yuanzhe1999/ps5-linux-loader
1
0
Fork 0
mirror of https://github.com/ps5-linux/ps5-linux-loader.git synced 2026-05-13 18:22:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

some tidy up

Browse Source
This commit is contained in:
Mateico
2026-05-13 09:37:44 +02:00
parent 8e60126031
commit 01436f0a6b
13 changed files with 180 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
include/loader.h
View File

@@ -1,3 +1,6 @@
#ifndef LOADER_H
#define LOADER_H
#include "utils.h"
#include <stdint.h>
@@ -8,3 +11,5 @@ void pte_store(uintptr_t ptep, uint64_t pte);
int read_file(const char *path, void *buf, size_t bufsize);
void trim_newline(char *s);
int fetch_linux(struct linux_info *info);
#endif

8
include/main.h
View File

@@ -1,8 +0,0 @@
#ifndef MAIN_H
#define MAIN_H
int main(void);
int setup_env(void);
int prepare_resume(void);
#endif

12
include/prepare_resume.h Normal file
View File

@@ -0,0 +1,12 @@
#ifndef PREPARE_RESUME_H
#define PREPARE_RESUME_H
#include "utils.h"
extern struct linux_info linux_i;
int prepare_resume(void);
int update_sck_data_ptr (void* sc, uint64_t dest_text, uint64_t dest_data);
void hook_call_near(uint64_t hook, uint64_t dst);
void prepare_sck_args(uint64_t dest_data);
#endif

12
include/utils.h
View File

@@ -56,6 +56,18 @@ extern uint32_t fw; // Defined on utils.c
extern uint64_t vmcb_pa[16]; // Defined on hv_defeat.c
extern struct linux_info linux_i; // Declared on main.c
int setup_env(void);
static inline void kwrite_large(uint64_t ka, void* src, uint64_t len) {
uint32_t CHUNK = 0x1000;
uint64_t written = 0;
while (written < len) {
uint32_t n = (len - written > CHUNK) ? CHUNK : (uint32_t)(len - written);
kernel_copyin(src + written, ka + written, n);
written += n;
}
}
static inline void kwrite(uint64_t ka, void *src, uint64_t len) {
kernel_copyin(src, ka, len);
}

6
shellcode_hypervisor/main.c
View File

@@ -6,8 +6,6 @@
__attribute__((section(".entry_point"), naked)) uint32_t main(void) {
// We enter this function after CR3 was updated to 1:1 mapping
// We need to point RSP/RBP to a good known valid address
uint32_t ebax, ebx, ecx, edx;
uint32_t cpu_id;
@@ -17,12 +15,10 @@ __attribute__((section(".entry_point"), naked)) uint32_t main(void) {
cpu_id = (ebx >> 24) & 0xFF;
// We point to a location after the main linux boot code
// Each CPU should have a different location
// Each CPU should have a different stack
uintptr_t new_rsp =
(uintptr_t)hv_base_rsp + ((uint64_t)(cpu_id)*hv_stack_size);
// WARNING: This invalidates current local variables
__asm__ volatile("movq %0, %%rsp \n\t"
"movq %%rsp, %%rbp \n\t"
:

8
shellcode_hypervisor/shellcode_hypervisor_args.h
View File

@@ -1,9 +1,7 @@
// This file is shared between kernel shellcode and hypervisor shellcode
#include <stdint.h>
typedef struct {
uint64_t bzimage_pa; // Already relocated by Kernel shellcode
uint64_t initrd_pa; // Already relocated by Kernel shellcode
uint64_t linux_info_pa; // Already relocated by Kernel shellcode
uint64_t bzimage_pa;
uint64_t initrd_pa;
uint64_t linux_info_pa;
} shellcode_hypervisor_args;

