] Cheats Menu (WIP)
- [Toolbox] Controller Shortcuts
- [Toolbox] PS5 webMAN Games menu
- [Toolbox] Custom Game Options Menu
- [Toolbox] Display Title IDs on Home menu
- [Toolbox] Disable toolbox auto start
- [Toolbox] Blu-Ray license activation
- [Toolbox] Disc auto eject for BD-J and LUA based exploits
- [Toolbox] etaHEN credits and supporters
- [Toolbox] Custom debug settings text and icon
- [Toolbox] Auto open menu after etaHEN loads
- [Toolbox] a number of different toolbox settings
- React bundle (all FWs) & Self (only on 2.xx) FTP decryption Support
- 2 seperate daemons for improved stability and reliability
- The Util daemon will be auto restarted by the main etaHEN daemon
- Custom System Software version (custom System info)
- kstuff for fself and fpkg support
- etaHEN log in /data/etaHEN
- (optional) System-wide controller shortcut to open itemzflow
- Debug Settings
- Game Dumper (Intrgrated with Itemzflow)
- HEN config file for settings
- Jailbreak IPC call (jailbreaks Homebrew apps)
- Update blocker (unmounts update partition)
- *Optional* Illusions cheats/patches [Plugin](https://github.com/LightningMods/etaHEN-SDK/tree/main/Plugin_samples/Illusion_cheats)
- *Optional* FTP server on port 1337
- *Optional* /data allowed inside apps sandboxes
- Klog server on port 9081
- elf loader on port 9021 (use Johns elfldr)
- *Optional* PS5Debug
- Itemzflow intergration
- *Optional* Discord RPC server on port 8000, click [here](https://github.com/jeroendev-one/ps5-rpc-client) for setup instructions
- *Optional* Direct PKG installer V2 service with WebUI on http://PS5_IP:12800
- *Optional* Direct PKG installer service on port 9090
## etaHEN SDK
make your own custom plugins via the [etaHEN SDK](https://github.com/lightningmods/etaHEN-SDK)
More info [Here](https://github.com/LightningMods/etaHEN-SDK/blob/main/README.md)
## Upcoming features
- [Toolbox] FPS Counter
- [Toolbox] On-Screen temps and other info (for retails)
- More userland patches
- Improved PS5 Game support (itemzflow)
- More (consider donating)
## etaHEN INI Configuration file
etaHEN's ini settings file can be found at `/data/etaHEN/config.ini` and can be accessed using the built-in FTP
and is automatically created when you run etaHEN for the first time
| INI Key | Description | Default value |
|---------------------|-------------------------------------------------------------|---------------|
| `PS5Debug` | 0 = disables PS5Debug (Sistr0) auto load, 1 = enable PS5Debug auto load | 0 (disabled) |
| `FTP` | 0 = disables etaHEN built-in FTP, 1 = enables it | 1 (enabled) |
| `discord_rpc` | 0 = disables Discord RPC server, 1 = enables it | 0 (disabled) |
| `toolbox_auto_start` | 0 = disabled, 1 = enabled | 1 (enabled) |
| `Allow_data_in_sandbox` | 0 = disables /data in an apps sandbox, 1 = enables it | 1 (enabled) |
| `DPI` | 0 = disables The Direct PKG Installer service, 1 = enables it | 0 (disabled) |
| `DPI_v2` | 0 = disables DPI version 2, 1 = enables it | 0 (disabled) |
| `Klog` | 0 = disables kernel logging, 1 = enables it | 0 (disabled) |
| `ALLOW_FTP_DEV_ACCESS` | 0 = disables FTP developer access, 1 = enables it | 0 (disabled) |
| `StartOption` | 0=None, 1=Home menu, 2=Settings, 3=Toolbox, 4=itemzflow | 0 (None) |
| `Rest_Mode_Delay_Seconds` | Delay in seconds before patching shellui coming out rest mode | 0 (no delay) |
| `Util_rest_kill` | 0 = don't kill the util daemon during rest, 1 = Do kill it on rest | 0 (disabled) |
| `Game_rest_kill` | 0 = don't kill the open game during rest, 1 = Do kill it on rest | 0 (disabled) |
| `disable_toolbox_auto_start_for_rest_mode` | 0 = disabled, 1 = enabled | 0 (disabled) |
| `libhijacker_cheats` | 0 = disables libhijacker cheats, 1 = enables it | 0 (disabled) |
| `launch_itemzflow` | 0 = disabled, 1 = enables auto launch of itemzflow | 0 (disabled) |
| `testkit` | 0 = disabled, 1 = enables testkit mode | 0 (disabled) |
| `Display_tids` | 0 = disabled, 1 = enables display of title IDs | 0 (disabled) |
| `APP_JB_Debug_Msg` | 0 = disabled, 1 = enables app jailbreak debug messages | 0 (disabled) |
| `etaHEN_Game_Options` | 0 = disabled, 1 = enables etaHEN game options | 1 (enabled) |
| `auto_eject_disc` | 0 = disabled, 1 = enables automatic disc ejection | 0 (disabled) |
| `Cheats_shortcut_opt` | Multi-select option for cheats shortcut | 0 (CHEATS_SC_OFF) |
| `Toolbox_shortcut_opt` | Multi-select option for toolbox shortcut | 0 (TOOLBOX_SC_OFF) |
| `Games_shortcut_opt` | Multi-select option for games shortcut | 0 (GAMES_SC_OFF) |
| `Kstuff_shortcut_opt` | Multi-select option for kstuff shortcut | 0 (KSTUFF_SC_OFF) |
## DPI API details for tool creators
etaHEN's Direct PKG Installer currently is very simple and is considered a WIP
the service flow is as follows
1. Connect to etaHEN's TCP server via port 9090 (using the PS5s IP)
2. Send a URL to etaHEN in the following json format
```
{ "url" : "http://xxxx" }
```
3. etaHEN will then send back the return value (0 on success)
```
{ "res" : "0" }
```
4. etaHEN will close the client socket after the return json is sent
## Jailbreaking an app (FPKG) using etaHEN (non-whitelist method, Network required)
```
enum Commands : int {
INVALID_CMD = -1,
ACTIVE_CMD = 0,
LAUNCH_CMD,
PROCLIST_CMD,
KILL_CMD,
KILL_APP_CMD,
JAILBREAK_CMD
};
struct HijackerCommand
{
int magic = 0xDEADBEEF;
Commands cmd = INVALID_CMD;
int PID = -1;
int ret = -1337;
char msg1[0x500];
char msg2[0x500];
};
int HJOpenConnectionforBC() {
SceNetSockaddrIn address;
address.sin_len = sizeof(address);
address.sin_family = AF_INET;
address.sin_port = sceNetHtons(9028); //command serve port
memset(address.sin_zero, 0, sizeof(address.sin_zero));
sceNetInetPton(AF_INET, "127.0.0.1", &address.sin_addr.s_addr);
int socket = sceNetSocket("IPC_CMD_SERVER", AF_INET, SOCK_STREAM, 0);
if (sceNetConnect(socket, (SceNetSockaddr*)&address, sizeof(address)) < 0) {
close(socket), socket = -1;
}
return socket;
}
bool HJJailbreakforBC(int& sock) {
// send jailbreak IPC command
HijackerCommand cmd;
cmd.PID = getpid();
cmd.cmd = JAILBREAK_CMD;
if (send(sock, (void*)&cmd, sizeof(cmd), MSG_NOSIGNAL) == -1) {
puts("failed to send command");
return false;
}
else {
// get ret val from daemon
recv(sock, reinterpret_cast<void*>(&cmd), sizeof(cmd), MSG_NOSIGNAL);
close(sock), sock = -1;
if (cmd.ret != 0 && cmd.ret != -1337) {
puts("Jailbreak has failed");
return false;
}
return true;
}
return false;
}
int main()
{
int ret = HJOpenConnectionforBC();
if (ret < 0) {
puts("Failed to connect to daemon");
return -1;
}
if (!HJJailbreakforBC(ret))
{
puts("Jailbreak failed");
return -1;
}
return 0;
}
```
## Contributors
- [Buzzer](https://github.com/buzzer-re)
- [sleirsgoevy](https://github.com/sleirsgoevy)
- [ChendoChap](https://github.com/ChendoChap)
- [astrelsky](https://github.com/astrelsky)
- [illusion](https://github.com/illusion0001)
- CTN & [SiSTR0](https://github.com/SiSTR0) for PS5Debug
- [Nomadic](https://github.com/jeroendev-one) (Discord RPC feature)
## Testers
- [Echo Stretch](https://twitter.com/StretchEcho)
- [idlesauce](https://github.com/idlesauce)
- [Dizz](https://github.com/DizzRL)
- [BedroZen](https://twitter.com/BedroZen)
- [MODDED WARFARE](https://twitter.com/MODDED_WARFARE)
## Join us on the Support Discord
- https://discord.gg/xs2F46tKzK

42
Source Code/bootstrapper/Byepervisor/hen/Makefile Normal file
View File

@@ -0,0 +1,42 @@
PS5_HOST ?= ps5
PS5_PORT ?= 9021
ELF := hen.elf
BIN := hen.bin
CFLAGS := -std=c++11 -Wall -Werror -D_KERNEL -I./include -O2 -fno-builtin -nostartfiles -nostdlib -fno-stack-protector -fno-plt -fPIC -Wno-error=frame-address -I${PS5_PAYLOAD_SDK}include/freebsd -g3
#SFLAGS := -nostartfiles -nostdlib -fPIC
LFLAGS := -Xlinker -T ./link.x -Wl,--build-id=none
ODIR := build
SDIR := src
CXXFILES := $(wildcard $(SDIR)/*.cpp)
SFILES := $(wildcard $(SDIR)/*.s)
OBJS := $(patsubst $(SDIR)/%.cpp, $(ODIR)/%.o, $(CXXFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES))
$(ELF): $(ODIR) $(OBJS)
$(CXX) $(ODIR)/*.o -o $(ELF) $(CFLAGS) $(LFLAGS)
objcopy -O binary $(ELF) $(BIN)
$(ODIR)/%.o: $(SDIR)/%.cpp
$(CXX) -c -o $@ $< $(CFLAGS)
$(ODIR)/%.o: $(SDIR)/%.s
$(AS) -c -o $@ $< $(SFLAGS)
$(ODIR):
@mkdir $@
clean:
rm -f $(ELF) $(BIN) $(ODIR)/*.o
test: $(ELF)
$(PS5_DEPLOY) -h $(PS5_HOST) -p $(PS5_PORT) $^
debug: $(ELF)
gdb \
-ex "target extended-remote $(PS5_HOST):2159" \
-ex "file $(ELF)" \
-ex "remote put $(ELF) /data/$(ELF)" \
-ex "set remote exec-file /data/$(ELF)" \
-ex "start"

24
Source Code/bootstrapper/Byepervisor/hen/include/config.h Normal file
View File

@@ -0,0 +1,24 @@
#ifndef CONFIG_H
#define CONFIG_H
/*
* Enable debug logging via TCP connection to PC
*/
#define PC_DEBUG_ENABLED 1
/*
* PC IP address for debug logging
*/
#define PC_DEBUG_IP "10.0.0.143"
/*
* PC IP port for debug logging
*/
#define PC_DEBUG_PORT 5655
/*
* TCP port to run the RPC server on
*/
#define RPC_TCP_PORT 9002
#endif // CONFIG_H

225
Source Code/bootstrapper/Byepervisor/hen/include/fake.h Normal file
View File

@@ -0,0 +1,225 @@
/**
* Credits:
* Inital Structures: flat_z
* Structs and asserts: mira-vnext/kiwidog
*/
#ifndef FAKE_H
#define FAKE_H
#include <stdint.h>
#include <assert.h>
#include <stddef.h>
#include <string.h>
#include <sys/stdint.h>
#include <sys/elf.h>
#include <sys/param.h>
#include <sys/lock.h>
#include <sys/mutex.h>
/**
* @brief This is just here to prevent errors, too lazy to remove logging
*
*/
#define WriteLog(x, y, ...)
/**
* C++ to C fixes
*/
#define false 0
#define true 1
/**
* Fake Self
*/
#pragma region FAKE SELF
// Forward declarations
struct self_auth_info_t;
struct self_context_t;
struct self_ex_info_t;
struct self_header_t;
enum self_format_t : int;
struct self_fake_auth_info_t;
struct self_entry_t;
/**
* SELF authentication information
*/
typedef struct self_auth_info_t
{
uint64_t paid;
uint64_t caps[4];
uint64_t attrs[4];
uint8_t unk[0x40];
}self_auth_info_t, SelfAuthInfo;
/**
* SELF kernel context
*/
typedef struct self_context_t
{
uint32_t format;
uint32_t elf_auth_type;
uint32_t total_header_size;
uint32_t unk_0C;
void *segment;
uint32_t unk_18;
uint32_t ctx_id;
uint64_t svc_id;
uint64_t unk_28;
uint32_t buf_id;
uint32_t unk_34;
struct self_header_t *header;
uint8_t mtx_struct[0x20];
} self_context_t, SelfContext;
/**
* SELF extra information
*/
typedef struct self_ex_info_t
{
uint64_t paid;
uint64_t ptype;
uint64_t app_version;
uint64_t firmware_version;
uint8_t digest[0x20];
} self_ex_info_t, SelfExInfo;
/**
* SELF entry
*/
typedef struct self_entry_t
{
uint32_t props;
uint32_t reserved;
uint64_t offset;
uint64_t filesz;
uint64_t memsz;
} self_entry_t, SelfEntry;
/**
* SELF header
*/
typedef struct self_header_t
{
uint32_t magic;
uint8_t version;
uint8_t mode;
uint8_t endian;
uint8_t attr;
uint32_t key_type;
uint16_t header_size;
uint16_t meta_size;
uint64_t file_size;
uint16_t num_entries;
uint16_t flags;
uint32_t reserved;
struct self_entry_t entries[0];
} self_header_t, SelfHeader;
/**
* SELF fake authentication information
*/
typedef struct self_fake_auth_info_t
{
uint64_t size;
SelfAuthInfo info;
} self_fake_auth_info_t, SelfFakeAuthInfo;
/**
* SELF formats
*/
enum self_format_t : int
{
/**
* No Specified format
*/
SF_None,
/**
* RAW elf format
*/
SF_Elf,
/**
* SELF format
*/
SF_Self,
/**
* Count of formats
*/
SF_Count
};
enum
{
LoadSelfSegment = 2,
LoadSelfBlock = 6,
SelfMagic = 0x1D3D154F,
ElfMagic = 0x464C457F,
SelfPtypeFake = 1,
AuthInfoSize = 136,
};
struct mailbox_authmgr_verify_header_msg {
uint32_t cmd;
uint32_t res;
uint64_t headerPa;
uint64_t headerSize;
uint32_t unk18;
uint32_t serviceId;
uint64_t paid;
};
struct mailbox_authmgr_load_self_segment_msg {
uint32_t cmd;
uint32_t res;
uint64_t pa;
uint32_t segmentIndex;
uint16_t unk14;
uint16_t unk16;
uint8_t unk18[0x18];
uint32_t serviceId;
};
struct mailbox_authmgr_load_self_block_msg {
uint32_t cmd;
uint32_t res;
uint64_t unk08;
uint64_t unk10;
uint64_t unk18;
uint64_t unk20;
uint64_t unk28;
uint32_t unk30;
uint32_t unk34;
uint32_t unk38;
uint32_t segmentIndex;
uint32_t blockIndex;
uint32_t serviceId;
uint8_t digest[0x20];
uint8_t ext_info[0x8];
uint16_t unk70;
uint16_t unk72;
uint16_t unk74;
};
struct mailbox_authmgr_load_multiple_self_blocks_msg {
uint32_t cmd;
uint32_t res;
uint64_t unk08; //pa to 8 pa's of input
uint64_t unk10; //pa to 8 pa's of output (right after the above)
uint64_t unk18; //pa to digests
uint32_t segmentIndex;
uint32_t firstBlockIndex;
uint32_t nBlocks;
uint32_t serviceId;
};
#pragma endregion
#endif /* FAKE_H */

19
Source Code/bootstrapper/Byepervisor/hen/include/fkeys.h Normal file
View File

@@ -0,0 +1,19 @@
#ifndef FKEYS_H
#define FKEYS_H
#include <stdint.h>
struct key_area
{
uint64_t bitmask;
char pad[24];
char key_data[63][32];
};
extern struct key_area shared_area;
int register_fake_key(const char key_data[32]);
int unregister_fake_key(int key_id);
int get_fake_key(int key_id, char key_data[32]);
#endif // FKEYS_H

133
Source Code/bootstrapper/Byepervisor/hen/include/fpkg.h Normal file
View File

@@ -0,0 +1,133 @@
#ifndef FPKG_H
#define FPKG_H
#include <stdint.h>
struct NpDrmCmd5 {
uint32_t cmd;
uint32_t res;
uint64_t rif_pa;
uint32_t unk10;
};
struct NpDrmCmd6 {
uint32_t cmd;
uint32_t res;
uint64_t rif_pa;
uint8_t unk10[0x10];
uint8_t unk20[0x10];
uint32_t unk30; // 0 or 1
};
struct ClearKey {
uint32_t cmd;
uint32_t res;
uint64_t keyHandle;
};
struct Rif {
uint32_t magic;
uint16_t version;
uint16_t unk06;
uint64_t psnid;
uint64_t startTimestamp;
uint64_t endTimestamp;
uint8_t contentId[0x30];
uint16_t type;
uint16_t drmType;
uint16_t contentType;
uint16_t skuFlag;
uint64_t extraFlags;
uint32_t unk60;
uint32_t unk64;
uint32_t unk68;
uint32_t unk6C;
uint32_t unk70;
uint32_t unk74;
uint32_t unk78;
uint32_t unk7C;
uint8_t unk80[0x10];
uint8_t unk90[0x1B0];
uint8_t discKey[0x20];
uint8_t rifIv[0x10];
uint8_t rifSecret[0x90];
uint8_t rifSignature[0x100];
};
struct RifOutput {
/* 0x00 */ uint32_t version;
/* 0x04 */ uint32_t unk04;
/* 0x08 */ uint64_t psnid;
/* 0x10 */ uint64_t startTimestamp;
/* 0x18 */ uint64_t endTimestamp;
/* 0x20 */ uint64_t extraFlags;
/* 0x28 */ uint32_t type;
/* 0x2C */ uint32_t contentType;
/* 0x30 */ uint32_t skuFlag;
/* 0x34 */ uint32_t unk34;
/* 0x38 */ uint32_t unk38;
/* 0x3C */ uint32_t unk3C; //not set
/* 0x40 */ uint32_t unk40; //not set
/* 0x44 */ uint32_t unk44; //not set
/* 0x48 */ uint8_t contentId[0x30];
/* 0x78 */ uint8_t rifIv[0x10];
/* 0x88 */ uint32_t unk88;
/* 0x8C */ uint32_t unk8C;
/* 0x90 */ uint32_t unk90;
/* 0x94 */ uint32_t unk94;
/* 0x98 */ uint8_t unk98[0x10];
};
struct RifCmd5MemoryLayout {
Rif rif;
RifOutput output;
};
struct PfsmgrCmd11 {
uint32_t cmd;
uint32_t res;
uint32_t keyHandle0;
uint32_t keyHandle1; //also pubkey_ver
uint64_t tablePa;
uint64_t headerPa;
uint64_t headerCapacity;
uint64_t unk28;
uint64_t unk30;
uint64_t unk38;
uint64_t unk40;
uint64_t unk48;
uint32_t unk50;
uint8_t contentId[0x24];
};
struct sbl_chunk_table_entry
{
uint64_t pa;
uint64_t size;
};
struct sbl_chunk_table_header
{
uint64_t first_pa;
uint64_t data_size;
uint64_t used_entries;
uint64_t unk18;
sbl_chunk_table_entry entries[];
};
struct RsaBuffer {
uint8_t* ptr;
uint32_t size;
};
struct RsaKey {
const uint8_t _pad00[0x20];
const uint8_t* p;
const uint8_t* q;
const uint8_t* dmp1;
const uint8_t* dmq1;
const uint8_t* iqmp;
};
void apply_fpkg_hooks();
#endif /* FPKG_H */

