/*
* macros.h -- PS3 Jailbreak payload macros
*
* Copyright (C) Youness Alaoui (KaKaRoTo)
* Copyright (C) Aaron Lindsay (Aaron')
* Copyright (C) (subdub)
*
* This software is distributed under the terms of the GNU General Public
* License ("GPL") version 3, as published by the Free Software Foundation.
*
*/
#ifndef __MACRO_H_S__
#define __MACRO_H_S__
#include "config.h"
/*
 * Per-firmware kernel addresses and patch offsets, selected by the FIRMWARE_*
 * macro that config.h (included above) is expected to define.  Presumably the
 * same names are meant to exist in every branch so the payload source can use
 * them unconditionally; the NOTE(review) comments in the 3.10 and 3.01 tables
 * mark where that does not hold.
 */
#ifdef FIRMWARE_3_41
/* Common Symbols */
#define memcpy 0x7c01c
#define memset 0x4d144
#define strcpy 0x4d2f0
#define strncmp 0x4d344
#define strlen 0x4d318
#define strdup_from_user 0x1b3b3c // FIXME: unsure of the name!
#define alloc 0x62088
#define free 0x624c8
#define add_kernel_module 0xd22d8
#define syscall_table 0x2eb128
#define get_device_descriptor 0xd2998 // FIXME: unsure of the name!
#define unknown_func1 0xd29c4 // FIXME
#define unknown_func2 0xd292c // FIXME
#define memory_patch_func 0x4e81c
// patch_funcN = function address, patch_funcN_offset = offset inside it.
#define patch_func1 0x0490AC
#define patch_func1_offset 0x34
#define patch_func2 0x04F07C
#define patch_func2_offset 0x2C
#define patch_func3 0x2aafc8
#define patch_func3_offset 0x24
#define patch_func4 0x04ed18
#define patch_func4_offset 0x0
#define patch_func5 0x0505d0
#define patch_func5_offset 0x0
#define patch_func6 0x0234d0
#define patch_func6_offset 0x0
#define patch_func7 0x0e83d4
#define patch_func7_offset 0x0
#define patch_func8 0x057214 //lv2open update patch
#define patch_func8_offset1 0xA4 //lv2open update patch
#define patch_func8_offset2 0x208 //lv2open update patch
#define patch_data1 0x3ba890
#define rtoc_entry_1 0xf08
#define rtoc_entry_2 -0x6a00
// Payload bases
// MEM_BASE2 is the 32-bit part of the resident payload's address; MEM_BASE
// (below) supplies the 0x80000000_00000000 upper half.
#define MEM_BASE2 (0x50B3C)
#define RESIDENT_PAYLOAD_MAXSIZE (1296)
#define HASH_TABLE_1 0xa0556f3d002cb8fd
#define HASH_TABLE_2 0x6b70280200020017
#define HASH_TABLE_3 0x8c0a948c000d99b1
#define HASH_TABLE_4 0xa2bc1a5600052adc
#define elf1_func1 0x5f3fc0
#define elf1_func1_offset 0x00
#define elf1_func2 0x305354
#define elf1_func2_offset 0x14
#define elf2_func1 0x2eb7c
#define elf2_func1_offset 0x374
#define elf3_data 0x0022b888
#define elf4_data 0x000d68b8
#elif defined(FIRMWARE_3_15)
/* Common Symbols */
#define memcpy 0x7be9c
#define memset 0x4cc00
#define strcpy 0x4cdac
#define strncmp 0x4ce00
#define strlen 0x4cdd4
#define strdup_from_user 0x1b3d08 // FIXME: unsure of the name!
#define alloc 0x61cf0
#define free 0x62138
#define add_kernel_module 0x12A7AC // DONE
#define syscall_table 0x2ea820
#define get_device_descriptor 0x12A1B4 // DONE
#define unknown_func1 0xE0928 // DONE
#define unknown_func2 0xD3408 // DONE
#define memory_patch_func 0x4e310
#define patch_func1 0x048a64
#define patch_func1_offset 0x34
#define patch_func2 0x04eb48
#define patch_func2_offset 0x2C
#define patch_func3 0x2aabec
#define patch_func3_offset 0x24
#define patch_func4 0x04e7e4
#define patch_func4_offset 0x0
#define patch_func5 0x05009c
#define patch_func5_offset 0x0
#define patch_func6 0x237E0
#define patch_func6_offset 0x0
#define patch_func7 0xE8E98
#define patch_func7_offset 0x0
#define patch_func8 0x56C3C
#define patch_func8_offset1 0x68
#define patch_func8_offset2 0x1CC
#define patch_data1 0x3B9910
#define rtoc_entry_1 0xd58
#define rtoc_entry_2 -0x6b08
// Payload bases
#define MEM_BASE2 (0x50608)
#define RESIDENT_PAYLOAD_MAXSIZE (1296)
#define HASH_TABLE_1 0xA06FF29B002C284A
#define HASH_TABLE_2 0x6B7028220001E53E
#define HASH_TABLE_3 0x8C0A948C000C7AA6
#define HASH_TABLE_4 0x7FE3F53F000508D5
#define elf1_func1 0x5e3aec
#define elf1_func1_offset 0x00
#define elf1_func2 0x2fb05c
#define elf1_func2_offset 0x14
#define elf2_func1 0xe518
#define elf2_func1_offset 0x374
#define elf3_data 0x00204048
#define elf4_data 0x000d3e10
#elif defined(FIRMWARE_3_10)
// NOTE(review): unlike the 3.41 and 3.15 tables, this one defines no
// add_kernel_module, get_device_descriptor, unknown_func1 or unknown_func2;
// any use of those names under FIRMWARE_3_10 is left to the assembler as an
// undefined symbol.
#define memcpy 0x7BE98
#define memset 0x4CBFC
#define strcpy 0x4CDA8
#define strncmp 0x4CDFC
#define strlen 0x4CDD0
#define strdup_from_user 0x1b3d14 // FIXME: unsure of the name!
#define alloc 0x61CEC
#define free 0x62134
#define syscall_table 0x2EA820
#define memory_patch_func 0x4E30C
#define patch_func1 0x48A60
#define patch_func1_offset 0x34
#define patch_func2 0x4EB44
#define patch_func2_offset 0x2C
#define patch_func3 0x2AABF4
#define patch_func3_offset 0x24
#define patch_func4 0x4E7E0
#define patch_func4_offset 0x0
#define patch_func5 0x50098
#define patch_func5_offset 0x0
// NOTE(review): patch_func6..8 are 0 here but real addresses in 3.41/3.15;
// presumably 0 means "no patch" — confirm that every user of these names
// treats 0 that way.
#define patch_func6 0
#define patch_func6_offset 0
#define patch_func7 0
#define patch_func7_offset 0
#define patch_func8 0
// NOTE(review): named patch_func8_offset here, whereas 3.41/3.15 define
// patch_func8_offset1 and patch_func8_offset2; code written against those
// two names does not resolve under FIRMWARE_3_10.
#define patch_func8_offset 0
#define patch_data1 0x3B9990
#define rtoc_entry_1 0xD60
#define rtoc_entry_2 -0x6B08
#define MEM_BASE2 (0x50604)
#define RESIDENT_PAYLOAD_MAXSIZE (1296)
#define HASH_TABLE_1 0xA06F35DB002C221E
#define HASH_TABLE_2 0x6B7028220001E535
#define HASH_TABLE_3 0x8C0A948C000C79E5
#define HASH_TABLE_4 0x7FE3F5CF000508A4
#define elf1_func1 0x5E2C7C
#define elf1_func1_offset 0x00
#define elf1_func2 0x2FAA14
#define elf1_func2_offset 0x14
#define elf2_func1 0xe518
#define elf2_func1_offset 0x374
#define elf3_data 0x203e90
#define elf4_data 0xd3e28
#elif defined(FIRMWARE_3_01)
#define memcpy 0x77E84
#define memset 0x4A95C
#define strcpy 0x4AAC4
#define strncmp 0x4AB18
#define strlen 0x4AAEC
#define strdup_from_user 0x1ACAF4 // FIXME: unsure of the name!
#define alloc 0x5DF4C
#define free 0x5E38C
// NOTE(review): add_kernel_module, get_device_descriptor, unknown_func1 and
// unknown_func2 expand to nothing in this table; an instruction that uses one
// of them is left with a missing operand instead of an address.
#define add_kernel_module
#define syscall_table 0x2CFB40
#define get_device_descriptor // FIXME: unsure of the name!
#define unknown_func1 // FIXME
#define unknown_func2 // FIXME
#define memory_patch_func 0x4BFF0
#define patch_func1 0x468C4
#define patch_func1_offset 0x34
#define patch_func2 0x04C824
#define patch_func2_offset 0x2C
#define patch_func3 0x291DEC
#define patch_func3_offset 0x24
#define patch_func4 0x4C4C0
#define patch_func4_offset 0x0
#define patch_func5 0x04DCA8
#define patch_func5_offset 0x0
// NOTE(review): same as 3.10 — patch_func6..8 are 0, and patch_func8_offset
// is a different name from the patch_func8_offset1/_offset2 used in 3.41/3.15.
#define patch_func6 0
#define patch_func6_offset 0
#define patch_func7 0
#define patch_func7_offset 0
#define patch_func8 0
#define patch_func8_offset 0
#define patch_data1 0x39C010
#define rtoc_entry_1 0xD00
#define rtoc_entry_2 -0x6B30
#define MEM_BASE2 (0x04E214)
#define RESIDENT_PAYLOAD_MAXSIZE (1296)
#define HASH_TABLE_1 0xA00A6748002B0669
#define HASH_TABLE_2 0x6331A81B0001F7AC
#define HASH_TABLE_3 0x6A05EE84000BEBFC
#define HASH_TABLE_4 0xBF5574E70004FDD5
#define elf1_func1 0x5B009C
#define elf1_func1_offset 0x00
#define elf1_func2 0x219B44
#define elf1_func2_offset 0x14
#define elf2_func1 0xe578
#define elf2_func1_offset 0x374
#define elf3_data 0x001EAE98
#define elf4_data 0x000D1D00
#endif
#define PAGE_SIZE 0x1000
// Offset of the payload inside its page; USE_JIG (from config.h, presumably)
// selects the smaller offset.
#ifdef USE_JIG
#define PAYLOAD_OFFSET_IN_PAGE 0x20
#else
#define PAYLOAD_OFFSET_IN_PAGE 0x38
#endif
// The following are expressed with assembler labels this header does not
// define — payload_start, payload_end, overwritten_kernel_function — so the
// including source must provide them.
#define PAYLOAD_SIZE ADDR_IN_PAGE(payload_end)
// Resident part of the payload: from overwritten_kernel_function to payload_end.
#define RESIDENT_PAYLOAD_OFFSET (overwritten_kernel_function)
#define RESIDENT_PAYLOAD_SIZE (payload_end - RESIDENT_PAYLOAD_OFFSET)
// NOTE(review): nothing in this header compares RESIDENT_PAYLOAD_SIZE against
// the per-firmware RESIDENT_PAYLOAD_MAXSIZE; confirm the build checks it
// somewhere, otherwise an oversized resident payload goes unnoticed.
// Offset of `target` within the payload page.
#define ADDR_IN_PAGE(target) (PAYLOAD_OFFSET_IN_PAGE + (target) - payload_start)
// Offset of `target` within the resident payload, i.e. relative to MEM_BASE2.
#define ADDR_IN_MEM2(target) ((target) - RESIDENT_PAYLOAD_OFFSET)
/* Addressing Macros */
// Absolute branching
// Displacement from the current location `.` — once it sits in MEM2 at
// MEM_BASE2 + ADDR_IN_MEM2(.) — to `target`, for use as a branch operand.
// NOTE(review): `target` is not parenthesized; pass a single symbol or
// parenthesize the argument at the call site.
#define ABSOLUTE_MEM2(target) (target - (MEM_BASE2 + ADDR_IN_MEM2(.)))
// Dynamic macros to load a label into a register
// MEM_BASE(dest): dest = 0x8000000000000000.  `li` puts 1 in dest, then
// rldicr rotates it left by 63 and masks to bit 0 (the MSB), leaving only the
// top bit set.  This is the same high half QUAD_MEM2 emits as .long 0x80000000;
// LOAD_LABEL ORs a 32-bit address into the low half.  Flags are not affected.
#define MEM_BASE(dest) \
li dest, 1; \
rldicr dest, dest, 63, 0;
// LOAD_LABEL(base, dest, source, address):
//   dest = source | (32-bit value of (base + address)), built as oris with the
//   high 16 bits (@h) followed by ori with the low 16 bits (@l).  The upper 32
//   bits of `source` pass through untouched, so it is normally a register set
//   up by MEM_BASE.  oris/ori do not touch the condition register.
#define LOAD_LABEL(base, dest, source, address) \
oris dest, source, ((base) + (address))@h; \
ori dest, dest, ((base) + (address))@l;
// LOAD_LABEL2(dest, source, address): LOAD_LABEL with the resident payload's
// address of `address`, MEM_BASE2 + ADDR_IN_MEM2(address).
#define LOAD_LABEL2(dest, source, address) \
LOAD_LABEL(MEM_BASE2, dest, source, ADDR_IN_MEM2 (address))
// LOADI_LABEL2(dest, address): in-place form of LOAD_LABEL2 (source == dest).
#define LOADI_LABEL2(dest, address) \
LOAD_LABEL2(dest, dest, address)
// LOAD_MEM_BASE2(dest): dest = 0x80000000_<MEM_BASE2>, i.e. the 64-bit address
// of the start of the resident payload (MEM_BASE, then LOAD_LABEL with offset 0).
// Presumably used to prepare the `source` register for later LOAD_LABEL2 calls.
#define LOAD_MEM_BASE2(dest) \
MEM_BASE (dest) \
LOAD_LABEL (MEM_BASE2, dest, dest, 0)
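// Add system calls. Use only in exploit_main because of registers used...
//
// ADD_SYSCALL(source, ptr, num):
//   r3 = resident-payload address of `ptr`      (LOAD_LABEL2)
//   r4 = absolute address of syscall_table      (LOAD_ABS, defined below;
//        fine, the preprocessor expands it at the point of use)
//   std r3 -> syscall_table slot `num` (8 bytes per slot, hence 0x08*num)
// Clobbers r3 and r4.  `source` must hold the MEM_BASE upper half, as for
// LOAD_LABEL.
// The last line used to end in a trailing '\', which continued the macro into
// whatever line followed it; it only worked because that line was a comment.
// The continuation is removed so the macro ends at the std.
#define ADD_SYSCALL(source, ptr, num) \
LOAD_LABEL2 (%r3, source, ptr); \
LOAD_ABS (%r4, source, syscall_table); \
std %r3, 0x08*num(%r4);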
// For loading an absolute value
// LOAD_ABS(dest, source, address): LOAD_LABEL with base 0, for addresses that
// are already absolute, e.g. the per-firmware symbols above.
#define LOAD_ABS(dest, source, address) LOAD_LABEL(0, dest, source, address)
// LOADI_ABS(dest, address): in-place form of LOAD_ABS (source == dest).
#define LOADI_ABS(dest, address) LOAD_ABS(dest, dest, address)
// Absolute .quads
// HACK ALERT: the open toolchain bugs during compilation when trying to add
// a 'bignum' with address or MEM_BASE1.. so we split it here into two .long
// makes it easy since PPC is big endian.
// QUAD_MEM2(address): emits the 64-bit value 0x80000000_<MEM_BASE2 + offset>
// as two big-endian words.  The high word is the same value MEM_BASE builds
// in a register, so data and code agree on the address layout.
#define QUAD_MEM2(address) \
.long 0x80000000; \
.long MEM_BASE2 + ADDR_IN_MEM2(address);
/* Patch Table Macros */
// Each table entry is a .long offset followed by the replacement bytes.
// PATCH_INST(offset, instruction...): the offset, then the instruction(s)
// given (GNU named variadic parameter, so a comma inside is allowed).
#define PATCH_INST(offset, instruction...) \
.long offset; \
instruction;
// PATCH_DATA(offset, data...): the offset, then the raw .long word(s).
#define PATCH_DATA(offset, data...) \
.long offset; \
.long data;
// PATCH_BRANCH(offset, op, target): the offset, then the branch instruction
// `op` with a displacement of (target - offset), i.e. relative to the patched
// location rather than to `.`.
#define PATCH_BRANCH(offset, op, target) \
.long offset; \
op ((target) - (offset));
// PATCH_BRANCH_MEM2: PATCH_BRANCH whose target is given as its address inside
// the resident payload (MEM_BASE2 + ADDR_IN_MEM2(target)).
#define PATCH_BRANCH_MEM2(offset, op, target) \
PATCH_BRANCH (offset, op, (MEM_BASE2 + ADDR_IN_MEM2(target)));
// BRANCH_ABSOLUTE(dest, target): call the absolute address `target` through
// CTR.  dest = 0x80000000_<target> (MEM_BASE, then oris/ori with @h/@l), then
// mtctr and bctrl.  Clobbers dest, CTR and LR (bctrl stores the return
// address in LR).
// NOTE(review): `target` is not parenthesized; pass a single symbol.
#define BRANCH_ABSOLUTE(dest, target) \
MEM_BASE (dest); \
oris dest, dest, target@h; \
ori dest, dest, target@l; \
mtctr dest; \
bctrl;
// GET_CURRENT_PAGE(temp, dest): dest = address of this code rounded down to a
// PAGE_SIZE (0x1000) boundary.  `bl` leaves the address of the following
// instruction in LR, mflr copies it to dest, and temp = ~0xfff (li, then nor
// with itself) is the page mask applied by `and`.  Clobbers temp, dest and LR
// — save LR first if the caller needs it.
// NOTE(review): get_current_page and got_current_page are ordinary (non-local)
// labels, so this macro can be expanded at most once per assembly unit or the
// assembler reports duplicate symbols.
#define GET_CURRENT_PAGE(temp, dest) \
bl get_current_page; \
b got_current_page; \
get_current_page: \
mflr dest; \
blr; \
got_current_page: \
li temp, 0xfff; \
nor temp, temp, temp; \
and dest, dest, temp;
// PANIC(): issues `sc 1` (system call with LEV=1) with r3 = 0 and r11 = 255.
// What the callee does with that is not visible in this header; the name
// suggests a deliberate halt.  Clobbers r3 and r11.
#define PANIC() \
li %r3, 0; \
li %r11, 255; \
sc 1;
// Allocate new memory and copy a function to it. R3 to R11 will be lost
// pl3_memcpy must be included!
// ALLOC_AND_COPY_PROC(base_reg, function, size):
//   r3 = alloc(size, 0x27)            via BRANCH_ABSOLUTE, r6 as scratch;
//                                     the meaning of 0x27 is not visible here
//   r7 = r3                           keep the new block across the copy
//   pl3_memcpy(r3 = new block, r4 = base_reg + ADDR_IN_PAGE(function), r5 = size)
//   r3 = r7                           return the new block in r3
// `size` is loaded twice with li, so it must fit a signed 16-bit immediate.
// base_reg is presumably the page address from GET_CURRENT_PAGE, since
// ADDR_IN_PAGE yields an offset within the page — confirm at the call sites.
// Assumes pl3_memcpy preserves r7; otherwise the final mr returns garbage.
#define ALLOC_AND_COPY_PROC(base_reg, function, size) \
li %r3, size; \
li %r4, 0x27; \
BRANCH_ABSOLUTE (%r6, alloc); \
mr %r7, %r3; \
addi %r4, base_reg, ADDR_IN_PAGE(function); \
li %r5, size; \
bl pl3_memcpy; \
mr %r3, %r7;
#endif /* __MACRO_H_S__ */