2
shellcode_hypervisor/utils.c
View File

@@ -96,12 +96,10 @@ void wrmsr(uint32_t msr, uint64_t val) {
__asm__ __volatile__("wrmsr" : : "a"(low), "d"(high), "c"(msr));
}
// Map FreeBSD atomic_add_32 to GCC builtin
void atomic_add_32(volatile uint32_t *p, uint32_t v) {
__sync_fetch_and_add(p, v);
}
// Map FreeBSD atomic_cmpset_32 to GCC builtin
int atomic_cmpset_32(volatile uint32_t *dst, uint32_t exp, uint32_t src) {
return __sync_bool_compare_and_swap(dst, exp, src);
}

39
shellcode_kernel/kernel_code.c
View File

@@ -9,11 +9,11 @@
#define TRANSMITTER_CONTROL_ENABLE 1
#define TRANSMITTER_CONTROL_SET_VOLTAGE_AND_PREEMPASIS 11
int (*transmitter_control)(int cmd, void *control) = NULL; // Filled by main.c
int (*mp3_initialize)(int vmid) = NULL; // Filled by main.c
int (*mp3_invoke)(int cmd_id, void *req, void *rsp) = NULL; // Filled by main.c
int (*transmitter_control)(int cmd, void *control) = NULL;
int (*mp3_initialize)(int vmid) = NULL;
int (*mp3_invoke)(int cmd_id, void *req, void *rsp) = NULL;
uint64_t g_vbios; // Filled by main.c
uint64_t g_vbios;
typedef struct {
uint8_t lanenum;
@@ -95,39 +95,31 @@ static int mp3_enable_output(int be, int mode) {
static void patch_hv(void) {
// Install identity map for HV
// HV Shellcode 1 it's updating CR3
uint64_t identity_cr3 = cave_hv_paging; // P, RW, US=0
uint64_t identity_pml4_0 =
identity_cr3 +
0x1003ULL; // P, RW, US=0 - 512GB // offset 0 +0x1000 from PML4
uint64_t l40_l3_addr = PAGE_PA(identity_pml4_0); // addr PML4[0]
uint64_t identity_cr3 = cave_hv_paging;
uint64_t identity_pml4_0 = identity_cr3 + 0x1003ULL;
uint64_t l40_l3_addr = PAGE_PA(identity_pml4_0);
uint64_t identity_pml40_l3[] = {
0x0000000000000083, // P, RW, US=0 - 0 GB to 1 GB
0x0000000040000083, // P, RW, US=0 - 1 GB to 2 GB
0x0000000080000083, // P, RW, US=0 - 3 GB to 3 GB
0x00000000C0000083, // P, RW, US=0 - 4 GB to 4 GB
0x0000000100000083 // P, RW, US=0 - 5 GB to 6 GB --> Our paging structure
0x0000000000000083,
0x0000000040000083,
0x0000000080000083,
0x00000000C0000083,
0x0000000100000083
};
uint64_t l3_size = sizeof(identity_pml40_l3) / sizeof(identity_pml40_l3[0]);
// Create the map in memory
*(uint64_t *)PHYS_TO_DMAP(identity_cr3) = identity_pml4_0;
for (uint64_t i = 0; i < l3_size; i++) {
*(uint64_t *)PHYS_TO_DMAP(l40_l3_addr + i * 8) = identity_pml40_l3[i];
}
// Install hv_shellcode 2
memcpy((void *)PHYS_TO_DMAP(cave_hv_code), shellcode_hypervisor,
shellcode_hypervisor_len);
// Jump to shellcode final identity mapping
uint8_t shellcode_jmp[] = {
0x48, 0xC7, 0xC0, 0x00, 0x6F, 0x80, 0x62, // mov rax, 0x62806f00
0xFF, 0xE0, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, // jmp rax
0x48, 0xC7, 0xC0, 0x00, 0x6F, 0x80, 0x62,
0xFF, 0xE0, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3,
0xC3, 0xC3};
// Update code cave in hv 1:1 region
*(uint32_t *)(&shellcode_jmp[3]) = (uint32_t)args.hv_code_cave_pa;
// Just patch the VMEXIT handler directly, avoiding all checks
@@ -143,12 +135,9 @@ static void patch_hv(void) {
0xFF, 0xE0 // jmp rax
};
// Update CR3 PA (from config)
*(uint64_t *)(&shellcode_identity_and_jmp[2]) = cave_hv_paging;
// Update HV shellcode cave
*(uint64_t *)(&shellcode_identity_and_jmp[15]) = cave_hv_code;
// Install shellcode 1 to update CR3 and jump to main HV shellcode
memcpy((void *)PHYS_TO_DMAP(args.hv_code_cave_pa), shellcode_identity_and_jmp,
sizeof(shellcode_identity_and_jmp));
}

