PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Jun 24, 2017 at 1:34 AM | 9
Status
Not open for further replies.
Following the Stack Clash Vulnerability and recent PS4 memes, fx0code passed along news on Twitter of EapDev, which is an experimental FreeBSD 9 toolchain for ARM Cortex-A8.

He thanks the following developers for their help: BigBoss for committing EapDev on Github, VVildCard777 for coding, notzecoxao for inspiration and also ZiL0G80 and droogie1xp.

Download: eapdev-master.zip / GIT

From the README.md:

Brief History

PlayStation 4 is based on FreeBSD 9; the source reference is from September 10, 2011, named release 900044.

The main processor is AMD based, but there is an infamous chip from Marvell that also uses FreeBSD but is based on ARM.

Some people have been working on the arm-eabi branch in FreeBSD for a few years, adding an armv6 target with support for some ARM boards, but the main work is in FreeBSD 10.x, so I have been backporting some of their patches to FreeBSD 9.

What does this do?

This is an experimental patch that lets you compile ARM Cortex-A8 EABI V code on FreeBSD 9, for educational purposes only.

What do I need?

A virtual machine with FreeBSD 9.0 Release installed from: FreeBSD-9.0-RELEASE-amd64-dvd1.iso

1. Install it with VirtualBox

You must choose to install src; you will need it to patch after install. Create a non-root user and add it to the wheel group.

2. Log in with the non-root user you created

3. Install the sudo port
Code:
$ su -
eapjutsu# cd /usr/ports/security/sudo
eapjutsu# make install

Uncomment the wheel group line so that our user can use sudo

eapjutsu# vi /usr/local/etc/sudoers

4. Install the gmake port
Code:
eapjutsu# cd /usr/ports/devel/gmake
eapjutsu# make install
eapjutsu# exit

5. Download the repository

6. Copy the local sources to our working directory
Code:
$ cd
$ mkdir work
$
$ cd /usr
$ tar cvf /home/bigboss/work/src.tar ./src
$ cd
$ cd work
$ tar xf src.tar
$ cd src
$ patch -p1 < ../eapjutsu_patch.txt

7. Compile the cross toolchain for the armv6 target
Code:
$ sudo make XDEV=arm XDEV_ARCH=armv6 xdev

8. Native clang invokes /usr/bin/ld; change it to use our generated ld
Code:
$ cd /usr/bin
$ sudo cp ld ld.orig
$ sudo rm ld
$ sudo ln -s armv6-freebsd-ld ld

9. Use the included Makefile with your main.c
Code:
$ make
clang -v -march=armv7-a -mfloat-abi=hard -ccc-host-triple arm-elf -integrated-as --sysroot /usr/armv6-freebsd -static -c main.c
FreeBSD clang version 3.0 (branches/release_30 142614) 20111021
Target: arm-elf-
Thread model: posix
 "/usr/bin/clang" -cc1 -triple armv7-elf- -emit-obj -mrelax-all -disable-free -main-file-name main.c -static-define -mrelocation-model static -mdisable-fp-elim -mconstructor-aliases -target-abi apcs-gnu -target-cpu cortex-a8 -mfloat-abi hard -momit-leaf-frame-pointer -v -coverage-file main.o -resource-dir /usr/bin/../lib/clang/3.0 -isysroot /usr/armv6-freebsd -fmodule-cache-path /var/tmp/clang-module-cache -ferror-limit 19 -fmessage-length 80 -fno-signed-char -fgnu-runtime -fobjc-runtime-has-arc -fobjc-runtime-has-weak -fobjc-fragile-abi -fdiagnostics-show-option -fcolor-diagnostics -o main.o -x c main.c
clang -cc1 version 3.0 based upon llvm 3.0 hosted on x86_64-unknown-freebsd9.0
ignoring nonexistent directory "/usr/armv6-freebsd/usr/local/include"
ignoring nonexistent directory "/usr/bin/../lib/clang/3.0/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/armv6-freebsd/usr/include
End of search list.
clang -v -march=armv7-a -mfloat-abi=hard -ccc-host-triple arm-elf -integrated-as --sysroot /usr/armv6-freebsd -static main.c -lc -o sample.elf
FreeBSD clang version 3.0 (branches/release_30 142614) 20111021
Target: arm-elf-
Thread model: posix
 "/usr/bin/clang" -cc1 -triple armv7-elf- -emit-obj -mrelax-all -disable-free -main-file-name main.c -static-define -mrelocation-model static -mdisable-fp-elim -mconstructor-aliases -target-abi apcs-gnu -target-cpu cortex-a8 -mfloat-abi hard -momit-leaf-frame-pointer -v -resource-dir /usr/bin/../lib/clang/3.0 -isysroot /usr/armv6-freebsd -fmodule-cache-path /var/tmp/clang-module-cache -ferror-limit 19 -fmessage-length 80 -fno-signed-char -fgnu-runtime -fobjc-runtime-has-arc -fobjc-runtime-has-weak -fobjc-fragile-abi -fdiagnostics-show-option -fcolor-diagnostics -o /tmp/main-9GeDko_O -x c main.c
clang -cc1 version 3.0 based upon llvm 3.0 hosted on x86_64-unknown-freebsd9.0
ignoring nonexistent directory "/usr/armv6-freebsd/usr/local/include"
ignoring nonexistent directory "/usr/bin/../lib/clang/3.0/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/armv6-freebsd/usr/include
End of search list.
 "/usr/bin/gcc" -v -march=armv7-a -mfloat-abi=hard --sysroot=/usr/armv6-freebsd -static -o sample.elf /tmp/main-9GeDko_O -lc
Using built-in specs.
Target: amd64-undermydesk-freebsd
Configured with: FreeBSD/amd64 system compiler
Thread model: posix
gcc version 4.2.1 20070831 patched [FreeBSD]

/usr/bin/ld --sysroot=/usr/armv6-freebsd -V -Bstatic -o sample.elf /usr/armv6-freebsd/usr/lib/crt1.o /usr/armv6-freebsd/usr/lib/crti.o /usr/armv6-freebsd/usr/lib/crtbeginT.o -L/usr/armv6-freebsd/usr/lib -L/usr/armv6-freebsd/usr/lib /tmp/main-9GeDko_O -lc -lgcc -lgcc_eh -lc -lgcc -lgcc_eh /usr/armv6-freebsd/usr/lib/crtend.o /usr/armv6-freebsd/usr/lib/crtn.o

GNU ld 2.17.50 [FreeBSD] 2007-07-03
  Supported emulations:
   armelf_fbsd
armv6-freebsd-strip sample.elf

10. Checks
Code:
$ readelf -h sample.elf
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x8100
  Start of program headers:          52 (bytes into file)
  Start of section headers:          119964 (bytes into file)
  Flags:                             0x5000202, has entry point, Version5 EABI, <unknown>
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         3
  Size of section headers:           40 (bytes)
  Number of section headers:         15
  Section header string table index: 14
$ readelf -A sample.elf
Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "CORTEX-A8"
  Tag_CPU_arch: v7
  Tag_CPU_arch_profile: Application
  Tag_ARM_ISA_use: Yes
  Tag_THUMB_ISA_use: Thumb-2
  Tag_VFP_arch: VFPv3
  Tag_NEON_arch: NEONv1
  Tag_ABI_FP_denormal: Needed
  Tag_ABI_FP_exceptions: Needed
  Tag_ABI_FP_number_model: IEEE 754
  Tag_ABI_align8_needed: Yes
  Tag_ABI_align8_preserved: Yes, except leaf SP

Many thanks to HI_Ricky (aka @rickylyh) for the documentation on the proto board EDM-AR10, which successfully identifies the following chips:
  • Infineon H2007A75 TPM Chip
  • Mediatek MT3613CT Southbridge
  • Marvell SS1320BWV SSD Controller
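
The step 10 header check, as an added example (not part of the EapDev README or repository): a Python script that parses an ELF32 header and confirms the fields readelf reports for sample.elf. The header bytes are constructed from the readelf output above, and the function names are illustrative.

```python
import struct

# ELF32 header rebuilt from the `readelf -h sample.elf` values in step 10
# (constructed sample, not bytes from a real build).
SAMPLE_EHDR = bytes.fromhex("7f454c46010101000000000000000000") + struct.pack(
    "<HHIIIIIHHHHHH",
    2, 40, 1,               # e_type EXEC, e_machine ARM, e_version
    0x8100, 52, 119964,     # e_entry, e_phoff, e_shoff
    0x5000202,              # e_flags
    52, 32, 3, 40, 15, 14)  # ehsize, phentsize, phnum, shentsize, shnum, shstrndx

ET_EXEC, EM_ARM = 2, 40
# e_flags bits as named in current binutils/glibc ELF headers
EF_ARM_HASENTRY = 0x02
EF_ARM_ABI_FLOAT_SOFT = 0x200   # the bit readelf 2.17.50 prints as <unknown>
EF_ARM_ABI_FLOAT_HARD = 0x400
EF_ARM_EABIMASK = 0xFF000000

def decode_arm_flags(flags):
    """Split ARM e_flags into the fields readelf summarises on the Flags line."""
    if flags & EF_ARM_ABI_FLOAT_HARD:
        float_abi = "hard"
    elif flags & EF_ARM_ABI_FLOAT_SOFT:
        float_abi = "soft"
    else:
        float_abi = "unspecified"
    return {"eabi": (flags & EF_ARM_EABIMASK) >> 24,
            "has_entry": bool(flags & EF_ARM_HASENTRY),
            "float_abi": float_abi}

def check_header(data):
    """Return mismatches against the step 10 output; [] means the header matches."""
    if len(data) < 52 or bytes(data[:4]) != b"\x7fELF":
        return ["not an ELF file"]
    if data[4] != 1 or data[5] != 1:
        # ELF64 or big endian: the field layout differs, so stop here
        return ["not ELF32 little endian (was the host linker used?)"]
    e_type, machine, _, entry, _, _, flags = struct.unpack_from("<HHIIIII", data, 16)
    problems = []
    if machine != EM_ARM:
        problems.append("e_machine is %d, expected ARM (40)" % machine)
    if e_type != ET_EXEC:
        problems.append("e_type is %d, expected EXEC (2)" % e_type)
    if decode_arm_flags(flags)["eabi"] != 5:
        problems.append("not Version5 EABI")
    if entry == 0:
        problems.append("no entry point")
    return problems

if __name__ == "__main__":
    print(check_header(SAMPLE_EHDR), decode_arm_flags(0x5000202))
```

To check a real build, pass the first 52 bytes of sample.elf to `check_header`; an ELF64 or non-ARM result means the host compiler or linker was picked up instead of the armv6-freebsd one set up in step 8.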

Comments

I remember marcan at c3 conference talking about this chip and how dumb Sony is for putting it there. It's for downloading/installing stuff in low power mode. Since there's so much modding of arm stuff, it could be promising.

Ps4 scene lit yo! :p Let's hope it blows the fook up soon!
 
look at the src using a triple tunnel from armv6 like seriously it's not something new being ported from board to board to board

system V? lmfao yet was rumoured that Samsung had a port on specific chipset with in-house programmers.

armv7= cortex-A7/A9/A15
 
Code:
+ { .name = "cortex-a7", .initfn = cortex_a7_initfn },
{ .name = "cortex-a8", .initfn = cortex_a8_initfn },
{ .name = "cortex-a9", .initfn = cortex_a9_initfn },
{ .name = "cortex-a15", .initfn = cortex_a15_initfn },
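Review bot: the added "cortex-a7" row points at cortex_a7_initfn, whose body is not among these lines, so the table entry alone cannot show that the features and registers match the two Cortex-A7 Technical Reference Manuals the message cites. Since the message also says the A7 is very similar to the A15, it would help to state where cortex_a7_initfn differs from cortex_a15_initfn, so the new entry is not read as a plain copy of the A15 one.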
arm: add Cortex A7 CPU parameters

Add the "cortex-a7" CPU with features and registers matching the Cortex-A7
MPCore Technical Reference Manual and the Cortex-A7 Floating-Point Unit
Technical Reference Manual. The A7 is very similar to the A15.
 