[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81907":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":14,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":9,"pushedAt":9,"updatedAt":25,"readmeContent":26,"aiSummary":27,"trendingCount":15,"starSnapshotCount":15,"syncStatus":28,"lastSyncTime":29,"discoverSource":30},81907,"ps5debug-NG","OpenSourcereR-dev\u002Fps5debug-NG","OpenSourcereR-dev","PS5 debugger payload — userland TCP wire-protocol server hosted inside SceShellCore. GPL-3.",null,"C",62,12,4,1,0,9,29,3,52.74,"GNU General Public License v3.0",false,"master",true,[],"2026-06-12 04:01:36","# ps5debug-NG\r\n\r\nA debugger payload for jailbroken PlayStation 5 consoles. Ships a userland\r\ncommand server that runs inside SceShellCore, letting remote clients inspect\r\nand manipulate running processes, the kernel itself, and the system UI over a\r\nsimple TCP protocol.\r\n\r\nps5debug-NG is inspired by Ctn's `ps5debug 1.0b5` and is wire-compatible with\r\nit - existing clients should work without modification. It is licensed under\r\nGPL-3.\r\n\r\nDiscord Server: [Team Reaper](https:\u002F\u002Fdiscord.gg\u002F7bjtgZf4PY)\r\n\r\n---\r\n\r\n## Supported firmwares\r\n\r\nThe kernel kpatch routine in [installer\u002Fsource\u002Fmain.c](installer\u002Fsource\u002Fmain.c)\r\nrecognises the following firmware families. 
Booting on an unsupported FW prints\r\n`port_outer: kpatch SKIP - unsupported FW magic 0x...` to the kernel log and\r\naborts cleanly.\r\n\r\n| Family             | Label in code              |\r\n|--------------------|----------------------------|\r\n| 3.xx               | `FW 3.x`                   |\r\n| 4.xx               | `FW 4.x`                   |\r\n| 5.xx               | `FW 5.x`                   |\r\n| 6.xx               | `FW 6.x`                   |\r\n| 7.xx               | `FW 7.x`                   |\r\n| 7.5x               | `FW 7.5x`                  |\r\n\r\nEach family covers several point releases - see the switch in\r\n[installer\u002Fsource\u002Fmain.c](installer\u002Fsource\u002Fmain.c) for the exact set of FW\r\nmagic values recognised per family. Clients can read the running FW with\r\n`CMD_FW_VERSION` (returns the kernel's raw FW magic word).\r\n\r\n---\r\n\r\n## Primary Features\r\n\r\n### Process inspection and manipulation\r\n- **Enumerate processes** (`p_comm` + pid list).\r\n- **Read and write target memory** in streamed chunks.\r\n- **List virtual memory maps** - ranges, protections, backing names.\r\n- **Query process metadata** - name, path, titleId, contentId.\r\n- **Identify the foreground app** (`0xBDDD0006`) - returns pid + titleid +\r\n  contentid + process name + the game's version, parsed server-side from the\r\n  title's `param.sfo`. Useful for clients that need to know what's currently\r\n  running without listing every process.\r\n- **Server-side stack walk** (`CMD_PROC_READ_STACK`) - the server walks the\r\n  RBP chain itself (up to 64 frames) and bundles each frame's saved-RBP,\r\n  return address, frame-local bytes, and a 200-byte code window around the\r\n  return address into one response. 