148
Source Code/bootstrapper/Byepervisor/hen/include/fself.h Normal file
View File

@@ -0,0 +1,148 @@
#ifndef FSELF_H
#define FSELF_H
#define ET_EXEC 0x0002
#define ET_SCE_EXEC 0xFE00
#define ET_SCE_DYNEXEC 0xFE10
#define ET_SCE_DYNAMIC 0xFE18
extern "C" {
#include <stdint.h>
#include <sys/types.h>
#include <sys/param.h>
}
enum SelfFormat {
NONE,
ELF,
SELF
};
struct ElfHeader {
uint8_t e_ident[0x10];
uint16_t e_type;
uint16_t e_machine;
uint32_t e_version;
uint64_t e_entry;
uint64_t e_phoff;
uint64_t e_shoff;
uint32_t e_flags;
uint16_t e_ehsize;
uint16_t e_phentsize;
uint16_t e_phnum;
uint16_t e_shentsize;
uint16_t e_shnum;
uint16_t e_shstrndx;
};
struct SelfHeader {
uint32_t magic;
uint32_t unk04;
union {
uint32_t raw;
struct {
uint8_t content_type;
uint8_t program_type : 4;
uint8_t key_revision : 4;
};
};
uint16_t header_size;
uint16_t metadata_size;
uint64_t file_size;
uint16_t entry_num;
uint16_t flags;
uint8_t padding[0x4];
};
struct SelfContext {
SelfFormat format;
uint32_t authType;
uint64_t headerSize;
uint64_t currentSegmentTable;
uint32_t currentSegmentTableIndex;
uint32_t unk1C;
uint64_t unk20;
uint64_t sizeInPages; //smth like that
uint32_t serviceId;
uint32_t unk34;
union {
SelfHeader* selfHeader;
ElfHeader* elfHeader;
};
uint8_t mtx[0x20];
};
struct SelfAuthInfo {
uint64_t cr_paid;
uint64_t cr_capability[4];
uint64_t cr_attribute[4];
uint64_t cr_sharedSecret[8];
};
struct SelfFakeAuthInfo {
uint64_t size;
SelfAuthInfo info;
};
struct MailboxVerifyHeaderMessage {
uint32_t cmd;
uint32_t res;
uint64_t headerPa;
uint64_t headerSize;
uint32_t unk18;
uint32_t serviceId;
uint64_t paid;
};
struct MailboxLoadSelfSegmentMessage {
uint32_t cmd;
uint32_t res;
uint64_t pa;
uint32_t segmentIndex;
uint16_t unk14;
uint16_t unk16;
uint8_t unk18[0x18];
uint32_t serviceId;
};
struct MailboxLoadSelfBlockMessage {
uint32_t cmd;
uint32_t res;
uint64_t unk08;
uint64_t unk10;
uint64_t unk18;
uint64_t unk20;
uint64_t unk28;
uint32_t unk30;
uint32_t unk34;
uint32_t unk38;
uint32_t segmentIndex;
uint32_t blockIndex;
uint32_t serviceId;
uint8_t digest[0x20];
uint8_t ext_info[0x8];
uint16_t unk70;
uint16_t unk72;
uint16_t unk74;
};
struct MailboxLoadMultipleSelfBlocksMessage {
uint32_t cmd;
uint32_t res;
uint64_t unk08; //pa to 8 pa's of input
uint64_t unk10; //pa to 8 pa's of output (right after the above)
uint64_t unk18; //pa to digests
uint32_t segmentIndex;
uint32_t firstBlockIndex;
uint32_t nBlocks;
uint32_t serviceId;
};
int sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook(SelfContext* ctx, SelfAuthInfo* parentAuth, int pathid, SelfAuthInfo* selfAuth);
int _sceSblAuthMgrVerifySelfHeader_hook(SelfContext* ctx);
int _sceSblAuthMgrSmLoadSelfSegment_sceSblServiceMailbox(uint64_t handle, MailboxLoadSelfSegmentMessage* input, MailboxLoadSelfSegmentMessage* output);
int _sceSblAuthMgrSmLoadSelfBlock_sceSblServiceMailbox(uint64_t handle, MailboxLoadSelfBlockMessage* input, MailboxLoadSelfBlockMessage* output);
int _sceSblAuthMgrSmLoadMultipleSelfBlocks_sceSblServiceMailbox(uint64_t handle, MailboxLoadMultipleSelfBlocksMessage* input, MailboxLoadMultipleSelfBlocksMessage* output);
int sceSblACMgrGetPathId_hook(const char* path);
void apply_fself_hooks();
#endif // FSELF_H

39
Source Code/bootstrapper/Byepervisor/hen/include/hook.h Normal file
View File

@@ -0,0 +1,39 @@
#pragma once
#ifndef HOOK_H
#define HOOK_H
enum hook_id
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE = 0,
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
HOOK_TEST_DIGEST_CHECK,
HOOK_CHECK_DIR_DEPTH,
HOOK_DEVACT_IOCTL,
HOOK_MAX
};
struct hook
{
enum hook_id id;
uint64_t call_offset;
uint64_t orig_func_offset;
};
int install_raw_hook(uint64_t call_addr, void *func);
int install_hook(hook_id id, void *func);
void reset_hook(hook_id id);
int apply_test_hook();
#endif // HOOK_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_00.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_00_H
#define HOOKS_1_00_H
#include "hook.h"
struct hook g_kernel_hooks_100[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x90719b,
0x990d80
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcd71,
0x8a5850
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd4ee,
0x8a5820
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de339,
0x8a5820
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371075,
0x563a50
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37157f,
0x563a50
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371b25,
0x563a50
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcc5d,
0x5a9740
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8664bc,
0x563a50
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x866761,
0x563a50
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d5646,
0x563a50
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d506f,
0x563a50
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50db,
0x563a50
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e0dd,
0x729990
},
{
HOOK_CHECK_DIR_DEPTH,
0x59C44E,
0xB0E730
},
};
#endif // HOOKS_1_00_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_01.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_01_H
#define HOOKS_1_01_H
#include "hook.h"
struct hook g_kernel_hooks_101[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x90720b,
0x990df0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcd71,
0x8a5890
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd4ee,
0x8a58f0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de339,
0x8a58f0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371075,
0x563a70
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37157f,
0x563a70
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371b25,
0x563a70
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcc5d,
0x5a9760
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x86652c,
0x563a70
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8667d1,
0x563a70
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d5646,
0x563a70
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d506f,
0x563a70
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50db,
0x563a70
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e0dd,
0x729a00
},
{
HOOK_CHECK_DIR_DEPTH,
0x59C46E,
0xB0E7A0
},
};
#endif // HOOKS_1_01_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_02.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_02_H
#define HOOKS_1_02_H
#include "hook.h"
struct hook g_kernel_hooks_102[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x9071cb,
0x990db0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcd71,
0x8a5850
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd4ee,
0x8a58b0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de339,
0x8a58b0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371075,
0x563a80
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37157f,
0x563a80
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371b25,
0x563a80
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcc5d,
0x5a9770
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8664ec,
0x563a80
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x866791,
0x563a80
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d5646,
0x563a80
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d506f,
0x563a80
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50db,
0x563a80
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e0dd,
0x7299c0
},
{
HOOK_CHECK_DIR_DEPTH,
0x59C47E,
0xB0E760
},
};
#endif // HOOKS_1_02_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_05.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_05_H
#define HOOKS_1_05_H
#include "hook.h"
struct hook g_kernel_hooks_105[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x9079ab,
0x9915f0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcda1,
0x8a6960
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd51e,
0x8a69c0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de369,
0x8a69c0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371295,
0x563f60
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37179f,
0x563f60
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371d45,
0x563f60
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcc8d,
0x5a9c50
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8675fc,
0x563f60
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8678a1,
0x563f60
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d5676,
0x563f60
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d509f,
0x563f60
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d510b,
0x563f60
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e2fd,
0x729f30
},
{
HOOK_CHECK_DIR_DEPTH,
0x59C95E,
0xB0F120
},
};
#endif // HOOKS_1_05_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_10.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_10_H
#define HOOKS_1_10_H
#include "hook.h"
struct hook g_kernel_hooks_110[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x9079bb,
0x991600
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcde1,
0x8a6970
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd55e,
0x8a69d0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de3a9,
0x8a69d0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x3712d5,
0x563fa0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x3717df,
0x563fa0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371d85,
0x563fa0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcccd,
0x5a9c90
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x86760c,
0x563fa0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8678b1,
0x563fa0
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d56b6,
0x563fa0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50df,
0x563fa0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d514b,
0x563fa0
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e33d,
0x729f40
},
{
HOOK_CHECK_DIR_DEPTH,
0x59C99E,
0xB0F140
},
};
#endif // HOOKS_1_10_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_11.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_11_H
#define HOOKS_1_11_H
#include "hook.h"
struct hook g_kernel_hooks_111[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x907b0b,
0x991760
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcde1,
0x8a6a70
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd55e,
0x8a6ad0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de3a9,
0x8a6ad0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x3712d5,
0x563fc0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x3717df,
0x563fc0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371d85,
0x563fc0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcccd,
0x5a9cb0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x86770c,
0x563fc0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x8679b1,
0x563fc0
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d56b6,
0x563fc0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50df,
0x563fc0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d514b,
0x563fc0
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e33d,
0x72a030
},
{
HOOK_CHECK_DIR_DEPTH,
0x59C9BE,
0xB0F210
},
};
#endif // HOOKS_1_11_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_12.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_12_H
#define HOOKS_1_12_H
#include "hook.h"
struct hook g_kernel_hooks_112[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x907c5b,
0x36cabc
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcde1,
0x8a6bc0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd55e,
0x8a6c20
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de3a9,
0x8a6c20
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371305,
0x564030
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37180f,
0x564030
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371db5,
0x564030
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcccd,
0x5a9d20
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x86785c,
0x564030
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x867b01,
0x564030
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d56b6,
0x564030
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50df,
0x564030
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d514b,
0x564030
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e33d,
0x72a180
},
{
HOOK_CHECK_DIR_DEPTH,
0x59CA2E,
0xB0F360
},
};
#endif // HOOKS_1_12_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_13.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_13_H
#define HOOKS_1_13_H
#include "hook.h"
struct hook g_kernel_hooks_113[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x907c2b,
0x991880
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcde1,
0x8a6b70
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd55e,
0x8a6bd0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de3a9,
0x8a6bd0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371305,
0x564030
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37180f,
0x564030
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371db5,
0x564030
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcccd,
0x5a9d20
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x86780c,
0x564030
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x867ab1,
0x564030
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d56b6,
0x564030
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50df,
0x564030
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d514b,
0x564030
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e33d,
0x72a130
},
{
HOOK_CHECK_DIR_DEPTH,
0x59CA2E,
0xB0F330
},
};
#endif // HOOKS_1_13_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/1_14.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_1_14_H
#define HOOKS_1_14_H
#include "hook.h"
struct hook g_kernel_hooks_114[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x9081db,
0x991e30
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2dcde1,
0x8a6be0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x2dd55e,
0x8a6c40
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x2de3a9,
0x8a6c40
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x371305,
0x564050
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x37180f,
0x564050
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x371db5,
0x564050
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2dcccd,
0x5a9d40
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x86787c,
0x564050
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x867b21,
0x564050
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d56b6,
0x564050
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d50df,
0x564050
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2d514b,
0x564050
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x32e33d,
0x72a1a0
},
{
HOOK_CHECK_DIR_DEPTH,
0x59CA4E,
0xB0F8E0
},
};
#endif // HOOKS_1_14_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/2_00.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_2_00_H
#define HOOKS_2_00_H
#include "hook.h"
struct hook g_kernel_hooks_200[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x92976b,
0x9b7840
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2915a1,
0x8c2da0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x291d29,
0x8c2e00
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x292b4b,
0x8c2e00
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x32c915,
0x534060
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x32cdff,
0x534060
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x32d3a5,
0x534060
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x29148d,
0x580890
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87d60c,
0x534060
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87d8b1,
0x534060
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x28a116,
0x534060
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289b3f,
0x534060
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289bab,
0x534060
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x2e587d,
0x725e40
},
{
HOOK_CHECK_DIR_DEPTH,
0x5723DE,
0xB4C940
},
};
#endif // HOOKS_2_00_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/2_20.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_2_20_H
#define HOOKS_2_20_H
#include "hook.h"
struct hook g_kernel_hooks_220[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x929c2b,
0x9b7d00
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2915e1,
0x8c3250
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x291d69,
0x8c32a0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x292b8b,
0x8c32a0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x32c955,
0x5340b0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x32ce3f,
0x5340b0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x32d3e5,
0x5340b0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2914cd,
0x580a00
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87daac,
0x5340b0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87dd51,
0x5340b0
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x28a156,
0x5340b0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289b7f,
0x5340b0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289beb,
0x5340b0
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x2e58bd,
0x726300
},
{
HOOK_CHECK_DIR_DEPTH,
0x57254E,
0xB4D2B0
},
};
#endif // HOOKS_2_20_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/2_25.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_2_25_H
#define HOOKS_2_25_H
#include "hook.h"
struct hook g_kernel_hooks_225[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x929cdb,
0x9b7db0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2915e1,
0x8c32f0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x291d69,
0x8c3350
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x292b8b,
0x8c3350
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x32c955,
0x534160
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x32ce3f,
0x534160
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x32d3e5,
0x534160
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2914cd,
0x580ab0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87db5c,
0x534160
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87de01,
0x534160
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x28a156,
0x534160
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289b7f,
0x534160
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289beb,
0x534160
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x2e58bd,
0x7263b0
},
{
HOOK_CHECK_DIR_DEPTH,
0x5725FE,
0xB4D440
},
};
#endif // HOOKS_2_25_H

84
Source Code/bootstrapper/Byepervisor/hen/include/hooks/2_26.h Normal file
View File

@@ -0,0 +1,84 @@
#ifndef HOOKS_2_26_H
#define HOOKS_2_26_H
#include "hook.h"
struct hook g_kernel_hooks_226[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x929d0b,
0x9b7de0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2915e1,
0x8c3320
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x291d69,
0x8c3380
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x292b8b,
0x8c3380
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x32c955,
0x534160
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x32ce3f,
0x534160
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x32d3e5,
0x534160
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2914cd,
0x580ab0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87db8c,
0x534160
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87de31,
0x534160
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x28a156,
0x534160
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289b7f,
0x534160
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289beb,
0x534160
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x2e58bd,
0x7263b0
},
{
HOOK_CHECK_DIR_DEPTH,
0x5725FE,
0xB4D470
},
};
#endif // HOOKS_2_26_H

90
Source Code/bootstrapper/Byepervisor/hen/include/hooks/2_30.h Normal file
View File

@@ -0,0 +1,90 @@
#ifndef HOOKS_2_30_H
#define HOOKS_2_30_H
#include "hook.h"
struct hook g_kernel_hooks_230[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x929fdb,
0x9b80b0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2912c1,
0x8c35f0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x291a49,
0x8c3650
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x29286b,
0x8c3650
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x32c635,
0x5340c0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x32cb1f,
0x5340c0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x32d0c5,
0x5340c0
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2911ad,
0x580d80
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87de5c,
0x5340c0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87e101,
0x5340c0
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289e36,
0x5340c0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x28985f,
0x5340c0
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2898cb,
0x5340c0
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x2e559d,
0x726680
},
{
HOOK_CHECK_DIR_DEPTH,
0x5728CE,
0xB4D890
},
{
HOOK_DEVACT_IOCTL,
0x2679D8,
0x93BA40 //devact_ioctl,
}
};
#endif // HOOKS_2_30_H

91
Source Code/bootstrapper/Byepervisor/hen/include/hooks/2_50.h Normal file
View File

@@ -0,0 +1,91 @@
#ifndef HOOKS_2_50_H
#define HOOKS_2_50_H
#include "hook.h"
struct hook g_kernel_hooks_250[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
0x92A1EB,
0x9B8350
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE,
0x2913C1,
0x8C3800
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER,
0x291B49,
0x8C3860
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME,
0x29296B,
0x8C3860
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT,
0x32C735,
0x534220
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK,
0x32CC1F,
0x534220
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS,
0x32D1C5,
0x534220
},
{
HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID,
0x2912AD,
0x580EE0
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87E06C,
0x534220
},
{
HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX,
0x87E311,
0x534220
},
{
HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX,
0x289F36,
0x534220
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX,
0x28995F,
0x534220
},
{
HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX,
0x2899CB,
0x534220
},
{
HOOK_FPKG_SCE_SBL_SERVICE_CRYPT_ASYNC_CALL_CCP_MSG_ENQUEUE,
0x2E569D,
0x726700
},
{
HOOK_CHECK_DIR_DEPTH,
0x572A2E,
0xB4DB30
},
{
HOOK_DEVACT_IOCTL,
0x268D28,
0x93BCC0
}
};
#endif // HOOKS_2_50_H

