
PSVita Webkit exploit for 2.60 PoC

Akabane87
Posts: 35
Joined: Fri Feb 11, 2011 12:51 pm
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by Akabane87 »

Archaemic wrote: Yeah, there are a handful of modules floating around below 0x82000000 that I dumped a while ago. I guess their location can change though.

As for memory mapping, the Vita most definitely has virtual memory mapping, pretty much by necessity. The Vita's OS is built off of FreeBSD and the hardware has an MMU, so it'd be practically impossible for it to not have virtual memory mapping :P

FWIW, the PSP did NOT have an MMU and everything was physical memory addressing, but it still had memory protection on kernel addresses and unmapped regions of the address space, so reading from some memory would still cause an abort. Just because it has a 4 GiB address space doesn't mean the whole thing is filled. ;)
Ok. And what about other processes' memory? Is there any protection on it? Suppose you start a game, come back to the desktop and start the web browser with the exploit, and try to read the memory region containing the game (randomly, to try to find it). Will there be other protection preventing you from doing this?
endrift
Guru
Posts: 42
Joined: Mon Feb 27, 2012 10:43 pm
Location: California
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by endrift »

Yes, that's half the point of virtual memory. Each process can only see its own memory; the kernel is the only portion of the OS that can see the whole set of physical memory. The address you see in a process is just an arbitrary mapping passed down from the kernel; it (usually) has no actual relation to where in physical memory those pages reside.
Akabane87
Posts: 35
Joined: Fri Feb 11, 2011 12:51 pm
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by Akabane87 »

Erf, exactly what I feared with virtual memory stuff...
Netrix
Posts: 82
Joined: Thu Jun 27, 2013 3:45 am

Re: PSVita Webkit exploit for 2.60 PoC

Post by Netrix »

Archaemic wrote: Yeah, I have a ~7.9MB dump starting at 0x81B00000 that's the bulk of WebCore. It's from 3.01 though.

Also of note: kernel interfaces start somewhere above 0xE0000000. I have some small dumps from 0xE0001000 and 0xE0006000, but again on 3.01. I haven't poked at 3.18 at all.

E] SceLibKernel starts at 0xE0001000, it seems.

E2] For those curious, the Vita DOES use WebKit2, hence why crashing the web page doesn't take down the whole browser. There's a process separation model, so the actual process running the web page is a different process than the GUI. This'll probably wrinkle some things, but that's kind of the point. More info on WK2 is on this pretty out-of-date page: https://trac.webkit.org/wiki/WebKit2
Yeah, it also explains why every time the web page crashes, the memory mapping is different and everything has to be resolved again (i.e. it's actually an entirely new process).
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by yifanlu »

Archaemic wrote: Yeah, I have a ~7.9MB dump starting at 0x81B00000 that's the bulk of WebCore. It's from 3.01 though.

Also of note: kernel interfaces start somewhere above 0xE0000000. I have some small dumps from 0xE0001000 and 0xE0006000, but again on 3.01. I haven't poked at 3.18 at all.

E] SceLibKernel starts at 0xE0001000, it seems.

E2] For those curious, the Vita DOES use WebKit2, hence why crashing the web page doesn't take down the whole browser. There's a process separation model, so the actual process running the web page is a different process than the GUI. This'll probably wrinkle some things, but that's kind of the point. More info on WK2 is on this pretty out-of-date page: https://trac.webkit.org/wiki/WebKit2
I don't think it's WebKit2, but the Vita does use process sandboxing. SceWebBrowser (NPXS10003) is the browser app (defining the GUI, menus, etc.) and SceWebCore (NPXS10017) is the WebKit renderer process. In fact, other system apps that use WebKit (email, maps, etc.) also invoke SceWebCore to do the rendering. Although WebKit is the renderer, most of the rest of the components are Sony-made. They like using heavy metals as their library names. SceWebCore has the 0x8000 auth id flag set, which isn't set for any other vs0 eboots. This is likely the flag for limited system access.
josh_axey
Retired Mod
Posts: 266
Joined: Sun Oct 07, 2012 10:14 pm
Location: /dev/null
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by josh_axey »

yifanlu wrote: ...In fact, other system apps that use WebKit (email, maps, etc.) also invoke SceWebCore to do the rendering...
Not like anyone doubts Yifan, but I can back that info up.
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by yifanlu »

josh_axey wrote:
yifanlu wrote: ...In fact, other system apps that use WebKit (email, maps, etc.) also invoke SceWebCore to do the rendering...
Not like anyone doubts Yifan, but I can back that info up.
I think we have the same source though, unless you independently verified.
josh_axey
Retired Mod
Posts: 266
Joined: Sun Oct 07, 2012 10:14 pm
Location: /dev/null
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by josh_axey »

yifanlu wrote:
josh_axey wrote:
yifanlu wrote: ...In fact, other system apps that use WebKit (email, maps, etc.) also invoke SceWebCore to do the rendering...
Not like anyone doubts Yifan, but I can back that info up.
I think we have the same source though, unless you independently verified.
Yeah, independently verified.
endrift
Guru
Posts: 42
Joined: Mon Feb 27, 2012 10:43 pm
Location: California
Contact:

Re: PSVita Webkit exploit for 2.60 PoC

Post by endrift »

I'm... pretty sure I had evidence that they were using WK2, but I don't recall what it was since this was back in March :lol:

Ah yes, here we go... Source/WebKit2 has Manx code, and afaict Manx is the codename for part of the Vita, given that it's copyright 2012 SCEI.