initial commit support 3.xx and 4.xx

2026-05-09 00:24:16 +00:00 · 2026-04-24 17:30:06 +02:00
commit 4fc5de4d36
41 changed files with 4509 additions and 0 deletions
--- a/shellcode_hypervisor/Makefile
+++ b/shellcode_hypervisor/Makefile
@@ -0,0 +1,32 @@
+ifndef PS5_PAYLOAD_SDK
+    PS5_PAYLOAD_SDK = /opt/ps5-payload-sdk/
+endif
+
+# 1. Variables
+CC      = gcc
+LD      = ld
+CFLAGS  = -O2 -fno-stack-protector -ffreestanding -nostdlib -fcf-protection=none -I$(PS5_PAYLOAD_SDK)/target/include
+LDFLAGS = -T linker.ld
+TARGET  = shellcode_hypervisor.elf
+TEXT_BIN = shellcode_hypervisor.bin
+dump = shellcode_hypervisor.h
+
+SRC = main.c utils.c boot_linux.c
+OBJ = $(SRC:.c=.o)
+
+all: $(dump)
+
+$(TARGET): $(OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(OBJ) -o $(TARGET)
+
+%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(TEXT_BIN): $(TARGET)
+	objcopy -O binary -j .shell_code $(TARGET) $(TEXT_BIN)
+
+clean:
+	rm -f $(OBJ) $(TARGET) $(TEXT_BIN) $(dump)
+
+$(dump): $(TEXT_BIN)
+	python3 bin_to_c_hypervisor.py $(TEXT_BIN)
--- a/shellcode_hypervisor/bin_to_c_hypervisor.py
+++ b/shellcode_hypervisor/bin_to_c_hypervisor.py
@@ -0,0 +1,46 @@
+import sys
+import os
+
+def create_shellcode_header(input_file):
+    if not os.path.exists(input_file):
+        print(f"Error: {input_file} not found.")
+        return
+
+    # Read binary data_text
+    with open(input_file, "rb") as f:
+        data_text = f.read()
+
+    # Hardcoded output name
+    output_name = "shellcode_hypervisor.h"
+    array_name = "shellcode_hypervisor"
+    
+    with open(output_name, "w") as f:
+        f.write(f"// Generated from {input_file}\n")
+        f.write(f"#ifndef SHELLCODE_HV_H\n")
+        f.write(f"#define SHELLCODE_HV_H\n\n")
+        f.write(f"#include <unistd.h>\n\n")
+
+        f.write(f"uint8_t {array_name}[] = {{\n    ")
+        
+        for i, byte in enumerate(data_text):
+            f.write(f"0x{byte:02X}")
+            
+            if i < len(data_text) - 1:
+                f.write(", ")
+            
+            # New line every 12 bytes
+            if (i + 1) % 12 == 0:
+                f.write("\n    ")
+        
+        f.write(f"\n}};\n\n")
+        f.write(f"uint64_t {array_name}_len = {len(data_text)};\n\n")
+
+        f.write(f"#endif // SHELLCODE_HV_H\n")
+
+    print(f"Done! Created {output_name} ({len(data_text)} bytes)")
+
+if __name__ == "__main__":
+    if len(sys.argv) < 2:
+        print("Usage: python bin_to_c_hypervisor.py <shellcode.bin>")
+    else:
+        create_shellcode_header(sys.argv[1])
--- a/shellcode_hypervisor/boot_linux.c
+++ b/shellcode_hypervisor/boot_linux.c
@@ -0,0 +1,173 @@
+#include "boot_linux.h"
+#include "../include/config.h"
+#include "linux.h"
+#include "utils.h"
+#include <stddef.h>
+#include <stdint.h>
+
+struct linux_info {
+  uintptr_t bzimage;
+  size_t bzimage_size;
+  uintptr_t initrd;
+  size_t initrd_size;
+  size_t vram_size;
+  char cmdline[2048];
+};
+
+static struct linux_info info;
+
+static volatile int exited_cpus = 0;
+
+static void configure_vram(uint64_t fb_start, uint64_t vram_start,
+                           uint64_t vram_size) {
+  uint64_t vram_end = vram_start + vram_size - 1;
+  uint64_t fb_top = fb_start + vram_size - 1;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + RCC_CONFIG_MEMSIZE) = vram_size >> 20;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_FB_OFFSET) = vram_start >> 24;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_LOCAL_HBM_ADDRESS_START) =
+      vram_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_LOCAL_HBM_ADDRESS_END) =
+      vram_end >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_FB_LOCATION_BASE) = fb_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_FB_LOCATION_TOP) = fb_top >> 24;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_FB_OFFSET) = vram_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_LOCAL_HBM_ADDRESS_START) =
+      vram_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_LOCAL_HBM_ADDRESS_END) =
+      vram_end >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_FB_LOCATION_BASE) = fb_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_FB_LOCATION_TOP) = fb_top >> 24;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMHUBBUB_WHITELIST_BASE_ADDR_0) =
