/LibPspExploit

Library for the exploitation of the PSP Kernel.

Primary LanguageCDo What The F*ck You Want To Public LicenseWTFPL

LibPspExploit

Library for the exploitation of the PSP Kernel with the aim of easing the creation of OFW-compatible homebrew with kernel access.

Preamble

With the use of signing utilities, it is simple and easy to create homebrew for the PSP that runs on Official Firmware. These homebrew however only have access to user-mode API, meaining it's access to the system is restricted.

This library provides an easy-to-use universal solution for writing homebrew with kernel access for OFW.

Usage

You must include libpspexploit.h and libpspexploit.a into your homebrew and use the API to elevate privilages in your homebrew.

The functions to be called (in order) to achive kernel priviledge are the following:

  • pspXploitInitKernelExploit: initializes the necessary information to trigger the kernel vulnerability. Takes no arguments. Returns 0 on success.
  • pspXploitDoKernelExploit: corrupts the kernel memory to allow escalation of priviledges. Takes no arguments. Returns 0 on success.
  • pspXploitExecuteKernel: takes a pointer to a function as argument and executes that function with kernel priviledges. Returns nothing.
  • pspXploitRepairKernel: repairs damage done to kernel by pspXploitDoKernelExploit. This will revert the kernel exploit.

Once kernel access has been granted, the following functions can be used to aid in the creation of your homebrew:

  • pspXploitSetUserLevel: allows setting user level to a higher priviledge one.
  • pspXploitFindFunction: resolve the exact address of a function via its module name, library name and NID.
  • pspXploitFindModuleByName: obtain the SceModule structure via the module name.
  • pspXploitFindTextAddrByName: obtain the module's text address via its name.

The library also offers a table of common kernel functions, which can be initialized by calling pspXploitScanKernelFunctions, as well as a variety of macros and algorithms to help with the development of kernel-mode homebrew in OFW.

How it works

The library combines several vulnerabilities and algorithms that have been developed throught the years of the PSP scene. The most important vulnerabilities used are:

  • sceRtcCompareTick: a read-only vulnerability. Allows us to obtain the precise data at any kernel address. This lets us analyze the kernel before even attempting to corrupt it.
  • sceSdGetLastIndex: a write vulnerability. Allows us to partially write to any address in kernel memory, vulnerating the behaviour of the kernel to allow escalating priviledges.

These two vulnerabilities were chosen because they are both available on firmwares 2.80 all the way up to 6.61, which are the the firmware versions we aim for since they can run demos (which is how we sign our homebrew). They might exist in lower firmwares, but other methods of executing your EBOOT.PBP will be required (such as plain ELF on 1.00, the kxploit format on 1.50 or eLoader on 2.00).

Samples

A few kernel homebrew that have already been ported to OFW are:

  • Universal Flash Dumper: dumps files in PSP flash and other useful information. https://github.com/PSP-Archive/Universal-Flash-Dumper
  • PSP Ident: displays very helpful information about your PSP. To be released.
  • PSP MSID dumper: dumps the ID of your memory stick. To be released.
  • PSP IDPS dumper: dumps the IDPS of your PSP. To be released.

Credits

  • qwikrazor87: for his discovery of the kernel vulnerability in sceSdGetLastIndex.
  • Davee: for figuring out the sceRtcCompareTick kernel exploit.
  • CelesteBlue: for the simple, fast and robust implementation of sceRtcCompareTick.
  • Acid_Snake: for implementing sceSdGetLastIndex kernel exploit and this very library.