52
Source Code/bootstrapper/Byepervisor/hen/include/kdlsym.h Normal file
View File

@@ -0,0 +1,52 @@
#pragma once
#ifndef KDLSYM_H
#define KDLSYM_H
#include <stdint.h>
typedef enum {
KERNEL_SYM_TEXT_END,
KERNEL_SYM_DMPML4I,
KERNEL_SYM_DMPDPI,
KERNEL_SYM_PML4PML4I,
KERNEL_SYM_PMAP_STORE,
KERNEL_SYM_DATA_CAVE,
KERNEL_SYM_PRINTF,
KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2,
KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO,
KERNEL_SYM_SCESBLACMGRGETPATHID,
KERNEL_SYM_M_TEMP,
KERNEL_SYM_MALLOC,
KERNEL_SYM_FREE,
KERNEL_SYM_MINI_SYSCORE_BIN,
KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER,
KERNEL_SYM_SCESBLSERVICEMAILBOX,
KERNEL_SYM_CTXTABLE_MTX,
KERNEL_SYM_CTXSTATUS,
KERNEL_SYM_CTXTABLE,
KERNEL_SYM_MTX_LOCK_FLAGS,
KERNEL_SYM_MTX_UNLOCK_FLAGS,
KERNEL_SYM_RW_MEM,
KERNEL_SYM_ALLPROC,
KERNEL_SYM_VM_MAP_LOCK_READ,
KERNEL_SYM_VM_MAP_UNLOCK_READ,
KERNEL_SYM_VM_MAP_LOOKUP_ENTRY,
KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT,
KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT,
KERNEL_SYM_FPU_KERN_ENTER,
KERNEL_SYM_FPU_KERN_LEAVE,
KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE,
KERNEL_SYM_SHA256_HMAC,
KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC,
KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC,
KERNEL_SYM_SYS_FOPEN,
KERNEL_SYM_DEVACTIOCTL,
KERNEL_SYM_MAX,
} ksym_t;
void init_kdlsym(uint64_t fw_ver, uint64_t kernel_base);
uint64_t get_fw_version();
uint64_t kdlsym(ksym_t sym);
uint64_t ktext(uint64_t offset);
#endif // KDLSYM_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_00.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_00_H
#define OFFSETS_1_00_H
uint64_t g_sym_map_100[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF540, // KERNEL_SYM_DMPML4I
0x4ADF544, // KERNEL_SYM_DMPDPI
0x4ADF29C, // KERNEL_SYM_PML4PML4I
0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x04A0070, // KERNEL_SYM_PRINTF
0x08A5820, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A63D0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9740, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457540, // KERNEL_SYM_M_TEMP
0x0A9C6A0, // KERNEL_SYM_MALLOC
0x0A9CA50, // KERNEL_SYM_FREE
0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A5880, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0563A50, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
0x38AC380, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907510, // KERNEL_SYM_RW_MEM
0x4211BF8, // KERNEL_SYM_ALLPROC
0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059EC40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059ED40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x0689380, // KERNEL_SYM_FPU_KERN_ENTER
0x06894E0, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0814F30, // KERNEL_SYM_SHA256_HMAC
0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0729A50, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF170, // SYS_FOPEN
};
#endif // OFFSETS_1_00_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_01.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_01_H
#define OFFSETS_1_01_H
uint64_t g_sym_map_101[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF540, // KERNEL_SYM_DMPML4I
0x4ADF544, // KERNEL_SYM_DMPDPI
0x4ADF29C, // KERNEL_SYM_PML4PML4I
0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x04A0070, // KERNEL_SYM_PRINTF
0x08A5890, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A6440, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9760, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457540, // KERNEL_SYM_M_TEMP
0x0A9C710, // KERNEL_SYM_MALLOC
0x0A9CAC0, // KERNEL_SYM_FREE
0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A58F0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0563A70, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
0x38AC380, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907580, // KERNEL_SYM_RW_MEM
0x4211BF8, // KERNEL_SYM_ALLPROC
0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059EC60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059ED60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x06893A0, // KERNEL_SYM_FPU_KERN_ENTER
0x0689500, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0814FA0, // KERNEL_SYM_SHA256_HMAC
0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0729AC0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF170, // SYS_FOPEN
};
#endif // OFFSETS_1_01_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_02.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_02_H
#define OFFSETS_1_02_H
uint64_t g_sym_map_102[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF540, // KERNEL_SYM_DMPML4I
0x4ADF544, // KERNEL_SYM_DMPDPI
0x4ADF29C, // KERNEL_SYM_PML4PML4I
0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x04A0070, // KERNEL_SYM_PRINTF
0x08A5850, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A6400, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9770, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457540, // KERNEL_SYM_M_TEMP
0x0A9C6D0, // KERNEL_SYM_MALLOC
0x0A9CA80, // KERNEL_SYM_FREE
0x28D1C48, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A58B0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0563A80, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC358, // KERNEL_SYM_CTXTABLE_MTX
0x38AC380, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B04D0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B09C0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907540, // KERNEL_SYM_RW_MEM
0x4211BF8, // KERNEL_SYM_ALLPROC
0x030D7B0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D7F0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DCC0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059EC70, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059ED70, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x06893B0, // KERNEL_SYM_FPU_KERN_ENTER
0x0689510, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B200, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0814F60, // KERNEL_SYM_SHA256_HMAC
0x032E0D0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0729A80, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF170, // SYS_FOPEN
};
#endif // OFFSETS_1_02_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_05.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_05_H
#define OFFSETS_1_05_H
uint64_t g_sym_map_105[] = {
0x0b30000, // KERNEL_SYM_TEXT_END
0x4adf5b0, // KERNEL_SYM_DMPML4I
0x4adf5b4, // KERNEL_SYM_DMPDPI
0x4adf30c, // KERNEL_SYM_PML4PML4I
0x4adf328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
0x04a05a0, // KERNEL_SYM_PRINTF
0x08a6960, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08a7510, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05a9c50, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457580, // KERNEL_SYM_M_TEMP
0x0a9cf90, // KERNEL_SYM_MALLOC
0x0a9d340, // KERNEL_SYM_FREE
0x28d1c58, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08a69c0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0563f60, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38ac368, // KERNEL_SYM_CTXTABLE_MTX
0x38ac390, // KERNEL_SYM_CTXSTATUS
0x38ac3a0, // KERNEL_SYM_CTXTABLE
0x04b0a00, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04b0ef0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907d20, // KERNEL_SYM_RW_MEM
0x4211c18, // KERNEL_SYM_ALLPROC
0x030d860, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030d8a0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030dd70, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059f150, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059f250, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x06898d0, // KERNEL_SYM_FPU_KERN_ENTER
0x0689a30, // KERNEL_SYM_FPU_KERN_LEAVE
0x040b6d0, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0816070, // KERNEL_SYM_SHA256_HMAC
0x032e2f0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0729ff0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF600, // SYS_FOPEN
};
#endif // OFFSETS_1_05_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_10.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_10_H
#define OFFSETS_1_10_H
uint64_t g_sym_map_110[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
0x04A05E0, // KERNEL_SYM_PRINTF
0x08A6970, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A7520, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9C90, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457580, // KERNEL_SYM_M_TEMP
0x0A9CFB0, // KERNEL_SYM_MALLOC
0x0A9D360, // KERNEL_SYM_FREE
0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A69D0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0563FA0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
0x38AC390, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B0A40, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B0F30, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907D30, // KERNEL_SYM_RW_MEM
0x4211C18, // KERNEL_SYM_ALLPROC
0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059F190, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059F290, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x0689930, // KERNEL_SYM_FPU_KERN_ENTER
0x0689A90, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B710, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0816080, // KERNEL_SYM_SHA256_HMAC
0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x072A000, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF640, // SYS_FOPEN
};
#endif // OFFSETS_1_10_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_11.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_11_H
#define OFFSETS_1_11_H
uint64_t g_sym_map_111[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE // NEEDS TO BE CHECKED
0x04A05E0, // KERNEL_SYM_PRINTF
0x08A6A70, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A7620, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9CB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457580, // KERNEL_SYM_M_TEMP
0x0A9D110, // KERNEL_SYM_MALLOC
0x0A9D370, // KERNEL_SYM_FREE
0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A6AD0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0563FC0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
0x38AC390, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B0A40, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B0F30, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907E80, // KERNEL_SYM_RW_MEM
0x4211C18, // KERNEL_SYM_ALLPROC
0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059F1B0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059F2B0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x06899D0, // KERNEL_SYM_FPU_KERN_ENTER
0x0689B30, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B710, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0816170, // KERNEL_SYM_SHA256_HMAC
0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x072A0F0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF640, // SYS_FOPEN
};
#endif // OFFSETS_1_11_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_12.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_12_H
#define OFFSETS_1_12_H
uint64_t g_sym_map_112[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x04A0640, // KERNEL_SYM_PRINTF
0x08A6BC0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A7770, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9D20, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x3457580, // KERNEL_SYM_M_TEMP
0x0A9D260, // KERNEL_SYM_MALLOC
0x0A9D4C0, // KERNEL_SYM_FREE
0x28D1C58, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A6C20, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0564030, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
0x38AC390, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907FD0, // KERNEL_SYM_RW_MEM
0x4211C18, // KERNEL_SYM_ALLPROC
0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059F220, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059F320, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x0689B20, // KERNEL_SYM_FPU_KERN_ENTER
0x0689C80, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x08162C0, // KERNEL_SYM_SHA256_HMAC
0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x072A240, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF6A0, // SYS_FOPEN
};
#endif // OFFSETS_1_12_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_13.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_13_H
#define OFFSETS_1_13_H
uint64_t g_sym_map_113[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x04A0640, // KERNEL_SYM_PRINTF
0x08A6B70, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A7720, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9D20, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34575C0, // KERNEL_SYM_M_TEMP
0x0A9D230, // KERNEL_SYM_MALLOC
0x0A9D490, // KERNEL_SYM_FREE
0x28D1CB8, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A6BD0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0564030, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC368, // KERNEL_SYM_CTXTABLE_MTX
0x38AC390, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0907FA0, // KERNEL_SYM_RW_MEM
0x4211C18, // KERNEL_SYM_ALLPROC
0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059F220, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059F320, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x0689B20, // KERNEL_SYM_FPU_KERN_ENTER
0x0689C80, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0816270, // KERNEL_SYM_SHA256_HMAC
0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x072A1F0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF6A0, // SYS_FOPEN
};
#endif // OFFSETS_1_13_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/1_14.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_1_14_H
#define OFFSETS_1_14_H
uint64_t g_sym_map_114[] = {
0x0B30000, // KERNEL_SYM_TEXT_END
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x04A0640, // KERNEL_SYM_PRINTF
0x08A6BE0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08A7790, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x05A9D40, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34575C0, // KERNEL_SYM_M_TEMP
0x0A9D7E0, // KERNEL_SYM_MALLOC
0x0A9DA40, // KERNEL_SYM_FREE
0x2805CB8, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08A6C40, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0564050, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x38AC368, // KERNEL_SYM_CTXTABLE_MTX // NEEDS TO BE CHECKED
0x38AC390, // KERNEL_SYM_CTXSTATUS
0x38AC3A0, // KERNEL_SYM_CTXTABLE
0x04B0AA0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x04B0F90, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0908550, // KERNEL_SYM_RW_MEM
0x4211C18, // KERNEL_SYM_ALLPROC
0x030D8A0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x030D8E0, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x030DDB0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x059F240, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x059F340, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x0689B40, // KERNEL_SYM_FPU_KERN_ENTER
0x0689CA0, // KERNEL_SYM_FPU_KERN_LEAVE
0x040B770, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x08162E0, // KERNEL_SYM_SHA256_HMAC
0x032E330, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x072A260, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x03AF6A0, // SYS_FOPEN
};
#endif // OFFSETS_1_14_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/2_00.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_2_00_H
#define OFFSETS_2_00_H
static uint64_t g_sym_map_200[] = {
0x0B70000, // KERNEL_SYM_TEXT_END
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0468450, // KERNEL_SYM_PRINTF
0x08C2DA0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08C3940, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x0580890, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34D31F0, // KERNEL_SYM_M_TEMP
0x0AD1450, // KERNEL_SYM_MALLOC
0x0AD1680, // KERNEL_SYM_FREE
0x27FB448, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08C2E00, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0534060, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x3910370, // KERNEL_SYM_CTXTABLE_MTX
0x3910390, // KERNEL_SYM_CTXSTATUS
0x39103A0, // KERNEL_SYM_CTXTABLE
0x047AD10, // KERNEL_SYM_MTX_LOCK_FLAGS
0x047B200, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0929AF0, // KERNEL_SYM_RW_MEM
0x4281C28, // KERNEL_SYM_ALLPROC
0x02C3BD0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x02C3C10, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x02C40E0, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x0574C40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x0574D40, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x067A460, // KERNEL_SYM_FPU_KERN_ENTER
0x067A590, // KERNEL_SYM_FPU_KERN_LEAVE
0x03CDC30, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x08252C0, // KERNEL_SYM_SHA256_HMAC
0x02E5870, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0725F00, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x036D890, // SYS_FOPEN
};
#endif // OFFSETS_2_00_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/2_20.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_2_20_H
#define OFFSETS_2_20_H
uint64_t g_sym_map_220[] = {
0x0B70000, // KERNEL_SYM_TEXT_END
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x04684A0, // KERNEL_SYM_PRINTF
0x08C3240, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08C3DE0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x0580A00, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34D32F0, // KERNEL_SYM_M_TEMP
0x0AD1910, // KERNEL_SYM_MALLOC
0x0AD1B40, // KERNEL_SYM_FREE
0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08C32A0, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x05340B0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x3910370, // KERNEL_SYM_CTXTABLE_MTX
0x3910390, // KERNEL_SYM_CTXSTATUS
0x39103A0, // KERNEL_SYM_CTXTABLE
0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x0929FB0, // KERNEL_SYM_RW_MEM
0x4281C28, // KERNEL_SYM_ALLPROC
0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x0574DB0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x0574EB0, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x067A610, // KERNEL_SYM_FPU_KERN_ENTER
0x067A740, // KERNEL_SYM_FPU_KERN_LEAVE
0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0825760, // KERNEL_SYM_SHA256_HMAC
0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x07263C0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x036D8D0, // SYS_FOPEN
};
#endif // OFFSETS_2_20_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/2_25.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_2_25_H
#define OFFSETS_2_25_H
uint64_t g_sym_map_225[] = {
0x0B70000, // KERNEL_SYM_TEXT_END
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x04684A0, // KERNEL_SYM_PRINTF
0x08C32F0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08C3E90, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x0580AB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34D32F0, // KERNEL_SYM_M_TEMP
0x0AD19C0, // KERNEL_SYM_MALLOC
0x0AD1BF0, // KERNEL_SYM_FREE
0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08C3350, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0534160, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x3910370, // KERNEL_SYM_CTXTABLE_MTX
0x3910390, // KERNEL_SYM_CTXSTATUS
0x39103A0, // KERNEL_SYM_CTXTABLE
0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x092A060, // KERNEL_SYM_RW_MEM
0x4281C28, // KERNEL_SYM_ALLPROC
0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x0574E60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x0574F60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x067A6C0, // KERNEL_SYM_FPU_KERN_ENTER
0x067A7F0, // KERNEL_SYM_FPU_KERN_LEAVE
0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0825810, // KERNEL_SYM_SHA256_HMAC
0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0726470, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x036D8D0, // SYS_FOPEN
};
#endif // OFFSETS_2_25_H

42
Source Code/bootstrapper/Byepervisor/hen/include/offsets/2_26.h Normal file
View File

@@ -0,0 +1,42 @@
#ifndef OFFSETS_2_26_H
#define OFFSETS_2_26_H
uint64_t g_sym_map_226[] = {
0x0B70000, // KERNEL_SYM_TEXT_END
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x04684A0, // KERNEL_SYM_PRINTF
0x08C3320, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08C3EC0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x0580AB0, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34D32F0, // KERNEL_SYM_M_TEMP
0x0AD19F0, // KERNEL_SYM_MALLOC
0x0AD1C20, // KERNEL_SYM_FREE
0x2818488, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08C3380, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0534160, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x3910370, // KERNEL_SYM_CTXTABLE_MTX
0x3910390, // KERNEL_SYM_CTXSTATUS
0x39103A0, // KERNEL_SYM_CTXTABLE
0x047AD60, // KERNEL_SYM_MTX_LOCK_FLAGS
0x047B250, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x092A090, // KERNEL_SYM_RW_MEM
0x4281C28, // KERNEL_SYM_ALLPROC
0x02C3C10, // KERNEL_SYM_VM_MAP_LOCK_READ
0x02C3C50, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x02C4120, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x0574E60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x0574F60, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x067A6C0, // KERNEL_SYM_FPU_KERN_ENTER
0x067A7F0, // KERNEL_SYM_FPU_KERN_LEAVE
0x03CDC80, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0825840, // KERNEL_SYM_SHA256_HMAC
0x02E58B0, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0726470, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x036D8D0, // SYS_FOPEN
};
#endif // OFFSETS_2_26_H

44
Source Code/bootstrapper/Byepervisor/hen/include/offsets/2_30.h Normal file
View File

@@ -0,0 +1,44 @@
#ifndef OFFSETS_2_30_H
#define OFFSETS_2_30_H
uint64_t g_sym_map_230[] = {
0x0B70000, // KERNEL_SYM_TEXT_END
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0468400, // KERNEL_SYM_PRINTF
0x08C35F0, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08C4190, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x0580D80, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34D3470, // KERNEL_SYM_M_TEMP
0x0AD1E00, // KERNEL_SYM_MALLOC
0x0AD2030, // KERNEL_SYM_FREE
0x286E628, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08C3650, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x05340C0, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x3910370, // KERNEL_SYM_CTXTABLE_MTX
0x3910390, // KERNEL_SYM_CTXSTATUS
0x39103A0, // KERNEL_SYM_CTXTABLE
0x047ACC0, // KERNEL_SYM_MTX_LOCK_FLAGS
0x047B1B0, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x092A360, // KERNEL_SYM_RW_MEM
0x4281C28, // KERNEL_SYM_ALLPROC
0x02C38F0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x02C3930, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x02C3E00, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x0575130, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x0575230, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x067A990, // KERNEL_SYM_FPU_KERN_ENTER
0x067AAC0, // KERNEL_SYM_FPU_KERN_LEAVE
0x03CD980, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0825B10, // KERNEL_SYM_SHA256_HMAC
0x02E5590, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x0726740, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x036D5B0, // SYS_FOPEN
0x093BA40, //KERNEL_SYM_DEVACTIOCTL
};
#endif // OFFSETS_2_30_H

43
Source Code/bootstrapper/Byepervisor/hen/include/offsets/2_50.h Normal file
View File

@@ -0,0 +1,43 @@
#ifndef OFFSETS_2_50_H
#define OFFSETS_2_50_H
uint64_t g_sym_map_250[] = {
0x0B70000, // KERNEL_SYM_TEXT_END
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0468560, // KERNEL_SYM_PRINTF
0x08C3800, // KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2
0x08C43A0, // KERNEL_SYM_SCESBLAUTHMGRGETSELFINFO
0x0580EE0, // KERNEL_SYM_SCESBLACMGRGETPATHID
0x34D34B0, // KERNEL_SYM_M_TEMP
0x0AD20A0, // KERNEL_SYM_MALLOC
0x0AD22D0, // KERNEL_SYM_FREE
0x286E628, // KERNEL_SYM_MINI_SYSCORE_BIN
0x08C3860, // KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER
0x0534220, // KERNEL_SYM_SCESBLSERVICEMAILBOX
0x3910370, // KERNEL_SYM_CTXTABLE_MTX
0x3910390, // KERNEL_SYM_CTXSTATUS
0x39103A0, // KERNEL_SYM_CTXTABLE
0x047AE20, // KERNEL_SYM_MTX_LOCK_FLAGS
0x047B310, // KERNEL_SYM_MTX_UNLOCK_FLAGS
0x092A570, // KERNEL_SYM_RW_MEM
0x4281C28, // KERNEL_SYM_ALLPROC
0x02C39F0, // KERNEL_SYM_VM_MAP_LOCK_READ
0x02C3A30, // KERNEL_SYM_VM_MAP_UNLOCK_READ
0x02C3F00, // KERNEL_SYM_VM_MAP_LOOKUP_ENTRY
0x0575290, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT
0x0575390, // KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT
0x067AA10, // KERNEL_SYM_FPU_KERN_ENTER
0x067AB40, // KERNEL_SYM_FPU_KERN_LEAVE
0x03CDAB0, // KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE
0x0825D20, // KERNEL_SYM_SHA256_HMAC
0x02E5690, // KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC
0x07267C0, // KERNEL_SYM_SCE_SBL_FINALIZE_CRYPT_ASYNC
0x036D6D0, // SYS_FOPEN
0x093BCC0 //
};
#endif // OFFSETS_2_50_H

6
Source Code/bootstrapper/Byepervisor/hen/include/patch_shellcore.h Normal file
View File

@@ -0,0 +1,6 @@
#ifndef PATCH_SHELLCORE_H
#define PATCH_SHELLCORE_H
void apply_shellcore_patches();
#endif // PATCH_SHELLCORE_H

14
Source Code/bootstrapper/Byepervisor/hen/include/proc.h Normal file
View File

@@ -0,0 +1,14 @@
#ifndef PROC_H
#define PROC_H
#define PROC_OFFSET_P_PID 0x0BC
#define PROC_OFFSET_P_VMSPACE 0x200
#define PROC_OFFSET_P_COMM 0x564
#define VM_ENTRY_OFFSET_NEXT 0x008
#define VM_ENTRY_OFFSET_START 0x020
#define VM_ENTRY_OFFSET_PROT 0x064
#define VM_ENTRY_OFFSET_NAME 0x142
#endif // PROC_H

242
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/1_00.h Normal file
View File

@@ -0,0 +1,242 @@
#ifndef SHELLCORE_PATCHES_1_00
#define SHELLCORE_PATCHES_1_00
#include "common.h"
struct patch g_shellcore_patches_100[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1e6a93,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1e6adf,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1e6b4b,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91d263,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91d2af,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91d31b,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9a96e2,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xb70733,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xb7077f,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xb707eb,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x42ef81,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x11e56f5,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371137,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371172,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371501,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x47af30,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x1DDB1B,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x1DDB98,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x1DDC9B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x1DDD6F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x1DE1DA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x1DE3AE,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x1DE75E,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x1DE824,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x41C6D7,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x41C7EC,
"\xEB",
1
}
};
#endif // SHELLCORE_PATCHES_1_00

242
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/1_02.h Normal file
View File

@@ -0,0 +1,242 @@
#ifndef SHELLCORE_PATCHES_1_02
#define SHELLCORE_PATCHES_1_02
#include "common.h"
struct patch g_shellcore_patches_102[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1e6a93,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1e6adf,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1e6b4b,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91d263,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91d2af,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91d31b,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9a96e2,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xb70733,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xb7077f,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xb707eb,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x42ef81,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x11e544e,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371137,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371172,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371501,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x47af30,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x1DDB1B,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x1DDB98,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x1DDC9B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x1DDD6F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x1DE1DA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x1DE3AE,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x1DE75E,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x1DE824,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x41C6D7,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x41C7EC,
"\xEB",
1
}
};
#endif // SHELLCORE_PATCHES_1_02

242
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/1_12.h Normal file
View File

@@ -0,0 +1,242 @@
#ifndef SHELLCORE_PATCHES_1_12
#define SHELLCORE_PATCHES_1_12
#include "common.h"
struct patch g_shellcore_patches_112[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1E69E3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1E6A2F,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1E6A9B,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91D9B3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91D9FF,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91DA6B,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9A9E42,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xB70F13,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xB70F5F,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xB70FCB,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x42F411,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x11E9EEE,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371547,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371582,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371911,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x47B3C0,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x1DDAFB,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x1DDB78,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x1DDC7B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x1DDD4F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x1DE1BA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x1DE38E,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x1DE73E,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x1DE804,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x41CB67,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x41CC7C,
"\xEB",
1
}
};
#endif // SHELLCORE_PATCHES_1_12

242
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/1_14.h Normal file
View File

@@ -0,0 +1,242 @@
#ifndef SHELLCORE_PATCHES_1_14
#define SHELLCORE_PATCHES_1_14
#include "common.h"
struct patch g_shellcore_patches_114[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1E69E3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1E6A2F,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x1E6A9B,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91DC83,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91DCCF,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x91DD3B,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9AA102,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xB711D3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xB7121F,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xB7128B,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x42F511,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x11E9741,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371547,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371582,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x371911,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x47B5C0,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x1DDAFB,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x1DDB78,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x1DDC7B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x1DDD4F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x1DE1BA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x1DE38E,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x1DE73E,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x1DE804,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x41CBC7,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x41CCDC,
"\xEB",
1
}
};
#endif // SHELLCORE_PATCHES_1_14

251
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_00.h Normal file
View File

@@ -0,0 +1,251 @@
#ifndef SHELLCORE_PATCHES_2_00
#define SHELLCORE_PATCHES_2_00
#include "common.h"
struct patch g_shellcore_patches_200[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21E513,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21E55C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21E5CC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D4433,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D447C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D44EC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA62A32,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC61D13,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC61D5C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC61DCC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49C0D1,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x136DE1C,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3764,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D379F,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3B2E,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4E7020,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x21585B,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x2158D8,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x2159DB,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x215AAF,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x215F1A,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x2160EE,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x2164A5,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x216542,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x487847,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x48795C,
"\xEB",
1
},
{
/*
* PKG Installer Patch
*/
0x4897B0,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_00

251
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_20.h Normal file
View File

@@ -0,0 +1,251 @@
#ifndef SHELLCORE_PATCHES_2_20
#define SHELLCORE_PATCHES_2_20
#include "common.h"
struct patch g_shellcore_patches_220[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21E7B3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21E7FC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21E86C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D4783,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D47CC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D483C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA62D92,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC62073,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC620BC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC6212C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49C421,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x1371F7E,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3A34,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3A6F,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3DFE,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4E7370,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x215AFB,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x215B78,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x215C7B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x215D4F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x2161BA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x21638E,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x216745,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x2167E2,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x487B97,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x487CAC,
"\xEB",
1
},
{
/*
* PKG Installer Patch
*/
0x489B00,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_20

