PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert


109w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog post, "Exploiting (?) lv2":

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it has to have the 0x40... control flags set). So you'd first need to find a suitable usermode exploit (don't ask us) that gives you code execution with the right privileges.

2. The payload data is copied to the lv2 heap first, and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem, but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware); maybe one of you will find a way to overcome problem (2.) and can get something nice out of it, because right now it's only good to crash lv2.

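The following C program is an added example, not Naehrwert's code and not lv2's allocator: it models problem (2) above with a toy heap whose free() poisons the released chunk with 0xABADCAFE, then stages a payload the way the quoted text says the vulnerable syscall does (copy to heap, free, use later) and checks what survives. The only facts taken from the text are the poison pattern and the free-before-use ordering; the allocator, the function names and the sample payload bytes are this example's own assumptions.

```c
/* Added example: toy heap with poison-on-free, modelling Naehrwert's problem (2).
 * Not lv2's allocator; only the 0xABADCAFE pattern and the "free before use"
 * ordering come from the quoted text. Everything else is assumed for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 4096
#define POISON    0xABADCAFEu

typedef struct {
    uint8_t mem[HEAP_SIZE];
    size_t  top;            /* bump pointer; freed chunks are never reused here */
    bool    poison_on_free; /* true models the behaviour described for lv2 */
} toy_heap;

static void heap_init(toy_heap *h, bool poison_on_free)
{
    memset(h->mem, 0, sizeof h->mem);
    h->top = 0;
    h->poison_on_free = poison_on_free;
}

/* 16-byte-aligned bump allocation; NULL when the arena is exhausted. */
static void *heap_alloc(toy_heap *h, size_t n)
{
    size_t rounded = (n + 15) & ~(size_t)15;
    if (rounded > HEAP_SIZE - h->top)
        return NULL;
    void *p = h->mem + h->top;
    h->top += rounded;
    return p;
}

/* Free: with poisoning enabled, fill the chunk with repeating 0xABADCAFE
 * (big-endian byte order, as the Cell PPE lays out a 32-bit word). */
static void heap_free(toy_heap *h, void *p, size_t n)
{
    if (!h->poison_on_free)
        return;
    uint8_t *b = p;
    for (size_t i = 0; i < n; i++)
        b[i] = (uint8_t)(POISON >> (8 * (3 - (i % 4))));
}

/* Constructed sample payload: four PowerPC words (three nops and a blr).
 * They are only bytes to compare; nothing here executes them. */
static const uint8_t sample_payload[16] = {
    0x60, 0x00, 0x00, 0x00,  0x60, 0x00, 0x00, 0x00,
    0x60, 0x00, 0x00, 0x00,  0x4e, 0x80, 0x00, 0x20,
};

/* Model of the syscall's ordering: copy the payload to the heap, free the copy,
 * and only afterwards look at it. Returns the (dangling) copy so the callers
 * below can inspect what a later "use" would actually see. */
static uint8_t *stage_then_free(toy_heap *h)
{
    uint8_t *copy = heap_alloc(h, sizeof sample_payload);
    if (copy == NULL)
        return NULL;
    memcpy(copy, sample_payload, sizeof sample_payload);
    heap_free(h, copy, sizeof sample_payload); /* freed before any "execution" */
    return copy;
}

/* Does the staged payload still match after the free? */
static bool payload_survives(bool poison_on_free)
{
    toy_heap h;
    heap_init(&h, poison_on_free);
    const uint8_t *copy = stage_then_free(&h);
    return copy != NULL && memcmp(copy, sample_payload, sizeof sample_payload) == 0;
}

/* How many aligned 32-bit words of the freed copy now read 0xABADCAFE? */
static size_t poison_words_after_free(bool poison_on_free)
{
    toy_heap h;
    heap_init(&h, poison_on_free);
    const uint8_t *copy = stage_then_free(&h);
    size_t count = 0;
    for (size_t i = 0; copy != NULL && i + 4 <= sizeof sample_payload; i += 4) {
        uint32_t w = (uint32_t)copy[i] << 24 | (uint32_t)copy[i + 1] << 16 |
                     (uint32_t)copy[i + 2] << 8 | (uint32_t)copy[i + 3];
        if (w == POISON)
            count++;
    }
    return count;
}

int main(void)
{
    printf("no poisoning : survives=%d, poison words=%zu\n",
           payload_survives(false), poison_words_after_free(false));
    printf("lv2-style    : survives=%d, poison words=%zu\n",
           payload_survives(true), poison_words_after_free(true));
    return 0;
}
```

The first line of output is the naive expectation (no reuse, so a freed chunk still holds the payload); the second is what the quoted text describes, with every word of the copy replaced by the poison pattern. The practical check before investing in a heap-staged payload on any target is therefore whether the allocator scrubs on free; if it does, the payload has to live somewhere the free path never touches, or the free has to be avoided altogether.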

From Mathieulh (via pastebin.com/naxXkv3M):


The footer signature is still not checked upon npdrm self files execution as of 4.21.

Just because kakaroto says something doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.

Of course they do whitelist npdrm now, so even if the footer isn't checked you cannot run your own npdrm selfs signed with a keyset lower than 0x0D, making the whole debate rather pointless. Additional checks are now performed on the actual file format as well, such as the segment counter flag that needs to be set to 0x01 except for the very last segment.

Finally, from KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too. The stack pointer points to lv2, and if we do a syscall, the syscall saves registers to the stack HAHA.

Btw. it just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stack pointer and so on. If you manage to get the panic payload executed, tell me!!! ^^


I didn't manage to make it work on 4.21, so I just did it on 4.20.






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments (235)


#200 - StanSmith - 86w ago
It would be nice if it cleaned up properly. I did an eboot; it worked, BUT (and this is the BIG problem) when you click 3 to exit it DELETES that new eboot and still leaves a heap of crap files. LOL

#199 - PS3 News - 86w ago
Following up on his previous revisions, today PlayStation 3 homebrew developer RazorX has updated the PS3 CFW EBOOT Resigner to version 1.07 followed by v1.08, v1.09, v1.10, v1.11, v1.12, v1.13, v1.14, v1.15, v1.16, v1.17, v1.18 and v1.19 for updating 3.55 and 3.41 CFW game files for use on 4.XX CFW.


Below are the changes, as follows:

Update 7:

  • added create pkg.
  • fixed a few code issues.
  • setup automatic contentid extraction from pkg files so it's now even easier to use this app.
  • added display after contentid extraction that shows you the pkg's contentid and titleid so you can make sure they're correct before you try to repack the pkg file.

Note: please use the exit on the app rather than hitting the [X] so it can cleanup the temp files and prevent errors.

Update 8:

  • fixed issue with unpacking pkg, patching eboot then repacking pkg in same session.
  • changed menu to make it easier to understand and more sensible.
  • updated various sections of code.
  • added the ability to change the param.sfo or contentid before repack in case of mismatched titleid and contentid.

Update 9:

  • removed some unneeded code and cleaned up some others.
  • tidied up some of the info screens to make them more clear and easy to understand.
  • removed timeouts to speed up the process.
  • fixed issue with exiting app after unpacking pkg, resigning eboot then repacking pkg.
  • fixed exiting app not removing some of the files.

Update 10:

  • added quick menu.
  • set (y) as default on eboot resigner so now you just need to hit enter or type (n) if the content id is wrong.
  • neatened up screens.

Version 1.10 Changelog:

Hey guys, I've released v1.10 of my app. This one is just a small update, a few tweaks here and there. I have also added FixELF for when resigning eboots to 3.60 and 4.20; you will be given the option of doing this, so it's not something that will just happen. This may or may not fix any problems you may have with a resigned eboot, but it's never 100% guaranteed (but then what is?); hopefully it will help you. I have also uploaded more pics for you, so if you're not familiar with this app you can see what it's all about.

For those of you who don't know what this is about, it's all in the title of the app: this is for unpacking and repacking pkg files and resigning eboots, but it will also help you if all you want to do is alter a param.sfo in a pkg file or simply view the contentid of it. Here are some images for you.

Note: Please use the exit on the app rather than hitting the [X] so it can cleanup the temp files and prevent errors.

Version 1.11 Changelog:

  • updated repack pkg process to fix an issue with packages that have large amounts of files, such as PAC-MAN Championship Edition DX; now when creating a package file a new window pops up for the packing process. Don't close this or it will not create your package.
  • updated app to include more info so it's easier to understand and follow what it's doing every step of the way.
  • set up the app so that when repacking games, if it also contains the PARAM.SFO in C00, it will overwrite it with the PARAM.SFO in USRDIR after the step that allows you to alter it; so if you do decide to alter the PARAM.SFO it will then be copied to C00 if it exists, and you won't get a PARAM.SFO mismatch error when trying to repack the pkg file.

Version 1.12 Changelog:

  • added support for ps2 package files.

Version 1.13 Changelog:

  • updated the process for repacking ps2 package files.
  • added create license pkg.

Version 1.14 Changelog:

  • added 3.55 alternative eboot resign.
  • added dex eboot option.




Version 1.15 Changelog:

  • removed first param editor screen since you have the option on the screen that follows it anyway.
  • updated tools.
  • when resigning an eboot it will automatically change the ps3 system version in the param.sfo if it exists in the root folder with the eboot.
  • when unpacking a mini, ps1 or ps2 game instead of having to then goto repack pkg it will do it automatically after you have unpacked it.
  • set up automatic retrieval of the title id from the content id itself, so if the title id is wrong, or you are doing a ps1 game where the title id is always different and prevents you from repacking, it will automatically replace it for you; by the time you get to the info screen that tells you the game's content id and title id for you to check, it will have been changed to match the content id.




Version 1.16 Changelog:

  • fixed issues with gamedata.
  • fixed issues with dlc.
  • separated gamedata & dlc to separate options.
  • cleaned up some code.




Version 1.17 Changelog:

  • increased eboot compatibility: when booting the app it will create a ps3 folder; if you have your act.dat and idps or idps.bin, simply copy them into this folder. The folder will not be deleted on exiting.
  • added extras menu.
  • added the ability to convert ps2 isos or bins to ISO.BIN.ENC.
  • added the ability to create ps2 classic pkgs from the newly created ISO.BIN.ENC; this will create pkg files you can install on your ps3 at the same time, not 1 pkg that will overwrite.




Version 1.18 Changelog:

  • updated PS2 classics code.
  • creates "custom" folder before making PKG for you to add ICON0.PNG, PIC0.PNG, PIC1.PNG and PIC2.PNG images if you want to customize your PS2 games.
  • sped up the process of making PS2 classics.
  • added more info to screens so it's easier to follow what's happening when making a PS2 classic.

Note: to better ensure your game will work have your ps2 game in iso format as ISO9660 MODE1/2048.

Version 1.19 Changelog:

  • updated PS2 classics code some more.




FAQ:

[Q] I really don't understand how to unpack a pkg.
[A] All you do is put your pkg file in the same folder as my app, then go to option 6 and then option 1 to unpack the pkg.

[Q] How do you get the content id?
[A] If the pkg file is a game/homebrew pkg file it will get it automatically and say "is this your content id", then you say yes; but for the others you will have to enter it manually. As far as getting that, in the next version I will release tomorrow I will include an option in the package menu to boot up an app from aldostools that will tell you it, then you just copy and paste it.

[Q] How do you get the package version?
[A] The package version is contained in the param.sfo, but for the most part it's 01.00, and even if it's not and you set it to 01.00 nothing bad will happen; it won't make any difference to the app.

[Q] Why is there a difference between ps1 games, homebrew, and data packages? How do I know what kind of package mine is?
[A] There is a difference because each package tells the ps3 what it is and how to deal with it and stuff. As far as telling, if you don't know what your pkg is then it's probably not worth messing around with it till you learn more about pkgs and their functions etc.


#198 - AbkarinoMHM - 86w ago
Thank you for this news

#197 - PS3 News - 86w ago
I updated the main article with version 1.03, which contains some updates and fixes, etc.

#196 - StanSmith - 86w ago
Didn't work for me. Says it can't decrypt the eboot, but other resigners work fine with it.








© 2014 PlayStation 3 News