60
shellcode_kernel/main.c
View File

@@ -3,19 +3,11 @@
#include "utils.h"
#include <stdint.h>
#define MSR_EFER 0xC0000080
shellcode_kernel_args args = {0};
shellcode_kernel_args args = {
.fw_version = 0xDEADBEEF, .fun_printf = 0x0, .vmcb = {0}};
// We are being called instead of AcpiSetFirmwareWakingVector from
// acpi_wakeup_machdep
__attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
uint64_t add2) {
// We will do main checks on .text only with a reference to .data to avoid
// fixed offsets first After NPTs are disabled, we can continue nornmally
// using all the variables in .data that are embedded in shellcode
volatile shellcode_kernel_args *args_ptr =
(volatile shellcode_kernel_args
*)0x11AA11AA11AA11AA; // To be replaced with proper address in .kdata
@@ -24,12 +16,10 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
// "Hide" the pointer from the optimizer
__asm__ volatile("" : "+r"(args_ptr));
// We don't have required information - Abort
if ((args_ptr->fun_printf & 0xFFFF) == 0) {
goto out;
}
// Activate UART on Kernel
uint32_t *uart_va = (uint32_t *)(args_ptr->dmap_base + 0xC0115110ULL);
*uart_va &= ~0x200;
uint32_t *override_char_va = (uint32_t *)args_ptr->kernel_uart_override;
@@ -45,7 +35,6 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
uint64_t unk;
int n_devices;
// Reconfigure IOMMU calling the HV
int ret = ((uint64_t(*)(uint64_t, uint64_t, uint64_t, uint64_t,
int *))args_ptr->fun_hv_iommu_set_buffers)(
iommu_cb2_pa, iommu_cb3_pa, iommu_eb_pa, (uint64_t) &unk, &n_devices);
@@ -65,7 +54,6 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
goto out;
}
// Wait for completion
ret = ((uint64_t(*)(void))args_ptr->fun_hv_iommu_wait_completion)();
if (ret == 0) {
@@ -83,7 +71,6 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
putc_uart(args_ptr->dmap_base, 'K');
putc_uart(args_ptr->dmap_base, '\n');
// Allow R/W on HV and Kernel area
if (tmr_disable(args_ptr->dmap_base)) {
putc_uart(args_ptr->dmap_base, 'T');
@@ -104,7 +91,6 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
putc_uart(args_ptr->dmap_base, 'K');
putc_uart(args_ptr->dmap_base, '\n');
// Patch HV
patch_vmcb(args_ptr);
putc_uart(args_ptr->dmap_base, 'V');
@@ -145,9 +131,6 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
boot_linux();
printf("Linux prepared OK\n");
// Activate HV UART - Not really needed but good for debugging
// *(uint32_t*)PHYS_TO_DMAP(args.hv_uart_override_pa) = 0x0;
printf("Calling smp_rendezvous to exit all cores to HV with ptr: %016lx\n",
(uint64_t)vmmcall_dummy);
printf("Good Bye VM :)\n");
@@ -186,36 +169,28 @@ __attribute__((noinline, optimize("O0"), naked)) void vmmcall_dummy(void) {
void halt(void) { __asm__ __volatile__("hlt"); }
// Submit a single 16-byte command and wait for completion
__attribute__((noinline, optimize("O0"))) void
iommu_submit_cmd(volatile shellcode_kernel_args *args_ptr, uint64_t *cmd) {
// Read the offset of current tail of command list
uint64_t curr_tail = *(
(uint64_t *)args_ptr->iommu_mmio_va +
IOMMU_MMIO_CB_TAIL /
8); // Offset in IOMMU Command Buffer - Downscale the size of the ptr
uint64_t next_tail = (curr_tail + IOMMU_CMD_ENTRY_SIZE) &
IOMMU_CB_MASK; // Offset in IOMMU Command Buffer
