Change auth info for the initial ucred to a proper one #377
Comments
@red-prig do you know the name of the (S)ELF file of the process that
@ultimaweapon I suspect that it is somewhere in the depths of vsh, but I have not found the exact location.
Thanks.
@ultimaweapon Here is a log dump from the console; I think, in combination with FW research, this can be used to judge the order of initialization
Thanks.
I think I found it. It is
@VocalFan can you help with finding auth info for
Where is this specifically?
It needs to be dumped from the kernel somehow. The scene developers should be able to give you some clues.
okay so, /system/vsh is the location. Will try to snag later :P
No, it is
Found some evidence that it is
Eh, I found a SceSysCore.elf in /vsh/ ... Not sure how to snag the /sys/ elf if there is one.
Uh, email.
That one is
...I am the dumb.
I found a payload that can get authinfo values, will do when home.
Or uh... https://www.psdevwiki.com/ps4/Program_Authority_ID#User_Modules
Strange. Why does the value for exe and library not match with #329 (comment)? We still need the value for capabilities and attributes.
It seems that using
@red-prig looking good! The problem is it seems like this syscall needs to be called from the process we want to dump the auth info from.
Wait, seems like the first parameter is the path for the SELF file to get the auth info!
Soooo, good thing, Ultima?
Yeah, I guess the payload you mentioned uses this syscall to dump the auth info.
https://github.com/stooged/Auth-Info-Dumper/blob/master/Auth_Info_Dumper/source/main.c Can you build a 9.00 payload for me @ultimaweapon? Latest official build is for 5.05
Seems like it has more work than just compiling. Let me check to see if we can build a simple payload just for
Alright, because this payload just either kills the GUI, or kernel panics
Required some work because we can't just call
Alrighty, just keep me updated!
I'm also confused by
We already escaped from the sandbox by calling jailbreak.
Sorry I don't understand what you mean. Could you elaborate on this?
I think I found the bug in my code now. The second parameter for
Yes, you are jailbreaking, but in what context does the application launch? If it's an imitation of a game, then it's a sandbox.
@VocalFan this should work.
Yes it is copied.
Normally the payload will be executed by the web browser. Not sure what method of Guest Payload @VocalFan uses.
I think
I mean:
Although if args is copied simply as a link, then for
I use AlAzif's Payload Guest, which puts the payload into GoldenHen's payload server... Basically, it has jailbreak/admin access.
@VocalFan see my above comments for the newer version. That one should work.
I am having the ultimate battle of moving myself from my bed.
Or just whole:
Seems true
It's similar to another SELF's Auth Info
0000 01 00 00 00 00 10 00 38 00 00 00 00 00 1c 00 40 .......8.......@
0010 00 ff 00 00 00 00 00 80 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 c0 00 40 00 40 .............@.@
0030 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 f0 ................
0040 00 40 ff ff 00 00 00 f0 00 00 00 00 00 00 00 00 .@..............
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00
orbis_swu.self

0000 07 00 00 00 00 00 00 38 00 00 00 00 00 1c 00 40 .......8.......@
0010 00 ff 00 00 00 00 00 80 00 00 00 00 00 00 00 00 .ÿ.....€........
0020 00 00 00 00 00 00 00 00 00 00 00 80 00 40 00 40 ...........€.@.@
0030 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 08 .......€........
0040 00 40 ff ff 00 00 00 f0 00 00 00 00 00 00 00 00 .@ÿÿ...ð........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00
SceSysCore.self

Note, I added SceSysCore to the Wiki's Auth Info page now, but it's pending approval... Either way, these two SELFs are similar in some ways, different in others.
Judging by https://www.psdevwiki.com/ps4/Program_Authority_ID#User_Modules, 3800000000000007 is SceSysCore.self, so I think everything is correct
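The two dumps above can be compared mechanically. The following is an added Python example, not code from this thread, the Auth-Info-Dumper payload or the project: it parses the hexdump format posted above (offset, up to 16 bytes, optional ASCII column), splits the 0x88-byte blob into the fields the thread names (Program Authority ID, capabilities, attributes) and lists the bytes on which the two SELFs differ. The field layout (paid as one little-endian u64, then four u64 capability words, four u64 attribute words and 0x40 unknown bytes) is an assumption made for this example, and the two dumps are embedded as constructed input copied from the comment above.

```python
import re
import struct

# Constructed input: the two 0x88-byte auth-info dumps posted in the thread.
# The trailing ASCII column is the dumper's own rendering and is skipped.
ORBIS_SWU_DUMP = """\
0000 01 00 00 00 00 10 00 38 00 00 00 00 00 1c 00 40 .......8.......@
0010 00 ff 00 00 00 00 00 80 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 c0 00 40 00 40 .............@.@
0030 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 f0 ................
0040 00 40 ff ff 00 00 00 f0 00 00 00 00 00 00 00 00 .@..............
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00
"""
SCESYSCORE_DUMP = """\
0000 07 00 00 00 00 00 00 38 00 00 00 00 00 1c 00 40 .......8.......@
0010 00 ff 00 00 00 00 00 80 00 00 00 00 00 00 00 00 .ÿ.....€........
0020 00 00 00 00 00 00 00 00 00 00 00 80 00 40 00 40 ...........€.@.@
0030 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 08 .......€........
0040 00 40 ff ff 00 00 00 f0 00 00 00 00 00 00 00 00 .@ÿÿ...ð........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00
"""

def parse_hexdump(text):
    """Parse 'OFFSET b0 .. b15 [ascii]' lines, checking that offsets are contiguous."""
    out = bytearray()
    for tokens in (ln.split() for ln in text.splitlines() if ln.strip()):
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"non-contiguous offset {tokens[0]}")
        for tok in tokens[1:17]:  # at most 16 bytes; first non-hex token is ASCII
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_auth_info(blob):
    """Assumed layout: paid u64, caps 4xu64, attrs 4xu64, 0x40 unknown bytes (LE)."""
    if len(blob) != 0x88:
        raise ValueError(f"expected 0x88 bytes, got {len(blob):#x}")
    paid, *words = struct.unpack_from("<9Q", blob)
    return {"paid": paid, "caps": tuple(words[:4]), "attrs": tuple(words[4:]), "unk": blob[0x48:]}

def diff_bytes(a, b):
    """Offsets at which two blobs disagree, with both byte values."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Run against the two dumps, the paid of the second blob decodes to 0x3800000000000007, the value quoted above for SceSysCore.self, and the two SELFs differ in only four bytes (the paid and one byte in each of two attribute words).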
@red-prig do you know what the Decid process is?
This probably has something to do with the debug; I didn't dig into it. Probably the hackers who broke the console can tell you more.
Thanks. |
@ultimaweapon |
It is just a very basic payload with hard-coded input. Also it is fixed to the 9.0 kernel only. So I don't want to create a repository for a quick and dirty thing.
But 9.00 is the latest jailbreakable, plus people can just modify the input before compiling. |
Need to find (or dump?) auth info from the PS4 process that runs exec on the game binary after forking.