+      vram_start >> 12;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMHUBBUB_WHITELIST_TOP_ADDR_0) =
+      vram_end >> 12;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + DCHUBBUB_WHITELIST_BASE_ADDR_0) =
+      vram_start >> 12;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + DCHUBBUB_WHITELIST_TOP_ADDR_0) =
+      vram_end >> 12;
+}
+
+static void append_e820_table(struct boot_params *bp, uint64_t start,
+                              uint64_t end, uint32_t type) {
+  uint8_t idx = bp->e820_entries;
+  bp->e820_table[idx].addr = start;
+  bp->e820_table[idx].size = end - start;
+  bp->e820_table[idx].type = type;
+  bp->e820_entries++;
+}
+
+static void e820_memory_setup(struct boot_params *bp) {
+  append_e820_table(bp, 0x000000000, 0x000001000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x000001000, 0x000070000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x000070000, 0x0000a0000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0000a0000, 0x0000c0000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0000c0000, 0x000100000, E820_TYPE_RESERVED); // VBIOS
+  append_e820_table(bp, 0x000100000, 0x03fffc000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x03fffc000, 0x040000000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x040000000, 0x060000000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x060000000, 0x060800000, E820_TYPE_RESERVED); // MP4
+  append_e820_table(bp, 0x060800000, 0x060c00000, E820_TYPE_RESERVED); // VCN FW
+  append_e820_table(bp, 0x060c00000, 0x062800000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x062800000, 0x064800000, E820_TYPE_RESERVED); // HV
+  append_e820_table(bp, 0x064800000, 0x064829000, E820_TYPE_RESERVED); // MP3
+  append_e820_table(bp, 0x064829000, 0x07f9d0000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x07f9d0000, 0x07fd5f000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd5f000, 0x07fd63000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd63000, 0x07fd67000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd67000, 0x07fd6f000, E820_TYPE_NVS);
+  append_e820_table(bp, 0x07fd6f000, 0x07fd8f000, E820_TYPE_ACPI);
+  append_e820_table(bp, 0x07fd8f000, 0x07fd90000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd90000, 0x080000000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x080000000, 0x0c4400000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0d0000000, 0x0e0700000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0f0000000, 0x0f8000000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x100000000, VRAM_BASE, E820_TYPE_RAM);
+  append_e820_table(bp, VRAM_BASE, 0x470000000, E820_TYPE_RESERVED); // VRAM
+  append_e820_table(bp, 0x470000000, 0x47f300000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x47f300000, 0x480000000, E820_TYPE_RESERVED);
+}
+
+void boot_linux(void) {
+  uintptr_t kernel_pa = 0x100000;
+  uintptr_t setup_pa = 0x10000;
+  uintptr_t cmdline_pa = 0x20000;
+
+  struct boot_params *bzimage_bp = (struct boot_params *)info.bzimage;
+
+  struct boot_params *bp = (struct boot_params *)setup_pa;
+  struct setup_header *shdr = &bp->hdr;
+
+  memset(bp, 0, sizeof(struct boot_params));
+
+  memcpy(shdr, &bzimage_bp->hdr, sizeof(struct setup_header));
+
+  e820_memory_setup(bp);
+
+  shdr->hardware_subarch = X86_SUBARCH_PS5;
+  shdr->type_of_loader = 0xff;
+  shdr->cmd_line_ptr = cmdline_pa;
+  shdr->ramdisk_image = info.initrd & 0xffffffff;
+  shdr->ramdisk_size = info.initrd_size & 0xffffffff;
+  bp->ext_ramdisk_image = info.initrd >> 32;
+  bp->ext_ramdisk_size = info.initrd_size >> 32;
+  bp->acpi_rsdp_addr = ACPI_RSDP_ADDRESS;
+
+  strcpy((char *)cmdline_pa, info.cmdline);
+
+  size_t setup_size = (shdr->setup_sects + 1) * 512;
+  size_t kernel_size = shdr->syssize * 16;
+
+  memcpy((void *)kernel_pa, (void *)(info.bzimage + setup_size), kernel_size);
+
+  // printf("This is kernel_pa: "); print_val64(kernel_pa); printf("\n");
+  void (*startup_64)(uint64_t physaddr, struct boot_params *bp) =
+      (void *)(kernel_pa + 0x200);
+  startup_64(kernel_pa, bp);
+}
+
+void entry(void) {
+
+  disable_intr();
+
+  // Set global interrupt flag.
