
CodeLion POC (works on 3.18)

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: CodeLion POC (works on 3.18)

Post by yifanlu »

gnubaver wrote:
josh_axey wrote:We're an incredibly long way out from native modified/custom firmware. Let's not misrepresent things in this thread.
Are we talking years?
I'm hoping that hacking isn't linear but if we look at the two data points we have:
2012: Vita releases
2013: Userland memory dump
2014: First public userland hack
...
Milestones before "CFW"
-System userland hack (less limitations in apps like CMA)
-Kernel hack
-Secure kernel hack
-Boot loader hack
-Custom firmware (?)
Bmakk205
Posts: 50
Joined: Tue Sep 28, 2010 12:12 pm

Re: CodeLion POC (works on 3.18)

Post by Bmakk205 »

So what can come out of this native Vita hack?
Acid_Snake
Retired Mod
Posts: 3100
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: CodeLion POC (works on 3.18)

Post by Acid_Snake »

Bmakk205 wrote:So what can come out of this native Vita hack?
Being able to run some code via ROP, and most importantly, being able to dump modules and libraries to further analyze.
cormaltes
Posts: 65
Joined: Wed Jan 08, 2014 11:13 am

Re: CodeLion POC (works on 3.18)

Post by cormaltes »

....
Last edited by cormaltes on Mon Nov 03, 2014 5:30 pm, edited 3 times in total.
lightrays
Posts: 1
Joined: Sun Apr 21, 2013 8:40 pm

Re: CodeLion POC Technical Question

Post by lightrays »

Can I ask something silly? What's the point of using netcat here? If I put this on my own server, php is server side and I'm sending the log via POST requests, so essentially I'm netcat'ing from localhost to localhost. Why not just fopen() a file with write access in append mode?

Also, I merged bits of this POC with Davee's and modified it to do a RAM dump from u32[0x0 - 0xffffffff]. It keeps dropping internet during early memory reads - I'm losing more bytes than I'd like. Any ideas to make it more reliable? (Although, admittedly, I have no clue what to do with a RAM dump besides search for identifiable data)
josh_axey
Retired Mod
Posts: 266
Joined: Sun Oct 07, 2012 10:14 pm
Location: /dev/null

Re: CodeLion POC (works on 3.18)

Post by josh_axey »

I have just cleaned up off-topic posts and posts below the threshold of relevance for these topics.

Please stay on topic and contribute only useful information and questions, lest we lose interesting anecdotes in a sea of google-able content.
Catch me: on Twitter | on GitHub | Rambling
【・ヘ・?】0b00000101
durpflip
Posts: 83
Joined: Sat Jan 25, 2014 5:39 pm
Location: canhurrdurr

Re: CodeLion POC (works on 3.18)

Post by durpflip »

Pardon my ignorance, but would it be possible to load a CFW, i.e. uOFW or UVL, with all of the Vita's resources on the memcard (transferred with OpenCMA/QCMA) via ROP? Or is ROP limited to read-only?
devices ;
m$ surface pro
samsung note 3 (hltecan) 32GB,CM12
iphone 4S 32GB
dell XPS 8500,12GB DDR3,core i7-3770,GTX 750 ti 2GB
HTPC custom,AMD 5150,4GB DDR3,GT 620 1GB
alienware m17x r4,core i7-3610QM,8GB DDR3,GTX 660M 2GB
rumblpak
Posts: 5
Joined: Fri Jun 21, 2013 2:49 pm

Re: CodeLion POC (works on 3.18)

Post by rumblpak »

durpflip wrote:Pardon my ignorance, but would it be possible to load a CFW, i.e. uOFW or UVL, with all of the Vita's resources on the memcard (transferred with OpenCMA/QCMA) via ROP? Or is ROP limited to read-only?
ROP allows devs to easily execute code in usermode. Another example of this is the recently released exploit for Wii U. In order to do things like a CFW we'd need a kernel mode exploit beyond what we already have. From here though it is possible to dump memory after code is run so we can potentially find out much more than we previously could.
twisted
Posts: 7
Joined: Mon Mar 05, 2012 4:43 pm

Re: CodeLion POC (works on 3.18)

Post by twisted »

Managed to get a ~6 MB memory dump from WebKit; if anyone wants a link to download it, drop me a PM.

Edit:

A couple of people are asking how I dumped the memory; this is my code.

Note: if you dump an address and get a please-wait screen, it's likely you've tried to read an invalid address.

Code:

function Dump()
{
	try {
		// Read 1024 consecutive 32-bit words through the u32 read primitive
		// that the exploit sets up. addr is a global word index that persists
		// between calls, so each call continues where the previous one stopped.
		var ar = new Uint32Array(1024);
		for (var i = 0; i < 1024; i++)
		{
			ar[i] = u32[addr++];
		}
		// Ship the chunk to dump.php synchronously so chunks arrive in order.
		var jcall = $.ajax({
			type: "POST",
			url: "dump.php",
			data: {d: JSON.stringify(ar)},
			async: false,
			success: function() {
			}
		});
	}
	catch(e) {
		alert("Error: " + e);
	}
	//alert(addr);
}
function btnDump()
{
	// Keeps dumping chunk after chunk until the page dies or a read hits an
	// invalid address.
	while(true)
	{
		Dump();
	}
}
And the dump.php file

Code:

<?php
	// Each request carries one chunk of words, JSON-encoded by the browser;
	// append it to the growing dump file as raw little-endian bytes.
	if (!isset($_POST['d'])) {
		http_response_code(400);
		exit;
	}
	$json = json_decode($_POST['d']);
	$write = '';
	// Relies on the decoded chunk exposing a length member and the words
	// being addressable as numeric-keyed members (0, 1, 2, ...).
	for ($i = 0; $i < $json->length; $i++) {
		// 'V' = unsigned 32-bit, little-endian, matching the ARM memory byte order
		$write .= pack('V', $json->{$i});
	}

	file_put_contents('upload/dump.bin', $write, FILE_APPEND);
?>

Edit2: It seems some people are having trouble running this. It's not some magic code that you can just copy and paste; you'll need to do some work.
You'll need to run the exploit first, obviously, to set up u32. Depending on where you place this code (I have the JavaScript at the end of my main vita.htm file), you'll also need to make u32 global so you can access it. You'll also need to set up a variable called addr so you can set the address to dump.
In order to run the exploit and then the dump, I have two buttons set up at the end of the page:

Code:

<button style="width:100px;" onclick="btnClick();">Start</button>
<button style="width:100px;" onclick="btnDump();">Dump</button>
Last edited by twisted on Fri Oct 24, 2014 8:07 am, edited 3 times in total.
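The chunk format that the two snippets above exchange, decoded the way dump.php does it, as an added example that is not twisted's code. It accepts both a plain-array chunk and the object-with-numeric-keys shape that JSON.stringify produces for a Uint32Array in current engines (no "length" member is serialised there, so a loop bounded by $json->length would append nothing), and it refuses a chunk with a missing word instead of silently shifting every later address. The sample words are constructed and run under Node.js.

```javascript
// Added example: decode one dump chunk (the JSON the browser POSTs) into the
// little-endian bytes that dump.php appends to dump.bin.

// Recover the ordered list of 32-bit words from a chunk payload.
// JSON.stringify(new Uint32Array([...])) yields {"0":..,"1":..} with no
// "length", while a plain array stringifies as [..]; accept both shapes.
function chunkToWords(payload) {
  var obj = JSON.parse(payload);
  if (Array.isArray(obj)) {
    return obj.map(function (w) { return w >>> 0; });
  }
  var indices = Object.keys(obj)
    .filter(function (k) { return /^\d+$/.test(k); })
    .map(Number)
    .sort(function (a, b) { return a - b; });
  // A gap in the indices means a word was lost in transit; fail loudly
  // rather than silently shifting every later address in the dump file.
  indices.forEach(function (k, i) {
    if (k !== i) throw new Error('chunk is missing word ' + i);
  });
  return indices.map(function (k) { return obj[k] >>> 0; });
}

// Equivalent of the PHP pack('V', ...) loop: one unsigned 32-bit
// little-endian word after another, in chunk order.
function wordsToBytes(words) {
  var buf = Buffer.alloc(words.length * 4);
  words.forEach(function (w, i) { buf.writeUInt32LE(w, i * 4); });
  return buf;
}

// Sender-side variant that always produces a plain array, so the receiver
// does not depend on how the engine serialises typed arrays.
function chunkFromView(view) {
  return JSON.stringify(Array.prototype.slice.call(view));
}

// Constructed sample chunk (three words; not real Vita memory).
var sampleView = new Uint32Array([0xe92d4800, 0xe28db004, 0x00000001]);
var sampleTypedPayload = JSON.stringify(sampleView); // object form
var samplePlainPayload = chunkFromView(sampleView);  // array form
```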
Zecoxao
Posts: 280
Joined: Mon Sep 27, 2010 7:27 pm

Re: CodeLion POC (works on 3.18)

Post by Zecoxao »

I assume the first code goes inside log.js and the second code goes inside log.php? It doesn't seem to work in my case, as no dump is formed.
My sig is original :D