Editing PS3 Payload Development
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== | === Preface === | ||
=== About KDSBest === | |||
I'm working as an software engineer. I started developing software when i was an 12 years old kid. Later i started working on my reversing and hackings skills. I always wanted to jump on a console hacking scene. I was always well informed about the different console scenes, but most scene start with a nearly full hack, PS3 is different, nothing was known when the PSJailbreak Team came up with his hack. Now here i am, trying to help developers to develope payloads. I learn at the moment alot myself, so don't blame me to hard if i make an mistake. ;) | |||
KDSBest's Twitter | |||
=== Assembler is dead -.- === | |||
It's true, almost no one need assembler anymore but for reversing we need it, because we need to understand what the CPU does. In alot cases we just have an dump to extract this information. I use the PL3 lv2_dump_analyser.idc script to reverse my lv2 dump with IDA. | |||
=== Resources === | === Resources === | ||
IBM Instruction Set | |||
Another Instruction Set | |||
Thanks to KaKaRoToKS | |||
=== | === Why do we develope Payloads? === | ||
There are alot reasons. I give you some: | |||
*Want to have a better knowledge about the GameOS/Hypervisor | |||
*Want to play backups (Hermes Gamepad patch etc.) | |||
*Want to cheat or modify a game | |||
*Want to have fun | |||
*... | |||
=== PL3 === | |||
Structure of PL3 | |||
payload_dev.S Is the main "File", this includes everything and has the jailbreak in it (payload_main:) | payload_dev.S Is the main "File", this includes everything and has the jailbreak in it (payload_main:) | ||
Line 25: | Line 34: | ||
'''firmware_symbols.h.S''' Defines the most common firmware Symbols (ex. strncmp) | '''firmware_symbols.h.S''' Defines the most common firmware Symbols (ex. strncmp) | ||
'''map_open_path.h.S''' Base function for the Syscall 35 which is added. | '''map_open_path.h.S''' Base function for the Syscall 35 which is added. (dunno much about it at the moment) | ||
'''memory_patching.h.S''' | '''memory_patching.h.S''' dunno at the moment | ||
'''send_eth.h.S''' Function used to init the eth device. | '''send_eth.h.S''' Function used to init the eth device. | ||
Line 33: | Line 42: | ||
'''send_eth_res.h.S''' Function for sending data via eth. (Protocol is 0x1337) | '''send_eth_res.h.S''' Function for sending data via eth. (Protocol is 0x1337) | ||
'''memory_patching_res.h.S''' | '''memory_patching_res.h.S''' dunno at the moment | ||
'''dev_syscalls.h.S''' Peek and Poke functions | '''dev_syscalls.h.S''' Peek and Poke functions | ||
Line 58: | Line 67: | ||
=== Handy Macros === | === Handy Macros === | ||
'''MEM_BASE2''' is defined in the '''firmware_symbols.h.S''' | '''MEM_BASE2''' is defined in the '''firmware_symbols.h.S''' | ||
'''ADDR_IN_PAGE''' | |||
<pre> | |||
#define ADDR_IN_PAGE(target) (PAYLOAD_OFFSET_IN_PAGE + (target) - payload_entry) | |||
<pre> | |||
'''ADDR_IN_MEM2''' calculates the adress relative to the RESIDENT_AREA_OFFSET (resident_area_start) | '''ADDR_IN_MEM2''' calculates the adress relative to the RESIDENT_AREA_OFFSET (resident_area_start) | ||
<pre>#define ADDR_IN_MEM2(target) ((target) - RESIDENT_AREA_OFFSET)</pre> | <pre>#define ADDR_IN_MEM2(target) ((target) - RESIDENT_AREA_OFFSET)</pre> | ||
'''ABSOLUTE_MEM2''' | '''ABSOLUTE_MEM2''' calculates the adress relative to the current position. So you can give your banches an absolute memory address and it calculates the branch address to it for you. | ||
calculates the adress relative to the current position. So you can give your banches an absolute memory address and it calculates the branch address to it for you. | |||
<pre>// Absolute branching | <pre>// Absolute branching | ||
#define ABSOLUTE_MEM2(target) (target - (MEM_BASE2 + ADDR_IN_MEM2(.)))</pre> | #define ABSOLUTE_MEM2(target) (target - (MEM_BASE2 + ADDR_IN_MEM2(.)))</pre> | ||
<pre>// Dynamic macros to load a label into a register | <pre>// Dynamic macros to load a label into a register | ||
define MEM_BASE(dest) \ | |||
li dest, 1; \ | li dest, 1; \ | ||
Line 90: | Line 103: | ||