IOMMU_MMIO_CB_TAIL / 8);
uint64_t next_tail = (curr_tail + IOMMU_CMD_ENTRY_SIZE) & IOMMU_CB_MASK;
// We write the command in the current empty entry
uint64_t *cmd_buffer =
(uint64_t *)args_ptr->iommu_cb2_va + curr_tail / 8; // Downscale the size of the ptr
// Copy 0x10 bytes (CMD Size)
(uint64_t *)args_ptr->iommu_cb2_va + curr_tail / 8;
cmd_buffer[0] = cmd[0];
cmd_buffer[1] = cmd[1];
__asm__ volatile("" : : : "memory"); // Prevent reordering
*((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8) =
next_tail; // Indicate the IOMMU that there is a CMD - Downscale the size
// of the ptr
next_tail;
// Wait CMD processing completion - Head will be the Tail
while (*((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_HEAD / 8) !=
*((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8))
;
}
// Write 8 bytes to a physical address using IOMMU completion wait store
__attribute__((noinline, optimize("O0"))) void
iommu_write8_pa(volatile shellcode_kernel_args *args_ptr, uint64_t pa, uint64_t val) {
uint32_t cmd[4] = {0};
@@ -230,26 +205,22 @@ __attribute__((noinline, optimize("O0"))) void
patch_vmcb(volatile shellcode_kernel_args *args_ptr) {
for (int i = 0; i < 16; i++) {
uint64_t pa = args_ptr->vmcb[i];
// args_ptr->fun_printf("Patching core: %02d VMCB_PA: 0x%016lx\n", i,
// args_ptr->vmcb[i]);
iommu_write8_pa(args_ptr, pa + 0x00,
0x0000000000000000ULL); // Clear all intercepts (R/W) to
// CR0-CR15 and DR0-DR15
0x0000000000000000ULL);
iommu_write8_pa(args_ptr, pa + 0x08,
0x0004000000000000ULL); // Clear all intercepts of except.
// vectors but CPUID
0x0004000000000000ULL);
iommu_write8_pa(args_ptr, pa + 0x10,
0x000000000000000FULL); // Clear all except VMMCALL, VMLOAD,
// VMSAVE, VMRUN
0x000000000000000FULL);
iommu_write8_pa(args_ptr, pa + 0x58,
0x0000000000000001ULL); // Guest ASID ... 1 ?
0x0000000000000001ULL);
iommu_write8_pa(args_ptr, pa + 0x90,
0x0000000000000000ULL); // Disable NP_ENABLE
0x0000000000000000ULL);
}
}
__attribute__((noinline, optimize("O0"))) uint32_t tmr_read(uint64_t dmap,
uint32_t addr) {
__attribute__((noinline, optimize("O0")))
uint32_t tmr_read(uint64_t dmap, uint32_t addr) {
*(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_INDEX_OFF) = addr;
return *(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_DATA_OFF);
}
@@ -260,8 +231,6 @@ tmr_write(uint64_t dmap, uint32_t addr, uint32_t val) {
*(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_DATA_OFF) = val;
}
// On 1.xx and 2.xx the HV is embedded in kernel area on TMR 16
// On 3.xx and 4.xx there are multiple TMR protecting HV and Kernel
__attribute__((noinline, optimize("O0"))) int tmr_disable(uint64_t dmap) {
for (int i = 0; i < 24; i++) {
if (tmr_read(dmap, TMR_CONFIG(i)) != 0) {
@@ -282,7 +251,6 @@ void init_global_pointers(volatile shellcode_kernel_args *args_ptr) {
smp_rendezvous = (void (*)(void (*)(void), void (*)(void),
void (*)(void), void *)) args.fun_smp_rendezvous;
smp_no_rendevous_barrier = (void (*)(void)) args.fun_smp_no_rendevous_barrier;
transmitter_control = (int (*) (int, void*)) args.fun_transmitter_control;
mp3_initialize = (int (*) (int)) args.fun_mp3_initialize;
mp3_invoke = (int (*) (int, void*, void*)) args.fun_mp3_invoke;

6
shellcode_kernel/utils.c
View File

@@ -16,9 +16,9 @@ void memcpy(void *dest, void *src, uint64_t len) {
uint64_t read_cr3(void) {
uint64_t cr3;
__asm__ volatile("mov %%cr3, %0"
: "=r"(cr3) // Output: move CR3 into the variable 'cr3'
: // No inputs
: // No clobbered registers
: "=r"(cr3)
:
:
);
return cr3;
}

147
source/main.c
View File

@@ -1,11 +1,8 @@
#include "main.h"
#include "../shellcode_kernel/shellcode_kernel.h"
#include "hv_defeat.h"
#include "loader.h"
#include "offsets.h"
#include "utils.h"
#include <stdio.h>
#include <unistd.h>
#include "utils.h"
#include "hv_defeat.h"
#include "prepare_resume.h"
#include "loader.h"
int main(void) {
@@ -36,143 +33,9 @@ int main(void) {
sleep(5);
enter_rest_mode();
while (1) {
while (1) {
sleep(30);
}
return 0;
}
int setup_env(void) {
notify("Welcome to ps5-linux-loader. We'll defeat HV and prepare the system "
"to boot Linux on sleep resume.\n");
if (set_offsets())
return -1;
if (init_global_vars())
return -1;
return 0;
}
int prepare_resume(void) {
if (env_offset.KERNEL_CODE_CAVE == 0) {
printf("Error: missing code cave offset\n");
return -1;
}
if (env_offset.KERNEL_DATA_CAVE == 0) {
printf("Error: missing data cave offset\n");
return -1;
}
printf("\nWriting Shell Code for WakeUp path and patching "
"AcpiSetFirmwareWakingVector in acpi_wakeup_machdep\n");
uint64_t dest_text = ktext + env_offset.KERNEL_CODE_CAVE;
uint64_t dest_data =
ktext + env_offset.KERNEL_DATA_CAVE; // For arguments only, rest of .data
// variables are in shellcode
uint64_t sz = shellcode_kernel_text_len;
uint32_t CHUNK = 0x1000;
uint64_t written = 0;
while (written < sz) {
uint32_t n = (sz - written > CHUNK) ? CHUNK : (uint32_t)(sz - written);
kernel_copyin(&shellcode_kernel_text[written], dest_text + written, n);
written += n;
}
DEBUG_PRINT(" copied %d bytes to text cave\n", sz);
DEBUG_PRINT("\n\nI wrote this shellcode text on %016lx (ktext+%08lx):\n",
dest_text, env_offset.KERNEL_CODE_CAVE);
for (uint64_t i = 0; i < sz; i++) {
DEBUG_PRINT("%02x", kread8(dest_text + i));
}
DEBUG_PRINT("\n\n");
shellcode_kernel_args args;
// Fill structure of ShellCode Arguments
args.fw_version = kernel_get_fw_version() & 0xFFFF0000;
args.ktext = ktext;
args.kdata = kdata;
args.dmap_base = dmap;
args.fun_printf = ktext + env_offset.FUN_PRINTF;
args.fun_va_to_pa = ktext + env_offset.FUN_VA_TO_PA;
args.fun_hv_iommu_set_buffers = ktext + env_offset.FUN_HV_IOMMU_SET_BUFFERS;
args.fun_hv_iommu_wait_completion =
ktext + env_offset.FUN_HV_IOMM_WAIT_COMPLETION;
args.fun_smp_rendezvous = ktext + env_offset.FUN_SMP_RENDEZVOUS;
args.fun_smp_no_rendevous_barrier =
ktext + env_offset.FUN_SMP_NO_RENDEVOUS_BARRIER;
args.g_vbios = ktext + env_offset.G_VBIOS;
args.fun_transmitter_control = ktext + env_offset.FUN_TRANSMITTER_CONTROL;
args.fun_mp3_initialize = ktext + env_offset.FUN_MP3_INITIALIZE;
args.fun_mp3_invoke = ktext + env_offset.FUN_MP3_INVOKE;
args.iommu_mmio_va = iommu->mmio_va;
args.iommu_cb2_va = iommu->cb2_base;
args.iommu_cb3_va = iommu->cb3_base;
args.iommu_eb_va = iommu->eb_base;
memcpy(&args.vmcb[0], &vmcb_pa[0], sizeof(args.vmcb[0]) * 16);
args.kernel_uart_override = ktext + env_offset.KERNEL_UART_OVERRIDE;
args.hv_handle_vmexit_pa = env_offset.HV_HANDLE_VMEXIT_PA;
args.hv_code_cave_pa = env_offset.HV_CODE_CAVE_PA;
args.hv_uart_override_pa = env_offset.HV_UART_OVERRIDE_PA;
args.linux_info_va = linux_i.linux_info; // To relocate by kernel shellcode
// bzimage_va and initrd_va are passed in the linux_info structure
// Copy arguments to small .data cave
kernel_copyin(&args, dest_data, sizeof(args));
DEBUG_PRINT("\n\nI wrote this arguments data on %016lx (ktext+%08lx):\n",
dest_data, env_offset.KERNEL_DATA_CAVE);
for (uint64_t i = 0; i < sz; i++) {
DEBUG_PRINT("%02x", kread8(dest_data + i));
}
DEBUG_PRINT("\n\n");
// Now find the address 0x11AA11AA11AA11AA used as marker for args_ptr and
// overwrite it with proper VA in .data for arguments
int offset = -1;
for (int i = 0; i < 0x40; i++) {
if (*(uint64_t *)((uint64_t)shellcode_kernel_text + i) ==
0x11AA11AA11AA11AA) {
offset = i;
break;
}
}
if (offset == -1) {
notify("Could not find offset of args_ptr address - Aborting\n");
}
kwrite64(dest_text + offset, dest_data);
DEBUG_PRINT("\n\nI wrote this ptr %016lx on %016lx (offset %08lx)\n",
dest_data, dest_text + offset, offset);
uint64_t instr_to_patch =
ktext + env_offset.HOOK_ACPI_WAKEUP_MACHDEP; // AcpiSetFirmwareWakingVector
// in acpi_wakeup_machdep
int64_t diff_call = dest_text - instr_to_patch;
uint8_t new_instr[5];
new_instr[0] = 0xE8; // Call Near
*((uint32_t *)&new_instr[1]) =
(int32_t)(diff_call - 5); // Call Offset is relative to the next
// instruction and Call uses 5 bytes
// Patch instruction
kernel_copyin(new_instr, instr_to_patch, 5);
DEBUG_PRINT("Instruction patched\n");
// Patch debug exception
kwrite8(ktext + env_offset.KERNEL_DEBUG_PATCH, 0xC3);
// Patch cfi_check
kwrite8(ktext + env_offset.KERNEL_CFI_CHECK, 0xC3);
return 0;
}

