Editing PSJailbreak Exploit Payload Reverse Engineering

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Writeup by phire =
Page Will be Updated Soon,stay tuned...
 
''' Source: phire at [https://web.archive.org/web/20120829232220/http://ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Reverse_Engineering ps3wiki.lan.st]'''
----
 
== Analysis of the PSJailbreak Exploit ==
 
=== Intro ===
 
The PSJailbreak dongle is a modchip for the PlayStation3 that allows users to backup and play games off the harddrive. Unlike the modchips of the Previous generation, or the modchips so far for the Xbox360 and Wii, this modchip simply plugs into the USB port on the front of the PS3, avoiding the need for complex soldering and voiding of your warranty.
 
As the time of writing this document, the final PSJailbreak has not been released, but a number of samples were given out and at least one fell into the hands of someone who owned a USB sniffer. This analysis of the exploit is based on those USB sniffer logs, issues encountered during the development of the opensource [http://github.com/psgroove/psgroove PSGroove] version of the exploit and a number of educated guesses. It will probably be updated as new information comes in.
 
The initial analysis by [http://www.gamefreax.de/psjailbreak-reverse-engineered.html gamefreax.de] suggested that it was a Stack overflow attack. After further analist it turns out that this exploit is a [http://en.wikipedia.org/wiki/Heap_overflow Heap Overflow] attack. The exploit carefully manipulates the heap by plugging and unplugging fake usb devices with large device descriptors until the device on port 4 which misreports its size to overwrite one of malloc's boundary tags.
 
----
 
=== The state of the PS3 ===
 
The exploit takes place while the PS3 is looking for the Jig (triggered by pressing eject within 200ms of pressing power). It is suspected that the ps3 spends around 5 seconds doing nothing but initializing devices on the USB bus, so there is little extra code running to mess the exploit up.
 
=== Setting up the heap ===
 
The PSJailbreak dongle emulates a 6 port USB hub. By attaching and detaching fake devices to the ports of the hub the dongle has control over the mallocing and freeing of various blocks of memory that hold the device and configuration descriptors.
 
==== Port one ====
 
After the hub has been initialized, a device is plugged into port one with a pid/vid of 0xAAAA/0x5555, It has 4 configurations with each one is 0xf00 bytes long. This is just under the size of 4k page, so malloc will have probably have request a new page for each one, unless it already has enough free space, but at least one will be aligned at the start of a page.
 
The dongle also changes the configuration the 2nd time it is read so that the configuration in the ps3 memory is only 18 bytes long.
 
It just so happens that that this data contains the payload that the exploit will jump to after gaining control of the execution, but that is not important for the exploit.
 
==== Port two ====
 
After the PS3 has finished reading the port one device descriptors, the dongle switches back to the address of the hub and reports that a device has been plugged into port two.
 
This device has a pid/vid of 0xAAAA/0xBBBB, and it has 1 configuration descriptor which is 22 bytes long. Only the first 18 bytes are real usb data and the remaining 4 bytes are:
<pre>  04 21 B4 2F 
</pre>
With a length of 04 and an invalid type byte, anything interpreting it as USB descriptor will probably skip over it and the last 2 bytes. It is suspected that this is just here to make this descriptor take up an exact amount of heap space.
 
==== Port Three ====
 
The port three device has a pid/vid of 0xAAAA/0x5555, the same as port one. Unlike the port one device it has 2 configuration descirptors, each 0xa4d bytes long The data that fills them is junk but it may or may not be relevant that if you treat the data as descriptors they will have valid lengths. These descriptors will probably be allocated to the start of a fresh 4kb page that follows the page with the last port one descriptor and port three descriptors.
 
==== Port Two Disconnect ====
 
After port three is connected, port two will be disconnected, this will cause the port two descriptors to be freed, which frees up some space between the Port One and Port Three descriptors.
 
----
 
=== The exploit ===
 
The heap is now prepared for our exploit.
 
==== Port Four Connection ====
 
A device is connected to port 4, with a pid/vid of 0xAAAA/0x5555 and 3 configurations.  
 
===== Configuration A =====
 
This is a normal configuration, 18 bytes long
 
===== Configuration B =====
 
This configuration is the same as Configuration A, except it changes its total length from 18 bytes to to zero bytes after the PS3 has read it the first time and allocated space for it.  
 
This is where things get vague, this is key to the exploit and will somehow cause the the extra data at the end of Configuration C to overwrite one of malloc's boundary tag, most likely the one belonging to Port Three.  
 
But the exact reason for this buffer overrun is hard to guess without actually seeing the exploited code.
 
===== Configuration C =====
 
This starts the same as configuration A, but has 14 bytes of extra data at the end.
<pre>.. .. 3e 21 00 00 00 00
fa ce b0 03 aa bb cc dd
80 00 00 00 00 46 50 00
80 00 00 00 00 3d ee 70
</pre>
The first 6 are just padding (but the 3e might be important if this ever gets interpreted as a USB descriptor.) Then there are 3 u64 values, each 8 bytes long.
 
The first two values are stored for use by the shell code later just before malloc's boundary tag.
 
The 3rd value overwrites the first value of the boundary tag, which is pointer to the next free section of memory. The replacement pointer will point to a function somewhere. This will cause a malloc to allocate memory in the wrong place, sometime in the future, allowing the exploit to overwrite an existing function.
 
==== Port Five ====
 
The dongle plugs the fake Jig into Port Five right after Port Four has done its job. It uses the same PID/VID that the original Sony Jig uses (0x054C/0x02EB) and probably the same configuration with the same end points.
 
It is suspected that because the Jig is a known device that the PS3 was waiting for, it's device and configuration descriptors will not be malloced into the heap.
 
The PS3 sends a 64 byte challenge to the fake Jig to authenticate it, and the dongle replies with 64 bytes of static data. The PS3 will malloc space for this response, and because the boundary tags have been modified by Port Four, malloc will return a pointer to 24 bytes before a function that has something to do with free and the 64 bytes of data will be written over top of the function.
 
At the point, no code has been patched yet, so the Jig's static response will fail to authenticate the jig.
 
==== Unplug Port Three ====
 
The dongle now sends a message that port 3 has been unplugged. This will cause the PS3 to free the Port Three's configuration data, the very same buffer which had its boundary tag overwritten by Port Four.
 
So our shellcode gets called, with R3 pointing to the boundary tag before Port Three's Configuration data.
 
==== The Shellcode ====
 
PPC Assembly:
<pre> ROM:00000018                ld    &nbsp;%r4, -0x10(%r3)
ROM:0000001C                ld    &nbsp;%r3, -8(%r3)
ROM:00000020
ROM:00000020 loc_20:                                # CODE XREF: sub_18+14�j
ROM:00000020                ld    &nbsp;%r5, 0x18(%r3)
ROM:00000024                addi  &nbsp;%r3,&nbsp;%r3, 0x1000
ROM:00000028                cmpw  &nbsp;%r4,&nbsp;%r5
ROM:0000002C                bne    loc_20
ROM:00000030                addi  &nbsp;%r6,&nbsp;%r3, -0xFE0
ROM:00000034                mtctr  &nbsp;%r6
ROM:00000038                bctr
</pre>
This takes a pointer to the corrupted boundary tags in r3.
 
r4 is loaded with the 0xFACEB003AABBCCDD tag, then r3 is loaded with 0x8000000000465000, both of these values are stored just before the boundary tag.
 
The shell code then scans every 4KB block (0x1000 bytes) starting at 0x8000000000465000, checking for 0xFACEB003AABBCCDD tag in the u64 at 0x18 in each page.
 
When it finds it, the shellcode will jump to offset 0x20 in the payload.
 
----
 
=== After the exploit ===
 
==== Cleanup ====
 
The exploit is now completed: Port Five, Port Four then Port One will be unplugged.
 