252
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_25.h Normal file
View File

@@ -0,0 +1,252 @@
#ifndef SHELLCORE_PATCHES_2_25
#define SHELLCORE_PATCHES_2_25
#include "common.h"
struct patch g_shellcore_patches_225[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21ED03,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21ED4C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x21EDBC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D4CD3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D4D1C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D4D8C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA632D2,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC625B3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC625FC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC6266C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49C971,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x1371C5F,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3F84,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D3FBF,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D434E,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4E78C0,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x215AFB,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x215B78,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x215C7B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x215D4F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x2161BA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x21638E,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x216745,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x2167E2,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x4880E7,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x4881FC,
"\xEB",
1
},
{
/*
* PKG Installer Patch
*/
0x48A050,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_25

251
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_26.h Normal file
View File

@@ -0,0 +1,251 @@
#ifndef SHELLCORE_PATCHES_2_26
#define SHELLCORE_PATCHES_2_26
#include "common.h"
struct patch g_shellcore_patches_226[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x220473,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x2204BC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x22052C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D6483,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D64CC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D653C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA64A92,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC63D73,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC63DBC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC63E2C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49E121,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x13724D4,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D56F4,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D572F,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D5ABE,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4E9070,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x21726B,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x2172E8,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x2173EB,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x2174BF,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x21792A,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x217AFE,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x217EB5,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x217F52,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x489897,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x4899C3,
"\xEB",
1
},
{
/*
* PKG Installer Patch
*/
0x48B800,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_26

251
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_30.h Normal file
View File

@@ -0,0 +1,251 @@
#ifndef SHELLCORE_PATCHES_2_30
#define SHELLCORE_PATCHES_2_30
#include "common.h"
struct patch g_shellcore_patches_230[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x220623,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x22066C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x2206DC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D7043,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D708C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D70FC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA65652,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC64933,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC6497C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC649EC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49E8C1,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x1371BFD,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D5E94,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D5ECF,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D625E,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4E9890,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x21741B,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x217498,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x21759B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x21766F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x217ADA,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x217CAE,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x218065,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x218102,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x48A037,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x48A14C,
"\xEB",
1
},
{
/*
* PKG Installer Patch
*/
0x48BFA0,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_30

251
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_50.h Normal file
View File

@@ -0,0 +1,251 @@
#ifndef SHELLCORE_PATCHES_2_50
#define SHELLCORE_PATCHES_2_50
#include "common.h"
struct patch g_shellcore_patches_250[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x2203C3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x22040C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x22047C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D83F3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D843C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D84AC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA669F2,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC65CD3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC65D1C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC65D8C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49FC71,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x1376A0B,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D7244,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D727F,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D760E,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4EAC40,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x2171BB,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x217238,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x21733B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x21740F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x21787A,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x217A4E,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x217E05,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x217EA2,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x48B3E7,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x48B4FC,
"\xEB",
1
},
{
/*
* PKG Installer
*/
0x48D350,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_50

251
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/2_70.h Normal file
View File

@@ -0,0 +1,251 @@
#ifndef SHELLCORE_PATCHES_2_70
#define SHELLCORE_PATCHES_2_70
#include "common.h"
struct patch g_shellcore_patches_270[] = {
{
/*
* xor eax, eax; nop; nop; nop
*/
0x2203C3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x22040C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x22047C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D83F3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D843C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0x9D84AC,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xA669F2,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC65CD3,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC65D1C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* xor eax, eax; nop; nop; nop
*/
0xC65D8C,
"\x31\xC0\x90\x90\x90",
5
},
{
/*
* longjmp
*/
0x49FC71,
"\x90\xE9",
2
},
{
/*
* strfree
*/
0x13767F5,
"\x66\x72\x65\x65",
4
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D7244,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D727F,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; nop
*/
0x3D760E,
"\x31\xC0\xFF\xC0\x90",
5
},
{
/*
* xor eax, eax; inc eax; ret
*/
0x4EAC40,
"\x31\xC0\xFF\xC0\xC3",
5
},
{
/*
* PS4 Disc Installer Patch 1
*/
0x2171BB,
"\x90\xE9",
2
},
{
/*
* PS5 Disc Installer Patch 1
*/
0x217238,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 1
*/
0x21733B,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 1
*/
0x21740F,
"\xEB",
1
},
{
/*
* PS4 PKG Installer Patch 2
*/
0x21787A,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 2
*/
0x217A4E,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 3
*/
0x217E05,
"\x90\xE9",
2
},
{
/*
* PS5 PKG Installer Patch 3
*/
0x217EA2,
"\x90\xE9",
2
},
{
/*
* PS4 PKG Installer Patch 4
*/
0x48B3E7,
"\xEB",
1
},
{
/*
* PS5 PKG Installer Patch 4
*/
0x48B4FC,
"\xEB",
1
},
{
/*
* PKG Installer Patch
*/
0x48D350,
"\x48\x31\xC0\xC3",
4
}
};
#endif // SHELLCORE_PATCHES_2_70

30
Source Code/bootstrapper/Byepervisor/hen/include/shellcore_patches/common.h Normal file
View File

@@ -0,0 +1,30 @@
#ifndef COMMON_H
#define COMMON_H
struct patch
{
uint64_t offset;
const char data[0x100];
int size;
};
enum uio_rw { UIO_READ, UIO_WRITE };
/* Segment flag values. */
enum uio_seg {
UIO_USERSPACE, /* from user data space */
UIO_SYSSPACE, /* from system space */
UIO_NOCOPY /* don't copy, already in object */
};
struct uio {
struct iovec *uio_iov; /* scatter/gather list */
int uio_iovcnt; /* length of scatter/gather list */
off_t uio_offset; /* offset in target object */
ssize_t uio_resid; /* remaining bytes to process */
enum uio_seg uio_segflg; /* address space */
enum uio_rw uio_rw; /* operation */
void *uio_td; /* owner */
};
#endif // COMMON_H

23
Source Code/bootstrapper/Byepervisor/hen/include/util.h Normal file
View File

@@ -0,0 +1,23 @@
#pragma once
#ifndef UTIL_H
#define UTIL_H
#include <sys/types.h>
#define PAD_(t) (sizeof(register_t) <= sizeof(t) ? \
0 : sizeof(register_t) - sizeof(t))
uint64_t get_dmap_addr(uint64_t pa);
void *find_proc_by_name(const char *name);
void *get_proc_vmmap(void *proc);
void memcpy(void *dest, const void *src, size_t n);
size_t strlen(const char *str);
char *strstr(const char *str, const char *substring);
int strncmp(const char * s1, const char * s2, size_t n);
bool if_exists(const char * path);
extern void *curthread;
#endif // UTIL_H

83
Source Code/bootstrapper/Byepervisor/hen/link.x Normal file
View File

@@ -0,0 +1,83 @@
OUTPUT_FORMAT("elf64-x86-64")
OUTPUT_ARCH(i386:x86-64)
ENTRY(_start)
PHDRS
{
/*
* PF_X = 0x1
* PF_W = 0x2
* PF_R = 0x4
*/
ph_text PT_LOAD FLAGS (0x1 | 0x4);
ph_relro PT_LOAD FLAGS (0x4);
ph_data PT_LOAD FLAGS (0x2 | 0x4);
ph_dyn PT_DYNAMIC FLAGS(0x2 | 0x4);
}
SECTIONS
{
__payload_base = .;
.text :
{
KEEP (*(.init))
KEEP (*(.fini))
*(.text.prologue);
*(.text .text.*)
. = ALIGN(4);
} : ph_text = 0x90909090
.rodata :
{
*(.rodata .rodata.*)
}
.eh_frame :
{
*(.eh_frame.*)
}
. = ALIGN(0x4000);
.data.rel.ro :
{
*(.data.rel.ro .data.rel.ro.*)
} : ph_relro
.rela :
{
*(.rela *.rela.*)
. = ALIGN(4);
}
. = ALIGN(0x4000);
.data :
{
*(.data .data.*)
. = ALIGN(0x10);
__imports_start = .;
KEEP(*(.imports .imports.*))
__imports_end = .;
__patches_start = .;
KEEP(*(.patches .patches.*))
QUAD(0); BYTE(0); BYTE(0);
__patches_end = .;
__bss_start = .;
*(.bss .bss.*) *(COMMON)
__bss_end = .;
. = . + 4;
. = ALIGN(4);
} : ph_data
}

7
Source Code/bootstrapper/Byepervisor/hen/src/crt0.s Normal file
View File

@@ -0,0 +1,7 @@
.intel_syntax noprefix
.text
.section .text.prologue
.global _start
_start:
jmp kernel_main

54
Source Code/bootstrapper/Byepervisor/hen/src/fkeys.cpp Normal file
View File

@@ -0,0 +1,54 @@
/*
* Credit: sleirsgoevy
* https://github.com/sleirsgoevy/ps4jb-payloads/blob/87f31afca6afc573d953e8343113c179a416e1b0/ps5-kstuff/uelf/fakekeys.c
*/
#include <stdint.h>
#include "fkeys.h"
#include "util.h"
struct key_area shared_area = {};
int register_fake_key(const char key_data[32])
{
uint64_t mask, mask1;
mask = __atomic_load_n(&shared_area.bitmask, __ATOMIC_ACQUIRE);
do
{
mask1 = (mask | (mask + 1)) & ((1ull << 63) - 1);
if(mask1 == mask)
return -1;
}
while(!__atomic_compare_exchange_n(&shared_area.bitmask, &mask, mask1, 1, __ATOMIC_RELEASE, __ATOMIC_ACQUIRE));
int key_idx = 63 - __builtin_clzll(mask ^ mask1);
memcpy(shared_area.key_data[key_idx], key_data, 32);
return key_idx;
}
int unregister_fake_key(int key_id)
{
if(key_id < 0 || key_id >= 63)
return 0;
uint64_t mask, mask1;
mask = __atomic_load_n(&shared_area.bitmask, __ATOMIC_ACQUIRE);
do
{
if(!(mask & (1ull << key_id)))
return 0;
mask1 = mask & ~(1ull << key_id);
}
while(!__atomic_compare_exchange_n(&shared_area.bitmask, &mask, mask1, 1, __ATOMIC_RELEASE, __ATOMIC_ACQUIRE));
return 1;
}
int get_fake_key(int key_id, char key_data[32])
{
if(key_id < 0 || key_id >= 63)
return 0;
uint64_t mask = __atomic_load_n(&shared_area.bitmask, __ATOMIC_ACQUIRE);
if(!(mask & (1ull << key_id)))
return 0;
memcpy(key_data, shared_area.key_data[key_id], 32);
return 1;
}