Clients avoid paying many TCP round-trips\r\n  per stack frame.\r\n- **Change memory protection** on arbitrary target regions.\r\n- **Allocate \u002F free \u002F hint-allocate** memory inside any target process.\r\n\r\n### In-target code execution\r\n- **Install an RPC stub** (`CMD_PROC_INSTALL`) - injects a reusable trampoline\r\n  with its own thread into the target.\r\n- **Call arbitrary functions** with up to six SysV ABI register arguments and\r\n  read back `rax` (`CMD_PROC_CALL`).\r\n- **Load ELFs** into a target process - either jump to the entry point\r\n  immediately (`CMD_PROC_ELF`) or return the entry for later invocation\r\n  (`CMD_PROC_ELF_RPC`).\r\n\r\n### Full userland debugger\r\n- **Attach** to a single target with `CMD_DEBUG_ATTACH` (sets up an async\r\n  interrupt channel back to the client).\r\n- **Software breakpoints** - up to **30** slots, transparent `0xCC` injection.\r\n- **Hardware watchpoints** - up to **4** DR0-DR3 slots with read \u002F write \u002F\r\n  read-write and 1\u002F2\u002F4\u002F8-byte granularity.\r\n- **Thread control** - list, suspend, resume, single-step, per-thread step.\r\n- **Full register access** - general-purpose, FPU + YMM, and debug registers.\r\n- **Continue \u002F stop \u002F halt** the whole process from one command.\r\n- **Asynchronous interrupt packets** delivered on a separate TCP connection so\r\n  the client never polls.\r\n\r\n### Kernel access\r\n- Get the **kernel base address**.\r\n- **Read** arbitrary kernel memory.\r\n- **Write** arbitrary kernel memory.\r\n\r\n### Built-in Zydis disassembler\r\nLarge memory regions never leave the PS5. 
Three server-side decoder commands\r\nkeep bandwidth low:\r\n- `CMD_PROC_DISASM_REGION` - packed 32-byte-per-instruction stream with\r\n  control-flow, memory-operand, and RIP-relative metadata.\r\n- `CMD_PROC_EXTRACT_CODE_XREFS` - all resolved RIP-relative branch\u002Fcall\r\n  targets in a region, deduplicated.\r\n- `CMD_PROC_FIND_XREFS_TO` - only instructions that reference a specific\r\n  target address.\r\n\r\n### Built-in Keystone assembler (x86-64)\r\nA cross-compiled LLVM-MC Keystone (x86-only, no exceptions \u002F no RTTI, static\r\n~4 MB) is embedded in the payload, exposed via the raw-literal opcode\r\n`0xBDAA0024`. Lets clients assemble asm text into machine code on the console\r\nitself.\r\n- Pure userspace - needs no attached process and no `CMD_PROC_AUTH` handshake.\r\n- Request: `u64 base_addr; u32 ks_opt_syntax;` + asm text (NUL not required).\r\n  `ks_opt_syntax` defaults to Intel; pass 1\u002F2\u002F4\u002F8\u002F0x10 for Intel\u002FATT\u002FNASM\u002FMASM\u002FGAS.\r\n- Response: `CMD_SUCCESS` + `u32 byte_len; u32 insn_count;` + machine bytes,\r\n  or `CMD_ERROR` + `u32 ks_errno; u32 msg_len;` + Keystone's human-readable error.\r\n- The opcode is deliberately a raw literal (no `CMD_*` macro) so the published\r\n  `CMD_*` set that some clients enumerate stays unchanged.\r\n\r\n### Memory scanning\r\n- **Value scan** (`CMD_PROC_SCAN`) - single-pass, 12 value types × 13 compare\r\n  modes (exact, fuzzy, bigger\u002Fsmaller, between, increased, decreased, changed,\r\n  etc.).\r\n- **Iterative scan session** (`SCAN_START` → `SCAN_COUNT` → `SCAN_GET`) - lets\r\n  clients narrow a result set server-side over many passes.\r\n- **AOB scan** (`CMD_PROC_SCAN_AOB`) - byte patterns with `??` wildcards.\r\n- **Multi-pattern AOB scan** (`CMD_PROC_SCAN_AOB_MULTI`) - many patterns in\r\n  one pass.\r\n- **Auth-gated** - scan commands require a prior `CMD_PROC_AUTH` handshake.\r\n\r\n### System UI integration\r\n- **Push notifications** to the user's screen with 