+  __asm__ volatile("stgi\n");
+
+  // Clear SVM flag.
+  wrmsr(MSR_EFER, rdmsr(MSR_EFER) & ~EFER_SVM);
+
+  // Disable INIT redirection.
+  wrmsr(MSR_VM_CR, rdmsr(MSR_VM_CR) & ~VM_CR_R_INIT);
+
+  // Clean up mtrr.
+  wrmsr(MSR_MTRR4kBase + 0, 0);
+
+  wrmsr(MSR_MTRR4kBase + 1, 0);
+
+  wrmsr(MSR_MTRRVarBase + 7 * 2 + 1, 0);
+
+  atomic_add_32(&exited_cpus, 1);
+
+  while (atomic_cmpset_32(&exited_cpus, MAXCPU, MAXCPU) == 0)
+    ;
+
+  if (get_cpu() != 0) {
+    while (1) {
+      halt();
+    }
+  }
+
+  // Disable IOMMU.
+  *(volatile uint64_t *)0xfdd80018 &= ~1;
+
+  memcpy(&info, (void *)(cave_linux_info), sizeof(struct linux_info));
+
+  configure_vram(FB_BASE, VRAM_BASE, info.vram_size);
+
+  printf("[*] Booting Linux in bare metal...\n");
+  boot_linux();
+}
--- a/shellcode_hypervisor/boot_linux.h
+++ b/shellcode_hypervisor/boot_linux.h
@@ -0,0 +1,43 @@
+
+#define MSR_EFER 0xc0000080
+#define EFER_SVM (1ULL << 12) // Bit 12: Secure Virtual Machine Enable
+
+// // Virtual Machine Control Register (VM_CR)
+#define MSR_VM_CR 0xc0010114
+#define VM_CR_R_INIT (1ULL << 1) // Bit 1: Intercept INIT
+
+// // MTRRs (Memory Type Range Registers)
+#define MSR_MTRR4kBase 0x00000268  // MSR_MTRRfix4K_C0000 (primer registro 4k)
+#define MSR_MTRRVarBase 0x00000200 // MTRR variable base (MSR_MTRRphysBase0)
+
+#define VRAM_BASE (0x470000000 - info.vram_size)
+
+#define FB_BASE 0xf400000000
+
+#define ACPI_RSDP_ADDRESS 0x7fd8e014
+
+#define AMDGPU_MMIO_BASE 0xe0600000
+
+#define RCC_CONFIG_MEMSIZE 0x378c
+
+#define GCMC_VM_FB_OFFSET 0xa5ac
+#define GCMC_VM_LOCAL_HBM_ADDRESS_START 0xa5d4
+#define GCMC_VM_LOCAL_HBM_ADDRESS_END 0xa5d8
+#define GCMC_VM_FB_LOCATION_BASE 0xa600
+#define GCMC_VM_FB_LOCATION_TOP 0xa604
+
+#define MMMC_VM_FB_OFFSET 0x6a15c
+#define MMMC_VM_LOCAL_HBM_ADDRESS_START 0x6a184
+#define MMMC_VM_LOCAL_HBM_ADDRESS_END 0x6a188
+#define MMMC_VM_FB_LOCATION_BASE 0x6a1b0
+#define MMMC_VM_FB_LOCATION_TOP 0x6a1b4
+
+#define MMHUBBUB_WHITELIST_BASE_ADDR_0 0x24850
+#define MMHUBBUB_WHITELIST_TOP_ADDR_0 0x24854
+#define DCHUBBUB_WHITELIST_BASE_ADDR_0 0x24878
+#define DCHUBBUB_WHITELIST_TOP_ADDR_0 0x2487c
+
+#define MAXCPU 16
+
+void entry(void);
+void boot_linux(void);
--- a/shellcode_hypervisor/linker.ld
+++ b/shellcode_hypervisor/linker.ld
@@ -0,0 +1,18 @@
+/* linker.ld */
+ENTRY(main)
+
+SECTIONS
+{
+    . = 0x1000; /* 0x1000 to avoid warnings from linker */
+    /* Place our custom header first */
+    .shell_code :
+    {
+        *(.entry_point)
+        *(.text)
+        *(.text.*)
+        *(.data*)
+        *(.rodata*)
+        *(.bss)
+        *(.bss.*)
+    }
+}
--- a/shellcode_hypervisor/linux.h
+++ b/shellcode_hypervisor/linux.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2026 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+#ifndef __LINUX_H__
+#define __LINUX_H__
+
+#include <stdint.h>
+
+#define X86_SUBARCH_PS5 5
+
+enum e820_type {
+  E820_TYPE_RAM = 1,
+  E820_TYPE_RESERVED = 2,
+  E820_TYPE_ACPI = 3,
+  E820_TYPE_NVS = 4,
+  E820_TYPE_UNUSABLE = 5,
+  E820_TYPE_PMEM = 7,
+  E820_TYPE_PRAM = 12,
+  E820_TYPE_SOFT_RESERVED = 0xefffffff,
+};
+
+struct boot_e820_entry {
+  uint64_t addr;
+  uint64_t size;
+  uint32_t type;
+} __attribute__((packed));
+
+struct setup_header {
+  uint8_t setup_sects;
+  uint16_t root_flags;
+  uint32_t syssize;
+  uint16_t ram_size;
+  uint16_t vid_mode;
+  uint16_t root_dev;
+  uint16_t boot_flag;
+  uint16_t jump;
+  uint32_t header;
+  uint16_t version;
+  uint32_t realmode_swtch;
+  uint16_t start_sys_seg;
+  uint16_t kernel_version;
+  uint8_t type_of_loader;
+  uint8_t loadflags;
+  uint16_t setup_move_size;
+  uint32_t code32_start;
+  uint32_t ramdisk_image;
+  uint32_t ramdisk_size;
+  uint32_t bootsect_kludge;
+  uint16_t heap_end_ptr;
+  uint8_t ext_loader_ver;
+  uint8_t ext_loader_type;
+  uint32_t cmd_line_ptr;
+  uint32_t initrd_addr_max;
+  uint32_t kernel_alignment;
+  uint8_t relocatable_kernel;
+  uint8_t min_alignment;
+  uint16_t xloadflags;
+  uint32_t cmdline_size;
+  uint32_t hardware_subarch;
+  uint64_t hardware_subarch_data;
+  uint32_t payload_offset;
+  uint32_t payload_length;
+  uint64_t setup_data;
+  uint64_t pref_address;
+  uint32_t init_size;
+  uint32_t handover_offset;
+  uint32_t kernel_info_offset;
+} __attribute__((packed));
+
+#define E820_MAX_ENTRIES_ZEROPAGE 128
+
+struct boot_params {
+  uint8_t screen_info[0x40];       // 0x000
+  uint8_t apm_bios_info[0x14];     // 0x040
+  uint8_t _pad2[4];                // 0x054
+  uint64_t tboot_addr;             // 0x058
+  uint8_t ist_info[0x10];          // 0x060
+  uint64_t acpi_rsdp_addr;         // 0x070
+  uint8_t _pad3[8];                // 0x078
+  uint8_t hd0_info[16];            // 0x080
+  uint8_t hd1_info[16];            // 0x090
+  uint8_t sys_desc_table[0x10];    // 0x0a0
+  uint8_t olpc_ofw_header[0x10];   // 0x0b0
+  uint32_t ext_ramdisk_image;      // 0x0c0
+  uint32_t ext_ramdisk_size;       // 0x0c4
+  uint32_t ext_cmd_line_ptr;       // 0x0c8
+  uint8_t _pad4[112];              // 0x0cc
+  uint32_t cc_blob_address;        // 0x13c
+  uint8_t edid_info[0x80];         // 0x140
+  uint8_t efi_info[0x20];          // 0x1c0
+  uint32_t alt_mem_k;              // 0x1e0
+  uint32_t scratch;                // 0x1e4
+  uint8_t e820_entries;            // 0x1e8
+  uint8_t eddbuf_entries;          // 0x1e9
+  uint8_t edd_mbr_sig_buf_entries; // 0x1ea
+  uint8_t kbd_status;              // 0x1eb
+  uint8_t secure_boot;             // 0x1ec
+  uint8_t _pad5[2];                // 0x1ed
+  uint8_t sentinel;                // 0x1ef
+  uint8_t _pad6[1];                // 0x1f0
+  struct setup_header hdr;         // 0x1f1
+  uint8_t _pad7[0x290 - 0x1f1 - sizeof(struct setup_header)];
+  uint32_t edd_mbr_sig_buffer[16];                              // 0x290
+  struct boot_e820_entry e820_table[E820_MAX_ENTRIES_ZEROPAGE]; // 0x2d0
