Initial update

The first upload of the source code.
EternalModz · Sep 8, 2022 · 995f842 · 995f842
1 parent 4e787e2
commit 995f842
Show file tree

Hide file tree

Showing 154 changed files with 77,679 additions and 0 deletions.
diff --git a/coldboot/coldboot-installer.html b/coldboot/coldboot-installer.html
@@ -0,0 +1,205 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="ps3xploit_v30.js"></script>
+<meta charset="UTF-8"> 
+<title>PS3Xploit Tools v3.0 - Cold Boot Installer</title>
+<script>
+function initROP(init)
+{
+	try
+	{
+		if(init===true){frame_fails=0;search_base_off=0;search_size_ext=0;}
+		if(t_out!==0){clearTimeout(t_out);t_out=0;}
+		offset_array=[];
+		disable_all();
+		clearLogEntry();
+		store_idx_arr1=new Array(3);
+		store_idx_arr2=new Array(3);
+		xtra_data_addr=0;
+		stack_frame_addr=0;
+		jump_2_addr=0;
+		jump_1_addr=0;
+		var reboot_sf_addr=0,coldboot_multi_usb_addr=0, coldboot_multi_blind_addr=0,coldboot_multi_usbfd_addr=0,coldboot_multi_usb_readlen_addr=0,coldboot_multi_blindfd_addr=0,coldboot_multi_blind_writelen_addr=0,coldboot_raf_usb_addr=0, coldboot_raf_blind_addr=0,coldboot_raf_usbfd_addr=0,coldboot_raf_usb_readlen_addr=0,coldboot_raf_blindfd_addr=0,coldboot_raf_blind_writelen_addr=0,mount_path_addr=0,fs_addr=0, flash_partition_addr=0, null_addr=0, stat_addr=0, coldboot_stereo_usb_addr=0, coldboot_stereo_blind_addr=0,coldboot_stereo_usbfd_addr=0,coldboot_stereo_usb_readlen_addr=0,coldboot_stereo_blindfd_addr=0,coldboot_stereo_blind_writelen_addr=0,dummy1_usb_addr=0, dummy1_blind_addr=0, dummy2_usb_addr=0, dummy2_blind_addr=0,dummy2_usbfd_addr=0,dummy2_usb_readlen_addr=0,dummy2_blindfd_addr=0,dummy2_blind_writelen_addr=0,dummy1_usbfd_addr=0,dummy1_usb_readlen_addr=0,dummy1_blindfd_addr=0,dummy1_blind_writelen_addr=0;
+		var coldboot_stereo_buf_addr=0x8B000000;
+		var coldboot_raf_buf_addr=0x8B200000;
+		var coldboot_multi_buf_addr=0x8B600000;
+		var dummy2_buf_addr=0x8BA00000;
+		var dummy1_buf_addr=0x8BC00000;
+		var search_max_threshold=70*0x100000; // 70Mb maximum memory search
+		var search_base=0x80200000;//0x80190000;//
+		var search_size=2*mbytes;
+		search_base_off=0*mbytes;
+		search_size_ext=2*mbytes;
+		total_loops++;
+
+		xtra_data=flash_partition.convert()
+		+filesystem.convert()
+		+mount_path.convert()
+		+getPath(coldboot_raf_usb).convert()
+		+fill_by_4bytes(0xC,dbyte00)
+		+coldboot_raf_blind.convert()
+		+fill_by_4bytes(0xC,dbyte00)
+		+getPath(coldboot_multi_usb).convert()
+		+fill_by_4bytes(0xC,dbyte00)
+		+coldboot_multi_blind.convert()
+		+fill_by_4bytes(0xC,dbyte00)
+		+getPath(coldboot_stereo_usb).convert()
+		+fill_by_4bytes(0xC,dbyte00)
+		+coldboot_stereo_blind.convert()
+		+fill_by_4bytes(0xC,dbyte00)
+		+fill_by_16bytes(0x70,dbyte00)
+		+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)+callsub(gadget12_addr,2,0,0,0,0,0,0,0,0,0x80)+syscall(sc_sm_shutdown,hard_reboot,0,0,0,0,0,0,0)
+		+unescape("\uFD7E");
+		while(xtra_data_addr===0)
+		{
+			if(search_max_threshold<search_size){load_check();return;}
+			xtra_data=xtra_data.replaceAt(0,hexh2bin(0x7EFD));
+			xtra_data_addr=findJsVariableOffset("xtra_data",xtra_data,search_base,search_size);
+			search_max_threshold-=search_size;
+		}
+
+		flash_partition_addr=xtra_data_addr;
+		fs_addr=flash_partition_addr+flash_partition.convertedSize()-0x4;
