MAZIORA PLEIADES-2

Source: Davee's Blog

MAZIORA PLEIADES-2 is not the codename for a military operation but is actually the name of a pigment. MAZIORA pigments change colour depending on the viewing angle: from one angle they might look red whilst from another they look blue. The video below is taken from Wikipedia and demonstrates the colour-changing effect.


Continue reading...

PSVita Webkit for < 2.00

Source: Davee's Blog

Webkit is pretty buggy, we know that. My PSVita is on 1.80, and thus some wonder how I've been doing things with my vita. How about a history lesson?

It all started in early 2012 with a bunch of people looking into webkit. After a bit of time, a really smart dude called @cmwdotme showed us string dumps and a table of a few memory locations for the vita, and told us that they were obtained using webkit. He told us that he couldn't share the bug used to dump, but that ROP could be achieved using CVE-2010-1807. Then we didn't hear much from him afterwards. No interest perhaps, but regardless I had work to do. Motivation was dwindling as my knowledge about the system and software was poor; I'd never hacked anything other than the PSP, which is honestly a joke of security. A read bug was required for us to get any details out of the system. Performing ROP blindly is extremely difficult.

Then came a small breakthrough for us: after searching hours and hours through CVE records we found this: CVE-2010-4577. This allows an attacker to perform a remote read, which is perfect for us. We needed to read some memory to make ROP feasible. So I started work on getting ROP. It didn't take long, things fell like dominoes and I soon had very tediously written ROP. So my 1.61 vita was running "code"; this was a good day for me.

So now you know the story, here is the program used to convert ROPTool payloads to exploit HTML files: HTMLIt

It currently only supports 1.50, 1.691 and 1.80/1.81, but it should be trivial to extend.

Embarrassingly, my vita was (unintentionally) updated to firmware 1.80 before this tool or ROPTool was complete.

As always, the credits:

Proxima - Webkit stuff and 1.50 support

Bubbletune - floating-point crap

Cheers,

Davee

PSVita Webkit Exploit - Information and Credits

Source: Davee's Blog

As you have probably seen, a small PoC webkit exploit for 2.60 was released for the PSVita. You can test your vita yourself by visiting the link here: http://lolhax.org/vita.htm

At first the exploit only supported 2.60, which happens to be the firmware my vita is on. The exploit now supports up to version 3.18, and a code execution demo with ROPTool will be shown over the next while.

Let's talk about how this all came to be. Thanks to a tweet from @yifanlu, news exploded onto the internet about this hack and what it means for the vita. Problem is, most of you don't know what it means for the vita and, frankly, nor do I. I've been working with webkit for over 2 years now, but there are many other brains behind the scenes doing work, which I would like to talk about.

First off, there is Codelion or @BBalling1. He is a strong driving force in a small development group that just struggled to gain momentum. People left, people lost interest. This guy managed to stay in the game and deserves as much credit as you give me. He even posted a description of the exploit on his twitter over a week ago, so make sure to follow him.

Secondly, there is Josh Axey @Josh_Axey, another member of the group. As I said, people lost interest, the group cohesion broke and people worked on their own. This guy also made use of the packetstorm webkit bug.

Thirdly, @Archaemic. I haven't spoken to this guy, but I can take yifan's word that he has been working on the exploit for a long time and has even produced dumps from as early as April. Good job man!

Thank you all for the praise, but I would like these guys to get a mention too; they are hard workers and probably spent a lot of time on this bug too. If you're interested in getting involved, drop me or any of these guys a tweet. I'm sure they'll be glad to get a few extra devs.

Cheers,

Davee

ROPTool

Source: Davee's Blog

I've done a post about Return Orientated Programming (ROP) before, where I described the basic operation of a ROP chain. The public domain of pentest security tools involving ROP is largely orientated around the Intel x86 architecture. Now I have my own contribution to the security world.

Continue reading...

The effect of disclosure

Source: Davee's Blog

Once again, I've not posted in a while, so I'll start off by apologising for that. Today, I'm gonna talk about the reality of computer security. When I say reality, I immediately put my hands up and say that I'm talking bullshit and really just gonna spew a lot of my opinion in regards to computer security. So, here goes...

Continue reading...