+  uint8_t _pad8[48];                                            // 0xcd0
+  uint8_t eddbuf[0x1ec];                                        // 0xd00
+  uint8_t _pad9[276];                                           // 0xeec
+} __attribute__((packed));
+
+#endif
--- a/shellcode_hypervisor/main.c
+++ b/shellcode_hypervisor/main.c
@@ -0,0 +1,37 @@
+#include "main.h"
+#include "../include/config.h"
+#include "boot_linux.h"
+#include "utils.h"
+#include <cpuid.h>
+#include <machine/atomic.h>
+#include <machine/cpufunc.h>
+#include <stdint.h>
+#include <sys/types.h>
+
+__attribute__((section(".entry_point"), naked)) uint32_t main(void) {
+
+  // We enter this function after CR3 was updated to 1:1 mapping
+  // We need to point RSP/RBP to a good known valid address
+  uint32_t ebax, ebx, ecx, edx;
+  uint32_t cpu_id;
+
+  __asm__ volatile("cpuid"
+                   : "=a"(ebax), "=b"(ebx), "=c"(ecx), "=d"(edx)
+                   : "a"(1));
+
+  cpu_id = (ebx >> 24) & 0xFF;
+
+  // We point to a location after the main linux boot code
+  // Each CPU should have a different location
+  uintptr_t new_rsp =
+      (uintptr_t)hv_base_rsp + ((uint64_t)(cpu_id)*hv_stack_size);
+
+  // WARNING: This invalidates current local variables
+  __asm__ volatile("movq %0, %%rsp \n\t"
+                   "movq %%rsp, %%rbp \n\t"
+                   :
+                   : "r"(new_rsp)
+                   : "rsp", "rbp", "memory");
+
+  entry();
+}
--- a/shellcode_hypervisor/main.h
+++ b/shellcode_hypervisor/main.h
@@ -0,0 +1,3 @@
+#include "shellcode_hypervisor_args.h"
+#include <stdarg.h>
+#include <stdint.h>
--- a/shellcode_hypervisor/shellcode_hypervisor_args.h
+++ b/shellcode_hypervisor/shellcode_hypervisor_args.h
@@ -0,0 +1,9 @@
+// This file is shared between kernel shellcode and hypervisor shellcode
+
+#include <stdint.h>
+
+typedef struct {
+  uint64_t bzimage_pa;    // Already relocated by Kernel shellcode
+  uint64_t initrd_pa;     // Already relocated by Kernel shellcode
+  uint64_t linux_info_pa; // Already relocated by Kernel shellcode
+} shellcode_hypervisor_args;
--- a/shellcode_hypervisor/utils.c
+++ b/shellcode_hypervisor/utils.c
@@ -0,0 +1,114 @@
+#include "utils.h"
+#include "shellcode_hypervisor_args.h"
+#include <cpuid.h>
+
+extern shellcode_hypervisor_args args;
+
+__attribute__((noinline, optimize("O0"))) uint32_t putc_uart(uint8_t tx_byte) {
+  volatile uint32_t *uart_tx = 0xc1010104ULL;
+  volatile uint32_t *uart_busy = 0xc101010cULL;
+  uint64_t timeout = 0xFFFFFFFF;
+  do {
+    timeout--;
+    if (timeout == 0)
+      break;
+  } while (((*uart_busy) & 0x20) == 0);
+
+  if (timeout == 0)
+    return -1;
+
+  *uart_tx = (uint32_t)tx_byte & 0xFF;
+  return 0;
+}
+
+// Variable for val to hex
+uint8_t hex_val[17];
+
+__attribute__((noinline, optimize("O0"))) uint8_t *
+u64_to_hex_custom(uint64_t val, uint8_t *dest) {
+
+  const uint8_t hex_chars[] = "0123456789abcdef";
+  dest[16] = '\0';
+
+  for (int i = 15; i >= 0; i--) {
