Managed to get a ~6 MB memory dump from WebKit. If anyone wants a link to download, drop me a PM.
Edit:
A couple of people are asking how I dumped the memory; this is my code.
Note: if you dump an address and get a "please wait" screen, it's likely you've tried to read an invalid address.
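Code:
    // u32 and addr are globals that must already exist (see Edit2 below):
    // u32 is the array set up by the exploit, addr is the index to start reading from.
    function Dump()
    {
        try {
            // Copy 1024 32-bit words into a local buffer, advancing addr.
            var ar = new Uint32Array(1024);
            for (var i = 0; i < 1024; i++)
            {
                ar[i] = u32[addr++];
            }
            // Synchronous POST so chunks reach dump.php in order.
            var jcall = $.ajax({
                type: "POST",
                url: "dump.php",
                data: {d: JSON.stringify(ar)},
                async: false,
                success: function() {
                }
            });
        }
        catch(e) {
            alert("Error: " + e);
        }
        //alert(addr);
    }

    function btnDump()
    {
        // Keep dumping chunk after chunk.
        while(true)
        {
            Dump();
        }
    }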
And the dump.php file
Code:
    <?php
    $json = json_decode($_POST['d']);
    $write = '';
    for($i = 0; $i < $json->length; $i++) {
        $write .= pack('V', $json->{$i});
    }
    file_put_contents('upload/dump.bin', $write, FILE_APPEND);
    ?>
Edit2: It seems some people are having trouble running this. It's not some magic code that you can just copy and paste; you'll need to do some work.
You'll need to run the exploit first, obviously, to set up u32. Depending on where you place this code (I have the JavaScript at the end of my main vita.htm file), you'll also need to make u32 global so you can access it. You'll also need to set up a variable called addr so you can set the address to dump.
In order to run the exploit and then the dump, I have 2 buttons set up at the end of the page:
Code:
    <button style="width:100px;" onclick="btnClick();">Start</button>
    <button style="width:100px;" onclick="btnDump();">Dump</button>