Sponsored Links

Sponsored Links

PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert


Sponsored Links
118w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

[Register or Login to view code]

From Mathieulh (via pastebin.com/naxXkv3M):

[Register or Login to view code]

The footer signature is still not checked upon npdrm self files execution as of 4.21.

Because kakaroto says something that doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.

Of course they do whitelist npdrm now so even if the footer isn't checked you cannot run your own npdrm selfs signed with keyset lower than 0x0D making the whole debate rather pointless. Aditional checks are now performed on the actual file format as well such as the segment counter flag that needs to be set to 0x01 except for the very last segment.

Finally, from KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too . The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA.

Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^

[Register or Login to view code]

I didn't managed to make it work on 4.21 so I just did on 4.20






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew releases!

Comments 273 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles.
 
#113 - zeroblu3 - 110w ago
zeroblu3's Avatar
Following up on my previous update, today I decided to take my PS3 Resigner Script even further and came up with something I'm very excited about - I present to you CFW 4.xx+ F.A.R. Script v0.5b (F.A.R. standing for "Full Auto Resigner" ^^).

Download: [Register or Login to view links]

Changes since previous Resigner Script:

  • Automatically unpacks, resigns, finds/adds "Content and Title ID" to package.conf and repacks .pkg files (Just drag and drop your .pkg file on the "CFW 4.xx+F.A.R. Script (Drag Here).bat")
  • Automatically detects if the input file is an EBOOT.BIN and is able resign DISC and NPDRM EBOOT.BIN's (Drag and drop the EBOOT.BIN on the .bat and select DISC or NPDRM at the prompt)
  • Automatically makes a .BAK (backup) of your original EBOOT in it's source folder.

Hope you enjoy it

For questions and bug reports don't hesitate to contact me.

More PlayStation 3 News...

#112 - niwakun - 111w ago
niwakun's Avatar
scetool can be used for BD Eboots. Dont make such statement that is baseless

the only thing that had scetool is a bug, it doesnt fetch the keysets correctly, since it looks for the revision+self_type
maybe this can be fixed on next version

but theres a way to decrypt BD eboots correctly, just use the option -keyset and manually apply the keys (erk,riv,pub) and it will be decrypted

#111 - zeroblu3 - 111w ago
zeroblu3's Avatar
this isn't reccommended cause it is only for NPDRM EBOOT's be careful not to use it with disk eboots

#110 - Ausdim - 111w ago
Ausdim's Avatar
Hello.

In the new v0.3.5 i dont see the option to sign only the EBOOT.BIN file.

So i edit a little the bat to search first if any EBOOT.BIN are in root of app folder.

Just replace the CFW 4.xx .pkg Resigner Script START.bat

Thanks

#109 - wega - 111w ago
wega's Avatar
excellent guide perfect...

 

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS3 Downloads - PS3 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 3 News