From 74c87547d3e9832de48c58787ec8bb60c72de3dd Mon Sep 17 00:00:00 2001
From: CTurt <ecturt@gmail.com>
Date: Sat, 18 Jul 2020 23:27:01 +0100
Subject: [PATCH] 3.03

---
 index.html        |  2 ++
 portingnotes.html | 67 ++++++++++++++++++++++++++---------------------
 2 files changed, 39 insertions(+), 30 deletions(-)

diff --git a/index.html b/index.html
index f467e83..0c44c85 100644
--- a/index.html
+++ b/index.html
@@ -3,6 +3,8 @@
 <ul>
 <li>
 	<a href="https://cturt.github.io/freedvdboot.html">Technical writeup for initial exploit of firmware 3.10</a>
+</li>
+<li>
 	<a href="portingnotes.html">Notes on reverse engineering and exploiting different DVD player firmwares</a>
 </li>
 </ul>
diff --git a/portingnotes.html b/portingnotes.html
index d6988cd..7107b80 100644
--- a/portingnotes.html
+++ b/portingnotes.html
@@ -40,7 +40,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>getDiscData</th>
-    <td></td>
+    <td>0x243438</td>
     <td>0x23e150</td>
     <td>0x23e138</td>
     <td>0x25c9f0</td>
@@ -48,7 +48,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>getDiscByte</th>
-    <td></td>
+    <td>0x243368</td>
     <td></td>
     <td>0x23e068</td>
     <td>0x25c920</td>
@@ -56,7 +56,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>currentDiscBytePointer</th>
-    <td></td>
+    <td>0x15f42a4</td>
     <td></td>
     <td>0x16ceee4</td>
     <td>0x1411fe4</td>
@@ -64,7 +64,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>endDiscBytePointer</th>
-    <td></td>
+    <td>0x15f42a8</td>
     <td></td>
     <td>0x16ceee8</td>
     <td>0x1411fe8</td>
@@ -72,7 +72,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>0xff * 3 * 8 overflow</th>
-    <td></td>
+    <td>0x241d0c</td>
     <td></td>
     <td>0x23cb04</td>
     <td>0x25b3bc</td>
@@ -80,7 +80,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>fpIndex</th>
-    <td></td>
+    <td>0x15f4b0a</td>
     <td></td>
     <td>0x16cf74a</td>
     <td>0x141284a</td>
@@ -88,7 +88,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>fpArray</th>
-    <td></td>
+    <td>0x923d88</td>
     <td></td>
     <td>0x95ace8</td>
     <td>0x5b9d40</td>
@@ -96,7 +96,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>OOB call</th>
-    <td></td>
+    <td>0x0244E1C</td>
     <td></td>
     <td>0x23faac</td>
     <td>0x25e388</td>
@@ -104,7 +104,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>getBufferInternal</th>
-    <td></td>
+    <td>0x262360</td>
     <td></td>
     <td>0x261548</td>
     <td></td>
@@ -112,7 +112,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>pointToIFO</th>
-    <td></td>
+    <td>0x2432c8</td>
     <td></td>
     <td>0x23dfc8</td>
     <td></td>
@@ -128,7 +128,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>SifInitRpc</th>
-    <td></td>
+    <td>0x2082a0</td>
     <td></td>
     <td>0x208260</td>
     <td></td>
@@ -136,7 +136,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>SifExitRpc</th>
-    <td></td>
+    <td>0x208440</td>
     <td></td>
     <td>0x208400</td>
     <td></td>
@@ -144,7 +144,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>SifIopReset</th>
-    <td></td>
+    <td>0x291fb8</td>
     <td></td>
     <td>0x291358</td>
     <td></td>
@@ -152,7 +152,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>SifIopSync</th>
-    <td></td>
+    <td>0x292138</td>
     <td></td>
     <td>0x2914d8</td>
     <td></td>
@@ -163,7 +163,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>Destination of large copy</th>
-    <td></td>
+    <td>0x15ec890</td>
     <td></td>
     <td>0x16c8cd4</td>
     <td>0x140bdd4</td>
@@ -171,26 +171,18 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>Destination + max size</th>
-    <td></td>
+    <td>0x176C878</td>
     <td></td>
     <td>0x1848CBC</td>
     <td>0x158BDBC</td>
     <td>0x15B51B4</td>
   </tr>
-  <tr>
-    <th>Sector buffer (getDiscByteInternal)</th>
-    <td></td>
-    <td></td>
-    <td>0x16cad40</td>
-    <td>0x140de40</td>
-    <td></td>
-  </tr>
   <tr>
   	<th style="text-align: center" colspan="6">Exploit values</th>
   </tr>
   <tr>
     <th>currentDiscBytePointer value at overwrite</th>
-    <td></td>
+    <td>0x015f1008</td>
     <td></td>
     <td>0x016ce444</td>
     <td>0x01411544</td>
@@ -198,7 +190,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>Jump target</th>
-    <td></td>
+    <td>0x15ea540</td>
     <td></td>
     <td>0x01800180</td>
     <td>0x01500014</td>
@@ -206,7 +198,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
     <th>Address of jump target</th>
-    <td></td>
+    <td>0x928D24</td>
     <td></td>
     <td>0x95CF40</td>
     <td>0x5f1f38</td>
@@ -217,7 +209,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
   	<th>currentDiscBytePointer</th>
-    <td></td>
+    <td>0x1c6c</td>
     <td></td>
     <td>0x2744</td>
     <td>0x2744</td>
@@ -225,7 +217,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
   	<th>fpIndex</th>
-    <td></td>
+    <td>0x24D2</td>
     <td></td>
     <td></td>
     <td></td>
@@ -233,7 +225,7 @@ tr:nth-child(even) {
   </tr>
   <tr>
   	<th>Payload</th>
-    <td></td>
+    <td>0x0e8c</td>
     <td></td>
     <td>0x2d00</td>
     <td>0x2bb4</td>
@@ -243,6 +235,21 @@ tr:nth-child(even) {
 
 <br>
 
+<h2>3.03</h2>
+<p>
+  3.03 has a couple of additional tricks going on. There are no jump targets which lie within our controlled range from any buffer overflows, however the jump target 0x15ea540 is very close to the beginning of our IFO file contents (0x15ea620).
+</p>
+
+<p>
+  The memory between the jump target and the start of the IFO (0x15ea540 - 0x15ea620) is all zeroes, so that's just a NOP-sled. Then the IFO header "DVDVIDEO-VMG" turns out to decode to a conditional relative branch which not only happens to be taken, but also jumps to fully controlled contents later in the IFO:
+</p>
+
+<pre><code>bnel    s2,a0,pos_015FFF34</code></pre>
+
+<br>
+
+<br>
+
 <h2>Conflicts</h2>
 <p>
 	In order to merge 2 exploits into a single ISO there must be either: