✨ Added support for FW 8.50

[iMrDJAi]

This one is for those who are stuck on FW 8.50 and cannot update due to broken BD! (Nice move Sony 🤦‍♂️)

I need testers on other 8.xx firmware versions to see what else could these offsets support.

[lompaket]

great work!

[Cardoso17]

Thank you!! Can you do 8.03 please?

[TheOfficialFloW]

Has this been tested?

[iMrDJAi]

@TheOfficialFloW I screwed up something. Still looking...

pppoe0: lcp TO(ack-sent) rst_counter = 10
pppoe0: ipcp TO(ack-sent) rst_counter = 10
sppp:sppp_cp_input:2117: TERM_REQ received. proto(lcp) state(opened)
pppoe0: lcp TO(stopping) rst_counter = 0
pppoe0: lcp TO(req-sent) rst_counter = 10


Fatal trap 12: page fault while in kernel mode

[nickcat325]

8.50 jailbreak finally? If you can jailbreak the 8.XX firmwares, it should be possible to update the fw to 9.00, basically using the jailbreak as a stepping stone.

[iMrDJAi]

Funny how it was the very last one. Testing now...

[fabianlanza]

Funny how it was the very last one. Testing now...

Were you able to test it?

[iMrDJAi]

@fabianlanza Nah, looking for testers. I'd appreciate if you do.

[fabianlanza]

@fabianlanza Nah, looking for testers. I'd appreciate if you do.

@iMrDJAi Let me see If I have a friend

[fabianlanza]

@fabianlanza Nah, looking for testers. I'd appreciate if you do.

@iMrDJAi Let me see If I have a friend

@iMrDJAi had no luck finding someone :(

[AmineSimcos]

can you do 11.50 please?

[fffoo]

can you do 11.50 please?

Nah wtf, go fuck yourself. You updated, you gotta wait a year or 2

[GVO72]

@fabianlanza Nah, looking for testers. I'd appreciate if you do.

@iMrDJAi Let me see If I have a friend

@iMrDJAi had no luck finding someone :(

I have an 8.03, I can test on that when available.

[TheOneEyedGrimReaper]

@fabianlanza Nah, looking for testers. I'd appreciate if you do.

You can count me in.
I have a 8.xx slim console too with broken bd.
I gonna check what 8.xx fw this console has when i arrive home.

[se2crid]

can you do 11.50 please?

to be rude but you can leave

[Skwalker416]

This code has offset issues. They will be fixed soon.

Will not pass "waiting for stage1 to resume"
And takes alot of tries for the code execution yo be triggered

[iMrDJAi]

So yeah, I checked every single offset more than once, I verified all gadgets, and they all seem correct. There is no reason why this shouldn't work, unless...

There is one single possibility left. I noticed that FIRST_GADGET offset was from the .data section of the kernel. This could be the reason since .text is where executable code lives.

[iMrDJAi]

PPPwned! 🎉

[rafaelflromao]

PPPwned! 🎉

Was it tested?

[iMrDJAi]

@rafaelflromao Zecoxao just tested it for me.

Still need testers on other 8.xx FWs, probably they have the same offsets.

[Cardoso17]

I didn't find the first 8 offsets, if someone can help - FW 8.03

FW 8.03

class OffsetsFirmware_803:
 PPPOE_SOFTC_LIST = 0xffffffff843ed9f8 #NEED

  KERNEL_MAP = 0xffffffff84468d48 #NEED

  SETIDT = 0xffffffff82512c40 #NEED 

  KMEM_ALLOC = 0xffffffff8257be70 #NEED
  KMEM_ALLOC_PATCH1 = 0xffffffff8257bf3c #NEED 
  KMEM_ALLOC_PATCH2 = 0xffffffff8257bf44 #NEED

  MEMCPY = 0xffffffff824714b0 #NEED 

  MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949 #NEED

  SECOND_GADGET_OFF = 0x3b

  # 0xffffffff82245f1d : jmp qword ptr [rsi + 0x3b]
  FIRST_GADGET = 0xffffffff82245f1d

  # 0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi]
  PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c72e66

  # 0xffffffff823b3311 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
  POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff823b3311

  # 0xffffffff8293bb06 : lea rsp, [rsi + 0x20] ; repz ret
  LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293bb06

  # 0xffffffff826aeada : add rsp, 0x28 ; pop rbp ; ret
  ADD_RSP_28_POP_RBP_RET = 0xffffffff826aeada

  # 0xffffffff8267b46f : add rsp, 0xb0 ; pop rbp ; ret
  ADD_RSP_B0_POP_RBP_RET = 0xffffffff8267b46f

  # 0xffffffff8287c1c6 : ret
  RET = 0xffffffff8287c1c6

  # 0xffffffff82652d81 : pop rdi ; ret
  POP_RDI_RET = 0xffffffff82652d81

  # 0xffffffff82212728 : pop rsi ; ret
  POP_RSI_RET = 0xffffffff82212728

  # 0xffffffff82482342 : pop rdx ; ret
  POP_RDX_RET = 0xffffffff82482342

  # 0xffffffff82233677 : pop rcx ; ret
  POP_RCX_RET = 0xffffffff82233677

  # 0xffffffff82293727 : pop r8 ; pop rbp ; ret
  POP_R8_POP_RBP_RET = 0xffffffff82293727

  # 0xffffffff8279b42f : pop r12 ; ret
  POP_R12_RET = 0xffffffff8279b42f

  # 0xffffffff8223711d : pop rax ; ret
  POP_RAX_RET = 0xffffffff8223711d

  # 0xffffffff822008df : pop rbp ; ret
  POP_RBP_RET = 0xffffffff822008df

  # 0xffffffff82bb35ba : push rsp ; pop rsi ; ret
  PUSH_RSP_POP_RSI_RET = 0xffffffff82bb35ba

  # 0xffffffff82529060 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
  MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82529060

  # 0xffffffff82b7124e : mov byte ptr [rcx], al ; ret
  MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b7124e

  # 0xffffffff8232e9ac : mov rdi, rbx ; call r12
  MOV_RDI_RBX_CALL_R12 = 0xffffffff8232e9ac

  # 0xffffffff8232e7e7 : mov rdi, r14 ; call r12
  MOV_RDI_R14_CALL_R12 = 0xffffffff8232e7e7

  # 0xffffffff823d049e : mov rsi, rbx ; call rax
  MOV_RSI_RBX_CALL_RAX = 0xffffffff823d049e

  # 0xffffffff825dc638 : mov r14, rax ; call r8
  MOV_R14_RAX_CALL_R8 = 0xffffffff825dc638

  # 0xffffffff82cb305a : add rdi, rcx ; ret
  ADD_RDI_RCX_RET = 0xffffffff82cb305a

  # 0xffffffff8266f467 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
  SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8266f467

  # 0xffffffff82b82393 : jmp r14
  JMP_R14 = 0xffffffff82b82393

[iMrDJAi]

@Cardoso17 You can reach me out on PS5 R&D Discord and I'll will help you figuring it out.

Well, now we know that 8.50 offsets don't cover 8.0x.

[loskutov]

@Cardoso17:

PPPOE_SOFTC_LIST = 0xffffffff84422370

KERNEL_MAP = 0xffffffff83d243e0

SETIDT = 0xffffffff82249dd0

KMEM_ALLOC = 0xffffffff8221b3f0
KMEM_ALLOC_PATCH1 = 0xffffffff8221b4bc
KMEM_ALLOC_PATCH2 = 0xffffffff8221b4c4

MEMCPY = 0xffffffff8245e1c0

MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82660609

[zecoxao]

8.00

800k.txt:0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi]
800k.txt:0xffffffff823b3311 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
800k.txt:0xffffffff8293bb06 : lea rsp, [rsi + 0x20] ; repz ret
800k.txt:0xffffffff826aeada : add rsp, 0x28 ; pop rbp ; ret
800k.txt:0xffffffff8267b46f : add rsp, 0xb0 ; pop rbp ; ret
800k.txt:0xffffffff82200431 : ret
800k.txt:0xffffffff82652d81 : pop rdi ; ret
800k.txt:0xffffffff82212728 : pop rsi ; ret
800k.txt:0xffffffff82482342 : pop rdx ; ret
800k.txt:0xffffffff82233677 : pop rcx ; ret
800k.txt:0xffffffff82293727 : pop r8 ; pop rbp ; ret
800k.txt:0xffffffff8279b42f : pop r12 ; ret
800k.txt:0xffffffff8223711d : pop rax ; ret
800k.txt:0xffffffff822008df : pop rbp ; ret
800k.txt:0xffffffff82bb35ba : push rsp ; pop rsi ; ret
800k.txt:0xffffffff82529060 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
800k.txt:0xffffffff82b7124e : mov byte ptr [rcx], al ; ret
800k.txt:0xffffffff8232e9ac : mov rdi, rbx ; call r12
800k.txt:0xffffffff8232e7e7 : mov rdi, r14 ; call r12
800k.txt:0xffffffff823d049e : mov rsi, rbx ; call rax
800k.txt:0xffffffff825dc638 : mov r14, rax ; call r8
800k.txt:0xffffffff82cb305a : add rdi, rcx ; ret
800k.txt:0xffffffff8266f467 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
800k.txt:0xffffffff82b82393 : jmp r14

[iMrDJAi]

No one on 8.51 8.52 to test?

[zecoxao]

No one on 8.51 to test?

8.52 exists, 8.51 does not (afaict)

[iMrDJAi]

@TheOfficialFloW I guess at this point you may merge this PR. We can always add alias to 8.52 later.

[Cardoso17]

@iMrDJAi What's your name in discord?

[Cardoso17]

Someone can create stage1 and stage2 for 8.03?

Example FW 8.03

#define kdlsym_addr_Xfast_syscall
#define kdlsym_addr_printf
#define kdlsym_addr_sysent

#define kdlsym_addr_amd_syscall_patch1
#define kdlsym_addr_amd_syscall_patch2
#define kdlsym_addr_amd_syscall_patch3
#define kdlsym_addr_amd_syscall_patch4

#define kdlsym_addr_copyin_patch1
#define kdlsym_addr_copyin_patch2

#define kdlsym_addr_copyout_patch1
#define kdlsym_addr_copyout_patch2

#define kdlsym_addr_copyinstr_patch1
#define kdlsym_addr_copyinstr_patch2
#define kdlsym_addr_copyinstr_patch3

[iMrDJAi]

@Cardoso17 Test these #47

[Cardoso17]

@iMrDJAi finally tested and worked perfectly!! Awaiting now for no bd update

Thank you!