PS4Ring0

nvieen69
Posts: 4
Joined: Mon Jan 10, 2022 2:43 am

PS4Ring0

Post by nvieen69 »

following ...
OpenTyrian PS4 PKG Homebrew Game Port by Cpasjuste Arrives
Following the initial news of an OpenTyrian Beta PS4 Homebrew Game Port in development, today @Cpasjuste made available via @oneman123 (aka ZiL0G80 on Twitter) an OpenTyrian PS4 PKG Homebrew Game...
https://www.psxhax.com/threads/opentyri ... ves.11382/
PS4GDB_Desktop: How to Debug PS4 Applications by M0rph3us1987
PS4 Guides and Tutorials · Thread starter: PSXHAX · Start date: Jan 4, 2022 at 6:15 AM
Following his Exploiting PS4 Video Apps Presentation to run unsigned code regardless of Firmware version, his PS4GDB GDB Stub PS4 Port to Debug Userland Apps and his PS4GDB Ring 0: GDB Stub to Debug PS4 Kernel, today PlayStation 4 Scene developer m0rph3us1987 shared via Twitter a write-up on Github outlining how to debug PS4 applications with PS4GDB_Desktop, the PC-side component that communicates with PS4GDB.
Triggering RING0GDB to Debug PS4 Kernel via TriggerRING0.bin Payload
This follows several PlayStation 4 debugging / memory editing tools; for those new to the scene, the related articles are listed below, sorted by date with the oldest first:
PS4 ShellUI Debug Functions
PS4 Real Time Memory Editor for Linux
PS4ME (PS4 Memory Editor) & PS4METool Payload
JKPatch: PS4 Kernel Patches & Process Memory View Tool
PS4 Debugger for Use With PS4API.bin
PlayStation 4 Debugger Oni Framework
DebugWatch / PlayStation 4 Debugger Updates
PS4_debug_module PRX with FileSystem Access
PS4 Debugger Open Source PlayStation 4 Debugging
MEMAPI PS4 Debugger
PS4 Memory Editor & ELF Loader
OrbisDbg / OrbisDbgUI PS4 Payload & Code Library
GhidraPS4Loader PS4 ELF Loader
GhidraOrbisTools: PS4 Loader and IDA Script Ports
Renesas PS4 Debug Protocols for RL78
PS4 Debug Watch App Port
Orbis Suite for PS4 Homebrew Development
PS4 KHook: Kernel Hooking Payload for Exploit Debugging
PS4 DevKit / TestKit Memory Tool Preview
GhidraOrbis: Updated Ghidra PS4 Loader Plugin
PS4 AIO v1.9.0 Memory Editor
PS4 DX / Watch 1.0 Disassembler / Assembler / Debugger
PlayStation 4 Gamepad Tester / Debugger
PlayStation 4 Tool Box 2.1.10.286
PS4 ReaperStudio Debugger
From the PS4GDB_Desktop Github README.md:

PS4GDB

PS4GDB consists of two components. The first component is the gdbstub running on your ps4 and the second one is ps4gdb_desktop.

gdbstub

The gdbstub is integrated into Mira as a plugin. PS4GDB has implemented all features except x86 debug registers. I never needed them, but since it's part of Mira and Mira is open source, feel free to add features you miss. When the stub is loaded it creates a new kernel process; this process then listens for incoming connections on port 8146.

What is port 8146 used for?

We somehow need to tell the ps4 what process we want to debug, and since hardcoding pids into PS4GDB is not an option, we need a way to communicate and tell PS4GDB what it is supposed to do for us. This communication is done over port 8146. PS4GDB spawns a little RPC server, which accepts a couple of commands. Here is where the second component ps4gdb_desktop comes into play.

ps4gdb_desktop

ps4gdb_desktop is the component running on your PC able to communicate with PS4GDB. It's written in Go and the protocol behind it is trivial. It gives you the ability to read a list of processes running on your ps4, attach to a certain pid or kill the PS4GDB kernel process.

To get a list of processes running on your ps4, you just need to run the following command (change the ip to your ps4 ip)
Code:
ps4gdb_desktop 192.168.0.102:8146 get-pids
This should give you a result similar to this:

[Image: PS4GDB_Desktop How to Debug PS4 Applications by M0rph3us1987 2.png]

This picture shows the processes running on the ps4 and the corresponding pids. If, for example, we now want to debug SceRemotePlay, we would execute the following command:
Code:
ps4gdb_desktop 192.168.0.102:8146 attach 95
This is basically all you need to know about ps4gdb_desktop. In the next section I will show how to connect to PS4GDB with gdb and debug an application.

Debug Playroom

In this section I will show you how to debug playroom. What you see here applies to any other userland application. I assume Mira is already loaded at this point. If you have the possibility to disable userland ASLR do it, because it will make your life much easier.

There are a couple of commands we need to pass to gdb in every debug session. To avoid this, I created a file in my home directory called ps4.source; its content looks like this:
Code:
set architecture i386:x86-64
target remote 192.168.0.2:8846
You must replace my ps4 ip with yours in the second line.
Start Playroom
When Playroom is running we need to find out its pid, so we ask ps4gdb_desktop to give us the pid list:
Code:
ps4gdb_desktop 192.168.0.102:8146 get-pids
This is what the result looks like:

[Image: PS4GDB_Desktop How to Debug PS4 Applications by M0rph3us1987 3.png]

eboot.bin pid 112 is our candidate. In your case the pid might be different.
Next we attach to pid 112 with the following command:
Code:
ps4gdb_desktop 192.168.0.102:8146 attach 112
As soon as you issue the command, Playroom will freeze; this is normal. In the kernel log you should see that PS4GDB has now taken control.
Code:
[handle_exception] gdb_stub: handle exception start...
[handle_exception] remcomOutBuffer allocated at 0xffff9fbf37108000
[print_register_info] received interrupt 01 - errorCode: 0x0
[print_register_info] RAX: 0x0000000000000004 RBX: 0x000000088005aa80
[print_register_info] RCX: 0x000000088005aa80 RDX: 0x0000000000000006
[print_register_info] RSI: 0x0000000000000008 RDI: 0x000000088005ab24
[print_register_info] RBP: 0x00000007ed761850 RSP: 0x00000007ed7617a8
[print_register_info] R8: 0x0000000000000000 R9: 0x000000000102023d
[print_register_info] R10: 0x000000000515ca11 R11: 0x00000000000002d0
[print_register_info] R12: 0x0000000000000000 R13: 0x000000088005ab20
[print_register_info] R14: 0x0000000000024c5a R15: 0x0000000000000000
[print_register_info] RIP: 0x0000000800002c4c FLAGS:0x0000000000000247
[print_register_info] CS: 0x0000000000000043 SS: 0x000000000000003b
[print_register_info] DS: 0x000000000000003b ES: 0x000000000000003b
[print_register_info] FS: 0x0000000000000013 GS: 0x000000000000001b
[handle_exception] gdb_stub: Entering main loop...
[getpacket] remcomInBuffer allocated at 0xffff9fbf07ee0000
Now we start gdb
Code:
gdb
Next we load our ps4.source file created at the beginning using the source command
Code:
source ps4.source
After issuing the command, gdb connects to PS4GDB and you can start debugging like you would debug any other PC application. This is what it looks like for me:

[Image: PS4GDB_Desktop How to Debug PS4 Applications by M0rph3us1987 4.png]

gdb looks like this because I use Andrea Cardaci's gdb-dashboard.

Have fun and happy debugging.

Tips
When you finish debugging, always detach from the process. You can detach by issuing the command q in gdb.
Before resuming execution, make sure you have first set some breakpoints. If after resuming execution your breakpoints don't trigger, you won't be able to detach from the process anymore.
PS4GDB Mira Develop Branch
[Image: PS4GDB_Desktop How to Debug PS4 Applications by M0rph3us1987.png]

Triggering RING0GDB to Debug PS4 Kernel via TriggerRING0.bin Payload
PS4 Guides and Tutorials · Thread starter: PSXHAX · Start date: Jan 5, 2022 at 4:01 PM
Yesterday we saw a How to Debug PS4 Applications via PS4GDB Desktop Tutorial from PS4Scene developer m0rph3us1987, and today he's back as promised via Twitter with a brief guide covering How to Trigger RING0GDB to Debug the PS4 Kernel on PlayStation 4 with the precompiled triggerRING0.bin kernel payload below.

Download: triggerRING0.bin (16.2 KB) / triggerRING0-master.zip / GIT

For those new to the PlayStation 4 Scene, below are some previous articles of interest (sorted by date with the oldest first):
PS4 Kernel Exploit Root FS Dump and List of PIDs
FreeBSD Kernel Exploit Discovered
PS4 Kernel ELF Loading and Hooking
PS4 DevKit / TestKit Root Kernel Dump
PS4 Kernel Dumped Revealing PS4 ShellUI Debug Functions
PS4 Game Decryption / Homebrew Kernel Console IDPS Address
PS4 Executable Files with Kernel Access
PS4 Syscall Kernel Patch for Game Modifications
PS4 Kernel Memory Dump with Full Kernel Symbols
PS4KernelHooksHelper
PS4 Crashdumps & Dumping a Kernel in Only 6 Days
PS4 EAP Kernel Dumps
Hacking the PS4: From Zero to Ring Zero in Two Easy Steps (PDF)
Flexible Kernel Dumper Payload for PS4
PS4 Kernel Loaders for IDA 7.0+
PS4KernelDlSym Symbol Resolver / Reference Analyzer
PS4 Kernel Fixup Script for IDA 7.0-7.2
PS4GDB Ring 0: GDB Stub to Debug PS4 Kernel
PS4 CR0.WP Protection Kernel Security Bypass
PS4 9.00 Jailbreak Kernel Exploit
And from the included README.md, to quote:

RING0GDB

RING0GDB is a gdbstub that gives you the ability to debug your ps4 kernel using gdb. Like PS4GDB it's integrated into Mira and starts in the background as soon as you load Mira.

In the next sections I will show you what steps are needed to get started.

How to trigger RING0GDB

RING0GDB is automatically started during the loading process of Mira. From a technical point of view, it does not really get started; instead, installation happens by overwriting two ISRs (Interrupt Service Routines). We overwrite the routines for INT1 (debug) and INT3 (breakpoint).

This means that as soon as one of these two interrupts gets fired, RING0GDB takes control and allows us to connect to it with gdb, just like we can do for PS4GDB.

Example debugging exec_self_imgact

exec_self_imgact is responsible for loading/starting executable files on the ps4. So our goal is to set a breakpoint in this function and debug it as soon as it gets called by the kernel.

Like mentioned before, we must trigger one of the two interrupts. This can be easily achieved by running a kernel payload that looks like this:
Code:
/* Kernel payload: raising #BP (vector 3) hands control to the INT3 ISR that
 * RING0GDB installed, so the stub starts and waits for gdb. */
int main(int argc, char *argv[]){
    asm("int $3");   /* software breakpoint interrupt */
    return 0;
}
In this repository you can find a precompiled binary triggerRING0.bin which contains this code.

At this point the ModuleLoader I've added to Mira comes in very handy, because we can send this binary to port 9025 and it will start RING0GDB for us.

As soon as we send the payload to port 9025 klog should show us something like this:
Code:
[handle_exceptionRing0] remcomOutBuffer allocated at 0xffffa6eb440dc000
received interrupt 03 - errorCode: 0x0
RAX: 0x0000000000000202 RBX: 0xffffa6eb12eac590
RCX: 0x000000000000040d RDX: 0xffffffff841101ef
RSI: 0xffffff8065b8bab0 RDI: 0x0000000000000000
RBP: 0xffffff8065b8baa0 RSP: 0xffffff8065b8ba58
R8: 0xffffff8065b8bb80 R9: 0xffffffff85c40a78
R10: 0x0000000000000001 R11: 0xffffffff85ba0f98
R12: 0x0000000000000000 R13: 0xffffa6eb13540b68
R14: 0xffffff8065b8bab0 R15: 0xffffff8065dd4000
RIP: 0xffffff8065dd401a FLAGS:0x0000000000000286
CS: 0x0000000000000020 SS: 0x0000000000000028
DS: 0xe8afafafafaf003b ES: 0x000000000000003b
FS: 0x0080000000000013 GS: 0x0000000880b8001b
kernelbase: 0xffffffff8394c000
[handle_exceptionRing0] gdb_stub: Entering main loop...
[getpacketRing0] remcomInBufferRing0 allocated at 0xffffa6eb273b0000

<-[gdb_start_serverRing0] gdb_start_server
[gdb_start_serverRing0] sys_socket: 0x3
[gdb_start_serverRing0] sys_bind: 0x0
At this point RING0GDB is waiting for gdb to connect on port 9946.

Like I did for PS4GDB, I've created a file (kernel.source) with the necessary commands gdb should execute at launch, the file looks like this:
Code:
set architecture i386:x86-64
set disassembly-flavor intel
target remote 192.168.0.2:9946
Remember to replace the ip address with the ip address of your ps4.

Next we start gdb and load the source file, this is what the result looks like:

[Image: Triggering RING0GDB to Debug PS4 Kernel via TriggerRING0.bin Payload 2.png]

So gdb is connected and we can start debugging. Our goal was to set a breakpoint at exec_self_imgact, so we need to find its address.

In the previous klog, you see the kernel base address, which in my case is 0xffffffff8394c000, and I know the slide of exec_self_imgact is 0x3CE730 (fw 6.72). So we have all we need to calculate the address where we need to set our breakpoint.
Code:
0xFFFFFFFF8394C000 + 0x3CE730 = 0xFFFFFFFF83D1A730
So we set our breakpoint

[Image: Triggering RING0GDB to Debug PS4 Kernel via TriggerRING0.bin Payload 3.png]

At this point we can tell gdb to continue (continue command); control is passed back to gdb as soon as our breakpoint gets triggered.

To trigger the breakpoint it should be enough to start an application, in my case Playroom. As we can see, as soon as Playroom gets loaded our breakpoint triggers and we can continue with our debugging session.

[Image: Triggering RING0GDB to Debug PS4 Kernel via TriggerRING0.bin Payload 4.png]

Conclusion

Debugging the kernel can be a pain because of KASLR and a lot of timing and lock problems that can happen when you keep resources locked for too long. So do not expect too much from this.

Have fun and don't be evil.
Let's Debug Some PS4 Kernel
[Image: Triggering RING0GDB to Debug PS4 Kernel via TriggerRING0.bin Payload.png]
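The two klog dumps quoted above (vector 01 when PS4GDB attaches to Playroom, vector 03 when the int $3 payload fires) and the base + slide arithmetic are what a session keys off. As an added example that is not part of the PSXHAX post or of m0rph3us1987's PS4GDB/RING0GDB code, the C program below parses those dumps, reads the privilege ring out of the CS selector (its low two bits), and computes the slid breakpoint address from the kernelbase line the way the README does by hand. The sample klog text is copied from the excerpts in the post, the 0x3CE730 offset is the fw 6.72 value the README states, and the function and field names are the example's own.

```c
/* Added example, not code from the PSXHAX post or from m0rph3us1987's
 * PS4GDB/RING0GDB: parse the klog register dump the stubs print, tell which
 * ring the trapped code ran in, and compute a slid kernel address. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Image offset of exec_self_imgact on fw 6.72, as stated in the README. */
#define EXEC_SELF_IMGACT_OFF_672 0x3CE730ULL

/* Sample klog text, copied from the two dumps in the post (constructed input). */
static const char KLOG_USERLAND[] =
    "[print_register_info] received interrupt 01 - errorCode: 0x0\n"
    "[print_register_info] RIP: 0x0000000800002c4c FLAGS:0x0000000000000247\n"
    "[print_register_info] CS: 0x0000000000000043 SS: 0x000000000000003b\n";

static const char KLOG_RING0[] =
    "received interrupt 03 - errorCode: 0x0\n"
    "RIP: 0xffffff8065dd401a FLAGS:0x0000000000000286\n"
    "CS: 0x0000000000000020 SS: 0x0000000000000028\n"
    "kernelbase: 0xffffffff8394c000\n";

struct trap_info {
    int vector;             /* 1 = #DB (debug/single-step), 3 = #BP (int3) */
    uint64_t rip, cs, kernelbase;
    int have_kernelbase;    /* only the ring-0 stub prints kernelbase */
};

/* Hex value following `key` in `text`; returns 0 if the key is absent. */
static int grab_hex(const char *text, const char *key, uint64_t *out)
{
    const char *p = strstr(text, key);
    if (!p) return 0;
    *out = strtoull(p + strlen(key), NULL, 16);
    return 1;
}

/* Returns 1 when vector, RIP and CS were all found. */
int parse_klog(const char *text, struct trap_info *ti)
{
    memset(ti, 0, sizeof *ti);
    const char *p = strstr(text, "received interrupt ");
    if (!p) return 0;
    ti->vector = (int)strtol(p + strlen("received interrupt "), NULL, 10);
    if (!grab_hex(text, "RIP: ", &ti->rip)) return 0;
    if (!grab_hex(text, "CS: ", &ti->cs)) return 0;
    ti->have_kernelbase = grab_hex(text, "kernelbase: ", &ti->kernelbase);
    return 1;
}

/* The low two bits of a code-segment selector are the privilege level:
 * CS 0x43 -> ring 3 (PS4GDB, userland), CS 0x20 -> ring 0 (RING0GDB). */
int ring_of_cs(uint64_t cs) { return (int)(cs & 3); }

/* KASLR moves the image base per boot; a symbol's offset within the image is
 * fixed per firmware, so breakpoint = base + offset. */
uint64_t slid_addr(uint64_t kernelbase, uint64_t offset) { return kernelbase + offset; }

/* Unslid offset of RIP, or -1 when RIP lies below the image base (in the
 * ring-0 dump RIP is inside the loaded int3 payload, not the kernel image).
 * Assumption: the image lies above its base; its size is not on the page. */
int64_t rip_offset(const struct trap_info *ti)
{
    if (!ti->have_kernelbase || ti->rip < ti->kernelbase) return -1;
    return (int64_t)(ti->rip - ti->kernelbase);
}

static void report(const char *name, const char *klog)
{
    struct trap_info ti;
    if (!parse_klog(klog, &ti)) { printf("%s: unparseable\n", name); return; }
    printf("%s: vector %d, ring %d, RIP %#llx\n", name, ti.vector,
           ring_of_cs(ti.cs), (unsigned long long)ti.rip);
    if (ti.have_kernelbase)
        printf("  kernelbase %#llx -> exec_self_imgact @ %#llx, RIP offset %lld\n",
               (unsigned long long)ti.kernelbase,
               (unsigned long long)slid_addr(ti.kernelbase, EXEC_SELF_IMGACT_OFF_672),
               (long long)rip_offset(&ti));
}

int main(void)
{
    report("PS4GDB attach", KLOG_USERLAND);
    report("RING0GDB int3", KLOG_RING0);
    return 0;
}
```

The ring check is the quick sanity test when a dump scrolls by: a vector 03 trap with CS 0x20 means the int3 came from ring 0 and the RING0GDB stub is the one now waiting on port 9946, while CS 0x43 means a userland trap owned by PS4GDB on port 8846. The RIP in the ring-0 dump sits below kernelbase, which is consistent with the trap having been raised inside the payload the ModuleLoader loaded rather than inside the kernel image.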