Hopefully the Payload will have copied itself out of the heap before Port One is unplugged.
 
==== Port Six ====
 
The device that gets plugged into Port Six has nothing to do with the exploit. It has a vid/pid of 0xAAAA/0xDEC0 (on the PPC, which is big endian, the pid is 0xC0DE).
 
The payload sends it a single byte (0xAA) control transfer so that the dongle will know that the exploit was successful so it can turn the green LED on to signal the user.
 
A function in the original PSJailbreak Payload will make sure that this device stays plugged in. If it is ever unplugged then it will call LV1_Panic and your PS3 will shutdown. PSGroove has removed this 'feature'.
 
----
 
=== The Payload ===
 
The actual payload is outside the scope of this document (There might be a 2nd document discussing the original PSJailbreak payload), but we will discuss the environment.
 
The payload will start in an unknown position, aligned to a 4KB boundary, it should either use position independent code, or copy itself to a known location. The payload has full control over the lv2 (aka gameos) kernel and anything below it. It doesn't have any control over lv1 (aka the hypervisor) without a 2nd exploit (the original Geohot exploit should still work.)
 
The Jig authentication code is most likely running in lv1 or an isolated SPU so it is not possible to patch it with this exploit.
 
The lv2 kernel is loaded at the time of the exploit, perfect for patching or you could replace it with something better like a linux kernel. A linux kernel running in this environment would have all the privilege of the regular gameos kernel.
 
----
 
''Written up by phire (aka phiren on EFnet). Thanks to Matt_P, subdub and others for helping develop this theory.''
 
''If you have any information to add, feel free to edit this document or use the discussion page.''
 
= Writeup by Mathieulh =
 
Here is my understanding of what the exploit payload does:
 
#It gets control at exploit_entry, which copies the rest of the payload to the fixed address 0x8000000000700000 and jumps to exploit_main.
 
#exploit_main copies a resident part of the payload to another location, creates virtual usb device driver called "mod" with 3 functions, hooks some vsh functions via toc entry and does some permanent in-ram patching. When the work is done it zeroes itself out.
 
#The resident part has basically 3 purposes: it manages virtual usb device, it does some on-the-fly patching and it hooks all the game disk file accesses from the vsh.
 
##The virtual usb device is needed to make sure the original ps3jb device is plugged in. Once the correct usb device is plugged (the one with the AAAAC0DE), device driver initializes the variable INITIALIZED to 1 (see kmod_func1 - probably "identify device", and kmod_func2 - "initialize device"). If one plugs the device out, the function kmod_func3_call_panic aka "term device" is called which causes a kernel panic. All the virtual usb device code can be removed completely from the open PSJB implementation since it is just a way of protection for the original ps3jb.
 
##The on-the-fly patching part of the code is probably called on virtual memory page remapping and does additional patching in-place. It identifies if the pages require patching but calculating its "hash" and comparing to the table entries. One of the patches enables developer menu/settings called "category_game_tool2.xml#root" which probably enables support of the pkgs and other dev stuff.
 
##The hooks from the vsh are intended to redirect all on-bdvd file requests (or probably just "open") from vsh to the hdd saved backup. The launcher saves the base directory of the game started and after that all the filenames are prepended with it. That is how the backup feature works. The lv1 still needs bdvd auth to launch the game, so the original disc in bdvd is still required.<br>
 
#Adds a Syscall (Syscall 36) which will be called by Backup Loader to activate the virtual bluray drive with the correct backed upped disk.
 
#Patches the return value from hypercall 99 so that we can launch unsigned apps.
 
The code below is from my idb of the payload:
<pre>
# ---------------------------------------------------------------------------
struct_patch_table struc # (sizeof=0x8)
addr_offset: .long&nbsp;? # offset
patch_value: .long&nbsp;? # value
struct_patch_table ends
 
