
TheOfficialFloW

TheOfficialFloW / 370_jailbreak_psa.md
Last active Apr 21, 2019
PS Vita 3.69/3.70 Jailbreak Public Service Announcement

PS Vita 3.69/3.70 Jailbreak PSA

First of all, thank you for your patience and support, your wait will soon be over. It's been more than half a year since the release of h-encore and it has reached nearly half a million downloads!
Now it's time for my second and last jailbreak for the PS Vita. Unlike previous exploit chains, this one will not use a WebKit or savedata exploit as its entry point, but a novel one.

The upcoming exploit chain consists of a PSP Emulator Escape. This means it exploits bugs in the emulator to escape the sandbox and run native ARM code. While this is cool and technically very interesting, there is a catch: your device must be linked to and activated with a PSN account, so that you can download and install a PSP game from the store. The problem is that in case Sony releases a new firmware which fixes this entry point, you'll not be a

TheOfficialFloW / fd_fix.c
Last active Feb 27, 2019
File descriptor fix
#include <psp2kern/kernel/modulemgr.h>
#include <stdio.h>
#include <string.h>
#include <taihen.h>
static tai_hook_ref_t ksceVfsNodeInitializePartitionRef;
static SceUID hookid = -1;
TheOfficialFloW / kernel_read.c
// Kernel read exploit for devkits with FW < 3.68 by TheFloW
#include <psp2/appmgr.h>
#include <psp2/io/dirent.h>
#include <psp2/io/fcntl.h>
#include <psp2/io/stat.h>
#include <psp2/io/devctl.h>
#include <stdio.h>
#include <string.h>
TheOfficialFloW / exploits_hunting.md

How to find savedata exploits

Since the release of h-encore you might be wondering how such a user entry point is even possible. It is possible because games developed with an SDK version around 3.00 or lower were compiled as statically linked executables, so their load address is always the same and they cannot be relocated to another region. This means that if we have an exploit in such a game, we can happily do ROP without having to deal with ASLR. These games also don't have stack protection enabled by default, so stack smashing is the easiest way to trigger user ROP execution. Savedata exploits are more powerful than WebKit exploits in terms of available syscalls: after firmware 3.30 or so, Sony introduced sceKernelInhibitLoadingModule in their browser, which prevented us from loading additional modules. This limitation is crucial, since loading modules was the only way to get syscalls, as their numbers are randomized at boot.

*Note that the following guide is written for people with few knowl

TheOfficialFloW / libarchive-3.3.2-vita.patch
Created Jan 14, 2018
libarchive 3.3.2 patch for vita
diff -Naur libarchive-3.3.2.orig/libarchive/archive_ppmd7.c libarchive-3.3.2/libarchive/archive_ppmd7.c
--- libarchive-3.3.2.orig/libarchive/archive_ppmd7.c 2016-06-20 00:54:34.000000000 +0200
+++ libarchive-3.3.2/libarchive/archive_ppmd7.c 2018-01-14 19:27:34.502464400 +0100
@@ -4,7 +4,7 @@
#include "archive_platform.h"
-#include <memory.h>
+// #include <memory.h>
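Review bot: In the archive_ppmd7.c hunk, `+// #include <memory.h>` leaves a commented-out include in the source rather than removing the line; if the Vita toolchain lacks `<memory.h>`, delete the include outright or wrap it in a platform/configure guard (for example a `HAVE_MEMORY_H` check next to the existing `#include "archive_platform.h"`), and record in the patch description why the header is being dropped so the reason survives a rebase.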
TheOfficialFloW / generate_challenge.c
#define KIRK_CMD_ENCRYPT_IV_0 4
#define KIRK_CMD_DECRYPT_IV_0 7
#define KIRK_CMD_SHA1_HASH 11
#define KIRK_CMD_PRNG 14
static int DecryptIV0(u32 *buf, u32 size, u32 code) {
buf[0] = 5;
buf[1] = 0;
buf[2] = 0;
buf[3] = code;
TheOfficialFloW / titleidvalue.c
Created Jun 17, 2017
Get titleid value. Used in ScePspemu for specific title adjustment
#include <stdint.h>
#include <stdlib.h>

// Derive a 32-bit value from a 9-character title ID (4-letter prefix followed
// by 5 digits): the prefix is packed big-endian into a word and XORed with a
// mixed form of the numeric part, which is parsed as hexadecimal.
uint32_t getTitleIdValue(const char *titleid) {
  uint32_t titleid_number = strtol(titleid + 4, 0, 16);
  uint32_t titleid_prefix = titleid[3] | (titleid[2] << 8) | (titleid[1] << 16) | (titleid[0] << 24);
  uint32_t titleid_value = (titleid_number + (titleid_number << 12)) ^ titleid_prefix;
  return titleid_value;
}
TheOfficialFloW / rif_name.c
Created Jun 17, 2017
RIF name calculation
uint8_t rif_name_keys[0x10] = {
0x19, 0xDD, 0x4F, 0xB9, 0x89, 0x48, 0x2B, 0xD4,
0xCB, 0x9E, 0xC9, 0xC7, 0x9A, 0x2E, 0xFB, 0xD0
};
int aes_encrypt(const void *buf, int size, uint8_t *keys) {
AES_ctx ctx;
AES_set_key(&ctx, rif_name_keys, 0x80);
int i;