557
Source Code/bootstrapper/Byepervisor/hen/src/fpkg.cpp Normal file
View File

@@ -0,0 +1,557 @@
#include <sys/types.h>
#include <sys/param.h>
#include "fkeys.h"
#include "fpkg.h"
#include "hook.h"
#include "kdlsym.h"
#include "util.h"
#define IDX_TO_HANDLE(x) (0x13374100 | ((uint8_t)((x)+1)))
#define HANDLE_TO_IDX(x) ((((x) & 0xffffff00) == 0x13374100 ? ((int)(uint8_t)(x)) : (int)0) - 1)
constexpr uint8_t rif_debug_key[] = {
0x96, 0xC2, 0x26, 0x8D, 0x69, 0x26, 0x1C, 0x8B, 0x1E, 0x3B, 0x6B, 0xFF, 0x2F, 0xE0, 0x4E, 0x12
};
const uint8_t g_ypkg_p[] =
{
0x2D, 0xE8, 0xB4, 0x65, 0xBE, 0x05, 0x78, 0x6A, 0x89, 0x31, 0xC9, 0x5A, 0x44, 0xDE, 0x50, 0xC1,
0xC7, 0xFD, 0x9D, 0x3E, 0x21, 0x42, 0x17, 0x40, 0x79, 0xF9, 0xC9, 0x41, 0xC1, 0xFC, 0xD7, 0x0F,
0x34, 0x76, 0xA3, 0xE2, 0xC0, 0x1B, 0x5A, 0x20, 0x0F, 0xAF, 0x2F, 0x52, 0xCD, 0x83, 0x34, 0x72,
0xAF, 0xB3, 0x12, 0x33, 0x21, 0x2C, 0x20, 0xB0, 0xC6, 0xA0, 0x2D, 0xB1, 0x59, 0xE3, 0xA7, 0xB0,
0x4E, 0x1C, 0x4C, 0x5B, 0x5F, 0x10, 0x9A, 0x50, 0x18, 0xCC, 0x86, 0x79, 0x25, 0xFF, 0x10, 0x02,
0x8F, 0x90, 0x03, 0xA9, 0x37, 0xBA, 0xF2, 0x1C, 0x13, 0xCC, 0x09, 0x45, 0x15, 0xB8, 0x55, 0x74,
0x0A, 0x28, 0x24, 0x04, 0xD1, 0x19, 0xAB, 0xB3, 0xCA, 0x44, 0xB6, 0xF8, 0x3D, 0xB1, 0x2A, 0x72,
0x88, 0x35, 0xE4, 0x86, 0x6B, 0x55, 0x47, 0x08, 0x25, 0x16, 0xAB, 0x69, 0x1D, 0xBF, 0xF6, 0xFE,
};
const uint8_t g_ypkg_q[] =
{
0x23, 0x80, 0x77, 0x84, 0x4D, 0x6F, 0x9B, 0x24, 0x51, 0xFE, 0x2A, 0x6B, 0x28, 0x80, 0xA1, 0x9E,
0xBD, 0x6D, 0x18, 0xCA, 0x8D, 0x7D, 0x9E, 0x79, 0x5A, 0xE0, 0xB8, 0xEB, 0xD1, 0x3D, 0xF3, 0xD9,
0x02, 0x90, 0x2A, 0xA7, 0xB5, 0x7E, 0x9A, 0xA2, 0xD7, 0x2F, 0x21, 0xA8, 0x50, 0x7D, 0x8C, 0xA1,
0x91, 0x2F, 0xBF, 0x97, 0xBE, 0x92, 0xC2, 0xC1, 0x0D, 0x8C, 0x0C, 0x1F, 0xDE, 0x31, 0x35, 0x15,
0x39, 0x90, 0xCC, 0x97, 0x47, 0x2E, 0x7F, 0x09, 0xE9, 0xC3, 0x9C, 0xCE, 0x91, 0xB2, 0xC8, 0x58,
0x76, 0xE8, 0x70, 0x1D, 0x72, 0x5F, 0x4A, 0xE6, 0xAA, 0x36, 0x22, 0x94, 0xC6, 0x52, 0x90, 0xB3,
0x9F, 0x9B, 0xF0, 0xEF, 0x57, 0x8E, 0x53, 0xC3, 0xE3, 0x30, 0xC9, 0xD7, 0xB0, 0x3A, 0x0C, 0x79,
0x1B, 0x97, 0xA8, 0xD4, 0x81, 0x22, 0xD2, 0xB0, 0x82, 0x62, 0x7D, 0x00, 0x58, 0x47, 0x9E, 0xC7,
};
const uint8_t g_ypkg_dmp1[] =
{
0x25, 0x54, 0xDB, 0xFD, 0x86, 0x45, 0x97, 0x9A, 0x1E, 0x17, 0xF0, 0xE3, 0xA5, 0x92, 0x0F, 0x12,
0x2A, 0x5C, 0x4C, 0xA6, 0xA5, 0xCF, 0x7F, 0xE8, 0x5B, 0xF3, 0x65, 0x1A, 0xC8, 0xCF, 0x9B, 0xB9,
0x2A, 0xC9, 0x90, 0x5D, 0xD4, 0x08, 0xCF, 0xF6, 0x03, 0x5A, 0x5A, 0xFC, 0x9E, 0xB6, 0xDB, 0x11,
0xED, 0xE2, 0x3D, 0x62, 0xC1, 0xFC, 0x88, 0x5D, 0x97, 0xAC, 0x31, 0x2D, 0xC3, 0x15, 0xAD, 0x70,
0x05, 0xBE, 0xA0, 0x5A, 0xE6, 0x34, 0x9C, 0x44, 0x78, 0x2B, 0xE5, 0xFE, 0x38, 0x56, 0xD4, 0x68,
0x83, 0x13, 0xA4, 0xE6, 0xFA, 0xD2, 0x9C, 0xAB, 0xAC, 0x89, 0x5F, 0x10, 0x8F, 0x75, 0x6F, 0x04,
0xBC, 0xAE, 0xB9, 0xBC, 0xB7, 0x1D, 0x42, 0xFA, 0x4E, 0x94, 0x1F, 0xB4, 0x0A, 0x27, 0x9C, 0x6B,
0xAB, 0xC7, 0xD2, 0xEB, 0x27, 0x42, 0x52, 0x29, 0x41, 0xC8, 0x25, 0x40, 0x54, 0xE0, 0x48, 0x6D,
};
const uint8_t g_ypkg_dmq1[] =
{
0x4D, 0x35, 0x67, 0x38, 0xBC, 0x90, 0x3E, 0x3B, 0xAA, 0x6C, 0xBC, 0xF2, 0xEB, 0x9E, 0x45, 0xD2,
0x09, 0x2F, 0xCA, 0x3A, 0x9C, 0x02, 0x36, 0xAD, 0x2E, 0xC1, 0xB1, 0xB2, 0x6D, 0x7C, 0x1F, 0x6B,
0xA1, 0x8F, 0x62, 0x20, 0x8C, 0xD6, 0x6C, 0x36, 0xD6, 0x5A, 0x54, 0x9E, 0x30, 0xA9, 0xA8, 0x25,
0x3D, 0x94, 0x12, 0x3E, 0x0D, 0x16, 0x1B, 0xF0, 0x86, 0x42, 0x72, 0xE0, 0xD6, 0x9C, 0x39, 0x68,
0xDB, 0x11, 0x80, 0x96, 0x18, 0x2B, 0x71, 0x41, 0x48, 0x78, 0xE8, 0x17, 0x8B, 0x7D, 0x00, 0x1F,
0x16, 0x68, 0xD2, 0x75, 0x97, 0xB5, 0xE0, 0xF2, 0x6D, 0x0C, 0x75, 0xAC, 0x16, 0xD9, 0xD5, 0xB1,
0xB5, 0x8B, 0xE8, 0xD0, 0xBF, 0xA7, 0x1F, 0x61, 0x5B, 0x08, 0xF8, 0x68, 0xE7, 0xF0, 0xD1, 0xBC,
0x39, 0x60, 0xBF, 0x55, 0x9C, 0x7C, 0x20, 0x30, 0xE8, 0x50, 0x28, 0x44, 0x02, 0xCE, 0x51, 0x2A,
};
const uint8_t g_ypkg_iqmp[] =
{
0xF5, 0x73, 0xB8, 0x7E, 0x5C, 0x98, 0x7C, 0x87, 0x67, 0xF1, 0xDA, 0xAE, 0xA0, 0xF9, 0x4B, 0xAB,
0x77, 0xD8, 0xCE, 0x64, 0x6A, 0xC1, 0x4F, 0xA6, 0x9B, 0xB9, 0xAA, 0xCC, 0x76, 0x09, 0xA4, 0x3F,
0xB9, 0xFA, 0xF5, 0x62, 0x84, 0x0A, 0xB8, 0x49, 0x02, 0xDF, 0x9E, 0xC4, 0x1A, 0x37, 0xD3, 0x56,
0x0D, 0xA4, 0x6E, 0x15, 0x07, 0x15, 0xA0, 0x8D, 0x97, 0x9D, 0x92, 0x20, 0x43, 0x52, 0xC3, 0xB2,
0xFD, 0xF7, 0xD3, 0xF3, 0x69, 0xA2, 0x28, 0x4F, 0x62, 0x6F, 0x80, 0x40, 0x5F, 0x3B, 0x80, 0x1E,
0x5E, 0x38, 0x0D, 0x8B, 0x56, 0xA8, 0x56, 0x58, 0xD8, 0xD9, 0x6F, 0xEA, 0x12, 0x2A, 0x40, 0x16,
0xC1, 0xED, 0x3D, 0x27, 0x16, 0xA0, 0x63, 0x97, 0x61, 0x39, 0x55, 0xCC, 0x8A, 0x05, 0xFA, 0x08,
0x28, 0xFD, 0x55, 0x56, 0x31, 0x94, 0x65, 0x05, 0xE7, 0xD3, 0x57, 0x6C, 0x0D, 0x1C, 0x67, 0x0B,
};
/* unused variable
const uint8_t g_FakeKeySeed[] =
{
0x46, 0x41, 0x4B, 0x45, 0x46, 0x41, 0x4B, 0x45, 0x46, 0x41, 0x4B, 0x45, 0x46, 0x41, 0x4B, 0x45,
};
*/
int npdrm_cmd_5_sceSblServiceMailbox(uint64_t handle, const NpDrmCmd5* input, NpDrmCmd5* output) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *in, void *out)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
//printf("npdrm_cmd_5_sceSblServiceMailbox pre call\n");
int res = sceSblServiceMailbox(handle, (void *) input, output);
if(output->res == 0x800F0A01) {
//printf("fixup npdrm cmd 5\n");
auto layout = reinterpret_cast<RifCmd5MemoryLayout*>(get_dmap_addr(input->rif_pa));
if(layout->rif.type == 2) {
layout->output.version = __builtin_bswap16(layout->rif.version);
layout->output.unk04 = __builtin_bswap16(layout->rif.unk06);
layout->output.psnid = __builtin_bswap64(layout->rif.psnid);
layout->output.startTimestamp = __builtin_bswap64(layout->rif.startTimestamp);
layout->output.endTimestamp = __builtin_bswap64(layout->rif.endTimestamp);
layout->output.extraFlags = __builtin_bswap64(layout->rif.extraFlags);
layout->output.type = __builtin_bswap16(layout->rif.type);
layout->output.contentType = __builtin_bswap16(layout->rif.contentType);
layout->output.skuFlag = __builtin_bswap16(layout->rif.skuFlag);
layout->output.unk34 = __builtin_bswap32(layout->rif.unk60);
layout->output.unk38 = __builtin_bswap32(layout->rif.unk64);
layout->output.unk3C = 0;
layout->output.unk40 = 0;
layout->output.unk44 = 0;
memcpy(layout->output.contentId, layout->rif.contentId, 0x30);
memcpy(layout->output.rifIv, layout->rif.rifIv, 0x10);
layout->output.unk88 = __builtin_bswap32(layout->rif.unk70);
layout->output.unk8C = __builtin_bswap32(layout->rif.unk74);
layout->output.unk90 = __builtin_bswap32(layout->rif.unk78);
layout->output.unk94 = __builtin_bswap32(layout->rif.unk7C);
memcpy(layout->output.unk98, layout->rif.unk80, 0x10);
if (layout->output.skuFlag == 2) {
layout->output.skuFlag = 1;
}
output->res = 0;
res = 0;
}
}
return res;
}
int npdrm_cmd_6_sceSblServiceMailbox(uint64_t handle, const NpDrmCmd6* input, NpDrmCmd6* output) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *in, void *out)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
auto bnet_crypto_aes_cbc_cfb128_decrypt = (void (*)(void *, void *, size_t, void *, size_t, void *)) kdlsym(KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT);
//printf("npdrm_cmd_6_sceSblServiceMailbox pre call\n");
int res = sceSblServiceMailbox(handle, (void *) input, output);
if(output->res == 0x800F0A01) {
//printf("fixup npdrm cmd\n");
auto va = reinterpret_cast<Rif*>(get_dmap_addr(input->rif_pa));
if(va->type == 0x2) {
bnet_crypto_aes_cbc_cfb128_decrypt(va->rifSecret, va->rifSecret, sizeof(va->rifSecret), (void *) rif_debug_key, 128, va->rifIv);
memcpy(output->unk10, &va->rifSecret[0x70], 0x10);
memcpy(output->unk20, &va->rifSecret[0x80], 0x10);
output->res = 0;
}
}
return res;
}
int RsaesPkcs1v15Dec2048CRT(RsaBuffer *output, RsaBuffer *input, RsaKey *key) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto M_TEMP = (void *) kdlsym(KERNEL_SYM_M_TEMP);
auto malloc = (void*(*)(unsigned long size, void* type, int flags)) kdlsym(KERNEL_SYM_MALLOC);
auto free = (void(*)(void* addr, void* type)) kdlsym(KERNEL_SYM_FREE);
auto fpu_kern_enter = (int (*)(void *td, void *ctx, int)) kdlsym(KERNEL_SYM_FPU_KERN_ENTER);
auto fpu_kern_leave = (int (*)(void *td, void *ctx)) kdlsym(KERNEL_SYM_FPU_KERN_LEAVE);
auto LoCACRYPTO_rsadpCRT_core = (int (*)(void *, void *, void *, size_t)) kdlsym(KERNEL_SYM_LACACRYPTO_RSADPCRT_CORE);
auto fpu_ctx = (void *) malloc(0x1000, M_TEMP, 0x102);
auto thr = curthread;
fpu_kern_enter(thr, fpu_ctx, 0);
uint8_t buffer[0x200];
int res = -1;
if(input->size != 0x100) {
fpu_kern_leave(thr, fpu_ctx);
free(fpu_ctx, M_TEMP);
return res;
}
for(int i = 0; i < 0x100; i++) {
buffer[0x80 + i] = input->ptr[0xFF - i];
}
if(LoCACRYPTO_rsadpCRT_core(&buffer[0x80], &buffer[0x80], key, 0x40) == -1) {
fpu_kern_leave(thr, fpu_ctx);
free(fpu_ctx, M_TEMP);
return res;
}
for(int i = 0; i < 0x20; i++) {
output->ptr[i] = buffer[0x9F - i];
}
fpu_kern_leave(thr, fpu_ctx);
free(fpu_ctx, M_TEMP);
return 0;
}
int aes_ecb_128_enc_one_block(char *key, char *data)
{
auto bnet_crypto_aes_cbc_cfb128_encrypt = (int (*)(void *, void *, size_t, void *, size_t, void *)) kdlsym(KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_ENCRYPT);
uint8_t iv[0x10] = {};
return bnet_crypto_aes_cbc_cfb128_encrypt(data, data, 0x10, key, 128, iv);
}
int aes_ecb_128_dec_one_block(char *key, char *data)
{
auto bnet_crypto_aes_cbc_cfb128_decrypt = (int (*)(void *, void *, size_t, void *, size_t, void *)) kdlsym(KERNEL_SYM_BNET_CRYPTO_AES_CBC_CFB128_DECRYPT);
uint8_t iv[0x10] = {};
return bnet_crypto_aes_cbc_cfb128_decrypt(data, data, 0x10, key, 128, iv);
}
void aes_xts_4096_dec(void *buffer, void *out, uint32_t num_sectors, uint32_t start_sector, const void *xts_data, const void *xts_tweak, int is_enc)
{
uint8_t *_buffer = (uint8_t*)buffer;
uint8_t *_out = (uint8_t*)out;
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
//printf("aes_xts_4096_dec: num_sectors = %d (start_sector = %d), is_enc = %d\n", num_sectors, start_sector, is_enc);
if (_buffer != _out)
memcpy(_out, _buffer, num_sectors * 0x1000);
for(uint32_t i = 0; i < num_sectors; i++) {
uint8_t tweak[0x10] = {};
*(uint64_t*)(&tweak[0x0]) = start_sector + i;
aes_ecb_128_enc_one_block((char *) xts_tweak, (char *) tweak);
for(int ii = 0; ii < 0x1000; ii+=0x10) {
for(int iii = 0; iii < 0x10; iii++) {
_out[i * 0x1000 + ii + iii] ^= tweak[iii];
}
if (!is_enc) {
aes_ecb_128_dec_one_block((char *) xts_data, (char *) &_out[i * 0x1000 + ii]);
} else {
aes_ecb_128_enc_one_block((char *) xts_data, (char *) &_out[i * 0x1000 + ii]);
}
for(int iii = 0; iii < 0x10; iii++) {
_out[i * 0x1000 + ii + iii] ^= tweak[iii];
}
uint8_t carry_out = 0;
for(int iii = 0; iii < 0x10; iii++) {
uint8_t tmp = tweak[iii];
tweak[iii] = 2* tweak[iii] | carry_out;
carry_out = (tmp & 0x80) >> 7;
}
if(carry_out != 0x0) {
tweak[0] ^= 0x87;
}
}
}
}
int verifySuperBlock_sceSblServiceMailbox(uint64_t handle, const PfsmgrCmd11* input, PfsmgrCmd11 *output)
{
int ret;
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *in, void *out)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
auto Sha256Hmac = (void (*)(void *hash, void *data, size_t data_sz, void *key, size_t key_size)) kdlsym(KERNEL_SYM_SHA256_HMAC);
//printf("sceSblPfsSetKeys verify superblock\n");
ret = sceSblServiceMailbox(handle, (void *) input, (void *) output);
if (ret != 0 || output->res != 0) {
//printf("verifySuperBlock_sceSblServiceMailbox: register fake keys\n");
auto tablePA = input->tablePa;
auto headerPA = input->headerPa;
auto header = (uint8_t *) get_dmap_addr(headerPA);
if (!tablePA || !headerPA) {
printf("verifySuperBlock_sceSblServiceMailbox: no tablePA or headerPA (0x%lx, 0x%lx)\n", tablePA, headerPA);
return ret;
}
auto table = (struct sbl_chunk_table_header *) get_dmap_addr(tablePA);
// printf("first pa: 0x%lx\n", table->first_pa);
// printf("data_size: 0x%lx\n", table->data_size);
// printf("used_entries: 0x%lx\n", table->used_entries);
// printf("unk18: 0x%lx\n", table->unk18);
// printf("entry[0] pa: 0x%lx\n", table->entries[0].pa);
// printf("entry[0] sz: 0x%lx\n", table->entries[0].size);
auto keyPA = table->entries[0].pa;
auto key = (uint8_t *) get_dmap_addr(keyPA);
if (!keyPA) {
printf("verifySuperBlock_sceSblServiceMailbox: no keyPA (0x%lx)\n", keyPA);
return ret;
}
if (table->data_size == 0x100) {
RsaBuffer rsaInput{};
rsaInput.ptr = key;
rsaInput.size = 0x100;
uint8_t ekpfs[0x20]{0};
RsaBuffer rsaOutput{};
rsaOutput.ptr = ekpfs;
rsaOutput.size = 0x20;
RsaKey rsaKey{};
rsaKey.p = g_ypkg_p;
rsaKey.q = g_ypkg_q;
rsaKey.dmp1 = g_ypkg_dmp1;
rsaKey.dmq1 = g_ypkg_dmq1;
rsaKey.iqmp = g_ypkg_iqmp;
RsaesPkcs1v15Dec2048CRT(&rsaOutput, &rsaInput, &rsaKey);
auto pfsSeed = &header[0x370];
uint8_t pfs_seed[0x14]{};
memcpy(&pfs_seed[0x4], pfsSeed, 0x10);
*(uint32_t*)(pfs_seed) = 0x1;
uint8_t xts_key[0x20]{};
Sha256Hmac(xts_key, pfs_seed, 0x14, ekpfs, 0x20);
*(uint32_t*)(pfs_seed) = 0x2;
uint8_t hmac_key[0x20]{};
Sha256Hmac(hmac_key, pfs_seed, 0x14, ekpfs, 0x20);
int key0 = register_fake_key((const char *) &xts_key);
int key1 = register_fake_key((const char *) &hmac_key);
output->keyHandle0 = IDX_TO_HANDLE(key0);
output->keyHandle1 = IDX_TO_HANDLE(key1);
//printf("verifySuperBlock_sceSblServiceMailbox: key0 = 0x%x (handle = 0x%x), key1 = 0x%x (handle = 0x%x)\n", key0, output->keyHandle0, key1, output->keyHandle1);
output->res = 0;
ret = 0;
}
}
return ret;
}
struct ccp_msg
{
uint64_t unk_00h;
uint64_t unk_08h;
uint64_t unk_10h;
uint64_t unk_18h;
uint64_t unk_20h;
uint64_t unk_28h;
uint64_t unk_30h;
uint64_t unk_38h;
uint64_t unk_40h;
uint64_t unk_48h;
uint64_t unk_50h;
uint64_t unk_58h;
uint64_t unk_60h;
uint64_t unk_68h;
uint64_t unk_70h;
uint64_t unk_78h;
uint64_t unk_80h;
uint64_t unk_88h;
uint64_t unk_90h;
uint64_t unk_98h;
uint64_t unk_A0h;
uint64_t unk_A8h;
uint64_t unk_B0h;
uint64_t unk_C0h;
uint64_t unk_C8h;
uint64_t unk_D0h;
uint64_t unk_D8h;
uint64_t unk_E0h;
uint64_t unk_E8h;
uint64_t unk_F0h;
uint64_t unk_F8h;
uint64_t unk_100h;
uint64_t unk_108h;
uint64_t unk_110h;
uint64_t unk_118h;
uint64_t unk_120h;
uint64_t unk_128h;
uint64_t unk_130h;
uint64_t unk_138h;
struct ccp_msg *next;
uint64_t unk_148h;
};
struct ccp_common
{
uint32_t cmd; // 0x00
uint32_t status; // 0x10
};
struct ccp_hmac
{
struct ccp_common common; // 0x00
uint64_t data_size; // 0x08
void *data; // 0x10
uint64_t data_size_bits; // 0x18
union { // 0x20
uint16_t keygen_index;
uint8_t hash[0x20];
};
char unk_40h[0x60]; // 0x40
union { // 0xA0
uint32_t key_index;
uint8_t key[0x40];
};
char unk_E0h[0x50]; // 0xE0
uint64_t key_size; // 0x130
};
struct ccp_xts
{
struct ccp_common common; // 0x00
uint32_t num_sectors; // 0x08
void *in_data; // 0x10
void *out_data; // 0x18
uint64_t start_sector; // 0x20
union { // 0x28
uint32_t key_index;
uint8_t key[0x20];
};
};
struct ccp_req {
struct ccp_msg* tqh_first;
struct ccp_msg** tqh_last;
void(*cb)(void*, int);
void* args;
uint64_t mid;
void* le_next;
void** le_prev;
};
int dump_hmac_output = 0;
int dump_xts_output = 0;
void hex_dump(const char *name, uint8_t *buf, int len)
{
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
printf("%s hexdump (0x%x bytes)\n", name, len);
for (int i = 0; i < len; i += 0x10) {
printf("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
buf[i + 0x00], buf[i + 0x01], buf[i + 0x02], buf[i + 0x03],
buf[i + 0x04], buf[i + 0x05], buf[i + 0x06], buf[i + 0x07],
buf[i + 0x08], buf[i + 0x09], buf[i + 0x0A], buf[i + 0x0B],
buf[i + 0x0C], buf[i + 0x0D], buf[i + 0x0E], buf[i + 0x0F]);
}
}
int sceSblServiceCryptAsync_hook(void* async_req) {
struct ccp_common* msg;
struct ccp_common* next;
int idx = -1;
msg = (struct ccp_common*)(*(uint64_t*)(async_req));
auto sceSblServiceCryptAsync = (int (*)(void* req)) kdlsym(KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC);
while (msg) {
next = (struct ccp_common*)(*(uint64_t*)((uint64_t)(msg)+0x140));
if ((msg->cmd & 0x7FFFFFFF) == 0x9132000) {
// SHA256 HMAC with key handle
struct ccp_hmac* hmac_msg = (struct ccp_hmac*)msg;
idx = HANDLE_TO_IDX(hmac_msg->key_index);
if (idx >= 0) {
char hmac_key[0x20];
get_fake_key(idx, (char*)&hmac_key);
memcpy(hmac_msg->key, hmac_key, 0x20);
msg->cmd &= ~0x100000; // key handle
msg->cmd &= ~0x80000000; // a53
}
}
else if ((msg->cmd & 0x7FFFF7FF) == 0x2108000) {
// AES-XTS with key handle
struct ccp_xts* xts_msg = (struct ccp_xts*)msg;
idx = HANDLE_TO_IDX(xts_msg->key_index);
if (idx >= 0) {
char xts_key[0x20];
get_fake_key(idx, (char*)&xts_key);
memcpy(xts_msg->key, xts_key + 0x10, 0x10);
memcpy(xts_msg->key + 0x10, xts_key, 0x10);
msg->cmd &= ~0x100000; // key handle
msg->cmd &= ~0x80000000; // a53
}
}
msg = next;
}
return sceSblServiceCryptAsync(async_req);
}
int sceSblPfsClearKey_sceSblServiceMailbox(uint64_t handle, const ClearKey* input, ClearKey* output)
{
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *in, void *out)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
uint32_t key = 0;
//printf("sceSblPfsClearKey_sceSblServiceMailbox\n");
key = HANDLE_TO_IDX(input->keyHandle);
if (key < 0)
return sceSblServiceMailbox(handle, (void *) input, output);
//printf("sceSblPfsClearKey_sceSblServiceMailbox: key idx = 0x%x, clearing\n", key);
unregister_fake_key(key);
output->keyHandle = 0;
output->res = 0;
return 0;
}
int check_dir_depth(long zone, const char *path, int unk)
{
// auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
// printf("[HEN][HOOK] check_dir_depth(\"%s\"), returning 0\n", path);
return 0;
}
void apply_fpkg_hooks()
{
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
printf("[HEN] [FPKG] npdrm_ioctl(cmd=5) -> sceSblServiceMailbox()\n");
install_hook(HOOK_FPKG_NPDRM_IOCTL_CMD_5_CALL_SCE_SBL_SERVICE_MAILBOX, (void *) &npdrm_cmd_5_sceSblServiceMailbox);
printf("[HEN] [FPKG] npdrm_ioctl(cmd=6) -> sceSblServiceMailbox()\n");
install_hook(HOOK_FPKG_NPDRM_IOCTL_CMD_6_CALL_SCE_SBL_SERVICE_MAILBOX, (void *) &npdrm_cmd_6_sceSblServiceMailbox);
printf("[HEN] [FPKG] sceSblPfsVerifySuperBlock() -> sceSblServiceMailbox()\n");
install_hook(HOOK_FPKG_PFS_VERIFY_SUPER_BLOCK_CALL_SCE_SBL_SERVICE_MAILBOX, (void *) &verifySuperBlock_sceSblServiceMailbox);
printf("[HEN] [FPKG] sceSblPfsClearKey() -> sceSblServiceMailbox() 1\n");
install_hook(HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_1_CALL_SCE_SBL_SERVICE_MAILBOX, (void *) &sceSblPfsClearKey_sceSblServiceMailbox);
printf("[HEN] [FPKG] sceSblPfsClearKey() -> sceSblServiceMailbox() 2\n");
install_hook(HOOK_FPKG_SCE_SBL_PFS_CLEAR_KEY_2_CALL_SCE_SBL_SERVICE_MAILBOX, (void *) &sceSblPfsClearKey_sceSblServiceMailbox);
printf("[HEN] [FPKG] check_dir_depth() -> return 0\n");
install_hook(HOOK_CHECK_DIR_DEPTH, (void *) &check_dir_depth);
// Install hook on all calls to sceSblServiceCryptAsync()
printf("[HEN] [FPKG] installing hooks to sceSblServiceCryptAsync() [0x%lx, 0x%lx]\n", ktext(0), kdlsym(KERNEL_SYM_TEXT_END));
for (uint64_t scan_ptr = ktext(0); scan_ptr < kdlsym(KERNEL_SYM_TEXT_END); scan_ptr++) {
uint8_t *scan = (uint8_t *) scan_ptr;
int32_t target_rel32;
int32_t rel32;
if (scan[0] == 0xE8) {
target_rel32 = (int32_t) ((uint64_t) (kdlsym(KERNEL_SYM_SCE_SBL_SERVICE_CRYPT_ASYNC)) - scan_ptr) - 5;
rel32 = *(int32_t *) (scan + 1);
if (rel32 == target_rel32) {
install_raw_hook(scan_ptr, (void *) &sceSblServiceCryptAsync_hook);
}
}
}
printf("[HEN] [FPKG] done\n");
}

