Make a PoC first, once u find it. The PoC is as simple as reading from 0x88000000.thecobra wrote:Hi Everyone,
I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.
Thank you.
+1. The first step is always dumping the kernel range memory.jigsaw wrote:Make a PoC first, once u find it. The PoC is as simple as reading from 0x88000000.thecobra wrote:Hi Everyone,
I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.
Thank you.
Then port it to procfw. That's all.
Thanks but i can't find the kernel dump in the Google procfw source code. I looking at the code and i see how he/she launches the installer and all of that but i can't find the simple dumper.Coldbird wrote:+1. The first step is always dumping the kernel range memory.jigsaw wrote:Make a PoC first, once u find it. The PoC is as simple as reading from 0x88000000.thecobra wrote:Hi Everyone,
I want to ask a quick question. Let say for argument sake that I found a kernel exploit and i wanted to make a HEN out of it for 6.60. What source code or what information should i look at? It just a quick question i asking to know what i should do after I find an exploit which may take a while but i like to know what i should do after that.
Thank you.
Then port it to procfw. That's all.
For that you can check into procfw too, as there is a kernel dumper example code for kxploit creation in it that is enabled if you build with the DEBUG=1 flag.
Usually, dumping the kernel memory works like this... you create a kernel callback from your kxploit which gets executed in a kernel context, this piece of code clones the kernel memory range into the p2 user partition... and upon returning to user context, you dump the now p2 located kernel clone to a file via the sceIo functions.
Code: Select all
// Dumps kmem
void get_kmem_dump()
{
SceUID dump_fd;
dump_fd = sceIoOpen(KDUMP_PATH, PSP_O_CREAT | PSP_O_WRONLY, 0777);
if (dump_fd >= 0)
{
sceIoWrite(dump_fd, (void*) 0x08000000, (unsigned int)0x400000);
sceIoClose(dump_fd);
}
}Code: Select all
printf("%08x\n", *(u32 *) 0x88000000);
oh, the think is i did not want/can't yet print anything to the screen. I wanted to use the sceio function to write to a file and save it. I doing this in asm code Based of the Bin Loader. I got k1 = 0 which is good but right now trying to write to the memory stick fails it seems because it seem it was writing to it but when i open up the file there nothing there. Maybe sceioclose Fail?jigsaw wrote:It doesn't have to be that "complicated".
As simple as:
You should be able to call the code directly in the kernel callback. Otherwise the PoC fails.Code: Select all
printf("%08x\n", *(u32 *) 0x88000000);
This is not usual - can't print to screen.thecobra wrote:oh, the think is i did not want/can't yet print anything to the screen. I wanted to use the sceio function to write to a file and save it. I doing this in asm code Based of the Bin Loader. I got k1 = 0 which is good but right now trying to write to the memory stick fails it seems because it seem it was writing to it but when i open up the file there nothing there. Maybe sceioclose Fail?jigsaw wrote:It doesn't have to be that "complicated".
As simple as:
You should be able to call the code directly in the kernel callback. Otherwise the PoC fails.Code: Select all
printf("%08x\n", *(u32 *) 0x88000000);
Code: Select all
u32 kmem = -1U; // a global var
...
// in kernel callback
kmem = *(u32 *) 0x88000000;
...
// after return from syscall
printf("kmem=%08x\n", kmem); // should be sth. other than 0xffffffff
Code: Select all
int kmode(void)
{
_sw(0x12345678, 0x88000000);
__asm__("break");
return 0;
}