arbitrary UTF-8 text.\r\n- **Print** to the kernel console.\r\n- **Reboot** the console.\r\n\r\n### Klog forwarder\r\n- TCP **3232** streams the kernel log to a connected client (host-side\r\n  `klog reader` style). Survives suspend\u002Fresume the same as the main server.\r\n\r\n### Discovery\r\n- A UDP broadcast responder on port `1010` echoes a handshake magic\r\n  (`0xFFFFAAAA`) so clients can find the PS5 on the LAN without hard-coding\r\n  an IP.\r\n\r\n### Rest-mode support\r\n- The payload **survives suspend \u002F resume** without needing to be reloaded.\r\n  A supervisory loop polls the network periodically: when the console drops\r\n  into rest mode the server exits cleanly, and as soon as the network comes\r\n  back the server restarts and a fresh \"online\" notification fires.\r\n- Clients see a clean disconnect on port 744 when rest mode begins and can\r\n  simply reconnect after wake.\r\n\r\n### Performance-oriented design\r\n- Non-blocking sockets with `TCP_NODELAY`, `SO_KEEPALIVE`, large transfer\r\n  chunks.\r\n- Zydis amalgamation compiled at `-O3 -DNDEBUG` for maximum decode throughput.\r\n- Link-time dead stripping (`-ffunction-sections -fdata-sections\r\n  -Wl,--gc-sections`).\r\n- Interrupt packets streamed over a dedicated side channel to avoid blocking\r\n  the command loop.\r\n\r\n---\r\n\r\n## Architecture\r\n\r\nThe deployable artifact `ps5debug-NG.elf` is a two-component build:\r\n\r\n```\r\n┌──────────────────────────────────────────────────────────────┐\r\n│                       ps5debug-NG.elf                        │\r\n│                                                              │\r\n│   ┌───────────────────┐    injects   ┌───────────────────┐   │\r\n│   │   installer ELF   │─────────────▶│   debugger ELF    │   │\r\n│   │ (umtx-loaded PIE) │              │ (in SceShellCore) │   │\r\n│   └───────────────────┘              └────────┬──────────┘   │\r\n│                                               │              │\r\n│           
                   ┌────────────────▼─────────┐    │\r\n│                              │  - TCP server   :744     │    │\r\n│                              │  - debug async  :755     │    │\r\n│                              │  - klog forward :3232    │    │\r\n│                              │  - UDP bcast    :1010    │    │\r\n│                              └──────────────────────────┘    │\r\n└──────────────────────────────────────────────────────────────┘\r\n```\r\n\r\n- **installer** - umtx-loaded SDK PIE. Finds SceShellCore, sets up the\r\n  target's KEX state and syscall-origin filter, then calls the SCE-side\r\n  `inject_remote_thread_create` primitive to run the embedded debugger as\r\n  a SceShellCore-internal thread.\r\n- **debugger** - runs inside SceShellCore once injected. Implements the\r\n  wire protocol, breakpoints \u002F watchpoints \u002F single-step, memory scan, RPC,\r\n  and ELF inject. Built into `debugger\u002Fbuild\u002Fdebugger.elf`, then embedded as\r\n  a `.rodata` blob into the installer via `.incbin`.\r\n\r\nRunning the wire protocol from inside SceShellCore is what lets `PT_ATTACH`\r\non game pids look kernel-side like an SCE-originated debug attach, which\r\nPS5's AppContext gating allows. 
A standalone process doing `PT_ATTACH` gets\r\nthe game flagged and stops progressing.\r\n\r\n---\r\n\r\n## Network protocol at a glance\r\n\r\n| Port  | Proto | Direction      | Purpose                              |\r\n|-------|-------|----------------|--------------------------------------|\r\n| 744   | TCP   | client → PS5   | Command server                       |\r\n| 755   | TCP   | PS5 → client   | Async debug interrupts               |\r\n| 3232  | TCP   | PS5 → client   | Kernel log forwarder                 |\r\n| 1010  | UDP   | bidirectional  | Discovery beacon (`0xFFFFAAAA`)      |\r\n\r\nEvery command begins with a 12-byte header:\r\n\r\n```c\r\nstruct cmd_packet {\r\n    uint32_t magic;      \u002F\u002F 0xFFAABBCC\r\n    uint32_t cmd;        \u002F\u002F 0xBDAA..., 0xBDBB..., 0xBDCC..., 0xBDDD...\r\n    uint32_t datalen;    \u002F\u002F length of request body that follows\r\n};\r\n```\r\n\r\nFollowed by the command's fixed request struct (if any), any trailing\r\nvariable-length payload, and a `uint32_t` status code reply.\r\n\r\n**Note on status words.** The status `uint32_t` on PS5 is transmitted with\r\nits bit pairs swapped (`net_send_int32` swaps even\u002Fodd-bit positions). Clients\r\nmust un-bitswap incoming status values before comparing to `CMD_SUCCESS` \u002F\r\n`CMD_ERROR` \u002F `CMD_DATA_NULL` \u002F `CMD_ALREADY_DEBUG`. 