279
Source Code/bootstrapper/Byepervisor/hen/src/fself.cpp Normal file
View File

@@ -0,0 +1,279 @@
#include "fself.h"
#include "hook.h"
#include "kdlsym.h"
#include "util.h"
extern "C" {
#include <sys/types.h>
#include <sys/param.h>
}
constexpr uint8_t orbisExecAuthInfo[] {
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x80, 0x03, 0x00, 0x20,
0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x40, 0x00, 0x40,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
0x00, 0x40, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
constexpr uint8_t orbisPrxAuthInfo[] {
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x30, 0x00, 0x30,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
0x00, 0x40, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
extern "C" {
static volatile int enableHook1 = 1;
static volatile int enableHook2 = 1;
static volatile int enableHook3 = 1;
static volatile int enableHook4 = 1;
static volatile int enableHook5 = 1;
static volatile int enableHook6 = 1;
}
struct mtx {
uint8_t dontcare[0x18];
volatile uintptr_t mtx_lock;
};
SelfContext* getSelfContextByServiceId(uint32_t serviceId) {
auto ctxTable = (SelfContext *) kdlsym(KERNEL_SYM_CTXTABLE);
auto ctxStatus = (int*) kdlsym(KERNEL_SYM_CTXSTATUS);
auto ctxTableMtx = (mtx*) kdlsym(KERNEL_SYM_CTXTABLE_MTX);
auto __mtx_lock_flags = (void(*)(volatile uintptr_t*, int, const char*, int)) kdlsym(KERNEL_SYM_MTX_LOCK_FLAGS);
auto __mtx_unlock_flags = (void(*)(volatile uintptr_t*, int, const char*, int)) kdlsym(KERNEL_SYM_MTX_UNLOCK_FLAGS);
__mtx_lock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0);
for(int i = 0; i < 4; i++) {
if(ctxStatus[i] != 3 && ctxStatus[i] != 4) { continue; }
auto ctx = &ctxTable[i];
if(ctx->unk1C == serviceId) {
__mtx_unlock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0);
return ctx;
}
}
__mtx_unlock_flags(&ctxTableMtx->mtx_lock, 0, nullptr, 0);
return nullptr;
}
bool isFakeSelf(SelfContext* ctx) {
if(ctx) {
if(ctx->format == SelfFormat::ELF) {
return true;
}
return ctx->selfHeader && ctx->selfHeader->program_type == 0x1;
}
return false;
}
int sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook(SelfContext* ctx, SelfAuthInfo* parentAuth, int pathid, SelfAuthInfo* selfAuth) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto _sceSblAuthMgrCheckSelfIsLoadable = (int (*)(SelfContext *ctx, SelfAuthInfo *parentAuthInfo, int pathId, SelfAuthInfo *selfAuthInfo)) kdlsym(KERNEL_SYM_SCESBLAUTHMGRISLOADABLE2);
// printf("sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook: 0x%016lX 0x%016lX 0x%016lX 0x%016lX\n", ctx, parentAuth, pathid, selfAuth);
if(enableHook1 && ctx && parentAuth && selfAuth && isFakeSelf(ctx)) {
uint32_t type;
if(ctx->format == SelfFormat::ELF) {
auto hdr = ctx->elfHeader;
type = hdr->e_type;
//printf("sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook: is Fake ELF %i\n", type);
}
else {
auto info = reinterpret_cast<SelfFakeAuthInfo*>(reinterpret_cast<uint8_t*>(ctx->selfHeader) + ctx->selfHeader->header_size + ctx->selfHeader->metadata_size - 0x100);
if(info->size == sizeof(SelfAuthInfo)) {
//printf("sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook: is Fake SELF with own auth info\n");
memcpy(selfAuth, &info->info, sizeof(SelfAuthInfo));
return 0;
}
auto hdr = reinterpret_cast<ElfHeader*>(ctx->selfHeader + (ctx->selfHeader->entry_num + 1));
type = hdr->e_type;
//printf("sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook: is Fake SELF %i\n", type);
}
switch (type) {
case ET_EXEC:
case ET_SCE_EXEC:
case ET_SCE_DYNEXEC: {
//printf("sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook: is EXEC AUTH\n");
memcpy(selfAuth, orbisExecAuthInfo, sizeof(SelfAuthInfo));
break;
}
case ET_SCE_DYNAMIC: {
//printf("sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook: is PRX AUTH\n");
memcpy(selfAuth, orbisPrxAuthInfo, sizeof(SelfAuthInfo));
break;
}
}
return 0;
}
return _sceSblAuthMgrCheckSelfIsLoadable(ctx, parentAuth, pathid, selfAuth);
}
//condtionally check them
int _sceSblAuthMgrVerifySelfHeader_hook(SelfContext* ctx) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto M_TEMP = (void *) kdlsym(KERNEL_SYM_M_TEMP);
auto malloc = (void*(*)(unsigned long size, void* type, int flags)) kdlsym(KERNEL_SYM_MALLOC);
auto free = (void(*)(void* addr, void* type)) kdlsym(KERNEL_SYM_FREE);
auto mini_syscore = (SelfHeader *) kdlsym(KERNEL_SYM_MINI_SYSCORE_BIN);
auto _sceSblAuthMgrVerifySelfHeader = (int(*)(SelfContext *context)) kdlsym(KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER);
//printf("_sceSblAuthMgrVerifySelfHeader_hook: 0x%016lX\n", ctx);
if(!ctx) {
return -1;
}
if(!enableHook2 || !isFakeSelf(ctx)) {
return _sceSblAuthMgrVerifySelfHeader(ctx);
}
//printf("_sceSblAuthMgrVerifySelfHeader_hook: fake self\n");
auto backup = malloc(0x1000, M_TEMP, 0x102);
auto ogSize = ctx->headerSize;
auto ogFormat = ctx->format;
auto newSize = mini_syscore->header_size + mini_syscore->metadata_size;
//printf("_sceSblAuthMgrVerifySelfHeader_hook: memcpy: %lx\n", ogSize);
memcpy(backup, ctx->selfHeader, ogSize);
//printf("_sceSblAuthMgrVerifySelfHeader_hook: memcpy2: %lx\n", newSize);
memcpy(ctx->selfHeader, mini_syscore, newSize);
ctx->headerSize = newSize;
ctx->format = SelfFormat::SELF;
////printf("_sceSblAuthMgrVerifySelfHeader_hook: before _sceSblAuthMgrVerifySelfHeader\n");
auto res = _sceSblAuthMgrVerifySelfHeader(ctx);
////printf("_sceSblAuthMgrVerifySelfHeader_hook: _sceSblAuthMgrVerifySelfHeader %i\n", res);
ctx->format = ogFormat;
ctx->headerSize = ogSize;
////printf("_sceSblAuthMgrVerifySelfHeader_hook: memcpy3: %lx\n", ogSize);
memcpy(ctx->selfHeader, backup, ogSize);
free(backup, M_TEMP);
return res;
}
int _sceSblAuthMgrSmLoadSelfSegment_sceSblServiceMailbox(uint64_t handle, MailboxLoadSelfSegmentMessage* input, MailboxLoadSelfSegmentMessage* output) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *input, void *output)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
//printf("_sceSblAuthMgrSmLoadSelfSegment_sceSblServiceMailbox: 0x%016lX 0x%016lX 0x%016lX\n", handle, input, output);
//hexdump(input, 0x80, NULL, 0x0);
if(enableHook3 && input && output) {
auto ctx = getSelfContextByServiceId(input->serviceId);
if(ctx && isFakeSelf(ctx)) {
//printf("_sceSblAuthMgrSmLoadSelfSegment_sceSblServiceMailbox: fake self ctx: %016lX\n", ctx);
output->res = 0;
return 0;
}
}
return sceSblServiceMailbox(handle, input, output);
}
int _sceSblAuthMgrSmLoadSelfBlock_sceSblServiceMailbox(uint64_t handle, MailboxLoadSelfBlockMessage* input, MailboxLoadSelfBlockMessage* output) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *input, void *output)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
//printf("_sceSblAuthMgrSmLoadSelfBlock_sceSblServiceMailbox: ctx: %016lX input: %016lX output: %016lX\n", handle, input, output);
//hexdump(input, 0x80, NULL, 0x0);
if(enableHook4 && input && output) {
auto ctx = getSelfContextByServiceId(input->serviceId);
if(ctx && isFakeSelf(ctx)) {
//printf("_sceSblAuthMgrSmLoadSelfBlock_sceSblServiceMailbox: fake self ctx: %016lX\n", ctx);
auto destBlock = get_dmap_addr(input->unk08);
auto srcBlock = get_dmap_addr(input->unk10);
auto lenBlock = input->unk30;
//printf("_sceSblAuthMgrSmLoadSelfBlock_sceSblServiceMailbox: d %016lX s %016lX l %016lX\n", destBlock, srcBlock, lenBlock);
memcpy((void *) destBlock, (const void *) srcBlock, lenBlock);
output->res = 0;
return 0;
}
}
return sceSblServiceMailbox(handle, input, output);
}
int _sceSblAuthMgrSmLoadMultipleSelfBlocks_sceSblServiceMailbox(uint64_t handle, MailboxLoadMultipleSelfBlocksMessage* input, MailboxLoadMultipleSelfBlocksMessage* output) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblServiceMailbox = (int (*)(uint64_t handle, void *input, void *output)) kdlsym(KERNEL_SYM_SCESBLSERVICEMAILBOX);
//printf("_sceSblAuthMgrSmLoadMultipleSelfBlocks_sceSblServiceMailbox: 0x%016lX 0x%016lX 0x%016lX\n", handle, input, output);
//hexdump(input, 0x80, NULL, 0x0);
if(enableHook5 && input && output) {
auto ctx = getSelfContextByServiceId(input->serviceId);
if(ctx && isFakeSelf(ctx)) {
//printf("_sceSblAuthMgrSmLoadMultipleSelfBlocks_sceSblServiceMailbox: fake self ctx: %016lX\n", ctx);
auto inputPa = (uint64_t*)get_dmap_addr(input->unk08);
auto outputPa = (uint64_t*)get_dmap_addr(input->unk10);
for(int i = 0; i < 8; i++) {
auto sPa = inputPa[i];
auto dPa = outputPa[i];
if(!sPa || !dPa) {continue;}
auto src = get_dmap_addr(sPa);
auto dst = get_dmap_addr(dPa);
//printf("_sceSblAuthMgrSmLoadMultipleSelfBlocks %016X -> %016X\n", src, dst);
memcpy((void *) dst, (const void *) src, 0x4000);
}
output->res = 0;
return 0;
}
}
return sceSblServiceMailbox(handle, input, output);
}
int sceSblACMgrGetPathId_hook(const char* path) {
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto sceSblACMgrGetPathId = (int(*)(const char *path)) kdlsym(KERNEL_SYM_SCESBLACMGRGETPATHID);
//printf("sceSblACMgrGetPathId_hook: %s\n", path);
if(enableHook6) {
constexpr const char *selfDir = "/data/self";
constexpr const char *hostappDir = "/hostapp";
if (strstr(path, selfDir) == path) {
path = path + strlen(selfDir);
//printf("sceSblACMgrGetPathId_hook: new path %s\n", path);
} else if (strstr(path, hostappDir) == path) {
path = path + strlen(hostappDir);
//printf("sceSblACMgrGetPathId_hook: new path %s\n", path);
}
}
return sceSblACMgrGetPathId(path);
}
void apply_fself_hooks()
{
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto _sceSblAuthMgrVerifySelfHeader = (int(*)(SelfContext *context)) kdlsym(KERNEL_SYM_SCESBLAUTHMGRVERIFYHEADER);
//printf("[HEN] [FSELF] sceSblAuthMgrIsLoadable() -> sceSblAuthMgrCheckSelfIsLoadable()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_IS_LOADABLE, (void *) &sceSblAuthMgrIsLoadable__sceSblAuthMgrCheckSelfIsLoadable_hook);
//printf("[HEN] [FSELF] sceSblAuthMgrAuthHeader() -> sceSblAuthMgrVerifySelfHeader()()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_AUTH_HEADER, (void *) &_sceSblAuthMgrVerifySelfHeader_hook);
//printf("[HEN] [FSELF] resumeAuthMgr() -> sceSblAuthMgrVerifySelfHeader()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_RESUME, (void *) &_sceSblAuthMgrVerifySelfHeader);
//printf("[HEN] [FSELF] sceSblAuthMgrLoadSelfSegment() -> sceSblServiceMailbox()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_SEGMENT, (void *) &_sceSblAuthMgrSmLoadSelfSegment_sceSblServiceMailbox);
//printf("[HEN] [FSELF] sceSblAuthMgrLoadSelfBlock() -> sceSblServiceMailbox()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_SELF_BLOCK, (void *) &_sceSblAuthMgrSmLoadSelfBlock_sceSblServiceMailbox);
//printf("[HEN] [FSELF] sceSblAuthMgrLoadMultipleSelfBlocks() -> sceSblServiceMailbox()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_LOAD_MULTIPLE_SELF_BLOCKS, (void *) &_sceSblAuthMgrSmLoadMultipleSelfBlocks_sceSblServiceMailbox);
//printf("[HEN] [FSELF] sceSblAuthMgrIsLoadable() -> sceSblACMgrGetPathId()\n");
install_hook(HOOK_FSELF_SCE_SBL_AUTHMGR_IS_LOADABLE_CALL_GET_PATHID, (void *) &sceSblACMgrGetPathId_hook);
}

208
Source Code/bootstrapper/Byepervisor/hen/src/hook.cpp Normal file
View File

@@ -0,0 +1,208 @@
#include <errno.h>
#include <stdint.h>
#include <sys/types.h>
#include "hook.h"
#include "kdlsym.h"
#include "hooks/1_00.h"
#include "hooks/1_01.h"
#include "hooks/1_02.h"
#include "hooks/1_05.h"
#include "hooks/1_10.h"
#include "hooks/1_11.h"
#include "hooks/1_12.h"
#include "hooks/1_13.h"
#include "hooks/1_14.h"
#include "hooks/2_00.h"
#include "hooks/2_20.h"
#include "hooks/2_25.h"
#include "hooks/2_26.h"
#include "hooks/2_30.h"
#include "hooks/2_50.h"
struct hook *find_hook(hook_id id)
{
uint64_t fw_ver;
struct hook *hooks;
struct hook *cur_hook;
int num_hooks;
fw_ver = get_fw_version();
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
switch (fw_ver) {
case 0x1000000:
hooks = (struct hook *) &g_kernel_hooks_100;
num_hooks = sizeof(g_kernel_hooks_100) / sizeof(struct hook);
break;
case 0x1010000:
case 0x1020000:
hooks = (struct hook *) &g_kernel_hooks_102;
num_hooks = sizeof(g_kernel_hooks_102) / sizeof(struct hook);
break;
case 0x1050000:
hooks = (struct hook *) &g_kernel_hooks_105;
num_hooks = sizeof(g_kernel_hooks_105) / sizeof(struct hook);
break;
case 0x1100000:
hooks = (struct hook *) &g_kernel_hooks_110;
num_hooks = sizeof(g_kernel_hooks_110) / sizeof(struct hook);
break;
case 0x1110000:
hooks = (struct hook *) &g_kernel_hooks_111;
num_hooks = sizeof(g_kernel_hooks_111) / sizeof(struct hook);
break;
case 0x1120000:
hooks = (struct hook *) &g_kernel_hooks_112;
num_hooks = sizeof(g_kernel_hooks_112) / sizeof(struct hook);
break;
case 0x1130000:
hooks = (struct hook *) &g_kernel_hooks_113;
num_hooks = sizeof(g_kernel_hooks_113) / sizeof(struct hook);
break;
case 0x1140000:
hooks = (struct hook *) &g_kernel_hooks_114;
num_hooks = sizeof(g_kernel_hooks_114) / sizeof(struct hook);
break;
case 0x2000000:
hooks = (struct hook *) &g_kernel_hooks_200;
num_hooks = sizeof(g_kernel_hooks_200) / sizeof(struct hook);
break;
case 0x2200000:
hooks = (struct hook *) &g_kernel_hooks_220;
num_hooks = sizeof(g_kernel_hooks_220) / sizeof(struct hook);
break;
case 0x2250000:
hooks = (struct hook *) &g_kernel_hooks_225;
num_hooks = sizeof(g_kernel_hooks_225) / sizeof(struct hook);
break;
case 0x2260000:
hooks = (struct hook *) &g_kernel_hooks_226;
num_hooks = sizeof(g_kernel_hooks_226) / sizeof(struct hook);
break;
case 0x2300000:
hooks = (struct hook *) &g_kernel_hooks_230;
num_hooks = sizeof(g_kernel_hooks_230) / sizeof(struct hook);
break;
case 0x2500000:
case 0x2700000:
hooks = (struct hook *) &g_kernel_hooks_250;
num_hooks = sizeof(g_kernel_hooks_250) / sizeof(struct hook);
break;
default:
return 0;
}
printf("find_hook: num_hooks = %d\n", num_hooks);
for (int i = 0; i < num_hooks; i++) {
cur_hook = &hooks[i];
printf("hook_func_call: hook->id = %d\n", cur_hook->id);
if (cur_hook->id == id) {
return cur_hook;
}
}
return 0;
}
int install_raw_hook(uint64_t call_addr, void *func)
{
uint64_t call_install;
int32_t call_rel32;
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
printf("install_raw_hook: call_addr = 0x%llx, func = %p\n", call_addr, func);
// Calculate rel32
call_rel32 = (int32_t) ((uint64_t) (func) - call_addr) - 5; // Subtract 5 for call opcodes
printf("install_raw_hook: call_rel32=0x%x\n", call_rel32);
// Install hook
printf("hook_func_call: installing hook to 0x%lx (rel32=0x%x)\n", call_addr, call_rel32);
call_install = call_addr + 1;
*(uint32_t *) (call_install) = call_rel32;
return 0;
}
int install_hook(hook_id id, void *func)
{
struct hook *hook_info;
uint64_t call_addr;
uint64_t call_install;
int32_t call_rel32;
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
printf("hook_func_call: hook id = %d\n", id);
// Find info for this hook
hook_info = find_hook(id);
if (hook_info == 0)
return -ENOENT;
printf("hook_func_call: found hook\n");
// Calculate rel32
call_addr = ktext(hook_info->call_offset);
call_rel32 = (int32_t) ((uint64_t) (func) - call_addr) - 5; // Subtract 5 for call opcodes
printf("hook_func_call: call_addr=0x%llx (call_rel32=0x%x)\n", call_addr, call_rel32);
// Install hook
printf("hook_func_call: installing hook to 0x%lx (rel32=0x%x)\n", call_addr, call_rel32);
call_install = call_addr + 1;
*(uint32_t *) (call_install) = call_rel32;
return 0;
}
void reset_hook(hook_id id)
{
struct hook *hook_info;
uint64_t call_addr;
uint64_t call_install;
int32_t call_rel32;
void *func;
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
printf("reset_hook: hook id = %d\n", id);
// Find info for this hook
hook_info = find_hook(id);
if (hook_info == 0)
return;
printf("reset_hook: found hook\n");
// Calculate rel32
func = (void *) ktext(hook_info->orig_func_offset);
call_addr = ktext(hook_info->call_offset);
call_rel32 = (int32_t) ((uint64_t) (func) - call_addr) - 5; // Subtract 5 for call opcodes
printf("reset_hook: call_addr=0x%llx (call_rel32=0x%x)\n", call_addr, call_rel32);
printf("reset_hook: orig func_offset=0x%llx, call_addr=0=%llx\n", hook_info->orig_func_offset, hook_info->call_offset);
// Install hook
printf("reset_hook: installing hook to 0x%lx (rel32=0x%x)\n", call_addr, call_rel32);
call_install = call_addr + 1;
*(uint32_t *) (call_install) = call_rel32;
}
int hook_is_development_mode()
{
return 0xc001;
}
int apply_test_hook()
{
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
printf("sys_is_development_mode() -> isDevelopmentMode()\n");
return install_hook(HOOK_TEST_SYS_IS_DEVELOPMENT_MODE, (void *) &hook_is_development_mode);
}

87
Source Code/bootstrapper/Byepervisor/hen/src/kdlsym.cpp Normal file
View File

@@ -0,0 +1,87 @@
#include <stdint.h>
#include "kdlsym.h"
#include "offsets/1_00.h"
#include "offsets/1_01.h"
#include "offsets/1_02.h"
#include "offsets/1_05.h"
#include "offsets/1_10.h"
#include "offsets/1_11.h"
#include "offsets/1_12.h"
#include "offsets/1_13.h"
#include "offsets/1_14.h"
#include "offsets/2_00.h"
#include "offsets/2_20.h"
#include "offsets/2_25.h"
#include "offsets/2_26.h"
#include "offsets/2_30.h"
#include "offsets/2_50.h"
uint64_t g_fw_version;
uint64_t g_kernel_base = 0;
void init_kdlsym(uint64_t fw_ver, uint64_t kernel_base)
{
g_fw_version = fw_ver;
g_kernel_base = kernel_base;
}
uint64_t get_fw_version()
{
return g_fw_version;
}
uint64_t ktext(uint64_t offset)
{
if (g_kernel_base == 0)
return 0;
return g_kernel_base + offset;
}
uint64_t kdlsym(ksym_t sym)
{
if (g_kernel_base == 0)
return 0;
// Don't overflow sym table
if (sym >= KERNEL_SYM_MAX)
return 0;
switch (g_fw_version) {
case 0x1000000:
return g_kernel_base + g_sym_map_100[sym];
case 0x1010000:
return g_kernel_base + g_sym_map_101[sym];
case 0x1020000:
return g_kernel_base + g_sym_map_102[sym];
case 0x1050000:
return g_kernel_base + g_sym_map_105[sym];
case 0x1100000:
return g_kernel_base + g_sym_map_110[sym];
case 0x1110000:
return g_kernel_base + g_sym_map_111[sym];
case 0x1120000:
return g_kernel_base + g_sym_map_112[sym];
case 0x1130000:
return g_kernel_base + g_sym_map_113[sym];
case 0x1140000:
return g_kernel_base + g_sym_map_114[sym];
case 0x2000000:
return g_kernel_base + g_sym_map_200[sym];
case 0x2200000:
return g_kernel_base + g_sym_map_220[sym];
case 0x2250000:
return g_kernel_base + g_sym_map_225[sym];
case 0x2260000:
return g_kernel_base + g_sym_map_226[sym];
case 0x2300000:
return g_kernel_base + g_sym_map_230[sym];
case 0x2500000:
case 0x2700000:
return g_kernel_base + g_sym_map_250[sym];
}
return 0;
}

