0. Introduction - What are stealth extensions

This document is made of 3 parts:
1. Definitions for using stealth extensions in your code:
2. Using cobra stealth:
3. The "new" cobra stealth code.


Cobra protects the syscall table.
It detects and blocks some changes; other changes it allows, but it logs them and keeps running.
The only way to really disable the "special" CFW syscalls is to do it from inside the cobra core itself.

Stealth extensions were designed to give cobra the possibility of hiding itself by making the lv2 syscalls (6, 7, 8, 9, 10, 11, 35 and 36) look as if they were disabled.
For this, a simple flag system was implemented.
Then, when the flag was raised, all those syscalls reported themselves as disabled.
This was done with the intent of possibly re-enabling CFW later without a reboot.
After a lot of testing and thinking, I've seen that this is not needed at all: after all, a reboot is a fast and easy thing to do :)

There was also special processing for syscall 8, in order to keep feeding the "old" cobra version spoofing method even with "disabled syscalls".
Unfortunately the dynamic cobra version spoofing from vsh memory stopped working for PSN connection after version 4.60.

All this said, I've decided to simplify cobra stealth extensions A LOT - in fact they should not be called stealth extensions any more, but rather "cobra internal syscall disabling" or something like that.
Either way, the simplification I've made is very easy to explain:
When syscall8 is called with op-code 0x3995, it overwrites all the CFW syscall entries (6, 7, 8, 9, 10, 11, 35 and 36) with the undefined-syscall handler taken from the syscall 0 entry.
This is very easy because cobra keeps the syscall table start address in a specific variable, and lv2 is mapped into standard memory (when running in the cobra core) without any protection at this level.
The code for this op-code is explained later, in part 3 of this document.

With the now simple syscall-disabling approach used in "stealth extensions", I feel there is no secret anymore and it doesn't need to be kept private.
You who now have access to it are free to use it in your own code or even release it to the public.

I strongly suggest that future CFW Cobra versions include these op-codes in the syscall 8 handler in main.c (keep reading).


It is in no way mandatory, but a reference to "KW" will be appreciated if you use these ideas in your code ;)


=========================================================================================================

1. Definitions for using stealth extensions in your code:

#define SYSCALL8_OPCODE_STEALTH_TEST			0x3993  // gets SYSCALL8_STEALTH_OK if Stealth extensions are installed
#define SYSCALL8_OPCODE_STEALTH_ACTIVATE		0x3995  // gets SYSCALL8_STEALTH_OK if Syscalls were disabled
#define SYSCALL8_STEALTH_OK					0x5555
  
// system_call_1() and return_to_user_prog() are the inline-asm syscall
// macros from the PS3 homebrew toolchain headers (they need <stdint.h>).
// Issues lv2 syscall 8 with a single argument (the op-code) and returns
// the 64-bit value the handler placed in r3.
static uint64_t call_syscall8(uint64_t func)
{
	system_call_1(8, func);
	return_to_user_prog(uint64_t);
}


// tests if cobra stealth extensions are installed,
// returns 1 if ok.
int test_cobra_stealth(void)
{
	return (call_syscall8(SYSCALL8_OPCODE_STEALTH_TEST) == SYSCALL8_STEALTH_OK);
}
		
		
// activates cobra stealth in cobra if there are stealth extensions
// returns 1 if ok.
int do_cobra_stealth(void)
{
	return (call_syscall8(SYSCALL8_OPCODE_STEALTH_ACTIVATE) == SYSCALL8_STEALTH_OK);
}


=========================================================================================================

2. Using cobra stealth:

if (test_cobra_stealth() )
{
	// stealth extensions are installed and running in this system !!!
}


if (do_cobra_stealth())
{
	// CFW was disabled by cobra core by using cobra stealth extensions !!!!!
}
	

========================================================================================================

	
3. The "new" cobra stealth code.

This code goes into the stage2 main.c syscall8 handler as 2 new op-codes.
You must understand what this means.
You must have the correct toolchain installed and be able to compile cobra's stage2.bin.
Failing to do so will soft-brick your PS3!
You should know how to solve a soft-brick before playing around with cobra code :)
If you don't understand this, stop reading!



a) Insert in the definition area of stage2 main.c:

/////////////////// KW BEGIN

#define COBRA_STEALTH

#ifdef COBRA_STEALTH
  #define SYSCALL8_OPCODE_STEALTH_TEST			0x3993  // gets SYSCALL8_STEALTH_OK if Stealth extensions are installed
  #define SYSCALL8_OPCODE_STEALTH_ACTIVATE		0x3995  // gets SYSCALL8_STEALTH_OK if Stealth extensions are activated and syscalls were properly disabled.
  #define SYSCALL8_STEALTH_OK					0x5555  // return OK value.
#endif

/////////////////// KW END


b) Insert inside the stage2 main.c syscall8 handler "LV2_SYSCALL2(int64_t, syscall8 ....", at the start of the switch(function):


	switch (function)
	{
		///////////// KW BEGIN //////////////
		case SYSCALL8_OPCODE_STEALTH_TEST:
			DPRINTF("SYSCALL_OPCODE_STEALTH_TEST\n");
			return SYSCALL8_STEALTH_OK;
		break;

		case SYSCALL8_OPCODE_STEALTH_ACTIVATE: // disables syscalls
		{
			// entry 0 of the table is the "not implemented" handler
			uint64_t syscall_not_impl = *(uint64_t *)MKA(syscall_table_symbol);
			DPRINTF("SYSCALL_OPCODE_STEALTH_ACTIVATE\n");
			DPRINTF("Syscall Table %llx, syscall_not_impl %llx\n",
			        (unsigned long long)MKA(syscall_table_symbol), (unsigned long long)syscall_not_impl);

			// poking syscall entries 6,7,8,9,10,11,35,36 (each entry is 8 bytes)
			*(uint64_t *)MKA(syscall_table_symbol + 8* 8) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8* 9) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8*10) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8*11) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8*35) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8*36) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8* 6) = syscall_not_impl;
			*(uint64_t *)MKA(syscall_table_symbol + 8* 7) = syscall_not_impl;
			return SYSCALL8_STEALTH_OK;
		}
		break;
		//////////// KW END ////////////////////////

		// ... (the remaining cases of the switch are unchanged)
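Since a mistake in the pokes above can only be observed on a soft-bricked console, the following host-side model (added here as an illustration, not part of the original document or of cobra's code) reproduces the same operation on a constructed table: an array of 64-bit handler addresses, entry 0 holding the undefined-syscall handler, the eight CFW entries holding distinct placeholder values. It applies the same "copy entry 0 over each CFW entry, at byte offset 8 * number" logic and then checks two things a reviewer of the patch would want: that all eight entries now resolve to the entry-0 handler, and that no other entry was touched. The handler addresses, table size and function names are all assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Host-side model of the lv2 syscall table: one 64-bit handler address per
 * syscall number. The size and the addresses below are constructed values. */
#define SYSCALL_TABLE_ENTRIES 1024

/* The eight entries the ACTIVATE op-code overwrites (from the document). */
static const unsigned cfw_syscalls[] = { 6, 7, 8, 9, 10, 11, 35, 36 };
#define CFW_SYSCALL_COUNT (sizeof cfw_syscalls / sizeof cfw_syscalls[0])

/* Constructed placeholder handler addresses (not real lv2 addresses). */
#define NOT_IMPL_HANDLER   0x8000000000001000ULL
#define LV2_HANDLER_BASE   0x8000000000100000ULL
#define COBRA_HANDLER_BASE 0x8000000000200000ULL

/* Build a table where entry 0 is the undefined-syscall handler, the CFW
 * entries point to "cobra" handlers and every other entry to an lv2 one. */
void build_table(uint64_t *table)
{
    for (size_t i = 0; i < SYSCALL_TABLE_ENTRIES; i++)
        table[i] = LV2_HANDLER_BASE + 0x100ULL * i;
    table[0] = NOT_IMPL_HANDLER;
    for (size_t k = 0; k < CFW_SYSCALL_COUNT; k++)
        table[cfw_syscalls[k]] = COBRA_HANDLER_BASE + 0x100ULL * cfw_syscalls[k];
}

/* Same operation as the SYSCALL8_OPCODE_STEALTH_ACTIVATE case: read the
 * entry-0 handler and store it over each CFW entry. The byte offset is
 * 8 * number, mirroring the MKA(syscall_table_symbol + 8*n) pokes. */
void stealth_activate(uint64_t *table)
{
    uint8_t *base = (uint8_t *)table;
    uint64_t not_impl = *(uint64_t *)base;      /* entry 0 */
    for (size_t k = 0; k < CFW_SYSCALL_COUNT; k++)
        *(uint64_t *)(base + 8 * cfw_syscalls[k]) = not_impl;
}

/* How many of the eight CFW entries currently resolve to the entry-0
 * handler: 8 means all disabled, 0 means all still live. */
size_t count_disabled(const uint64_t *table)
{
    size_t n = 0;
    for (size_t k = 0; k < CFW_SYSCALL_COUNT; k++)
        if (table[cfw_syscalls[k]] == table[0])
            n++;
    return n;
}

/* Number of entries outside the eight that differ from the reference
 * table; anything other than 0 means the patch had collateral effects. */
size_t count_collateral(const uint64_t *patched, const uint64_t *reference)
{
    size_t diffs = 0;
    for (size_t i = 0; i < SYSCALL_TABLE_ENTRIES; i++) {
        int is_cfw = 0;
        for (size_t k = 0; k < CFW_SYSCALL_COUNT; k++)
            if (cfw_syscalls[k] == i)
                is_cfw = 1;
        if (!is_cfw && patched[i] != reference[i])
            diffs++;
    }
    return diffs;
}

/* Runs the whole scenario; returns 0 on success or the failing step. */
int self_check(void)
{
    static uint64_t reference[SYSCALL_TABLE_ENTRIES];
    static uint64_t table[SYSCALL_TABLE_ENTRIES];
    build_table(reference);
    build_table(table);
    if (count_disabled(table) != 0) return 1;           /* all live before */
    stealth_activate(table);
    if (count_disabled(table) != CFW_SYSCALL_COUNT) return 2; /* all disabled */
    if (count_collateral(table, reference) != 0) return 3;    /* nothing else hit */
    if (table[8] != NOT_IMPL_HANDLER) return 4;         /* syscall 8 itself */
    return 0;
}

int main(void)
{
    printf("self_check: %d (0 = ok)\n", self_check());
    return 0;
}
```

The check in count_collateral is the one worth keeping around when the index list changes: an off-by-one in a poke offset shows up there as a non-zero count instead of as a console that no longer boots.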
	

Attached to this document is a main.c with this code injected and commented between the "KW BEGIN" and "KW END" comments.

That's it !
KW

