Advertising (This ad goes away for registered users. You can Login or Register)

0xFFFFFFFFailSploit Explanation

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
some1
HBL Collaborator
Posts: 139
Joined: Sun Dec 12, 2010 4:19 am

0xFFFFFFFFailSploit Explanation

Post by some1 » Sun May 29, 2011 4:08 pm

So, this is going to be an explaination of my 6.38/6.39 kernel exploit which was used in my downgrader, 6.39 ME, and 6.39 Pro.

After the Genesis Competition was announced, I set a goal, to find a kernel exploit and port Davee's 6.35/6.31 downgrader. Now, having zero experience in finding kernel exploit, this seemed very unlikely to happen, but I was determined.

After two weeks of searching, I had successfully found three kernel exploits, one which I released in my downgrader. So, this kernel exploit was found in http_storage.prx, in the function sceHttpStorageOpen. This vulnerability allowed me to write -1 to anywhere in memory, including kernel memory.

Now, how it works:

Code: Select all

sltiu      $v1, $a0, 2
beqz       $v1, loc_0000005C
As you can see, they do indeed have checks on arg0(but forget to do k1 checks), which is supposed to be only 0 or 1, however, instead of returning an error, they foolishly do some more code, even though they know that a0 is something other than 0 and 1:

Code: Select all

loc_0000005C:		; Refs: 0x00000034 0x000000D4 
; Data ref 0x000009F0 ... 0xFFFFFFFF 0xFFFFFFFF 0x00000000 0x00000000 
	0x0000005C: 0x267409F0 '..t&' - addiu      $s4, $s3, 2544
	0x00000060: 0x02348821 '!.4.' - addu       $s1, $s1, $s4
	0x00000064: 0x8E240000 '..$.' - lw         $a0, 0($s1)
	0x00000068: 0x04820005 '....' - bltzl      $a0, loc_00000080
	0x0000006C: 0x0240D821 '!.@.' - move       $k1, $s2
	0x00000070: 0x0C0001B3 '....' - jal        IoFileMgrForKernel_810C4BC3
	0x00000074: 0x2413FFFF '...$' - li         $s3, -1
	0x00000078: 0xAE330000 '..3.' - sw         $s3, 0($s1)
	0x0000007C: 0x0240D821 '!.@.' - move       $k1, $s2
Okay, as you can see here (earlier arg0 was sll'd by 2 into s1), it adds the sll'd arg0 to a global variable, and then writes -1(in register s3) to that address.

Okay, now, here was the hard part, finding how to use -1 to gain kernel mode. This wasted ALOT of my time, at least one month I would say, trying to find some type of struct or global variable to set to -1 to gain kernel mode. Especially since, -1 as an instruction (vsync 0xFFFF) was crashing the psp.

After lots of searching through asm, I revisited -1 as an instruction, and I finally realized what the exception truly meant, "Coprocessor Unusable", it suddenly hit me, VFPU isn't enabled!

So, once adding VFPU attributes to the thread, I could then use -1 (vsync 0xFFFF) as if it were a nop, I add -0x990 to the global variable to overwrite the adding of the global:

Code: Select all

0x00000060: 0x02348821 '!.4.' - addu       $s1, $s1, $s4
And finally, I can now write directly to any address, and I use this to nop/vsync out sceKernelPowerLock.

@Mods: Is this the right section?
Advertising
way to keep a secret malloxis...erm jeerum
Hmm, a demo user mode exploit doesn't seem as important anymore, I wonder why... xP

Dbrandy
Posts: 13
Joined: Tue Apr 19, 2011 9:34 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by Dbrandy » Sun May 29, 2011 4:22 pm

some1 wrote:So, this is going to be an explaination of my 6.38/6.39 kernel exploit which was used in my downgrader, 6.39 ME, and 6.39 Pro.

After the Genesis Competition was announced, I set a goal, to find a kernel exploit and port Davee's 6.35/6.31 downgrader. Now, having zero experience in finding kernel exploit, this seemed very unlikely to happen, but I was determined.

After two weeks of searching, I had successfully found three kernel exploits, one which I released in my downgrader.
Gosh, well analysed.. Respect to you 'some1', you just too good.
Advertising

User avatar
Zecoxao
Posts: 281
Joined: Mon Sep 27, 2010 7:27 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by Zecoxao » Sun May 29, 2011 5:34 pm

So THAT was the reason you kept asking about vsync 0xFFFF some time ago :o . Nicely done ;)
My sig is original :D

the-green
Posts: 45
Joined: Sun Jan 16, 2011 2:10 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by the-green » Sun May 29, 2011 10:30 pm

thanks some1...excellent job ;) ;)

bluemimmosa
Posts: 17
Joined: Thu Nov 25, 2010 10:43 am

Re: 0xFFFFFFFFailSploit Explanation

Post by bluemimmosa » Mon May 30, 2011 7:35 am

@some1

Code: Select all

 sltiu      $v1, $a0, 2   ;here $a0 is checked against 2, if its less than 2 then $v1 is set 0 otherwise 1
 beqz       $v1, loc_0000005C   ;branch to loc_0000005C if $v1 is 0
well now what i didnt understand was the following comments..

Code: Select all

loc_0000005C:      ; Refs: 0x00000034 0x000000D4 
; Data ref 0x000009F0 ... 0xFFFFFFFF 0xFFFFFFFF 0x00000000 0x00000000 
   0x0000005C: 0x267409F0 '..t&' - addiu      $s4, $s3, 2544
   0x00000060: 0x02348821 '!.4.' - addu       $s1, $s1, $s4
   0x00000064: 0x8E240000 '..$.' - lw         $a0, 0($s1)
   0x00000068: 0x04820005 '....' - bltzl      $a0, loc_00000080
   0x0000006C: 0x0240D821 '!.@.' - move       $k1, $s2
   0x00000070: 0x0C0001B3 '....' - jal        IoFileMgrForKernel_810C4BC3
   0x00000074: 0x2413FFFF '...$' - li         $s3, -1
   0x00000078: 0xAE330000 '..3.' - sw         $s3, 0($s1)
   0x0000007C: 0x0240D821 '!.@.' - move       $k1, $s2
Okay, as you can see here (earlier arg0 was sll'd by 2 into s1), it adds the sll'd arg0 to a global variable, and then writes -1(in register s3) to that address.

Well, where are the global variables, are you referring to $s1 and $s3 here as global variables, since they are preserved across function calls, ie caller saved..


now, since you said arg0 was sll'd , i dont see sll instruction there too, so how was it shifted left, and i know it writes -1 in s3,

so i hope for a step by step explanation,
thanks in advance,,.,

wololo
Site Admin
Posts: 3612
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: 0xFFFFFFFFailSploit Explanation

Post by wololo » Mon May 30, 2011 1:26 pm

some1 wrote: @Mods: Is this the right section?
Yup.
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

djmati11
Posts: 278
Joined: Sun Dec 26, 2010 3:31 pm
Location: Poland :)

Re: 0xFFFFFFFFailSploit Explanation

Post by djmati11 » Mon May 30, 2011 4:32 pm

Maybe an tutorial how to find kxploit. xD

Can you publish other kxploits?
PSP 3004 3g | PRO CFW 6.20 Perma patch
PS Vita PCH-1104, Datacode 2A | Mad Blocker Alpha: ROTF TN-B 1.81

RaFa
Posts: 21
Joined: Tue Feb 15, 2011 2:38 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by RaFa » Mon May 30, 2011 5:47 pm

djmati11 wrote:Can you publish other kxploits?
I don't think that is good idea... If he has plans for releasing he should first wait SONY to patch this one and then releasing the others one by one.

npt
VIP
Posts: 154
Joined: Wed Oct 27, 2010 3:32 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by npt » Mon May 30, 2011 7:16 pm

djmati11 wrote:Maybe an tutorial how to find kxploit. xD

Can you publish other kxploits?
Of course he is not going to publish those. Think about it. What sense would that make? : )

Regards,

npt

:ugeek:

User avatar
The Z
VIP
Posts: 5554
Joined: Thu Jan 27, 2011 4:26 pm
Location: PREUẞEN, DEUTSCHLAND
Contact:

Re: 0xFFFFFFFFailSploit Explanation

Post by The Z » Mon May 30, 2011 7:25 pm

RaFa wrote:
djmati11 wrote:Can you publish other kxploits?
I don't think that is good idea... If he has plans for releasing he should first wait SONY to patch this one and then releasing the others one by one.
He should keep one, for the next "big" new feature of new OFW ^^
White PSV TV - 32GB - 3.60 CFW
White PSV 1000 - 32GB - 3.65 CFW
2x PSV 2000 - 32/64GB - 3.65 CFW
PSP Fat 1000 - TA-081 - 6.61 ME-2.3
PSP Slim 2000 - TA-085¹ - 6.61 ME-2.3
4x PSPgo & 1x PSP 3kº⁴ᶢ - 6.61 LME-2.3∞

Post Reply

Return to “Programming and Security”