Enable debug settings payload for PS4 9.00
// Ported to 9.00 by github.com/LemonHaze420
#include "ps4.h"
#define KERN_XFAST_SYSCALL 0x1C0
#define KERN_PRISON_0 0x0111F870
#define KERN_ROOTVNODE 0x021EFF20
/*
flagged updater = qa_flags[0] & 0x1
force update = qa_flags[0] & 0x2
int dev, int dev for internal libc, allow init vtrm = qa_flags[0] & 0x4
allow registry access = qa_flags[0] & 0x8
int dev for psm, allow psm debug = qa_flags[0] & 0x10
special i = qa_flags[0] & 0x40
allow ul debugger = qa_flags[1] & 0x1
allow sl debugger = qa_flags[1] & 0x2
beta update test = qa_flags[1] & 0x4
debug menu, debug menu for psm = qa_flags[2] & 0x1
allow ad clock = qa_flags[2] & 0x2
fake finalize = qa_flags[2] & 0x10
psn access trace log = qa_flags[2] & 0x40
debug menu mini = qa_flags[3] & 0x2
store mode = utoken_flags[0] & 0x1
data execution = utoken_flags[0] & 0x2
use weakened port restriction = utoken_flags[0] & 0x4
use softwagner = utoken_flags[0] & 0x8
flagged updater = utoken_flags[0] & 0x10
np env switching = utoken_flags[0] & 0x20
save data repair = utoken_flags[0] & 0x40
fake sharefactory = utoken_flags[0] & 0x80
*/
/* Overwrite the two bytes at kbase+off with NOP (0x90 0x90).
 * CR0.WP must already be clear when this is called. */
static void kpatch_nop2(uint8_t *kbase, size_t off)
{
    kbase[off] = 0x90;
    kbase[off + 1] = 0x90;
}

/*
 * Kernel-side half of the payload.  _main hands this function to the
 * kernel-exec hook (syscall 11), so it runs in kernel mode with td = the
 * calling thread.  In order it:
 *   1. escalates td's credentials to uid/gid 0, moves it into prison0 and
 *      re-roots its filesystem at rootvnode (jail escape);
 *   2. writes the raw ucred fields the sceSblACMgr* checks consult;
 *   3. with CR0.WP cleared, NOPs out the rcmgr branches that gate the
 *      QA/utoken settings, then ORs the wanted bits into the flag bytes.
 *
 * Every constant below - KERN_*, the thread/ucred field offsets (304, 88,
 * 96, 104), the 0x3068xx..0x3071xx patch sites and the 0x22168xx flag bytes -
 * is firmware 9.00 specific.  Nothing here verifies that the running kernel
 * is 9.00: on any other firmware the NOP writes land on unrelated kernel
 * bytes, and the likely outcome is a panic or silent kernel corruption rather
 * than a clean failure.  Re-derive every offset before porting.
 *
 * Returns 0 unconditionally; _main does not inspect the result.
 */
int debug_menu_mini(struct thread* td)
{
    struct ucred *cred = td->td_proc->p_ucred;
    struct filedesc *fd = td->td_proc->p_fd;

    /* MSR 0xC0000082 is IA32_LSTAR (the syscall entry point); subtracting the
     * entry's known offset inside the kernel image yields the kernel base. */
    uint8_t *kbase = (uint8_t *)(__readmsr(0xC0000082) - KERN_XFAST_SYSCALL);
    void *prison0 = *(void **)(kbase + KERN_PRISON_0);
    void *rootvnode = *(void **)(kbase + KERN_ROOTVNODE);

    /* Root credentials plus jail escape for the calling process. */
    cred->cr_uid = 0;
    cred->cr_ruid = 0;
    cred->cr_rgid = 0;
    cred->cr_groups[0] = 0;
    cred->cr_prison = prison0;
    fd->fd_jdir = rootvnode;
    fd->fd_rdir = rootvnode;

    /* Raw ucred fields consulted by the sceSblACMgr* checks; needed for
     * filesystem access such as mounting and decrypting files.  The file
     * treats thread+304 as the same ucred as p_ucred (9.00 layout). */
    char *td_ucred = *(char **)((char *)td + 304);
    *(uint64_t *)(td_ucred + 96) = 0xffffffffffffffffULL;  /* sceSblACMgrIsSystemUcred */
    *(uint64_t *)(td_ucred + 88) = 0x3801000000000013ULL;  /* sceSblACMgrGetDeviceAccessType: max access */
    *(uint64_t *)(td_ucred + 104) = 0xffffffffffffffffULL; /* sceSblACMgrHasSceProcessCapability: SCE process */

    /* Kernel text is write-protected: clear CR0.WP for the patch window and
     * restore the saved CR0 afterwards.  Keep the window as short as possible. */
    uint64_t saved_cr0 = readCr0();
    writeCr0(saved_cr0 & ~X86_CR0_WP);

    /* rcmgr_intdev: five check sites (9.00). */
    const size_t intdev_sites[] = { 0x306866, 0x306929, 0x3069D6, 0x306A99, 0x306B69 };
    for (size_t i = 0; i < sizeof intdev_sites / sizeof intdev_sites[0]; i++) {
        kpatch_nop2(kbase, intdev_sites[i]);
    }
    /* debug_menu_mini check. */
    kpatch_nop2(kbase, 0x306C16);
    /* rcmgr_flaged_updater: six sites spaced 0xB0 apart. */
    for (size_t i = 0; i < 6; i++) {
        kpatch_nop2(kbase, 0x306CC6 + 0xB0 * i);
    }
    /* rcmgr_utoken_store_mode: eight sites spaced 0xB0 apart. */
    for (size_t i = 0; i < 8; i++) {
        kpatch_nop2(kbase, 0x3071C6 + 0xB0 * i);
    }

    /* qa_flags[0]: flagged updater | force update | int dev (+internal libc,
     * init vtrm) | registry access | psm int dev/debug | special i */
    kbase[0x22168A8] |= 0x1 | 0x2 | 0x4 | 0x8 | 0x10 | 0x40;
    /* qa_flags[1]: allow ul debugger | allow sl debugger | beta update test */
    kbase[0x22168A9] |= 0x1 | 0x2 | 0x4;
    /* qa_flags[2]: debug menu (+psm) | allow ad clock | fake finalize
     * | psn access trace log */
    kbase[0x22168AA] |= 0x1 | 0x2 | 0x10 | 0x40;
    /* qa_flags[3] & 0x2 ("debug menu mini") is deliberately left unset;
     * set it in place of qa_flags[2] & 0x1 when the mini menu is wanted
     * instead of the full debug menu. */
    /* utoken_flags[0], every bit: store mode | data execution | weakened port
     * restriction | softwagner | flagged updater | np env switching
     * | save data repair | fake sharefactory */
    kbase[0x22168C8] |= 0x1 | 0x2 | 0x4 | 0x8 | 0x10 | 0x20 | 0x40 | 0x80;

    /* Re-enable write protection. */
    writeCr0(saved_cr0);
    return 0;
}
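/*
 * Userland entry point of the payload.
 *
 * Sequence: resolve the SDK's kernel/libc bindings, run the SDK jailbreak,
 * then hand debug_menu_mini to the kernel-exec hook (syscall 11) so the
 * credential escalation and the 9.00 kernel patches run in kernel mode.
 * Only after that are the machdep.rcmgr_* sysctls written to 1; the patch
 * names in debug_menu_mini (rcmgr_intdev, rcmgr_flaged_updater,
 * rcmgr_utoken_store_mode) match several of these sysctls, which suggests
 * the patches are what let the writes through - not verified here.
 *
 * Fix over the previous version: the sysctl return values were discarded,
 * so a rejected write (wrong firmware, patch not applied) still produced the
 * "Debug Menu Enabled" notification.  Every sysctlbyname() result is now
 * checked and a different notification is shown if any of them failed.
 *
 * The function always returns 0.
 */
int _main(struct thread* td)
{
    /* machdep.rcmgr_* knobs to set, in the order the original payload wrote
     * them.  Kept as an automatic (not static) array so the table needs no
     * load-time relocations in a raw payload - presumably irrelevant if the
     * loader handles relocs, but harmless. */
    const char *const rcmgr_sysctls[] = {
        "machdep.rcmgr_intdev",                         /* qa_flags[0] & 0x4  */
        "machdep.rcmgr_psm_intdev",                     /* qa_flags[0] & 0x10 */
        "machdep.rcmgr_sl_debugger",                    /* qa_flags[1] & 0x2  */
        "machdep.rcmgr_debug_menu",                     /* qa_flags[2] & 0x1  */
        /* "machdep.rcmgr_debug_menu_mini" (qa_flags[3] & 0x2) is deliberately
         * not set; use it in place of rcmgr_debug_menu when wanted. */
        "machdep.rcmgr_flaged_updater",                 /* qa_flags[0] & 0x1  */
        "machdep.rcmgr_force_update",                   /* qa_flags[0] & 0x2  */
        "machdep.rcmgr_special_i",                      /* qa_flags[0] & 0x40 */
        "machdep.rcmgr_fake_finalize",                  /* qa_flags[2] & 0x10 */
        "machdep.rcmgr_psn_access_trace_log",           /* qa_flags[2] & 0x40 */
        "machdep.rcmgr_beta_update_test",               /* qa_flags[1] & 0x4  */
        /* Labelled "use in case of emergency, toggles everything" by the
         * original author, but note it is set unconditionally here on top
         * of the individual flags. */
        "machdep.rcmgr_any_qaf",
        "machdep.rcmgr_utoken_store_mode",              /* utoken_flags[0] & 0x1  */
        "machdep.rcmgr_utoken_data_execution",          /* utoken_flags[0] & 0x2  */
        "machdep.rcmgr_utoken_weakened_port_restriction", /* utoken_flags[0] & 0x4 */
        "machdep.rcmgr_utoken_flaged_updater",          /* utoken_flags[0] & 0x10 */
        "machdep.rcmgr_utoken_np_env_switching",        /* utoken_flags[0] & 0x20 */
        "machdep.rcmgr_utoken_save_data_repair",        /* utoken_flags[0] & 0x40 */
        "machdep.rcmgr_utoken_fake_sharefactory",       /* utoken_flags[0] & 0x80 */
        "machdep.rcmgr_utoken_use_softwagner",          /* utoken_flags[0] & 0x8  */
    };
    uint32_t enable = 1;
    unsigned failed = 0;

    initKernel();
    initLibc();
    jailbreak();

    /* Run the kernel-side patches/escalation in kernel context. */
    syscall(11, debug_menu_mini, td);

    /* Enable the debug settings; count rejected writes instead of ignoring
     * them (sysctlbyname returns non-zero on failure). */
    for (size_t i = 0; i < sizeof rcmgr_sysctls / sizeof rcmgr_sysctls[0]; i++) {
        if (sysctlbyname(rcmgr_sysctls[i], NULL, NULL, &enable, sizeof enable) != 0) {
            failed++;
        }
    }

    initSysUtil();
    if (failed == 0) {
        printf_notification("Debug Menu Enabled");
    } else {
        /* At least one rcmgr sysctl was rejected: the settings are only
         * partially applied, so do not claim full success. */
        printf_notification("Debug Menu: some rcmgr sysctl writes failed");
    }
    return 0;
}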