How the Vita 3.36 eCFW hack works: PSP Kernel exploits explained
/talk member and dev Guidobot (if your PS Vita is hacked, you're probably using his 138Menu, unless you decided to give the recently released OneMenu a try) posted yesterday a pretty cool explanation of how the latest PSP kernel exploit (running in the PSP emulator on Vita firmware 3.36) actually works.
If you remember, I stated a couple of days ago that it apparently relied on a race condition, and it seems I was right (although that was only part of the story).
For those of you not familiar with the term, a race condition occurs when two events in the code happen in an order the programmer did not anticipate. They are pretty common in multithreaded code when threads share a resource without proper locking. The variant used here is usually called a time-of-check/time-of-use (TOCTOU) race: a check is performed on some data, the data is modified by someone else, and then the already-validated data is used as if it were still trustworthy.
In this case, the exploited kernel function checks that its parameters are valid before proceeding, but between that check and the moment it actually uses the values, another ("malicious") user thread overwrites the parameters with content that would never have passed the check. The kernel then operates on attacker-controlled values with kernel privileges.
In this case specifically, the function giving us kernel access is "sceMeVideo_driver_4D78330C" (that would be "do_some_stuff" in my picture above), while the function with the race condition is scevideoCodecStop (that would be "myfunction" in my picture).
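The following is an added toy illustration of the check-then-use race described above, written for this article; it is not the PSP kernel code, not Guidobot's exploit, and the memory ranges, structure layout and function names in it are made up. The scheduler preemption that lets the malicious thread run between the check and the use is modelled by a callback rather than a real second thread, so the outcome is deterministic and the attacker "wins" every time; in the real exploit the window is only hit some of the time. The hardened version shows the usual fix: copy the user-supplied parameters into kernel-owned memory once, then check and use the copy.

```c
/* Added example (hypothetical): a time-of-check/time-of-use race between a
 * kernel function and a user thread that shares its parameter block.
 * Addresses and names below are made up for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define USER_BASE   0x08800000u   /* hypothetical user memory range */
#define USER_END    0x0A000000u
#define KERNEL_ADDR 0x88000000u   /* a kernel address the check must reject */

/* Parameter block living in user memory, shared with the attacker thread. */
struct call_params {
    uint32_t buf;   /* address the kernel function will write to */
    uint32_t len;
};

/* Stands in for the scheduler preempting the kernel thread between check and use. */
typedef void (*preempt_fn)(struct call_params *shared);

/* Only accept [a, a+len) fully inside user memory (no wrap-around). */
static int addr_is_user(uint32_t a, uint32_t len) {
    return a >= USER_BASE && a < USER_END && len <= USER_END - a;
}

/* Vulnerable: validates the shared block, then re-reads it when using it.
 * Returns the address actually used, or 0 if the check rejected the call. */
static uint32_t racy_kernel_call(struct call_params *shared, preempt_fn preempt) {
    if (!addr_is_user(shared->buf, shared->len))
        return 0;                     /* time of check */
    if (preempt) preempt(shared);     /* window: another thread may run here */
    return shared->buf;               /* time of use: reads the block again */
}

/* Hardened: snapshot the block once (copy_from_user pattern), then check and
 * use only the private copy. Same return convention as above. */
static uint32_t safe_kernel_call(struct call_params *shared, preempt_fn preempt) {
    struct call_params local;
    memcpy(&local, shared, sizeof local);
    if (!addr_is_user(local.buf, local.len))
        return 0;
    if (preempt) preempt(shared);     /* attacker may still run here ... */
    return local.buf;                 /* ... but cannot touch our copy */
}

/* The "malicious" thread: swaps the validated user address for a kernel one. */
static void attacker_flip(struct call_params *shared) {
    shared->buf = KERNEL_ADDR;
}

/* Runs one call against a fresh, valid parameter block with the attacker
 * racing it. Returns 1 if the kernel ended up using a kernel address. */
static int race_won(uint32_t (*call)(struct call_params *, preempt_fn)) {
    struct call_params p = { .buf = USER_BASE + 0x1000, .len = 0x100 };
    return call(&p, attacker_flip) == KERNEL_ADDR;
}

int main(void) {
    printf("racy function, attacker racing:  %s\n",
           race_won(racy_kernel_call) ? "kernel address used (pwned)" : "safe");
    printf("hardened function, same attacker: %s\n",
           race_won(safe_kernel_call) ? "kernel address used (pwned)" : "safe");
    return 0;
}
```

Note that copying the parameter block only protects values passed by value. If the kernel must later dereference a user pointer inside the block, the data behind that pointer can still change underneath it, so the same copy-then-check discipline has to be applied at every level of indirection.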
That's it for the general idea. To understand how this specific exploit works from end to end, though, you'll have to read the details in GBOT's original thread.
If you're interested in more PSP kernel exploit explanations, you can also check GBOT's explanation of the sceSdGetLastIndex exploit (2014), Some1's explanation of the 0xFFFFFFFFailSploit (2011), and Acid_Snake's "Kernel Exploit: how they work" summary article (2013).
Source: GBOT on /talk
Nice write-up!
2advanced4me
Nice write-up though
3 third
So is there a release coming in a downloadable package of this kmode bug?
It has already been released, along with ark-2, for 3.36
Thank you
That is a good, short and informative read.
I wish I could
So I can play UMDs on my Vita now?
I am glad news like this gets published. It is important so that others may get involved in the scene that have skill. Thanks!
What game can run the exploit in the JP Store?
I wonder what could be done to prevent/fix this exploit?
Don't update the FW?
No, I mean how Sony could fix this
Just asking (again), but is it possible to install any of this on a vanilla PS Vita 3.36? I don't have an exploit game (or know of any that work now) or anything needed to start. Have I missed the ship?
I have God Eater Burst (as a PSP game), could I start from there? Or should I just wait a couple more years for a hack to get brain-dead easy (like the PSP's final days) after Sony drops Vita support? 🙁
Firmware 3.36, installed via VHBL (Arcade Darts and APE Quest). Started the ARK-2 menu through the game Beta Bloc; the first time it ran through to the main menu, then I got error C0-1136-2. But if I run ARK-2 from the VHBL folder ARK_12345, the menu starts and in the GAME section the games are visible (ISO, CSO and PBP). I sent them to the Vita via FTP to the ISO or PSP/GAME folder, but if I press X, then instead of running the PSP game I can't access the VHBL menu (ms0:/PSP/VHBL/), and for a fraction of a second it writes ms0:/PSP/SAVEDATA/VHBL01234/HBLCONF.TXT
https://youtu.be/SHLOwlRR4OU
Help me