+		mount_path_addr=fs_addr+filesystem.convertedSize();
+
+		coldboot_raf_usb_addr=mount_path_addr+mount_path.convertedSize();
+		coldboot_raf_usbfd_addr=coldboot_raf_usb_addr+getPath(coldboot_raf_usb).convertedSize();
+		coldboot_raf_usb_readlen_addr=coldboot_raf_usbfd_addr+word_size;
+
+		coldboot_raf_blind_addr=coldboot_raf_usb_readlen_addr+dword_size;
+		coldboot_raf_blindfd_addr=coldboot_raf_blind_addr+coldboot_raf_blind.convertedSize();
+		coldboot_raf_blind_writelen_addr=coldboot_raf_blindfd_addr+word_size;
+		store_idx_arr1[0]=(coldboot_raf_blind_writelen_addr-flash_partition_addr+0x8)/2;
+
+		coldboot_multi_usb_addr=coldboot_raf_blind_writelen_addr+dword_size;
+		coldboot_multi_usbfd_addr=coldboot_multi_usb_addr+getPath(coldboot_multi_usb).convertedSize();
+		coldboot_multi_usb_readlen_addr=coldboot_multi_usbfd_addr+word_size;
+
+		coldboot_multi_blind_addr=coldboot_multi_usb_readlen_addr+dword_size;
+		coldboot_multi_blindfd_addr=coldboot_multi_blind_addr+coldboot_multi_blind.convertedSize();
+		coldboot_multi_blind_writelen_addr=coldboot_multi_blindfd_addr+word_size;
+		store_idx_arr1[1]=(coldboot_multi_blind_writelen_addr-flash_partition_addr+0x8)/2;
+
+		coldboot_stereo_usb_addr=coldboot_multi_blind_writelen_addr+dword_size;
+		coldboot_stereo_usbfd_addr=coldboot_stereo_usb_addr+getPath(coldboot_stereo_usb).convertedSize();
+		coldboot_stereo_usb_readlen_addr=coldboot_stereo_usbfd_addr+word_size;
+
+		coldboot_stereo_blind_addr=coldboot_stereo_usb_readlen_addr+dword_size;
+		coldboot_stereo_blindfd_addr=coldboot_stereo_blind_addr+coldboot_stereo_blind.convertedSize();
+		coldboot_stereo_blind_writelen_addr=coldboot_stereo_blindfd_addr+word_size;
+		store_idx_arr1[2]=(coldboot_stereo_blind_writelen_addr-flash_partition_addr+0x8)/2;
+
+		null_addr=coldboot_stereo_blind_writelen_addr+dword_size;
+		store_idx_arr2[0]=(null_addr-flash_partition_addr+0xC)/2;
+		store_idx_arr2[1]=(null_addr-flash_partition_addr+0x10)/2;
+		store_idx_arr2[2]=(null_addr-flash_partition_addr+0x14)/2;
+		stat_addr=null_addr+dword_size*0x3;
+		reboot_sf_addr=stat_addr+dword_size*0xB;
+//############################ Building stack frame ###############################################################
+		stack_frame=stack_frame_hookup()
+		+syscall(sc_fs_umount,flash_partition_addr,fs_addr,mount_path_addr,0,0,0,0,0)
+		+copy_file_overwrite(coldboot_raf_usb_addr,coldboot_raf_blind_addr,coldboot_raf_usbfd_addr,coldboot_raf_blindfd_addr,coldboot_raf_buf_addr,coldboot_raf_usb_readlen_addr,coldboot_raf_blind_writelen_addr,stat_addr,null_addr,null_addr+0x8)
+		+copy_file_overwrite(coldboot_multi_usb_addr,coldboot_multi_blind_addr,coldboot_multi_usbfd_addr,coldboot_multi_blindfd_addr,coldboot_multi_buf_addr,coldboot_multi_usb_readlen_addr,coldboot_multi_blind_writelen_addr,stat_addr,null_addr,null_addr+0xC)
+		+copy_file_overwrite(coldboot_stereo_usb_addr,coldboot_stereo_blind_addr,coldboot_stereo_usbfd_addr,coldboot_stereo_blindfd_addr,coldboot_stereo_buf_addr,coldboot_stereo_usb_readlen_addr,coldboot_stereo_blind_writelen_addr,stat_addr,null_addr,null_addr+0x10)
+		+optional_reboot3(reboot_sf_addr,coldboot_raf_blind_writelen_addr,coldboot_multi_blind_writelen_addr,coldboot_stereo_blind_writelen_addr)
+		//+callsub(gadget12_addr,2,0,0,0,0,0,0,0,0,0x80)