60
Source Code/bootstrapper/Byepervisor/hen/src/main.cpp Normal file
View File

@@ -0,0 +1,60 @@
#include <climits>
#include <stdint.h>
#include "fpkg.h"
#include "fself.h"
#include "hook.h"
#include "kdlsym.h"
#include "patch_shellcore.h"
#include "util.h"
struct args
{
uint64_t fptr;
uint64_t fw;
uint64_t kernel_base;
};
extern "C" {
int kernel_main(void *td, struct args *args);
}
/**
* @brief The kernel sysent entrypoint
*
* @param td struct thread* The calling thread
* @param args struct args* Syscall arguments
* @return int 0 on success, error otherwise
*/
int kernel_main(void *td, struct args *args)
{
int ret = -1;
curthread = td;
init_kdlsym(args->fw, args->kernel_base);
// kdlsym assignments
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
// Reset hooks before installing new ones
printf("[HEN] Resetting hooks\n");
for (int i = 0; i < HOOK_MAX; i++) {
reset_hook((hook_id) i);
}
// Install new hooks
printf("[HEN] Applying test hook\n");
ret = apply_test_hook();
if (ret != 0) {
printf("[HEN] Failed to apply test hook\n");
return -1;
}
printf("[HEN] Applying fself hooks\n");
apply_fself_hooks();
printf("[HEN] Applying fpkg hooks\n");
apply_fpkg_hooks();
return 0;
}

248
Source Code/bootstrapper/Byepervisor/hen/src/patch_shellcore.cpp Normal file
View File

@@ -0,0 +1,248 @@
#include <sys/types.h>
#include <sys/param.h>
#include <sys/uio.h>
#include "kdlsym.h"
#include "util.h"
#include "patch_shellcore.h"
#include "proc.h"
#include "shellcore_patches/1_00.h"
#include "shellcore_patches/1_02.h"
#include "shellcore_patches/1_12.h"
#include "shellcore_patches/1_14.h"
#include "shellcore_patches/2_00.h"
#include "shellcore_patches/2_20.h"
#include "shellcore_patches/2_25.h"
#include "shellcore_patches/2_26.h"
#include "shellcore_patches/2_30.h"
#include "shellcore_patches/2_50.h"
#include "shellcore_patches/2_70.h"
/**
* @brief Implementation of read/write memory for a process (from kernel)
*
* @param p struct proc* Process to read/write to/from
* @param procAddr off_t Address to read/write to/from
* @param sz size_t Size to read/write
* @param kAddr void* Kernel buffer
* @param ioSz size_t io size
* @param write int32_t 1 for write, 0 for read
* @return int 0 on success, error otherwise
*/
int proc_rw_mem(void *p, off_t procAddr, size_t sz, void *kAddr, size_t *ioSz, int write)
{
// Assign kdlsym
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto debug_rwmem = (int (*)(void *proc, struct uio *uio)) kdlsym(KERNEL_SYM_RW_MEM);
// Debug logging
// printf("proc_rw_mem(%p, 0x%lx, %lx, %p, %p, %d)\n", p, procAddr, sz, kAddr, ioSz, write);
// Validate process
if (!p) {
printf("no proc\n");
return -1;
}
// Validate process address, and kernel address
if (!procAddr || !kAddr) {
printf("no addrs\n");
return -1;
}
// Validate size
if (!sz) {
if (ioSz) {
*ioSz = 0;
}
return 0;
}
struct iovec _iov{};
struct uio _uio{};
_iov.iov_base = kAddr;
_iov.iov_len = sz;
_uio.uio_iov = &_iov;
_uio.uio_iovcnt = 1;
_uio.uio_offset = procAddr;
_uio.uio_resid = sz;
_uio.uio_segflg = UIO_SYSSPACE;
_uio.uio_rw = (write) ? UIO_WRITE : UIO_READ;
_uio.uio_td = curthread;
// Read/Write memory (ignoring faults)
// printf("debug_rwmem: try\n");
int ret = debug_rwmem(p, &_uio);
// printf("debug_rwmem: ret = 0x%x\n", ret);
if (ioSz) {
*ioSz = (sz - _uio.uio_resid);
}
return ret;
}
/**
* @brief Gets the shellcore base address for patching from kernel->user space
*
* @param shellcore_proc struct proc* Shellcore process
* @return uint64_t Base address of shellcore, or 0 on error
*/
uint64_t shellcore_get_addr(void *shellcore_proc)
{
void *vm_map;
void *first_entry;
void *entry;
uint64_t entry_start;
uint8_t entry_prot;
char *entry_name;
uint64_t addr;
// kdlsym function pointers
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto _vm_map_lock_read = (void (*)(void *map, const char *file, int line)) kdlsym(KERNEL_SYM_VM_MAP_LOCK_READ);
auto _vm_map_unlock_read = (void (*)(void *map, const char *file, int line)) kdlsym(KERNEL_SYM_VM_MAP_UNLOCK_READ);
auto _vm_map_lookup_entry = (int (*)(void *map, uint64_t offset, void *entry)) kdlsym(KERNEL_SYM_VM_MAP_LOOKUP_ENTRY);
// Get the process vm map
vm_map = get_proc_vmmap(shellcore_proc);
// printf("[HEN] [SHELLCORE] vm_map = %p\n", vm_map);
// Lock the vm map
_vm_map_lock_read(vm_map, "", 0);
// Lookup the vm map entry
if (_vm_map_lookup_entry(vm_map, 0, &entry) != 0) {
// On failure log and unlock
printf("[HEN] [SHELLCORE] Failed to lookup first entry\n");
_vm_map_unlock_read(vm_map, "", 0);
return 0;
}
first_entry = entry;
addr = 0;
// Iterate over all of the entries and check the name, offset, and protection
do {
entry_name = (char *) ((char *) (entry) + VM_ENTRY_OFFSET_NAME);
entry_start = *(uint64_t *) ((char *) (entry) + VM_ENTRY_OFFSET_START);
entry_prot = *(uint8_t *) ((char *) (entry) + VM_ENTRY_OFFSET_PROT);
printf(" vm entry (start=0x%lx, prot=0x%x), '%s'\n", entry_start, entry_prot, entry_name);
entry = (void *) *(uint64_t *) ((char *) (entry) + VM_ENTRY_OFFSET_NEXT);
if (!strncmp(entry_name, "executable", strlen("executable")) && entry_prot == 4) {
// for (int i = 0; i < 0x200; i += 0x8) {
// printf(" +%02x: 0x%lx\n", i, *(uint64_t *) ((char *) (entry) + i));
// }
addr = entry_start;
break;
}
} while (entry != NULL && entry != first_entry);
// Unlock the vm map
_vm_map_unlock_read(vm_map, "", 0);
// return the found address
return addr;
}
/**
* @brief Applies the shellcore patches in memory
*
*/
void apply_shellcore_patches()
{
uint64_t fw_ver;
struct patch *patches;
struct patch *cur_patch;
void *shellcore_proc;
uint64_t shellcore_base_addr;
int num_patches;
// Get kdlsym function pointers
auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
// Resolve patches for this fw
fw_ver = get_fw_version();
printf("apply_shellcore_patches: fw_ver = 0x%lx\n", fw_ver);
switch (fw_ver) {
case 0x1000000:
patches = (struct patch *) &g_shellcore_patches_100;
num_patches = sizeof(g_shellcore_patches_100) / sizeof(struct patch);
break;
case 0x1010000:
case 0x1020000:
patches = (struct patch *) &g_shellcore_patches_102;
num_patches = sizeof(g_shellcore_patches_102) / sizeof(struct patch);
break;
case 0x1050000:
case 0x1100000:
case 0x1110000:
case 0x1120000:
patches = (struct patch *) &g_shellcore_patches_112;
num_patches = sizeof(g_shellcore_patches_112) / sizeof(struct patch);
break;
case 0x1130000:
case 0x1140000:
patches = (struct patch *) &g_shellcore_patches_114;
num_patches = sizeof(g_shellcore_patches_114) / sizeof(struct patch);
break;
case 0x2000000:
patches = (struct patch *) &g_shellcore_patches_200;
num_patches = sizeof(g_shellcore_patches_200) / sizeof(struct patch);
break;
case 0x2200000:
patches = (struct patch *) &g_shellcore_patches_220;
num_patches = sizeof(g_shellcore_patches_220) / sizeof(struct patch);
break;
case 0x2250000:
patches = (struct patch *) &g_shellcore_patches_225;
num_patches = sizeof(g_shellcore_patches_225) / sizeof(struct patch);
break;
case 0x2260000:
patches = (struct patch *) &g_shellcore_patches_226;
num_patches = sizeof(g_shellcore_patches_226) / sizeof(struct patch);
break;
case 0x2300000:
patches = (struct patch *) &g_shellcore_patches_230;
num_patches = sizeof(g_shellcore_patches_230) / sizeof(struct patch);
break;
case 0x2500000:
patches = (struct patch *) &g_shellcore_patches_250;
num_patches = sizeof(g_shellcore_patches_250) / sizeof(struct patch);
break;
case 0x2700000:
patches = (struct patch *) &g_shellcore_patches_270;
num_patches = sizeof(g_shellcore_patches_270) / sizeof(struct patch);
break;
default:
printf("apply_shellcore_patches: don't have offsets for this firmware\n");
return;
}
// Get shellcore proc
printf("[HEN] [SHELLCORE] Finding shellcore\n");
shellcore_proc = find_proc_by_name("SceShellCore");
if (shellcore_proc == NULL) {
printf("[HEN] [SHELLCORE] Failed to find shellcore\n");
return;
}
printf("[HEN] [SHELLCORE] shellcore proc = %p\n", shellcore_proc);
// Resolve shellcore base address
shellcore_base_addr = shellcore_get_addr(shellcore_proc);
printf("[HEN] [SHELLCORE] Found shellcore base = 0x%lx\n", shellcore_base_addr);
printf("[HEN] [SHELLCORE] Applying shellcore patches...\n");
for (int i = 0; i < num_patches; i++) {
cur_patch = &patches[i];
printf(" offset=0x%lx, size=0x%x, data=%p\n", cur_patch->offset, cur_patch->size, &cur_patch->data);
proc_rw_mem(shellcore_proc, (shellcore_base_addr + cur_patch->offset), cur_patch->size, (void *) &cur_patch->data, NULL, 1);
}
}

129
Source Code/bootstrapper/Byepervisor/hen/src/util.cpp Normal file
View File

@@ -0,0 +1,129 @@
#include <stdint.h>
#include <stddef.h>
#include "kdlsym.h"
#include "proc.h"
#include "util.h"
static uint64_t g_dmap_base = 0;
void *curthread;
void init_dmap_resolve()
{
uint32_t DMPML4I;
uint32_t DMPDPI;
DMPML4I = *(uint32_t *) (kdlsym(KERNEL_SYM_DMPML4I));
DMPDPI = *(uint32_t *) (kdlsym(KERNEL_SYM_DMPDPI));
g_dmap_base = ((uint64_t) (DMPDPI) << 30) | ((uint64_t ) (DMPML4I) << 39) | 0xFFFF800000000000;
}
uint64_t get_dmap_addr(uint64_t pa)
{
// Init dmap resolve if it's not initialized already
if (g_dmap_base == 0)
init_dmap_resolve();
return g_dmap_base + pa;
}
void *find_proc_by_name(const char *name)
{
void *p;
char *proc_name;
//int proc_pid;
//auto printf = (void (*)(const char *fmt, ...)) kdlsym(KERNEL_SYM_PRINTF);
auto allproc = (void *) *(uint64_t *) kdlsym(KERNEL_SYM_ALLPROC);
if (!name) {
return NULL;
}
//printf("find_proc_by_name: proc0 = %p\n", allproc);
p = allproc;
while (p) {
proc_name = (char *) ((char *) (p) + PROC_OFFSET_P_COMM);
//proc_pid = *(int *) ((char *) (p) + PROC_OFFSET_P_PID);
//printf(" proc '%s' (pid: 0x%x)\n", proc_name, proc_pid);
if (!strncmp(proc_name, name, strlen(name))) {
return p;
}
p = (void *) *(uint64_t *) p;
}
return NULL;
}
void *get_proc_vmmap(void *p)
{
return (void *) *(uint64_t *) ((char *) (p) + PROC_OFFSET_P_VMSPACE);
}
void memcpy(void *dest, const void *src, size_t n)
{
char *csrc = (char *) src;
char *cdest = (char *) dest;
for (size_t i = 0; i < n; i++) {
cdest[i] = csrc[i];
}
}
size_t strlen(const char *str)
{
const char *s;
for (s = str; *s; s++) ;
return (s - str);
}
char *strstr(const char *str, const char *substring)
{
const char *a;
const char *b;
b = substring;
if (*b == 0) {
return (char *) str;
}
for ( ; *str != 0; str += 1) {
if (*str != *b) {
continue;
}
a = str;
while (1) {
if (*b == 0) {
return (char *) str;
}
if (*a++ != *b++) {
break;
}
}
b = substring;
}
return NULL;
}
int strncmp(const char * s1, const char * s2, size_t n)
{
while (n && *s1 && (*s1 == *s2)) {
++s1;
++s2;
--n;
}
if (n == 0) {
return 0;
} else {
return (*(unsigned char *) s1 - *(unsigned char *) s2);
}
}

24
Source Code/bootstrapper/Byepervisor/include/config.h Normal file
View File

@@ -0,0 +1,24 @@
#ifndef CONFIG_H
#define CONFIG_H
/*
* Enable debug logging via TCP connection to PC
*/
#define PC_DEBUG_ENABLED 0
/*
* PC IP address for debug logging
*/
#define PC_DEBUG_IP "10.0.0.143"
/*
* PC IP port for debug logging
*/
#define PC_DEBUG_PORT 5655
/*
* TCP port to run the RPC server on
*/
#define RPC_TCP_PORT 9002
#endif // CONFIG_H

10
Source Code/bootstrapper/Byepervisor/include/debug_log.h Normal file
View File

@@ -0,0 +1,10 @@
#ifndef DEBUG_LOG_H
#define DEBUG_LOG_H
extern int g_debug_sock;
#define SOCK_LOG(format, ...)
void DumpHex(const void* data, size_t size);
#endif // DEBUG_LOG_H

17
Source Code/bootstrapper/Byepervisor/include/hen.h Normal file
View File

@@ -0,0 +1,17 @@
/* Autogenerated by hxtools bin2c */
#ifndef HEN_H
#define HEN_H 1
#ifdef __cplusplus
extern "C" {
#endif
extern uint8_t KELF[];
extern uint64_t KELF_SZ;
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* HEN_H */

30
Source Code/bootstrapper/Byepervisor/include/kdlsym.h Normal file
View File

@@ -0,0 +1,30 @@
#pragma once
#ifndef KDLSYM_H
#define KDLSYM_H
typedef enum {
KERNEL_SYM_DMPML4I,
KERNEL_SYM_DMPDPI,
KERNEL_SYM_PML4PML4I,
KERNEL_SYM_PMAP_STORE,
KERNEL_SYM_DATA_CAVE,
KERNEL_SYM_CODE_CAVE,
KERNEL_SYM_PS4_SYSENT,
KERNEL_SYM_PPR_SYSENT,
KERNEL_SYM_GADGET_JMP_PTR_RSI,
KERNEL_SYM_MAX
} ksym_t;
typedef enum {
KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY,
KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF,
KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE,
KERNEL_PATCH_SYS_GETGID,
KERNEL_PATCH_MAX
} kpatch_t;
uint64_t kdlsym(ksym_t sym);
uint64_t kdlpatch(kpatch_t patch);
uint64_t ktext(uint64_t offset);
#endif // KDLSYM_H

27
Source Code/bootstrapper/Byepervisor/include/kexec.h Normal file
View File

@@ -0,0 +1,27 @@
#pragma once
#ifndef KEXEC_H
#define KEXEC_H
struct sysent {
uint32_t n_arg; // 0x00
uint32_t pad_04h; // 0x04
uint64_t sy_call; // 0x08
uint64_t sy_auevent; // 0x10
uint64_t sy_systrace_args; // 0x18
uint32_t sy_entry; // 0x20
uint32_t sy_return; // 0x24
uint32_t sy_flags; // 0x28
uint32_t sy_thrcnt; // 0x2C
};
struct kexec_args {
uint64_t fptr; // 0x00
uint64_t fw; // 0x08
uint64_t kernel_base; // 0x10
};
void install_custom_syscall(int sysc, uint32_t num_args, uint64_t gadget);
void install_kexec();
int kexec(uint64_t fptr);
#endif // KEXEC_H

10
Source Code/bootstrapper/Byepervisor/include/mirror.h Normal file
View File

@@ -0,0 +1,10 @@
#ifndef MIRROR_H
#define MIRROR_H
void *mirror_page(uint64_t kernel_va);
void *mirror_page_no_store(uint64_t kernel_va);
void *mirror_page_range(uint64_t kernel_va, int num_pages);
void *get_mirrored_addr(uint64_t kernel_va);
void reset_mirrors();
#endif // MIRROR_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_00.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_00_H
#define OFFSETS_1_00_H
uint64_t g_sym_map_100[] = {
0x4ADF540, // KERNEL_SYM_DMPML4I
0x4ADF544, // KERNEL_SYM_DMPDPI
0x4ADF29C, // KERNEL_SYM_PML4PML4I
0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_100[] = {
0x05A9710, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9720, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981099, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F17A0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_00_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_01.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_01_H
#define OFFSETS_1_01_H
uint64_t g_sym_map_101[] = {
0x4ADF540, // KERNEL_SYM_DMPML4I
0x4ADF544, // KERNEL_SYM_DMPDPI
0x4ADF29C, // KERNEL_SYM_PML4PML4I
0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_101[] = {
0x05A9730, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9740, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981109, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F17A0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_01_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_02.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_02_H
#define OFFSETS_1_02_H
uint64_t g_sym_map_102[] = {
0x4ADF540, // KERNEL_SYM_DMPML4I
0x4ADF544, // KERNEL_SYM_DMPDPI
0x4ADF29C, // KERNEL_SYM_PML4PML4I
0x4ADF2B8, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA25B0, // KERNEL_SYM_PS4_SYSENT
0x1CAA7B0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_102[] = {
0x05A9740, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9750, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09810C9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F17A0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_02_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_05.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_05_H
#define OFFSETS_1_05_H
uint64_t g_sym_map_105[] = {
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA2690, // KERNEL_SYM_PS4_SYSENT
0x1CAA890, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_105[] = {
0x05A9C20, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9C30, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981909, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F17D0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_05_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_10.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_10_H
#define OFFSETS_1_10_H
uint64_t g_sym_map_110[] = {
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA2690, // KERNEL_SYM_PS4_SYSENT
0x1CAA890, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_110[] = {
0x05A9C60, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9C70, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981919, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F1810, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_10_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_11.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_11_H
#define OFFSETS_1_11_H
uint64_t g_sym_map_111[] = {
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA2690, // KERNEL_SYM_PS4_SYSENT
0x1CAA890, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_111[] = {
0x05A9C80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9C90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981A69, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F1810, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_11_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_12.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_12_H
#define OFFSETS_1_12_H
uint64_t g_sym_map_112[] = {
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA2690, // KERNEL_SYM_PS4_SYSENT
0x1CAA890, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_112[] = {
0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981BB9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F1810, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_12_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_13.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_13_H
#define OFFSETS_1_13_H
uint64_t g_sym_map_113[] = {
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA2690, // KERNEL_SYM_PS4_SYSENT
0x1CAA890, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_113[] = {
0x05A9CF0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9D00, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0981B89, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F1810, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_13_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/1_14.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_1_14_H
#define OFFSETS_1_14_H
uint64_t g_sym_map_114[] = {
0x4ADF5B0, // KERNEL_SYM_DMPML4I
0x4ADF5B4, // KERNEL_SYM_DMPDPI
0x4ADF30C, // KERNEL_SYM_PML4PML4I
0x4ADF328, // KERNEL_SYM_PMAP_STORE
0x7980000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CA2690, // KERNEL_SYM_PS4_SYSENT
0x1CAA890, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_114[] = {
0x05A9D10, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05A9D20, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x0982139, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02F1810, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_1_14_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/2_00.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_2_00_H
#define OFFSETS_2_00_H
uint64_t g_sym_map_200[] = {
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CDE4F0, // KERNEL_SYM_PS4_SYSENT
0x1CE6D10, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_200[] = {
0x0580860, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x0580870, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09A5F49, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02A69B0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_2_00_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/2_20.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_2_20_H
#define OFFSETS_2_20_H
uint64_t g_sym_map_220[] = {
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_220[] = {
0x05809D0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x05809E0, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09A6409, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02A69F0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_2_20_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/2_25.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_2_25_H
#define OFFSETS_2_25_H
uint64_t g_sym_map_225[] = {
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_225[] = {
0x0580A80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x0580A90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09A64B9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02A69F0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_2_25_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/2_26.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_2_26_H
#define OFFSETS_2_26_H
uint64_t g_sym_map_226[] = {
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CDE5B0, // KERNEL_SYM_PS4_SYSENT
0x1CE6DD0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_226[] = {
0x0580A80, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x0580A90, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09A64E9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02A69F0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_2_26_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/2_30.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_2_30_H
#define OFFSETS_2_30_H
uint64_t g_sym_map_230[] = {
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CDE5C0, // KERNEL_SYM_PS4_SYSENT
0x1CE6DE0, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_230[] = {
0x0580D50, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x0580D60, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09A67B9, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02A66D0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_2_30_H