# ===========================================================================
ROM:0000000000050B3C
ROM:0000000000050B3C # This looks like an existing function being overwritten to return 1 and use its content's space
ROM:0000000000050B3C # to add the payload.. any idea what was in it ?
ROM:0000000000050B3C sub_50B3C:
ROM:0000000000050B3C                li    &nbsp;%r3, 1
ROM:0000000000050B40                blr
ROM:0000000000050B40 # End of function sub_50B3C
ROM:0000000000050B40
ROM:0000000000050B44 # ---------------------------------------------------------------------------
ROM:0000000000050B44                b      some_additional_patching_on_the_fly
ROM:0000000000050B48 # ---------------------------------------------------------------------------
ROM:0000000000050B48                b      hook_open
ROM:0000000000050B48 # ---------------------------------------------------------------------------
ROM:0000000000050B4C                .quad 0x8000000000050CA8 # 50CA8 - ptr to Syscall 36
ROM:0000000000050B54                .quad 0x800000000033E720
ROM:0000000000050B5C                .quad 0x8000000000051032 # 51032 - structure for add_kmod {char* name, = "mod"
ROM:0000000000050B64                .quad 0x8000000000050B7C # 50B7C                          struct func *probe,
ROM:0000000000050B6C                .quad 0x8000000000050B8C # 50B8C                          struct func *initialize,
ROM:0000000000050B74                .quad 0x8000000000050B9C # 50B9C                          struct func *disconnect}
ROM:0000000000050B7C                .quad 0x8000000000050BD4 # 50BD4 - struct func {function_ptr, = kmod_func1
ROM:0000000000050B84                .quad 0x800000000033E720 #                      user_data?}
ROM:0000000000050B8C                .quad 0x8000000000050C1C # 50C1C - struct func {function_ptr, = kmod_func2
ROM:0000000000050B94                .quad 0x800000000033E720 #                      user_data?}
ROM:0000000000050B9C                .quad 0x8000000000050C78 # 50C78 - struct func {function_ptr, = kmod_func3
ROM:0000000000050BA4                .quad 0x800000000033E720 #                      user_data?}
ROM:0000000000050BAC                .quad 0x8000000000050C84 # 50C84 - ptr to set_initialized_flag (unused)
ROM:0000000000050BB4                .quad 0x800000000033E720 #                      user_data?}
ROM:0000000000050BBC GAME_NAME_PTR:  .quad 0
ROM:0000000000050BC4 GAME_MOUNTPOINT_PTR:.quad 0
ROM:0000000000050BCC INITIALIZED:    .long 0
ROM:0000000000050BD0                .byte    0
ROM:0000000000050BD1                .byte    0
ROM:0000000000050BD2                .byte    0
ROM:0000000000050BD3                .byte    0
ROM:0000000000050BD4
ROM:0000000000050BD4 # =============== S U B R O U T I N E =======================================
ROM:0000000000050BD4
ROM:0000000000050BD4
ROM:0000000000050BD4 kmod_func1:
ROM:0000000000050BD4
ROM:0000000000050BD4 .set var_80, -0x80
ROM:0000000000050BD4 .set arg_90,  0x90
ROM:0000000000050BD4
ROM:0000000000050BD4                stdu  &nbsp;%sp, var_80(%sp)
ROM:0000000000050BD8                mflr  &nbsp;%r0
ROM:0000000000050BDC                std    &nbsp;%r0, arg_90(%sp)
ROM:0000000000050BE0                li    &nbsp;%r4, 0
ROM:0000000000050BE4                li    &nbsp;%r5, 1
ROM:0000000000050BE8                bl      unk_D2998
ROM:0000000000050BEC                lwz    &nbsp;%r5, 8(%r3)
ROM:0000000000050BF0                li    &nbsp;%r3, 0
ROM:0000000000050BF4                lis    &nbsp;%r4, -0x5556 # 0xAAAAC0DE
ROM:0000000000050BF8                ori    &nbsp;%r4,&nbsp;%r4, -0x3F22 # 0xAAAAC0DE
ROM:0000000000050BFC                cmplw  &nbsp;%r4,&nbsp;%r5
ROM:0000000000050C00                beq    loc_50C08
ROM:0000000000050C04                li    &nbsp;%r3, -1
ROM:0000000000050C08
ROM:0000000000050C08 loc_50C08:                              # CODE XREF: kmod_func1+2C�j
ROM:0000000000050C08                extsw  &nbsp;%r3,&nbsp;%r3
ROM:0000000000050C0C                ld    &nbsp;%r0, arg_90(%sp)
ROM:0000000000050C10                mtlr  &nbsp;%r0
ROM:0000000000050C14                addi  &nbsp;%sp,&nbsp;%sp, 0x80
ROM:0000000000050C18                blr
ROM:0000000000050C18 # End of function kmod_func1
ROM:0000000000050C18
ROM:0000000000050C18 # ---------------------------------------------------------------------------
ROM:0000000000050C18
ROM:0000000000050C18            kmod_func1 (arg1):
ROM:0000000000050C18            {
ROM:0000000000050C18                char *desc = unk_D2998(arg1, 0, 1); /* get_device_descriptor? */
ROM:0000000000050C18                if(*(uint32_t *)(desc+8) == 0xAAAAC0DE) /* sorry for the ugly cast */
ROM:0000000000050C18                  return 0;
ROM:0000000000050C18                else
ROM:0000000000050C18                  return -1;
ROM:0000000000050C18            }
ROM:0000000000050C18
ROM:0000000000050C1C
ROM:0000000000050C1C # =============== S U B R O U T I N E =======================================
ROM:0000000000050C1C
ROM:0000000000050C1C
ROM:0000000000050C1C kmod_func2:
ROM:0000000000050C1C
ROM:0000000000050C1C .set var_80, -0x80
ROM:0000000000050C1C .set arg_70,  0x70
ROM:0000000000050C1C .set arg_90,  0x90
ROM:0000000000050C1C
ROM:0000000000050C1C                stdu  &nbsp;%sp, var_80(%sp)
ROM:0000000000050C20                mflr  &nbsp;%r0
ROM:0000000000050C24                std    &nbsp;%r0, arg_90(%sp)
ROM:0000000000050C28                li    &nbsp;%r4, 0
ROM:0000000000050C2C                bl      unk_D29C4
ROM:0000000000050C30                addi  &nbsp;%r4,&nbsp;%sp, arg_70
ROM:0000000000050C34                li    &nbsp;%r5, 0
ROM:0000000000050C38                std    &nbsp;%r5, 0(%r4)
ROM:0000000000050C3C                li    &nbsp;%r6, 0x21AA
ROM:0000000000050C40                sth    &nbsp;%r6, 0(%r4)
ROM:0000000000050C44                li    &nbsp;%r6, 0
ROM:0000000000050C48                sth    &nbsp;%r6, 6(%r4)
ROM:0000000000050C4C                li    &nbsp;%r6, 1
ROM:0000000000050C50                rldicr &nbsp;%r6,&nbsp;%r6, 63,0
ROM:0000000000050C54                oris  &nbsp;%r6,&nbsp;%r6, 5
ROM:0000000000050C58                ori    &nbsp;%r6,&nbsp;%r6, 0xBAC # 50bac, desc for set_initialized_flag
ROM:0000000000050C5C                li    &nbsp;%r7, 0
ROM:0000000000050C60                bl      unk_D292C
ROM:0000000000050C64                li    &nbsp;%r3, 0
ROM:0000000000050C68                ld    &nbsp;%r0, arg_90(%sp)
ROM:0000000000050C6C                mtlr  &nbsp;%r0
ROM:0000000000050C70                addi  &nbsp;%sp,&nbsp;%sp, 0x80
ROM:0000000000050C74                blr
ROM:0000000000050C74 # End of function kmod_func2
ROM:0000000000050C74
ROM:0000000000050C74 # ---------------------------------------------------------------------------
ROM:0000000000050C74
ROM:0000000000050C74            kmod_func2 (arg1):
ROM:0000000000050C74            {
ROM:0000000000050C74                uint64 buf;
ROM:0000000000050C74
ROM:0000000000050C74                unk_D29C4 (arg1, 0);
ROM:0000000000050C74                buf = 0;
ROM:0000000000050C74                ((short *)&amp;buf)[0] = 0x21AA;
ROM:0000000000050C74                ((short *)&amp;buf)[3] = 0;
ROM:0000000000050C74                unk_D292C (arg1, buf, 0, ptr_to_set_initialized_flag, 0) /* send 0xAA class-type SETUP request to the device */
ROM:0000000000050C74                return 0;
ROM:0000000000050C74            }
ROM:0000000000050C74
ROM:0000000000050C78
