From 8871d2c0ec2b3d4c362a586df44a9a5d8fa5bbf2 Mon Sep 17 00:00:00 2001 From: LightningMods Date: Sun, 6 Sep 2020 21:46:00 -0400 Subject: [PATCH] Added testkit support --- kernel/src/Boot/InitParams.hpp | 13 +- kernel/src/Driver/CtrlDriver.cpp | 59 +- kernel/src/Mira.cpp | 195 +-- kernel/src/OrbisOS/Utilities.cpp | 554 +++++--- kernel/src/OrbisOS/Utilities.hpp | 41 +- kernel/src/Plugins/FakePkg/FakePkgManager.cpp | 1259 +++++++++++++---- kernel/src/Plugins/FakePkg/FakePkgManager.hpp | 55 +- .../MorpheusEnabler/MorpheusEnabler.cpp | 10 +- kernel/src/Plugins/PluginManager.cpp | 154 +- kernel/src/Plugins/PluginManager.hpp | 1 + .../RemotePlayEnabler/RemotePlayEnabler.cpp | 76 +- kernel/src/Utils/Kdlsym/Default.hpp | 1 + kernel/src/Utils/Kdlsym/Orbis176.hpp | 1 + kernel/src/Utils/Kdlsym/Orbis405.hpp | 2 + kernel/src/Utils/Kdlsym/Orbis455.hpp | 3 +- kernel/src/Utils/Kdlsym/Orbis474.hpp | 2 +- kernel/src/Utils/Kdlsym/Orbis501.hpp | 2 +- kernel/src/Utils/Kdlsym/Orbis503.hpp | 1 + kernel/src/Utils/Kdlsym/Orbis505.hpp | 2 +- kernel/src/Utils/Kdlsym/Orbis620.hpp | 3 +- kernel/src/Utils/Kdlsym/Orbis650.hpp | 4 + kernel/src/Utils/Kdlsym/Orbis672.hpp | 1 + kernel/src/Utils/Kernel.hpp | 50 +- 23 files changed, 1666 insertions(+), 823 deletions(-) diff --git a/kernel/src/Boot/InitParams.hpp b/kernel/src/Boot/InitParams.hpp index d4695113..8f730aca 100644 --- a/kernel/src/Boot/InitParams.hpp +++ b/kernel/src/Boot/InitParams.hpp @@ -23,20 +23,21 @@ namespace Mira uint64_t allocatedBase; // Kernel process handle - struct proc* process; + struct proc *process; // Entrypoint // Userland should set this to NULL - void(*entrypoint)(void*); + void (*entrypoint)(void *); // ElfLoader - MiraLoader::Loader* elfLoader; + MiraLoader::Loader *elfLoader; // If this is an elf launch or not uint8_t isElf : 1; - + // If the kproc is currently running uint8_t isRunning : 1; + } InitParams; - } -} \ No newline at end of file + } // namespace Boot +} // namespace Mira \ No newline at end of file diff --git a/kernel/src/Driver/CtrlDriver.cpp b/kernel/src/Driver/CtrlDriver.cpp index 96f07f67..67b24641 100644 --- a/kernel/src/Driver/CtrlDriver.cpp +++ b/kernel/src/Driver/CtrlDriver.cpp @@ -158,6 +158,9 @@ int32_t CtrlDriver::OnIoctl(struct cdev* p_Device, u_long p_Command, caddr_t p_D //auto copyout = (int(*)(const void *kaddr, void *udaddr, size_t len))kdlsym(copyout); //auto copyin = (int(*)(const void* uaddr, void* kaddr, size_t len))kdlsym(copyin); + p_Command = p_Command & 0xFFFFFFFF; // Clear the upper32 + + if (p_Thread != nullptr && p_Thread->td_proc) WriteLog(LL_Debug, "ctrl driver ioctl from tid: (%d) pid: (%d).", p_Thread->td_tid, p_Thread->td_proc->p_pid); @@ -675,6 +678,12 @@ int32_t CtrlDriver::OnMiraThreadCredentials(struct cdev* p_Device, u_long p_Comm return (s_Result < 0 ? s_Result : -s_Result); } +// Failsafe in case that a provided number is 0 or negative + if (s_Input.ThreadId <= 0) + s_Input.ThreadId = p_Thread->td_tid; + +WriteLog(LL_Debug, "thread id (%d).\n", p_Thread->td_tid); + MiraThreadCredentials* s_Output = nullptr; switch (s_Input.State) @@ -724,10 +733,12 @@ int32_t CtrlDriver::OnMiraThreadCredentials(struct cdev* p_Device, u_long p_Comm bool CtrlDriver::SetThreadCredentials(int32_t p_ProcessId, int32_t p_ThreadId, MiraThreadCredentials& p_Input) { - auto spinlock_exit = (void(*)(void))kdlsym(spinlock_exit); + + + auto spinlock_exit = (void(*)(void))kdlsym(spinlock_exit); auto _thread_lock_flags = (void(*)(struct thread *, int, const char *, int))kdlsym(_thread_lock_flags); auto pfind = (struct proc* (*)(pid_t processId))kdlsym(pfind); - auto _mtx_unlock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_unlock_flags); + auto _mtx_unlock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_unlock_flags); // Make sure that we are setting threads if (p_Input.State != MiraThreadCredentials::_State::Set) @@ -740,7 +751,7 @@ bool CtrlDriver::SetThreadCredentials(int32_t p_ProcessId, int32_t p_ThreadId, M WriteLog(LL_Error, "could not find process for pid (%d).", p_ProcessId); return false; } - + bool s_ThreadModified = false; do { @@ -749,10 +760,14 @@ bool CtrlDriver::SetThreadCredentials(int32_t p_ProcessId, int32_t p_ThreadId, M { thread_lock(l_Thread); + WriteLog(LL_Debug, "checking tid: (%d) == (%d).", l_Thread->td_tid, p_ThreadId); + do { if (p_ThreadId == -1 || l_Thread->td_tid == p_ThreadId) { + + auto l_ThreadCredential = l_Thread->td_ucred; if (l_ThreadCredential == nullptr) { @@ -761,25 +776,48 @@ bool CtrlDriver::SetThreadCredentials(int32_t p_ProcessId, int32_t p_ThreadId, M } // ucred + l_ThreadCredential->cr_uid = p_Input.EffectiveUserId; l_ThreadCredential->cr_ruid = p_Input.RealUserId; l_ThreadCredential->cr_svuid = p_Input.SavedUserId; l_ThreadCredential->cr_ngroups = p_Input.NumGroups; l_ThreadCredential->cr_rgid = p_Input.RealGroupId; + l_ThreadCredential->cr_groups[0] = 0; l_ThreadCredential->cr_svgid = p_Input.SavedGroupId; - - // prison - if (p_Input.Prison == MiraThreadCredentials::_MiraThreadCredentialsPrison::Root) - l_ThreadCredential->cr_prison = *(struct prison**)kdlsym(prison0); - - l_ThreadCredential->cr_sceAuthID = p_Input.SceAuthId; - + + if( p_Input.SceAuthId) + l_ThreadCredential->cr_sceAuthID = p_Input.SceAuthId; + else + WriteLog(LL_Debug, "no SceAuthId, skipping\n"); + + // TODO: Static assert that these are equal memcpy(l_ThreadCredential->cr_sceCaps, p_Input.Capabilities, sizeof(l_ThreadCredential->cr_sceCaps)); // TODO: Static assert that sizeof are equal memcpy(l_ThreadCredential->cr_sceAttr, p_Input.Attributes, sizeof(l_ThreadCredential->cr_sceAttr)); + // Update the rootvnode + auto l_FileDesc = s_Process->p_fd; + if (l_FileDesc && p_Input.Prison == MiraThreadCredentials::_MiraThreadCredentialsPrison::Root) + { + + l_ThreadCredential->cr_sceAuthID = SceAuthenticationId_t::MaxAccess; + l_ThreadCredential->cr_sceAttr[0] = SceCapabilities_t::Max; + l_ThreadCredential->cr_sceCaps[0] = SceCapabilities_t::Max; + + + l_FileDesc->fd_rdir = *(struct vnode**)kdlsym(rootvnode); + l_FileDesc->fd_jdir = *(struct vnode**)kdlsym(rootvnode); + WriteLog(LL_Debug, "setting prison0"); + l_ThreadCredential->cr_prison = *(struct prison**)kdlsym(prison0); + + } + + + + + s_ThreadModified = true; } @@ -824,6 +862,7 @@ bool CtrlDriver::GetThreadCredentials(int32_t p_ProcessId, int32_t p_ThreadId, M // Lock the thread thread_lock(l_Thread); + // If the thread id's match then we need to copy this data out if (l_Thread->td_tid == p_ThreadId) { diff --git a/kernel/src/Mira.cpp b/kernel/src/Mira.cpp index e5b39e80..bce0dcc0 100644 --- a/kernel/src/Mira.cpp +++ b/kernel/src/Mira.cpp @@ -42,26 +42,28 @@ // extern "C" { - #include - #include // sysent_t - #include // proc - #include // filedesc - #include - #include - #include - #include - #include - #include - #include +#include +#include // sysent_t +#include // proc +#include // filedesc +#include +#include +#include +#include +#include +#include +#include } +const char *gNull = "(null)"; +uint8_t *gKernelBase = nullptr; +struct logger_t *gLogger = nullptr; +using namespace Mira::OrbisOS; -const char* gNull = "(null)"; -uint8_t* gKernelBase = nullptr; -struct logger_t* gLogger = nullptr; +bool is_Kit; -Mira::Framework* Mira::Framework::m_Instance = nullptr; -Mira::Framework* Mira::Framework::GetFramework() +Mira::Framework *Mira::Framework::m_Instance = nullptr; +Mira::Framework *Mira::Framework::GetFramework() { if (m_Instance == nullptr) m_Instance = new Mira::Framework(); @@ -69,19 +71,17 @@ Mira::Framework* Mira::Framework::GetFramework() return m_Instance; } -Mira::Framework::Framework() : - m_InitParams(), - m_EventHandlersInstalled(false), - m_SuspendTag(nullptr), - m_ResumeTag(nullptr), - m_ProcessExec(nullptr), - m_ProcessExecEnd(nullptr), - m_ProcessExit(nullptr), - m_PluginManager(nullptr), - m_MessageManager(nullptr), - m_CtrlDriver(nullptr) +Mira::Framework::Framework() : m_InitParams(), + m_EventHandlersInstalled(false), + m_SuspendTag(nullptr), + m_ResumeTag(nullptr), + m_ProcessExec(nullptr), + m_ProcessExecEnd(nullptr), + m_ProcessExit(nullptr), + m_PluginManager(nullptr), + m_MessageManager(nullptr), + m_CtrlDriver(nullptr) { - } Mira::Framework::~Framework() @@ -92,10 +92,10 @@ Mira::Framework::~Framework() WriteLog(LL_Info, "terminated successfully"); } -extern "C" void mira_entry(void* args) +extern "C" void mira_entry(void *args) { // Fill the kernel base address - gKernelBase = (uint8_t*)kernelRdmsr(0xC0000082) - kdlsym_addr_Xfast_syscall; + gKernelBase = (uint8_t *)kernelRdmsr(0xC0000082) - kdlsym_addr_Xfast_syscall; cpu_disable_wp(); @@ -103,20 +103,20 @@ extern "C" void mira_entry(void* args) cpu_enable_wp(); - auto kthread_exit = (void(*)(void))kdlsym(kthread_exit); + auto kthread_exit = (void (*)(void))kdlsym(kthread_exit); //auto kproc_exit = (void(*)(int ecode))kdlsym(kproc_exit); - auto vmspace_alloc = (struct vmspace* (*)(vm_offset_t min, vm_offset_t max))kdlsym(vmspace_alloc); - auto pmap_activate = (void(*)(struct thread *td))kdlsym(pmap_activate); - auto printf = (void(*)(const char *format, ...))kdlsym(printf); + auto vmspace_alloc = (struct vmspace * (*)(vm_offset_t min, vm_offset_t max)) kdlsym(vmspace_alloc); + auto pmap_activate = (void (*)(struct thread * td)) kdlsym(pmap_activate); + auto printf = (void (*)(const char *format, ...))kdlsym(printf); //auto avcontrol_sleep = (void(*)(int milliseconds))kdlsym(avcontrol_sleep); - // Let'em know we made it + // Let'em know we made it printf("[+] mira has reached stage 2\n"); - // These are the initialization parameters from the loader - Mira::Boot::InitParams* initParams = static_cast(args); - if (initParams == nullptr) - { + // These are the initialization parameters from the loader + Mira::Boot::InitParams *initParams = static_cast(args); + if (initParams == nullptr) + { printf("[-] no init params\n"); kthread_exit(); return; @@ -130,6 +130,7 @@ extern "C" void mira_entry(void* args) kthread_exit(); return; } + // Create new credentials WriteLog(LL_Debug, "Creating new thread credentials"); (void)ksetuid_t(0, curthread); @@ -146,10 +147,10 @@ extern "C" void mira_entry(void* args) curthread->td_ucred->cr_ruid = 0; if (curthread->td_ucred->cr_prison) - curthread->td_ucred->cr_prison = *(struct prison**)kdlsym(prison0); + curthread->td_ucred->cr_prison = *(struct prison **)kdlsym(prison0); if (curthread->td_proc->p_fd) - curthread->td_proc->p_fd->fd_rdir = curthread->td_proc->p_fd->fd_jdir = *(struct vnode**)kdlsym(rootvnode); + curthread->td_proc->p_fd->fd_rdir = curthread->td_proc->p_fd->fd_jdir = *(struct vnode **)kdlsym(rootvnode); // Set our auth id as debugger curthread->td_ucred->cr_sceAuthID = SceAuthenticationId::Decid; @@ -174,7 +175,7 @@ extern "C" void mira_entry(void* args) // Create new vm_space WriteLog(LL_Debug, "Creating new vm space"); - struct vmspace* vmspace = vmspace_alloc(0, PAGE_SIZE * 2048); // Allocate 8MiB + struct vmspace *vmspace = vmspace_alloc(0, PAGE_SIZE * 2048); // Allocate 8MiB WriteLog(LL_Debug, "here"); if (!vmspace) { @@ -193,8 +194,9 @@ extern "C" void mira_entry(void* args) // Because we have now forked into a new realm of fuckery // We need to reserve the first 3 file descriptors in our process + WriteLog(LL_Debug, "Creating initial 3 file descriptors (0, 1, 2)."); - int descriptor = kopen_t(const_cast("/dev/console"), 1, 0, curthread); + int descriptor = kopen_t(const_cast("/dev/console"), 1, 0, curthread); WriteLog(LL_Debug, "/dev/console descriptor: %d", descriptor); WriteLog(LL_Info, "dup2(desc, 1) result: %d", kdup2_t(descriptor, 1, curthread)); WriteLog(LL_Info, "dup2(1, 2) result: %d", kdup2_t(1, 2, curthread)); @@ -227,8 +229,9 @@ extern "C" void mira_entry(void* args) kthread_exit(); } -bool Mira::Framework::SetInitParams(Mira::Boot::InitParams* p_Params) +bool Mira::Framework::SetInitParams(Mira::Boot::InitParams *p_Params) { + if (p_Params == NULL) return false; @@ -249,6 +252,11 @@ bool Mira::Framework::Initialize() // TODO: Load settings WriteLog(LL_Warn, "FIXME: loading settings not implemented!!!!"); + if (!Utilities::isAssistMode() || !Utilities::isTestkit()) + is_Kit = false; + else + is_Kit = true; + // Initialize message manager WriteLog(LL_Debug, "Initializing the message manager"); m_MessageManager = new Mira::Messaging::MessageManager(); @@ -295,14 +303,24 @@ bool Mira::Framework::Initialize() // Set the running flag m_InitParams.isRunning = true; - // Mira is now ready ! Now Killing SceShellUI for relaunching UI Process :D - struct proc* ui_proc = Mira::OrbisOS::Utilities::FindProcessByName("SceShellUI"); - if (ui_proc) { - Mira::OrbisOS::Utilities::KillProcess(ui_proc); - } else { - WriteLog(LL_Error, "Unable to find SceShellUI Process !"); - } - + // causes testkit IPC to kpanic the console on relaunch + ////////////////////////////////////////////////////////////// + + if (is_Kit) + WriteLog(LL_Debug, "Testkit Detected, No patches will be applied\n"); + else + { + struct proc *ui_proc = Utilities::FindProcessByName("SceShellUI"); + + if (ui_proc) + { + Utilities::KillProcess(ui_proc); + } + else + { + WriteLog(LL_Error, "Unable to find SceShellUI Process !"); + } + } return true; } @@ -333,17 +351,17 @@ bool Mira::Framework::Terminate() return true; } -struct thread* Mira::Framework::GetMainThread() +struct thread *Mira::Framework::GetMainThread() { - auto _mtx_lock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_lock_flags); - auto _mtx_unlock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_unlock_flags); + auto _mtx_lock_flags = (void (*)(struct mtx * mutex, int flags)) kdlsym(_mtx_lock_flags); + auto _mtx_unlock_flags = (void (*)(struct mtx * mutex, int flags)) kdlsym(_mtx_unlock_flags); auto s_Process = m_InitParams.process; if (s_Process == nullptr) return nullptr; _mtx_lock_flags(&s_Process->p_mtx, 0); - struct thread* s_Thread = s_Process->p_singlethread; + struct thread *s_Thread = s_Process->p_singlethread; if (s_Thread == nullptr) s_Thread = FIRST_THREAD_IN_PROC(s_Process); _mtx_unlock_flags(&s_Process->p_mtx, 0); @@ -351,10 +369,10 @@ struct thread* Mira::Framework::GetMainThread() return s_Thread; } -struct thread* Mira::Framework::GetSyscoreThread() +struct thread *Mira::Framework::GetSyscoreThread() { - auto _mtx_lock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_lock_flags); - auto _mtx_unlock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_unlock_flags); + auto _mtx_lock_flags = (void (*)(struct mtx * mutex, int flags)) kdlsym(_mtx_lock_flags); + auto _mtx_unlock_flags = (void (*)(struct mtx * mutex, int flags)) kdlsym(_mtx_unlock_flags); auto s_Process = OrbisOS::Utilities::FindProcessByName("SceSysCore"); if (s_Process == nullptr) { @@ -362,7 +380,7 @@ struct thread* Mira::Framework::GetSyscoreThread() return nullptr; } - struct thread* s_MainThread = nullptr; + struct thread *s_MainThread = nullptr; _mtx_lock_flags(&s_Process->p_mtx, 0); s_MainThread = FIRST_THREAD_IN_PROC(s_Process); @@ -371,18 +389,18 @@ struct thread* Mira::Framework::GetSyscoreThread() return s_MainThread; } -struct thread* Mira::Framework::GetShellcoreThread() +struct thread *Mira::Framework::GetShellcoreThread() { - auto _mtx_lock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_lock_flags); - auto _mtx_unlock_flags = (void(*)(struct mtx *mutex, int flags))kdlsym(_mtx_unlock_flags); - struct ::proc* s_Process = OrbisOS::Utilities::FindProcessByName("SceShellCore"); + auto _mtx_lock_flags = (void (*)(struct mtx * mutex, int flags)) kdlsym(_mtx_lock_flags); + auto _mtx_unlock_flags = (void (*)(struct mtx * mutex, int flags)) kdlsym(_mtx_unlock_flags); + struct ::proc *s_Process = OrbisOS::Utilities::FindProcessByName("SceShellCore"); if (s_Process == nullptr) { WriteLog(LL_Error, "could not get SceShellCore process."); return nullptr; } - struct thread* s_MainThread = nullptr; + struct thread *s_MainThread = nullptr; _mtx_lock_flags(&s_Process->p_mtx, 0); s_MainThread = FIRST_THREAD_IN_PROC(s_Process); @@ -396,18 +414,17 @@ bool Mira::Framework::InstallEventHandlers() if (m_EventHandlersInstalled) return false; - auto eventhandler_register = (eventhandler_tag - (*)(struct eventhandler_list *list, const char *name, - void *func, void *arg, int priority))kdlsym(eventhandler_register); + auto eventhandler_register = (eventhandler_tag(*)(struct eventhandler_list * list, const char *name, + void *func, void *arg, int priority)) kdlsym(eventhandler_register); // Register our event handlers //const int32_t prio = 1337; - m_SuspendTag = EVENTHANDLER_REGISTER(system_suspend_phase1, reinterpret_cast(Mira::Framework::OnMiraSuspend), GetFramework(), EVENTHANDLER_PRI_FIRST); - m_ResumeTag = EVENTHANDLER_REGISTER(system_resume_phase1, reinterpret_cast(Mira::Framework::OnMiraResume), GetFramework(), EVENTHANDLER_PRI_LAST); + m_SuspendTag = EVENTHANDLER_REGISTER(system_suspend_phase1, reinterpret_cast(Mira::Framework::OnMiraSuspend), GetFramework(), EVENTHANDLER_PRI_FIRST); + m_ResumeTag = EVENTHANDLER_REGISTER(system_resume_phase1, reinterpret_cast(Mira::Framework::OnMiraResume), GetFramework(), EVENTHANDLER_PRI_LAST); - m_ProcessExec = EVENTHANDLER_REGISTER(process_exec, reinterpret_cast(Mira::Framework::OnMiraProcessExec), GetFramework(), EVENTHANDLER_PRI_ANY); - m_ProcessExecEnd = EVENTHANDLER_REGISTER(process_exec_end, reinterpret_cast(Mira::Framework::OnMiraProcessExecEnd), GetFramework(), EVENTHANDLER_PRI_LAST); - m_ProcessExit = EVENTHANDLER_REGISTER(process_exit, reinterpret_cast(Mira::Framework::OnMiraProcessExit), GetFramework(), EVENTHANDLER_PRI_FIRST); + m_ProcessExec = EVENTHANDLER_REGISTER(process_exec, reinterpret_cast(Mira::Framework::OnMiraProcessExec), GetFramework(), EVENTHANDLER_PRI_ANY); + m_ProcessExecEnd = EVENTHANDLER_REGISTER(process_exec_end, reinterpret_cast(Mira::Framework::OnMiraProcessExecEnd), GetFramework(), EVENTHANDLER_PRI_LAST); + m_ProcessExit = EVENTHANDLER_REGISTER(process_exit, reinterpret_cast(Mira::Framework::OnMiraProcessExit), GetFramework(), EVENTHANDLER_PRI_FIRST); // Set our event handlers as installed m_EventHandlersInstalled = true; @@ -423,12 +440,12 @@ bool Mira::Framework::RemoveEventHandlers() if (m_SuspendTag == nullptr || m_ResumeTag == nullptr) return false; - auto eventhandler_deregister = (void(*)(struct eventhandler_list* a, struct eventhandler_entry* b))kdlsym(eventhandler_deregister); - auto eventhandler_find_list = (struct eventhandler_list * (*)(const char *name))kdlsym(eventhandler_find_list); + auto eventhandler_deregister = (void (*)(struct eventhandler_list * a, struct eventhandler_entry * b)) kdlsym(eventhandler_deregister); + auto eventhandler_find_list = (struct eventhandler_list * (*)(const char *name)) kdlsym(eventhandler_find_list); EVENTHANDLER_DEREGISTER(system_suspend_phase1, m_SuspendTag); EVENTHANDLER_DEREGISTER(system_resume_phase1, m_ResumeTag); - + EVENTHANDLER_DEREGISTER(process_exec, m_ProcessExec); EVENTHANDLER_DEREGISTER(process_exec_end, m_ProcessExecEnd); EVENTHANDLER_DEREGISTER(process_exit, m_ProcessExit); @@ -445,7 +462,7 @@ bool Mira::Framework::RemoveEventHandlers() return true; } -void Mira::Framework::OnMiraSuspend(void* __unused p_Reserved) +void Mira::Framework::OnMiraSuspend(void *__unused p_Reserved) { if (GetFramework() == nullptr) return; @@ -457,7 +474,7 @@ void Mira::Framework::OnMiraSuspend(void* __unused p_Reserved) s_PluginManager->OnSuspend(); } -void Mira::Framework::OnMiraResume(void* __unused p_Reserved) +void Mira::Framework::OnMiraResume(void *__unused p_Reserved) { if (GetFramework() == nullptr) return; @@ -470,10 +487,10 @@ void Mira::Framework::OnMiraResume(void* __unused p_Reserved) s_PluginManager->OnResume(); } -void Mira::Framework::OnMiraShutdown(void* __unused p_Reserved) +void Mira::Framework::OnMiraShutdown(void *__unused p_Reserved) { - auto kproc_exit = (int(*)(int code))kdlsym(kproc_exit); - auto kthread_exit = (void(*)(void))kdlsym(kthread_exit); + auto kproc_exit = (int (*)(int code))kdlsym(kproc_exit); + auto kthread_exit = (void (*)(void))kdlsym(kthread_exit); WriteLog(LL_Warn, "SHUTDOWN SHUTDOWN SHUTDOWN"); @@ -490,14 +507,14 @@ void Mira::Framework::OnMiraShutdown(void* __unused p_Reserved) kthread_exit(); } -void Mira::Framework::OnMiraProcessExec(void* p_Framework, struct proc* p_Process) +void Mira::Framework::OnMiraProcessExec(void *p_Framework, struct proc *p_Process) { - WriteLog(LL_Warn, "Process Executing: "); - + WriteLog(LL_Warn, "Process Executing: "); + auto s_Framework = GetFramework(); if (s_Framework == nullptr) return; - + auto s_PluginManager = s_Framework->GetPluginManager(); if (s_PluginManager) { @@ -509,14 +526,14 @@ void Mira::Framework::OnMiraProcessExec(void* p_Framework, struct proc* p_Proces s_Framework->m_CtrlDriver->OnProcessExec(p_Framework, p_Process); } -void Mira::Framework::OnMiraProcessExecEnd(void* p_Framework, struct proc* p_Process) +void Mira::Framework::OnMiraProcessExecEnd(void *p_Framework, struct proc *p_Process) { WriteLog(LL_Warn, "Process Ending: "); auto s_Framework = GetFramework(); if (s_Framework == nullptr) return; - + auto s_PluginManager = s_Framework->GetPluginManager(); if (s_PluginManager) { @@ -525,13 +542,13 @@ void Mira::Framework::OnMiraProcessExecEnd(void* p_Framework, struct proc* p_Pro } } -void Mira::Framework::OnMiraProcessExit(void* p_Framework, struct proc* p_Process) +void Mira::Framework::OnMiraProcessExit(void *p_Framework, struct proc *p_Process) { WriteLog(LL_Warn, "Process Exiting: "); if (GetFramework() == nullptr) return; - + if (!GetFramework()->GetPluginManager()->OnProcessExit(p_Process)) { WriteLog(LL_Error, "could not call exit process on plugin manager."); diff --git a/kernel/src/OrbisOS/Utilities.cpp b/kernel/src/OrbisOS/Utilities.cpp index f76a6188..2d6b6eac 100644 --- a/kernel/src/OrbisOS/Utilities.cpp +++ b/kernel/src/OrbisOS/Utilities.cpp @@ -12,89 +12,130 @@ extern "C" { - #include - #include +#include +#include - #include - #include - #include - #include +#include +#include +#include +#include - #include - #include - #include +#include +#include +#include - #include - #include - #include +#include +#include +#include - #include - #include +#include +#include }; using namespace Mira::OrbisOS; // Credits: m0rph (https://github.com/m0rph3us1987) // This allows the short jump hooks to jump far (into Mira's dynamically allocated memory, which could be anywhere) -void Utilities::HookFunctionCall(uint8_t* p_HookTrampoline, void* p_Function, void* p_Address) +void Utilities::HookFunctionCall(uint8_t *p_HookTrampoline, void *p_Function, void *p_Address) { - uint8_t* s_HookPayload = p_HookTrampoline; - uint16_t* s_TempAddress = reinterpret_cast(p_HookTrampoline); - s_TempAddress++; + uint8_t *s_HookPayload = p_HookTrampoline; + uint16_t *s_TempAddress = reinterpret_cast(p_HookTrampoline); + s_TempAddress++; - uint64_t* s_FunctionAddress = reinterpret_cast(s_TempAddress); + uint64_t *s_FunctionAddress = reinterpret_cast(s_TempAddress); - cpu_disable_wp(); + cpu_disable_wp(); - // mov rax - s_HookPayload[0] = 0x48; - s_HookPayload[1] = 0xB8; + // mov rax + s_HookPayload[0] = 0x48; + s_HookPayload[1] = 0xB8; - *s_FunctionAddress = reinterpret_cast(p_Function); + *s_FunctionAddress = reinterpret_cast(p_Function); - s_HookPayload[0x0A] = 0xFF; - s_HookPayload[0x0B] = 0xE0; + s_HookPayload[0x0A] = 0xFF; + s_HookPayload[0x0B] = 0xE0; - int32_t s_CallAddress = (int32_t)(p_HookTrampoline - (uint8_t*)p_Address) - 5; - s_HookPayload = reinterpret_cast(p_Address); - s_HookPayload++; - int32_t* s_Pointer = reinterpret_cast(s_HookPayload); - *s_Pointer = s_CallAddress; + int32_t s_CallAddress = (int32_t)(p_HookTrampoline - (uint8_t *)p_Address) - 5; + s_HookPayload = reinterpret_cast(p_Address); + s_HookPayload++; + int32_t *s_Pointer = reinterpret_cast(s_HookPayload); + *s_Pointer = s_CallAddress; - cpu_enable_wp(); + cpu_enable_wp(); } -uint64_t Utilities::PtraceIO(int32_t p_ProcessId, int32_t p_Operation, void* p_DestAddress, void* p_ToReadWriteAddress, size_t p_ToReadWriteSize) +uint64_t Utilities::PtraceIO(int32_t p_ProcessId, int32_t p_Operation, void *p_DestAddress, void *p_ToReadWriteAddress, size_t p_ToReadWriteSize) { - if (p_ProcessId < 0) - return -EIO; - - struct thread* s_DebuggerThread = curthread; - - struct ptrace_io_desc s_Desc - { - .piod_op = p_Operation, - .piod_offs = p_DestAddress, - .piod_addr = p_ToReadWriteAddress, - .piod_len = p_ToReadWriteSize - }; - - uint64_t s_Ret = kptrace_t(PT_IO, p_ProcessId, (caddr_t)&s_Desc, 0, s_DebuggerThread); - if (s_Ret != 0) - return s_Ret; - else - return (uint64_t)s_Desc.piod_len; + if (p_ProcessId < 0) + return -EIO; + + struct thread *s_DebuggerThread = curthread; + + struct ptrace_io_desc s_Desc + { + .piod_op = p_Operation, + .piod_offs = p_DestAddress, + .piod_addr = p_ToReadWriteAddress, + .piod_len = p_ToReadWriteSize + }; + + uint64_t s_Ret = kptrace_t(PT_IO, p_ProcessId, (caddr_t)&s_Desc, 0, s_DebuggerThread); + if (s_Ret != 0) + return s_Ret; + else + return (uint64_t)s_Desc.piod_len; +} + +bool Utilities::isAssistMode() +{ + char rtv[32]; + + //I reversed the func params myself, thnx sony for the ez params + auto sceRegMgrGetBin = (uint32_t(*)(uint32_t p_Id, char *p_OutValue, size_t size))kdlsym(sceRegMgrGetBin); + + // 0x78020300 is Release Check Mode regkey ONLY KITS HAVE IT + auto s_Ret = sceRegMgrGetBin(0x78020300, (char *)&rtv, 32); + + if (s_Ret != 0) + { + //retail will likely error out + WriteLog(LL_Debug, "IS_RETAIL with code (0x%lx)\n", s_Ret); + return false; + } + else if (*rtv == 0x4) + { + WriteLog(LL_Info, "Is in bootmode AssistMode"); + return true; + } + else + { + WriteLog(LL_Debug, "Bootmode returned with key val (0x%x)\n", *rtv); + return false; + } + + return false; +} + +bool Utilities::isTestkit() +{ + + WriteLog(LL_Debug, "Target ID Reported as (%x)\n", *(uint8_t *)kdlsym(target_id)); + + if (*(uint8_t *)kdlsym(target_id) == 0x82) + return true; + else + return false; } // Credits: flatz (https://github.com/flatz) -int Utilities::ProcessReadWriteMemory(struct ::proc* p_Process, void* p_DestAddress, size_t p_Size, void* p_ToReadWriteAddress, size_t* p_BytesReadWrote, bool p_Write) +int Utilities::ProcessReadWriteMemory(struct ::proc *p_Process, void *p_DestAddress, size_t p_Size, void *p_ToReadWriteAddress, size_t *p_BytesReadWrote, bool p_Write) { if (p_Process == nullptr) return -EPROCUNAVAIL; - + if (p_DestAddress == nullptr) return -EINVAL; - + if (p_ToReadWriteAddress == nullptr) return -EINVAL; @@ -109,12 +150,15 @@ int Utilities::ProcessReadWriteMemory(struct ::proc* p_Process, void* p_DestAddr struct uio s_Uio; int s_Ret = 0; - if (!p_Process) { + if (!p_Process) + { return 1; } - if (p_Size == 0) { - if (p_BytesReadWrote) { + if (p_Size == 0) + { + if (p_BytesReadWrote) + { *p_BytesReadWrote = 0; } @@ -134,10 +178,11 @@ int Utilities::ProcessReadWriteMemory(struct ::proc* p_Process, void* p_DestAddr s_Uio.uio_rw = p_Write ? UIO_WRITE : UIO_READ; s_Uio.uio_td = s_DebuggerThread; - auto proc_rwmem = (int (*)(struct proc *p, struct uio *uio))kdlsym(proc_rwmem); + auto proc_rwmem = (int (*)(struct proc * p, struct uio * uio)) kdlsym(proc_rwmem); s_Ret = proc_rwmem(p_Process, &s_Uio); - if (p_BytesReadWrote) { + if (p_BytesReadWrote) + { *p_BytesReadWrote = (size_t)((uint64_t)p_Size - s_Uio.uio_resid); } @@ -145,19 +190,19 @@ int Utilities::ProcessReadWriteMemory(struct ::proc* p_Process, void* p_DestAddr } // Credits: flatz -struct proc* Utilities::FindProcessByName(const char* p_Name) +struct proc *Utilities::FindProcessByName(const char *p_Name) { - auto _sx_slock = (int(*)(struct sx *sx, int opts, const char *file, int line))kdlsym(_sx_slock); - auto _sx_sunlock = (void(*)(struct sx *sx, const char *file, int line))kdlsym(_sx_sunlock); - auto _mtx_unlock_flags = (void(*)(struct mtx *m, int opts, const char *file, int line))kdlsym(_mtx_unlock_flags); - auto _mtx_lock_flags = (void(*)(struct mtx *m, int opts, const char *file, int line))kdlsym(_mtx_lock_flags); + auto _sx_slock = (int (*)(struct sx * sx, int opts, const char *file, int line)) kdlsym(_sx_slock); + auto _sx_sunlock = (void (*)(struct sx * sx, const char *file, int line)) kdlsym(_sx_sunlock); + auto _mtx_unlock_flags = (void (*)(struct mtx * m, int opts, const char *file, int line)) kdlsym(_mtx_unlock_flags); + auto _mtx_lock_flags = (void (*)(struct mtx * m, int opts, const char *file, int line)) kdlsym(_mtx_lock_flags); auto strlen = (size_t(*)(const char *str))kdlsym(strlen); - auto strncmp = (int(*)(const char *, const char *, size_t))kdlsym(strncmp); + auto strncmp = (int (*)(const char *, const char *, size_t))kdlsym(strncmp); - struct sx* allproclock = (struct sx*)kdlsym(allproc_lock); - struct proclist* allproc = (struct proclist*)*(uint64_t*)kdlsym(allproc); + struct sx *allproclock = (struct sx *)kdlsym(allproc_lock); + struct proclist *allproc = (struct proclist *)*(uint64_t *)kdlsym(allproc); - struct proc* s_FoundProc = nullptr; + struct proc *s_FoundProc = nullptr; if (!p_Name) return NULL; @@ -166,13 +211,14 @@ struct proc* Utilities::FindProcessByName(const char* p_Name) do { - struct proc* s_Proc = nullptr; + struct proc *s_Proc = nullptr; - FOREACH_PROC_IN_SYSTEM(s_Proc) + FOREACH_PROC_IN_SYSTEM(s_Proc) { PROC_LOCK(s_Proc); - if (strncmp(p_Name, s_Proc->p_comm, strlen(p_Name)) == 0) { + if (strncmp(p_Name, s_Proc->p_comm, strlen(p_Name)) == 0) + { s_FoundProc = s_Proc; PROC_UNLOCK(s_Proc); break; @@ -187,42 +233,45 @@ struct proc* Utilities::FindProcessByName(const char* p_Name) return s_FoundProc; } - // Credits: flatz -int Utilities::GetProcessVmMap(struct ::proc* p_Process, ProcVmMapEntry** p_Entries, size_t* p_NumEntries) +int Utilities::GetProcessVmMap(struct ::proc *p_Process, ProcVmMapEntry **p_Entries, size_t *p_NumEntries) { - auto _mtx_unlock_flags = (void(*)(struct mtx *m, int opts, const char *file, int line))kdlsym(_mtx_unlock_flags); - auto _mtx_lock_flags = (void(*)(struct mtx *m, int opts, const char *file, int line))kdlsym(_mtx_lock_flags); - auto vmspace_acquire_ref = (struct vmspace* (*)(struct proc *))kdlsym(vmspace_acquire_ref); - auto vmspace_free = (void(*)(struct vmspace *))kdlsym(vmspace_free); - auto wakeup = (void(*)(void*))kdlsym(wakeup); - auto _vm_map_lock_read = (void(*)(vm_map_t map, const char *file, int line))kdlsym(_vm_map_lock_read); - auto _vm_map_unlock_read = (void(*)(vm_map_t map, const char *file, int line))kdlsym(_vm_map_unlock_read); - auto faultin = (void(*)(struct proc *p))kdlsym(faultin); - - struct vmspace* vm = nullptr; - ProcVmMapEntry* info = nullptr; + auto _mtx_unlock_flags = (void (*)(struct mtx * m, int opts, const char *file, int line)) kdlsym(_mtx_unlock_flags); + auto _mtx_lock_flags = (void (*)(struct mtx * m, int opts, const char *file, int line)) kdlsym(_mtx_lock_flags); + auto vmspace_acquire_ref = (struct vmspace * (*)(struct proc *)) kdlsym(vmspace_acquire_ref); + auto vmspace_free = (void (*)(struct vmspace *))kdlsym(vmspace_free); + auto wakeup = (void (*)(void *))kdlsym(wakeup); + auto _vm_map_lock_read = (void (*)(vm_map_t map, const char *file, int line))kdlsym(_vm_map_lock_read); + auto _vm_map_unlock_read = (void (*)(vm_map_t map, const char *file, int line))kdlsym(_vm_map_unlock_read); + auto faultin = (void (*)(struct proc * p)) kdlsym(faultin); + + struct vmspace *vm = nullptr; + ProcVmMapEntry *info = nullptr; vm_map_t map = nullptr; vm_map_entry_t entry = nullptr; size_t n, i = 0; int ret = 0; - size_t allocSize = 0;// n * sizeof(*info); + size_t allocSize = 0; // n * sizeof(*info); - if (!p_Process) { + if (!p_Process) + { ret = EINVAL; goto error; } - if (!p_Entries) { + if (!p_Entries) + { ret = EINVAL; goto error; } - if (!p_NumEntries) { + if (!p_NumEntries) + { ret = EINVAL; goto error; } PROC_LOCK(p_Process); - if (p_Process->p_flag & P_WEXIT) { + if (p_Process->p_flag & P_WEXIT) + { PROC_UNLOCK(p_Process); ret = ESRCH; goto error; @@ -231,7 +280,8 @@ int Utilities::GetProcessVmMap(struct ::proc* p_Process, ProcVmMapEntry** p_Entr PROC_UNLOCK(p_Process); vm = vmspace_acquire_ref(p_Process); - if (!vm) { + if (!vm) + { PRELE(p_Process); ret = ESRCH; goto error; @@ -239,17 +289,19 @@ int Utilities::GetProcessVmMap(struct ::proc* p_Process, ProcVmMapEntry** p_Entr map = &vm->vm_map; vm_map_lock_read(map); - for (entry = map->header.next, n = 0; entry != &map->header; entry = entry->next) { + for (entry = map->header.next, n = 0; entry != &map->header; entry = entry->next) + { if (entry->eflags & MAP_ENTRY_IS_SUB_MAP) continue; ++n; } if (n == 0) goto done; - - allocSize = n * sizeof(*info); - info = (ProcVmMapEntry*)new uint8_t[allocSize]; - if (!info) { + + allocSize = n * sizeof(*info); + info = (ProcVmMapEntry *)new uint8_t[allocSize]; + if (!info) + { vm_map_unlock_read(map); vmspace_free(vm); @@ -259,7 +311,8 @@ int Utilities::GetProcessVmMap(struct ::proc* p_Process, ProcVmMapEntry** p_Entr goto error; } memset(info, 0, n * sizeof(*info)); - for (entry = map->header.next, i = 0; entry != &map->header; entry = entry->next) { + for (entry = map->header.next, i = 0; entry != &map->header; entry = entry->next) + { if (entry->eflags & MAP_ENTRY_IS_SUB_MAP) continue; @@ -297,145 +350,159 @@ int Utilities::GetProcessVmMap(struct ::proc* p_Process, ProcVmMapEntry** p_Entr error: if (info) - delete [] info; - //kfree(info, allocSize); + delete[] info; + //kfree(info, allocSize); return ret; } // Allow / Disallow to write on a executable -int Utilities::ExecutableWriteProtection(struct proc* p, bool write_allowed) { - struct thread* s_ProcessThread = FIRST_THREAD_IN_PROC(p); - - if (!s_ProcessThread) { - WriteLog(LL_Error, "[%d] Could not get the first thread.", p->p_pid); - return -1; - } - - // Get the start text address of my process - uint64_t s_TextStart = 0; - uint64_t s_TextSize = 0; - ProcVmMapEntry* s_Entries = nullptr; - size_t s_NumEntries = 0; - auto s_Ret = Utilities::GetProcessVmMap(p, &s_Entries, &s_NumEntries); - if (s_Ret < 0) - { - WriteLog(LL_Error, "[%d] Could not get the VM Map.", p->p_pid); - return -2; - } - - if (s_Entries == nullptr || s_NumEntries == 0) - { - WriteLog(LL_Error, "[%d] Invalid entries (%p) or numEntries (%d)", p->p_pid, s_Entries, s_NumEntries); - return -3; - } - - for (auto i = 0; i < s_NumEntries; ++i) - { - if (s_Entries[i].prot == (PROT_READ | PROT_EXEC)) - { - s_TextStart = (uint64_t)s_Entries[i].start; - s_TextSize = ((uint64_t)s_Entries[i].end - (uint64_t)s_Entries[i].start); - break; - } - } - - if (s_TextStart == 0 || s_TextSize) - { - WriteLog(LL_Error, "[%d] Could not find text start or size for this process !", p->p_pid); - WriteLog(LL_Error, "[%d] Could not find text start or size for this process !", p->p_pid); - - // Free the s_Entries - delete [] s_Entries; - s_Entries = nullptr; - return -4; - } else { - WriteLog(LL_Info, "[%d] text pointer: %p !", p->p_pid, s_TextStart); - } - - if (write_allowed) { - s_Ret = kmprotect_t((void*)s_TextStart, s_TextSize, (PROT_READ | PROT_WRITE | PROT_EXEC), s_ProcessThread); - if (s_Ret < 0) { - WriteLog(LL_Error, "[%d] Unable to mprotect(1) ! (err: %d)", p->p_pid, s_Ret); - } - } else { - s_Ret = kmprotect_t((void*)s_TextStart, s_TextSize, (PROT_READ | PROT_EXEC), s_ProcessThread); - if (s_Ret < 0) { - WriteLog(LL_Error, "[%d] Unable to mprotect(2) ! (err: %d)", p->p_pid, s_Ret); - } - } - - // Free the s_Entries - delete [] s_Entries; - s_Entries = nullptr; - return 0; +int Utilities::ExecutableWriteProtection(struct proc *p, bool write_allowed) +{ + struct thread *s_ProcessThread = FIRST_THREAD_IN_PROC(p); + + if (!s_ProcessThread) + { + WriteLog(LL_Error, "[%d] Could not get the first thread.", p->p_pid); + return -1; + } + + // Get the start text address of my process + uint64_t s_TextStart = 0; + uint64_t s_TextSize = 0; + ProcVmMapEntry *s_Entries = nullptr; + size_t s_NumEntries = 0; + auto s_Ret = Utilities::GetProcessVmMap(p, &s_Entries, &s_NumEntries); + if (s_Ret < 0) + { + WriteLog(LL_Error, "[%d] Could not get the VM Map.", p->p_pid); + return -2; + } + + if (s_Entries == nullptr || s_NumEntries == 0) + { + WriteLog(LL_Error, "[%d] Invalid entries (%p) or numEntries (%d)", p->p_pid, s_Entries, s_NumEntries); + return -3; + } + + for (auto i = 0; i < s_NumEntries; ++i) + { + if (s_Entries[i].prot == (PROT_READ | PROT_EXEC)) + { + s_TextStart = (uint64_t)s_Entries[i].start; + s_TextSize = ((uint64_t)s_Entries[i].end - (uint64_t)s_Entries[i].start); + break; + } + } + + if (s_TextStart == 0 || s_TextSize) + { + WriteLog(LL_Error, "[%d] Could not find text start or size for this process !", p->p_pid); + WriteLog(LL_Error, "[%d] Could not find text start or size for this process !", p->p_pid); + + // Free the s_Entries + delete[] s_Entries; + s_Entries = nullptr; + return -4; + } + else + { + WriteLog(LL_Info, "[%d] text pointer: %p !", p->p_pid, s_TextStart); + } + + if (write_allowed) + { + s_Ret = kmprotect_t((void *)s_TextStart, s_TextSize, (PROT_READ | PROT_WRITE | PROT_EXEC), s_ProcessThread); + if (s_Ret < 0) + { + WriteLog(LL_Error, "[%d] Unable to mprotect(1) ! (err: %d)", p->p_pid, s_Ret); + } + } + else + { + s_Ret = kmprotect_t((void *)s_TextStart, s_TextSize, (PROT_READ | PROT_EXEC), s_ProcessThread); + if (s_Ret < 0) + { + WriteLog(LL_Error, "[%d] Unable to mprotect(2) ! (err: %d)", p->p_pid, s_Ret); + } + } + + // Free the s_Entries + delete[] s_Entries; + s_Entries = nullptr; + return 0; } // Mount NullFS folder -int Utilities::MountNullFS(char* where, char* what, int flags) +int Utilities::MountNullFS(char *where, char *what, int flags) { - auto mount_argf = (struct mntarg*(*)(struct mntarg *ma, const char *name, const char *fmt, ...))kdlsym(mount_argf); - auto kernel_mount = (int(*)(struct mntarg *ma, int flags))kdlsym(kernel_mount); + auto mount_argf = (struct mntarg * (*)(struct mntarg * ma, const char *name, const char *fmt, ...)) kdlsym(mount_argf); + auto kernel_mount = (int (*)(struct mntarg * ma, int flags)) kdlsym(kernel_mount); - struct mntarg* ma = NULL; + struct mntarg *ma = NULL; - ma = mount_argf(ma, "fstype", "%s", "nullfs"); - ma = mount_argf(ma, "fspath", "%s", where); - ma = mount_argf(ma, "target", "%s", what); + ma = mount_argf(ma, "fstype", "%s", "nullfs"); + ma = mount_argf(ma, "fspath", "%s", where); + ma = mount_argf(ma, "target", "%s", what); - if (ma == NULL) { - WriteLog(LL_Error, "Something is wrong, ma value is null after argument"); - return 50; - } + if (ma == NULL) + { + WriteLog(LL_Error, "Something is wrong, ma value is null after argument"); + return 50; + } - return kernel_mount(ma, flags); + return kernel_mount(ma, flags); } // Kill a process by this proc -int Utilities::KillProcess(struct proc* p) +int Utilities::KillProcess(struct proc *p) { - auto killproc = (int(*)(struct proc *p, const char *why))kdlsym(killproc); + auto killproc = (int (*)(struct proc * p, const char *why)) kdlsym(killproc); return killproc(p, "Mira"); } // Based on the work of JOGolden (JKPatch) // Create a PThread (POSIX Thread) on remote process -int Utilities::CreatePOSIXThread(struct proc* p, void* entrypoint) { - auto thr_create = (int (*)(struct thread * td, uint64_t ctx, void* start_func, void *arg, char *stack_base, size_t stack_size, char *tls_base, long * child_tid, long * parent_tid, uint64_t flags, uint64_t rtp))kdlsym(kern_thr_create); +int Utilities::CreatePOSIXThread(struct proc *p, void *entrypoint) +{ + auto thr_create = (int (*)(struct thread * td, uint64_t ctx, void *start_func, void *arg, char *stack_base, size_t stack_size, char *tls_base, long *child_tid, long *parent_tid, uint64_t flags, uint64_t rtp)) kdlsym(kern_thr_create); if (p == nullptr) { WriteLog(LL_Error, "invalid proc!"); return -1; } - struct thread* s_ProcessThread = FIRST_THREAD_IN_PROC(p); + struct thread *s_ProcessThread = FIRST_THREAD_IN_PROC(p); // Check if arguments is correct - if (!p || !entrypoint) { + if (!p || !entrypoint) + { WriteLog(LL_Error, "Invalid argument !"); return -2; } // Got substitute plugin - Plugins::Substitute* substitute = Mira::Plugins::Substitute::GetPlugin(); - if (!substitute) { + Plugins::Substitute *substitute = Mira::Plugins::Substitute::GetPlugin(); + if (!substitute) + { WriteLog(LL_Error, "Substitute dependency is required."); return -3; } size_t s_Size = 0; int s_Ret = 0; - char* s_TitleId = (char*)((uint64_t)p + 0x390); + char *s_TitleId = (char *)((uint64_t)p + 0x390); WriteLog(LL_Info, "[%s] Creating POSIX Thread (Entrypoint: %p) ...", s_TitleId, entrypoint); // Resolve all addresses - void* s_scePthreadAttrInit = substitute->FindOriginalAddress(p, "scePthreadAttrInit", 0); - void* s_scePthreadAttrSetstacksize = substitute->FindOriginalAddress(p, "scePthreadAttrSetstacksize", 0); - void* s_scePthreadCreate = substitute->FindOriginalAddress(p, "scePthreadCreate", 0); - void* s_pthread_getthreadid_np = substitute->FindOriginalAddress(p, "pthread_getthreadid_np", 0); + void *s_scePthreadAttrInit = substitute->FindOriginalAddress(p, "scePthreadAttrInit", 0); + void *s_scePthreadAttrSetstacksize = substitute->FindOriginalAddress(p, "scePthreadAttrSetstacksize", 0); + void *s_scePthreadCreate = substitute->FindOriginalAddress(p, "scePthreadCreate", 0); + void *s_pthread_getthreadid_np = substitute->FindOriginalAddress(p, "pthread_getthreadid_np", 0); - if (!s_scePthreadAttrInit || !s_scePthreadAttrSetstacksize || !s_scePthreadCreate || !s_pthread_getthreadid_np) { + if (!s_scePthreadAttrInit || !s_scePthreadAttrSetstacksize || !s_scePthreadCreate || !s_pthread_getthreadid_np) + { WriteLog(LL_Error, "[%s] Unable to resolve addresses !", s_TitleId); WriteLog(LL_Error, "[%s] scePthreadAttrInit: %p", s_TitleId, s_scePthreadAttrInit); WriteLog(LL_Error, "[%s] scePthreadAttrSetstacksize: %p", s_TitleId, s_scePthreadAttrSetstacksize); @@ -449,31 +516,34 @@ int Utilities::CreatePOSIXThread(struct proc* p, void* entrypoint) { unsigned char s_ValidInstruction[3]; s_Size = sizeof(s_ValidInstruction); s_Ret = proc_rw_mem(p, s_pthread_getthreadid_np, s_Size, s_ValidInstruction, &s_Size, false); - if (s_Ret > 0) { + if (s_Ret > 0) + { WriteLog(LL_Error, "[%s] Unable to read process memory at %p !", s_TitleId, s_pthread_getthreadid_np); return -5; } - if ( !(s_ValidInstruction[0] == 0x48 && s_ValidInstruction[1] == 0x83 && s_ValidInstruction[2] == 0x3D) ) { + if (!(s_ValidInstruction[0] == 0x48 && s_ValidInstruction[1] == 0x83 && s_ValidInstruction[2] == 0x3D)) + { WriteLog(LL_Error, "[%s] Invalid instruction detected ! Abord.", s_TitleId); return -6; - } + } uint64_t s_RelativeAddress = 0; s_Size = sizeof(uint32_t); - s_Ret = proc_rw_mem(p, (void*)((uint64_t)s_pthread_getthreadid_np + 0x3), s_Size, &s_RelativeAddress, &s_Size, false); - if (s_Ret > 0) { - WriteLog(LL_Error, "[%s] Unable to read process memory at %p !", s_TitleId, (void*)((uint64_t)s_pthread_getthreadid_np + 0x3)); + s_Ret = proc_rw_mem(p, (void *)((uint64_t)s_pthread_getthreadid_np + 0x3), s_Size, &s_RelativeAddress, &s_Size, false); + if (s_Ret > 0) + { + WriteLog(LL_Error, "[%s] Unable to read process memory at %p !", s_TitleId, (void *)((uint64_t)s_pthread_getthreadid_np + 0x3)); return -7; } - void* s_thr_initial = (void*)((uint64_t)s_pthread_getthreadid_np + s_RelativeAddress + 0x8); + void *s_thr_initial = (void *)((uint64_t)s_pthread_getthreadid_np + s_RelativeAddress + 0x8); // Payload containts all call needed for create a thread (The payload is inside the folders is in /src/OrbisOS/asm/, compile with NASM) unsigned char s_Payload[0x150] = "\x4D\x49\x52\x41\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x72\x70\x63\x73\x74\x75\x62\x00\x48\x8B\x3D\xD9\xFF\xFF\xFF\x48\x8B\x37\x48\x8B\xBE\xE0\x01\x00\x00\xE8\x7D\x00\x00\x00\x48\x8D\x3D\xD3\xFF\xFF\xFF\x4C\x8B\x25\xA4\xFF\xFF\xFF\x41\xFF\xD4\xBE\x00\x00\x08\x00\x48\x8D\x3D\xBD\xFF\xFF\xFF\x4C\x8B\x25\x96\xFF\xFF\xFF\x41\xFF\xD4\x4C\x8D\x05\xB4\xFF\xFF\xFF\xB9\x00\x00\x00\x00\x48\x8B\x15\x70\xFF\xFF\xFF\x48\x8D\x35\x99\xFF\xFF\xFF\x48\x8D\x3D\x8A\xFF\xFF\xFF\x4C\x8B\x25\x73\xFF\xFF\xFF\x41\xFF\xD4\xC7\x05\x4A\xFF\xFF\xFF\x01\x00\x00\x00\xBF\x00\x00\x00\x00\xE8\x01\x00\x00\x00\xC3\xB8\xAF\x01\x00\x00\x49\x89\xCA\x0F\x05\xC3\xB8\xA5\x00\x00\x00\x49\x89\xCA\x0F\x05\xC3\x55\x48\x89\xE5\x53\x48\x83\xEC\x18\x48\x89\x7D\xE8\x48\x8D\x75\xE8\xBF\x81\x00\x00\x00\xE8\xDA\xFF\xFF\xFF\x48\x83\xC4\x18\x5B\x5D\xC3"; // Setup payload - struct posixldr_header* s_PayloadHeader = (struct posixldr_header*)s_Payload; + struct posixldr_header *s_PayloadHeader = (struct posixldr_header *)s_Payload; s_PayloadHeader->ldrdone = 0; s_PayloadHeader->stubentry = (uint64_t)entrypoint; s_PayloadHeader->scePthreadAttrInit = (uint64_t)s_scePthreadAttrInit; @@ -485,27 +555,30 @@ int Utilities::CreatePOSIXThread(struct proc* p, void* entrypoint) { size_t s_StackSize = 0x8000; size_t s_PayloadSize = sizeof(s_Payload) + s_StackSize; // 0x8000 is stack auto s_PayloadSpace = kmmap_t(nullptr, s_PayloadSize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PREFAULT_READ, -1, 0, s_ProcessThread); - if (s_PayloadSpace == nullptr || s_PayloadSpace == MAP_FAILED || (uint64_t)s_PayloadSpace < 0) { + if (s_PayloadSpace == nullptr || s_PayloadSpace == MAP_FAILED || (uint64_t)s_PayloadSpace < 0) + { WriteLog(LL_Error, "[%s] Unable to allocate remote process memory (%llx size) (ret: %llx)", s_TitleId, s_PayloadSize, s_PayloadSpace); return -8; } // Copy payload to process s_Size = sizeof(s_Payload); - s_Ret = proc_rw_mem(p, (void*)(s_PayloadSpace), s_Size, s_Payload, &s_Size, true); - if (s_Ret > 0) { - WriteLog(LL_Error, "[%s] Unable to write process memory at %p !", s_TitleId, (void*)(s_PayloadSpace)); + s_Ret = proc_rw_mem(p, (void *)(s_PayloadSpace), s_Size, s_Payload, &s_Size, true); + if (s_Ret > 0) + { + WriteLog(LL_Error, "[%s] Unable to write process memory at %p !", s_TitleId, (void *)(s_PayloadSpace)); kmunmap_t(s_PayloadSpace, s_PayloadSize, s_ProcessThread); return -9; } // Define stack address - char* s_StackAddr = (char*)((uint64_t)s_PayloadSpace + sizeof(s_Payload)); - void* s_PayloadEntrypoint = (void*)((uint64_t)s_PayloadSpace + s_PayloadHeader->entrypoint); + char *s_StackAddr = (char *)((uint64_t)s_PayloadSpace + sizeof(s_Payload)); + void *s_PayloadEntrypoint = (void *)((uint64_t)s_PayloadSpace + s_PayloadHeader->entrypoint); // Create thread s_Ret = thr_create(s_ProcessThread, NULL, s_PayloadEntrypoint, NULL, s_StackAddr, s_StackSize, NULL, NULL, NULL, 0, NULL); - if (s_Ret) { + if (s_Ret) + { WriteLog(LL_Error, "[%s] Unable to launch thread ! (ret: %d)", s_TitleId, s_Ret); kmunmap_t(s_PayloadSpace, s_PayloadSize, s_ProcessThread); return -10; @@ -513,10 +586,12 @@ int Utilities::CreatePOSIXThread(struct proc* p, void* entrypoint) { // Wait until it's done uint32_t result = 0; - while (!result) { + while (!result) + { s_Size = sizeof(uint32_t); - s_Ret = proc_rw_mem(p, (void*)(s_PayloadSpace + sizeof(uint32_t) + sizeof(uint64_t)), s_Size, &result, &s_Size, false); - if (s_Ret) { + s_Ret = proc_rw_mem(p, (void *)(s_PayloadSpace + sizeof(uint32_t) + sizeof(uint64_t)), s_Size, &result, &s_Size, false); + if (s_Ret) + { WriteLog(LL_Error, "[%s] Unable to read process memory at %p !", s_TitleId, s_PayloadSpace); } } @@ -530,85 +605,94 @@ int Utilities::CreatePOSIXThread(struct proc* p, void* entrypoint) { } // Load SPRX via a POSIX Thread -int Utilities::LoadPRXModule(struct proc* p, const char* prx_path) +int Utilities::LoadPRXModule(struct proc *p, const char *prx_path) { - struct thread* s_ProcessThread = FIRST_THREAD_IN_PROC(p); - if (!s_ProcessThread) { + struct thread *s_ProcessThread = FIRST_THREAD_IN_PROC(p); + if (!s_ProcessThread) + { WriteLog(LL_Error, "Invalid process !"); - return -1; - } + return -1; + } // Check if arguments is correct - if (!p || !prx_path || strlen(prx_path) > PATH_MAX) { + if (!p || !prx_path || strlen(prx_path) > PATH_MAX) + { WriteLog(LL_Error, "Invalid argument !"); return -1; } // Got substitute plugin - Plugins::Substitute* substitute = Mira::Plugins::Substitute::GetPlugin(); - if (!substitute) { + Plugins::Substitute *substitute = Mira::Plugins::Substitute::GetPlugin(); + if (!substitute) + { WriteLog(LL_Error, "Substitute dependency is required."); return -2; } size_t s_Size = 0; int s_Ret = 0; - char* s_TitleId = (char*)((uint64_t)p + 0x390); + char *s_TitleId = (char *)((uint64_t)p + 0x390); WriteLog(LL_Info, "[%s] Loading PRX (%s) over POSIX ...", s_TitleId, prx_path); - // Find sceKernelLoadStartModule address - void* s_LoadStartModule = substitute->FindOriginalAddress(p, "sceKernelLoadStartModule", 0); - if (!s_LoadStartModule) { - WriteLog(LL_Error, "[%s] could not find sceKernelLoadStartModule !", s_TitleId); - return -3; - } + // Find sceKernelLoadStartModule address + void *s_LoadStartModule = substitute->FindOriginalAddress(p, "sceKernelLoadStartModule", 0); + if (!s_LoadStartModule) + { + WriteLog(LL_Error, "[%s] could not find sceKernelLoadStartModule !", s_TitleId); + return -3; + } // Payload containts all call needed for create a thread (The payload is inside the folders is in /src/OrbisOS/asm/, compile with NASM) - unsigned char s_Payload[0x100] = "\x4D\x49\x52\x41\x28\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x72\x78\x73\x74\x75\x62\x00\x48\x8B\x3D\xE1\xFF\xFF\xFF\x48\x31\xF6\x48\x31\xD2\x48\x31\xC9\x4D\x31\xC0\x4D\x31\xC9\x4C\x8B\x25\xD3\xFF\xFF\xFF\x41\xFF\xD4\xC7\x05\xBA\xFF\xFF\xFF\x01\x00\x00\x00\x31\xC0\xC3"; + unsigned char s_Payload[0x100] = "\x4D\x49\x52\x41\x28\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x72\x78\x73\x74\x75\x62\x00\x48\x8B\x3D\xE1\xFF\xFF\xFF\x48\x31\xF6\x48\x31\xD2\x48\x31\xC9\x4D\x31\xC0\x4D\x31\xC9\x4C\x8B\x25\xD3\xFF\xFF\xFF\x41\xFF\xD4\xC7\x05\xBA\xFF\xFF\xFF\x01\x00\x00\x00\x31\xC0\xC3"; // Allocate