Linux loader for 7.02

[ghost]

Hi Anyone work on port Linux loader for 7.02? Really looking forward to this thing.

[tihmstar]

I found some offsets (untested) for 7.02, maybe that's helpful to someone

#define syscall_offset 0x1c0        
#define printf_offset 0x000BC730    
#define kmem_alloc_offset 0x001170F0 (fixed to be same as mira)  
#define kernel_map_offset 0x21c8ee0

Although i'm currently struggeling to compile everything (i.e. setting up cross compile toolchain on macOS).

Haven't looked up offsets for ps4-kexec 7.02 yet...

[sleirsgoevy]

These ones are in upstream Mira already.

[tihmstar]

Here are some more (for ps4-kexec)

#define kern_off_snprintf 0xbca30
#define kern_off_copyinstr 0x2f6e0
#define kern_off_kmem_alloc_contig 0x430780 //unsure
#define kern_off_kmem_free 0x1172c0
#define kern_off_kernel_map 0x21c8ee0
#define kern_off_kern_reboot 0x2cd780

It's probably easier to "port" offsets from older kernel than trying to "map" freebsd sourcecode from github to the binary. Gonna see if i can find a 6.72 dump somewhere...

Also where i can find "upstream Mira offsets" so that i don't do twice the work?

[sleirsgoevy]

Here they are: https://github.com/OpenOrbis/mira-project/blob/port/700-702/kernel/src/Utils/Kdlsym/Orbis702.hpp

[tihmstar]

Alright, found all offsets for ps4-kexec:

#elif defined PS4_7_00
#define kern_off_printf 0x000BC730 //mira
#define kern_off_snprintf 0x000BCA30 //mira
#define kern_off_copyin 0x0002F230 //mira
#define kern_off_copyout 0x0002F140 //mira
#define kern_off_copyinstr 0x0002F6E0 //mira
#define kern_off_kmem_alloc_contig 0x430780 //unsure
#define kern_off_kmem_free 0x001172C0 //mira
#define kern_off_pmap_extract 0x3ded30
#define kern_off_pmap_protect 0x3dff70
#define kern_off_sched_pin 0x329870
#define kern_off_sched_unpin 0x329890
#define kern_off_smp_rendezvous 0x4447a0
#define kern_off_smp_no_rendevous_barrier 0x444560
#define kern_off_icc_query_nowait 0x3b2f80
#define kern_off_kernel_map 0x021C8EE0 //mira
#define kern_off_sysent 0x01125660 //mira
#define kern_off_kernel_pmap_store 0x22c5268
// #define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924 0x4ee3c0
#define kern_off_gc_get_fw_info 0x4f6830
#define kern_off_pml4pml4i 0x22c5258
#define kern_off_dmpml4i 0x22c525c
#define kern_off_dmpdpi 0x22c5260
#define kern_off_eap_hdd_key 0x26e0cd0
#define kern_off_edid 0x27645e0
#define kern_off_wlanbt 0xdecb0
#define kern_off_kern_reboot 0x002CD780 //mira
#endif

Would you be so kind to compile that for me? Still haven't figured out how to setup the toolchain :/

[sleirsgoevy]

@tihmstar Will test today.

[tihmstar]

Awesome thank you! :D

[tihmstar]

Alright, giving up for today :/

I managed to somehow compile (not sure if i compiled correctly though) using some docker+linux image with some freebsd crosscompiling toolchain.

Tried both:

• converting payload to js and launching that
• launching netcat702-mira.html, then sending the payload over to port 9021

Either way the page just hangs. Browser doesn't crash (regardless of whether a USB drive with initramfs/kernel is connected or not). I can close the browser, but when i try to re-open the system freezes.

Will wait until you had time to run your tests. I assume the binary i built is bad due to my compiling setup. I'm curious: Is there some information on how to setup a toolchain to build payloads like this?

[sleirsgoevy]

The linux payload in ps4jb has hardcoded 6.72 offsets. Will fix.