ROM:0000000000050C78 # =============== S U B R O U T I N E =======================================
ROM:0000000000050C78
ROM:0000000000050C78
ROM:0000000000050C78 kmod_func3_call_panic:
ROM:0000000000050C78                li    &nbsp;%r3, 0
ROM:0000000000050C7C                li    &nbsp;%r11, 0xFF
ROM:0000000000050C80                hvsc
ROM:0000000000050C80 # End of function kmod_func3_call_panic
ROM:0000000000050C80
ROM:0000000000050C80 # ---------------------------------------------------------------------------
ROM:0000000000050C80
ROM:0000000000050C80            kmod_func3:
ROM:0000000000050C80            {
ROM:0000000000050C80                hvsc(-1, 0); /* LV1 panic */
ROM:0000000000050C80            }
ROM:0000000000050C80
ROM:0000000000050C84
ROM:0000000000050C84 # =============== S U B R O U T I N E =======================================
ROM:0000000000050C84
ROM:0000000000050C84
ROM:0000000000050C84 set_initialized_flag:
ROM:0000000000050C84                cmpwi  &nbsp;%r3, 0
ROM:0000000000050C88                bne    locret_50CA4
ROM:0000000000050C8C                li    &nbsp;%r3, 1
ROM:0000000000050C90                rldicr &nbsp;%r3,&nbsp;%r3, 63,0
ROM:0000000000050C94                oris  &nbsp;%r3,&nbsp;%r3, 5
ROM:0000000000050C98                ori    &nbsp;%r3,&nbsp;%r3, 0xBBC # 50bbc
ROM:0000000000050C9C                li    &nbsp;%r4, 1
ROM:0000000000050CA0                stw    &nbsp;%r4, 0x10(%r3)  # INITIALIZED
ROM:0000000000050CA4
ROM:0000000000050CA4 locret_50CA4:                          # CODE XREF: set_initialized_flag+4�j
ROM:0000000000050CA4                blr
ROM:0000000000050CA4 # End of function set_initialized_flag
ROM:0000000000050CA4
ROM:0000000000050CA4 # ---------------------------------------------------------------------------
ROM:0000000000050CA4
ROM:0000000000050CA4            set_initialized_flag:
ROM:0000000000050CA4            {
ROM:0000000000050CA4                ptr_to_initialized = 1;
ROM:0000000000050CA4            }
ROM:0000000000050CA4
ROM:0000000000050CA8
ROM:0000000000050CA8 # =============== S U B R O U T I N E =======================================
ROM:0000000000050CA8
ROM:0000000000050CA8
ROM:0000000000050CA8 Syscall_36_activate_virtual_bluray_drive:
ROM:0000000000050CA8
ROM:0000000000050CA8 .set var_D0, -0xD0
ROM:0000000000050CA8 .set arg_70,  0x70
ROM:0000000000050CA8 .set arg_C8,  0xC8
ROM:0000000000050CA8 .set arg_E0,  0xE0
ROM:0000000000050CA8
ROM:0000000000050CA8                stdu  &nbsp;%sp, var_D0(%sp)
ROM:0000000000050CAC                mflr  &nbsp;%r0
ROM:0000000000050CB0                std    &nbsp;%r0, arg_E0(%sp)
ROM:0000000000050CB4                std    &nbsp;%r31, arg_C8(%sp)
ROM:0000000000050CB8                addi  &nbsp;%r4,&nbsp;%sp, arg_70
ROM:0000000000050CBC                bl      unk_1B3B3C                    # strdup %r3 into %r4 (pointing to arg_70 on the stack)
ROM:0000000000050CC0                li    &nbsp;%r31, 1
ROM:0000000000050CC4                rldicr &nbsp;%r31,&nbsp;%r31, 63,0
ROM:0000000000050CC8                oris  &nbsp;%r31,&nbsp;%r31, 5
ROM:0000000000050CCC                ori    &nbsp;%r31,&nbsp;%r31, 0xBBC # 50bbc
ROM:0000000000050CD0                ld    &nbsp;%r3, 0(%r31)
ROM:0000000000050CD4                cmpdi  &nbsp;%r3, 0
ROM:0000000000050CD8                beq    loc_50CE4
ROM:0000000000050CDC                li    &nbsp;%r4, 0x27      # we free previous redirected name if we must
ROM:0000000000050CE0                bl      free
ROM:0000000000050CE4
ROM:0000000000050CE4 loc_50CE4:                              # CODE XREF: +30�j
ROM:0000000000050CE4                li    &nbsp;%r4, 0x27
ROM:0000000000050CE8                li    &nbsp;%r3, 0x800      # alloc new one
ROM:0000000000050CEC                bl      alloc
ROM:0000000000050CF0                std    &nbsp;%r3, 0(%r31)
ROM:0000000000050CF4                ld    &nbsp;%r4, arg_70(%sp) # and copy new one here
ROM:0000000000050CF8                bl      strcpy
ROM:0000000000050CFC                ld    &nbsp;%r3, arg_70(%sp) # we free the passed one
ROM:0000000000050D00                li    &nbsp;%r4, 0x27
ROM:0000000000050D04                bl      free
ROM:0000000000050D08                ld    &nbsp;%r3, 0(%r31)
ROM:0000000000050D0C                bl      byte_4D318
ROM:0000000000050D10                ld    &nbsp;%r4, 0(%r31)    # we get strlen of game name
ROM:0000000000050D14                add    &nbsp;%r3,&nbsp;%r4,&nbsp;%r3
ROM:0000000000050D18                std    &nbsp;%r3, 8(%r31)    # and save the game path + strlen (the end of the string) in the mount path var
ROM:0000000000050D1C                li    &nbsp;%r3, 0
ROM:0000000000050D20                ld    &nbsp;%r31, arg_C8(%sp)
ROM:0000000000050D24                ld    &nbsp;%r0, arg_E0(%sp)
ROM:0000000000050D28                addi  &nbsp;%sp,&nbsp;%sp, 0xD0
ROM:0000000000050D2C                mtlr  &nbsp;%r0
ROM:0000000000050D30                blr
ROM:0000000000050D30 # End of function Syscall_36_activate_virtual_bluray_drive
ROM:0000000000050D30
ROM:0000000000050D30                Syscall_36_activate_virtual_bluray_drive (path):
ROM:0000000000050D30                {
ROM:0000000000050D30                  char *tmp = strdup (path);
ROM:0000000000050D30               
ROM:0000000000050D30                  if (global_game_path)
ROM:0000000000050D30                    free(global_game_path);
ROM:0000000000050D30                 
ROM:0000000000050D30                  global_game_path = malloc (2048);
ROM:0000000000050D30                  strcpy(global_game_path, tmp);
ROM:0000000000050D30                  free (tmp);
ROM:0000000000050D30                  global_game_path_end = global_game_path + strlen(global_game_path);
ROM:0000000000050D30                }
ROM:0000000000050D30               
ROM:0000000000050D30               
ROM:0000000000050D34
ROM:0000000000050D34 # =============== S U B R O U T I N E =======================================
ROM:0000000000050D34
ROM:0000000000050D34
ROM:0000000000050D34 hook_open:
ROM:0000000000050D34                                        # CODE XREF: ROM:0000000000050B48�j
ROM:0000000000050D34
ROM:0000000000050D34 .set var_A0, -0xA0
ROM:0000000000050D34 .set arg_70,  0x70
ROM:0000000000050D34 .set arg_78,  0x78
ROM:0000000000050D34 .set arg_80,  0x80
ROM:0000000000050D34 .set arg_88,  0x88
ROM:0000000000050D34 .set arg_98,  0x98
ROM:0000000000050D34 .set arg_B0,  0xB0
ROM:0000000000050D34
ROM:0000000000050D34                stdu  &nbsp;%sp, var_A0(%sp)
ROM:0000000000050D38                mflr  &nbsp;%r0
ROM:0000000000050D3C                std    &nbsp;%r28, arg_80(%sp)
ROM:0000000000050D40                std    &nbsp;%r29, arg_88(%sp)
ROM:0000000000050D44                std    &nbsp;%r31, arg_98(%sp)
ROM:0000000000050D48                std    &nbsp;%r26, arg_70(%sp)
ROM:0000000000050D4C                std    &nbsp;%r27, arg_78(%sp)
ROM:0000000000050D50                std    &nbsp;%r0, arg_B0(%sp)
ROM:0000000000050D54                mr    &nbsp;%r28,&nbsp;%r4
ROM:0000000000050D58                mr    &nbsp;%r29,&nbsp;%r3
ROM:0000000000050D5C                li    &nbsp;%r31, 1
ROM:0000000000050D60                rldicr &nbsp;%r31,&nbsp;%r31, 63,0
ROM:0000000000050D64                mr    &nbsp;%r3,&nbsp;%r29
ROM:0000000000050D68                mr    &nbsp;%r4,&nbsp;%r31
ROM:0000000000050D6C                oris  &nbsp;%r4,&nbsp;%r4, 5
ROM:0000000000050D70                ori    &nbsp;%r4,&nbsp;%r4, 0x1028 # 51028