+		//+syscall(sc_sm_shutdown,hard_reboot,0,0,0,0,0,0,0)
+		//graceful exit
+		+stack_frame_exit();
+//############################ End stack frame ###############################################################		
+		while(stack_frame_addr===0)
+		{
+			if(search_max_threshold<search_size+search_size_ext){frame_fails++;if((frame_fails%10)===0){search_base_off+=0;search_size_ext+=0;}load_check();return;}
+			stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));
+			stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base+search_base_off,search_size+search_size_ext);
+			if(stack_frame_addr==-1)if(search_max_threshold<search_size+search_size_ext){frame_fails++;load_check();return;}
+			search_max_threshold-=search_size+search_size_ext;
+		}
+		jump_2=unescape("\u0102\u7EFB")+fill_by_16bytes(0x30,dbyte41)+hexw2bin(stack_frame_addr)+unescape("\uFB7E");		
+		while(jump_2_addr===0)
+		{
+			if(search_max_threshold<search_size){load_check();return;}
+			jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));
+			jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);
+			if(jump_2_addr==-1)if(search_max_threshold<search_size){load_check();return;}
+			search_max_threshold-=search_size;
+		}
+		jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");
+		while(jump_1_addr===0)
+		{
+			if(search_max_threshold<search_size){load_check();return;}
+			jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));
+			jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);
+			if(jump_1_addr==-1)if(search_max_threshold<search_size){load_check();return;}
+			search_max_threshold-=search_size;
+		}
+		var sf=checkMemory(stack_frame_addr-0x4,0x10000,stack_frame.length);
+		var x=checkMemory(xtra_data_addr-0x4,0x2000,xtra_data.length);
+		var j2=checkMemory(jump_2_addr-0x4,0x800,jump_2.length);
+		var j1=checkMemory(jump_1_addr-0x4,0x800,jump_1.length);
+		if((j2===jump_2)&&(j1===jump_1)&&(x===xtra_data)&&(sf===stack_frame))
+		{
+			if(t_out!==0){clearTimeout(t_out);}
+			showResult(hr+"<h1><b><font color=%22386E38%22>Cold Boot Installer initialized successfully.</font></b></h1><h3><b><span style='color:#000000;'>You can now launch Cold Boot Installer.</span></b></h3>");
+			enable_trigger();
+		}
+		else
+		{
+			if(x!==xtra_data)logAdd("xtra_data mismatch in memory!");
+			if(sf!==stack_frame)logAdd("stack_frame mismatch in memory!");
+			if(j2!==jump_2)logAdd("jump_2 mismatch in memory!");
+			if(j1!==jump_1)logAdd("jump_1 mismatch in memory!");
+			//logAdd("String mismatch in memory!");
+			load_check();
+		}
+	}
+	catch(e)
+	{
+		debug=true;
+		logAdd(br+"Cold Boot Installer initialization failed because the following exception was thrown during execution:"+br+e+" at : "+e.lineNumber);
+		debug=false;
+	}
+}
+
+function triggerX()
+{
+		clearLogEntry();
+		showResult(hr+"<h2><b><span style='color:#000000;'>Installing Cold Boot...</span></b></h2>");
+		disable_all();
+		setTimeout(trigger,1000,jump_1_addr);
+		setTimeout(rop_exit_3val,2000,hr+"<h1><b><font color=%22386E38%22>Cold Boot Installation succeeded!</font></span></b></h1>",hr+"<h1><b><font color='red'>Cold Boot Installation failed!</font></b></h1><h3><b><span style='color:#000000;'>Error copying file(s):</span></b></h3>","<h3><b><span style='color:#000000;'>coldboot.raf</span></b></h3>","<h3><b><span style='color:#000000;'>coldboot_multi.ac3</span></b></h3>","<h3><b><span style='color:#000000;'>coldboot_stereo.ac3</span></b></h3>");
