Added 9.03 support

README.md

@@ -178,11 +178,12 @@ The custom version of stage2 first looks for the payload in the root directory o
 
 Supported versions are:
 - FW 9.00
+- FW 9.03
 - FW 9.60
 - FW 10.00 / 10.01
 - FW 10.50 / 10.70 / 10.71
 - FW 11.00
 
 Next versions are:
-- FW 9.03
+- FW 7.XX
 - TBD

stage2/offsets.h

@@ -158,6 +158,15 @@
 #define kdlsym_addr_copyinstr_patch2 0xffffffff8247182f
 #define kdlsym_addr_copyinstr_patch3 0xffffffff82471860
 
+#define kdlsym_addr_kernel_map 0xffffffff84464d48
+#define kdlsym_addr_kmem_alloc 0xffffffff8257a070
+#define kdlsym_addr_kmem_free 0xffffffff8257a23b
+
+#define kdlsym_addr_sceKernelSendNotificationRequest 0xffffffff8259fd30
+#define kdlsym_addr_vsprintf 0xffffffff822b7cb0
+#define kdlsym_addr_snprintf 0xffffffff822b7ce0
+#define kdlsym_addr_strlen 0xffffffff8250f0f0
+
 
 #elif (FIRMWARE == 950 || FIRMWARE == 951 || FIRMWARE == 960) // FW 9.50 / 9.51 / 9.60
 

stage2/stage2.c

@@ -305,7 +305,7 @@ int file_copy(struct thread *td, char* src, char* dst) {
 
 void exec_payload(struct thread *td, char* payload_path) {
   void *file_buffer;
-  size_t file_size;
+  size_t file_size, file_buffer_size;
 
   uint64_t kaslr_offset = rdmsr(MSR_LSTAR) - kdlsym_addr_Xfast_syscall;
 
@@ -331,7 +331,8 @@ void exec_payload(struct thread *td, char* payload_path) {
   }
 
   file_size = file_offset;
-  file_buffer = kmem_alloc(*kernel_map, ROUND_PG(file_size));
+  file_buffer_size = ROUND_PG(file_size + 0x80000);
+  file_buffer = kmem_alloc(*kernel_map, file_buffer_size);
 
   if (file_buffer == NULL) {
     printf("[-] Error creating memory buffer\n");
@@ -343,7 +344,7 @@ void exec_payload(struct thread *td, char* payload_path) {
 
   if (bytes_read != file_size) {
     printf("[-] Error reading the file\n");
-    kmem_free(*kernel_map, file_buffer, ROUND_PG(file_size));
+    kmem_free(*kernel_map, file_buffer, file_buffer_size);
     ksys_close(td, fd);
     return;
   }