<pre>// Add system calls. Use only in exploit_main because of registers used... | <pre>// Add system calls. Use only in exploit_main because of registers used... | ||
define ADD_SYSCALL(source, ptr, num) \ | |||
LOAD_LABEL2 (%r3, source, ptr); \ | LOAD_LABEL2 (%r3, source, ptr); \ | ||
Line 97: | Line 110: | ||
<pre>// For loading an absolute value | <pre>// For loading an absolute value | ||
define LOAD_ABS(dest, source, address) LOAD_LABEL(0, dest, source, address) | |||
define LOADI_ABS(dest, address) LOAD_ABS(dest, dest, address)</pre> | |||
<pre>// Absolute .quads | <pre>// Absolute .quads | ||
Line 105: | Line 118: | ||
// makes it easy since PPC is big endian. | // makes it easy since PPC is big endian. | ||
define QUAD_MEM2(address) \ | |||
.long 0x80000000; \ | .long 0x80000000; \ | ||
Line 111: | Line 124: | ||
<pre>/* Patch Table Macros */ | <pre>/* Patch Table Macros */ | ||
define PATCH_INST(offset, instruction...) \ | |||
.long offset; \ | .long offset; \ | ||
Line 191: | Line 204: | ||
<pre>// Copy functions that need to stay resident in memory to MEM_BASE2 | <pre>// Copy functions that need to stay resident in memory to MEM_BASE2 | ||
define COPY_RESIDENT_AREA(base, page) \ | |||
LOAD_LABEL (MEM_BASE2, %r3, base, 0); \ | LOAD_LABEL (MEM_BASE2, %r3, base, 0); \ | ||
Line 198: | Line 211: | ||
bl pl3_memcpy; \ | bl pl3_memcpy; \ | ||
</pre> | </pre> | ||
Source codes are from PL3 | |||
=== Understanding the Hack === | === Understanding the Hack === | ||
=== Patching === | === Patching === | ||
=== Hooking a function (strncmp) === | === Hooking a function (strncmp) === | ||
I try to explain how to do it with the PL3. PL3 loads a patch_table (see below). This patches are applied to the memory. | I try to explain how to do it with the PL3. PL3 loads a patch_table (see below). This patches are applied to the memory. | ||
Line 312: | Line 322: | ||
Now our strncmp gets hooked and our function will get called and we jump back to the strncmp. | Now our strncmp gets hooked and our function will get called and we jump back to the strncmp. | ||
Why this won't work that easy and why we jump to "strncmp+4" will be more clear in "Recreate overwritten code". | Why this won't work that easy and why we jump to "strncmp+4" will be more clear in "Recreate overwritten code". | ||
=== Recreate overwritten code === | === Recreate overwritten code === | ||
Line 407: | Line 417: | ||
#endif | #endif | ||
</pre> | </pre> | ||
That we jump to "strncmp+4" should be clear now, we have to "overjump" our branch to hook_strncmp. | That we jump to "strncmp+4" should be clear now, we have to "overjump" our branch to hook_strncmp. | ||
=== Saving the Register === | === Saving the Register === | ||
Line 449: | Line 459: | ||
After that we get space on the stack for our register data. | After that we get space on the stack for our register data. | ||
stdu %r1, -0x100(%r1) | |||
Saving the register | Saving the register | ||
Line 463: | Line 473: | ||
<pre> mtlr %r0 </pre> | <pre> mtlr %r0 </pre> | ||
[Not tested] We use this in our code, so we can do our own crap without destroying something: | [Not tested] We use this in our code, so we can do our own crap without destroying something: | ||
<pre> | <pre> | ||
#ifndef __STRNCMP_HACK_H_S__ | #ifndef __STRNCMP_HACK_H_S__ | ||
Line 482: | Line 491: | ||
bl load_regs | bl load_regs | ||
//Restore stack | //Restore stack | ||
<pre> addi %r1, %r1, 0x100 </pre> | |||
//Restore link Register | //Restore link Register | ||
mtlr %r0 | mtlr %r0 | ||
Line 489: | Line 498: | ||
//Branch original strncmp | //Branch original strncmp | ||
b ABSOLUTE_MEM2(strncmp + 4) | b ABSOLUTE_MEM2(strncmp + 4) | ||
#endif | #endif | ||
=== Doing our own crap === | <pre> | ||
=== Modify a function === | |||
=== Doing our own crap === | |||
=== Debug via ETH === | === Debug via ETH === | ||
=== Creating a Syscall (explained on Peek & Poke) === | |||
=== What next? === | |||
</pre> | |||
Credit | |||
Tutorial written by KDSBest | |||
=== Creating a Syscall (explained on Peek & Poke) === | |||
=== | |||
Thanks to | |||
KaKaRoToKS | |||
Mathieulh | |||
Hermes | |||
brandonw | |||
Irv | |||
phirenz | |||
Retrieved from "http://ps3wiki.lan.st/index.php/PS3_Payload_Developement" |