Following the 7.02 PS4 Kernel Exploit (KEX), the previous Mira Project Updates and Payloads, the potential New WebKit Exploit discovery and 702_MACROSS_COLLECTION_FOR_SLEIRSGOEVY.rar (the 7.02 PS4 Decrypted Kernel file pack) come some Mira 7.00-7.02 PS4 Ports from @Al Azif, who noted the following about this work-in-progress (WIP) on Twitter in the Tweets below:
  • The super time consuming part for porting Mira to 7.00-7.02 is done-ish... this does NOT mean an exploit is coming soon.

  • The time consuming part of porting Mira is finding the offsets for functions/hooks/structs/etc. A decrypted kernel file was posted so I was able to use that to find a majority of the used locations.

  • Well, thanks to notzecoxao I was able to get the rest of the remaining offsets/patches for 7.02... Still the same situation though. It may look to be on the cusp of being ready but I have no way to test it and no ETA for an exploit.
🔥 For those who missed it, as covered previously the MACROSS (Retail) 7.02 Collection via zecoxao includes the following decrypted ELF files for PS4 scene devs:
  • 80010002_702_MACROSS.elf
  • libc_702_MACROSS.elf
  • libkernel_702_MACROSS.elf
  • libkernel_sys_702_MACROSS.elf
  • libkernel_web_702_MACROSS.elf
  • libSceWebKit2_702_MACROSS.elf
  • libSceWebKit2ForVideoService_702_MACROSS.elf
  • libSceWebKit2Secure_702_MACROSS.elf
From Patches702-Loader.cpp:
Code:
// This is an open source non-commercial project. Dear PVS-Studio, please check it.
// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com

#include <Boot/Patches.hpp>

/*
    Please, please, please!
    Keep patches consistent with the used patch style for readability.
*/
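/// Loader-side pre-run patches for the 7.00-7.02 kernel.
///
/// Writes a fixed set of byte sequences at fixed offsets from gKernelBase. The offsets
/// are relative to the kernel base (same convention as the kdlsym_addr_* table for 7.02),
/// so the table is only meaningful for the kernel selected by MIRA_PLATFORM; on any other
/// platform the function body compiles to nothing.
///
/// Does nothing when gKernelBase has not been assigned yet.
void Mira::Boot::Patches::install_prerunPatches_702()
{
#if MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_702
    // NOTE: Only apply patches that the loader requires to run, the rest of them should go into Mira's ELF
    // You must assign the kernel base pointer before anything is done
    if (!gKernelBase)
        return;

    // One in-place byte patch: bytes[0..length) overwrite kernel memory at gKernelBase + offset.
    // Keeping offset, bytes and length together in one row makes a missed index (the classic
    // "kmem[3] = ..." typo) visible at a glance.
    struct KernelPatch
    {
        unsigned long offset;   // byte offset from gKernelBase
        uint8_t bytes[6];       // replacement bytes; only the first `length` are written
        unsigned length;        // number of bytes to write, 1..6
    };

    // Same offsets and bytes as the hand-unrolled version, applied in the same order.
    // The grouping comments name the kernel routine each entry lands in.
    static const KernelPatch kPatches[] =
    {
        // Enable UART
        { 0x01A6EAA0, { 0x00 }, 1 },

        // Patch sys_dynlib_dlsym: Allow from anywhere
        { 0x0009547B, { 0xE9, 0xBD, 0x01, 0x00, 0x00 }, 5 },
        { 0x002F2C20, { 0x31, 0xC0, 0xC3 }, 3 },

        // Patch sys_mmap: Allow RWX (read-write-execute) mapping
        // (two single bytes three apart: the unrolled version wrote kmem[0] and kmem[3])
        { 0x001D2336, { 0x37 }, 1 },
        { 0x001D2339, { 0x37 }, 1 },

        // Patch setuid: Don't run kernel exploit more than once/privilege escalation
        { 0x00087B70, { 0xB8, 0x00, 0x00, 0x00, 0x00 }, 5 },

        // Enable RWX (kmem_alloc) mapping
        { 0x001171BE, { 0x07 }, 1 },
        { 0x001171C6, { 0x07 }, 1 },

        // Patch copyin/copyout: Allow userland + kernel addresses in both params
        // copyin
        { 0x0002F287, { 0x90, 0x90 }, 2 },
        { 0x0002F293, { 0x90, 0x90, 0x90 }, 3 },
        // copyout
        { 0x0002F192, { 0x90, 0x90 }, 2 },
        { 0x0002F19E, { 0x90, 0x90, 0x90 }, 3 },

        // Patch copyinstr
        { 0x0002F733, { 0x90, 0x90 }, 2 },
        { 0x0002F73F, { 0x90, 0x90, 0x90 }, 3 },

        // Patch memcpy stack
        { 0x0002F04D, { 0xEB }, 1 },

        // Patch mprotect: Allow RWX (mprotect) mapping
        { 0x00264C08, { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }, 6 },
    };

    // Index loop rather than range-for so the file's language level does not matter.
    const unsigned patchCount = sizeof(kPatches) / sizeof(kPatches[0]);
    for (unsigned p = 0; p < patchCount; ++p)
    {
        const KernelPatch& patch = kPatches[p];

        // Same cast as before: gKernelBase's element type is declared elsewhere.
        uint8_t *kmem = (uint8_t *)&gKernelBase[patch.offset];
        for (unsigned i = 0; i < patch.length; ++i)
            kmem[i] = patch.bytes[i];
    }
#endif
}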
From Patches702-Kernel.cpp:
Code:
// This is an open source non-commercial project. Dear PVS-Studio, please check it.
// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com

#include <Boot/Patches.hpp>

/*
    Please, please, please!
    Keep patches consistent with the used patch style for readability.
*/
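/// Kernel-side pre-run patches for the 7.00-7.02 kernel.
///
/// Writes a fixed set of byte sequences at fixed offsets from gKernelBase. The offsets
/// are relative to the kernel base (same convention as the kdlsym_addr_* table for 7.02),
/// so the table is only meaningful for the kernel selected by MIRA_PLATFORM; on any other
/// platform the function body compiles to nothing.
///
/// NOTE(review): this has the same qualified name as the loader variant in
/// Patches702-Loader.cpp; presumably the two are linked into different binaries
/// (loader vs Mira's ELF) -- confirm they are never built into the same target.
///
/// Does nothing when gKernelBase has not been assigned yet.
void Mira::Boot::Patches::install_prerunPatches_702()
{
#if MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_702
    // You must assign the kernel base pointer before anything is done
    if (!gKernelBase)
        return;

    // One in-place byte patch: bytes[0..length) overwrite kernel memory at gKernelBase + offset.
    // Keeping offset, bytes and length together in one row makes a missed or duplicated
    // index visible at a glance.
    struct KernelPatch
    {
        unsigned long offset;   // byte offset from gKernelBase
        uint8_t bytes[6];       // replacement bytes; only the first `length` are written
        unsigned length;        // number of bytes to write, 1..6
    };

    // Same offsets and bytes as the hand-unrolled version, applied in the same order.
    // The grouping comments name the kernel routine each entry lands in.
    static const KernelPatch kPatches[] =
    {
        // Enable UART
        { 0x01A6EAA0, { 0x00 }, 1 },

        // Verbose Panics
        { 0x0013A4AE, { 0x90, 0x90, 0x90, 0x90, 0x90 }, 5 },

        // sceSblACMgrIsAllowedSystemLevelDebugging
        { 0x001CB060, { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 }, 6 },
        { 0x001CB880, { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 }, 6 },
        { 0x001CB8A0, { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 }, 6 },

        // Enable rwx mapping
        { 0x001171BE, { 0x07 }, 1 },
        { 0x001171C6, { 0x07 }, 1 },

        // Patch copyin/copyout: Allow userland + kernel addresses in both params
        // copyin
        { 0x0002F287, { 0x90, 0x90 }, 2 },
        { 0x0002F293, { 0x90, 0x90, 0x90 }, 3 },
        // copyout
        { 0x0002F192, { 0x90, 0x90 }, 2 },
        { 0x0002F19E, { 0x90, 0x90, 0x90 }, 3 },

        // Enable MAP_SELF
        { 0x001CB8F0, { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 }, 6 },
        { 0x001CB910, { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 }, 6 },
        { 0x001D40BB, { 0x31, 0xC0, 0x90, 0x90, 0x90 }, 5 },

        // Patch copyinstr
        { 0x0002F733, { 0x90, 0x90 }, 2 },
        { 0x0002F73F, { 0x90, 0x90, 0x90 }, 3 },

        // Patch memcpy stack
        { 0x0002F04D, { 0xEB }, 1 },

        // ptrace patches
        { 0x000448D5, { 0xEB }, 1 },

        // second ptrace patch (disabled in the unrolled version as well; kept for reference)
        // { 0x00044DAF, { 0xE9, 0xE2, 0x02, 0x00, 0x00 }, 5 },

        // setlogin patch (for autolaunch check)
        { 0x0008A8EC, { 0x48, 0x31, 0xC0, 0x90, 0x90 }, 5 },

        // Patch to remove vm_fault: fault on nofault entry, addr %llx
        { 0x002BF756, { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }, 6 },

        // Patch mprotect: Allow RWX (mprotect) mapping
        { 0x00264C08, { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }, 6 },

        // flatz disable pfs signature check
        { 0x006BE880, { 0x31, 0xC0, 0xC3 }, 3 },

        // flatz enable debug RIFs
        { 0x00668270, { 0xB0, 0x01, 0xC3 }, 3 },
        { 0x006682A0, { 0xB0, 0x01, 0xC3 }, 3 },

        // Enable *all* debugging logs (in vprintf)
        // Patch by: SiSTRo
        { 0x000BC817, { 0xEB, 0x3B }, 2 },

        // flatz allow mangled symbol in dynlib_do_dlsym
        { 0x002F0367, { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }, 6 },

        // Enable mount for unprivileged user
        { 0x0029636A, { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }, 6 },

        // patch suword_lwpid
        // has a check to see if child_tid/parent_tid is in kernel memory, and if so patch it
        // Patch by: JOGolden
        { 0x0002F552, { 0x90, 0x90 }, 2 },
        { 0x0002F561, { 0x90, 0x90 }, 2 },

        // Patch debug setting errors
        { 0x005016FA, { 0x00, 0x00, 0x00, 0x00 }, 4 },
        { 0x0050296C, { 0x00, 0x00, 0x00, 0x00 }, 4 },
    };

    // Index loop rather than range-for so the file's language level does not matter.
    const unsigned patchCount = sizeof(kPatches) / sizeof(kPatches[0]);
    for (unsigned p = 0; p < patchCount; ++p)
    {
        const KernelPatch& patch = kPatches[p];

        // Same cast as before: gKernelBase's element type is declared elsewhere.
        uint8_t *kmem = (uint8_t *)&gKernelBase[patch.offset];
        for (unsigned i = 0; i < patch.length; ++i)
            kmem[i] = patch.bytes[i];
    }
#endif
}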
And from Orbis702.cpp:
Code:
#pragma once
#include <Boot/Config.hpp>

#if MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_702
/*
    These are the functions the Oni Framework requires in order to operate properly.
    Every value below is an offset from the kernel base, not an absolute address; the
    callers expect the standard FreeBSD 9 prototypes.

    Offsets rather than absolute addresses are used because several platforms are
    supported and some of them enable kernel ASLR (Address Space Layout Randomization):
    the consumer adds each offset to the kernel base it resolves at run time.

    NOTE(review): the file carries `#pragma once`, which only matters for a file that is
    #include'd; it is presumably pulled in through Boot/Config.hpp as a header even though
    it was posted under a .cpp name -- confirm against the tree layout.

    Values in this table come from the decrypted 7.02 kernel and are only valid for the
    7.00-7.02 platform selected above; a wrong offset silently patches the wrong bytes.
*/

#define kdlsym_addr__mtx_lock_flags                        0x000BB060
#define kdlsym_addr__mtx_lock_sleep                        0x000BB100
#define kdlsym_addr__mtx_lock_spin_flags                   0x000BB490
#define kdlsym_addr__mtx_unlock_flags                      0x000BB330
#define kdlsym_addr__mtx_unlock_sleep                      0x000BB430
#define kdlsym_addr__mtx_unlock_spin_flags                 0x000BB650
#define kdlsym_addr__sceSblAuthMgrGetSelfInfo              0x00660A90
#define kdlsym_addr__sceSblAuthMgrSmStart                  0x0065A560
#define kdlsym_addr__sx_init_flags                         0x001ADDB0
#define kdlsym_addr__sx_slock                              0x001ADE50
#define kdlsym_addr__sx_sunlock                            0x001AE130
#define kdlsym_addr__sx_xlock                              0x001AE030
#define kdlsym_addr__sx_xunlock                            0x001AE1F0
#define kdlsym_addr__thread_lock_flags                     0x000BB7B0
#define kdlsym_addr__vm_map_lock_read                      0x0025FB90
#define kdlsym_addr__vm_map_unlock_read                    0x0025FBE0
#define kdlsym_addr_AesCbcCfb128Decrypt                    0x001DA640
#define kdlsym_addr_AesCbcCfb128Encrypt                    0x001DA410
#define kdlsym_addr_allproc                                0x01B48318
#define kdlsym_addr_allproc_lock                           0x01B482B8
#define kdlsym_addr_avcontrol_sleep                        0x00704E00
#define kdlsym_addr_cloneuio                               0x0020E7D0
#define kdlsym_addr_console_cdev                           0x021F0778
#define kdlsym_addr_console_write                          0x0021D3E0
#define kdlsym_addr_contigfree                             0x00430AD0
#define kdlsym_addr_contigmalloc                           0x00430710
#define kdlsym_addr_copyin                                 0x0002F230
#define kdlsym_addr_copyinstr                              0x0002F6E0
#define kdlsym_addr_copyout                                0x0002F140
#define kdlsym_addr_critical_enter                         0x003832B0
#define kdlsym_addr_critical_exit                          0x003832D0
#define kdlsym_addr_deci_tty_write                         0x004AA3A0
#define kdlsym_addr_destroy_dev                            0x00422710
#define kdlsym_addr_dmem_start_app_process                 0x00245B80
#define kdlsym_addr_dynlib_do_dlsym                        0x002F02A0
#define kdlsym_addr_dynlib_find_obj_by_handle              0x002F1410
#define kdlsym_addr_eventhandler_deregister                0x00483BB0
#define kdlsym_addr_eventhandler_find_list                 0x00483DB0
#define kdlsym_addr_eventhandler_register                  0x00483810
#define kdlsym_addr_exec_new_vmspace                       0x0008E310
#define kdlsym_addr_faultin                                0x002C9D70
#define kdlsym_addr_fget_unlocked                          0x00324270
#define kdlsym_addr_fpu_kern_ctx                           0x0267B640
#define kdlsym_addr_fpu_kern_enter                         0x002CEBF0
#define kdlsym_addr_fpu_kern_leave                         0x002CECE0
#define kdlsym_addr_free                                   0x00301A40
#define kdlsym_addr_gdt                                    0x022E37E0
#define kdlsym_addr_gpu_va_page_list                       0x02669E48
#define kdlsym_addr_icc_nvs_read                           0x00348AA0
#define kdlsym_addr_kern_close                             0x00321B90
#define kdlsym_addr_kern_ioctl                             0x00192060
#define kdlsym_addr_kern_mkdirat                           0x0035AAC0
#define kdlsym_addr_kern_open                              0x00355960
#define kdlsym_addr_kern_openat                            0x003559C0
#define kdlsym_addr_kern_readv                             0x00191230
#define kdlsym_addr_kern_reboot                            0x002CD780
#define kdlsym_addr_kern_sysents                           0x01125660
#define kdlsym_addr_kern_thr_create                        0x000842E0
#define kdlsym_addr_kernel_map                             0x021C8EE0
#define kdlsym_addr_kernel_mount                           0x00299080
#define kdlsym_addr_killproc                               0x00313B90
#define kdlsym_addr_kmem_alloc                             0x001170F0
#define kdlsym_addr_kmem_free                              0x001172C0
#define kdlsym_addr_kproc_create                           0x000C4170
#define kdlsym_addr_kproc_exit                             0x000C43E0
#define kdlsym_addr_kthread_add                            0x000C46D0
#define kdlsym_addr_kthread_exit                           0x000C49C0
#define kdlsym_addr_M_IOV                                  0x01A64270
#define kdlsym_addr_M_LINKER                               0x01A7B690
#define kdlsym_addr_M_MOUNT                                0x01A71A70
#define kdlsym_addr_M_TEMP                                 0x01A7AE50
#define kdlsym_addr_make_dev_p                             0x004221E0
#define kdlsym_addr_malloc                                 0x00301840
#define kdlsym_addr_memcmp                                 0x00207500
#define kdlsym_addr_memcpy                                 0x0002F040
#define kdlsym_addr_memmove                                0x002B9EF0
#define kdlsym_addr_memset                                 0x002DFC20
#define kdlsym_addr_mini_syscore_self_binary               0x01555BD8
#define kdlsym_addr_mount_arg                              0x00298DE0
#define kdlsym_addr_mount_argb                             0x002973B0
#define kdlsym_addr_mount_argf                             0x00298ED0
#define kdlsym_addr_mtx_destroy                            0x000BBB80
#define kdlsym_addr_mtx_init                               0x000BBB10
// The two names below carry the same values as kdlsym_addr__mtx_lock_sleep and
// kdlsym_addr__mtx_unlock_sleep above (0x000BB100 / 0x000BB430); presumably both
// spellings are kept because callers use either one -- keep them in sync when updating.
#define kdlsym_addr_mtx_lock_sleep                         0x000BB100
#define kdlsym_addr_mtx_unlock_sleep                       0x000BB430
#define kdlsym_addr_name_to_nids                           0x002F0580
#define kdlsym_addr_pause                                  0x0016EEE0
#define kdlsym_addr_pfind                                  0x00015AC0
#define kdlsym_addr_pmap_activate                          0x003EAB30
#define kdlsym_addr_printf                                 0x000BC730
#define kdlsym_addr_prison0                                0x0113E398
#define kdlsym_addr_proc0                                  0x021EF890
#define kdlsym_addr_proc_reparent                          0x001AFCB0
#define kdlsym_addr_proc_rwmem                             0x00043E80
#define kdlsym_addr_realloc                                0x00301B70
#define kdlsym_addr_rootvnode                              0x022C5750
#define kdlsym_addr_RsaesPkcs1v15Dec2048CRT                0x001DD540
#define kdlsym_addr_sbl_eap_internal_partition_key         0x026E0CD0
#define kdlsym_addr_sbl_keymgr_buf_gva                     0x0269C808
#define kdlsym_addr_sbl_keymgr_buf_va                      0x0269C000
#define kdlsym_addr_sbl_keymgr_key_rbtree                  0x02698858
#define kdlsym_addr_sbl_keymgr_key_slots                   0x02698848
#define kdlsym_addr_sbl_pfs_sx                             0x026945C0
#define kdlsym_addr_sbl_drv_msg_mtx                        0x02669E50
#define kdlsym_addr_sceSblACMgrGetPathId                   0x001CB930
#define kdlsym_addr_sceSblAuthMgrIsLoadable2               0x00660210
#define kdlsym_addr_sceSblAuthMgrSmVerifyHeader            0x0065C340
#define kdlsym_addr_sceSblAuthMgrVerifyHeader              0x00660270
#define kdlsym_addr_sceSblDriverSendMsg                    0x006376A0
#define kdlsym_addr_sceSblGetEAPInternalPartitionKey       0x00645810
#define kdlsym_addr_sceSblKeymgrClearKey                   0x006489D0
#define kdlsym_addr_sceSblKeymgrSetKeyForPfs               0x00648650
#define kdlsym_addr_sceSblKeymgrSetKeyStorage              0x0063E230
#define kdlsym_addr_sceSblKeymgrSmCallfunc                 0x00648220
#define kdlsym_addr_sceSblPfsSetKeys                       0x00647000
#define kdlsym_addr_sceSblRngGetRandomNumber               0x00664190
#define kdlsym_addr_sceSblServiceMailbox                   0x0064C110
#define kdlsym_addr_sched_prio                             0x003281F0
#define kdlsym_addr_self_orbis_sysvec                      0x01A4F460
#define kdlsym_addr_Sha256Hmac                             0x00205F50
#define kdlsym_addr_snprintf                               0x000BCA30
#define kdlsym_addr_spinlock_exit                          0x00493FB0
#define kdlsym_addr_sprintf                                0x000BC970
#define kdlsym_addr_sscanf                                 0x002077A0
#define kdlsym_addr_strcmp                                 0x0043B5F0
#define kdlsym_addr_strdup                                 0x000382B0
#define kdlsym_addr_strlen                                 0x00093FF0
#define kdlsym_addr_strncmp                                0x003DABE0
#define kdlsym_addr_strstr                                 0x00005740
#define kdlsym_addr_sys_accept                             0x002902A0
#define kdlsym_addr_sys_bind                               0x0028F930
#define kdlsym_addr_sys_close                              0x00321B80
#define kdlsym_addr_sys_dup2                               0x0031FD50
#define kdlsym_addr_sys_fstat                              0x00322100
#define kdlsym_addr_sys_getdents                           0x0035B270
#define kdlsym_addr_sys_kill                               0x00311490
#define kdlsym_addr_sys_listen                             0x0028FB70
#define kdlsym_addr_sys_lseek                              0x00357940
#define kdlsym_addr_sys_mkdir                              0x0035AA40
#define kdlsym_addr_sys_mlock                              0x001D2F80
#define kdlsym_addr_sys_mlockall                           0x001D3030
#define kdlsym_addr_sys_mmap                               0x001D1F50
#define kdlsym_addr_sys_munmap                             0x001D26A0
#define kdlsym_addr_sys_nmount                             0x00295AC0
#define kdlsym_addr_sys_open                               0x00355940
#define kdlsym_addr_sys_ptrace                             0x00044510
#define kdlsym_addr_sys_read                               0x001911C0
#define kdlsym_addr_sys_recvfrom                           0x00291550
#define kdlsym_addr_sys_rmdir                              0x0035ADC0
#define kdlsym_addr_sys_sendto                             0x00290E20
#define kdlsym_addr_sys_setuid                             0x00087A50
#define kdlsym_addr_sys_shutdown                           0x002917A0
#define kdlsym_addr_sys_socket                             0x0028F010
#define kdlsym_addr_sys_stat                               0x00357F20
#define kdlsym_addr_sys_unlink                             0x00357310
#define kdlsym_addr_sys_unmount                            0x002973D0
#define kdlsym_addr_sys_wait4                              0x001AFDF0
#define kdlsym_addr_sys_write                              0x00191790
#define kdlsym_addr_trap_fatal                             0x0013A450
#define kdlsym_addr_utilUSleep                             0x00679E30
#define kdlsym_addr_vm_fault_disable_pagefaults            0x002C3AC0
#define kdlsym_addr_vm_fault_enable_pagefaults             0x002C3AF0
#define kdlsym_addr_vm_map_lookup_entry                    0x00260190
#define kdlsym_addr_vmspace_acquire_ref                    0x0025F9F0
#define kdlsym_addr_vmspace_alloc                          0x0025F570
#define kdlsym_addr_vmspace_free                           0x0025F820
#define kdlsym_addr_vn_fullpath                            0x0015F470
#define kdlsym_addr_vsnprintf                              0x000BCAD0
#define kdlsym_addr_wakeup                                 0x0016EF00
#define kdlsym_addr_Xfast_syscall                          0x000001C0

// Kernel Hooks
#define kdlsym_addr_printf_hook                            0x01AA0058

// FakeSelf Hooks
#define kdlsym_addr_sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId_hook        0x0065E97C
#define kdlsym_addr_sceSblAuthMgrIsLoadable2_hook                             0x0065EACF
#define kdlsym_addr_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook   0x0065D669
#define kdlsym_addr_sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook 0x0065CA0D
#define kdlsym_addr_sceSblAuthMgrVerifyHeader_hookA                           0x0065F256
#define kdlsym_addr_sceSblAuthMgrVerifyHeader_hookB                           0x0065FEF8

// FakePkg Hooks
#define kdlsym_addr_sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook       0x0063E2D5
#define kdlsym_addr_sceSblKeymgrInvalidateKey__sx_xlock_hook                  0x0064989D
#define kdlsym_addr_npdrm_decrypt_isolated_rif__sceSblKeymgrSmCallfunc_hook   0x00668A50
#define kdlsym_addr_npdrm_decrypt_rif_new__sceSblKeymgrSmCallfunc_hook        0x0066985E
#define kdlsym_addr_mountpfs__sceSblPfsSetKeys_hookA                          0x006B534B
#define kdlsym_addr_mountpfs__sceSblPfsSetKeys_hookB                          0x006B557C

// sceRegMgr
#define kdlsym_addr_sceRegMgrGetInt                        0x00502650
#define kdlsym_addr_sceRegMgrSetInt                        0x005013B0
#define kdlsym_addr_sceRegMgrGetBin                        0x00502FB0
#define kdlsym_addr_sceRegMgrSetBin                        0x00502F00
#define kdlsym_addr_sceRegMgrGetStr                        0x00502E30
#define kdlsym_addr_sceRegMgrSetStr                        0x00502C70

// NOTE: every ssc_/ssu_/srp_ value below is 0x0. That is a placeholder, not a located
// offset: these userland-module patches have not been ported to 7.02 yet (this is a WIP
// port). Whatever applies them must treat 0x0 as "not available" and skip the patch;
// otherwise the write would presumably land at offset 0 of the target module. A
// compile-time or runtime guard on 0x0 is the cheapest way to make that failure loud.

// SceShellCore patches - call sceKernelIsGenuineCEX
#define ssc_sceKernelIsGenuineCEX_patchA                   0x0
#define ssc_sceKernelIsGenuineCEX_patchB                   0x0
#define ssc_sceKernelIsGenuineCEX_patchC                   0x0
#define ssc_sceKernelIsGenuineCEX_patchD                   0x0

// SceShellCore patches - call nidf_libSceDipsw
#define ssc_nidf_libSceDipsw_patchA                        0x0
#define ssc_nidf_libSceDipsw_patchB                        0x0
#define ssc_nidf_libSceDipsw_patchC                        0x0
#define ssc_nidf_libSceDipsw_patchD                        0x0

#define ssc_enable_fakepkg_patch                           0x0

// SceShellCore patches - use free prefix instead fake
#define ssc_fake_to_free_patch                             0x0

// SceShellCore patches - enable remote pkg installer
#define ssc_enable_data_mount_patch                        0x0

// SceShellCore patches - enable VR without spoof
#define ssc_enable_vr_patch                                0x0

// SceShellCore patches - enable official external HDD support (Support added in 4.50)
#define ssc_external_hdd_pkg_installer_patch               0x0
#define ssc_external_hdd_version_patchA                    0x0
#define ssc_external_hdd_version_patchB                    0x0

// SceShellUI patches - debug patches
#define ssu_sceSblRcMgrIsAllowDebugMenuForSettings_patch   0x0
#define ssu_sceSblRcMgrIsStoreMode_patch                   0x0

// SceShellUI - remote play related patching
#define ssu_CreateUserForIDU_patch                         0x0
#define ssu_remote_play_menu_patch                         0x0

// SceRemotePlay - enabler patches
#define srp_enabler_patchA                                 0x0
#define srp_enabler_patchB                                 0x0

#endif
Code:
9A885073F1D5154BE1B286D897CA9B0A9BA29F3C1F759EC697819DD016CC7A42
Use the following Ghidra script on a decrypted libkernel_sys.sprx loaded with GhidraOrbis to add mast1c0re support for other firmware versions (Dumps the `***/include/offsets/ps/libkernel/psx/xx.xx.hpp` file)