Vita webkit hack: Codelion releases memtools_vita

wololo


48 Responses

  1. CodeLion says:

    The bulk of the server was written by someone who did not want credit for it, I added the automated parsing, reloading, some stability…

  2. AE says:

    What’s the “special python server”?

  3. SLynch says:

    Just to clear this up, the known and used webkit exploit basically grants user-mode code execution of the webkit modules? That is to say, we have to find a vulnerability with those modules to break out?

    • CodeLion says:

      Well, you’re close. It gives us the ability to read the entire webkit process ram, as well as execute ROP chains. There are a few things in the way of actual code running, but we’re getting there

  4. anonanon says:

    Not a developer, but couldn’t resist playing around with this a bit 😀

    Files hosted by wololo seem to be bad, get this when running serv.py
    Traceback (most recent call last):
    File “./serv.py”, line 15, in
    from progress.bar import Bar
    ImportError: No module named progress.bar

    Files on github run fine.

    • anonanon says:

      Probably a permission error or something but it doesn’t seem to be able to dump the files for me
      http://puu.sh/crqky/fca33d33aa.jpg

      Bed time for me, I’ll probably play around with it tomorrow and see

      • codelion says:

        I removed the code for the progress bar because it wasn’t necessary. I removed the import statement on the github copy. Create the dump folder in the main directory alongside inc, serv.py, etc. and it will dump correctly. The server should check if the folder exists but I haven’t added that yet

        • anonanon says:

          Oh my bad, I just assumed it’d create the folder itself.

          • codelion says:

            it really should, it just doesn’t… gotta fix that

          • anonanon says:

            Thanks, managed to dump
            SceHafnium.bin 270.3KB
            SceLibVitaJSExtObj.bin 20.5KB
            ScePsp2Compat.bin 5.5MB
            SceWebFiltering.bin 16.4KB
            SceWebKit.bin 7.0MB

            Using Autodump On 3.18. Might be over my head, but looks like this will be interesting to play with :3

          • wth says:

            @anonanon. lol. there is a file named SceLibVitaJSExtObj.bin ? you sure? that is one easter egg. haha

  5. theXmen says:

    Does this work on 3.30?

  6. codelion says:

    I removed the code for the progress bar because it wasn’t necessary. I removed the import statement on the github copy. Create the dump folder in the main directory alongside inc, serv.py, etc. and it will dump correctly. The server should check if the folder exists but I haven’t added that yet

  7. Akabane87 says:

    Not really the same usage, but I made a memory browser using the same base code (thanks to Davee’s code) that allows you to easily browse the vita’s webkit from the vita directly. Since the vita’s web browser is the worst browser ever created (can’t copy/paste things), I made it smart by allowing you to click on a memory value to auto-copy it into the region input (for easy pointer tracking).

    I share it only because it could spare a lot of time when debugging ROP.

    http://yosh.ovh/vita.htm
    (thanks to yosh for putting the files on its server)

    • lmao says:

      nope, you’re spreading misinformation. 3ds browser is worse than vita.

      • Akabane87 says:

        lol… I prefer not to imagine what it looks like ^^
        Any device with a touchscreen should at least allow users to copy/paste text in the web browser’s pages.

  8. Mat says:

    I guess it’s time for Sony to remove web browser, remember Linux on PS3. Hacking has consequences, I hope this thing is worth it.

    • nope says:

      That, or they can just update to a newer webkit version which patches this vulnerability…? You know, like they did?

      • CycloneFox says:

        They did. It’s standard procedure for any device. This exploit doesn’t work on firmware 3.30 anymore.

  9. solidsnake says:

    I am the End User!!

  10. OmarFahmy says:

    After finishing the installation of Python27 and capstone, I run the serv.py file; it opens then disappears..
    I wrote in the Python path:
    ”’
    chmod a+x serv.py
    ./serv.py
    ”’
    but after that it gives me ‘\nchmod a+x serv.py\n./serv.py\n’
    What might I be doing wrong?

  11. didIunderstandYouCorrectly says:

    No need to edit the python path, just make the file executable before running it, don’t run both commands together.

    1. chmod a+x serv.py
    If that doesn’t give any error then run
    2. ./serv.py

  12. lmao says:

    I wonder when the PSP3 is gonna be released?

  13. Twisted says:

    Is there a particular reason none of these modules appear to have any type of header?

    • Twisted says:

      On further inspection it appears memtools_vita is just dumping data from random offsets (not proper modules); not sure the signatures it’s searching for are reliable.

  14. abc says:

    Could you make a video about this tool step by step?

    • anonanon says:

      This really is not useful to us end users, and to be honest, if you’re not capable of installing python, executing a python script and reading a readme without a video tutorial, this isn’t for you and you should probably be staying away from tools like this

  15. shinbvk says:

    I have already installed python 2.7.6 32bit and capstone 2.1.2 for python27 32bit, but it just shows me a python.exe window without any input functions when I try to open serv.py

  16. kasami harami says:

    The million dollar question: When can we download games from TPB and play them on the vita? Everything else is irrelevant

  17. Memtools Vita 0.3.2 says:

    Traceback (most recent call last):
    File “./serv.py”, line 13, in
    from capstone import CS_MODE_THUMB, CS_MODE_ARM, Cs, CS_ARCH_ARM, CS_MODE_LITTLE_ENDIAN
    ImportError: No module named capstone