ROM:0000000000050D74                li    &nbsp;%r5, 9
ROM:0000000000050D78                bl      strncmp        # we check if the file was requested from the bdvd
ROM:0000000000050D7C                cmpldi &nbsp;%r3, 0
ROM:0000000000050D80                bne    proceed
ROM:0000000000050D84                oris  &nbsp;%r31,&nbsp;%r31, 5
ROM:0000000000050D88                ori    &nbsp;%r31,&nbsp;%r31, 0xBBC # 50bbc
ROM:0000000000050D8C                lwz    &nbsp;%r3, 0x10(%r31) # we check if we initialized
ROM:0000000000050D8C                                        # see INITIALIZED set by a usb device kmod
ROM:0000000000050D8C                                        #
ROM:0000000000050D8C                                        # probably can remove this check without any consequences
ROM:0000000000050D90                cmplwi &nbsp;%r3, 0
ROM:0000000000050D94                beq    proceed
ROM:0000000000050D98                ld    &nbsp;%r3, 0(%r31)    # we check if we have GAME_NAME buffer allocated
ROM:0000000000050D9C                cmpldi &nbsp;%r3, 0
ROM:0000000000050DA0                beq    proceed
ROM:0000000000050DA4                ld    &nbsp;%r3, 8(%r31)    # GAME_MOUNTPOINT_PTR
ROM:0000000000050DA8                addi  &nbsp;%r4,&nbsp;%r29, 9    # we copy the path (+9) into the GAME_NAME allocated buffer
ROM:0000000000050DAC                bl      strcpy
ROM:0000000000050DB0                ld    &nbsp;%r29, 0(%r31)            # Change the path to the GAME_NAME buffer
ROM:0000000000050DB4
ROM:0000000000050DB4 proceed:                                # CODE XREF: calback_from_vsh_accessing_any_game_file+4C�j
ROM:0000000000050DB4                                        # calback_from_vsh_accessing_any_game_file+60�j ...
ROM:0000000000050DB4                mr    &nbsp;%r3,&nbsp;%r29
ROM:0000000000050DB8                b      proceed_to_original_call
ROM:0000000000050DB8 # End of function hook_open
ROM:0000000000050DB8               
ROM:0000000000050DB8               
ROM:0000000000050DB8                hook_open (path, mode, etc...):
ROM:0000000000050DB8                {
ROM:0000000000050DB8                  if (strncmp(path, "/dev_bdvd", 9) == 0 && initialized_flag == 1 && global_game_path != NULL) {
ROM:0000000000050DB8                      strcpy (global_game_path_end, path + 9);
ROM:0000000000050DB8                      path = global_game_path;
ROM:0000000000050DB8                  }
ROM:0000000000050DB8                  return original_open(path, mode, etc...);
ROM:0000000000050DB8                }
ROM:0000000000050DB8               
ROM:0000000000050DB8               
ROM:0000000000050DBC
ROM:0000000000050DBC # =============== S U B R O U T I N E =======================================
ROM:0000000000050DBC
ROM:0000000000050DBC
ROM:0000000000050DBC some_additional_patching_on_the_fly:    # CODE XREF: ROM:0000000000050B44�j
ROM:0000000000050DBC
ROM:0000000000050DBC .set var_1A0, -0x1A0
ROM:0000000000050DBC .set arg_78,  0x78
ROM:0000000000050DBC .set arg_80,  0x80
ROM:0000000000050DBC .set arg_88,  0x88
ROM:0000000000050DBC .set arg_90,  0x90
ROM:0000000000050DBC .set arg_98,  0x98
ROM:0000000000050DBC .set arg_1B0,  0x1B0
ROM:0000000000050DBC
ROM:0000000000050DBC                mflr  &nbsp;%r0
ROM:0000000000050DC0                stdu  &nbsp;%sp, var_1A0(%sp)
ROM:0000000000050DC4                std    &nbsp;%r27, arg_78(%sp)
ROM:0000000000050DC8                std    &nbsp;%r28, arg_80(%sp)
ROM:0000000000050DCC                std    &nbsp;%r29, arg_88(%sp)
ROM:0000000000050DD0                std    &nbsp;%r30, arg_90(%sp)
ROM:0000000000050DD4                std    &nbsp;%r31, arg_98(%sp)
ROM:0000000000050DD8                std    &nbsp;%r0, arg_1B0(%sp)
ROM:0000000000050DDC                mr    &nbsp;%r29,&nbsp;%r3
ROM:0000000000050DE0                mr    &nbsp;%r30,&nbsp;%r4
ROM:0000000000050DE4                li    &nbsp;%r31, 1
ROM:0000000000050DE8                rldicr &nbsp;%r31,&nbsp;%r31, 63,0
ROM:0000000000050DEC                ld    &nbsp;%r28, -0x6A00(%rtoc)
ROM:0000000000050DF0                ld    &nbsp;%r28, 0x68(%r28)
ROM:0000000000050DF4                ld    &nbsp;%r28, 0x18(%r28)
ROM:0000000000050DF8                ld    &nbsp;%r27, 0xF08(%rtoc)
ROM:0000000000050DFC                ld    &nbsp;%r9, 0x18(%r29)
ROM:0000000000050E00                lwz    &nbsp;%r9, 0x30(%r9)
ROM:0000000000050E04                rldicl &nbsp;%r9,&nbsp;%r9, 48,16
ROM:0000000000050E08                cmpwi  &nbsp;%r9, 0x29
ROM:0000000000050E0C                bne    loc_50E64
ROM:0000000000050E10                ld    &nbsp;%r4, 0x10(%r28)
ROM:0000000000050E14                rldicr &nbsp;%r5,&nbsp;%r4, 24,39
ROM:0000000000050E18                rldicl &nbsp;%r5,&nbsp;%r5, 8,56
ROM:0000000000050E1C                cmpwi  &nbsp;%r5, 0xFF
ROM:0000000000050E20                beq    loc_50E38
ROM:0000000000050E24                ori    &nbsp;%r4,&nbsp;%r4, 3
ROM:0000000000050E28                std    &nbsp;%r4, 0x10(%r28)
ROM:0000000000050E2C                li    &nbsp;%r3, 6
ROM:0000000000050E30                stw    &nbsp;%r3, 0(%r30)
ROM:0000000000050E34                b      loc_50E48
ROM:0000000000050E38 # ---------------------------------------------------------------------------
ROM:0000000000050E38
ROM:0000000000050E38 loc_50E38:                              # CODE XREF: some_additional_patching_on_the_fly+64�j
ROM:0000000000050E38                ori    &nbsp;%r4,&nbsp;%r4, 2
ROM:0000000000050E3C                std    &nbsp;%r4, 0x10(%r28)
ROM:0000000000050E40                li    &nbsp;%r3, 0x2C
ROM:0000000000050E44                stw    &nbsp;%r3, 0(%r30)
ROM:0000000000050E48
ROM:0000000000050E48 loc_50E48:                              # CODE XREF: some_additional_patching_on_the_fly+78�j
ROM:0000000000050E48                lwz    &nbsp;%r5, 4(%r28)
ROM:0000000000050E4C                ld    &nbsp;%r4, 8(%r28)
ROM:0000000000050E50                ld    &nbsp;%r3, 0(%r27)
ROM:0000000000050E54                add    &nbsp;%r9,&nbsp;%r3,&nbsp;%r5
ROM:0000000000050E58                std    &nbsp;%r9, 0(%r27)
ROM:0000000000050E5C                bl      memcpy
ROM:0000000000050E60                b      loc_50F24
ROM:0000000000050E64 # ---------------------------------------------------------------------------
ROM:0000000000050E64
ROM:0000000000050E64 loc_50E64:                              # CODE XREF: some_additional_patching_on_the_fly+50�j
ROM:0000000000050E64                mr    &nbsp;%r3,&nbsp;%r29
ROM:0000000000050E68                mr    &nbsp;%r4,&nbsp;%r30
ROM:0000000000050E6C                bl      unk_4E81C
ROM:0000000000050E70                mr    &nbsp;%r29,&nbsp;%r31
ROM:0000000000050E74                oris  &nbsp;%r29,&nbsp;%r29, 5
ROM:0000000000050E78                ori    &nbsp;%r29,&nbsp;%r29, 0xBD0 # 50bd0
ROM:0000000000050E7C                lwz    &nbsp;%r3, 0(%r29)
ROM:0000000000050E80                lwz    &nbsp;%r5, 4(%r28)
ROM:0000000000050E84                add    &nbsp;%r3,&nbsp;%r3,&nbsp;%r5
ROM:0000000000050E88                stw    &nbsp;%r3, 0(%r29)
ROM:0000000000050E8C                ld    &nbsp;%r4, 0x10(%r28)
ROM:0000000000050E90                rldicr &nbsp;%r5,&nbsp;%r4, 24,39
ROM:0000000000050E94                rldicl &nbsp;%r5,&nbsp;%r5, 8,56
ROM:0000000000050E98                cmpwi  &nbsp;%r5, 0xFF
ROM:0000000000050E9C                bne    loc_50F24
ROM:0000000000050EA0                ld    &nbsp;%r3, 0(%r27)    # here we probably are messing up with the htab entries