Subsequent payload bytes\r\nare sent raw.\r\n\r\n**Full protocol specification:** [PROTOCOL.md](PROTOCOL.md) - every command,\r\nevery packet struct, every enum, every status code, with `file:line`\r\ncitations.\r\n\r\n---\r\n\r\n## Command coverage\r\n\r\n| Namespace     | Count | Examples                                                   |\r\n|---------------|-------|------------------------------------------------------------|\r\n| Info \u002F ping   | 5     | `VERSION`, `FW_VERSION`, `BRANDING`, `PLATFORM_ID`, `NOP`  |\r\n| Process       | 26    | `READ`, `WRITE`, `MAPS`, `CALL`, `SCAN_*`, `DISASM_*`      |\r\n| Debug         | 18    | `ATTACH`, `SET_BREAKPOINT`, `GETREGS`, `STEP`, `CONTINUE`  |\r\n| Kernel R\u002FW    | 3     | `KERN_BASE`, `KERN_READ`, `KERN_WRITE`                     |\r\n| Console       | 6     | `NOTIFY`, `PRINT`, `REBOOT`, `INFO`, `END`, `FOREGROUND_APP` |\r\n| **Total**     | **58**|                                                            |\r\n\r\n---\r\n\r\n## Building\r\n\r\nPrerequisites (Ubuntu \u002F Debian):\r\n\r\n```sh\r\nsudo apt install bash clang-18 lld-18\r\n```\r\n\r\nBuild:\r\n\r\n```sh\r\n.\u002Fbuild.sh\r\n```\r\n\r\nThis builds the SDK first (one-time, cached), then the debugger, then the\r\ninstaller (which embeds the debugger), then publishes `ps5debug-NG.elf` at\r\nthe top level. Subsequent runs only rebuild what changed.\r\n\r\nClean (including the SDK install):\r\n\r\n```sh\r\n.\u002Fbuild.sh clean\r\n```\r\n\r\n---\r\n\r\n## Deploying\r\n\r\n`ps5debug-NG.elf` is loaded onto the PS5 via a umtx-based ELF loader (e.g.\r\nelfldr from etaHEN-class loaders).\r\n\r\nYou should see a system notification confirming the payload is alive:\r\n\r\n```\r\nps5debug-NG by OSR v1.2.3 loaded!\r\nCoded by OpenSourcereR\r\nSpecial thanks to\r\ngolden, Ctn & SiSTRo! ♥\r\n```\r\n\r\n---\r\n\r\n## Writing your own client\r\n\r\nThe protocol is deliberately simple - a raw TCP client in any language can\r\ndrive it. 
Example: pinging the server and reading its branding string, in\r\nPython (don't forget the bit-pair swap on the status word):\r\n\r\n```python\r\nimport socket, struct\r\n\r\nPACKET_MAGIC = 0xFFAABBCC\r\nCMD_BRANDING = 0xBD000501\r\nCMD_SUCCESS  = 0x40000000\r\n\r\ndef bitswap32(x):\r\n    x &= 0xFFFFFFFF\r\n    return ((x \u003C\u003C 1) & 0xAAAAAAAA) | ((x >> 1) & 0x55555555)\r\n\r\ns = socket.create_connection((\"\u003CPS5_IP>\", 744))\r\ns.sendall(struct.pack(\"\u003CIII\", PACKET_MAGIC, CMD_BRANDING, 0))\r\n(status_raw,) = struct.unpack(\"\u003CI\", s.recv(4))\r\nassert bitswap32(status_raw) == CMD_SUCCESS\r\n(length,) = struct.unpack(\"\u003CI\", s.recv(4))\r\nprint(\"server branding:\", s.recv(length).decode())\r\n```\r\n\r\nSee [PROTOCOL.md](PROTOCOL.md) for the exact byte layout of every command,\r\nresponse, and async interrupt packet.\r\n\r\n---\r\n\r\n## Source layout\r\n\r\n```\r\n.\r\n├── build.sh                 # one-command full build\r\n│\r\n├── common\u002F                  # headers + sources shared by both components\r\n│   ├── include\u002F             # protocol.h, sdk_shim.h, net.h, proc.h, ...