memory size_t s_PayloadSize = 0x8000; //sizeof(s_Payload) + PATH_MAX but need more for allow the allocation auto s_PayloadSpace = kmmap_t(nullptr, s_PayloadSize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PREFAULT_READ, -1, 0, s_ProcessThread); - if (s_PayloadSpace == nullptr || s_PayloadSpace == MAP_FAILED || (uint64_t)s_PayloadSpace < 0) { + if (s_PayloadSpace == nullptr || s_PayloadSpace == MAP_FAILED || (uint64_t)s_PayloadSpace < 0) + { WriteLog(LL_Error, "[%s] Unable to allocate remote process memory (%llx size) (ret: %llx)", s_TitleId, s_PayloadSize, s_PayloadSpace); return -3; } // Setup payload - struct prxldr_header* s_PayloadHeader = (struct prxldr_header*)s_Payload; + struct prxldr_header *s_PayloadHeader = (struct prxldr_header *)s_Payload; s_PayloadHeader->prxdone = 0; s_PayloadHeader->prx_path = (uint64_t)((uint64_t)s_PayloadSpace + sizeof(s_Payload)); s_PayloadHeader->sceKernelLoadStartModule = (uint64_t)s_LoadStartModule; // Copy payload to process s_Size = sizeof(s_Payload); - s_Ret = proc_rw_mem(p, (void*)(s_PayloadSpace), s_Size, s_Payload, &s_Size, true); - if (s_Ret > 0) { - WriteLog(LL_Error, "[%s] Unable to write process memory at %p !", s_TitleId, (void*)(s_PayloadSpace)); + s_Ret = proc_rw_mem(p, (void *)(s_PayloadSpace), s_Size, s_Payload, &s_Size, true); + if (s_Ret > 0) + { + WriteLog(LL_Error, "[%s] Unable to write process memory at %p !", s_TitleId, (void *)(s_PayloadSpace)); return -4; } // Copy path to process s_Size = strlen(prx_path) + 1; - s_Ret = proc_rw_mem(p, (void*)(s_PayloadHeader->prx_path), s_Size, (void*)prx_path, &s_Size, true); - if (s_Ret > 0) { - WriteLog(LL_Error, "[%s] Unable to write process memory at %p !", s_TitleId, (void*)(s_PayloadHeader->prx_path)); + s_Ret = proc_rw_mem(p, (void *)(s_PayloadHeader->prx_path), s_Size, (void *)prx_path, &s_Size, true); + if (s_Ret > 0) + { + WriteLog(LL_Error, "[%s] Unable to write process memory at %p !", s_TitleId, (void *)(s_PayloadHeader->prx_path)); return -5; } // Calculate entrypoint - void* s_Entrypoint = (void*)((uint64_t)s_PayloadSpace + s_PayloadHeader->entrypoint); + void *s_Entrypoint = (void *)((uint64_t)s_PayloadSpace + s_PayloadHeader->entrypoint); // Create a POSIX Thread CreatePOSIXThread(p, s_Entrypoint); // Wait until it's done uint32_t result = 0; - while (!result) { + while (!result) + { s_Size = sizeof(uint32_t); - s_Ret = proc_rw_mem(p, (void*)(s_PayloadSpace + sizeof(uint32_t) + sizeof(uint64_t)), s_Size, &result, &s_Size, false); - if (s_Ret) { + s_Ret = proc_rw_mem(p, (void *)(s_PayloadSpace + sizeof(uint32_t) + sizeof(uint64_t)), s_Size, &result, &s_Size, false); + if (s_Ret) + { WriteLog(LL_Error, "[%s] Unable to read process memory at %p !", s_TitleId, s_PayloadSpace); } } diff --git a/kernel/src/OrbisOS/Utilities.hpp b/kernel/src/OrbisOS/Utilities.hpp index 95ee08c6..f8637ede 100644 --- a/kernel/src/OrbisOS/Utilities.hpp +++ b/kernel/src/OrbisOS/Utilities.hpp @@ -5,7 +5,8 @@ struct proc; struct thread; -struct posixldr_header { +struct posixldr_header +{ uint32_t magic; uint64_t entrypoint; uint32_t ldrdone; @@ -16,7 +17,8 @@ struct posixldr_header { uint64_t thr_initial; } __attribute__((packed)); -struct prxldr_header { +struct prxldr_header +{ uint32_t magic; uint64_t entrypoint; uint32_t prxdone; @@ -24,33 +26,34 @@ struct prxldr_header { uint64_t sceKernelLoadStartModule; } __attribute__((packed)); + namespace Mira { namespace OrbisOS { class Utilities { + private: - static Utilities* m_Instance; + static Utilities *m_Instance; Utilities(); protected: - - public: - static Utilities* GetInstance(); - - static void HookFunctionCall(uint8_t* p_HookTrampoline, void* p_Function, void* p_Address); - static uint64_t PtraceIO(int32_t p_ProcessId, int32_t p_Operation, void* p_DestAddress, void* p_ToReadWriteAddress, size_t p_ToReadWriteSize); - static struct ::proc* FindProcessByName(const char* name); - static int ExecutableWriteProtection(struct proc* p, bool write_allowed); - static int ProcessReadWriteMemory(struct ::proc* p_Process, void* p_DestAddress, size_t p_Size, void* p_ToReadWriteAddress, size_t* p_ReadWriteSize, bool p_Write); - static int GetProcessVmMap(struct ::proc* p_Process, ProcVmMapEntry** p_Entries, size_t* p_NumEntries); - static int MountNullFS(char* where, char* what, int flags); - static int CreatePOSIXThread(struct proc* p, void* entrypoint); - static int LoadPRXModule(struct proc* p, const char* prx_path); - static int KillProcess(struct proc* p); + static Utilities *GetInstance(); + static bool isAssistMode(); + static bool isTestkit(); + static void HookFunctionCall(uint8_t *p_HookTrampoline, void *p_Function, void *p_Address); + static uint64_t PtraceIO(int32_t p_ProcessId, int32_t p_Operation, void *p_DestAddress, void *p_ToReadWriteAddress, size_t p_ToReadWriteSize); + static struct ::proc *FindProcessByName(const char *name); + static int ExecutableWriteProtection(struct proc *p, bool write_allowed); + static int ProcessReadWriteMemory(struct ::proc *p_Process, void *p_DestAddress, size_t p_Size, void *p_ToReadWriteAddress, size_t *p_ReadWriteSize, bool p_Write); + static int GetProcessVmMap(struct ::proc *p_Process, ProcVmMapEntry **p_Entries, size_t *p_NumEntries); + static int MountNullFS(char *where, char *what, int flags); + static int CreatePOSIXThread(struct proc *p, void *entrypoint); + static int LoadPRXModule(struct proc *p, const char *prx_path); + static int KillProcess(struct proc *p); }; - } -} + } // namespace OrbisOS +} // namespace Mira diff --git a/kernel/src/Plugins/FakePkg/FakePkgManager.cpp b/kernel/src/Plugins/FakePkg/FakePkgManager.cpp index 23ca437c..5e4919ed 100644 --- a/kernel/src/Plugins/FakePkg/FakePkgManager.cpp +++ b/kernel/src/Plugins/FakePkg/FakePkgManager.cpp @@ -23,135 +23,747 @@ extern "C" { - #include - #include - #include - #include - #include - #include - #include +#include +#include +#include +#include +#include +#include +#include }; using namespace Mira::Plugins; using namespace Mira::OrbisOS; +extern bool is_Kit; #pragma region "Fake-Self-Keys" const uint8_t FakePkgManager::g_ypkg_p[] = -{ - 0x2D, 0xE8, 0xB4, 0x65, 0xBE, 0x05, 0x78, 0x6A, 0x89, 0x31, 0xC9, 0x5A, 0x44, 0xDE, 0x50, 0xC1, - 0xC7, 0xFD, 0x9D, 0x3E, 0x21, 0x42, 0x17, 0x40, 0x79, 0xF9, 0xC9, 0x41, 0xC1, 0xFC, 0xD7, 0x0F, - 0x34, 0x76, 0xA3, 0xE2, 0xC0, 0x1B, 0x5A, 0x20, 0x0F, 0xAF, 0x2F, 0x52, 0xCD, 0x83, 0x34, 0x72, - 0xAF, 0xB3, 0x12, 0x33, 0x21, 0x2C, 0x20, 0xB0, 0xC6, 0xA0, 0x2D, 0xB1, 0x59, 0xE3, 0xA7, 0xB0, - 0x4E, 0x1C, 0x4C, 0x5B, 0x5F, 0x10, 0x9A, 0x50, 0x18, 0xCC, 0x86, 0x79, 0x25, 0xFF, 0x10, 0x02, - 0x8F, 0x90, 0x03, 0xA9, 0x37, 0xBA, 0xF2, 0x1C, 0x13, 0xCC, 0x09, 0x45, 0x15, 0xB8, 0x55, 0x74, - 0x0A, 0x28, 0x24, 0x04, 0xD1, 0x19, 0xAB, 0xB3, 0xCA, 0x44, 0xB6, 0xF8, 0x3D, 0xB1, 0x2A, 0x72, - 0x88, 0x35, 0xE4, 0x86, 0x6B, 0x55, 0x47, 0x08, 0x25, 0x16, 0xAB, 0x69, 0x1D, 0xBF, 0xF6, 0xFE, + { + 0x2D, + 0xE8, + 0xB4, + 0x65, + 0xBE, + 0x05, + 0x78, + 0x6A, + 0x89, + 0x31, + 0xC9, + 0x5A, + 0x44, + 0xDE, + 0x50, + 0xC1, + 0xC7, + 0xFD, + 0x9D, + 0x3E, + 0x21, + 0x42, + 0x17, + 0x40, + 0x79, + 0xF9, + 0xC9, + 0x41, + 0xC1, + 0xFC, + 0xD7, + 0x0F, + 0x34, + 0x76, + 0xA3, + 0xE2, + 0xC0, + 0x1B, + 0x5A, + 0x20, + 0x0F, + 0xAF, + 0x2F, + 0x52, + 0xCD, + 0x83, + 0x34, + 0x72, + 0xAF, + 0xB3, + 0x12, + 0x33, + 0x21, + 0x2C, + 0x20, + 0xB0, + 0xC6, + 0xA0, + 0x2D, + 0xB1, + 0x59, + 0xE3, + 0xA7, + 0xB0, + 0x4E, + 0x1C, + 0x4C, + 0x5B, + 0x5F, + 0x10, + 0x9A, + 0x50, + 0x18, + 0xCC, + 0x86, + 0x79, + 0x25, + 0xFF, + 0x10, + 0x02, + 0x8F, + 0x90, + 0x03, + 0xA9, + 0x37, + 0xBA, + 0xF2, + 0x1C, + 0x13, + 0xCC, + 0x09, + 0x45, + 0x15, + 0xB8, + 0x55, + 0x74, + 0x0A, + 0x28, + 0x24, + 0x04, + 0xD1, + 0x19, + 0xAB, + 0xB3, + 0xCA, + 0x44, + 0xB6, + 0xF8, + 0x3D, + 0xB1, + 0x2A, + 0x72, + 0x88, + 0x35, + 0xE4, + 0x86, + 0x6B, + 0x55, + 0x47, + 0x08, + 0x25, + 0x16, + 0xAB, + 0x69, + 0x1D, + 0xBF, + 0xF6, + 0xFE, }; const uint8_t FakePkgManager::g_ypkg_q[] = -{ - 0x23, 0x80, 0x77, 0x84, 0x4D, 0x6F, 0x9B, 0x24, 0x51, 0xFE, 0x2A, 0x6B, 0x28, 0x80, 0xA1, 0x9E, - 0xBD, 0x6D, 0x18, 0xCA, 0x8D, 0x7D, 0x9E, 0x79, 0x5A, 0xE0, 0xB8, 0xEB, 0xD1, 0x3D, 0xF3, 0xD9, - 0x02, 0x90, 0x2A, 0xA7, 0xB5, 0x7E, 0x9A, 0xA2, 0xD7, 0x2F, 0x21, 0xA8, 0x50, 0x7D, 0x8C, 0xA1, - 0x91, 0x2F, 0xBF, 0x97, 0xBE, 0x92, 0xC2, 0xC1, 0x0D, 0x8C, 0x0C, 0x1F, 0xDE, 0x31, 0x35, 0x15, - 0x39, 0x90, 0xCC, 0x97, 0x47, 0x2E, 0x7F, 0x09, 0xE9, 0xC3, 0x9C, 0xCE, 0x91, 0xB2, 0xC8, 0x58, - 0x76, 0xE8, 0x70, 0x1D, 0x72, 0x5F, 0x4A, 0xE6, 0xAA, 0x36, 0x22, 0x94, 0xC6, 0x52, 0x90, 0xB3, - 0x9F, 0x9B, 0xF0, 0xEF, 0x57, 0x8E, 0x53, 0xC3, 0xE3, 0x30, 0xC9, 0xD7, 0xB0, 0x3A, 0x0C, 0x79, - 0x1B, 0x97, 0xA8, 0xD4, 0x81, 0x22, 0xD2, 0xB0, 0x82, 0x62, 0x7D, 0x00, 0x58, 0x47, 0x9E, 0xC7, + { + 0x23, + 0x80, + 0x77, + 0x84, + 0x4D, + 0x6F, + 0x9B, + 0x24, + 0x51, + 0xFE, + 0x2A, + 0x6B, + 0x28, + 0x80, + 0xA1, + 0x9E, + 0xBD, + 0x6D, + 0x18, + 0xCA, + 0x8D, + 0x7D, + 0x9E, + 0x79, + 0x5A, + 0xE0, + 0xB8, + 0xEB, + 0xD1, + 0x3D, + 0xF3, + 0xD9, + 0x02, + 0x90, + 0x2A, + 0xA7, + 0xB5, + 0x7E, + 0x9A, + 0xA2, + 0xD7, + 0x2F, + 0x21, + 0xA8, + 0x50, + 0x7D, + 0x8C, + 0xA1, + 0x91, + 0x2F, + 0xBF, + 0x97, + 0xBE, + 0x92, + 0xC2, + 0xC1, + 0x0D, + 0x8C, + 0x0C, + 0x1F, + 0xDE, + 0x31, + 0x35, + 0x15, + 0x39, + 0x90, + 0xCC, + 0x97, + 0x47, + 0x2E, + 0x7F, + 0x09, + 0xE9, + 0xC3, + 0x9C, + 0xCE, + 0x91, + 0xB2, + 0xC8, + 0x58, + 0x76, + 0xE8, + 0x70, + 0x1D, + 0x72, + 0x5F, + 0x4A, + 0xE6, + 0xAA, + 0x36, + 0x22, + 0x94, + 0xC6, + 0x52, + 0x90, + 0xB3, + 0x9F, + 0x9B, + 0xF0, + 0xEF, + 0x57, + 0x8E, + 0x53, + 0xC3, + 0xE3, + 0x30, + 0xC9, + 0xD7, + 0xB0, + 0x3A, + 0x0C, + 0x79, + 0x1B, + 0x97, + 0xA8, + 0xD4, + 0x81, + 0x22, + 0xD2, + 0xB0, + 0x82, + 0x62, + 0x7D, + 0x00, + 0x58, + 0x47, + 0x9E, + 0xC7, }; const uint8_t FakePkgManager::g_ypkg_dmp1[] = -{ - 0x25, 0x54, 0xDB, 0xFD, 0x86, 0x45, 0x97, 0x9A, 0x1E, 0x17, 0xF0, 0xE3, 0xA5, 0x92, 0x0F, 0x12, - 0x2A, 0x5C, 0x4C, 0xA6, 0xA5, 0xCF, 0x7F, 0xE8, 0x5B, 0xF3, 0x65, 0x1A, 0xC8, 0xCF, 0x9B, 0xB9, - 0x2A, 0xC9, 0x90, 0x5D, 0xD4, 0x08, 0xCF, 0xF6, 0x03, 0x5A, 0x5A, 0xFC, 0x9E, 0xB6, 0xDB, 0x11, - 0xED, 0xE2, 0x3D, 0x62, 0xC1, 0xFC, 0x88, 0x5D, 0x97, 0xAC, 0x31, 0x2D, 0xC3, 0x15, 0xAD, 0x70, - 0x05, 0xBE, 0xA0, 0x5A, 0xE6, 0x34, 0x9C, 0x44, 0x78, 0x2B, 0xE5, 0xFE, 0x38, 0x56, 0xD4, 0x68, - 0x83, 0x13, 0xA4, 0xE6, 0xFA, 0xD2, 0x9C, 0xAB, 0xAC, 0x89, 0x5F, 0x10, 0x8F, 0x75, 0x6F, 0x04, - 0xBC, 0xAE, 0xB9, 0xBC, 0xB7, 0x1D, 0x42, 0xFA, 0x4E, 0x94, 0x1F, 0xB4, 0x0A, 0x27, 0x9C, 0x6B, - 0xAB, 0xC7, 0xD2, 0xEB, 0x27, 0x42, 0x52, 0x29, 0x41, 0xC8, 0x25, 0x40, 0x54, 0xE0, 0x48, 0x6D, + { + 0x25, + 0x54, + 0xDB, + 0xFD, + 0x86, + 0x45, + 0x97, + 0x9A, + 0x1E, + 0x17, + 0xF0, + 0xE3, + 0xA5, + 0x92, + 0x0F, + 0x12, + 0x2A, + 0x5C, + 0x4C, + 0xA6, + 0xA5, + 0xCF, + 0x7F, + 0xE8, + 0x5B, + 0xF3, + 0x65, + 0x1A, + 0xC8, + 0xCF, + 0x9B, + 0xB9, + 0x2A, + 0xC9, + 0x90, + 0x5D, + 0xD4, + 0x08, + 0xCF, + 0xF6, + 0x03, + 0x5A, + 0x5A, + 0xFC, + 0x9E, + 0xB6, + 0xDB, + 0x11, + 0xED, + 0xE2, + 0x3D, + 0x62, + 0xC1, + 0xFC, + 0x88, + 0x5D, + 0x97, + 0xAC, + 0x31, + 0x2D, + 0xC3, + 0x15, + 0xAD, + 0x70, + 0x05, + 0xBE, + 0xA0, + 0x5A, + 0xE6, + 0x34, + 0x9C, + 0x44, + 0x78, + 0x2B, + 0xE5, + 0xFE, + 0x38, + 0x56, + 0xD4, + 0x68, + 0x83, + 0x13, + 0xA4, + 0xE6, + 0xFA, + 0xD2, + 0x9C, + 0xAB, + 0xAC, + 0x89, + 0x5F, + 0x10, + 0x8F, + 0x75, + 0x6F, + 0x04, + 0xBC, + 0xAE, + 0xB9, + 0xBC, + 0xB7, + 0x1D, + 0x42, + 0xFA, + 0x4E, + 0x94, + 0x1F, + 0xB4, + 0x0A, + 0x27, + 0x9C, + 0x6B, + 0xAB, + 0xC7, + 0xD2, + 0xEB, + 0x27, + 0x42, + 0x52, + 0x29, + 0x41, + 0xC8, + 0x25, + 0x40, + 0x54, + 0xE0, + 0x48, + 0x6D, }; const uint8_t FakePkgManager::g_ypkg_dmq1[] = -{ - 0x4D, 0x35, 0x67, 0x38, 0xBC, 0x90, 0x3E, 0x3B, 0xAA, 0x6C, 0xBC, 0xF2, 0xEB, 0x9E, 0x45, 0xD2, - 0x09, 0x2F, 0xCA, 0x3A, 0x9C, 0x02, 0x36, 0xAD, 0x2E, 0xC1, 0xB1, 0xB2, 0x6D, 0x7C, 0x1F, 0x6B, - 0xA1, 0x8F, 0x62, 0x20, 0x8C, 0xD6, 0x6C, 0x36, 0xD6, 0x5A, 0x54, 0x9E, 0x30, 0xA9, 0xA8, 0x25, - 0x3D, 0x94, 0x12, 0x3E, 0x0D, 0x16, 0x1B, 0xF0, 0x86, 0x42, 0x72, 0xE0, 0xD6, 0x9C, 0x39, 0x68, - 0xDB, 0x11, 0x80, 0x96, 0x18, 0x2B, 0x71, 0x41, 0x48, 0x78, 0xE8, 0x17, 0x8B, 0x7D, 0x00, 0x1F, - 0x16, 0x68, 0xD2, 0x75, 0x97, 0xB5, 0xE0, 0xF2, 0x6D, 0x0C, 0x75, 0xAC, 0x16, 0xD9, 0xD5, 0xB1, - 0xB5, 0x8B, 0xE8, 0xD0, 0xBF, 0xA7, 0x1F, 0x61, 0x5B, 0x08, 0xF8, 0x68, 0xE7, 0xF0, 0xD1, 0xBC, - 0x39, 0x60, 0xBF, 0x55, 0x9C, 0x7C, 0x20, 0x30, 0xE8, 0x50, 0x28, 0x44, 0x02, 0xCE, 0x51, 0x2A, + { + 0x4D, + 0x35, + 0x67, + 0x38, + 0xBC, + 0x90, + 0x3E, + 0x3B, + 0xAA, + 0x6C, + 0xBC, + 0xF2, + 0xEB, + 0x9E, + 0x45, + 0xD2, + 0x09, + 0x2F, + 0xCA, + 0x3A, + 0x9C, + 0x02, + 0x36, + 0xAD, + 0x2E, + 0xC1, + 0xB1, + 0xB2, + 0x6D, + 0x7C, + 0x1F, + 0x6B, + 0xA1, + 0x8F, + 0x62, + 0x20, + 0x8C, + 0xD6, + 0x6C, + 0x36, + 0xD6, + 0x5A, + 0x54, + 0x9E, + 0x30, + 0xA9, + 0xA8, + 0x25, + 0x3D, + 0x94, + 0x12, + 0x3E, + 0x0D, + 0x16, + 0x1B, + 0xF0, + 0x86, + 0x42, + 0x72, + 0xE0, + 0xD6, + 0x9C, + 0x39, + 0x68, + 0xDB, + 0x11, + 0x80, + 0x96, + 0x18, + 0x2B, + 0x71, + 0x41, + 0x48, + 0x78, + 0xE8, + 0x17, + 0x8B, + 0x7D, + 0x00, + 0x1F, + 0x16, + 0x68, + 0xD2, + 0x75, + 0x97, + 0xB5, + 0xE0, + 0xF2, + 0x6D, + 0x0C, + 0x75, + 0xAC, + 0x16, + 0xD9, + 0xD5, + 0xB1, + 0xB5, + 0x8B, + 0xE8, + 0xD0, + 0xBF, + 0xA7, + 0x1F, + 0x61, + 0x5B, + 0x08, + 0xF8, + 0x68, + 0xE7, + 0xF0, + 0xD1, + 0xBC, + 0x39, + 0x60, + 0xBF, + 0x55, + 0x9C, + 0x7C, + 0x20, + 0x30, + 0xE8, + 0x50, + 0x28, + 0x44, + 0x02, + 0xCE, + 0x51, + 0x2A, }; const uint8_t FakePkgManager::g_ypkg_iqmp[] = -{ - 0xF5, 0x73, 0xB8, 0x7E, 0x5C, 0x98, 0x7C, 0x87, 0x67, 0xF1, 0xDA, 0xAE, 0xA0, 0xF9, 0x4B, 0xAB, - 0x77, 0xD8, 0xCE, 0x64, 0x6A, 0xC1, 0x4F, 0xA6, 0x9B, 0xB9, 0xAA, 0xCC, 0x76, 0x09, 0xA4, 0x3F, - 0xB9, 0xFA, 0xF5, 0x62, 0x84, 0x0A, 0xB8, 0x49, 0x02, 0xDF, 0x9E, 0xC4, 0x1A, 0x37, 0xD3, 0x56, - 0x0D, 0xA4, 0x6E, 0x15, 0x07, 0x15, 0xA0, 0x8D, 0x97, 0x9D, 0x92, 0x20, 0x43, 0x52, 0xC3, 0xB2, - 0xFD, 0xF7, 0xD3, 0xF3, 0x69, 0xA2, 0x28, 0x4F, 0x62, 0x6F, 0x80, 0x40, 0x5F, 0x3B, 0x80, 0x1E, - 0x5E, 0x38, 0x0D, 0x8B, 0x56, 0xA8, 0x56, 0x58, 0xD8, 0xD9, 0x6F, 0xEA, 0x12, 0x2A, 0x40, 0x16, - 0xC1, 0xED, 0x3D, 0x27, 0x16, 0xA0, 0x63, 0x97, 0x61, 0x39, 0x55, 0xCC, 0x8A, 0x05, 0xFA, 0x08, - 0x28, 0xFD, 0x55, 0x56, 0x31, 0x94, 0x65, 0x05, 0xE7, 0xD3, 0x57, 0x6C, 0x0D, 0x1C, 0x67, 0x0B, + { + 0xF5, + 0x73, + 0xB8, + 0x7E, + 0x5C, + 0x98, + 0x7C, + 0x87, + 0x67, + 0xF1, + 0xDA, + 0xAE, + 0xA0, + 0xF9, + 0x4B, + 0xAB, + 0x77, + 0xD8, + 0xCE, + 0x64, + 0x6A, + 0xC1, + 0x4F, + 0xA6, + 0x9B, + 0xB9, + 0xAA, + 0xCC, + 0x76, + 0x09, + 0xA4, + 0x3F, + 0xB9, + 0xFA, + 0xF5, + 0x62, + 0x84, + 0x0A, + 0xB8, + 0x49, + 0x02, + 0xDF, + 0x9E, + 0xC4, + 0x1A, + 0x37, + 0xD3, + 0x56, + 0x0D, + 0xA4, + 0x6E, + 0x15, + 0x07, + 0x15, + 0xA0, + 0x8D, + 0x97, + 0x9D, + 0x92, + 0x20, + 0x43, + 0x52, + 0xC3, + 0xB2, + 0xFD, + 0xF7, + 0xD3, + 0xF3, + 0x69, + 0xA2, + 0x28, + 0x4F, + 0x62, + 0x6F, + 0x80, + 0x40, + 0x5F, + 0x3B, + 0x80, + 0x1E, + 0x5E, + 0x38, + 0x0D, + 0x8B, + 0x56, + 0xA8, + 0x56, + 0x58, + 0xD8, + 0xD9, + 0x6F, + 0xEA, + 0x12, + 0x2A, + 0x40, + 0x16, + 0xC1, + 0xED, + 0x3D, + 0x27, + 0x16, + 0xA0, + 0x63, + 0x97, + 0x61, + 0x39, + 0x55, + 0xCC, + 0x8A, + 0x05, + 0xFA, + 0x08, + 0x28, + 0xFD, + 0x55, + 0x56, + 0x31, + 0x94, + 0x65, + 0x05, + 0xE7, + 0xD3, + 0x57, + 0x6C, + 0x0D, + 0x1C, + 0x67, + 0x0B, }; const uint8_t FakePkgManager::g_RifDebugKey[] = -{ - 0x96, 0xC2, 0x26, 0x8D, 0x69, 0x26, 0x1C, 0x8B, 0x1E, 0x3B, 0x6B, 0xFF, 0x2F, 0xE0, 0x4E, 0x12 -}; + { + 0x96, 0xC2, 0x26, 0x8D, 0x69, 0x26, 0x1C, 0x8B, 0x1E, 0x3B, 0x6B, 0xFF, 0x2F, 0xE0, 0x4E, 0x12}; const uint8_t FakePkgManager::g_FakeKeySeed[] = -{ - 0x46, 0x41, 0x4B, 0x45, 0x46, 0x41, 0x4B, 0x45, 0x46, 0x41, 0x4B, 0x45, 0x46, 0x41, 0x4B, 0x45, + { + 0x46, + 0x41, + 0x4B, + 0x45, + 0x46, + 0x41, + 0x4B, + 0x45, + 0x46, + 0x41, + 0x4B, + 0x45, + 0x46, + 0x41, + 0x4B, + 0x45, }; #pragma endregion -FakePkgManager::FakePkgManager() : - m_NpdrmDecryptIsolatedRifHook(nullptr), - m_NpdrmDecryptRifNewHook(nullptr), - m_SceSblDriverSendMsgHook(nullptr), - m_SceSblKeymgrInvalidateKey(nullptr), - m_SceSblPfsSetKeysHook(nullptr) +FakePkgManager::FakePkgManager() : m_NpdrmDecryptIsolatedRifHook(nullptr), + m_NpdrmDecryptRifNewHook(nullptr), + m_SceSblDriverSendMsgHook(nullptr), + m_SceSblKeymgrInvalidateKey(nullptr), + m_SceSblPfsSetKeysHook(nullptr) { - auto