ROM:0000000000050EA0                                        # trying to patch the page on page change
ROM:0000000000050EA4                li    &nbsp;%r4, 0
ROM:0000000000050EA8                li    &nbsp;%r6, 0
ROM:0000000000050EAC
ROM:0000000000050EAC loc_50EAC:                              # CODE XREF: some_additional_patching_on_the_fly+104�j
ROM:0000000000050EAC                add    &nbsp;%r7,&nbsp;%r3,&nbsp;%r4
ROM:0000000000050EB0                lwz    &nbsp;%r5, 0(%r7)
ROM:0000000000050EB4                xor    &nbsp;%r6,&nbsp;%r6,&nbsp;%r5
ROM:0000000000050EB8                addi  &nbsp;%r4,&nbsp;%r4, 4
ROM:0000000000050EBC                cmpldi &nbsp;%r4, 0x400
ROM:0000000000050EC0                bne    loc_50EAC      # some kind of page hash
ROM:0000000000050EC4                lwz    &nbsp;%r3, 0(%r29)
ROM:0000000000050EC8                rldicr &nbsp;%r6,&nbsp;%r6, 32,31
ROM:0000000000050ECC                or    &nbsp;%r6,&nbsp;%r6,&nbsp;%r3
ROM:0000000000050ED0                li    &nbsp;%r3, 0
ROM:0000000000050ED4                stw    &nbsp;%r3, 0(%r29)
ROM:0000000000050ED8                mr    &nbsp;%r7,&nbsp;%r31
ROM:0000000000050EDC                oris  &nbsp;%r7,&nbsp;%r7, 5
ROM:0000000000050EE0                ori    &nbsp;%r7,&nbsp;%r7, 0xF70 # 50f70
ROM:0000000000050EE4
ROM:0000000000050EE4 loc_50EE4:                              # CODE XREF: some_additional_patching_on_the_fly+13C�j
ROM:0000000000050EE4                ld    &nbsp;%r3, 0(%r7)
ROM:0000000000050EE8                cmpldi &nbsp;%r3, 0
ROM:0000000000050EEC                beq    loc_50F24
ROM:0000000000050EF0                addi  &nbsp;%r7,&nbsp;%r7, 0x10  # we comapre the hash to the value in the table
ROM:0000000000050EF0                                        # and select a patch table accordingly
ROM:0000000000050EF4                cmpld  &nbsp;%r3,&nbsp;%r6
ROM:0000000000050EF8                bne    loc_50EE4
ROM:0000000000050EFC                ld    &nbsp;%r5, -8(%r7)
ROM:0000000000050F00                ld    &nbsp;%r7, 0(%r27)
ROM:0000000000050F04
ROM:0000000000050F04 loc_50F04:                              # CODE XREF: some_additional_patching_on_the_fly+164�j
ROM:0000000000050F04                lwz    &nbsp;%r3, 0(%r5)
ROM:0000000000050F08                cmplwi &nbsp;%r3, 0
ROM:0000000000050F0C                beq    loc_50F24
ROM:0000000000050F10                lwz    &nbsp;%r4, 4(%r5)
ROM:0000000000050F14                add    &nbsp;%r3,&nbsp;%r3,&nbsp;%r7
ROM:0000000000050F18                stw    &nbsp;%r4, 0(%r3)
ROM:0000000000050F1C                addi  &nbsp;%r5,&nbsp;%r5, 8    # we do the patching like we did it before
ROM:0000000000050F20                b      loc_50F04
ROM:0000000000050F24 # ---------------------------------------------------------------------------
ROM:0000000000050F24
ROM:0000000000050F24 loc_50F24:                              # CODE XREF: some_additional_patching_on_the_fly+A4�j
ROM:0000000000050F24                                        # some_additional_patching_on_the_fly+E0�j ...
ROM:0000000000050F24                li    &nbsp;%r3, 0
ROM:0000000000050F28                ld    &nbsp;%r27, arg_78(%sp)
ROM:0000000000050F2C                ld    &nbsp;%r28, arg_80(%sp)
ROM:0000000000050F30                ld    &nbsp;%r29, arg_88(%sp)
ROM:0000000000050F34                ld    &nbsp;%r30, arg_90(%sp)
ROM:0000000000050F38                ld    &nbsp;%r31, arg_98(%sp)
ROM:0000000000050F3C                ld    &nbsp;%r0, arg_1B0(%sp)
ROM:0000000000050F40                addi  &nbsp;%sp,&nbsp;%sp, 0x1A0
ROM:0000000000050F44                mtlr  &nbsp;%r0
ROM:0000000000050F48                blr
ROM:0000000000050F48 # End of function some_additional_patching_on_the_fly
ROM:0000000000050F48
ROM:0000000000050F4C
ROM:0000000000050F4C # =============== S U B R O U T I N E =======================================
ROM:0000000000050F4C
ROM:0000000000050F4C
ROM:0000000000050F4C sub_50F4C:
ROM:0000000000050F4C
ROM:0000000000050F4C .set var_B0, -0xB0
ROM:0000000000050F4C .set arg_98,  0x98
ROM:0000000000050F4C .set arg_A0,  0xA0
ROM:0000000000050F4C .set arg_A8,  0xA8
ROM:0000000000050F4C .set arg_C0,  0xC0
ROM:0000000000050F4C
ROM:0000000000050F4C                stdu  &nbsp;%sp, var_B0(%sp)
ROM:0000000000050F50                mflr  &nbsp;%r0
ROM:0000000000050F54                std    &nbsp;%r30, arg_A0(%sp)
ROM:0000000000050F58                std    &nbsp;%r31, arg_A8(%sp)
ROM:0000000000050F5C                std    &nbsp;%r29, arg_98(%sp)
ROM:0000000000050F60                std    &nbsp;%r0, arg_C0(%sp)
ROM:0000000000050F64                li    &nbsp;%r30, 0xFA0
ROM:0000000000050F68                li    &nbsp;%r31, 0xC8
ROM:0000000000050F6C                b      0xAB04
ROM:0000000000050F6C # End of function sub_50F4C
ROM:0000000000050F6C
ROM:0000000000050F6C # ---------------------------------------------------------------------------
ROM:0000000000050F70                .quad 0xA0556F3D002CB8FD
ROM:0000000000050F78                .quad 0x8000000000050FB8 # 50FB8
ROM:0000000000050F80                .quad 0x8C0A948C000D99B1
ROM:0000000000050F88                .quad 0x8000000000050FE0 # 50FE0
ROM:0000000000050F90                .quad 0xA2BC1A5600052ADC
ROM:0000000000050F98                .quad 0x8000000000051004 # 51004
ROM:0000000000050FA0                .quad 0x6B70280200020017
ROM:0000000000050FA8                .quad 0x8000000000050FD4 # 50FD4
ROM:0000000000050FB0                .quad 0
ROM:0000000000050FB8                patch &lt;0x305354, 0x38600082&gt;
ROM:0000000000050FC0                patch &lt;0x5F3FC0, 0x38600001&gt;
ROM:0000000000050FC8                patch &lt;0x5F3FC4, 0x4E800020&gt;
ROM:0000000000050FD0                .byte    0
ROM:0000000000050FD1                .byte    0
ROM:0000000000050FD2                .byte    0
ROM:0000000000050FD3                .byte    0
ROM:0000000000050FD4                patch &lt;0x2ED0C, 0x3BA00001&gt;
ROM:0000000000050FDC                .byte    0
ROM:0000000000050FDD                .byte    0
ROM:0000000000050FDE                .byte    0
ROM:0000000000050FDF                .byte    0
ROM:0000000000050FE0                patch &lt;0x22B888, 0x5F746F6F&gt; # here we patch vsh to use developer game_tool2.xml
ROM:0000000000050FE0                                        # instead of the retail xml
ROM:0000000000050FE8                patch &lt;0x22B88C, 0x6C322E78&gt;
ROM:0000000000050FF0                patch &lt;0x22B890, 0x6D6C2372&gt;
ROM:0000000000050FF8                patch &lt;0x22B894, 0x6F6F7400&gt;
ROM:0000000000051000                .byte    0
ROM:0000000000051001                .byte    0
ROM:0000000000051002                .byte    0
ROM:0000000000051003                .byte    0
ROM:0000000000051004                patch &lt;0xD68B8, 0x5F746F6F&gt; # same here
ROM:000000000005100C                patch &lt;0xD68BC, 0x6C322E78&gt;
ROM:0000000000051014                patch &lt;0xD68C0, 0x6D6C2372&gt;
ROM:000000000005101C                patch &lt;0xD68C4, 0x6F6F7400&gt;
ROM:0000000000051024                .byte    0
ROM:0000000000051025                .byte    0
ROM:0000000000051026                .byte    0
ROM:0000000000051027                .byte    0
ROM:0000000000051028 aDev_bdvd:      .string "/dev_bdvd"
ROM:0000000000051028                .byte 0
ROM:0000000000051032 aMod:          .string "mod"
ROM:0000000000051032                .byte 0
 
