/*
* device6_kmod.h.S -- PS3 Jailbreak payload - Device6 kernel module
*
* Copyright (C) Youness Alaoui (KaKaRoTo)
* Copyright (C) Aaron Lindsay (Aaron')
* Copyright (C) (subdub)
*
* This software is distributed under the terms of the GNU General Public
* License ("GPL") version 3, as published by the Free Software Foundation.
*
* This payload is a modified version of the original PSJailbreak's payload.
* The people behind PSJailbreak are the original authors and copyright holders
* of the code they wrote.
*/
/*
 * Module registration data.
 *
 * kernel_module_struct is the record handed to the kernel's module
 * registration: a name pointer followed by three descriptor pointers
 * (match / connect / disconnect).  Each *_desc pairs a callback pointer
 * with a user-data pointer.  Callback and name pointers are emitted through
 * QUAD_MEM2, a macro defined outside this file; the user-data slots are
 * plain .quad user_data (user_data is also defined elsewhere).
 *
 * NOTE(review): no .align precedes kernel_module_struct, and the "mod"
 * string is 4 bytes, so the 8-byte slots below are only as aligned as the
 * including file makes them -- worth checking if the kernel reads them with
 * ld.  The "//3.15=8000000033DA10" remarks are the original authors' record
 * of user_data's address on firmware 3.15.
 */
kernel_module_name:
.string "mod"                                    // NUL-terminated, 4 bytes
kernel_module_struct:
QUAD_MEM2 (kernel_module_name)                   // name
QUAD_MEM2 (device_match_desc)                    // match callback descriptor
QUAD_MEM2 (device_connect_desc)                  // connect callback descriptor
QUAD_MEM2 (device_disconnect_desc)               // disconnect callback descriptor
device_match_desc:
QUAD_MEM2 (device_match)
.quad user_data //3.15=8000000033DA10
device_connect_desc:
QUAD_MEM2 (device_connect)
.quad user_data //3.15=8000000033DA10
device_disconnect_desc:
QUAD_MEM2 (device_disconnect)
.quad user_data //3.15=8000000033DA10
// Not part of kernel_module_struct: passed to USBControlTransfer by device_connect.
device_setup_response_desc:
QUAD_MEM2 (device_setup_response)
.quad user_data //3.15=8000000033DA10
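/**
 * device_match:
 * @arg: Some unknown argument, maybe a driver structure
 *
 * Called by the kernel for a newly inserted USB device.  Fetches the
 * device descriptor and compares the 32-bit word at offset 8 (idVendor
 * followed by idProduct, read as one word on this big-endian target)
 * against 0xAAAACCCC.  Returns 0 to claim the device, -1 to refuse it.
 *
 * NOTE(review): the original pseudo-code said 0xAAAAC0DE ("device 6")
 * while the code compared 0xAAAACCCC.  The code is authoritative for this
 * build -- confirm it matches the VID/PID the dongle firmware reports.
 *
 * Change vs. the original: a NULL return from USBGetDeviceDescriptor is
 * refused instead of dereferenced.  Whether that function can return NULL
 * is not visible in this file; the guard costs two instructions and turns
 * a kernel-mode NULL dereference into a plain "-1".
 *
 * device_match(arg):
 * {
 *     char *descriptor = USBGetDeviceDescriptor(arg, 0, 1);
 *
 *     if (descriptor == NULL)
 *         return -1;
 *     if (*(uint32_t *) (descriptor + 8) == 0xAAAACCCC)
 *         return 0;
 *     return -1;
 * }
 *
 * Registers: %r3 = arg in / result out; %r4, %r5 = call args and scratch;
 * %r0 = scratch for LR; cr0 used by both compares.  Plus whatever
 * USBGetDeviceDescriptor itself clobbers.
 * Frame: 0x80 bytes; LR is saved at 0x90(%r1), i.e. 0x10 above the
 * caller's %r1 (the caller's frame, as the stdu/std pair below shows).
 */
.align 4
device_match:
stdu %r1, -0x80(%r1)             // open a 0x80-byte frame, old %r1 stored at 0(%r1)
mflr %r0
std %r0, 0x90(%r1)               // LR save slot in the caller's frame
li %r4, 0                        // 2nd and 3rd args (0, 1) as in the original pseudo-code
li %r5, 1
bl ABSOLUTE_MEM2(USBGetDeviceDescriptor)
cmpldi %r3, 0
beq l_device_match_refuse        // no descriptor -> refuse rather than dereference
lwz %r5, 8(%r3)                  // idVendor:idProduct as one 32-bit word
li %r3, 0                        // assume a match
lis %r4, 0xAAAA
ori %r4, %r4, 0xCCCC             // %r4 = 0xAAAACCCC
cmplw %r4, %r5
beq l_device_found
l_device_match_refuse:
li %r3, -1
l_device_found:
extsw %r3, %r3                   // sign-extend the 32-bit result (no-op for -1, kept from the original)
ld %r0, 0x90(%r1)
mtlr %r0
addi %r1, %r1, 0x80
blr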
/**
 * device_connect:
 * @arg: Some unknown argument, maybe a driver structure
 *
 * Called when a USB device accepted by device_match() is connected.
 * Opens endpoint 0, builds an 8-byte block on the stack and issues one
 * control transfer with device_setup_response_desc as the completion
 * descriptor.  Always returns 0.
 *
 * NOTE(review): the original pseudo-code showed USBControlTransfer()
 * receiving @arg, but %r3 is not reloaded between the two calls, so its
 * first argument is whatever USBOpenEndpoint() returned in %r3
 * (presumably an endpoint/pipe handle -- not verifiable here).
 *
 * device_connect(arg):
 * {
 *     short buf[8];                           // 16 bytes at 0x70(%r1); 8 are written
 *
 *     pipe = USBOpenEndpoint(arg, 0);
 *     *((uint64_t *)buf) = 0;
 *     buf[0] = 0x21AA;
 *     buf[3] = 0;                             // already zero; kept from the original
 *     USBControlTransfer(pipe, buf, 0, device_setup_response_desc, 0);
 *     return 0;
 * }
 *
 * The 8-byte block has the shape of a USB SETUP packet (bmRequestType 0x21,
 * bRequest 0xAA, wValue/wIndex/wLength 0) -- inferred from the values, the
 * file itself does not say so.  0x70 sits at the top of the 0x80-byte
 * frame, above the area a callee may use for its own parameter save.
 */
device_connect:
stdu %r1, -0x80(%r1)             // open a 0x80-byte frame
mflr %r0
std %r0, 0x90(%r1)               // LR save slot in the caller's frame
li %r4, 0
bl ABSOLUTE_MEM2(USBOpenEndpoint)        // %r3 = arg in, return value out (kept live for the next call)
addi %r4, %r1, 0x70 // Set %r4 to a pointer in the stack (8 bytes at 0x70..0x77 of our frame)
li %r5, 0
std %r5, 0(%r4) // %r4[0] = 0;  zero all 8 bytes; %r5 = 0 also serves as the 3rd call arg below
li %r6, 0x21aa
sth %r6, 0(%r4) // %r4[0] = 0x21aa;
li %r6, 0
sth %r6, 6(%r4) // %r4[6] = 0;  redundant after the std above, harmless
MEM_BASE (%r6)
LOADI_LABEL2 (%r6, device_setup_response_desc)   // %r6 = address of the response descriptor (macros defined elsewhere)
li %r7, 0
bl ABSOLUTE_MEM2(USBControlTransfer)
li %r3, 0                        // return 0
ld %r0, 0x90(%r1)
mtlr %r0
addi %r1, %r1, 0x80
blr
/**
 * device_disconnect:
 * @arg: Some unknown argument, maybe a driver structure
 *
 * Called when a previously handled USB device is disconnected.
 * Does nothing and returns 0.
 *
 * device_disconnect(arg):
 * {
 *     return 0;
 * }
 *
 * NOTE(review): the two instructions after the blr are unreachable --
 * nothing in this file branches past the return.  They load %r11 = 0xFF
 * and execute "sc 1", which looks like a leftover debug/trap path; confirm
 * whether it is intentional before removing it.
 */
device_disconnect:
li %r3, 0
blr
li %r11, 0xFF                    // unreachable (see note above)
sc 1                             // unreachable
/**
 * device_setup_response:
 * @arg: Some unknown argument, maybe a driver structure
 *
 * Completion callback registered through device_setup_response_desc for
 * the control transfer started in device_connect().  The original authors
 * describe it as "seems to be called once the USB device responds to a
 * SETUP request".  It does nothing: %r3 is not written, so the caller sees
 * whatever it passed in as the return value.
 *
 * device_setup_response(arg):
 * {
 * }
 */
device_setup_response:
blr