sv = (struct sysentvec*)kdlsym(self_orbis_sysvec); - struct sysent* sysents = sv->sv_table; - uint8_t* s_TrampolineF = reinterpret_cast(sysents[SYS___MAC_GET_LINK].sy_call); // syscall #410 - uint8_t* s_TrampolineG = reinterpret_cast(sysents[SYS___MAC_SET_FD].sy_call); // syscall #388 - uint8_t* s_TrampolineH = reinterpret_cast(sysents[SYS___MAC_SET_FILE].sy_call); // syscall #389 - uint8_t* s_TrampolineI = reinterpret_cast(sysents[SYS___MAC_SET_LINK].sy_call); // syscall #411 - uint8_t* s_TrampolineJ = reinterpret_cast(sysents[SYS_MAC_SYSCALL].sy_call); // syscall #394 - uint8_t* s_TrampolineK = reinterpret_cast(sysents[SYS___MAC_EXECVE].sy_call); // syscall #415 - - Utilities::HookFunctionCall(s_TrampolineF, reinterpret_cast(OnNpdrmDecryptIsolatedRif), kdlsym(npdrm_decrypt_isolated_rif__sceSblKeymgrSmCallfunc_hook)); - Utilities::HookFunctionCall(s_TrampolineG, reinterpret_cast(OnNpdrmDecryptRifNew), kdlsym(npdrm_decrypt_rif_new__sceSblKeymgrSmCallfunc_hook)); - Utilities::HookFunctionCall(s_TrampolineH, reinterpret_cast(OnSceSblPfsSetKeys), kdlsym(mountpfs__sceSblPfsSetKeys_hookA)); - Utilities::HookFunctionCall(s_TrampolineI, reinterpret_cast(OnSceSblPfsSetKeys), kdlsym(mountpfs__sceSblPfsSetKeys_hookB)); - Utilities::HookFunctionCall(s_TrampolineJ, reinterpret_cast(OnSceSblDriverSendMsg), kdlsym(sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook)); - Utilities::HookFunctionCall(s_TrampolineK, reinterpret_cast(OnSceSblKeymgrInvalidateKeySxXlock), kdlsym(sceSblKeymgrInvalidateKey__sx_xlock_hook)); + auto sv = (struct sysentvec *)kdlsym(self_orbis_sysvec); + struct sysent *sysents = sv->sv_table; + uint8_t *s_TrampolineF = reinterpret_cast(sysents[SYS___MAC_GET_LINK].sy_call); // syscall #410 + uint8_t *s_TrampolineG = reinterpret_cast(sysents[SYS___MAC_SET_FD].sy_call); // syscall #388 + uint8_t *s_TrampolineH = reinterpret_cast(sysents[SYS___MAC_SET_FILE].sy_call); // syscall #389 + uint8_t *s_TrampolineI = reinterpret_cast(sysents[SYS___MAC_SET_LINK].sy_call); // syscall #411 + uint8_t *s_TrampolineJ = reinterpret_cast(sysents[SYS_MAC_SYSCALL].sy_call); // syscall #394 + uint8_t *s_TrampolineK = reinterpret_cast(sysents[SYS___MAC_EXECVE].sy_call); // syscall #415 + + Utilities::HookFunctionCall(s_TrampolineF, reinterpret_cast(OnNpdrmDecryptIsolatedRif), kdlsym(npdrm_decrypt_isolated_rif__sceSblKeymgrSmCallfunc_hook)); + Utilities::HookFunctionCall(s_TrampolineG, reinterpret_cast(OnNpdrmDecryptRifNew), kdlsym(npdrm_decrypt_rif_new__sceSblKeymgrSmCallfunc_hook)); + Utilities::HookFunctionCall(s_TrampolineH, reinterpret_cast(OnSceSblPfsSetKeys), kdlsym(mountpfs__sceSblPfsSetKeys_hookA)); + Utilities::HookFunctionCall(s_TrampolineI, reinterpret_cast(OnSceSblPfsSetKeys), kdlsym(mountpfs__sceSblPfsSetKeys_hookB)); + Utilities::HookFunctionCall(s_TrampolineJ, reinterpret_cast(OnSceSblDriverSendMsg), kdlsym(sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook)); + Utilities::HookFunctionCall(s_TrampolineK, reinterpret_cast(OnSceSblKeymgrInvalidateKeySxXlock), kdlsym(sceSblKeymgrInvalidateKey__sx_xlock_hook)); WriteLog(LL_Debug, "Installed fpkg hooks"); } FakePkgManager::~FakePkgManager() { - } bool FakePkgManager::ShellCorePatch() { WriteLog(LL_Debug, "patching SceShellCore"); - - struct ::proc* s_Process = Utilities::FindProcessByName("SceShellCore"); + struct ::proc *s_Process = Utilities::FindProcessByName("SceShellCore"); if (s_Process == nullptr) { WriteLog(LL_Error, "could not find SceShellCore"); return false; } - ProcVmMapEntry* s_Entries = nullptr; + ProcVmMapEntry *s_Entries = nullptr; size_t s_NumEntries = 0; auto s_Ret = Utilities::GetProcessVmMap(s_Process, &s_Entries, &s_NumEntries); if (s_Ret < 0) @@ -166,12 +778,12 @@ bool FakePkgManager::ShellCorePatch() return false; } - uint8_t* s_TextStart = nullptr; + uint8_t *s_TextStart = nullptr; for (auto i = 0; i < s_NumEntries; ++i) { if (s_Entries[i].prot == (PROT_READ | PROT_EXEC)) { - s_TextStart = (uint8_t*)s_Entries[i].start; + s_TextStart = (uint8_t *)s_Entries[i].start; break; } } @@ -185,10 +797,10 @@ bool FakePkgManager::ShellCorePatch() WriteLog(LL_Debug, "SceShellCore .text: (%p)", s_TextStart); // Free the entries we got returned - delete [] s_Entries; + delete[] s_Entries; s_Entries = nullptr; - uint8_t xor__eax_eax[5] = { 0x31, 0xC0, 0x90, 0x90, 0x90 }; + uint8_t xor__eax_eax[5] = {0x31, 0xC0, 0x90, 0x90, 0x90}; /* s_Ret = kptrace_t(PT_ATTACH, s_Process->p_pid, 0, 0, s_MainThread); @@ -202,72 +814,72 @@ bool FakePkgManager::ShellCorePatch() s_Ret = kwait4_t(s_Process->p_pid, &s_Status, WUNTRACED, nullptr, s_MainThread); WriteLog(LL_Debug, "wait4 returned (%d)", s_Ret);*/ - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchA), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchA), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_sceKernelIsGenuineCEX_patchA"); return false; } - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchB), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchB), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_sceKernelIsGenuineCEX_patchB"); return false; } - - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchC), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchC), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_sceKernelIsGenuineCEX_patchC"); return false; } - - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchD), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_sceKernelIsGenuineCEX_patchD), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_sceKernelIsGenuineCEX_patchD"); return false; } - - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_nidf_libSceDipsw_patchA), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_nidf_libSceDipsw_patchA), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_nidf_libSceDipsw_patchA"); return false; } - - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_nidf_libSceDipsw_patchB), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_nidf_libSceDipsw_patchB), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_nidf_libSceDipsw_patchB"); return false; } - - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_nidf_libSceDipsw_patchC), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_nidf_libSceDipsw_patchC), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_nidf_libSceDipsw_patchC"); return false; } - - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_nidf_libSceDipsw_patchD), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); + + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_nidf_libSceDipsw_patchD), sizeof(xor__eax_eax), xor__eax_eax, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_nidf_libSceDipsw_patchD"); return false; } -#if MIRA_PLATFORM==MIRA_PLATFORM_ORBIS_BSD_505 - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_enable_fakepkg_patch), 8, (void*)"\xE9\x96\x00\x00\x00\x90\x90\x90", nullptr, true); - if (s_Ret < 0) - { - WriteLog(LL_Error, "ssc_enable_fakepkg_patch"); - return false; - } +#if MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_505 + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_enable_fakepkg_patch), 8, (void *)"\xE9\x96\x00\x00\x00\x90\x90\x90", nullptr, true); + if (s_Ret < 0) + { + WriteLog(LL_Error, "ssc_enable_fakepkg_patch"); + return false; + } #endif - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_TextStart + ssc_fake_to_free_patch), 4, (void*)"free", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_TextStart + ssc_fake_to_free_patch), 4, (void *)"free", nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssc_fake_to_free_patch"); @@ -298,14 +910,14 @@ bool FakePkgManager::ShellUIPatch() { WriteLog(LL_Debug, "patching SceShellUI"); - struct ::proc* s_Process = Utilities::FindProcessByName("SceShellUI"); + struct ::proc *s_Process = Utilities::FindProcessByName("SceShellUI"); if (s_Process == nullptr) { WriteLog(LL_Error, "could not find SceShellUI"); return false; } - ProcVmMapEntry* s_Entries = nullptr; + ProcVmMapEntry *s_Entries = nullptr; size_t s_NumEntries = 0; auto s_Ret = Utilities::GetProcessVmMap(s_Process, &s_Entries, &s_NumEntries); if (s_Ret < 0) @@ -320,12 +932,12 @@ bool FakePkgManager::ShellUIPatch() return false; } - uint8_t* s_LibKernelTextStart = nullptr; + uint8_t *s_LibKernelTextStart = nullptr; for (auto i = 0; i < s_NumEntries; ++i) { if (!memcmp(s_Entries[i].name, "libkernel_sys.sprx", 18) && s_Entries[i].prot >= (PROT_READ | PROT_EXEC)) { - s_LibKernelTextStart = (uint8_t*)s_Entries[i].start; + s_LibKernelTextStart = (uint8_t *)s_Entries[i].start; break; } } @@ -339,30 +951,30 @@ bool FakePkgManager::ShellUIPatch() WriteLog(LL_Debug, "SceShellUI libkernel_sys.sprx .text: (%p)", s_LibKernelTextStart); // Free the entries we got returned - delete [] s_Entries; + delete[] s_Entries; s_Entries = nullptr; - // TODO: Fix all fw suport; I don't feel like fixing 1.76 support atm -kd - #if MIRA_PLATFORM <= MIRA_PLATFORM_ORBIS_BSD_176 || MIRA_PLATFORM > MIRA_PLATFORM_ORBIS_BSD_505 && MIRA_PLATFORM!=MIRA_PLATFORM_ORBIS_BSD_620 - #else +// TODO: Fix all fw suport; I don't feel like fixing 1.76 support atm -kd +#if MIRA_PLATFORM <= MIRA_PLATFORM_ORBIS_BSD_176 || MIRA_PLATFORM > MIRA_PLATFORM_ORBIS_BSD_505 && MIRA_PLATFORM != MIRA_PLATFORM_ORBIS_BSD_620 +#else - uint8_t mov__eax_1__ret[6] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 }; + uint8_t mov__eax_1__ret[6] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3}; - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_LibKernelTextStart + ssu_sceSblRcMgrIsAllowDebugMenuForSettings_patch), sizeof(mov__eax_1__ret), mov__eax_1__ret, nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_LibKernelTextStart + ssu_sceSblRcMgrIsAllowDebugMenuForSettings_patch), sizeof(mov__eax_1__ret), mov__eax_1__ret, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssu_sceSblRcMgrIsAllowDebugMenuForSettings_patch"); return false; } - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_LibKernelTextStart + ssu_sceSblRcMgrIsStoreMode_patch), sizeof(mov__eax_1__ret), mov__eax_1__ret, nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_LibKernelTextStart + ssu_sceSblRcMgrIsStoreMode_patch), sizeof(mov__eax_1__ret), mov__eax_1__ret, nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssu_sceSblRcMgrIsStoreMode_patch"); return false; } - #endif +#endif WriteLog(LL_Debug, "SceShellUI successfully patched"); @@ -378,14 +990,18 @@ void FakePkgManager::ResumeEvent() void FakePkgManager::ProcessStartEvent(void *arg, struct ::proc *p) { - auto strncmp = (int(*)(const char *, const char *, size_t))kdlsym(strncmp); + auto strncmp = (int (*)(const char *, const char *, size_t))kdlsym(strncmp); if (!p) return; - char* s_TitleId = (char*)((uint64_t)p + 0x390); - if (strncmp(s_TitleId, "NPXS20001", 9) == 0) { - ShellUIPatch(); + char *s_TitleId = (char *)((uint64_t)p + 0x390); + if (strncmp(s_TitleId, "NPXS20001", 9) == 0) + { + if (is_Kit) + WriteLog(LL_Debug, "Testkit Detected, No patches will be applied is_Kit(%i).\n", is_Kit); + else + ShellUIPatch(); } return; @@ -400,29 +1016,36 @@ bool FakePkgManager::OnLoad() return false; } - ShellCorePatch(); - ShellUIPatch(); + if (is_Kit) + WriteLog(LL_Debug, "Testkit Detected, No patches will be applied\n"); + else + { + ShellCorePatch(); + ShellUIPatch(); + } // Initialize the event handlers - auto eventhandler_register = (eventhandler_tag(*)(struct eventhandler_list *list, const char *name, void *func, void *arg, int priority))kdlsym(eventhandler_register); + auto eventhandler_register = (eventhandler_tag(*)(struct eventhandler_list * list, const char *name, void *func, void *arg, int priority)) kdlsym(eventhandler_register); - m_processStartEvent = eventhandler_register(NULL, "process_exec_end", reinterpret_cast(FakePkgManager::ProcessStartEvent), NULL, EVENTHANDLER_PRI_LAST); - m_resumeEvent = eventhandler_register(NULL, "system_resume_phase4", reinterpret_cast(FakePkgManager::ResumeEvent), NULL, EVENTHANDLER_PRI_LAST); + m_processStartEvent = eventhandler_register(NULL, "process_exec_end", reinterpret_cast(FakePkgManager::ProcessStartEvent), NULL, EVENTHANDLER_PRI_LAST); + m_resumeEvent = eventhandler_register(NULL, "system_resume_phase4", reinterpret_cast(FakePkgManager::ResumeEvent), NULL, EVENTHANDLER_PRI_LAST); return true; } bool FakePkgManager::OnUnload() { - auto eventhandler_deregister = (void(*)(struct eventhandler_list* a, struct eventhandler_entry* b))kdlsym(eventhandler_deregister); - auto eventhandler_find_list = (struct eventhandler_list * (*)(const char *name))kdlsym(eventhandler_find_list); + auto eventhandler_deregister = (void (*)(struct eventhandler_list * a, struct eventhandler_entry * b)) kdlsym(eventhandler_deregister); + auto eventhandler_find_list = (struct eventhandler_list * (*)(const char *name)) kdlsym(eventhandler_find_list); - if (m_processStartEvent) { + if (m_processStartEvent) + { EVENTHANDLER_DEREGISTER(process_exec_end, m_processStartEvent); m_processStartEvent = nullptr; } - if (m_resumeEvent) { + if (m_resumeEvent) + { EVENTHANDLER_DEREGISTER(process_exit, m_resumeEvent); m_resumeEvent = nullptr; } @@ -440,7 +1063,7 @@ bool FakePkgManager::OnResume() return true; } -void FakePkgManager::GenPfsCryptoKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed[PFS_SEED_SIZE], uint32_t p_Index, uint8_t p_Key[PFS_FINAL_KEY_SIZE]) +void FakePkgManager::GenPfsCryptoKey(uint8_t *p_EncryptionKeyPFS, uint8_t p_Seed[PFS_SEED_SIZE], uint32_t p_Index, uint8_t p_Key[PFS_FINAL_KEY_SIZE]) { auto s_Thread = curthread; FakeKeyD s_D; @@ -450,39 +1073,39 @@ void FakePkgManager::GenPfsCryptoKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed memcpy(s_D.seed, p_Seed, PFS_SEED_SIZE); // fpu_kern_enter - auto fpu_kern_enter = (int(*)(struct thread *td, struct fpu_kern_ctx *ctx, u_int flags))kdlsym(fpu_kern_enter); - auto fpu_kern_leave = (int (*)(struct thread *td, struct fpu_kern_ctx *ctx))kdlsym(fpu_kern_leave); + auto fpu_kern_enter = (int (*)(struct thread * td, struct fpu_kern_ctx * ctx, u_int flags)) kdlsym(fpu_kern_enter); + auto fpu_kern_leave = (int (*)(struct thread * td, struct fpu_kern_ctx * ctx)) kdlsym(fpu_kern_leave); - auto fpu_ctx = (fpu_kern_ctx*)kdlsym(fpu_kern_ctx); - auto Sha256Hmac = (void (*)(uint8_t hash[0x20], const uint8_t* data, size_t data_size, const uint8_t* key, int key_size))kdlsym(Sha256Hmac); + auto fpu_ctx = (fpu_kern_ctx *)kdlsym(fpu_kern_ctx); + auto Sha256Hmac = (void (*)(uint8_t hash[0x20], const uint8_t *data, size_t data_size, const uint8_t *key, int key_size))kdlsym(Sha256Hmac); fpu_kern_enter(s_Thread, fpu_ctx, 0); - Sha256Hmac(p_Key, (const uint8_t*)&s_D, sizeof(s_D), p_EncryptionKeyPFS, EKPFS_SIZE); + Sha256Hmac(p_Key, (const uint8_t *)&s_D, sizeof(s_D), p_EncryptionKeyPFS, EKPFS_SIZE); fpu_kern_leave(s_Thread, fpu_ctx); } -void FakePkgManager::GenPfsEncKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed[PFS_SEED_SIZE], uint8_t p_Key[PFS_FINAL_KEY_SIZE]) +void FakePkgManager::GenPfsEncKey(uint8_t *p_EncryptionKeyPFS, uint8_t p_Seed[PFS_SEED_SIZE], uint8_t p_Key[PFS_FINAL_KEY_SIZE]) { GenPfsCryptoKey(p_EncryptionKeyPFS, p_Seed, 1, p_Key); } -void FakePkgManager::GenPfsSignKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed[PFS_SEED_SIZE], uint8_t p_Key[PFS_FINAL_KEY_SIZE]) +void FakePkgManager::GenPfsSignKey(uint8_t *p_EncryptionKeyPFS, uint8_t p_Seed[PFS_SEED_SIZE], uint8_t p_Key[PFS_FINAL_KEY_SIZE]) { GenPfsCryptoKey(p_EncryptionKeyPFS, p_Seed, 2, p_Key); } -int FakePkgManager::DecryptNpdrmDebugRif(uint32_t p_Type, uint8_t* p_Data) +int FakePkgManager::DecryptNpdrmDebugRif(uint32_t p_Type, uint8_t *p_Data) { auto s_Thread = __curthread(); if (s_Thread == nullptr) return SCE_SBL_ERROR_NPDRM_ENOTSUP; - - auto fpu_kern_enter = (int(*)(struct thread *td, struct fpu_kern_ctx *ctx, u_int flags))kdlsym(fpu_kern_enter); - auto fpu_kern_leave = (int (*)(struct thread *td, struct fpu_kern_ctx *ctx))kdlsym(fpu_kern_leave); - auto fpu_ctx = (fpu_kern_ctx*)kdlsym(fpu_kern_ctx); + + auto fpu_kern_enter = (int (*)(struct thread * td, struct fpu_kern_ctx * ctx, u_int flags)) kdlsym(fpu_kern_enter); + auto fpu_kern_leave = (int (*)(struct thread * td, struct fpu_kern_ctx * ctx)) kdlsym(fpu_kern_leave); + auto fpu_ctx = (fpu_kern_ctx *)kdlsym(fpu_kern_ctx); //auto AesCbcCfb128Encrypt = (int (*)(uint8_t* out, const uint8_t* in, size_t data_size, const uint8_t* key, int key_size, uint8_t* iv))kdlsym(AesCbcCfb128Encrypt); - auto AesCbcCfb128Decrypt = (int (*)(uint8_t* out, const uint8_t* in, size_t data_size, const uint8_t* key, int