Advertising (This ad goes away for registered users. You can Login or Register)

Kernel Exploit Hen Question

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Kernel Exploit Hen Question

Post by thecobra » Sun May 06, 2012 4:25 pm

Hi Everyone,

I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.


Thank you.
Advertising
Image
Cheap & Fast VPS Server from DigitalOcean
PSVita 3.xx eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro

jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Kernel Exploit Hen Question

Post by jigsaw » Sun May 06, 2012 6:03 pm

thecobra wrote:Hi Everyone,

I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.


Thank you.
Make a PoC first, once u find it. The PoC is as simple as reading from 0x88000000.
Then port it to procfw. That's all.
Advertising

User avatar
Coldbird
Guru
Posts: 472
Joined: Sun Nov 14, 2010 12:33 am

Re: Kernel Exploit Hen Question

Post by Coldbird » Sun May 06, 2012 6:22 pm

jigsaw wrote:
thecobra wrote:Hi Everyone,

I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.


Thank you.
Make a PoC first, once u find it. The PoC is as simple as reading from 0x88000000.
Then port it to procfw. That's all.
+1. The first step is always dumping the kernel range memory.
For that you can check into procfw too, as there is a kernel dumper example code for kxploit creation in it that is enabled if you build with the DEBUG=1 flag.
Usually, dumping the kernel memory works like this... you create a kernel callback from your kxploit which gets executed in a kernel context, this piece of code clones the kernel memory range into the p2 user partition... and upon returning to user context, you dump the now p2 located kernel clone to a file via the sceIo functions.
Image
PSP N-1000 ✔ / 6.20 PRO NIGHTLY ✔ / PRO ONLINE ✔

thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: Kernel Exploit Hen Question

Post by thecobra » Sun May 06, 2012 6:36 pm

Coldbird wrote:
jigsaw wrote:
thecobra wrote:Hi Everyone,

I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.


Thank you.
Make a PoC first, once u find it. The PoC is as simple as reading from 0x88000000.
Then port it to procfw. That's all.
+1. The first step is always dumping the kernel range memory.
For that you can check into procfw too, as there is a kernel dumper example code for kxploit creation in it that is enabled if you build with the DEBUG=1 flag.
Usually, dumping the kernel memory works like this... you create a kernel callback from your kxploit which gets executed in a kernel context, this piece of code clones the kernel memory range into the p2 user partition... and upon returning to user context, you dump the now p2 located kernel clone to a file via the sceIo functions.
Thanks but i can't find the kernel dump in the Google procfw source code. I looking at the code and i see how he/she launches the installer and all of that but i can't find the simple dumper. :(
Image
Cheap & Fast VPS Server from DigitalOcean
PSVita 3.xx eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro

thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: Kernel Exploit Hen Question

Post by thecobra » Sun May 06, 2012 6:53 pm

I found this in the vHBL codes:

Code: Select all

// Dumps kmem
void get_kmem_dump()
{
	SceUID dump_fd;
	
	dump_fd = sceIoOpen(KDUMP_PATH, PSP_O_CREAT | PSP_O_WRONLY, 0777);

	if (dump_fd >= 0)
	{
		sceIoWrite(dump_fd, (void*) 0x08000000, (unsigned int)0x400000);
		sceIoClose(dump_fd);
	}
}
Is this what you guys referring to dumping the kernel memory?
Image
Cheap & Fast VPS Server from DigitalOcean
PSVita 3.xx eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro

jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Kernel Exploit Hen Question

Post by jigsaw » Sun May 06, 2012 7:05 pm

It doesn't have to be that "complicated".
As simple as:

Code: Select all

printf("%08x\n", *(u32 *) 0x88000000);
You should be able to call the code directly in the kernel callback. Otherwise the PoC fails.

thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: Kernel Exploit Hen Question

Post by thecobra » Sun May 06, 2012 7:23 pm

jigsaw wrote:It doesn't have to be that "complicated".
As simple as:

Code: Select all

printf("%08x\n", *(u32 *) 0x88000000);
You should be able to call the code directly in the kernel callback. Otherwise the PoC fails.
oh, the think is i did not want/can't yet print anything to the screen. I wanted to use the sceio function to write to a file and save it. I doing this in asm code Based of the Bin Loader. I got k1 = 0 which is good but right now trying to write to the memory stick fails it seems because it seem it was writing to it but when i open up the file there nothing there. Maybe sceioclose Fail? :(
Image
Cheap & Fast VPS Server from DigitalOcean
PSVita 3.xx eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro

jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Kernel Exploit Hen Question

Post by jigsaw » Sun May 06, 2012 7:51 pm

thecobra wrote:
jigsaw wrote:It doesn't have to be that "complicated".
As simple as:

Code: Select all

printf("%08x\n", *(u32 *) 0x88000000);
You should be able to call the code directly in the kernel callback. Otherwise the PoC fails.
oh, the think is i did not want/can't yet print anything to the screen. I wanted to use the sceio function to write to a file and save it. I doing this in asm code Based of the Bin Loader. I got k1 = 0 which is good but right now trying to write to the memory stick fails it seems because it seem it was writing to it but when i open up the file there nothing there. Maybe sceioclose Fail? :(
This is not usual - can't print to screen.
But there's another option.

Code: Select all

u32 kmem = -1U; // a global var

...
// in kernel callback
kmem = *(u32 *) 0x88000000;
...

// after return from syscall
printf("kmem=%08x\n", kmem); // should be sth. other than 0xffffffff


User avatar
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm
Contact:

Re: Kernel Exploit Hen Question

Post by FrEdDy » Sun May 06, 2012 8:29 pm

Another way, is writing to a kernel address and looking there with psplink, which is even easier.

Code: Select all

int kmode(void)
{
	_sw(0x12345678, 0x88000000);
	__asm__("break");
	return 0;
}
Of course, you need to be able to write to kernel memory first, not just a readonly exploit
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES

thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: Kernel Exploit Hen Question

Post by thecobra » Sun May 06, 2012 9:41 pm

OK Thanks guys. That help me verify i don't have kernel Access yet :(
Image
Cheap & Fast VPS Server from DigitalOcean
PSVita 3.xx eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro

Post Reply

Return to “Programming and Security”