HENkaku: more steps of the exploit reverse engineered
Developers KoriTama and “H” have stepped up for Yifanlu’s challenge to reverse engineer the HENkaku exploit. After H’s explanation of the first stage of the exploit a few days ago, more has been pouring in today.
KoriTama first posted an explanation of the exploit’s second stage, followed quickly by H. If I’m following correctly, one of them refers to this step as “stage 3, ROP payload 2”, but both pastebins cover the same stage of the exploit. Both hackers explain that this step’s role is to leak kernel pointers and create a kernel thread, in order to perform privilege escalation. This seems to confirm, for those who still doubted it, that HENkaku indeed ships with a kernel exploit. The kernel vulnerability apparently lies in some APIs of the Vita’s network library (SceNet).
I won’t copy the pastebins this time (that’s a lot of code!), but you can find them here: H’s Pastebin and KoriTama’s pastebin respectively (personal preference: H’s explanation gives more details).
If you want to look into this and try to understand what’s going on, it’s recommended that you read these explanations while attempting the reverse engineering yourself (the files can be found on Yifanlu’s github here).
H says:
The second ROP payload prepares the stage for a kernel attack. After it’s done, another ROP chain should be starting on the kernel side. This chain relies on kernel pointers that were leaked during the second payload’s execution and is built beforehand. The data portion of the chain is additionally obfuscated/encrypted with kernel-only functions.
To further reverse the exploit, one must dump the target kernel modules, rebuild the kernel ROP and deobfuscate/decrypt the data region.

First we have kernel !!! 😀
I KNEW IT!!! I knew that HENkaku was running on a kxploit. Nobody trusted me, but NOW?! Do you still think that HENkaku is running in userland?! Thanks prophet
it runs also on userland…
I get it now…
Well played, Yifan.
Well I’m excited to see what can be done here .. it’s just a matter of time now lads!
So good, so soon! I hear a train a comin’, comin’ round the bend…
TOLD YOU GUYS, KERNEL EXPLOIT (WITH PIRACY) WILL BE LEAKED!
Yifan lu wants us to find it ourselves and serve it to ourselves, if he does it, he will have to take the blame and also he is against piracy so he doesn’t want it to spread to all of us, he wants us to earn it ourselves. 🙂
And somebody once called me a genius…..
No one wants to admit they’re a pirate without anonymity. We always have to be very indirect, such as mentioning sites instead of direct links, and saying “backups”.
I’m pretty sure only 1% of total Vita users are against piracy!
But they all act like they are very original and rich. I’m pretty sure many will now comment “I am really against piracy”, but in advance, here’s my reply: “Don’t Give Me That $hi7” 🙂
This is actually bs… I enjoy purchasing vita games and don’t really need to pirate anything. I’ve got a 3.55 PS3 that’s running rebug and I never use the damn thing for piracy. I personally only care about the emulation side of things. I wanna see a Vita CFW for ease of emulation and that’s about it.
guess ur one of the 1% guy 😀
Guess what ***, you are a pirate. “Only care about the emulation side of things”… Bet you have ROMs instead of homebrew for those emulators. Step off your soapbox and quit being stupid. Everyone has pirated something in their life, they just don’t admit it.
Emulation of other consoles and their games is piracy, sir.
Is it really necessary to be for or against piracy? Am I allowed to not care?
Because I really don’t care about native piracy on the Vita. Everything it has that I consider worth playing I bought/imported long ago, and what’s released nowadays doesn’t interest me enough to bother pirating even if I could pirate it.
I love reading these articles because they’re short but informative.
Lol……now dont we all feel relaxed after accepting that we are pirates 😀
@Anon
And if more interesting games arise, wouldn’t you pirate those too, Anon?
They won’t. It’s too late already. And even if they miraculously will, they will be multiplatform with objectively superior versions released on the PS4/PC/elsewhere.
But to answer your question: yes, if I’m forced to. As in, there’s an imaginary.Vita-exclusive digital only game with no demo which is only available uncensored on some Asian PSN. I’ll pirate it because I can’t be bothered to switch accounts and I won’t buy its censored and/or dub only western counterpart because of principles/taste.
It’s a purely hypothetical situation in 2016 A.D. of course.
hmmm…..man why don’t you just accept all of us are pirates except for a few special cases (mind probably upside down), just accept it once and you will be free in the vast sea! 🙂
What if counter strike 1.6 gets a release on vita? 🙂 (I know i just sounded like a special case)
Mr. Garrison too accepts he is g@y in one episode of south park 😀
Accept it, mkay? 😮
I thought I’d have to read a book for a discovery like this!
Stupid question number 1-what is devctl?
I tried to reverse engineer the .bin files from HENkaku (any eboot.bin in a vpk is the binary that will be executed as a program on the PS Vita, as far as I understood). But every decompiler for ARM (since the PS Vita processor is an ARM Cortex-A9) tells me that I must enter the section VM address and the entry point address of the binary (eboot.bin of the vpk file). How can I know these addresses, and I wonder why no decompiler can determine by itself where these addresses start. When I used OllyDbg or IDA Pro for reverse engineering a Windows executable the entire decompilation was made automatically.
Help me if you can
I recommend going into the /talk forums or the r/vitahacks subreddit for help
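For the question above about where a decompiler should get the VM address and entry point from: a Vita eboot.bin is an ELF wrapped in an SCE (SELF) container, so tools that expect a bare ELF at offset 0 find no header and ask you to type the values in. The ELF header and program headers inside the wrapper still carry them. The following is an added example, not code from the original post or from the HENkaku project: it locates the embedded ELF32 header, reads the entry point and the PT_LOAD segments, and is fed a constructed sample blob. It assumes the ELF header bytes are readable in the file (segment contents may still be compressed or encrypted, which this does not handle).

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
EM_ARM = 40

def find_elf_offset(data):
    """Offset of the first ELF header inside a wrapped file, or -1 if absent."""
    return data.find(ELF_MAGIC)

def parse_elf32(data):
    """Return entry point and PT_LOAD segments of the ELF32 embedded in data."""
    off = find_elf_offset(data)
    if off < 0 or data[off + 4] != 1:          # e_ident[EI_CLASS] == ELFCLASS32
        raise ValueError("no ELF32 header found")
    end = "<" if data[off + 5] == 1 else ">"    # e_ident[EI_DATA]: 1 = little-endian
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum) = struct.unpack_from(end + "HHIIIIIHHH", data, off + 16)
    segments = []
    for i in range(e_phnum):
        ph = off + e_phoff + i * e_phentsize     # phdrs are relative to the ELF header
        (p_type, p_offset, p_vaddr, p_paddr,
         p_filesz, p_memsz, p_flags, p_align) = struct.unpack_from(end + "8I", data, ph)
        if p_type == PT_LOAD:
            segments.append({"offset": p_offset, "vaddr": p_vaddr,
                             "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags})
    return {"elf_offset": off, "machine": e_machine, "entry": e_entry, "segments": segments}

def build_sample_blob():
    """Constructed test input (not a real eboot.bin): a dummy 32-byte 'SCE' wrapper
    followed by a minimal little-endian ARM ELF32 with one PT_LOAD segment."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LE, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x81000040, 52, 0,
                               0x05000000, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0x1000, 0x81000000, 0x81000000,
                       0x2000, 0x2400, 5, 0x1000)              # flags 5 = R+X
    return b"SCE\x00" + b"\x00" * 28 + ehdr + phdr

if __name__ == "__main__":
    info = parse_elf32(build_sample_blob())
    print("ELF header at file offset 0x%x, machine %d" % (info["elf_offset"], info["machine"]))
    print("entry point: 0x%08x" % info["entry"])
    for s in info["segments"]:
        print("PT_LOAD vaddr 0x%08x  file offset 0x%x  memsz 0x%x" % (s["vaddr"], s["offset"], s["memsz"]))
```

The entry point and the first PT_LOAD vaddr are the two values the decompiler asks for; note that the segment's file offset is relative to the ELF header, not to the start of the wrapper.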
@Alex: Why you need this? It’s already open source: https://github.com/henkaku/VitaShell
Hmm, is now the time to update my 3.18 Vita?
You are late to the party, but not late for the parade. Grab the update NOW before it’s too late!
It’s never late, manual updating is a thing.
I updated my 2 of PS VITA and 1 PS TV to 3.60!
Yay for me I guess. Hahahaha
I thought everyone knew all along that we had kernel access
What the *** is going on? Can somebody please make a video for idiots like me? And thank you to all the hackers for doing this.
So i can upgrade from 3.18 right? ^^
I, for one, am still sitting tight with 3.18 waiting for PSP ISOs and PS1 EBOOTs support on 3.60 before I consider updating, because 3.18 is the best firmware for those games. If you don’t really care about them, feel free to upgrade (and sync your trophies while you have a chance).
I downloaded OFW 3.60 PUPs to be able to update to 3.60 via QCMA if/when I want to, which I also advise to do to everyone staying on older firmwares.
On topic: hopefully someone will port HENkaku to older firmwares when it’s fully detailed.
Thx for your reply! In the end I did update one Vita and kept the other on 3.18 ^^
😀 should i update my vita to 3.60?
Is there some way to run the exploit without the website? http://go.henkaku.xyz/payload.js
https://dropfile.to/kqbBNZm
https://dropfile.to/J5VAsLU
Kernel hack?
http://boards.4chan.org/v/thread/347501294/henkaku-is-a-kernel-exploit
So isn’t that the reason there’s psplink for PSP
and psp2link for PS Vita?
put molecule make in mode that it installs even if the ploit is active
dump data .d section
hmm lost my keys at home again 😉