101
source/prepare_resume.c Normal file
View File

@@ -0,0 +1,101 @@
#include <stdio.h>
#include <stdint.h>
#include "prepare_resume.h"
#include "iommu.h"
#include "../shellcode_kernel/shellcode_kernel.h"
#include "offsets.h"
#include "utils.h"
int prepare_resume(void) {
if (env_offset.KERNEL_CODE_CAVE == 0) {
printf("Error: missing code cave offset\n");
return -1;
}
if (env_offset.KERNEL_DATA_CAVE == 0) {
printf("Error: missing data cave offset\n");
return -1;
}
printf("\nWriting Shell Code for WakeUp path and patching "
"AcpiSetFirmwareWakingVector in acpi_wakeup_machdep\n");
uint64_t dest_text = ktext + env_offset.KERNEL_CODE_CAVE;
uint64_t dest_data = ktext + env_offset.KERNEL_DATA_CAVE;
kwrite_large(dest_text, shellcode_kernel_text, shellcode_kernel_text_len);
prepare_sck_args(dest_data);
if(update_sck_data_ptr(shellcode_kernel_text, dest_text, dest_data))
return -1;
hook_call_near(ktext + env_offset.HOOK_ACPI_WAKEUP_MACHDEP, dest_text);
kwrite8(ktext + env_offset.KERNEL_DEBUG_PATCH, 0xC3);
kwrite8(ktext + env_offset.KERNEL_CFI_CHECK, 0xC3);
return 0;
}
int update_sck_data_ptr (void* sc, uint64_t dest_text, uint64_t dest_data) {
// Find the address 0x11AA11AA11AA11AA used as marker
int offset = -1;
for (int i = 0; i < 0x40; i++) {
if (*(uint64_t *)((uint64_t)sc + i) == 0x11AA11AA11AA11AA) {
offset = i;
break;
}
}
if (offset == -1) {
notify("Could not find offset of args_ptr address - Aborting\n");
return -1;
}
kwrite64(dest_text + offset, dest_data);
return 0;
}
void hook_call_near(uint64_t hook, uint64_t dst) {
int64_t diff_call = dst - hook;
uint8_t new_instr[5]; new_instr[0] = 0xE8;
*((uint32_t *)&new_instr[1]) = (int32_t)(diff_call - 5);
kernel_copyin(new_instr, hook, 5);
DEBUG_PRINT("Instruction patched\n");
}
void prepare_sck_args(uint64_t dest_data) {
shellcode_kernel_args args;
args.fw_version = kernel_get_fw_version() & 0xFFFF0000;
args.ktext = ktext;
args.kdata = kdata;
args.dmap_base = dmap;
args.fun_printf = ktext + env_offset.FUN_PRINTF;
args.fun_va_to_pa = ktext + env_offset.FUN_VA_TO_PA;
args.fun_hv_iommu_set_buffers = ktext + env_offset.FUN_HV_IOMMU_SET_BUFFERS;
args.fun_hv_iommu_wait_completion =
ktext + env_offset.FUN_HV_IOMM_WAIT_COMPLETION;
args.fun_smp_rendezvous = ktext + env_offset.FUN_SMP_RENDEZVOUS;
args.fun_smp_no_rendevous_barrier =
ktext + env_offset.FUN_SMP_NO_RENDEVOUS_BARRIER;
args.g_vbios = ktext + env_offset.G_VBIOS;
args.fun_transmitter_control = ktext + env_offset.FUN_TRANSMITTER_CONTROL;
args.fun_mp3_initialize = ktext + env_offset.FUN_MP3_INITIALIZE;
args.fun_mp3_invoke = ktext + env_offset.FUN_MP3_INVOKE;
args.iommu_mmio_va = iommu->mmio_va;
args.iommu_cb2_va = iommu->cb2_base;
args.iommu_cb3_va = iommu->cb3_base;
args.iommu_eb_va = iommu->eb_base;
memcpy(&args.vmcb[0], &vmcb_pa[0], sizeof(args.vmcb[0]) * 16);
args.kernel_uart_override = ktext + env_offset.KERNEL_UART_OVERRIDE;
args.hv_handle_vmexit_pa = env_offset.HV_HANDLE_VMEXIT_PA;
args.hv_code_cave_pa = env_offset.HV_CODE_CAVE_PA;
args.hv_uart_override_pa = env_offset.HV_UART_OVERRIDE_PA;
args.linux_info_va = linux_i.linux_info;
kernel_copyin(&args, dest_data, sizeof(args));
}

10
source/utils.c
View File

@@ -17,6 +17,16 @@ uint64_t cr3;
uint32_t fw;
struct linux_info linux_i;
int setup_env(void) {
notify("Welcome to ps5-linux-loader. We'll defeat HV and prepare the system "
"to boot Linux on sleep resume.\n");
if (set_offsets())
return -1;
if (init_global_vars())
return -1;
return 0;
}
int set_offsets(void) {
fw = kernel_get_fw_version() >> 16;
if (fw == 0)