Following the Chaitin Tech PS4 ROP Tool, 5lipper recently added PlayStation 4 KASLR (Kernel Address Space Layout Randomization) support for 3.55, 4.00 and 4.01 firmware to fail0verflow's PS4 Kexec Git repository.
While that was done a few days ago and mentioned by @Fimo among others in the Shoutbox and on Twitter (below), today @RazorMC shared some additional details from the Git repository via Hydrogen at NGU, to quote:
Hello NextGenUpdate, yesterday a user named 5lipper added extra support for KASLR on PS4 for firmwares 3.55, 4.00, and 4.01. If you find it interesting and useful, they have added it onto fail0verflow's PS4 Kexec GitHub.
To find it and use it, click here: Fail0verflow's PS4 Kexec GitHub
There's a lot more, but overall they are all there posted, go check it out!
--Makefile--
Code:
@@ -1,11 +1,8 @@
-ifdef DDO_NOT_REMAP_RWX
-DO_NOT_REMAP_RWX := -DDO_NOT_REMAP_RWX
-endif
-
-CFLAGS := -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \
+CFLAGS=$(CFLAG)
+CFLAGS += -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \
-fPIC -fomit-frame-pointer -nostdlib -nostdinc \
-fno-asynchronous-unwind-tables \
- -Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic $(DO_NOT_REMAP_RWX)
+ -Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic
SOURCES := kernel.c kexec.c linux_boot.c linux_thunk.S uart.c firmware.c
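Review bot: the `ifdef DDO_NOT_REMAP_RWX` / `$(DO_NOT_REMAP_RWX)` plumbing is removed without a replacement, so anyone who relied on it now has to pass `CFLAG='-DDO_NOT_REMAP_RWX'` by hand; that should be stated in the README next to the new KASLR flags (the old guard tested `DDO_NOT_REMAP_RWX`, with a doubled `D`, which looks like a typo that never matched the `DO_NOT_REMAP_RWX` variable set on the next line, so it is worth noting in the commit message that this path was probably already broken). Minor style point: `CFLAGS=$(CFLAG)` uses recursive `=` while the rest of the file uses `:=`; `CFLAGS := $(CFLAG)` keeps it consistent, and a name such as `EXTRA_CFLAGS` instead of `CFLAG` would avoid confusion with `CFLAGS`.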
--README.md--
Code:
@@ -34,6 +34,14 @@ You may pass something other than NULL as `early_printf`. In that case, that
function will be used for debug output during early symbol resolution, before
printf is available.
+Since PS4 3.55(?), KASLR(Kernel Address Space Layout Randomization) is
+enabled by default, symtab also disappears in newer kernel, we have to
+hardcode offsets for some symbols. Currently we use the `early_printf`
+given by user to caculate the base address of kernel, then relocate all the
+symbols from the kernel base. You could enable this feature like this:
+
+ make CFLAG='-DPS4_4_00 -DKASLR -DNO_SYMTAB'
+
If you do not want to call the syscall from userspace, you can pass the address
of a function pointer as `sys_kexec_ptr`. `kexec_init` will write to it the
address of `sys_kexec`, so you can invoke it manually (see kexec.h for
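Review bot: two wording fixes in the added paragraph, `caculate` should be `calculate`, and `3.55(?)` should either be confirmed or written as "from 3.55 onwards (unverified)". More importantly, the paragraph should say what `early_printf` must point to when `-DKASLR -DNO_SYMTAB` is set: as described, the kernel base is derived from the user-supplied `early_printf` address using a hardcoded per-firmware offset, so the pointer has to be the exact kernel function that offset was taken from, and the firmware define (`-DPS4_4_00` here) has to match the running firmware; a mismatch produces a wrong base and every relocated symbol is silently off. Suggest documenting both requirements, listing the firmware defines that are accepted, and failing the build with `#error` when `-DKASLR -DNO_SYMTAB` is given without a firmware define.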
--firmware.c--
Code:
@@ -109,7 +109,7 @@ ssize_t firmware_extract(void *dest)
u8 *p = dest;
// Yeah, this calls it Starsha... Liverpool, Starsha, ThebeJ, whatever.
- struct fw_info_t *info = kernel_resolve("Starsha_UcodeInfo");
+ struct fw_info_t *info = kern.Starsha_UcodeInfo;
if (!info) {
kern.printf("firmware_extract: Could not locate firmware table");
return -1;
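Review bot: the `if (!info)` check is kept, which is right, but with `-DNO_SYMTAB` it now depends on `kern.Starsha_UcodeInfo` being populated for every firmware define the relocation table supports; if a firmware lacks that offset the function returns -1 with the same generic "Could not locate firmware table" message, which no longer distinguishes "symbol missing from symtab" from "no hardcoded offset for this firmware". Consider making the message say which lookup path failed. Also, the existing `kern.printf` call has no trailing `\n`, so the message runs into the next line of UART output; worth fixing while touching this line.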