...
ROM:0000000000700000 USB_desc:      .byte 9, 2, 0x12, 0, 1, 0, 0, 0x80, 0xFA, 9, 4, 0, 0, 0, 0xFE, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0xFA, 0xCE, 0xB0, 3, 0xAA, 0xBB, 0xCC, 0xDD
ROM:0000000000700020
ROM:0000000000700020 # =============== S U B R O U T I N E =======================================
ROM:0000000000700020
ROM:0000000000700020
ROM:0000000000700020 exploit_entry:
ROM:0000000000700020                addi  &nbsp;%r3,&nbsp;%r3, -0x1000 # copy code and jump to main
ROM:0000000000700024                li    &nbsp;%r5, 0x1000
ROM:0000000000700028                li    &nbsp;%r4, 1
ROM:000000000070002C                rldicr &nbsp;%r4,&nbsp;%r4, 63,0
ROM:0000000000700030                oris  &nbsp;%r4,&nbsp;%r4, 0x70
ROM:0000000000700034
ROM:0000000000700034 loc_700034:                            # CODE XREF: exploit_entry+24�j
ROM:0000000000700034                addi  &nbsp;%r5,&nbsp;%r5, -8
ROM:0000000000700038                ldx    &nbsp;%r6,&nbsp;%r3,&nbsp;%r5
ROM:000000000070003C                stdx  &nbsp;%r6,&nbsp;%r4,&nbsp;%r5
ROM:0000000000700040                cmpldi &nbsp;%r5, 0
ROM:0000000000700044                bne    loc_700034
ROM:0000000000700048                addi  &nbsp;%r4,&nbsp;%r4, 0x80  # exploit_main
ROM:000000000070004C                mtctr  &nbsp;%r4
ROM:0000000000700050                bctr
ROM:0000000000700050 # End of function exploit_entry
ROM:0000000000700050
ROM:0000000000700050 # ---------------------------------------------------------------------------
ROM:0000000000700054            Shell code copy code:
ROM:0000000000700054
ROM:0000000000700054            t_u64* src_addr_r3 = start section ROM Addr
ROM:0000000000700054            t_u64* dest_addr_r4 = 0x8000 0000 0070 0000
ROM:0000000000700054            t_u64 size_bytes_r5 = 0x1000 / 4096
ROM:0000000000700054            t_u64 temp_value;
ROM:0000000000700054
ROM:0000000000700054            do
ROM:0000000000700054            {
ROM:0000000000700054              size_bytes_r5 -= 8;
ROM:0000000000700054              temp_value = *(t_u64*)(src_addr_r3+size_bytes_r5);
ROM:0000000000700054              *(t_u64*)(dest_addr_r4+size_bytes_r5) = temp_value;
ROM:0000000000700054            }while(size_bytes_r5&nbsp;!= 0)
ROM:0000000000700054            dest_addr_r4 = dest_addr_r4 + 0x80;
ROM:0000000000700054            jump dest_addr_r4;
ROM:0000000000700054
ROM:0000000000700054                .byte    0
...
ROM:000000000070007F                .byte    0
ROM:0000000000700080
ROM:0000000000700080 # =============== S U B R O U T I N E =======================================
ROM:0000000000700080
ROM:0000000000700080
ROM:0000000000700080 exploit_main:
ROM:0000000000700080
ROM:0000000000700080 .set var_B0, -0xB0
ROM:0000000000700080 .set var_A0, -0xA0
ROM:0000000000700080 .set arg_78,  0x78
ROM:0000000000700080 .set arg_80,  0x80
ROM:0000000000700080 .set arg_88,  0x88
ROM:0000000000700080 .set arg_90,  0x90
ROM:0000000000700080 .set arg_98,  0x98
ROM:0000000000700080 .set arg_A0,  0xA0
ROM:0000000000700080 .set arg_A8,  0xA8
ROM:0000000000700080 .set arg_B0,  0xB0
ROM:0000000000700080 .set arg_C0,  0xC0
ROM:0000000000700080
ROM:0000000000700080                mflr  &nbsp;%r0
ROM:0000000000700084                stdu  &nbsp;%sp, var_A0(%sp)
ROM:0000000000700088                std    &nbsp;%r27, arg_78(%sp)
ROM:000000000070008C                std    &nbsp;%r28, arg_80(%sp)
ROM:0000000000700090                std    &nbsp;%r29, arg_88(%sp)
ROM:0000000000700094                std    &nbsp;%r30, arg_90(%sp)
ROM:0000000000700098                std    &nbsp;%r31, arg_98(%sp)
ROM:000000000070009C                std    &nbsp;%r0, arg_B0(%sp)
ROM:00000000007000A0                li    &nbsp;%r31, 1
ROM:00000000007000A4                rldicr &nbsp;%r31,&nbsp;%r31, 63,0
ROM:00000000007000A8                mr    &nbsp;%r3,&nbsp;%r31
ROM:00000000007000AC                oris  &nbsp;%r3,&nbsp;%r3, 5
ROM:00000000007000B0                ori    &nbsp;%r3,&nbsp;%r3, 0xB3C # 50b3c
ROM:00000000007000B4                mr    &nbsp;%r4,&nbsp;%r31
ROM:00000000007000B8                oris  &nbsp;%r4,&nbsp;%r4, 0x70
ROM:00000000007000BC                ori    &nbsp;%r4,&nbsp;%r4, 0x1AC # 7001ac
ROM:00000000007000C0                li    &nbsp;%r5, 0x4FA
ROM:00000000007000C4                bl      memcpy          # we copy a part of the shellcode
ROM:00000000007000C8                mr    &nbsp;%r3,&nbsp;%r31
ROM:00000000007000CC                oris  &nbsp;%r3,&nbsp;%r3, 5
ROM:00000000007000D0                ori    &nbsp;%r3,&nbsp;%r3, 0xB3C
ROM:00000000007000D4                addi  &nbsp;%r3,&nbsp;%r3, 0x20  # 50b5c
ROM:00000000007000D8                bl      add_kmod_      # here we probably add some kernel module
ROM:00000000007000D8                                        # called "mod" for some usb? device
ROM:00000000007000D8                                        #
ROM:00000000007000D8                                        # it has 3 functions, see 50b5c +8,+10,+18
ROM:00000000007000DC                mr    &nbsp;%r3,&nbsp;%r31
ROM:00000000007000E0                oris  &nbsp;%r3,&nbsp;%r3, 5
ROM:00000000007000E4                ori    &nbsp;%r3,&nbsp;%r3, 0xB3C # 50b3c
ROM:00000000007000E8                mr    &nbsp;%r4,&nbsp;%r31
ROM:00000000007000EC                oris  &nbsp;%r4,&nbsp;%r4, 0x2E
ROM:00000000007000F0                ori    &nbsp;%r4,&nbsp;%r4, -0x4ED8 # 2eb128, Address of syscall table
ROM:00000000007000F4                addi  &nbsp;%r3,&nbsp;%r3, 0x10  # 50b4c
ROM:00000000007000F8                std    &nbsp;%r3, 0x120(%r4) # 2eb248 - this is in the syscall table
ROM:00000000007000F8                                        # we add a system call so that Backup Manager can
ROM:00000000007000F8                                        # activate the virtual bluray drive.
ROM:00000000007000FC                mr    &nbsp;%r5,&nbsp;%r31
ROM:0000000000700100                oris  &nbsp;%r5,&nbsp;%r5, 0x70
ROM:0000000000700104                ori    &nbsp;%r5,&nbsp;%r5, 0x150 # 700150
ROM:0000000000700108
ROM:0000000000700108 loc_700108:                            # CODE XREF: exploit_main+A4�j
