zo0/PSFree-Enhanced-Dockerized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bcbca6a727245c017794503c1ce20c766c9d4a46
PSFree-Enhanced-Dockerized/CHANGELOG.md
Al Azif bcbca6a727 Tweaks before tackling the new ROP chains 
- Added read8/read16/write8/write16 functions
- Simplify shellcode a little bit more
- Didn't init chain before using it for setuid check
2025-06-03 00:05:44 -07:00

3.2 KiB
Raw Blame History

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Added

  • Kernel patches from pOOBs4 by @ChendoChap and ported for 8.00-9.60
    • 233 bytes to 307 bytes
  • Payload loader from pOOBs4 by @ChendoChap
  • PROT_READ, PROT_WRITE, PROT_EXEC constants for payload loader by @janisslsm
  • Added loading payload from file
  • Added read8/read16/write8/write16 functions

Fixed

  • Fixed corrupt pointer cleanup by abc
  • Fixed ip6po_rthdr offset for PS5 by abc
  • Verified the number of blocking requests needed to be two by abc
  • Only run kernel exploit once by checking setuid by @JTAG7371
  • Restore syscall 661 (sys_aio_submit()) after patching by @janisslsm

Changed

  • Cleanup/Linting/Tweaks/Fixes/etc
    • Default Prettier config w/ 999 line length
    • Default eslint config "problems" list trimmed down
  • Reorder make_aliased_pktopts to try and reclaim memory earlier, by abc
  • Simplify shellcode a little bit more
    • No external headers
    • Added -fcf-protection=none flag to skip added "endbr64" instructions
      • 307 bytes to 295 bytes
    • Changed restore and do_patch to be inlined
      • 307 bytes to 282 bytes
    • Changed to -03 for execution speed optimization
      • 282 bytes to 345 bytes

1.5.1 - 2025-05-12

Added

  • .gitignore for kpatch output
  • Auto detect console type and firmware in config.mjs
    • Used elsewhere to determine which offsets/patches/ROP chain are used
  • WIP: Add 8.50-9.60 support
    • All offsets found
    • Running into some issue here. Wiped out my JOP chains to redo them...

Fixed

  • Call lapse.mjs rather than code.mjs
  • Makefile for kpatch builds all currently available

Changed

  • Use relative locations rather than absolute
  • Changed kpatch binaries to just be shellcode vs full ELFs
    • 5,216 bytes to 257 bytes.
  • Build kpatch binaries with -Os rather than -O
    • 257 bytes to 233 bytes.
  • Renamed/Formatted CHANGELOG.md, README.md, and LICENSE

1.5.0 - 2025-05-08

Added

  • Lapse kernel exploit

Fixed

  • Rewrite PSFree exploit

1.4.0 - 2024-01-25

Added

  • Kernel patch payload for 8.0x

Fixed

  • Remove the risk of crashing from using the Chain classes
  • Remove the risk of crashing from using make_buffer()
  • (PS5 < 3.00) use valid config at exploit.mjs:setup_ssv_data

1.3.0 - ????-??-??

Added

  • ROP chain managers for 8.5x, 9.0x, 9.5x

Fixed

  • Improve the speed and reliability of the exploit (exploit.mjs)

Removed

  • Support for webkitgtk 2.34.4, see 1.0.0 for a working implementation

1.2.0 - 2023-12-03

Added

  • Support for PS4 6.00-6.20

1.1.0 - ????-??-??

Added

  • Support for running ROP chains (PS4 8.03)
  • Support for calling syscalls (PS4 8.03)

1.0.0 - ????-??-??

Added

  • Proof-of-concept code to gain arbitrary read/write (PS4 6.50-9.60/PS5 1.00-5.50)
Reference in New Issue View Git Blame Copy Permalink