+    dest[i] = hex_chars[val & 0xf];
+    val >>= 4;
+  }
+  return dest;
+}
+
+__attribute__((noinline, optimize("O0"))) int printf(const uint8_t *msg) {
+  uint32_t max = 255;
+  int ret = 0;
+
+  for (int i = 0; i < 255; i++) {
+    if (msg[i] == '\0') {
+      break;
+    }
+    if (msg[i] == '\n') {
+      putc_uart('\r');
+    }
+    ret = putc_uart(msg[i]);
+  }
+
+  return ret;
+}
+
+__attribute__((noinline, optimize("O0"))) void memcpy(void *dest, void *src,
+                                                      uint64_t len) {
+  uint8_t *d = (uint8_t *)dest;
+  const uint8_t *s = (const uint8_t *)src;
+  for (uint64_t i = 0; i < len; i++) {
+    d[i] = s[i];
+  }
+}
+
+__attribute__((noinline, optimize("O0"))) char *strcpy(char *dest,
+                                                       const char *src) {
+  char *d = dest;
+  while ((*d++ = *src++)) {
+  }
+  return dest;
+}
+
+__attribute__((noinline, optimize("O0"))) void *memset(void *s, int c,
+                                                       uint64_t n) {
+  unsigned char *p = (unsigned char *)s;
+  while (n--) {
+    *p++ = (unsigned char)c;
+  }
+  return s;
+}
+
+void disable_intr(void) { __asm__ __volatile__("cli" : : : "memory"); }
+
+void halt(void) { __asm__ __volatile__("hlt"); }
+
+uint64_t rdmsr(uint32_t msr) {
+  uint32_t low, high;
+  __asm__ __volatile__("rdmsr" : "=a"(low), "=d"(high) : "c"(msr));
+  return ((uint64_t)high << 32) | low;
+}
+
+void wrmsr(uint32_t msr, uint64_t val) {
+  uint32_t low = val & 0xFFFFFFFF;
+  uint32_t high = val >> 32;
+  __asm__ __volatile__("wrmsr" : : "a"(low), "d"(high), "c"(msr));
+}
+
+// Map FreeBSD atomic_add_32 to GCC builtin
+void atomic_add_32(volatile uint32_t *p, uint32_t v) {
+  __sync_fetch_and_add(p, v);
+}
+
+// Map FreeBSD atomic_cmpset_32 to GCC builtin
+int atomic_cmpset_32(volatile uint32_t *dst, uint32_t exp, uint32_t src) {
+  return __sync_bool_compare_and_swap(dst, exp, src);
+}
+
+uint8_t get_cpu(void) {
+  uint32_t eax, ebx, ecx, edx;
+  __get_cpuid(1, &eax, &ebx, &ecx, &edx);
+  uint8_t cpu_id = (ebx >> 24) & 0xFF;
+  return cpu_id;
+}
--- a/shellcode_hypervisor/utils.h
+++ b/shellcode_hypervisor/utils.h
@@ -0,0 +1,28 @@
+#ifndef UTILS_H
+#define UTILS_H
+
+#include <stdint.h>
+
+uint32_t putc_uart(uint8_t tx_byte);
+int printf(const uint8_t *msg);
+uint8_t *u64_to_hex_custom(uint64_t val, uint8_t *dest);
+
+extern uint8_t hex_val[17];
+
+inline int print_val64(uint64_t val) {
+  return printf(u64_to_hex_custom(val, hex_val));
+}
+
+void memcpy(void *dest, void *src, uint64_t len);
+char *strcpy(char *dest, const char *src);
+void *memset(void *s, int c, uint64_t n);
+
+void disable_intr(void);
+void halt(void);
+uint64_t rdmsr(uint32_t msr);
+void wrmsr(uint32_t msr, uint64_t val);
+void atomic_add_32(volatile uint32_t *p, uint32_t v);
+int atomic_cmpset_32(volatile uint32_t *dst, uint32_t exp, uint32_t src);
+uint8_t get_cpu(void);
+
+#endif