ROM:0000000000700108                lwz    &nbsp;%r3, 0(%r5)
ROM:000000000070010C                cmplwi &nbsp;%r3, 0
ROM:0000000000700110                beq    loc_700128      # do patching by table
ROM:0000000000700114                lwz    &nbsp;%r4, 4(%r5)
ROM:0000000000700118                add    &nbsp;%r3,&nbsp;%r3,&nbsp;%r31
ROM:000000000070011C                stw    &nbsp;%r4, 0(%r3)
ROM:0000000000700120                addi  &nbsp;%r5,&nbsp;%r5, 8
ROM:0000000000700124                b      loc_700108
ROM:0000000000700128 # ---------------------------------------------------------------------------
ROM:0000000000700128
ROM:0000000000700128            Patch table code:
ROM:0000000000700128            t_u64 base_addr_r31 = 0x8000 0000 0000 0000
ROM:0000000000700128            t_u32* src_addr_r5 = 0x80000000 00070150
ROM:0000000000700128            t_u32 offset_dest_addr_r3;
ROM:0000000000700128            t_u32* dest_addr_r3;
ROM:0000000000700128            t_u32 tmp_value;
ROM:0000000000700128
ROM:0000000000700128            do
ROM:0000000000700128            {
ROM:0000000000700128                offset_dest_addr_r3 = src_addr_r5[0];
ROM:0000000000700128                if(offset_dest_addr_r3 == 0) /* End of Patch Tag */
ROM:0000000000700128                {
ROM:0000000000700128                  break;
ROM:0000000000700128                }
ROM:0000000000700128                tmp_value = src_addr_r5[1];
ROM:0000000000700128                dest_addr_r3 = (t_u32*)((t_u64)offset_dest_addr_r3+base_addr_r31);
ROM:0000000000700128                *dest_addr_r3 = tmp_value;
ROM:0000000000700128                src_addr_r5 = src_addr_r5+8;
ROM:0000000000700128            }while(1);
ROM:0000000000700128
ROM:0000000000700128
ROM:0000000000700128 loc_700128:                            # CODE XREF: exploit_main+90�j
ROM:0000000000700128                b      loc_7006B0
ROM:000000000070012C # ---------------------------------------------------------------------------
ROM:000000000070012C                stdu  &nbsp;%sp, var_B0(%sp)
ROM:0000000000700130                mflr  &nbsp;%r0
ROM:0000000000700134                std    &nbsp;%r30, arg_A0(%sp)
ROM:0000000000700138                std    &nbsp;%r31, arg_A8(%sp)
ROM:000000000070013C                std    &nbsp;%r29, arg_98(%sp)
ROM:0000000000700140                std    &nbsp;%r0, arg_C0(%sp)
ROM:0000000000700144                li    &nbsp;%r30, 2000
ROM:0000000000700148                li    &nbsp;%r31, 200
ROM:000000000070014C                b      0xAB04
ROM:000000000070014C # ---------------------------------------------------------------------------
ROM:0000000000700150
ROM:0000000000700150
ROM:0000000000700150 # struct  struct_patch_table { uint32_t addr_offset, uint32_t patch_value; }
ROM:0000000000700150 # Final addr patch =&gt; *(t_u32*)(0x80000000 00000000 + addr_offset) = patch_value
ROM:0000000000700150 patch_table_data:          struct_patch_table &lt;0x490E0, 0xE8820F08&gt; # ld      r4,3848(r2) } Patches return from
ROM:0000000000700158                            struct_patch_table &lt;0x490E4, 0xE87C0020&gt; # ld      r3,32(r28)  } Hypercall 99 so that
ROM:0000000000700160                            struct_patch_table &lt;0x490E8, 0xF8640000&gt; # std    r3,0(r4)    } we can launch unsigned apps.
ROM:0000000000700168                            struct_patch_table &lt;0x4F0A8, 0x48001A9D&gt; # bl      $+0x1a9c
ROM:0000000000700170                            struct_patch_table &lt;0x2AAFC8, 0x4BDA5B80&gt; # b      $+0xffda5b80
ROM:0000000000700178                            struct_patch_table &lt;0x4ED18, 0x38800000&gt; # li      r4,0
ROM:0000000000700180                            struct_patch_table &lt;0x4ED1C, 0x90830000&gt; # stw    r4,0(r3)
ROM:0000000000700188                            struct_patch_table &lt;0x4ED20, 0x4E800020&gt; # blr
ROM:0000000000700190                            struct_patch_table &lt;0x3BA890, 0x1000000&gt; # .long 0x1000000
ROM:0000000000700198                            struct_patch_table &lt;0x505D0, 0x38600001&gt; # li      r3,1
ROM:00000000007001A0                            struct_patch_table &lt;0x505D4, 0x4E800020&gt; # Last Tag; blr
ROM:00000000007001A8                            .long 0
ROM:00000000007001AC RELOCATED_CODE  .byte 0x38, 0x60, 0, 1, 0x4E, 0x80, 0, 0x20, 0x48, 0, 2, 0x78, 0x48, 0, 1, 0xEC, 0x80, 0, 0, 0, 0, 5, 0xC, 0xA8, 0x80, 0, 0, 0, 0, 0x33,
...
ROM:00000000007001AC                .byte 0x64, 0
ROM:00000000007006A6                .byte    0
ROM:00000000007006A7                .byte    0
ROM:00000000007006A8                .byte    0
ROM:00000000007006A9                .byte    0
ROM:00000000007006AA                .byte    0
ROM:00000000007006AB                .byte    0
ROM:00000000007006AC                .byte    0
ROM:00000000007006AD                .byte    0
ROM:00000000007006AE                .byte    0
ROM:00000000007006AF                .byte    0
ROM:00000000007006B0 # ---------------------------------------------------------------------------
ROM:00000000007006B0
ROM:00000000007006B0 loc_7006B0:                            # CODE XREF: exploit_main:loc_700128�j
ROM:00000000007006B0                ld    &nbsp;%r27, arg_78(%sp)
ROM:00000000007006B4                ld    &nbsp;%r28, arg_80(%sp)
ROM:00000000007006B8                ld    &nbsp;%r29, arg_88(%sp)
ROM:00000000007006BC                ld    &nbsp;%r30, arg_90(%sp)
ROM:00000000007006C0                ld    &nbsp;%r31, arg_98(%sp)
ROM:00000000007006C4                ld    &nbsp;%r0, arg_B0(%sp)
ROM:00000000007006C8                addi  &nbsp;%sp,&nbsp;%sp, 0xA0
ROM:00000000007006CC                mtlr  &nbsp;%r0
ROM:00000000007006D0                li    &nbsp;%r3, 1
ROM:00000000007006D4                rldicr &nbsp;%r3,&nbsp;%r3, 63,0
ROM:00000000007006D8                oris  &nbsp;%r3,&nbsp;%r3, 0x70  # 700000
ROM:00000000007006DC                li    &nbsp;%r4, 0
ROM:00000000007006E0                li    &nbsp;%r5, 0x6E8
ROM:00000000007006E4                b      memset          # we exit by zeroing the payload in mem
ROM:00000000007006E4 # End of function exploit_main
</pre>
 
 
{{Custom Firmware}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)