Added 9.60 support

README.md

@@ -173,5 +173,15 @@ This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.
 
 ## Notes for GoldHEN version
 This loader only supports payloads with a kernel entrypoint.
-The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: /data/GoldHEN/payloads/goldhen.bin. The internal payload is then loaded and is no longer needed on the external USB drive.
-At the moment, only firmware versions 9.00, 10.00, 10.01 and 11.00 are supported. Other versions like 9.60 will also be supported.
+
+The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: `/data/GoldHEN/payloads/goldhen.bin`. The internal payload is then loaded and is no longer needed on the external USB drive.
+
+Supported versions are:
+- FW 9.00
+- FW 9.60
+- FW 10.00 / 10.01
+- FW 11.00
+
+Next versions are:
+- FW 10.50
+- TBD

stage2/offsets.h

@@ -181,6 +181,15 @@
 #define kdlsym_addr_copyinstr_patch2 0xffffffff824023bf
 #define kdlsym_addr_copyinstr_patch3 0xffffffff824023f0
 
+#define kdlsym_addr_kernel_map 0xFFFFFFFF84347830
+#define kdlsym_addr_kmem_alloc 0xFFFFFFFF823889D0
+#define kdlsym_addr_kmem_free 0xFFFFFFFF82388BA0
+
+#define kdlsym_addr_sceKernelSendNotificationRequest 0xFFFFFFFF82663060
+#define kdlsym_addr_vsprintf 0xFFFFFFFF82405740
+#define kdlsym_addr_snprintf 0xFFFFFFFF82405770
+#define kdlsym_addr_strlen 0xFFFFFFFF825F1980
+
 
 #elif (FIRMWARE == 1000 || FIRMWARE == 1001) // FW 10.00 / 10.01
 

stage2/stage2.c

@@ -253,28 +253,28 @@ int file_exists(struct thread *td, const char *path) {
     return ksys_access(td, &uap) == 0;
 }
 
-void file_copy(struct thread *td, char* src, char* dst) {
+int file_copy(struct thread *td, char* src, char* dst) {
   uint64_t kaslr_offset = rdmsr(MSR_LSTAR) - kdlsym_addr_Xfast_syscall;
   int (*printf)(const char *format, ...) = (void *)kdlsym(printf);
 
   if (!file_exists(td, src)) {
     printf("[-] Error: Source file %s does not exist\n", src);
-    return;
+    return 0;
   }
 
   create_dir(td, PAYLOAD_INT_PATH);
 
   int src_fd = ksys_open(td, src, O_RDONLY, 0);
   if (src_fd < 0) {
     printf("[-] Error: Unable to open source file %s\n", src);
-    return;
+    return 0;
   }
 
   int dest_fd = ksys_open(td, dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
   if (dest_fd < 0) {
     printf("[-] Error: Unable to create destination file %s\n", dst);
     ksys_close(td, src_fd);
-    return;
+    return 0;
   }
 
   char buffer[1024];
@@ -287,19 +287,20 @@ void file_copy(struct thread *td, char* src, char* dst) {
       printf("[-] Error: Unable to write to destination file %s\n", dst);
       ksys_close(td, src_fd);
       ksys_close(td, dest_fd);
-      return;
+      return 0;
     }
   }
 
   if (bytes_read < 0) {
     printf("[-] Error: Unable to read from source file %s\n", src);
     ksys_close(td, src_fd);
     ksys_close(td, dest_fd);
-    return;
+    return 0;
   }
 
   ksys_close(td, src_fd);
   ksys_close(td, dest_fd);
+  return 1;
 }
 
 void exec_payload(struct thread *td, char* payload_path) {
@@ -370,7 +371,9 @@ void inject_payload(struct thread *td) {
       }
     }
 
-    file_copy(td, PAYLOAD_EXT_PATH, PAYLOAD_INT_PATH);
+    if (file_copy(td, PAYLOAD_EXT_PATH, PAYLOAD_INT_PATH)) {
+        notify("Payload successfully transferred to internal HDD!");
+    }
   }
 
   if (!file_exists(td, PAYLOAD_INT_PATH)) {