The developer EchoStretch may soon start searching for the offsets needed to make the kstuff payload compatible with the 5.xx firmware of the PlayStation 5 console. This is the last missing piece to allow backups on those firmwares.

In a recently shared message he expressed his intention to start the search over the weekend, weather permitting, and appealed to anyone who has useful references from the Sleirsgoevy port script to send them to him via private message.
The kstuff payload plays a key role, as it allows the execution of fPKG games without altering the console hypervisor.
This approach makes it a less invasive solution than other methods, avoiding direct interference with the system’s security functions.
However, porting to new firmware versions is extremely complex, mainly because of the custom XOM (execute-only memory) protection, which makes the required offsets much harder to locate.
Subsequently, the developer Sleirsgoevy, a reference point in the PlayStation 5 scene, divided the fundamental offsets into several categories to make their identification easier, partly with the help of the frankenELF debugger in prosper0gdb.
1. Kernel data offsets
This category includes offsets that can be extracted from kernel dumps not protected by XOM. The main references in this section are:
- IDT offset (Interrupt Descriptor Table)
- TSS offset (Task State Segment, per CPU)
- PCPU offset (per CPU; it represents the kernel's GS base)
- sysentvecs offsets (both native and PS4)
- crypt_singleton_array
The search for these offsets is based on the in-depth analysis of kernel memory dumps, trying to circumvent the protections imposed by the system.
2. Kernel text offsets derived from kernel data
These are references to interrupt handlers, usually identifiable from a dump of the IDT. For the ps5-kstuff payload, two of these offsets are particularly relevant:
- Xinvtlb
- Xjustreturn
3. The “doreti_iret” offset
This offset is of crucial importance for the project, as it allows the kernel single-step primitive to be established, which is needed to identify other fundamental offsets.
However, finding it is particularly difficult because it is not directly linked to kernel data.
4. Offsets found by single-stepping kernel functions
Single-stepping through kernel functions allows some particularly useful offsets to be identified, including:
- rdmsr (Read Model-Specific Register)
- wrmsr_ret (Write Model-Specific Register followed by a return)
- the “rep movsb; pop rbp; ret” gadget, used for kernel memory reads and writes
These offsets are identified through a meticulous analysis of the kernel instructions.
5. Offsets found in ps5-kstuff logs (“parasites”)
The logs generated by ps5-kstuff contain references called “parasites”, which may or may not be useful depending on the context. This data is carefully analyzed to select only the information that is really relevant to the port.
A later comment by the developer zecoxao highlights a complication in porting kstuff to PlayStation 5 firmware 5: his contact for the keys will no longer help him, because of a mistake.
Despite this hurdle, zecoxao has already shared the correct kernels with some collaborators so that they can take care of the necessary offsets.
The last step left to complete the process is the implementation of MAP_SELF mmap by Sleirsgoevy, a key element to ensure the kstuff payload works correctly on the latest firmware versions.
Source: BiteYourConsole