3.03

2026-02-26 17:04:31 +00:00 · 2020-07-18 23:27:01 +01:00
parent 025b142928
commit 74c87547d3
2 changed files with 39 additions and 30 deletions
--- a/index.html
+++ b/index.html
@@ -3,6 +3,8 @@
 <ul>
 <li>
 	<a href="https://cturt.github.io/freedvdboot.html">Technical writeup for initial exploit of firmware 3.10</a>
+</li>
+<li>
 	<a href="portingnotes.html">Notes on reverse engineering and exploiting different DVD player firmwares</a>
 </li>
 </ul>
--- a/portingnotes.html
+++ b/portingnotes.html
@@ -40,7 +40,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>getDiscData</th>
-    <td></td>
+    <td>0x243438</td>
    <td>0x23e150</td>
    <td>0x23e138</td>
    <td>0x25c9f0</td>
@@ -48,7 +48,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>getDiscByte</th>
-    <td></td>
+    <td>0x243368</td>
    <td></td>
    <td>0x23e068</td>
    <td>0x25c920</td>
@@ -56,7 +56,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>currentDiscBytePointer</th>
-    <td></td>
+    <td>0x15f42a4</td>
    <td></td>
    <td>0x16ceee4</td>
    <td>0x1411fe4</td>
@@ -64,7 +64,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>endDiscBytePointer</th>
-    <td></td>
+    <td>0x15f42a8</td>
    <td></td>
    <td>0x16ceee8</td>
    <td>0x1411fe8</td>
@@ -72,7 +72,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>0xff * 3 * 8 overflow</th>
-    <td></td>
+    <td>0x241d0c</td>
    <td></td>
    <td>0x23cb04</td>
    <td>0x25b3bc</td>
@@ -80,7 +80,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>fpIndex</th>
-    <td></td>
+    <td>0x15f4b0a</td>
    <td></td>
    <td>0x16cf74a</td>
    <td>0x141284a</td>
@@ -88,7 +88,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>fpArray</th>
-    <td></td>
+    <td>0x923d88</td>
    <td></td>
    <td>0x95ace8</td>
    <td>0x5b9d40</td>
@@ -96,7 +96,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>OOB call</th>
-    <td></td>
+    <td>0x0244E1C</td>
    <td></td>
    <td>0x23faac</td>
    <td>0x25e388</td>
@@ -104,7 +104,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>getBufferInternal</th>
-    <td></td>
+    <td>0x262360</td>
    <td></td>
    <td>0x261548</td>
    <td></td>
@@ -112,7 +112,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>pointToIFO</th>
-    <td></td>
+    <td>0x2432c8</td>
    <td></td>
    <td>0x23dfc8</td>
    <td></td>
@@ -128,7 +128,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>SifInitRpc</th>
-    <td></td>
+    <td>0x2082a0</td>
    <td></td>
    <td>0x208260</td>
    <td></td>
@@ -136,7 +136,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>SifExitRpc</th>
-    <td></td>
+    <td>0x208440</td>
    <td></td>
    <td>0x208400</td>
    <td></td>
@@ -144,7 +144,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>SifIopReset</th>
-    <td></td>
+    <td>0x291fb8</td>
    <td></td>
    <td>0x291358</td>
    <td></td>
@@ -152,7 +152,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>SifIopSync</th>
-    <td></td>
+    <td>0x292138</td>
    <td></td>
    <td>0x2914d8</td>
    <td></td>
@@ -163,7 +163,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>Destination of large copy</th>
-    <td></td>
+    <td>0x15ec890</td>
    <td></td>
    <td>0x16c8cd4</td>
    <td>0x140bdd4</td>
@@ -171,26 +171,18 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>Destination + max size</th>
-    <td></td>
+    <td>0x176C878</td>
    <td></td>
    <td>0x1848CBC</td>
    <td>0x158BDBC</td>
    <td>0x15B51B4</td>
  </tr>
-  <tr>
-    <th>Sector buffer (getDiscByteInternal)</th>
-    <td></td>
-    <td></td>
-    <td>0x16cad40</td>
-    <td>0x140de40</td>
-    <td></td>
-  </tr>
  <tr>
  	<th style="text-align: center" colspan="6">Exploit values</th>
  </tr>
  <tr>
    <th>currentDiscBytePointer value at overwrite</th>
-    <td></td>
+    <td>0x015f1008</td>
    <td></td>
    <td>0x016ce444</td>
    <td>0x01411544</td>
@@ -198,7 +190,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>Jump target</th>
-    <td></td>
+    <td>0x15ea540</td>
    <td></td>
    <td>0x01800180</td>
    <td>0x01500014</td>
@@ -206,7 +198,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
    <th>Address of jump target</th>
-    <td></td>
+    <td>0x928D24</td>
    <td></td>
    <td>0x95CF40</td>
    <td>0x5f1f38</td>
@@ -217,7 +209,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
  	<th>currentDiscBytePointer</th>
-    <td></td>
+    <td>0x1c6c</td>
    <td></td>
    <td>0x2744</td>
    <td>0x2744</td>
@@ -225,7 +217,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
  	<th>fpIndex</th>
-    <td></td>
+    <td>0x24D2</td>
    <td></td>
    <td></td>
    <td></td>
@@ -233,7 +225,7 @@ tr:nth-child(even) {
  </tr>
  <tr>
  	<th>Payload</th>
-    <td></td>
+    <td>0x0e8c</td>
    <td></td>
    <td>0x2d00</td>
    <td>0x2bb4</td>
@@ -243,6 +235,21 @@ tr:nth-child(even) {

 <br>

+<h2>3.03</h2>
+<p>
+  3.03 has a couple of additional tricks going on. There are no jump targets which lie within our controlled range from any buffer overflows, however the jump target 0x15ea540 is very close to the beginning of our IFO file contents (0x15ea620).
+</p>
+
+<p>
+  The memory between the jump target and the start of the IFO (0x15ea540 - 0x15ea620) is all zeroes, so that's just a NOP-sled. Then the IFO header "DVDVIDEO-VMG" turns out to decode to a conditional relative branch which not only happens to be taken, but also jumps to fully controlled contents later in the IFO:
+</p>
+
+<pre><code>bnel    s2,a0,pos_015FFF34</code></pre>
+
+<br>
+
+<br>
+
 <h2>Conflicts</h2>
 <p>
 	In order to merge 2 exploits into a single ISO there must be either: