Request for kenvp dumping from the kernel #513
Replies: 4 comments 9 replies
-
|
Here is what it does: #include <ps4.h>
struct dump_kenv_req {
char *buf;
size_t len;
};
struct dump_kenv_args {
void *handler;
struct dump_kenv_req *req;
};
static int dump_kenv(struct thread *td, struct dump_kenv_args *args) {
void *kernel_base;
char **kenvp, *src;
size_t i, j;
// get kernel addresses
kernel_base = &((uint8_t *)__readmsr(0xC0000082))[-K900_XFAST_SYSCALL];
kenvp = (char **)*(long *)(kernel_base + 0x21F4498);
// dump
for (i = 0, j = 0; (src = kenvp[i]); i++) {
for (; *src; src++) {
if (j == args->req->len) {
return 22;
}
args->req->buf[j++] = *src;
}
if (j == args->req->len) {
return 22;
}
args->req->buf[j++] = 0;
}
return 0;
}
int _main(struct thread *td) {
int fd;
struct dump_kenv_req req;
char *p, *e;
initKernel();
initLibc();
jailbreak();
initSysUtil();
// dump
req.buf = malloc(1024 * 1024);
memset(req.buf, 0, 1024 * 1024);
if (kexec(dump_kenv, &req) < 0) {
printf_notification("Failed to dump kenv.");
free(req.buf);
return 0;
}
// write the dump
fd = open("/mnt/usb0/kenv.bin", O_WRONLY | O_CREAT | O_TRUNC, 0777);
if (fd < 0) {
printf_notification("Failed to create /mnt/usb0/auth-info.bin.");
free(req.buf);
return 0;
}
p = req.buf;
e = req.buf + 1024 * 1024;
while (p < e) {
ssize_t n = write(fd, p, e - p);
if (n < 0) {
printf_notification("Failed to write /mnt/usb0/auth-info.bin.");
free(req.buf);
close(fd);
return 0;
}
p += n;
}
free(req.buf);
close(fd);
printf_notification("kenv dump complete!");
return 0;
} |
Beta Was this translation helpful? Give feedback.
-
|
It's great having a payload you can freely modify, eh? |
Beta Was this translation helpful? Give feedback.
-
|
Wish you timed that a little better tho, got that right as I arrived at work. |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
It says it completed, but its ALL 00 |
Beta Was this translation helpful? Give feedback.
-
|
I guess the PS4 clear this data after it was booted. |
Beta Was this translation helpful? Give feedback.
-
|
What was this for? |
Beta Was this translation helpful? Give feedback.
-
|
I'm looking for how the PS4 mount its root FS. It read where is the root FS from kenv |
Beta Was this translation helpful? Give feedback.
-
|
Okay found what I'm looking from booting log: https://www.psdevwiki.com/ps4/Bootprocess |
Beta Was this translation helpful? Give feedback.
-
@VocalFan can you run this payload and send me
kenv.binon the root of USB?dump-kenv.zip
Beta Was this translation helpful? Give feedback.
All reactions