How many kexploits have been published? 4 or more?

[jigsaw]

Advertising

Of course there are many kexploits that are not released. But let's review those published ones.

Starting from ChickHEN, we have so far 4 kexploits published:

1. 503 - psheet
2. 620 - power
3. 639 - httpstorage
4. 660 - ifhandler

Since I started PSP coding quite late (620), so I'm not so aware of the history.

Thus the question: Is there any kexploits published before 503?

[FrEdDy]

Advertising

Of course.
http://hitmen.c02.at/files/yapspd/psp_doc/chap29.html#sec29.4
There was one for 5.02 too (not released iirc), these 2 are just the earliest ones.

[jigsaw]

Of course.
http://hitmen.c02.at/files/yapspd/psp_doc/chap29.html#sec29.4
There was one for 5.02 too (not released iirc), these 2 are just the earliest ones.

ok...so only 6 are published?

i'd thought there were a dozen when i saw the long list of CFWs.
i was thinking reviewing all of them, but now it's pointless coz all have been explained in details.


EDIT:

my bad. i didn't scroll down that page.

[Coldbird]

Thats easily explained really because back in 1.X times there was no real need for kernel exploits... the firmware didn't really protect itself against handcrafted kernel modules...
They simply... worked... more or less.

[The Z]

Of course there are many kexploits that are not released. But let's review those published ones.

Starting from ChickHEN, we have so far 4 kexploits published:

1. 503 - psheet
2. 620 - power
3. 639 - httpstorage
4. 660 - ifhandler

Since I started PSP coding quite late (620), so I'm not so aware of the history.

Thus the question: Is there any kexploits published before 503?

Wasnt there one kxploit for every downgrader? So there would be some kxploits for downgrading from 2.00 -> 1.50, from 2.50/2.60 -> 2.00/1.50 (afaik had this been the GTA LCS exploit, which had been closed from 2.80 - 2.82, but reopened in 3.0x), and 3.50 (lumines).

So it would be 9 kxploits:

1. 2.00/2.01 - tiff exploit
2. 2.50/2.60/3.0x - gta lcs exploit
3. 2.71 - kxploit (hen, downgrader)
4. 3.50 - lumines exploit
5. 5.02 - gripshift exploit
6. 5.03 - tiff exploit
7. 6.20 - power exploit
8. 639 - httpstorage exploit
9. 660 - ifhandler exploit

[jigsaw]

@Z tiff, gta, etc. are just user level exploits.

[Davee]

@Z tiff, gta, etc. are just user level exploits.

I think he means the associated kernel level exploits.

basically though, from what I've seen:

• kernel flagged ELF - 1.00
• swaptrick/kxploit - 1.50
• Reused index.dat key - 2.00/2.01
• loadexec buffer overflow - 2.50/2.60 (2.71?)
• Registry error store 2.80 + ?
• service mode - 3.52+
• psheet - 5.03
• ifhandle - 5.70
• utility/power - 6.10/6.20
• http storage - 6.39
• ifhandle - 6.60

Thats a basic list off the top of my head of public exploits. There are a bunch that are patched, such as the GEN/M33 contested wlan exploit which exists upto 5.50 and such. I've been working on compiling a list of the previous exploits as a learning resource so if you need to know any details on an exploit, feel free to ask.

[jigsaw]

@Z tiff, gta, etc. are just user level exploits.

I think he means the associated kernel level exploits.

basically though, from what I've seen:

• kernel flagged ELF - 1.00
• swaptrick/kxploit - 1.50
• Reused index.dat key - 2.00/2.01
• loadexec buffer overflow - 2.50/2.60 (2.71?)
• Registry error store 2.80 + ?
• service mode - 3.52+
• psheet - 5.03
• ifhandle - 5.70
• utility/power - 6.10/6.20
• http storage - 6.39
• ifhandle - 6.60

Thats a basic list off the top of my head of public exploits. There are a bunch that are patched, such as the GEN/M33 contested wlan exploit which exists upto 5.50 and such. I've been working on compiling a list of the previous exploits as a learning resource so if you need to know any details on an exploit, feel free to ask.

That would be GREAT. AFAICT, kexploits from 503 and later have already been explained in depth by Freddy, Davee and some1.
But I can't find src code or explanation to the older ones. (older than 503).

[FrEdDy]

@Z tiff, gta, etc. are just user level exploits.

I think he means the associated kernel level exploits.

basically though, from what I've seen:

• kernel flagged ELF - 1.00
• swaptrick/kxploit - 1.50
• Reused index.dat key - 2.00/2.01
• loadexec buffer overflow - 2.50/2.60 (2.71?)
• Registry error store 2.80 + ?
• service mode - 3.52+
• psheet - 5.03
• ifhandle - 5.70
• utility/power - 6.10/6.20
• http storage - 6.39
• ifhandle - 6.60

Thats a basic list off the top of my head of public exploits. There are a bunch that are patched, such as the GEN/M33 contested wlan exploit which exists upto 5.50 and such. I've been working on compiling a list of the previous exploits as a learning resource so if you need to know any details on an exploit, feel free to ask.

That would be GREAT. AFAICT, kexploits from 503 and later have already been explained in depth by Freddy, Davee and some1.
But I can't find src code or explanation to the older ones. (older than 503).

I know about the loadexec buffer overflow, since the fix in loadexec is "evident", just a quick explanation:
There was one subroutine that took a path as an argument, it looked for the character ":" in that path, and calculated the lenght of the drive name from that (e.g. "ms0:"), it then copied the drive name onto the stack with strncpy, using the calculated lenght, you can guess how it was exploited, can't you?
In later firmwares, loadexec checks if the drive name is longer than 0x1F bytes, if it is, it gives an error.
Look at sub_21E0 (taken from 6.60 loadexec_01g) and you'll see
Service mode exploit was explained by SilverSpring here
I don't know about the others, except for the swap/kxploit that involved either swapping memory stick after loading a valid ELF with one that contained an unsigned one (I believe) or using the path hack.

[Yoti]

I've been working on compiling a list of the previous exploits as a learning resource so if you need to know any details on an exploit, feel free to ask.

May you post a sample (hello k-world) for 5.03/psheet?