key_size, uint8_t* iv))kdlsym(AesCbcCfb128Decrypt); - + auto AesCbcCfb128Decrypt = (int (*)(uint8_t * out, const uint8_t *in, size_t data_size, const uint8_t *key, int key_size, uint8_t *iv)) kdlsym(AesCbcCfb128Decrypt); + auto s_Ret = 0; fpu_kern_enter(s_Thread, fpu_ctx, 0); s_Ret = AesCbcCfb128Decrypt(p_Data + RIF_DIGEST_SIZE, p_Data + RIF_DIGEST_SIZE, RIF_DATA_SIZE, g_RifDebugKey, sizeof(g_RifDebugKey) * 8, p_Data); @@ -493,7 +1116,7 @@ int FakePkgManager::DecryptNpdrmDebugRif(uint32_t p_Type, uint8_t* p_Data) return s_Ret; } -SblMapListEntry* FakePkgManager::SceSblDriverFindMappedPageListByGpuVa(vm_offset_t p_GpuVa) +SblMapListEntry *FakePkgManager::SceSblDriverFindMappedPageListByGpuVa(vm_offset_t p_GpuVa) { if (p_GpuVa == 0) { @@ -501,12 +1124,12 @@ SblMapListEntry* FakePkgManager::SceSblDriverFindMappedPageListByGpuVa(vm_offset return nullptr; } - auto _mtx_lock_flags = (void(*)(struct mtx *m, int opts, const char *file, int line))kdlsym(_mtx_lock_flags); - auto _mtx_unlock_flags = (void(*)(struct mtx *m, int opts, const char *file, int line))kdlsym(_mtx_unlock_flags); - auto s_SblDrvMsgMtx = (struct mtx*)kdlsym(sbl_drv_msg_mtx); + auto _mtx_lock_flags = (void (*)(struct mtx * m, int opts, const char *file, int line)) kdlsym(_mtx_lock_flags); + auto _mtx_unlock_flags = (void (*)(struct mtx * m, int opts, const char *file, int line)) kdlsym(_mtx_unlock_flags); + auto s_SblDrvMsgMtx = (struct mtx *)kdlsym(sbl_drv_msg_mtx); - SblMapListEntry* s_Entry = *(SblMapListEntry**)kdlsym(gpu_va_page_list); - SblMapListEntry* s_FinalEntry = nullptr; + SblMapListEntry *s_Entry = *(SblMapListEntry **)kdlsym(gpu_va_page_list); + SblMapListEntry *s_FinalEntry = nullptr; // Lock before we iterate this list, because other paths can absolutely use it concurrently _mtx_lock_flags(s_SblDrvMsgMtx, 0, __FILE__, __LINE__); @@ -526,29 +1149,28 @@ SblMapListEntry* FakePkgManager::SceSblDriverFindMappedPageListByGpuVa(vm_offset return s_FinalEntry; } -vm_offset_t FakePkgManager::SceSblDriverGpuVaToCpuVa(vm_offset_t p_GpuVa, size_t* p_NumPageGroups) +vm_offset_t FakePkgManager::SceSblDriverGpuVaToCpuVa(vm_offset_t p_GpuVa, size_t *p_NumPageGroups) { auto s_Entry = SceSblDriverFindMappedPageListByGpuVa(p_GpuVa); if (s_Entry == nullptr) return 0; - + if (p_NumPageGroups != nullptr) *p_NumPageGroups = s_Entry->numPageGroups; - + return s_Entry->cpuVa; } - -int FakePkgManager::OnSceSblDriverSendMsg(SblMsg* p_Message, size_t p_Size) __attribute__ ((optnone)) +int FakePkgManager::OnSceSblDriverSendMsg(SblMsg *p_Message, size_t p_Size) __attribute__((optnone)) { - auto sceSblDriverSendMsg = (int (*)(SblMsg* msg, size_t size))kdlsym(sceSblDriverSendMsg); + auto sceSblDriverSendMsg = (int (*)(SblMsg * msg, size_t size)) kdlsym(sceSblDriverSendMsg); if (p_Message->hdr.cmd != SBL_MSG_CCP) return sceSblDriverSendMsg(p_Message, p_Size); - - union ccp_op* s_Op = &p_Message->service.ccp.op; + + union ccp_op *s_Op = &p_Message->service.ccp.op; if (CCP_OP(s_Op->common.cmd) != CCP_OP_AES) return sceSblDriverSendMsg(p_Message, p_Size); - + uint32_t s_Mask = CCP_USE_KEY_FROM_SLOT | CCP_GENERATE_KEY_AT_SLOT; if ((s_Op->aes.cmd & s_Mask) != s_Mask || (s_Op->aes.key_index != PFS_FAKE_OBF_KEY_ID)) return sceSblDriverSendMsg(p_Message, p_Size); @@ -566,23 +1188,23 @@ int FakePkgManager::OnSceSblDriverSendMsg(SblMsg* p_Message, size_t p_Size) __at return sceSblDriverSendMsg(p_Message, p_Size); } -int FakePkgManager::OnSceSblPfsSetKeys(uint32_t* ekh, uint32_t* skh, uint8_t* eekpfs, Ekc* eekc, uint32_t pubkey_ver, uint32_t key_ver, PfsHeader* hdr, size_t hdr_size, uint32_t type, uint32_t finalized, uint32_t is_disc) +int FakePkgManager::OnSceSblPfsSetKeys(uint32_t *ekh, uint32_t *skh, uint8_t *eekpfs, Ekc *eekc, uint32_t pubkey_ver, uint32_t key_ver, PfsHeader *hdr, size_t hdr_size, uint32_t type, uint32_t finalized, uint32_t is_disc) { - auto sceSblPfsSetKeys = (int(*)(uint32_t* p_Ekh, uint32_t* p_Skh, uint8_t* p_Eekpfs, Ekc* p_Eekc, unsigned int p_PubkeyVer, unsigned int p_KeyVer, PfsHeader* p_Header, size_t p_HeaderSize, unsigned int p_Type, unsigned int p_Finalized, unsigned int p_IsDisc))kdlsym(sceSblPfsSetKeys); - auto RsaesPkcs1v15Dec2048CRT = (int (*)(RsaBuffer* out, RsaBuffer* in, RsaKey* key))kdlsym(RsaesPkcs1v15Dec2048CRT); - auto fpu_kern_enter = (int(*)(struct thread *td, struct fpu_kern_ctx *ctx, u_int flags))kdlsym(fpu_kern_enter); - auto fpu_kern_leave = (int (*)(struct thread *td, struct fpu_kern_ctx *ctx))kdlsym(fpu_kern_leave); - auto sbl_pfs_sx = (struct sx*)kdlsym(sbl_pfs_sx); - auto fpu_kern_ctx = (struct fpu_kern_ctx*)kdlsym(fpu_kern_ctx); + auto sceSblPfsSetKeys = (int (*)(uint32_t * p_Ekh, uint32_t * p_Skh, uint8_t * p_Eekpfs, Ekc * p_Eekc, unsigned int p_PubkeyVer, unsigned int p_KeyVer, PfsHeader *p_Header, size_t p_HeaderSize, unsigned int p_Type, unsigned int p_Finalized, unsigned int p_IsDisc)) kdlsym(sceSblPfsSetKeys); + auto RsaesPkcs1v15Dec2048CRT = (int (*)(RsaBuffer * out, RsaBuffer * in, RsaKey * key)) kdlsym(RsaesPkcs1v15Dec2048CRT); + auto fpu_kern_enter = (int (*)(struct thread * td, struct fpu_kern_ctx * ctx, u_int flags)) kdlsym(fpu_kern_enter); + auto fpu_kern_leave = (int (*)(struct thread * td, struct fpu_kern_ctx * ctx)) kdlsym(fpu_kern_leave); + auto sbl_pfs_sx = (struct sx *)kdlsym(sbl_pfs_sx); + auto fpu_kern_ctx = (struct fpu_kern_ctx *)kdlsym(fpu_kern_ctx); //int (*A_sx_xlock_hard)(struct sx *sx, uintptr_t tid, int opts, const char *file, int line) = kdlsym(_sx_xlock); - //void (*A_sx_xunlock_hard)(struct sx *sx, uintptr_t tid, const char *file, int line) = kdlsym(_sx_xunlock); - auto A_sx_xlock_hard = (int (*)(struct sx *sx, int opts))kdlsym(_sx_xlock); - auto A_sx_xunlock_hard = (int (*)(struct sx *sx))kdlsym(_sx_xunlock); - auto AesCbcCfb128Encrypt = (int (*)(uint8_t* out, const uint8_t* in, size_t data_size, const uint8_t* key, int key_size, uint8_t* iv))kdlsym(AesCbcCfb128Encrypt); - auto sceSblKeymgrSetKeyForPfs = (int (*)(SblKeyDesc* key, unsigned int* handle))kdlsym(sceSblKeymgrSetKeyForPfs); + //void (*A_sx_xunlock_hard)(struct sx *sx, uintptr_t tid, const char *file, int line) = kdlsym(_sx_xunlock); + auto A_sx_xlock_hard = (int (*)(struct sx * sx, int opts)) kdlsym(_sx_xlock); + auto A_sx_xunlock_hard = (int (*)(struct sx * sx)) kdlsym(_sx_xunlock); + auto AesCbcCfb128Encrypt = (int (*)(uint8_t * out, const uint8_t *in, size_t data_size, const uint8_t *key, int key_size, uint8_t *iv)) kdlsym(AesCbcCfb128Encrypt); + auto sceSblKeymgrSetKeyForPfs = (int (*)(SblKeyDesc * key, unsigned int *handle)) kdlsym(sceSblKeymgrSetKeyForPfs); auto sceSblKeymgrClearKey = (int (*)(uint32_t kh))kdlsym(sceSblKeymgrClearKey); - struct thread* td; + struct thread *td; RsaBuffer in_data; RsaBuffer out_data; RsaKey key; @@ -593,115 +1215,124 @@ int FakePkgManager::OnSceSblPfsSetKeys(uint32_t* ekh, uint32_t* skh, uint8_t* ee int32_t ret, orig_ret = 0; ret = orig_ret = sceSblPfsSetKeys(ekh, skh, eekpfs, eekc, pubkey_ver, key_ver, hdr, hdr_size, type, finalized, is_disc); - - if (ret) { - if (finalized && is_disc != 0) - { - ret = sceSblPfsSetKeys(ekh, skh, eekpfs, eekc, pubkey_ver, key_ver, hdr, hdr_size, type, finalized, 0); /* always use is_disc=0 here */ - if (ret) { - ret = orig_ret; - goto err; - } - } else { - memset(&in_data, 0, sizeof(in_data)); - in_data.ptr = eekpfs; - in_data.size = EEKPFS_SIZE; - - memset(&out_data, 0, sizeof(out_data)); - out_data.ptr = ekpfs; - out_data.size = EKPFS_SIZE; - - memset(&key, 0, sizeof(key)); - key.p = (uint8_t*)g_ypkg_p; - key.q = (uint8_t*)g_ypkg_q; - key.dmp1 = (uint8_t*)g_ypkg_dmp1; - key.dmq1 = (uint8_t*)g_ypkg_dmq1; - key.iqmp = (uint8_t*)g_ypkg_iqmp; - - td = curthread; - - fpu_kern_enter(td, fpu_kern_ctx, 0); - { - ret = RsaesPkcs1v15Dec2048CRT(&out_data, &in_data, &key); - } - fpu_kern_leave(td, fpu_kern_ctx); - - if (ret) { - ret = orig_ret; - goto err; - } - - A_sx_xlock_hard(sbl_pfs_sx,0); - { - memset(&enc_key_desc, 0, sizeof(enc_key_desc)); - { - enc_key_desc.Pfs.obfuscatedKeyId = PFS_FAKE_OBF_KEY_ID; - enc_key_desc.Pfs.keySize = sizeof(enc_key_desc.Pfs.escrowedKey); - - GenPfsEncKey(ekpfs, hdr->cryptSeed, enc_key_desc.Pfs.escrowedKey); - - fpu_kern_enter(td, fpu_kern_ctx, 0); - { - memset(iv, 0, sizeof(iv)); - ret = AesCbcCfb128Encrypt(enc_key_desc.Pfs.escrowedKey, enc_key_desc.Pfs.escrowedKey, sizeof(enc_key_desc.Pfs.escrowedKey), g_FakeKeySeed, sizeof(g_FakeKeySeed) * 8, iv); - } - fpu_kern_leave(td, fpu_kern_ctx); - } - if (ret) { + + if (ret) + { + if (finalized && is_disc != 0) + { + ret = sceSblPfsSetKeys(ekh, skh, eekpfs, eekc, pubkey_ver, key_ver, hdr, hdr_size, type, finalized, 0); /* always use is_disc=0 here */ + if (ret) + { + ret = orig_ret; + goto err; + } + } + else + { + memset(&in_data, 0, sizeof(in_data)); + in_data.ptr = eekpfs; + in_data.size = EEKPFS_SIZE; + + memset(&out_data, 0, sizeof(out_data)); + out_data.ptr = ekpfs; + out_data.size = EKPFS_SIZE; + + memset(&key, 0, sizeof(key)); + key.p = (uint8_t *)g_ypkg_p; + key.q = (uint8_t *)g_ypkg_q; + key.dmp1 = (uint8_t *)g_ypkg_dmp1; + key.dmq1 = (uint8_t *)g_ypkg_dmq1; + key.iqmp = (uint8_t *)g_ypkg_iqmp; + + td = curthread; + + fpu_kern_enter(td, fpu_kern_ctx, 0); + { + ret = RsaesPkcs1v15Dec2048CRT(&out_data, &in_data, &key); + } + fpu_kern_leave(td, fpu_kern_ctx); + + if (ret) + { + ret = orig_ret; + goto err; + } + + A_sx_xlock_hard(sbl_pfs_sx, 0); + { + memset(&enc_key_desc, 0, sizeof(enc_key_desc)); + { + enc_key_desc.Pfs.obfuscatedKeyId = PFS_FAKE_OBF_KEY_ID; + enc_key_desc.Pfs.keySize = sizeof(enc_key_desc.Pfs.escrowedKey); + + GenPfsEncKey(ekpfs, hdr->cryptSeed, enc_key_desc.Pfs.escrowedKey); + + fpu_kern_enter(td, fpu_kern_ctx, 0); + { + memset(iv, 0, sizeof(iv)); + ret = AesCbcCfb128Encrypt(enc_key_desc.Pfs.escrowedKey, enc_key_desc.Pfs.escrowedKey, sizeof(enc_key_desc.Pfs.escrowedKey), g_FakeKeySeed, sizeof(g_FakeKeySeed) * 8, iv); + } + fpu_kern_leave(td, fpu_kern_ctx); + } + if (ret) + { WriteLog(LL_Error, "AesCbcCfb128Encrypt returned (%d)", ret); - A_sx_xunlock_hard(sbl_pfs_sx); - ret = orig_ret; - goto err; - } - - memset(&sign_key_desc, 0, sizeof(sign_key_desc)); - { - sign_key_desc.Pfs.obfuscatedKeyId = PFS_FAKE_OBF_KEY_ID; - sign_key_desc.Pfs.keySize = sizeof(sign_key_desc.Pfs.escrowedKey); - - GenPfsSignKey(ekpfs, hdr->cryptSeed, sign_key_desc.Pfs.escrowedKey); - - fpu_kern_enter(td, fpu_kern_ctx, 0); - { - memset(iv, 0, sizeof(iv)); - ret = AesCbcCfb128Encrypt(sign_key_desc.Pfs.escrowedKey, sign_key_desc.Pfs.escrowedKey, sizeof(sign_key_desc.Pfs.escrowedKey), g_FakeKeySeed, sizeof(g_FakeKeySeed) * 8, iv); - } - fpu_kern_leave(td, fpu_kern_ctx); - } - if (ret) { + A_sx_xunlock_hard(sbl_pfs_sx); + ret = orig_ret; + goto err; + } + + memset(&sign_key_desc, 0, sizeof(sign_key_desc)); + { + sign_key_desc.Pfs.obfuscatedKeyId = PFS_FAKE_OBF_KEY_ID; + sign_key_desc.Pfs.keySize = sizeof(sign_key_desc.Pfs.escrowedKey); + + GenPfsSignKey(ekpfs, hdr->cryptSeed, sign_key_desc.Pfs.escrowedKey); + + fpu_kern_enter(td, fpu_kern_ctx, 0); + { + memset(iv, 0, sizeof(iv)); + ret = AesCbcCfb128Encrypt(sign_key_desc.Pfs.escrowedKey, sign_key_desc.Pfs.escrowedKey, sizeof(sign_key_desc.Pfs.escrowedKey), g_FakeKeySeed, sizeof(g_FakeKeySeed) * 8, iv); + } + fpu_kern_leave(td, fpu_kern_ctx); + } + if (ret) + { WriteLog(LL_Error, "AesCbcCfb128Encrypt returned (%d).", ret); - A_sx_xunlock_hard(sbl_pfs_sx); - ret = orig_ret; - goto err; - } - - ret = sceSblKeymgrSetKeyForPfs(&enc_key_desc, ekh); - if (ret) { - if (*ekh != 0xFFFFFFFF) - sceSblKeymgrClearKey(*ekh); - - A_sx_xunlock_hard(sbl_pfs_sx); - ret = orig_ret; - goto err; - } - - ret = sceSblKeymgrSetKeyForPfs(&sign_key_desc, skh); - if (ret) { - if (*skh != 0xFFFFFFFF) - sceSblKeymgrClearKey(*skh); - A_sx_xunlock_hard(sbl_pfs_sx); - ret = orig_ret; - goto err; - } - } - A_sx_xunlock_hard(sbl_pfs_sx); - - ret = 0; - } - } + A_sx_xunlock_hard(sbl_pfs_sx); + ret = orig_ret; + goto err; + } + + ret = sceSblKeymgrSetKeyForPfs(&enc_key_desc, ekh); + if (ret) + { + if (*ekh != 0xFFFFFFFF) + sceSblKeymgrClearKey(*ekh); + + A_sx_xunlock_hard(sbl_pfs_sx); + ret = orig_ret; + goto err; + } + + ret = sceSblKeymgrSetKeyForPfs(&sign_key_desc, skh); + if (ret) + { + if (*skh != 0xFFFFFFFF) + sceSblKeymgrClearKey(*skh); + A_sx_xunlock_hard(sbl_pfs_sx); + ret = orig_ret; + goto err; + } + } + A_sx_xunlock_hard(sbl_pfs_sx); + + ret = 0; + } + } err: - return ret; + return ret; /* auto sceSblPfsSetKeys = (int(*)(uint32_t* p_Ekh, uint32_t* p_Skh, uint8_t* p_Eekpfs, Ekc* p_Eekc, unsigned int p_PubkeyVer, unsigned int p_KeyVer, PfsHeader* p_Header, size_t p_HeaderSize, unsigned int p_Type, unsigned int p_Finalized, unsigned int p_IsDisc))kdlsym(sceSblPfsSetKeys); @@ -834,14 +1465,14 @@ int FakePkgManager::OnSceSblPfsSetKeys(uint32_t* ekh, uint32_t* skh, uint8_t* ee return 0;*/ } -int FakePkgManager::OnNpdrmDecryptIsolatedRif(KeymgrPayload* p_Payload) +int FakePkgManager::OnNpdrmDecryptIsolatedRif(KeymgrPayload *p_Payload) { - auto sceSblKeymgrSmCallfunc = (int (*)(KeymgrPayload* payload))kdlsym(sceSblKeymgrSmCallfunc); + auto sceSblKeymgrSmCallfunc = (int (*)(KeymgrPayload * payload)) kdlsym(sceSblKeymgrSmCallfunc); // it's SM request, thus we have the GPU address here, so we need to convert it to the CPU address - KeymgrRequest* s_Request = reinterpret_cast(SceSblDriverGpuVaToCpuVa(p_Payload->data, nullptr)); + KeymgrRequest *s_Request = reinterpret_cast(SceSblDriverGpuVaToCpuVa(p_Payload->data, nullptr)); - // // try to decrypt rif normally + // // try to decrypt rif normally int s_Ret = sceSblKeymgrSmCallfunc(p_Payload); if ((s_Ret != 0 || p_Payload->status != 0) && s_Request) { @@ -857,15 +1488,15 @@ int FakePkgManager::OnNpdrmDecryptIsolatedRif(KeymgrPayload* p_Payload) return s_Ret; } -int FakePkgManager::OnNpdrmDecryptRifNew(KeymgrPayload* p_Payload) +int FakePkgManager::OnNpdrmDecryptRifNew(KeymgrPayload *p_Payload) { - auto sceSblKeymgrSmCallfunc = (int (*)(KeymgrPayload* payload))kdlsym(sceSblKeymgrSmCallfunc); + auto sceSblKeymgrSmCallfunc = (int (*)(KeymgrPayload * payload)) kdlsym(sceSblKeymgrSmCallfunc); - // it's SM request, thus we have the GPU address here, so we need to convert it to the CPU address + // it's SM request, thus we have the GPU address here, so we need to convert it to the CPU address uint64_t s_BufferGpuVa = p_Payload->data; - auto s_Request = reinterpret_cast(SceSblDriverGpuVaToCpuVa(s_BufferGpuVa, nullptr)); - auto s_Response = reinterpret_cast(s_Request); - + auto s_Request = reinterpret_cast(SceSblDriverGpuVaToCpuVa(s_BufferGpuVa, nullptr)); + auto s_Response = reinterpret_cast(s_Request); + // try to decrypt rif normally int s_Ret = sceSblKeymgrSmCallfunc(p_Payload); int s_OriginalRet = s_Ret; @@ -874,7 +1505,7 @@ int FakePkgManager::OnNpdrmDecryptRifNew(KeymgrPayload* p_Payload) if ((s_Ret != 0 || p_Payload->status != 0) && s_Request) { if (s_Request->DecryptEntireRif.rif.format != 2) - { + { // not fake? s_Ret = s_OriginalRet; goto err; @@ -892,13 +1523,13 @@ int FakePkgManager::OnNpdrmDecryptRifNew(KeymgrPayload* p_Payload) consult with kernel code if offsets needs to be changed */ memcpy(s_Response->DecryptEntireRif.raw, s_Request->DecryptEntireRif.rif.digest, sizeof(s_Request->DecryptEntireRif.rif.digest) + sizeof(s_Request->DecryptEntireRif.rif.data)); - memset(s_Response->DecryptEntireRif.raw + - sizeof(s_Request->DecryptEntireRif.rif.digest) + - sizeof(s_Request->DecryptEntireRif.rif.data), - 0, - sizeof(s_Response->DecryptEntireRif.raw) - - (sizeof(s_Request->DecryptEntireRif.rif.digest) + - sizeof(s_Request->DecryptEntireRif.rif.data))); + memset(s_Response->DecryptEntireRif.raw + + sizeof(s_Request->DecryptEntireRif.rif.digest) + + sizeof(s_Request->DecryptEntireRif.rif.data), + 0, + sizeof(s_Response->DecryptEntireRif.raw) - + (sizeof(s_Request->DecryptEntireRif.rif.digest) + + sizeof(s_Request->DecryptEntireRif.rif.data))); p_Payload->status = s_Ret; s_Ret = 0; @@ -908,9 +1539,9 @@ int FakePkgManager::OnNpdrmDecryptRifNew(KeymgrPayload* p_Payload) return s_Ret; } -SblKeyRbtreeEntry* FakePkgManager::sceSblKeymgrGetKey(unsigned int p_Handle) +SblKeyRbtreeEntry *FakePkgManager::sceSblKeymgrGetKey(unsigned int p_Handle) { - SblKeyRbtreeEntry* s_Entry = *(SblKeyRbtreeEntry**)kdlsym(sbl_keymgr_key_rbtree); + SblKeyRbtreeEntry *s_Entry = *(SblKeyRbtreeEntry **)kdlsym(sbl_keymgr_key_rbtree); while (s_Entry) { @@ -925,14 +1556,14 @@ SblKeyRbtreeEntry* FakePkgManager::sceSblKeymgrGetKey(unsigned int p_Handle) return nullptr; } -int FakePkgManager::OnSceSblKeymgrInvalidateKeySxXlock(struct