23
Source Code/bootstrapper/Byepervisor/include/offsets/2_50.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef OFFSETS_2_50_H
#define OFFSETS_2_50_H
uint64_t g_sym_map_250[] = {
0x4CB3B50, // KERNEL_SYM_DMPML4I
0x4CB3B54, // KERNEL_SYM_DMPDPI
0x4CB38AC, // KERNEL_SYM_PML4PML4I
0x4CB38C8, // KERNEL_SYM_PMAP_STORE
0x7C40000, // KERNEL_SYM_DATA_CAVE
0x0044000, // KERNEL_SYM_CODE_CAVE
0x1CDE5E0, // KERNEL_SYM_PS4_SYSENT
0x1CE6E00, // KERNEL_SYM_PPR_SYSENT
0x0042000, // KERNEL_SYM_GADGET_JMP_PTR_RSI
};
uint64_t g_patch_map_250[] = {
0x0580EB0, // KERNEL_PATCH_HAS_MMAP_SELF_CAPABILITY
0x0580EC0, // KERNEL_PATCH_IS_ALLOWED_TO_MMAP_SELF
0x09A6A59, // KERNEL_PATCH_MMAP_SELF_CALL_IS_LOADABLE
0x02A67D0, // KERNEL_PATCH_SYS_GETGID
};
#endif // OFFSETS_2_50_H

59
Source Code/bootstrapper/Byepervisor/include/paging.h Normal file
View File

@@ -0,0 +1,59 @@
#ifndef PAGING_H
#define PAGING_H
enum pde_shift {
PDE_PRESENT = 0,
PDE_RW,
PDE_USER,
PDE_WRITE_THROUGH,
PDE_CACHE_DISABLE,
PDE_ACCESSED,
PDE_DIRTY,
PDE_PS,
PDE_GLOBAL,
PDE_XOTEXT = 58,
PDE_PROTECTION_KEY = 59,
PDE_EXECUTE_DISABLE = 63
};
#define PDE_PRESENT_MASK 1UL
#define PDE_RW_MASK 1UL
#define PDE_USER_MASK 1UL
#define PDE_WRITE_THROUGH_MASK 1UL
#define PDE_CACHE_DISABLE_MASK 1UL
#define PDE_ACCESSED_MASK 1UL
#define PDE_DIRTY_MASK 1UL
#define PDE_PS_MASK 1UL
#define PDE_GLOBAL_MASK 1UL
#define PDE_XOTEXT_MASK 1UL
#define PDE_PROTECTION_KEY_MASK 0xFUL
#define PDE_EXECUTE_DISABLE_MASK 1UL
#define PDE_ADDR_MASK 0xffffffffff800ULL // bits [12, 51]
#define PDE_FIELD(pde, name) (((pde) >> PDE_##name) & PDE_##name##_MASK)
#define PDE_ADDR(pde) (pde & PDE_ADDR_MASK)
#define SET_PDE_FIELD(pde, name, val) (pde |= (val << PDE_##name))
#define SET_PDE_BIT(pde, name) (pde |= (PDE_##name##_MASK << PDE_##name))
#define CLEAR_PDE_BIT(pde, name) (pde &= ~(PDE_##name##_MASK << PDE_##name))
#define SET_PDE_ADDR(pde, addr) do { \
pde &= ~(PDE_ADDR_MASK); \
pde |= (addr & PDE_ADDR_MASK); \
} while (0)
#define KERNEL_OFFSET_PROC_P_VMSPACE 0x200
#define KERNEL_OFFSET_VMSPACE_VM_PMAP 0x1D0
#define KERNEL_OFFSET_PMAP_PM_PML4 0x020
uint64_t get_proc_pmap();
uint64_t pmap_kextract(uint64_t va);
uint64_t get_dmap_addr(uint64_t pa);
uint64_t find_pml4e(uint64_t pmap, uint64_t va, uint64_t *out_pml4e);
uint64_t find_pdpe(uint64_t pmap, uint64_t va, uint64_t *out_pdpe);
uint64_t find_pde(uint64_t pmap, uint64_t va, uint64_t *out_pde);
uint64_t find_pte(uint64_t pmap, uint64_t va, uint64_t *out_pte);
int downgrade_kernel_superpages(uint64_t va, uint64_t kernel_pt_addr);
uint64_t remap_page(uint64_t pmap, uint64_t va, uint64_t new_pa);
#endif // PAGING_H

178
Source Code/bootstrapper/Byepervisor/include/patches/1_00.h Normal file
View File

@@ -0,0 +1,178 @@
#ifndef PATCHES_1_00_H
#define PATCHES_1_00_H
#include "patch_common.h"
struct hook g_kernel_hooks_100[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
"sys_is_development_mode() -> isDevelopmentMode()",
0x44000,
0x9071AB
},
};
struct patch g_kernel_patches_100[] = {
{
/*
mov qword ptr [rdi + 0x408], 0xc0ffee;
xor eax, eax;
ret
*/
"sys_getgid()",
0x2f17a0,
"\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3",
14
},
{
// mov eax, 1; ret
"sceSblACMgrHasMmapSelfCapability()",
0x5a9710,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// mov eax, 1; ret
"sceSblACMgrIsAllowedToMmapSelf()",
0x5a9720,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// xor eax, eax; 3x nop
"vm_mmap sceSblAuthMgrIsLoadable() call",
0x981099,
"\x31\xC0\x90\x90\x90",
5
},
{
// xor eax, eax; ret
"cfi_check_fail()",
0x4587e0,
"\xC3",
1
},
{
// jmp qword ptr [rsi]
"kexec trampoline gadget",
0x0042000,
"\xFF\x26",
2
},
{
"sysveri flag",
0x40b0d20,
"\x00",
1
},
{
"panic patch 1",
0x721d40,
"\xC3",
1
},
{
"panic patch 2",
0x40514b,
"\xEB\xFE",
2
},
{
"panic patch 3",
0x7223b0,
"\xC3",
1
},
{
"panic patch 4",
0x7228a0,
"\xC3",
1
},
{
"panic patch 5",
0x722450,
"\xC3",
1
},
{
"panic patch 6",
0x7225a0,
"\xC3",
1
},
{
"panic patch 7",
0x722720,
"\xC3",
1
},
{
"panic patch 8",
0x722950,
"\xC3",
1
},
{
"panic patch 9",
0x722a10,
"\xC3",
1
},
{
"panic patch 10",
0x722ad0,
"\xC3",
1
},
{
"panic patch 11",
0x722ba0,
"\xC3",
1
},
{
"panic patch 12",
0x722c70,
"\xC3",
1
},
{
"panic patch 13",
0x722d50,
"\xC3",
1
},
{
"panic patch 14",
0x71d12e,
"\xB8\x00\x00\x00\x00",
5
},
{
"panic patch 15",
0x71d15b,
"\xB8\x00\x00\x00\x00",
5
},
{
"MMAP_RWX_PATCH_1",
0x97F914,
"\xF7",
1
},
{
"MMAP_RWX_PATCH_1",
0x97F997,
"\xF7",
1
},
{
"MPTROTECT_PATCH",
0x312A01,
"\x00\x00\x00\x00",
4
}
};
#endif // PATCHES_1_00_H

172
Source Code/bootstrapper/Byepervisor/include/patches/1_01.h Normal file
View File

@@ -0,0 +1,172 @@
#ifndef PATCHES_1_01_H
#define PATCHES_1_01_H
#include "patch_common.h"
struct hook g_kernel_hooks_101[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
"sys_is_development_mode() -> isDevelopmentMode()",
0x44000,
0x90720B
},
};
struct patch g_kernel_patches_101[] = {
{
/*
mov qword ptr [rdi + 0x408], 0xc0ffee;
xor eax, eax;
ret
*/
"sys_getgid()",
0x2f17a0,
"\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3",
14
},
{
// mov eax, 1; ret
"sceSblACMgrHasMmapSelfCapability()",
0x5a9730,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// mov eax, 1; ret
"sceSblACMgrIsAllowedToMmapSelf()",
0x5a9740,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// xor eax, eax; 3x nop
"vm_mmap sceSblAuthMgrIsLoadable() call",
0x981109,
"\x31\xC0\x90\x90\x90",
5
},
{
// xor eax, eax; ret
"cfi_check_fail()",
0x4587e0,
"\xC3",
1
},
{
// jmp qword ptr [rsi]
"kexec trampoline gadget",
0x0042000,
"\xFF\x26",
2
},
{
"sysveri flag",
0x40b0d20,
"\x00",
1
},
{
"panic patch 1",
0x721db0,
"\xC3",
1
},
{
"panic patch 2",
0x40514b,
"\xEB\xFE",
2
},
{
"panic patch 3",
0x722420,
"\xC3",
1
},
{
"panic patch 4",
0x722910,
"\xC3",
1
},
{
"panic patch 5",
0x7224C0,
"\xC3",
1
},
{
"panic patch 6",
0x722610,
"\xC3",
1
},
{
"panic patch 7",
0x722790,
"\xC3",
1
},
{
"panic patch 8",
0x7229C0,
"\xC3",
1
},
{
"panic patch 9",
0x722A80,
"\xC3",
1
},
{
"panic patch 10",
0x722B40,
"\xC3",
1
},
{
"panic patch 11",
0x722C10,
"\xC3",
1
},
{
"panic patch 12",
0x722CE0,
"\xC3",
1
},
{
"panic patch 13",
0x722DC0,
"\xC3",
1
},
{
"panic patch 14",
0x71D19E,
"\xB8\x00\x00\x00\x00",
5
},
{
"MMAP_RWX_PATCH_1",
0x97F984,
"\xF7",
1
},
{
"MMAP_RWX_PATCH_1",
0x97FA07,
"\xF7",
1
},
{
"MPTROTECT_PATCH",
0x312A01,
"\x00\x00\x00\x00",
4
}
};
#endif // PATCHES_1_01_H

178
Source Code/bootstrapper/Byepervisor/include/patches/1_02.h Normal file
View File

@@ -0,0 +1,178 @@
#ifndef PATCHES_1_02_H
#define PATCHES_1_02_H
#include "patch_common.h"
struct hook g_kernel_hooks_102[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
"sys_is_development_mode() -> isDevelopmentMode()",
0x44000,
0x9071CB
},
};
struct patch g_kernel_patches_102[] = {
{
/*
mov qword ptr [rdi + 0x408], 0xc0ffee;
xor eax, eax;
ret
*/
"sys_getgid()",
0x2f17a0,
"\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3",
14
},
{
// mov eax, 1; ret
"sceSblACMgrHasMmapSelfCapability()",
0x5a9740,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// mov eax, 1; ret
"sceSblACMgrIsAllowedToMmapSelf()",
0x5a9750,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// xor eax, eax; 3x nop
"vm_mmap sceSblAuthMgrIsLoadable() call",
0x9810c9,
"\x31\xC0\x90\x90\x90",
5
},
{
// xor eax, eax; ret
"cfi_check_fail()",
0x4587e0,
"\xC3",
1
},
{
// jmp qword ptr [rsi]
"kexec trampoline gadget",
0x0042000,
"\xFF\x26",
2
},
{
"sysveri flag",
0x40b0d20,
"\x00",
1
},
{
"panic patch 1",
0x721d70,
"\xC3",
1
},
{
"panic patch 2",
0x40514b,
"\xEB\xFE",
2
},
{
"panic patch 3",
0x7223e0,
"\xC3",
1
},
{
"panic patch 4",
0x7228d0,
"\xC3",
1
},
{
"panic patch 5",
0x722480,
"\xC3",
1
},
{
"panic patch 6",
0x7225d0,
"\xC3",
1
},
{
"panic patch 7",
0x722750,
"\xC3",
1
},
{
"panic patch 8",
0x722980,
"\xC3",
1
},
{
"panic patch 9",
0x722a40,
"\xC3",
1
},
{
"panic patch 10",
0x722b00,
"\xC3",
1
},
{
"panic patch 11",
0x722bd0,
"\xC3",
1
},
{
"panic patch 12",
0x722ca0,
"\xC3",
1
},
{
"panic patch 13",
0x722d80,
"\xC3",
1
},
{
"panic patch 14",
0x71d15e,
"\xB8\x00\x00\x00\x00",
5
},
{
"panic patch 15",
0x71d18b,
"\xB8\x00\x00\x00\x00",
5
},
{
"MMAP_RWX_PATCH_1",
0x97F944,
"\xF7",
1
},
{
"MMAP_RWX_PATCH_1",
0x97F9C7,
"\xF7",
1
},
{
"MPTROTECT_PATCH",
0x312A01,
"\x00\x00\x00\x00",
4
}
};
#endif // PATCHES_1_02_H

178
Source Code/bootstrapper/Byepervisor/include/patches/1_05.h Normal file
View File

@@ -0,0 +1,178 @@
#ifndef PATCHES_1_05_H
#define PATCHES_1_05_H
#include "patch_common.h"
struct hook g_kernel_hooks_105[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
"sys_is_development_mode() -> isDevelopmentMode()",
0x44000,
0x9079BB
},
};
struct patch g_kernel_patches_105[] = {
{
/*
mov qword ptr [rdi + 0x408], 0xc0ffee;
xor eax, eax;
ret
*/
"sys_getgid()",
0x02f17d0,
"\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3",
14
},
{
// mov eax, 1; ret
"sceSblACMgrHasMmapSelfCapability()",
0x5a9c20,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// mov eax, 1; ret
"sceSblACMgrIsAllowedToMmapSelf()",
0x5a9c30,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// xor eax, eax; 3x nop
"vm_mmap sceSblAuthMgrIsLoadable() call",
0x981909,
"\x31\xC0\x90\x90\x90",
5
},
{
// xor eax, eax; ret
"cfi_check_fail()",
0x458c10,
"\xC3",
1
},
{
// jmp qword ptr [rsi]
"kexec trampoline gadget",
0x0042000,
"\xFF\x26",
2
},
{
"sysveri flag",
0x40b0da0,
"\x00",
1
},
{
"panic patch 1",
0x7222e0,
"\xC3",
1
},
{
"panic patch 2",
0x40561b,
"\xEB\xFE",
2
},
{
"panic patch 3",
0x722950,
"\xC3",
1
},
{
"panic patch 4",
0x722e40,
"\xC3",
1
},
{
"panic patch 5",
0x7229f0,
"\xC3",
1
},
{
"panic patch 6",
0x722b40,
"\xC3",
1
},
{
"panic patch 7",
0x722cc0,
"\xC3",
1
},
{
"panic patch 8",
0x722ef0,
"\xC3",
1
},
{
"panic patch 9",
0x722fb0,
"\xC3",
1
},
{
"panic patch 10",
0x723070,
"\xC3",
1
},
{
"panic patch 11",
0x723140,
"\xC3",
1
},
{
"panic patch 12",
0x723210,
"\xC3",
1
},
{
"panic patch 13",
0x7232f0,
"\xC3",
1
},
{
"panic patch 14",
0x71d6ce,
"\xB8\x00\x00\x00\x00",
5
},
{
"panic patch 15",
0x71d6fb,
"\xB8\x00\x00\x00\x00",
5
},
{
"MMAP_RWX_PATCH_1",
0x980184,
"\xF7",
1
},
{
"MMAP_RWX_PATCH_1",
0x980207,
"\xF7",
1
},
{
"MPTROTECT_PATCH",
0x312B41,
"\x00\x00\x00\x00",
4
}
};
#endif // PATCHES_1_05_H

178
Source Code/bootstrapper/Byepervisor/include/patches/1_10.h Normal file
View File

@@ -0,0 +1,178 @@
#ifndef PATCHES_1_10_H
#define PATCHES_1_10_H
#include "patch_common.h"
struct hook g_kernel_hooks_110[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
"sys_is_development_mode() -> isDevelopmentMode()",
0x44000,
0x9079BB
},
};
struct patch g_kernel_patches_110[] = {
{
/*
mov qword ptr [rdi + 0x408], 0xc0ffee;
xor eax, eax;
ret
*/
"sys_getgid()",
0x2F1810,
"\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3",
14
},
{
// mov eax, 1; ret
"sceSblACMgrHasMmapSelfCapability()",
0x5A9C60,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// mov eax, 1; ret
"sceSblACMgrIsAllowedToMmapSelf()",
0x5A9C70,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// xor eax, eax; 3x nop
"vm_mmap sceSblAuthMgrIsLoadable() call",
0x981919,
"\x31\xC0\x90\x90\x90",
5
},
{
// xor eax, eax; ret
"cfi_check_fail()",
0x458C50,
"\xC3",
1
},
{
// jmp qword ptr [rsi]
"kexec trampoline gadget",
0x0042000,
"\xFF\x26",
2
},
{
"sysveri flag",
0x40B0DA0,
"\x00",
1
},
{
"panic patch 1",
0x7222F0,
"\xC3",
1
},
{
"panic patch 2",
0x40565b,
"\xEB\xFE",
2
},
{
"panic patch 3",
0x722960,
"\xC3",
1
},
{
"panic patch 4",
0x722E50,
"\xC3",
1
},
{
"panic patch 5",
0x722A00,
"\xC3",
1
},
{
"panic patch 6",
0x722B50,
"\xC3",
1
},
{
"panic patch 7",
0x722CD0,
"\xC3",
1
},
{
"panic patch 8",
0x722F00,
"\xC3",
1
},
{
"panic patch 9",
0x722FC0,
"\xC3",
1
},
{
"panic patch 10",
0x723080,
"\xC3",
1
},
{
"panic patch 11",
0x723150,
"\xC3",
1
},
{
"panic patch 12",
0x723220,
"\xC3",
1
},
{
"panic patch 13",
0x723300,
"\xC3",
1
},
{
"panic patch 14",
0x71D6DE,
"\xB8\x00\x00\x00\x00",
5
},
{
"panic patch 15",
0x71D70B,
"\xB8\x00\x00\x00\x00",
5
},
{
"MMAP_RWX_PATCH_1",
0x980194,
"\xF7",
1
},
{
"MMAP_RWX_PATCH_1",
0x980217,
"\xF7",
1
},
{
"MPTROTECT_PATCH",
0x312B81,
"\x00\x00\x00\x00",
4
}
};
#endif // PATCHES_1_10_H

178
Source Code/bootstrapper/Byepervisor/include/patches/1_11.h Normal file
View File

@@ -0,0 +1,178 @@
#ifndef PATCHES_1_11_H
#define PATCHES_1_11_H
#include "patch_common.h"
struct hook g_kernel_hooks_111[] = {
{
HOOK_TEST_SYS_IS_DEVELOPMENT_MODE,
"sys_is_development_mode() -> isDevelopmentMode()",
0x44000,
0x907b0b
},
};
struct patch g_kernel_patches_111[] = {
{
/*
mov qword ptr [rdi + 0x408], 0xc0ffee;
xor eax, eax;
ret
*/
"sys_getgid()",
0x2F1810,
"\x48\xC7\x87\x08\x04\x00\x00\xEE\xFF\xC0\x00\x31\xC0\xC3",
14
},
{
// mov eax, 1; ret
"sceSblACMgrHasMmapSelfCapability()",
0x5A9C80,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// mov eax, 1; ret
"sceSblACMgrIsAllowedToMmapSelf()",
0x5A9C90,
"\xB8\x01\x00\x00\x00\xC3",
6
},
{
// xor eax, eax; 3x nop
"vm_mmap sceSblAuthMgrIsLoadable() call",
0x981A69,
"\x31\xC0\x90\x90\x90",
5
},
{
// xor eax, eax; ret
"cfi_check_fail()",
0x458D10,
"\xC3",
1
},
{
// jmp qword ptr [rsi]
"kexec trampoline gadget",
0x0042000,
"\xFF\x26",
2
},
{
"sysveri flag",
0x40B0DA0,
"\x00",
1
},
{
"panic patch 1",
0x7223E0,
"\xC3",
1
},
{
"panic patch 2",
0x40565B,
"\xEB\xFE",
2
},
{
"panic patch 3",
0x722A50,
"\xC3",
1
},
{
"panic patch 4",
0x722F40,
"\xC3",
1
},
{
"panic patch 5",
0x722AF0,
"\xC3",
1
},
{
"panic patch 6",
0x722C40,
"\xC3",
1
},
{
"panic patch 7",
0x722DC0,
"\xC3",
1
},
{
"panic patch 8",
0x722FF0,
"\xC3",
1
},
{
"panic patch 9",
0x7230B0,
"\xC3",
1
},
{
"panic patch 10",
0x723170,
"\xC3",
1
},
{
"panic patch 11",
0x723240,
"\xC3",
1
},
{
"panic patch 12",
0x723310,
"\xC3",
1
},
{
"panic patch 13",
0x7233F0,
"\xC3",
1
},
{
"panic patch 14",
0x71D7CE,
"\xB8\x00\x00\x00\x00",
5
},
{
"panic patch 15",
0x71D7FB,
"\xB8\x00\x00\x00\x00",
5
},
{
"MMAP_RWX_PATCH_1",
0x9802E4,
"\xF7",
1
},
{
"MMAP_RWX_PATCH_1",
0x980367,
"\xF7",
1
},
{
"MPTROTECT_PATCH",
0x312B81,
"\x00\x00\x00\x00",
4
}
};
#endif // PATCHES_1_11_H

Some files were not shown because too many files have changed in this diff Show More