Full Read/Write access to ELF .text sections

[_cmx_]

Not sure if anyone else has found this patch, but it's quite useful to be able to modify executable sections of any launched SELF file after you patch the kernel and exit to VSH to reload the SELF with the patch enabled.

It's inside of a function named:
ROM:800000000005BBD8 set_pte:

Code:

ROM:800000000005BD18 39 60 01 BF                             li      %r11, 0x1BF
ROM:800000000005BD1C 38 60 00 00                             li      %r3, 0
ROM:800000000005BD20 7E 80 58 38                             and     %r0, %r20, %r11
ROM:800000000005BD24 7F A4 EB 78                             mr      %r4, %r29
ROM:800000000005BD28 7C DC 03 78                             or      %r28, %r6, %r0
ROM:800000000005BD2C 7F E5 FB 78                             mr      %r5, %r31
ROM:800000000005BD30 7F 86 E3 78                             mr      %r6, %r28
ROM:800000000005BD34 39 60 00 01                             li      %r11, 1
ROM:800000000005BD38 44 00 00 22                             hvsc                    # write_htab_entry

Patch 1: li %r11, 0x1BF, patch this to li %r11, 0x1BE
Patch 2: mr %r6, %r28, patch this to ori %r6, %r28, 2

With both of these patches, it will ensure that the htab written will have the lower PP bits set to 10 binary or 0x02 hex. This will yield read/write everything. I have not tested it patched into the payload, but I'm betting that if patched into the payload even the VSH will be loaded with these flags set and if so, it would allow patches to be made to the VSH in memory live in real time without crashing the system.

Patched code will look like:

Code:

ROM:800000000005BD18 39 60 01 BE                             li      %r11, 0x1BE
ROM:800000000005BD1C 38 60 00 00                             li      %r3, 0
ROM:800000000005BD20 7E 80 58 38                             and     %r0, %r20, %r11
ROM:800000000005BD24 7F A4 EB 78                             mr      %r4, %r29
ROM:800000000005BD28 7C DC 03 78                             or      %r28, %r6, %r0
ROM:800000000005BD2C 7F E5 FB 78                             mr      %r5, %r31
ROM:800000000005BD30 63 86 00 02                             ori     %r6, %r28, 2
ROM:800000000005BD34 39 60 00 01                             li      %r11, 1
ROM:800000000005BD38 44 00 00 22                             hvsc

I have created assembly cheats for God of War 3 already using this patch, so I know it works for games loaded already.

-CMX

[jaekid]

here is the hermes v4b hex i just compiled for the Teensy++ 2.0 with the two new patches for those interested:


ps i haven't had a chance to test this yet, but it should work fine.

EDIT: btw- pretty cool find you've got here...

[mary1988]

Not sure if anyone else has found this patch, but it's quite useful to be able to modify executable sections of any launched SELF file after you patch the kernel and exit to VSH to reload the SELF with the patch enabled.

It's inside of a function named:
ROM:800000000005BBD8 set_pte:

Code:

ROM:800000000005BD18 39 60 01 BF                             li      %r11, 0x1BF
ROM:800000000005BD1C 38 60 00 00                             li      %r3, 0
ROM:800000000005BD20 7E 80 58 38                             and     %r0, %r20, %r11
ROM:800000000005BD24 7F A4 EB 78                             mr      %r4, %r29
ROM:800000000005BD28 7C DC 03 78                             or      %r28, %r6, %r0
ROM:800000000005BD2C 7F E5 FB 78                             mr      %r5, %r31
ROM:800000000005BD30 7F 86 E3 78                             mr      %r6, %r28
ROM:800000000005BD34 39 60 00 01                             li      %r11, 1
ROM:800000000005BD38 44 00 00 22                             hvsc                    # write_htab_entry

Patch 1: li %r11, 0x1BF, patch this to li %r11, 0x1BE
Patch 2: mr %r6, %r28, patch this to ori %r6, %r28, 2

With both of these patches, it will ensure that the htab written will have the lower PP bits set to 10 binary or 0x02 hex. This will yield read/write everything. I have not tested it patched into the payload, but I'm betting that if patched into the payload even the VSH will be loaded with these flags set and if so, it would allow patches to be made to the VSH in memory live in real time without crashing the system.

Patched code will look like:

Code:

ROM:800000000005BD18 39 60 01 BE                             li      %r11, 0x1BE
ROM:800000000005BD1C 38 60 00 00                             li      %r3, 0
ROM:800000000005BD20 7E 80 58 38                             and     %r0, %r20, %r11
ROM:800000000005BD24 7F A4 EB 78                             mr      %r4, %r29
ROM:800000000005BD28 7C DC 03 78                             or      %r28, %r6, %r0
ROM:800000000005BD2C 7F E5 FB 78                             mr      %r5, %r31
ROM:800000000005BD30 63 86 00 02                             ori     %r6, %r28, 2
ROM:800000000005BD34 39 60 00 01                             li      %r11, 1
ROM:800000000005BD38 44 00 00 22                             hvsc

I have created assembly cheats for God of War 3 already using this patch, so I know it works for games loaded already.

-CMX

Careful reading, thanks for sharing