sx* p_Sx, int p_Opts, const char* p_File, int p_Line) +int FakePkgManager::OnSceSblKeymgrInvalidateKeySxXlock(struct sx *p_Sx, int p_Opts, const char *p_File, int p_Line) { //WriteLog(LL_Debug, "OnSceSblKeymgrInvalidateKeySxXlock"); auto sceSblKeymgrSetKeyStorage = (int (*)(uint64_t key_gpu_va, unsigned int key_size, uint32_t key_id, uint32_t key_handle))kdlsym(sceSblKeymgrSetKeyStorage); auto sblKeymgrKeySlots = (_SblKeySlotQueue *)kdlsym(sbl_keymgr_key_slots); - auto sblKeymgrBufVa = (uint8_t*)kdlsym(sbl_keymgr_buf_va); - auto sblKeymgrBufGva = (uint64_t*)kdlsym(sbl_keymgr_buf_gva); - auto _sx_xlock = (int(*)(struct sx *sx, int opts, const char *file, int line))kdlsym(_sx_xlock); + auto sblKeymgrBufVa = (uint8_t *)kdlsym(sbl_keymgr_buf_va); + auto sblKeymgrBufGva = (uint64_t *)kdlsym(sbl_keymgr_buf_gva); + auto _sx_xlock = (int (*)(struct sx * sx, int opts, const char *file, int line)) kdlsym(_sx_xlock); SblKeyRbtreeEntry *keyDesc; SblKeySlotDesc *keySlotDesc; @@ -948,27 +1579,32 @@ int FakePkgManager::OnSceSblKeymgrInvalidateKeySxXlock(struct sx* p_Sx, int p_Op TAILQ_FOREACH(keySlotDesc, sblKeymgrKeySlots, list) { keyHandle = keySlotDesc->keyHandle; - if (keyHandle == (unsigned int) -1) { + if (keyHandle == (unsigned int)-1) + { /* unbounded */ WriteLog(LL_Debug, "unbounded"); continue; } keyDesc = sceSblKeymgrGetKey(keyHandle); - if (!keyDesc) { + if (!keyDesc) + { /* shouldn't happen in normal situations */ WriteLog(LL_Debug, "shouldn't happen in normal situations"); continue; } - if (!keyDesc->occupied) { + if (!keyDesc->occupied) + { WriteLog(LL_Debug, "!occupied"); continue; } - if (keyDesc->desc.Pfs.obfuscatedKeyId != PFS_FAKE_OBF_KEY_ID) { + if (keyDesc->desc.Pfs.obfuscatedKeyId != PFS_FAKE_OBF_KEY_ID) + { /* not our key, just skip, so it will be handled by original code */ WriteLog(LL_Debug, "not our key, just skip, so it will be handled by original code"); continue; } - if (keyDesc->desc.Pfs.keySize != sizeof(keyDesc->desc.Pfs.escrowedKey)) { + if (keyDesc->desc.Pfs.keySize != sizeof(keyDesc->desc.Pfs.escrowedKey)) + { /* something weird with key params, just ignore and app will just crash... */ WriteLog(LL_Debug, "something weird with key params, just ignore and app will just crash..."); continue; @@ -976,7 +1612,8 @@ int FakePkgManager::OnSceSblKeymgrInvalidateKeySxXlock(struct sx* p_Sx, int p_Op memcpy(sblKeymgrBufVa, keyDesc->desc.Pfs.escrowedKey, keyDesc->desc.Pfs.keySize); //WriteLog(LL_Debug, "sblKeymgrBufGva %p %p", sblKeymgrBufGva, *sblKeymgrBufGva); ret2 = sceSblKeymgrSetKeyStorage(*sblKeymgrBufGva, keyDesc->desc.Pfs.keySize, keyDesc->desc.Pfs.obfuscatedKeyId, keySlotDesc->keyId); - if (ret2) { + if (ret2) + { WriteLog(LL_Debug, "wtf?"); /* wtf? */ continue; diff --git a/kernel/src/Plugins/FakePkg/FakePkgManager.hpp b/kernel/src/Plugins/FakePkg/FakePkgManager.hpp index 6d19ccf3..f7cd8d1c 100644 --- a/kernel/src/Plugins/FakePkg/FakePkgManager.hpp +++ b/kernel/src/Plugins/FakePkg/FakePkgManager.hpp @@ -14,25 +14,25 @@ extern "C" { - #include +#include }; + namespace Mira { namespace Plugins { - class FakePkgManager : - public Mira::Utils::IModule + class FakePkgManager : public Mira::Utils::IModule { private: - Utils::Hook* m_NpdrmDecryptIsolatedRifHook; - Utils::Hook* m_NpdrmDecryptRifNewHook; - Utils::Hook* m_SceSblDriverSendMsgHook; - Utils::Hook* m_SceSblKeymgrInvalidateKey; - Utils::Hook* m_SceSblPfsSetKeysHook; + Utils::Hook *m_NpdrmDecryptIsolatedRifHook; + Utils::Hook *m_NpdrmDecryptRifNewHook; + Utils::Hook *m_SceSblDriverSendMsgHook; + Utils::Hook *m_SceSblKeymgrInvalidateKey; + Utils::Hook *m_SceSblPfsSetKeysHook; - eventhandler_entry* m_processStartEvent; - eventhandler_entry* m_resumeEvent; + eventhandler_entry *m_processStartEvent; + eventhandler_entry *m_resumeEvent; static const uint8_t g_ypkg_p[0x80]; static const uint8_t g_ypkg_q[0x80]; @@ -42,7 +42,7 @@ namespace Mira static const uint8_t g_RifDebugKey[0x10]; static const uint8_t g_FakeKeySeed[0x10]; - + public: FakePkgManager(); virtual ~FakePkgManager(); @@ -54,29 +54,28 @@ namespace Mira private: // Helper functions - static void GenPfsCryptoKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed[OrbisOS::PFS_SEED_SIZE], uint32_t p_Index, uint8_t p_Key[OrbisOS::PFS_FINAL_KEY_SIZE]); - static void GenPfsEncKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed[OrbisOS::PFS_SEED_SIZE], uint8_t p_Key[OrbisOS::PFS_FINAL_KEY_SIZE]); - static void GenPfsSignKey(uint8_t* p_EncryptionKeyPFS, uint8_t p_Seed[OrbisOS::PFS_SEED_SIZE], uint8_t p_Key[OrbisOS::PFS_FINAL_KEY_SIZE]); - static int DecryptNpdrmDebugRif(uint32_t p_Type, uint8_t* p_Data); - static OrbisOS::SblMapListEntry* SceSblDriverFindMappedPageListByGpuVa(vm_offset_t p_GpuVa); - static vm_offset_t SceSblDriverGpuVaToCpuVa(vm_offset_t p_GpuVa, size_t* p_NumPageGroups); + static void GenPfsCryptoKey(uint8_t *p_EncryptionKeyPFS, uint8_t p_Seed[OrbisOS::PFS_SEED_SIZE], uint32_t p_Index, uint8_t p_Key[OrbisOS::PFS_FINAL_KEY_SIZE]); + static void GenPfsEncKey(uint8_t *p_EncryptionKeyPFS, uint8_t p_Seed[OrbisOS::PFS_SEED_SIZE], uint8_t p_Key[OrbisOS::PFS_FINAL_KEY_SIZE]); + static void GenPfsSignKey(uint8_t *p_EncryptionKeyPFS, uint8_t p_Seed[OrbisOS::PFS_SEED_SIZE], uint8_t p_Key[OrbisOS::PFS_FINAL_KEY_SIZE]); + static int DecryptNpdrmDebugRif(uint32_t p_Type, uint8_t *p_Data); + static OrbisOS::SblMapListEntry *SceSblDriverFindMappedPageListByGpuVa(vm_offset_t p_GpuVa); + static vm_offset_t SceSblDriverGpuVaToCpuVa(vm_offset_t p_GpuVa, size_t *p_NumPageGroups); - static int SceSblPfsSetKeys(uint32_t* p_Ekh, uint32_t* p_Skh, uint8_t* p_EekPfs, OrbisOS::Ekc* p_Eekc, uint32_t p_PubKeyVersion, uint32_t p_KeyVersion, OrbisOS::PfsHeader* p_Header, size_t p_HeaderSize, uint32_t p_Type, uint32_t p_Finalized, uint32_t p_IsDisc); - static OrbisOS::SblKeyRbtreeEntry* sceSblKeymgrGetKey(unsigned int p_Handle); + static int SceSblPfsSetKeys(uint32_t *p_Ekh, uint32_t *p_Skh, uint8_t *p_EekPfs, OrbisOS::Ekc *p_Eekc, uint32_t p_PubKeyVersion, uint32_t p_KeyVersion, OrbisOS::PfsHeader *p_Header, size_t p_HeaderSize, uint32_t p_Type, uint32_t p_Finalized, uint32_t p_IsDisc); + static OrbisOS::SblKeyRbtreeEntry *sceSblKeymgrGetKey(unsigned int p_Handle); protected: // Hooked Functions - static int OnSceSblPfsSetKeys(uint32_t* p_Ekh, uint32_t* p_Skh, uint8_t* p_EekPfs, OrbisOS::Ekc* p_Eekc, uint32_t p_PubKeyVersion, uint32_t p_KeyVersion, OrbisOS::PfsHeader* p_Header, size_t p_HeaderSize, uint32_t p_Type, uint32_t p_Finalized, uint32_t p_IsDisc); - static int OnNpdrmDecryptIsolatedRif(OrbisOS::KeymgrPayload* p_Payload); - static int OnNpdrmDecryptRifNew(OrbisOS::KeymgrPayload* p_Payload); - static int OnSceSblDriverSendMsg(OrbisOS::SblMsg* p_Message, size_t p_Size); - static int OnSceSblKeymgrInvalidateKeySxXlock(struct sx* p_Sx, int p_Opts, const char* p_File, int p_Line); + static int OnSceSblPfsSetKeys(uint32_t *p_Ekh, uint32_t *p_Skh, uint8_t *p_EekPfs, OrbisOS::Ekc *p_Eekc, uint32_t p_PubKeyVersion, uint32_t p_KeyVersion, OrbisOS::PfsHeader *p_Header, size_t p_HeaderSize, uint32_t p_Type, uint32_t p_Finalized, uint32_t p_IsDisc); + static int OnNpdrmDecryptIsolatedRif(OrbisOS::KeymgrPayload *p_Payload); + static int OnNpdrmDecryptRifNew(OrbisOS::KeymgrPayload *p_Payload); + static int OnSceSblDriverSendMsg(OrbisOS::SblMsg *p_Message, size_t p_Size); + static int OnSceSblKeymgrInvalidateKeySxXlock(struct sx *p_Sx, int p_Opts, const char *p_File, int p_Line); static bool ShellCorePatch(); static bool ShellUIPatch(); static void ResumeEvent(); static void ProcessStartEvent(void *arg, struct ::proc *p); - - }; - } -} \ No newline at end of file + }; + } // namespace Plugins +} // namespace Mira \ No newline at end of file diff --git a/kernel/src/Plugins/MorpheusEnabler/MorpheusEnabler.cpp b/kernel/src/Plugins/MorpheusEnabler/MorpheusEnabler.cpp index cb009294..41a457cd 100644 --- a/kernel/src/Plugins/MorpheusEnabler/MorpheusEnabler.cpp +++ b/kernel/src/Plugins/MorpheusEnabler/MorpheusEnabler.cpp @@ -36,8 +36,9 @@ void MorpheusEnabler::ProcessStartEvent(void *arg, struct ::proc *p) char* s_TitleId = (char*)((uint64_t)p + 0x390); if (strncmp(s_TitleId, "NPXS20001", 9) == 0) { - DoPatch(); - } + DoPatch(); + } + return; } @@ -122,7 +123,10 @@ bool MorpheusEnabler::OnLoad() m_processStartEvent = eventhandler_register(NULL, "process_exec_end", reinterpret_cast(MorpheusEnabler::ProcessStartEvent), NULL, EVENTHANDLER_PRI_LAST); m_resumeEvent = eventhandler_register(NULL, "system_resume_phase4", reinterpret_cast(MorpheusEnabler::ResumeEvent), NULL, EVENTHANDLER_PRI_LAST); - return DoPatch(); + + return DoPatch(); + + } bool MorpheusEnabler::OnUnload() diff --git a/kernel/src/Plugins/PluginManager.cpp b/kernel/src/Plugins/PluginManager.cpp index f1a464bb..c05637b2 100644 --- a/kernel/src/Plugins/PluginManager.cpp +++ b/kernel/src/Plugins/PluginManager.cpp @@ -22,26 +22,26 @@ extern "C" { - #include +#include }; using namespace Mira::Plugins; - -PluginManager::PluginManager() : - m_Logger(nullptr), - m_Debugger(nullptr), - m_FileManager(nullptr), - m_FakeSelfManager(nullptr), - m_FakePkgManager(nullptr), - m_EmuRegistry(nullptr), - m_Substitute(nullptr), - m_BrowserActivator(nullptr), - m_MorpheusEnabler(nullptr), - m_RemotePlayEnabler(nullptr), - m_SyscallGuard(nullptr) +using namespace Mira::OrbisOS; + +PluginManager::PluginManager() : m_Logger(nullptr), + m_Debugger(nullptr), + m_FileManager(nullptr), + m_FakeSelfManager(nullptr), + m_FakePkgManager(nullptr), + m_EmuRegistry(nullptr), + m_Substitute(nullptr), + m_BrowserActivator(nullptr), + m_MorpheusEnabler(nullptr), + m_RemotePlayEnabler(nullptr), + m_SyscallGuard(nullptr) { // Hushes error: private field 'm_FileManager' is not used [-Werror,-Wunused-private-field] - m_Logger = nullptr; + m_Logger = nullptr; m_FileManager = nullptr; } @@ -74,17 +74,57 @@ bool PluginManager::OnLoad() break; } if (!m_SyscallGuard->OnLoad()) - WriteLog(LL_Error, "could not load syscall guard.");*/ + WriteLog(LL_Error + , "could not load syscall guard.");*/ + + WriteLog(LL_Debug, " m_InitParams.is_Kit %i\n", is_Kit); - // Initialize Logger - m_Logger = new Mira::Plugins::LogManagerExtent::LogManager(); - if (m_Logger == nullptr) + if (is_Kit) { - WriteLog(LL_Error, "could not allocate log manager."); - return false; + WriteLog(LL_Debug, "Skipping Some Plugins due to Testkit lock on klog is_Kit(%i).\n", is_Kit); + m_TTYRedirector = nullptr; + } + else + { + + // Initialize Logger + m_Logger = new Mira::Plugins::LogManagerExtent::LogManager(); + if (m_Logger == nullptr) + { + WriteLog(LL_Error, "could not allocate log manager."); + return false; + } + if (!m_Logger->OnLoad()) + WriteLog(LL_Error, "could not load logmanager"); + + m_TTYRedirector = new Mira::Plugins::TTYRedirector(); + if (m_TTYRedirector == nullptr) + { + WriteLog(LL_Error, "could not allocate tty redirector."); + s_Success = false; + break; + } + + // skipping til can confirm it work on testkit + // Initialize RemotePlayEnabler + m_RemotePlayEnabler = new Mira::Plugins::RemotePlayEnabler(); + if (m_RemotePlayEnabler == nullptr) + { + WriteLog(LL_Error, "could not allocate remote play enabler."); + s_Success = false; + break; + } + + // skipping til can confirm it work on testkit + // Initialize MorpheusEnabler + m_MorpheusEnabler = new Mira::Plugins::MorpheusEnabler(); + if (m_MorpheusEnabler == nullptr) + { + WriteLog(LL_Error, "could not allocate morpheus enabler."); + s_Success = false; + break; + } } - if (!m_Logger->OnLoad()) - WriteLog(LL_Error, "could not load logmanager"); // Initialize file manager m_FileManager = new Mira::Plugins::FileManagerExtent::FileManager(); @@ -113,13 +153,20 @@ bool PluginManager::OnLoad() break; } - // Initialize Substitute - m_Substitute = new Mira::Plugins::Substitute(); - if (m_Substitute == nullptr) + if (is_Kit) { - WriteLog(LL_Error, "could not allocate substitute."); - s_Success = false; - break; + m_Substitute = nullptr; + WriteLog(LL_Debug, "Skipping Substitute."); + } + else + { + m_Substitute = new Mira::Plugins::Substitute(); + if (m_Substitute == nullptr) + { + WriteLog(LL_Error, "could not allocate substitute."); + s_Success = false; + break; + } } // Initialize BrowserActivator @@ -131,32 +178,6 @@ bool PluginManager::OnLoad() break; } - // Initialize MorpheusEnabler - m_MorpheusEnabler = new Mira::Plugins::MorpheusEnabler(); - if (m_MorpheusEnabler == nullptr) - { - WriteLog(LL_Error, "could not allocate morpheus enabler."); - s_Success = false; - break; - } - - // Initialize RemotePlayEnabler - m_RemotePlayEnabler = new Mira::Plugins::RemotePlayEnabler(); - if (m_RemotePlayEnabler == nullptr) - { - WriteLog(LL_Error, "could not allocate remote play enabler."); - s_Success = false; - break; - } - - // Initialize TTYRedirector - m_TTYRedirector = new Mira::Plugins::TTYRedirector(); - if (m_TTYRedirector == nullptr) - { - WriteLog(LL_Error, "could not allocate tty redirector."); - s_Success = false; - break; - } } while (false); if (m_Debugger) @@ -243,7 +264,7 @@ bool PluginManager::OnUnload() s_AllUnloadSuccess = false; WriteLog(LL_Info, "plugin (%s) unloaded %s", - l_Plugin->GetName(), s_UnloadResult ? "successfully" : "unsuccessfully"); + l_Plugin->GetName(), s_UnloadResult ? "successfully" : "unsuccessfully"); WriteLog(LL_Debug, "freeing plugin"); // Delete the plugin @@ -424,8 +445,8 @@ bool PluginManager::OnSuspend() // Debugging status WriteLog(LL_Info, "plugin (%s) suspend %s", - l_Plugin->GetName(), - s_SuspendResult ? "success" : "failure"); + l_Plugin->GetName(), + s_SuspendResult ? "success" : "failure"); } // Suspend the built in plugins @@ -580,8 +601,8 @@ bool PluginManager::OnResume() // Debugging status WriteLog(LL_Info, "plugin (%s) resume %s", - l_Plugin->GetName(), - s_ResumeResult ? "success" : "failure"); + l_Plugin->GetName(), + s_ResumeResult ? "success" : "failure"); } WriteLog(LL_Debug, "resuming file manager"); @@ -591,7 +612,6 @@ bool PluginManager::OnResume() WriteLog(LL_Error, "file manager resume failed"); } - WriteLog(LL_Debug, "resuming fake self manager"); if (m_FakeSelfManager) { @@ -605,11 +625,11 @@ bool PluginManager::OnResume() return s_AllSuccess; } -bool PluginManager::OnProcessExec(struct proc* p_Process) +bool PluginManager::OnProcessExec(struct proc *p_Process) { if (p_Process == nullptr) return false; - + if (m_Substitute) { if (!m_Substitute->OnProcessExec(p_Process)) @@ -625,11 +645,11 @@ bool PluginManager::OnProcessExec(struct proc* p_Process) return true; } -bool PluginManager::OnProcessExecEnd(struct proc* p_Process) +bool PluginManager::OnProcessExecEnd(struct proc *p_Process) { if (p_Process == nullptr) return false; - + if (m_Substitute) { if (!m_Substitute->OnProcessExecEnd(p_Process)) @@ -639,11 +659,11 @@ bool PluginManager::OnProcessExecEnd(struct proc* p_Process) return true; } -bool PluginManager::OnProcessExit(struct proc* p_Process) +bool PluginManager::OnProcessExit(struct proc *p_Process) { if (p_Process == nullptr) return false; - + if (m_Substitute) { if (!m_Substitute->OnProcessExit(p_Process)) diff --git a/kernel/src/Plugins/PluginManager.hpp b/kernel/src/Plugins/PluginManager.hpp index 1f4e6aee..21b57590 100644 --- a/kernel/src/Plugins/PluginManager.hpp +++ b/kernel/src/Plugins/PluginManager.hpp @@ -8,6 +8,7 @@ extern "C" #include } +extern bool is_Kit; namespace Mira { namespace Plugins diff --git a/kernel/src/Plugins/RemotePlayEnabler/RemotePlayEnabler.cpp b/kernel/src/Plugins/RemotePlayEnabler/RemotePlayEnabler.cpp index e24ddd36..3f39d317 100644 --- a/kernel/src/Plugins/RemotePlayEnabler/RemotePlayEnabler.cpp +++ b/kernel/src/Plugins/RemotePlayEnabler/RemotePlayEnabler.cpp @@ -10,8 +10,8 @@ extern "C" { - #include - #include +#include +#include }; using namespace Mira::Plugins; @@ -19,22 +19,20 @@ using namespace Mira::OrbisOS; RemotePlayEnabler::RemotePlayEnabler() { - } RemotePlayEnabler::~RemotePlayEnabler() { - } void RemotePlayEnabler::ProcessStartEvent(void *arg, struct ::proc *p) { - auto strncmp = (int(*)(const char *, const char *, size_t))kdlsym(strncmp); + auto strncmp = (int (*)(const char *, const char *, size_t))kdlsym(strncmp); if (!p) return; - char* s_TitleId = (char*)((uint64_t)p + 0x390); + char *s_TitleId = (char *)((uint64_t)p + 0x390); if (strncmp(s_TitleId, "NPXS20001", 9) == 0 && strcmp(p->p_comm, "SceShellUI") == 0) ShellUIPatch(); @@ -47,7 +45,9 @@ void RemotePlayEnabler::ProcessStartEvent(void *arg, struct ::proc *p) void RemotePlayEnabler::ResumeEvent() { + ShellUIPatch(); + RemotePlayPatch(); WriteLog(LL_Debug, "InstallEventHandlers