zecoxao

[Release] rsxploit updated and working


So, after some deliberation with Zer0Tolerance, we decided to release an updated version of the lv2 exploit that my friend released a long time ago.

First, some notes:
This exploit was patched on 4.40, NOT on 4.45.
There isn't just ONE non-checked pointer, there are FOUR! They are all four now checked in 4.40.
 

	/*
	 * lv2 SysCall 670 (0x29E): sys_rsx_context_allocate
	 * @param context_id (OUT): RSX context, E.g. 0x55555555 (in vsh.self)
	 * @param lpar_dma_control (OUT): Control register area. E.g. 0x60100000 (in vsh.self)
	 * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... E.g. 0x60200000 (in vsh.self)
	 * @param lpar_reports (OUT): Report data area. E.g. 0x60300000 (in vsh.self)
	 * @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate
	 * @param system_mode (IN):
	 */
	
	/*
	After some verification it turns out that 4 pointers aren't checked
	They are:
	context_id
	lpar_dma_control
	lpar_driver_info
	lpar_reports
	
	we can write values at:
	rsx_context + 0x04 (4Bytes) - context_id
	rsx_context + 0x20 (8Bytes) - lpar_dma_control
	rsx_context + 0x30 (8Bytes) - lpar_driver_info
	rsx_context + 0x40 (8Bytes) - lpar_reports
	
	to properly specify a kernel address use ULL for big numbers
	*/

You can test this, for instance, on a 4.21 CFW console by specifying an address in one of the parameters and then dumping memory before and after running the syscall. Just be careful that you need to be able to write to that region!

Link to the exploit: https://www.sendspace.com/file/rnf0eg
Many thanks to @IronMan and @AlexAltea for the help. This exploit will be even better later, so stick around :)
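Added illustration, not part of the post, the linked rsxploit, or lv2 itself: a constructed C model of the bug class described above, a syscall handler that stores its results through caller-supplied OUT pointers without checking them, beside the hardened shape that validates every pointer against a user-space range before the first store (the kind of check the post says 4.40 added). The user/kernel address split, the struct layout, the write log and the error value are all constructed for the example; stores are recorded rather than performed so it runs anywhere.

```c
/* Added model of the bug class in the post.  Not lv2 code: the address split,
 * struct layout, write log and error value are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define USER_BASE    0x00010000ULL   /* constructed: lowest valid user address */
#define USER_LIMIT   0x40000000ULL   /* constructed: first address past user space */
#define EFAULT_MODEL (-14)           /* constructed: "bad address" return code */

/* The four OUT pointers the caller passes in (each value is an address). */
struct out_ptrs {
    uint64_t context_id;        /* 4-byte slot */
    uint64_t lpar_dma_control;  /* 8-byte slot */
    uint64_t lpar_driver_info;  /* 8-byte slot */
    uint64_t lpar_reports;      /* 8-byte slot */
};

/* Stand-in for the kernel's stores: each (address, size) is recorded instead
 * of dereferenced, so the example never touches real memory. */
struct write_log {
    uint64_t addr[4];
    size_t   size[4];
    int      count;
};

static void do_store(struct write_log *wl, uint64_t addr, size_t size)
{
    if (wl->count < 4) { wl->addr[wl->count] = addr; wl->size[wl->count] = size; }
    wl->count++;
}

static void store_all(const struct out_ptrs *p, struct write_log *wl)
{
    do_store(wl, p->context_id, 4);
    do_store(wl, p->lpar_dma_control, 8);
    do_store(wl, p->lpar_driver_info, 8);
    do_store(wl, p->lpar_reports, 8);
}

/* A caller-supplied pointer is acceptable only if [ptr, ptr+len) lies
 * entirely inside user space and is aligned for the access. */
bool user_range_ok(uint64_t ptr, size_t len, size_t align)
{
    if (ptr % align != 0 || ptr < USER_BASE)
        return false;
    /* Phrased so that ptr + len cannot wrap around. */
    return len <= USER_LIMIT && ptr <= USER_LIMIT - len;
}

/* Vulnerable shape: every OUT pointer is stored through unconditionally,
 * so whatever address the caller names receives the kernel's write. */
int allocate_unchecked(const struct out_ptrs *p, struct write_log *wl)
{
    wl->count = 0;
    store_all(p, wl);
    return 0;
}

/* Hardened shape: validate all four pointers before the first store, so a
 * bad pointer yields an error and leaves no partial result behind. */
int allocate_checked(const struct out_ptrs *p, struct write_log *wl)
{
    wl->count = 0;
    if (!user_range_ok(p->context_id, 4, 4) ||
        !user_range_ok(p->lpar_dma_control, 8, 8) ||
        !user_range_ok(p->lpar_driver_info, 8, 8) ||
        !user_range_ok(p->lpar_reports, 8, 8))
        return EFAULT_MODEL;
    store_all(p, wl);
    return 0;
}

/* Constructed scenario: four user-space slots, optionally with the last one
 * replaced by an address in the model's kernel range. */
static struct out_ptrs scenario(bool one_bad)
{
    struct out_ptrs p = { 0x10000000ULL, 0x10000010ULL, 0x10000020ULL, 0x10000030ULL };
    if (one_bad)
        p.lpar_reports = 0x8000000000000000ULL;  /* constructed kernel address */
    return p;
}

/* Stores the unchecked handler performs when one pointer is bad. */
int unchecked_store_count(void)
{
    struct write_log wl;
    struct out_ptrs p = scenario(true);
    allocate_unchecked(&p, &wl);
    return wl.count;
}

/* Return code and store count of the checked handler for either scenario. */
int checked_result(bool one_bad)
{
    struct write_log wl;
    struct out_ptrs p = scenario(one_bad);
    return allocate_checked(&p, &wl);
}

int checked_store_count(bool one_bad)
{
    struct write_log wl;
    struct out_ptrs p = scenario(one_bad);
    allocate_checked(&p, &wl);
    return wl.count;
}
```

The point of validating all four pointers before the first store, rather than one at a time as each is written, is that a rejected call leaves the caller-visible state exactly as it was; checking as you go would still return an error but could already have written the first slots. The range check is also written to reject wrap-around (`ptr + len` overflowing), which a naive `ptr + len < USER_LIMIT` comparison misses.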


Nice :) thx to all devs involved!


Could this be used in conjunction with an old web browser exploit (or yours) for a HEN? 

11 hours ago, Derf said:

Could this be used in conjunction with an old web browser exploit (or yours) for a HEN? 

Not yet. First we'd need to have peek and poke, and to do that we need to be able to write to the area where the code is, and we cannot, because it is protected by a hash that only exists in lv1 memory.
BUT IF we have a browser exploit and this on < 4.40, we can write to lv2-accessible regions, yes. And we could try to get out of it (we're working on it right now).