\r\n│   └── source\u002F\r\n│\r\n├── debugger\u002F                # in-SceShellCore wire-protocol debugger\r\n│   ├── Makefile  source\u002F  include\u002F\r\n│   └── third_party\u002F         # Zydis (decoder) + Keystone (assembler)\r\n│\r\n├── installer\u002F               # umtx-loaded SceShellCore installer\r\n│   ├── Makefile  source\u002F\r\n│   └── source\u002Fembedded_inner.S   # embeds debugger.elf via .incbin\r\n│\r\n├── ps5-payload-sdk\u002F         # vendored John Törnblom SDK\r\n└── third_party\u002F             # keystone-0.9.2 full source (for rebuilds)\r\n```\r\n\r\nThree source files (`kern_rw_fast.c`, `proc_elf.c`, `proc_remote.c`) and\r\n`main.c` exist in **both** `debugger\u002Fsource\u002F` and `installer\u002Fsource\u002F` because\r\nthey genuinely diverge between the two builds - same code specialized for\r\neach component's 
role.\r\n\r\n---\r\n\r\n## SDK pin\r\n\r\nThe vendored SDK is **ps5-payload-sdk v0.38** (commit\r\n`6ae1470fd50c5791e8a8bb728627e657e36eb55a`, dated 2026-04-02). Upstream:\r\nhttps:\u002F\u002Fgithub.com\u002Fps5-payload-dev\u002Fsdk\r\n\r\nTo upgrade the SDK:\r\n\r\n```sh\r\n.\u002Fbuild.sh clean\r\nrm -rf ps5-payload-sdk\r\ncurl -fsSL https:\u002F\u002Fgithub.com\u002Fps5-payload-dev\u002Fsdk\u002Farchive\u002Frefs\u002Ftags\u002F\u003CTAG>.tar.gz \\\r\n  | tar xz -C \u002Ftmp\r\nmv \u002Ftmp\u002Fsdk-\u003CTAG_WITHOUT_v> ps5-payload-sdk\r\n.\u002Fbuild.sh\r\n```\r\n\r\n---\r\n\r\n## Credits\r\n\r\n- **jogolden** - original public `ps4debug` and the wire protocol this project\r\n  indirectly inherits.\r\n- **Ctn & SiSTRo** - `ps5debug` authors; this project is wire-compatible with\r\n  their implementation.\r\n- **DeathRGH** - Frame4 author. Inspiration.\r\n- **John Törnblom** - `ps5-payload-sdk`, the vendored SDK \u002F toolchain.\r\n- **Zydis** - x86 disassembler used in decoder-only mode (`ZYAN_NO_LIBC`,\r\n  `-DNDEBUG`). 
Third-party, unmodified; MIT-licensed.\r\n- **Keystone** - LLVM-MC-based assembler; cross-compiled here for the PS5\r\n  payload (x86-only, `-fno-exceptions -fno-rtti`, static).\r\n- **OSR** (OpenSourcereR) - author.\r\n\r\n---\r\n\r\n## License\r\n\r\nLicensed under the **GNU General Public License v3.0** - see [LICENSE.txt](LICENSE.txt)\r\nfor the full text.\r\n\r\nIn short:\r\n- You may use, study, modify, and redistribute this software freely.\r\n- If you distribute a modified binary, you **must** also make the complete\r\n  corresponding source code available under the same license.\r\n- The software is provided **without warranty** of any kind.\r\n","ps5debug-NG is a debugging tool for jailbroken PlayStation 5 consoles. It runs a userland command server inside SceShellCore, letting remote clients inspect and manipulate running processes, the kernel, and the system UI over a simple TCP protocol. The project is written in C, supports multiple PS5 firmware versions, and is compatible with Ctn's `ps5debug 1.0b5`. Its main features include process enumeration and memory read\u002Fwrite, virtual memory map listing, process metadata queries, foreground app identification, stack tracing, memory protection changes, and memory allocation. It also supports installing an RPC stub in a target process, calling arbitrary functions, and loading ELF files. It is aimed at researchers and technical enthusiasts who need to debug and develop on the PS5 in depth.",2,"2026-06-11 04:07:10","CREATED_QUERY"]