finished"); return; @@ -57,14 +57,14 @@ bool RemotePlayEnabler::ShellUIPatch() { WriteLog(LL_Debug, "patching SceShellUI"); - struct ::proc* s_Process = Utilities::FindProcessByName("SceShellUI"); + struct ::proc *s_Process = Utilities::FindProcessByName("SceShellUI"); if (s_Process == nullptr) { WriteLog(LL_Error, "could not find SceShellUI"); return false; } - ProcVmMapEntry* s_Entries = nullptr; + ProcVmMapEntry *s_Entries = nullptr; size_t s_NumEntries = 0; auto s_Ret = Utilities::GetProcessVmMap(s_Process, &s_Entries, &s_NumEntries); if (s_Ret < 0) @@ -79,12 +79,12 @@ bool RemotePlayEnabler::ShellUIPatch() return false; } - uint8_t* s_ShellUITextStart = nullptr; + uint8_t *s_ShellUITextStart = nullptr; for (auto i = 0; i < s_NumEntries; ++i) { if (!memcmp(s_Entries[i].name, "executable", 10) && s_Entries[i].prot >= (PROT_READ | PROT_EXEC)) { - s_ShellUITextStart = (uint8_t*)s_Entries[i].start; + s_ShellUITextStart = (uint8_t *)s_Entries[i].start; break; } } @@ -97,19 +97,19 @@ bool RemotePlayEnabler::ShellUIPatch() WriteLog(LL_Debug, "SceShellUI .text: (%p)", s_ShellUITextStart); - uint8_t* s_ShellUIAppTextStart = nullptr; + uint8_t *s_ShellUIAppTextStart = nullptr; for (auto i = 0; i < s_NumEntries; ++i) { #if MIRA_PLATFORM < MIRA_PLATFORM_ORBIS_BSD_500 if (!memcmp(s_Entries[i].name, "libSceVsh_aot.sprx", 18) && s_Entries[i].prot >= (PROT_READ | PROT_EXEC)) { - s_ShellUIAppTextStart = (uint8_t*)s_Entries[i].start; + s_ShellUIAppTextStart = (uint8_t *)s_Entries[i].start; break; } #else if (!memcmp(s_Entries[i].name, "app.exe.sprx", 10) && s_Entries[i].prot >= (PROT_READ | PROT_EXEC)) { - s_ShellUIAppTextStart = (uint8_t*)s_Entries[i].start; + s_ShellUIAppTextStart = (uint8_t *)s_Entries[i].start; break; } #endif @@ -124,11 +124,11 @@ bool RemotePlayEnabler::ShellUIPatch() WriteLog(LL_Debug, "SceShellUI App .text: (%p)", s_ShellUIAppTextStart); // Free the entries we got returned - delete [] s_Entries; + delete[] s_Entries; s_Entries = nullptr; // `/system_ex/app/NPXS20001/eboot.bin` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_ShellUITextStart + ssu_CreateUserForIDU_patch), 4, (void*)"\x48\x31\xC0\xC3", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_ShellUITextStart + ssu_CreateUserForIDU_patch), 4, (void *)"\x48\x31\xC0\xC3", nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "ssu_CreateUserForIDU_patch"); @@ -137,19 +137,19 @@ bool RemotePlayEnabler::ShellUIPatch() #if MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_405 // `/system_ex/app/NPXS20001/libSceVsh_aot.sprx` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void*)"\xE9\x64\x02\x00\x00", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void *)"\xE9\x64\x02\x00\x00", nullptr, true); #elif MIRA_PLATFORM >= MIRA_PLATFORM_ORBIS_BSD_455 && MIRA_PLATFORM <= MIRA_PLATFORM_ORBIS_BSD_474 // `/system_ex/app/NPXS20001/libSceVsh_aot.sprx` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void*)"\xE9\x22\x02\x00\x00", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void *)"\xE9\x22\x02\x00\x00", nullptr, true); #elif MIRA_PLATFORM >= MIRA_PLATFORM_ORBIS_BSD_500 && MIRA_PLATFORM <= MIRA_PLATFORM_ORBIS_BSD_507 // `/system_ex/app/NPXS20001/psm/Application/app.exe.sprx` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void*)"\xE9\x82\x02\x00\x00", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void *)"\xE9\x82\x02\x00\x00", nullptr, true); #elif MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_620 // `/system_ex/app/NPXS20001/psm/Application/app.exe.sprx` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void*)"\xE9\xB8\x02\x00\x00", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void *)"\xE9\xB8\x02\x00\x00", nullptr, true); #elif MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_672 // `/system_ex/app/NPXS20001/psm/Application/app.exe.sprx` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void*)"\xE9\xBA\x02\x00\x00", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_ShellUIAppTextStart + ssu_remote_play_menu_patch), 5, (void *)"\xE9\xBA\x02\x00\x00", nullptr, true); #else s_Ret = -1; #endif @@ -168,14 +168,14 @@ bool RemotePlayEnabler::RemotePlayPatch() { WriteLog(LL_Debug, "patching SceRemotePlay"); - struct ::proc* s_Process = Utilities::FindProcessByName("SceRemotePlay"); + struct ::proc *s_Process = Utilities::FindProcessByName("SceRemotePlay"); if (s_Process == nullptr) { WriteLog(LL_Error, "could not find SceRemotePlay"); return false; } - ProcVmMapEntry* s_Entries = nullptr; + ProcVmMapEntry *s_Entries = nullptr; size_t s_NumEntries = 0; auto s_Ret = Utilities::GetProcessVmMap(s_Process, &s_Entries, &s_NumEntries); if (s_Ret < 0) @@ -190,12 +190,12 @@ bool RemotePlayEnabler::RemotePlayPatch() return false; } - uint8_t* s_RemotePlayTextStart = nullptr; + uint8_t *s_RemotePlayTextStart = nullptr; for (auto i = 0; i < s_NumEntries; ++i) { if (!memcmp(s_Entries[i].name, "executable", 10) && s_Entries[i].prot >= (PROT_READ | PROT_EXEC)) { - s_RemotePlayTextStart = (uint8_t*)s_Entries[i].start; + s_RemotePlayTextStart = (uint8_t *)s_Entries[i].start; break; } } @@ -209,11 +209,11 @@ bool RemotePlayEnabler::RemotePlayPatch() WriteLog(LL_Debug, "SceRemotePlay .text: (%p)", s_RemotePlayTextStart); // Free the entries we got returned - delete [] s_Entries; + delete[] s_Entries; s_Entries = nullptr; // `/system/vsh/app/NPXS21006/eboot.bin` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_RemotePlayTextStart + srp_enabler_patchA), 1, (void*)"\x01", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_RemotePlayTextStart + srp_enabler_patchA), 1, (void *)"\x01", nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "srp_enabler_patchA"); @@ -221,7 +221,7 @@ bool RemotePlayEnabler::RemotePlayPatch() } // `/system/vsh/app/NPXS21006/eboot.bin` - s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void*)(s_RemotePlayTextStart + srp_enabler_patchB), 2, (void*)"\xEB\x1E", nullptr, true); + s_Ret = Utilities::ProcessReadWriteMemory(s_Process, (void *)(s_RemotePlayTextStart + srp_enabler_patchB), 2, (void *)"\xEB\x1E", nullptr, true); if (s_Ret < 0) { WriteLog(LL_Error, "srp_enabler_patchB"); @@ -240,23 +240,25 @@ bool RemotePlayEnabler::OnLoad() { WriteLog(LL_Error, "could not get main mira thread"); return false; - } + } // Initialize the event handlers - auto eventhandler_register = (eventhandler_tag(*)(struct eventhandler_list *list, const char *name, void *func, void *arg, int priority))kdlsym(eventhandler_register); + auto eventhandler_register = (eventhandler_tag(*)(struct eventhandler_list * list, const char *name, void *func, void *arg, int priority)) kdlsym(eventhandler_register); - m_processStartEvent = eventhandler_register(NULL, "process_exec_end", reinterpret_cast(RemotePlayEnabler::ProcessStartEvent), NULL, EVENTHANDLER_PRI_LAST); - m_resumeEvent = eventhandler_register(NULL, "system_resume_phase4", reinterpret_cast(RemotePlayEnabler::ResumeEvent), NULL, EVENTHANDLER_PRI_LAST); + m_processStartEvent = eventhandler_register(NULL, "process_exec_end", reinterpret_cast(RemotePlayEnabler::ProcessStartEvent), NULL, EVENTHANDLER_PRI_LAST); + m_resumeEvent = eventhandler_register(NULL, "system_resume_phase4", reinterpret_cast(RemotePlayEnabler::ResumeEvent), NULL, EVENTHANDLER_PRI_LAST); - auto s_Ret = ShellUIPatch(); - if (s_Ret == false) { - WriteLog(LL_Error, "could not patch SceShellUI"); + auto s_Ret = RemotePlayPatch(); + if (s_Ret == false) + { + WriteLog(LL_Error, "could not patch SceRemotePlay"); return false; } - s_Ret = RemotePlayPatch(); - if (s_Ret == false) { - WriteLog(LL_Error, "could not patch SceRemotePlay"); + s_Ret = ShellUIPatch(); + if (s_Ret == false) + { + WriteLog(LL_Error, "could not patch SceShellUI"); return false; } diff --git a/kernel/src/Utils/Kdlsym/Default.hpp b/kernel/src/Utils/Kdlsym/Default.hpp index bfa76798..f8312d90 100644 --- a/kernel/src/Utils/Kdlsym/Default.hpp +++ b/kernel/src/Utils/Kdlsym/Default.hpp @@ -173,6 +173,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0xDEADCODE #define kdlsym_addr_wakeup 0xDEADCODE #define kdlsym_addr_Xfast_syscall 0xDEADCODE +#define kdlsym_addr_target_id 0xDEADCODE // FakeSelf hooks #define kdlsym_addr_sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId_hook 0xDEADCODE diff --git a/kernel/src/Utils/Kdlsym/Orbis176.hpp b/kernel/src/Utils/Kdlsym/Orbis176.hpp index 925105f1..1a81628c 100644 --- a/kernel/src/Utils/Kdlsym/Orbis176.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis176.hpp @@ -34,6 +34,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_critical_enter 0x0023DC30 #define kdlsym_addr_critical_exit 0x0023DC40 #define kdlsym_addr_dmem_start_app_process 0x0 +#define kdlsym_addr_target_id 0x0 #define kdlsym_addr_eventhandler_register 0x00267250 #define kdlsym_addr_exec_new_vmspace 0x00206A10 #define kdlsym_addr_faultin 0x003AA000 diff --git a/kernel/src/Utils/Kdlsym/Orbis405.hpp b/kernel/src/Utils/Kdlsym/Orbis405.hpp index 9bba1799..093873a0 100644 --- a/kernel/src/Utils/Kdlsym/Orbis405.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis405.hpp @@ -181,6 +181,8 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x00347900 #define kdlsym_addr_wakeup 0x0008A7C0 #define kdlsym_addr_Xfast_syscall 0x0030EB30 +//check +#define kdlsym_addr_target_id 0x0200151C // Kernel Hooks #define kdlsym_addr_printf_hook 0x018876A8 diff --git a/kernel/src/Utils/Kdlsym/Orbis455.hpp b/kernel/src/Utils/Kdlsym/Orbis455.hpp index 76476ddc..81cb2f7d 100644 --- a/kernel/src/Utils/Kdlsym/Orbis455.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis455.hpp @@ -181,7 +181,8 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x000182D0 #define kdlsym_addr_wakeup 0x00261140 #define kdlsym_addr_Xfast_syscall 0x003095D0 - +//check +#define kdlsym_addr_target_id 0x01B6D08C // Kernel Hooks #define kdlsym_addr_printf_hook 0x0199BDC8 diff --git a/kernel/src/Utils/Kdlsym/Orbis474.hpp b/kernel/src/Utils/Kdlsym/Orbis474.hpp index eb72d869..7bff185b 100644 --- a/kernel/src/Utils/Kdlsym/Orbis474.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis474.hpp @@ -181,7 +181,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x000182D0 #define kdlsym_addr_wakeup 0x002635C0 #define kdlsym_addr_Xfast_syscall 0x0030B7D0 - +#define kdlsym_addr_target_id 0x0 // Kernel Hooks #define kdlsym_addr_printf_hook 0x019A3E18 diff --git a/kernel/src/Utils/Kdlsym/Orbis501.hpp b/kernel/src/Utils/Kdlsym/Orbis501.hpp index b2f9a4bb..caa71dbd 100644 --- a/kernel/src/Utils/Kdlsym/Orbis501.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis501.hpp @@ -179,7 +179,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x00436020 #define kdlsym_addr_wakeup 0x003FB570 #define kdlsym_addr_Xfast_syscall 0x000001C0 - +#define kdlsym_addr_target_id 0x0 // Kernel Hooks #define kdlsym_addr_printf_hook 0x019FC168 diff --git a/kernel/src/Utils/Kdlsym/Orbis503.hpp b/kernel/src/Utils/Kdlsym/Orbis503.hpp index bf977091..042ad5bb 100644 --- a/kernel/src/Utils/Kdlsym/Orbis503.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis503.hpp @@ -179,6 +179,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x004363B0 #define kdlsym_addr_wakeup 0x003FB940 #define kdlsym_addr_Xfast_syscall 0x000001C0 +#define kdlsym_addr_target_id 0x0 // Kernel Hooks #define kdlsym_addr_printf_hook 0x019FC168 diff --git a/kernel/src/Utils/Kdlsym/Orbis505.hpp b/kernel/src/Utils/Kdlsym/Orbis505.hpp index a87d78ee..9e9a7318 100644 --- a/kernel/src/Utils/Kdlsym/Orbis505.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis505.hpp @@ -180,7 +180,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x004363F0 #define kdlsym_addr_wakeup 0x003FB940 #define kdlsym_addr_Xfast_syscall 0x000001C0 - +#define kdlsym_addr_target_id 0x01CD068D // Kernel Hooks #define kdlsym_addr_printf_hook 0x019FC168 diff --git a/kernel/src/Utils/Kdlsym/Orbis620.hpp b/kernel/src/Utils/Kdlsym/Orbis620.hpp index bb70065e..75690910 100644 --- a/kernel/src/Utils/Kdlsym/Orbis620.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis620.hpp @@ -213,7 +213,8 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_deci_tty_write 0x00185B00 #define kdlsym_addr_cloneuio 0x00396310 #define kdlsym_addr_printf_hook 0x01A9FD28 - +#define kdlsym_addr_target_id 0x0215DB8D +#define kdlsym_addr_sceRegMgrGetBin 0x00503E70 // SceShellCore patches - call sceKernelIsGenuineCEX #define ssc_sceKernelIsGenuineCEX_patchA 0x00186170 #define ssc_sceKernelIsGenuineCEX_patchB 0x0081ED20 diff --git a/kernel/src/Utils/Kdlsym/Orbis650.hpp b/kernel/src/Utils/Kdlsym/Orbis650.hpp index a265cb85..f92202f2 100644 --- a/kernel/src/Utils/Kdlsym/Orbis650.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis650.hpp @@ -133,6 +133,7 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define kdlsym_addr_vsnprintf 0x004363F0 // FFFFFFFF82323280 #define kdlsym_addr_Xfast_syscall 0x000001C0 // FFFFFFFF822001C0 lol #define kdlsym_addr_wakeup 0x003FB940 // FFFFFFFF82429CF0 +#define kdlsym_addr_target_id 0x0 // FakeSelf hooks #define kdlsym_addr_sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId_hook 0x0 @@ -157,12 +158,15 @@ for the platforms that do enable kernel ASLR (Address Space Layout Randomization #define ssc_sceKernelIsGenuineCEX_patchC 0x0 #define ssc_sceKernelIsGenuineCEX_patchD 0x0 + // SceShellCore patches - call nidf_libSceDipsw #define ssc_nidf_libSceDipsw_patchA 0x0 #define ssc_nidf_libSceDipsw_patchB 0x0 #define ssc_nidf_libSceDipsw_patchC 0x0 #define ssc_nidf_libSceDipsw_patchD 0x0 + + // SceShellCore patches - use free prefix instead fake #define ssc_fake_to_free_patch 0x0 diff --git a/kernel/src/Utils/Kdlsym/Orbis672.hpp b/kernel/src/Utils/Kdlsym/Orbis672.hpp index 4710bb0d..fd16049d 100644 --- a/kernel/src/Utils/Kdlsym/Orbis672.hpp +++ b/kernel/src/Utils/Kdlsym/Orbis672.hpp @@ -180,6 +180,7 @@ #define kdlsym_addr_vsnprintf 0x00123630 #define kdlsym_addr_wakeup 0x0022A0A0 #define kdlsym_addr_Xfast_syscall 0x000001C0 +#define kdlsym_addr_target_id 0x01BD800D // Kernel Hooks #define kdlsym_addr_printf_hook 0x01A9FE98 diff --git a/kernel/src/Utils/Kernel.hpp b/kernel/src/Utils/Kernel.hpp index 7584edc2..e924a5c8 100644 --- a/kernel/src/Utils/Kernel.hpp +++ b/kernel/src/Utils/Kernel.hpp @@ -32,19 +32,43 @@ typedef struct _ProcVmMapEntry #ifdef __cplusplus typedef enum SceAuthenticationId_t : uint64_t { - SceVdecProxy = 0x3800000000000003ULL, - SceVencProxy = 0x3800000000000004ULL, - Orbis_audiod = 0x3800000000000005ULL, - Coredump = 0x3800000000000006ULL, - SceSysCore = 0x3800000000000007ULL, - Orbis_setip = 0x3800000000000008ULL, - GnmCompositor = 0x3800000000000009ULL, - SceShellUI = 0x380000000000000fULL, // NPXS20001 - SceShellCore = 0x3800000000000010ULL, - NPXS20103 = 0x3800000000000011ULL, - NPXS21000 = 0x3800000000000012ULL, - // TODO: Fill in the rest - Decid = 0x3800000000010003, + + SceVdecProxy = 0x3800000000000003ULL, //same as SceSpkService + SceVencProxy = 0x3800000000000004ULL, + Orbis_audiod = 0x3800000000000005ULL, + Coredump = 0x3800000000000006ULL,// same as orbis-jsc-compiler.self + SceSysCore = 0x3800000000000007ULL, + Orbis_setip = 0x3800000000000008ULL, + GnmCompositor = 0x3800000000000009ULL, + SceShellUI = 0x380000000000000fULL, // NPXS20001 + SceShellCore = 0x3800000000000010ULL, + NPXS20103 = 0x3800000000000011ULL, + SceGameLiveStreaming = 0x3800000000000012ULL, //NPXS21000 samething and SceNKNetworkProcess + SCE_SYS_SERVICES = 0x3800000000010003ULL, + ScePartyDaemon = 0x3800000000000014ULL, + MaxAccess = 0x3801000000000013ULL, + SceAvCapture = 0x3800000000000015ULL, + SceVideoCoreServer = 0x3800000000000016ULL, + SceRemotePlay = 0x3800000000000019ULL, + mini_syscore = 0x3800000000000022ULL, + UNK_ICC = 0x3800800000000024ULL, + SceCloudClientDaemon = 0x3800000000000028ULL, + fs_cleaner = 0x380000000000001dULL, + sceSblACMgrIsAllowedToUsePupUpdate0 = 0x3800100000000001ULL, + SceNKWebProcess = 0x3800000000010003ULL, + SecureWebProcess = 0x3800000010000003ULL, + SecureUIProcess = 0x3800000000000033ULL, + SceSysAvControl = 0x380000000000001fULL, + SceSocialScreenMgr = 0x3800000000000037ULL, + SceSpZeroConf = 0x380000001000000EULL, + SceMusicCoreServer = 0x380000000000001aULL, + SceNKUIProcess = 0x380000000000003cULL, + sceSblACMgrHasUseHp3dPipeCapability = 0x3800000010000009ULL, + UNK_PFS = 0x380100000000000AULL, + sceSblACMgrHasUseHp3dPipeCapability2 = 0x380100000000002CULL, + OS_UPDATE = 0x3801000000000024ULL, + VTRM_ADMIN = 0x3800800000000002ULL, + Decid = 0x3800000000010003, } SceAuthenticationId; typedef enum SceCapabilities_t : uint64_t