PS5 CFW and Hacks | Thread starter: PSXHAX | Start date: Feb 9, 2023 at 3:08 PM
Recently cheburek3000 made available Meme_Dumper, a memory dumper for PS5 Scene developers that reads PlayStation 5 memory through physical addresses (which the kernel maps via its direct map without the page protections of the normal virtual mappings) instead of through virtual addresses.

Download: meme_dumper-main.zip / GIT

Here's more from the README.md, as follows:

Meme dumper

Summary

Why access memory through a virtual address when you can access it through a physical address, which is mapped without any protection? :)

With this idea in mind, this tool runs a server that will dump almost any memory for you, including memory that would normally be inaccessible through its regular virtual mapping from user space or even from the kernel, because page protections apply to those mappings and not to the direct map.

How to use
  • Download and build PS5SDK and set the environment variable PS5SDK to the folder with ***.
  • Run something on your PC to serve as a logger, e.g. ncat -k -l 5655.
  • Replace the PC_IP and PC_PORT macros on lines 10-11 with your logger server's IP and port.
  • This tool is firmware-dependent and will only work on firmwares supported by the *** for kernel hacking. See the PS5SDK README.md for this information.
  • Set PS5SDK_FW to the correct target before building. For example, to target 4.03, PS5SDK_FW should be set to 0x403.
  • Run ./build.sh.
  • Deploy bin/meme_dumper.elf with your ELF loader.
  • Send a command to the target, for example echo -n 'dump_paddr 0x21784000 0x1000' | nc $PS5_HOST 9081 > dump.bin (the reply is the raw bytes, so redirect it to a file).
Commands
  • dump_vaddr 0x{vaddr} 0x{size} - resolve the virtual address to a physical one and ask the kernel to dump {size} bytes from physical memory.
  • dump_paddr 0x{paddr} 0x{size} - dump {size} bytes of physical memory starting at the physical address.
  • dump_ranges - dump all mappings from virtual memory to physical memory in a human-readable format.
  • stop - stop the server, for example to deploy another ELF.
Not so useful commands
  • dump_abs 0x{absolute address} 0x{size} - ask the kernel to dump {size} bytes from the specified virtual address. Not very useful, since all page protections apply to this query.
  • dump_base 0x{offset from kernel data base} 0x{size} - ask the kernel to dump {size} bytes from the specified offset from the kernel data base. Not very useful, since all page protections apply to this query.
Expected result

Log:
Code:
[+] kernel .data base is ffffffffdb050000, pipe 10->11, rw pair 12->121, pipe addr is ffffbbc23772d8c0
[+] kernel_pmap_store offset 0x3257a78, pm_pml4 0xffffbbbe21784000, pm_cr3 0x21784000, dmap_base 0xffffbbbe00000000
[+] got command = dump_paddr 0x21784000 0x1000
[+] dumping 0x1000 bytes from 0xffffbbbe21784000
[+] got command = stop
[+] stopping
stopped
How it works
  1. Find the kernel_pmap_store offset in kernel .data. Its location can be guessed from a specific signature (see the guess_kernel_pmap_store_offset code).
  2. Luckily it holds both the virtual and the physical address of the PML4 (pm_pml4 and pm_cr3). Their difference is the base of the direct map (DMAP), through which physical memory is mapped directly into kernel memory. See the PADDR_TO_DMAP macro and vmparam.h from FreeBSD for reference.
  3. Walk the page tables to convert any kernel virtual address to a physical address (see the vaddr_to_paddr code).
  4. Read the data at that physical address through the DMAP.
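Steps 2 to 4 as a runnable illustration. This is an added example and not the tool's own code: it derives the DMAP base from the pm_pml4/pm_cr3 pair shown in the log above, walks x86-64 4-level page tables to translate a kernel virtual address to a physical one, and then reads through "physical memory". Physical RAM is simulated by a small constructed buffer whose offsets stand in for physical addresses, and the page-table layout, the 2 MiB large-page mapping and the data pattern are all constructed for the demo; only the LOG_* constants are taken from the page. Step 1 (signature-scanning for kernel_pmap_store) is not reproduced because the signature itself is not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 4-level paging constants (the PS5 CPU is an AMD x86-64 part). */
#define PTE_P             (1ULL << 0)
#define PTE_RW            (1ULL << 1)
#define PTE_PS            (1ULL << 7)   /* large page at PDPT/PD level */
#define PTE_ADDR_MASK     0x000ffffffffff000ULL
#define PDE_2M_ADDR_MASK  0x000fffffffe00000ULL
#define PDPE_1G_ADDR_MASK 0x000fffffc0000000ULL
#define VA_FAIL           UINT64_MAX     /* returned for unmapped addresses */

/* Values copied from the tool's example log. */
#define LOG_PM_PML4  0xffffbbbe21784000ULL
#define LOG_PM_CR3   0x0000000021784000ULL
#define LOG_KDATA_VA 0xffffffffdb050000ULL

/* Step 2: pm_pml4 is the DMAP alias of the physical page named by pm_cr3,
   so subtracting the two yields the direct-map base. */
uint64_t dmap_base_from_pmap(uint64_t pm_pml4_va, uint64_t pm_cr3_pa) {
    return pm_pml4_va - pm_cr3_pa;
}
#define PADDR_TO_DMAP(dmap_base, pa) ((dmap_base) + (pa))

/* Constructed stand-in for physical RAM: 8 pages, physical address == offset. */
#define SIM_PAGE 4096ULL
static uint8_t sim_phys[8 * SIM_PAGE];
#define PML4_PA 0x0000ULL
#define PDPT_PA 0x1000ULL
#define PD_PA   0x2000ULL
#define PT_PA   0x3000ULL
#define DATA_PA 0x4000ULL
#define BIG_VA  0xffffffffc0000000ULL  /* constructed 2 MiB mapping, shares PML4/PDPT/PD with kdata */
#define BIG_PA  0x40000000ULL          /* outside the simulated RAM: translation only */

/* Step 4 primitive: a physical read. Unbacked addresses fail instead of faulting. */
static int read_phys(uint64_t pa, void *out, size_t n) {
    if (pa > sizeof sim_phys || n > sizeof sim_phys - pa) return -1;
    memcpy(out, sim_phys + pa, n);
    return 0;
}

/* Store a table entry at the slot the given VA selects at this level. */
static void write_entry(uint64_t table_pa, uint64_t va, int shift, uint64_t val) {
    uint64_t idx = (va >> shift) & 0x1ff;
    memcpy(sim_phys + table_pa + idx * 8, &val, sizeof val);
}

/* Build the PML4 -> PDPT -> PD -> PT chain for LOG_KDATA_VA plus one 2 MiB page. */
int build_demo_tables(void) {
    memset(sim_phys, 0, sizeof sim_phys);
    write_entry(PML4_PA, LOG_KDATA_VA, 39, PDPT_PA | PTE_P | PTE_RW);
    write_entry(PDPT_PA, LOG_KDATA_VA, 30, PD_PA   | PTE_P | PTE_RW);
    write_entry(PD_PA,   LOG_KDATA_VA, 21, PT_PA   | PTE_P | PTE_RW);
    write_entry(PT_PA,   LOG_KDATA_VA, 12, DATA_PA | PTE_P | PTE_RW);
    write_entry(PD_PA,   BIG_VA,       21, BIG_PA  | PTE_P | PTE_RW | PTE_PS);
    for (uint64_t i = 0; i < SIM_PAGE; i++)          /* recognisable data pattern */
        sim_phys[DATA_PA + i] = (uint8_t)(0xA0 + (i & 0xf));
    return 0;
}

/* Step 3: walk the tables with physical reads only; handles 4K, 2M and 1G pages. */
uint64_t vaddr_to_paddr(uint64_t cr3, uint64_t va) {
    static const int shift[4] = {39, 30, 21, 12};
    uint64_t table = cr3 & PTE_ADDR_MASK, e = 0;
    for (int lvl = 0; lvl < 4; lvl++) {
        uint64_t idx = (va >> shift[lvl]) & 0x1ff;
        if (read_phys(table + idx * 8, &e, sizeof e) != 0 || !(e & PTE_P)) return VA_FAIL;
        if (lvl == 1 && (e & PTE_PS)) return (e & PDPE_1G_ADDR_MASK) | (va & 0x3fffffffULL);
        if (lvl == 2 && (e & PTE_PS)) return (e & PDE_2M_ADDR_MASK)  | (va & 0x1fffffULL);
        if (lvl == 3)                 return (e & PTE_ADDR_MASK)     | (va & 0xfffULL);
        table = e & PTE_ADDR_MASK;
    }
    return VA_FAIL;
}

/* dump_vaddr equivalent: translate page by page, since adjacent VAs need not be
   physically adjacent, then read each piece through physical memory. */
int dump_vaddr(uint64_t cr3, uint64_t va, void *out, size_t size) {
    uint8_t *dst = out;
    while (size) {
        uint64_t pa = vaddr_to_paddr(cr3, va);
        if (pa == VA_FAIL) return -1;
        size_t chunk = (size_t)(SIM_PAGE - (va & 0xfff));
        if (chunk > size) chunk = size;
        if (read_phys(pa, dst, chunk) != 0) return -1;
        va += chunk; dst += chunk; size -= chunk;
    }
    return 0;
}

/* Self-check: bytes dumped via the VA must equal the pattern written at DATA_PA. */
int demo_kdata_matches(void) {
    uint8_t buf[32];
    build_demo_tables();
    if (dump_vaddr(PML4_PA, LOG_KDATA_VA + 0x10, buf, sizeof buf) != 0) return 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != (uint8_t)(0xA0 + ((0x10 + i) & 0xf))) return 0;
    return 1;
}

int main(void) {
    build_demo_tables();
    printf("dmap_base from log values: 0x%llx\n",
           (unsigned long long)dmap_base_from_pmap(LOG_PM_PML4, LOG_PM_CR3));
    printf("kdata va 0x%llx -> pa 0x%llx\n", (unsigned long long)LOG_KDATA_VA,
           (unsigned long long)vaddr_to_paddr(PML4_PA, LOG_KDATA_VA));
    printf("2M-page va -> pa 0x%llx\n", (unsigned long long)vaddr_to_paddr(PML4_PA, BIG_VA + 0x12345));
    printf("dumped bytes match pattern: %d\n", demo_kdata_matches());
    return 0;
}
```

On the real target the physical reads go through the DMAP alias (PADDR_TO_DMAP) instead of a buffer, and the translation input is pm_cr3 from kernel_pmap_store; the walk itself is identical, which is why a failed lookup should be reported rather than dereferenced, since a bogus DMAP address would fault in kernel context.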
Authors
  • cheburek3000
Special thanks
  • Specter (*** and examples)
  • Znullptr (*** and examples)
  • ChendoChap (*** and examples)
 

Comments

A job well done!!! I’m sure this is great for someone who knows how this stuff actually works. As an average user, I can just thank you all for putting your time into this so we can get closer to a JB.
 
Wow, that's awesome. I see the potential for this; however, I lack the resources to utilize it. However, this is again one more foot in the door to understanding how the PS5 works on a fundamental level, and it sheds light on ways we could achieve our own utilities and programs on this hardware, aka homebrew and such.
 
This will do you no good without the hypervisor hacked, which will never happen. This hasn't been done since the PS3.
 