+		cleanGUI();
+}
+</script>
+</head>
+	<body id="bodyId" style="background-color:#FFD097">
+	<div id="headerId" style="color:#CC2010">
+	<h1>PS3Xploit Tools v3.0 - Cold Boot Installer</h1>
+	<h2><span style="color:#000000">Courtesy of PS3Xploit Team</span></h2><b>esc0rtd3w </b><span style="color:#000000;"> (Debugging & Testing) <b>|</b> </span><b>habib </b><span style="color:#000000"> (Reverse Engineering & Debugging) <b>|</b> </span><b>bguerville </b><span style="color:#000000"> (ROP, Javascript & Debugging)</span><hr>
+		<span style="color:#000000">Many thanks to xerpi for porting the memory leak exploit to ps3, zecoxao & Joonie for their early & renewed support, mysis for documenting vsh/lv2, SSL for his regular & precious advice, kakaroto for the PS3 IDA tools, naherwert for scetool, Rebug Team for producing/updating the only CFW adequate to develop this work & Cobra team for sharing their CobraUSB source, the psdevwiki team of course, STLcardsWS for his long standing contribution & ever constant support.<br>We also wish to thank all the ps3 community hackers/devs, past & present, who directly or indirectly helped us put this project together, you know who you are...<br><br><b>Big thanks to @StarMelter for providing the default image and @d1mtr7 for providing the sound!</b></span><hr>
+	<h3>Supports OFW and CFW CEX/DEX 4.81+ Firmware</h3>
+	<p><span style="color:#000000">More details & news on</span> <a href="http://www.psx-place.com/forums/ps3xploit">http://www.psx-place.com</a></p>
+	<hr></div>
+	<p><b>Place these files in root source path: 
+	<br>coldboot.raf
+	<br>coldboot_multi.ac3
+	<br>coldboot_stereo.ac3</b><br><br>
+	<span style="color:#000000">Root Path </span>
+	<select id="combofilePath" name="fPath" size="1" onChange="selectfilePath()">
+	<option id="usb_0" selected="selected" value="/dev_usb000">/dev_usb000</option><option id="usb_1" value="/dev_usb001">/dev_usb001</option><option id="usb_6" value="/dev_usb006">/dev_usb006</option><option id="xploit_extras" value="/dev_hdd0/game/PS3XPLOIT/USRDIR/extras">/dev_hdd0/game/PS3XPLOIT/USRDIR/extras</option><option id="han_toolbox" value="/dev_hdd0/game/HANTOOLBX/USRDIR/files/">/dev_hdd0/game/HANTOOLBX/USRDIR/files/</option>
+	</select> | Auto-Close Browser <input type="checkbox" id="auto_close" name="aclose" onclick="autoclose();"/> | Auto-Reboot <input type="checkbox" id="auto_reboot" name="areboot" checked="checked" onclick="autoreboot();"/>
+	<span id="dex_txt" style="visibility:hidden"> | DEX mode<input type="checkbox" id="dex" name="DEX" disabled="" onclick="dex();"/></span></p>
+	<p><button id="btnROP" type="button" onclick="initROP(true);" autofocus>Initialize Cold Boot Installer</button> | 
+	<button id="btnTrigger" disabled="" type="button" onclick="triggerX();">Launch Cold Boot Installation</button><span id="reset" style="visibility:hidden"> | <button id="btnReset" type="button" onclick="disable_trigger();">Reset</button></span></p>
+	<div id="result" style="color:#CC2010"></div><br>
+	<div id="log"></div>
+	<div id="exploit" ></div>
+	<div id="trigger"></div>
+	<div id="footer"></div>
+	<script>
+		writeEnvInfo();
+		ps3chk();
+	</script>
+	</body>
+</html>