Following the previous work, PlayStation 3 developer @zecoxao with help from Zer0Tolerance, IronMan and AlexAltea updated their PS3 RSXploit with details below.
Download: rsxploit.7z (154.79 KB)
To quote from zecoxao on the update: So, after some deliberation with Zer0Tolerance, we decided to release an updated version of the lv2 exploit that my friend released a long time ago.
First, some notes:
- You can test this for instance on a 4.21 CFW console by specifying an address in one of the parameters and then dumping memory before and after running the syscall. Just be careful that you need to be able to write to that region!
- This exploit was patched on 4.40, NOT on 4.45.
- There isn't just ONE unchecked pointer, there are FOUR! They are all four now checked in 4.40.
Code:
/*
* lv2 SysCall 670 (0x29E): sys_rsx_context_allocate
* @param context_id (OUT): RSX context, E.g. 0x55555555 (in vsh.self)
* @param lpar_dma_control (OUT): Control register area. E.g. 0x60100000 (in vsh.self)
* @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... E.g. 0x60200000 (in vsh.self)
* @param lpar_reports (OUT): Report data area. E.g. 0x60300000 (in vsh.self)
* @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate
* @param system_mode (IN):
*/
/*
After some verification it turns out that 4 pointers aren't checked
They are:
context_id
lpar_dma_control
lpar_driver_info
lpar_reports
we can write values at:
rsx_context + 0x04 (4Bytes) - context_id
rsx_context + 0x20 (8Bytes) - lpar_dma_control
rsx_context + 0x30 (8Bytes) - lpar_driver_info
rsx_context + 0x40 (8Bytes) - lpar_reports
to properly specify a kernel address use ULL for big numbers
*/
Many thanks to IronMan and AlexAltea for the help. This exploit will be even better later, so stick around.
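To show the fix for the bug class the notes above describe (the kernel writing through caller-supplied OUT pointers without validating them), here is an added example, not lv2's code and not part of zecoxao's release: a toy model of the handler that checks all four pointers against a user range before writing any of them. The flat memory model, the user/kernel split, the struct padding and the error code are assumptions; the field offsets and the sample values come from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Toy LPAR memory: an address is an offset into g_mem. The split below is
 * chosen for this example only; real lv2 address ranges are not on the page. */
#define MEM_SIZE     0x10000u
#define USER_LO      0x8000u      /* [USER_LO, MEM_SIZE) is "user" memory */
#define ERR_BAD_ADDR (-1)         /* placeholder error code, not lv2's */
static uint8_t g_mem[MEM_SIZE];

/* Mock of the kernel-side record the syscall copies out of. Offsets follow the
 * post (+0x04, +0x20, +0x30, +0x40); padding and field names are assumed. */
struct rsx_context {
    uint32_t reserved0;           /* 0x00 */
    uint32_t context_id;          /* 0x04 (4 bytes) */
    uint8_t  pad1[0x18];
    uint64_t lpar_dma_control;    /* 0x20 (8 bytes) */
    uint8_t  pad2[0x08];
    uint64_t lpar_driver_info;    /* 0x30 (8 bytes) */
    uint8_t  pad3[0x08];
    uint64_t lpar_reports;        /* 0x40 (8 bytes) */
};
_Static_assert(offsetof(struct rsx_context, context_id) == 0x04, "layout");
_Static_assert(offsetof(struct rsx_context, lpar_reports) == 0x40, "layout");

/* True only if [addr, addr+len) lies entirely inside user memory. */
static bool user_ok(uint64_t addr, size_t len) {
    return addr >= USER_LO && addr <= MEM_SIZE && len <= MEM_SIZE - addr;
}

/* Checked variant of the handler: every OUT pointer is validated before the
 * first write, so one bad pointer cannot leave a partially written result. */
int sys_rsx_context_allocate_checked(uint64_t ctx_id_out, uint64_t dma_out,
                                     uint64_t drv_out, uint64_t rep_out,
                                     const struct rsx_context *ctx) {
    if (!user_ok(ctx_id_out, 4) || !user_ok(dma_out, 8) ||
        !user_ok(drv_out, 8)    || !user_ok(rep_out, 8))
        return ERR_BAD_ADDR;
    memcpy(&g_mem[ctx_id_out], &ctx->context_id, 4);
    memcpy(&g_mem[dma_out], &ctx->lpar_dma_control, 8);
    memcpy(&g_mem[drv_out], &ctx->lpar_driver_info, 8);
    memcpy(&g_mem[rep_out], &ctx->lpar_reports, 8);
    return 0;
}

/* Read-back helpers for callers and tests. */
uint32_t mem_read32(uint64_t a) { uint32_t v; memcpy(&v, &g_mem[a], 4); return v; }
uint64_t mem_read64(uint64_t a) { uint64_t v; memcpy(&v, &g_mem[a], 8); return v; }
```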
Update: In related PS3 hacking news, ZeroTolerance has released ps3encdec, which is a port of flat_z's encdec emulator to C. Source code (and binaries) can be found here:
Download: ps3encdec_saucy.rar (224.74 KB)
"The encdec emulator supports all crypto types (NAND/NOR/ARCADE NAND/ARCADE NOR) and, being in C, is faster than the original one (between 1-3MBps on creating a decrypted/encrypted file), and this can be improved by using OpenCL or other multithreading tools."
"ZeroTolerance just made version 0.1.0 of ps3encdec. Users will notice a significant improvement in speed (from 3MBps max to 96MBps max). A readme (with working examples) is also added, and finally, a timer was added to do benchmarks of the program."
Cheers to @SSShowmik for the news tip in the PSXHAX Shoutbox this afternoon!