From b784c2124c5a2005676ca48a39d6f62c150735d1 Mon Sep 17 00:00:00 2001
From: Al Azif <33132478+Al-Azif@users.noreply.github.com>
Date: Fri, 5 Sep 2025 10:35:26 -0700
Subject: [PATCH 1/3] Add AIO patch for 7.0x

---
 src/kpatch/700.c | 54 +++++++++++++++++++++++++++++++++++++++++++++---
 src/kpatch/750.c | 2 +-
 2 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/src/kpatch/700.c b/src/kpatch/700.c
index 53d214a..96a73de 100644
--- a/src/kpatch/700.c
+++ b/src/kpatch/700.c
@@ -63,13 +63,61 @@ static inline void restore(void *kbase, struct kexec_args *uap) {
   }
 }
-// TODO: __attribute__((always_inline))
 static inline void patch_aio(void *kbase) {
-  const u64 aio_off = 0x04a1bb1;
-
   disable_cr0_wp();
+  const u64 aio_off = 0x4a1bb1;
+
+  // patch = {0xeb}
+  write8(kbase, aio_off, 0xeb);
+
+  // offset = 0x3d
+  // patch = {0xeb, 0x07}
+  write16(kbase, aio_off + 0x3d, 0x07eb);
+
+  // offset = 0x46
+  // patch = {0x41, 0x83, 0xbf, 0xa0, 0x04, 0x00, 0x00, 0x00, 0x90}
+  write64(kbase, aio_off + 0x46, 0x00000004a0bf8341);
+  write8(kbase, aio_off + 0x4e, 0x90);
+
+  // offset = 0x57
+  // patch = {0x87}
+  write8(kbase, aio_off + 0x57, 0x87);
+
+  // offset = 0x64
+  // patch = {0xb7}
+  write8(kbase, aio_off + 0x64, 0xb7);
+
+  // offset = 0x7c
+  // patch = {0x87}
+  write8(kbase, aio_off + 0x7c, 0x87);
+
+  // offset = 0x89
+  // patch = {0xb7}
+  write8(kbase, aio_off + 0x89, 0xb7);
+
+  // offset = 0xa1
+  // patch = {0xbf}
+  write8(kbase, aio_off + 0xa1, 0xbf);
+
+  // offset = 0xad
+  // patch = {0xbf}
+  write8(kbase, aio_off + 0xad, 0xbf);
+
+  // offset = 0xb9
+  // patch = {0xbf}
+  write8(kbase, aio_off + 0xb9, 0xbf);
+
+  // offset = 0xc5
+  // patch = {0xbf}
+  write8(kbase, aio_off + 0xc5, 0xbf);
+
+  // offset = 0xd4
+  // patch = {0x49, 0x8b, 0xff}
+  write16(kbase, aio_off + 0xd4, 0x8b49);
+  write8(kbase, aio_off + 0xd6, 0xff);
+
   enable_cr0_wp();
 }
diff --git a/src/kpatch/750.c b/src/kpatch/750.c
index 3e9b565..a7097cc 100644
--- a/src/kpatch/750.c
+++ b/src/kpatch/750.c
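Review bot: Nothing in the new patch_aio body checks that the bytes at `aio_off` and the following offsets are the ones these writes are meant to replace, so on a 7.0x build whose layout differs from the one the offsets were taken from, the function would silently overwrite unrelated kernel text; a read-and-compare of the expected original bytes before the first `write8`, skipping the patch on mismatch, would turn that into a detectable failure. I cannot see the write8/write16/write64 helpers, so whether some check already lives there is an assumption to confirm. The byte comments are the only documentation: a one-line header such as `// 7.0x AIO patch (presumably mirrors patch_aio in 750.c); see the README TODO entry on the post-exploit fix` would tell a reader what the hunk is for, and the first write lacks the `// offset = 0x0` line every other group carries. The `write64` at +0x46 followed by `write8` at +0x4e does match the 9-byte sequence in its comment, as do the two-byte `write16` values, so the encoding itself looks consistent.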
@@ -106,7 +106,7 @@ static inline void patch_aio(void *kbase) {
   write8(kbase, aio_off + 0x4b, 0x00);
   // offset = 0x5d
-  // patch = {0x49, 0x8d, 0xBe, 0xc0, 0x00, 0x00, 0x00}
+  // patch = {0x49, 0x8d, 0xbe, 0xc0, 0x00, 0x00, 0x00}
   write32(kbase, aio_off + 0x5d, 0xc0be8d49);
   write16(kbase, aio_off + 0x61, 0x0000);
   write8(kbase, aio_off + 0x63, 0x00);

From 08ecf038c94aa99b56e46c9f32e2e486f83656b6 Mon Sep 17 00:00:00 2001
From: Al Azif <33132478+Al-Azif@users.noreply.github.com>
Date: Fri, 5 Sep 2025 11:41:15 -0700
Subject: [PATCH 2/3] Update README.md

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1c6c1d8..1d81ee5 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,8 @@ _Note: Support for other firmwares listed in the "Vulnerability Scope" table may
 ## TODO List
-- [ ] Blackscreen/Save issue with certain games
+- [X] ~~Blackscreen/Save issue with certain games~~ Issue is patched post-exploit
+  - [ ] Determine root cause and fix more directly
 - [ ] `lapse.mjs`: Just set the bits for JIT privs
 - [ ] `view.mjs`: Assumes PS4, support PS5 as well
 - [ ] Add PS5 support

From 37c6646b87846a42995b11806315bc5f0d61a94b Mon Sep 17 00:00:00 2001
From: ArabPixel
Date: Fri, 5 Sep 2025 21:11:55 +0200
Subject: [PATCH 3/3] 7.0x kpatch update

---
 src/kpatch/700.bin | Bin 474 -> 594 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/src/kpatch/700.bin b/src/kpatch/700.bin
index 0fa47ba757d2a6b56c399114793bda318130e68e..bd94c7738357811287e7b7e671f53f3b96efddef 100644
GIT binary patch
delta 167
zcmcb`e2Ha)CS(1M*X#@o#~L?EdojFD>uh`nq&;>xHt%1+!oa}b(b@PND6qq``~UxA
zjsJnn3C9{aWV{&Kk2Q({sqM!abs;<}2rmdo?LXES2cfbcR2hf@n%xSdk2SUf$^ZNc
r2RwKg7#JBQ8!`4vr}4|T0BvJn;NNE8&|$*l(R_f>)AB&+ht~}NDv>=r

delta 37
scmcb_a*KI`CgbG!j58$pB0NNW2vj6}9