PS Vita kernel exploit: Xyz explains the Henkaku kernel exploit
Developer Xyz of Team molecule posted a new article on his recently created blog explaining how the kernel exploit used in HENkaku (the PS Vita hack) works.
This follows the release of more of the HENkaku source code by Yifanlu, after several hackers (in particular St4rk and hexkyz) proved they had been able to reverse engineer most of the exploit.
On a side note, hexkyz stated in one of his writeups that he was able to leak kernel memory, a.k.a. a new kernel exploit:
Luckily for me, I already found a way to leak kernel memory while playing with the SceNet syscalls, so, stage 3 is on its way.
Back to the HENkaku kernel exploit: the vulnerability is in SceNetIoctl and is a “use after free”. For those of you not familiar with the term, it is basically a pointer that the code keeps around (and keeps using) after the data it pointed to has been freed. The general idea is that two threads hold pointers to the same data; one thread frees that data and then writes whatever it wants into the memory that replaces it, while the other thread is on hold. By the time the second thread dereferences its pointer, it is pointing at completely arbitrary, attacker-chosen data (“malicious” code).
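To make that pattern concrete, here is an added example (my own, not xyz's or Team molecule's code, and not the Vita's SceNet implementation): a constructed fixed-slot object table that replays the free-then-reallocate race described above in a single thread, first through a lookup that trusts a stale reference and then through one that carries a generation counter and refuses it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-slot object table standing in for a kernel object pool; constructed
 * for illustration only, nothing here is the Vita's SceNet code. A handle packs
 * the slot index (low 16 bits) and the slot's generation counter (high 16 bits). */
#define SLOTS 4u
typedef struct { int in_use; uint32_t gen; char data[16]; } slot_t;
typedef uint32_t handle_t;
static slot_t pool[SLOTS];

static handle_t pool_alloc(const char *init) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        snprintf(pool[i].data, sizeof pool[i].data, "%s", init);
        return (pool[i].gen << 16) | i;
    }
    return UINT32_MAX;                       /* table full */
}

static void pool_free(handle_t h) {
    if ((h & 0xffff) >= SLOTS) return;
    pool[h & 0xffff].in_use = 0;
    pool[h & 0xffff].gen++;                  /* every older handle to this slot is now stale */
}

static const char *lookup_unchecked(handle_t h) {  /* buggy: trusts the slot index alone */
    return (h & 0xffff) < SLOTS ? pool[h & 0xffff].data : NULL;
}

static const char *lookup_checked(handle_t h) {    /* hardened: refuses stale handles */
    uint32_t i = h & 0xffff;
    return (i < SLOTS && pool[i].in_use && pool[i].gen == (h >> 16)) ? pool[i].data : NULL;
}

/* The race from the post, serialised: thread 2 keeps a handle; thread 1 frees the
 * object and refills the same slot with its own contents; thread 2 then dereferences.
 * Returns 1 if the stale handle was honoured (the bug), 0 if it was refused (the fix). */
static int replay_race(int checked, char *out, size_t n) {
    memset(pool, 0, sizeof pool);
    handle_t kept = pool_alloc("legit");     /* thread 2 holds on to this */
    pool_free(kept);                         /* thread 1 frees the object ... */
    pool_alloc("replaced");                  /* ... and reallocates the same slot */
    const char *p = checked ? lookup_checked(kept) : lookup_unchecked(kept);
    if (!p) { out[0] = '\0'; return 0; }
    snprintf(out, n, "%s", p);
    return 1;
}
```

The unchecked lookup hands thread 2 the replacement contents, which is exactly the window an exploit builds on; the generation check is one of the cheapest ways a kernel can turn that window into a refused access.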

Of course, I make it sound easier than it is. Team molecule had to make this happen under the constraints of the exploited functions, and had to defeat ASLR and NX as well. As always, I strongly recommend you read the whole thing alongside the source code, linked in the source below.
Source: xyz
Sounds like PSP/PS1 soon… er… I mean First!
Goddammit
usually these first comments are annoying but according to wololo’s time-stamps you 2 posted at 2:32am mere moments apart
alice……….just go back to wonderland
First
Wait, so does this mean he found an additional kernel exploit along side what Team Molecule had already found?
Wat? XYZ is Team Molecule.
I think he was referring to hexkyz not xyz.
Correct. My fault for not being specific.
Sure reads that way to me. That’s hilarious, awesome, and impressive.
First
everyone is really focused on the vita, I bet PS4 hackers are using this distraction to quietly make something, especially when henkaku uses the same exploit for the 3.55 PS4
That would be nice if true~!
What happened to all the old comments?
Not bad
Did any of this arise from the $1000 donation on the Vita CPU information?
Farts
pls help 3.61 and break 3.61 pls
3.61 help please
hahah …. maybe.. only time will tell
there is nothing for you just dust
break 3.61, plz plz plz plz 🙁
at the end of the 1st paragraph of the blog “All Vita devices and firmwares before 3.61 are affected.” .. Does this mean that it is possible to have this in lower firmwares? Henkaku for lower firmwares anybody?
There’s no reason it shouldn’t work, unless the exploit is written on code that came after a certain firmware. From the sound of the articles linked and explanation given, it sounds like they used the lower firmwares to run the hack and tested it on the latest available firmware at the time. Since Sony didn’t patch the exploit used until 3.61, I would bet that it works on any firmware that is 3.60 or less; but the lower firmwares are still reliant on the code they have available and some newer homebrews will fail to run or crash due to the lack of code necessary to run them.