On offsets

After the recent release of ps5-kstuff with support for PS4 fpkg files, there are a lot of questions about porting this to other firmwares (4.50 and 4.51 are important in particular, because users of those firmwares can't update to 4.03, but they are still vulnerable to all of the used exploits). The main problem with these ports is the bespoke XOM, which prevents finding the offsets by simply examining the dumps. So in this document I'm going to go over what offsets are important for ps5-kstuff, and how I found them for 4.03.

These are the main categories of offsets:

  1. Kernel data offsets, which can be found from data dumps that are not XOM-protected
  2. Kernel text offsets pointed to by kernel data
  3. doreti_iret offset (that's one offset, but it deserves its own word)
  4. Offsets found from single-stepping of kernel functions
@sleirsgoevy
sleirsgoevy / ff-addons.c
Created February 15, 2022 19:02
Firefox for Android custom addons hack
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <unistd.h>
#include <stddef.h>
void write_request(int fd, const char* c)
{
sleirsgoevy / serve_img.sh
Created December 14, 2021 15:42
Script for enabling mass storage emulation on rooted Samsung phones
A=/sys/class/android_usb/android0
set -x
killall -STOP adbd
sleep 1
echo 0 > $A/enable
echo mass_storage > $A/functions
echo disk > $A/f_mass_storage/luns
echo 1 > $A/enable
sleep 1
sleirsgoevy / ps4.html
Created October 27, 2021 16:06
PS4 WebKit exploit on 9.00
<script>
var PAGE_SIZE = 16384;
var SIZEOF_CSS_FONT_FACE = 0xb8;
var HASHMAP_BUCKET = 208;
var STRING_OFFSET = 20;
var SPRAY_FONTS = 0x1000;
var GUESS_FONT = 0x200430000;
var NPAGES = 20;
var INVALID_POINTER = 0;
var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
sleirsgoevy / ipv6-df-2.c
Last active March 8, 2021 15:34
FreeBSD 9 PoC of kernel code execution using the new TheFlow vulnerability
#include <sys/types.h>
#include <sys/param.h>
#include <sys/cpuset.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sys/sysctl.h>
#include <sys/vmmeter.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
sleirsgoevy / stats.json
Created December 27, 2020 22:52
Address statistics (7.02)
sleirsgoevy / sbrowse.py
Last active March 15, 2019 21:30
SBrowse - a minimalistic pure-Python text-mode browser
import html.parser, urllib.parse, urllib.request, pydoc, random
class Parser(html.parser.HTMLParser):
    def __init__(self):
        html.parser.HTMLParser.__init__(self)
        self.li_stack = [None]
        self.table_stack = [None]
        self.tag_stack = []
        self.repr_stack = ['']
        self.form_stack = [None]