ClipUpload SCP

Source: Davee's Blog

Today is a short post, but I've recently started playing around with ClipUpload. ClipUpload is a very clever, yet very simple, clipboard upload tool which will upload whatever is in your clipboard to a variety of destinations including: facebook, imgur, pastebin or even your own FTP server.

Whilst I think it is pretty cool to upload to an FTP server, I'd much rather have the ability to do a secure transfer. So I forked the code and, with the help of SharpSSH, modified the FTP addon and produced a fully working SCP addon.

So, if you use ClipUpload, give it a try (especially if you prefer secure transfers). If not, you should give it a try; it's a really useful application.

ClipUpload SCP Fork: https://github.com/DaveeFTW/ClipUpload

Introduction to Return Oriented Programming

Source: Davee's Blog

This will be a small introduction to return oriented programming, commonly referred to as ROP. I've had a lot of experience with security measures (duh) but never really had any hands-on experience with more modern security technologies such as non-executable stack/data (DEP, NX, XN, W^X) or Address Space Layout Randomisation (ASLR).

The non-executable stack isn't really limited to just the stack: anything that isn't code memory can't be executed. So, as in PSP, you can't just jump to the savedata and have the day's work done. No, instead the only executable code is real code provided by the OS when binaries are loaded. This is a nice and funky way, but ROP is the counter and tends to poop on this method.

Continue reading...

PSVita Native Hack, c'mon devs!

Source: Davee's Blog

Just to start, congratulations to yifanlu for his excellent work on gaining the first vita native hack. I'd like to note that I'm just relaying information from a forum post by yifanlu and did not have any input on yifanlu's work; it's all his!

Also, if you're not a developer, please note that there is currently no way to run homebrew, colour your screen, download binaries, hack your device, make a milkshake from 10 miles away or such. This post is purely informational.

Continuing on, considering my audience includes quite a few developers, I think this post should complement the cause. So, if you don't know, vita dev yifanlu has been looking around for developers who are interested in developing native software on the vita. He is calling out for developers to help him develop an ELF loader.

Continue reading...

I'm baaaack!

Source: Davee's Blog

Well, this place has been cleaned up a little bit and I can log back in again. You might have noticed that I've changed the theme, and you'll probably find out that I do this often!

Well, this post is going to summarise what the hell I've been doing since my last post in terms of development, and perhaps you'll be disappointed. Follow the link and find out!

Continue reading...

Kermit

Source: Davee's Blog

Turns out he's not just a green frog! So, I've been throwing this word around recently and it's probably about time I explain. Kermit, either a protocol or perhaps just a funny name (see KIRK/SPOCK), is a communication interface for the PSP emu. Specifically, it allows the PSP to talk to the host.

Now, I can tell there aren't as many developers here, so I'll try to simplify for the curious minds, but this stuff is pretty complicated. I'll only explain the API in detail as the lower levels still need a little bit of clearing up, but here goes.

Continue reading...

PS Vita PSP HEN

Source: Davee's Blog

First things first, huge thanks to Proxima and some1. They've provided key utilities and advice for this research. So, yeah, it was really only a matter of time till this kind of thing happened. Sony don't just emulate the userland process of a PSP game, they emulate the entire kernel, albeit a modified kernel. The PSP emu has limited access to hardware, with interfacing to the hardware done via a Kermit module. Kermit is an old-timer's transmission protocol, likely used to talk to the native Vita.

Continue reading...

Can you crack it? + Solution

Source: Davee's Blog

Thanks to a facebook message from my dad yesterday, I was informed of this website: Can you Crack it?. So, promptly, I got onto the job and it was surprisingly easy, and I imagine it will be for most people who can reverse engineer and have experience doing so.

Click read more to see how I did it, but I suggest you have a good attempt beforehand. It's a nice little reverse engineering exercise.

Continue reading...

"Chronoswitch" Downgrader 5.0. Advanced 09g Support!

Source: Davee's Blog

As an ongoing project, me and some1 have been enhancing this downgrader from birth on the 6.31/6.35 firmwares. This multi-firmware downgrader allows you to install a lower (or higher) firmware without any fuss. No complex flash0 sharing, just running the firmware update.
However, there are restrictions on PSP models and compatible firmware. For example, a PSPgo cannot run 1.50 as there are no drivers for the system and the IPL format is incompatible. Much like this, the PSP 3000 09g is unable to install firmwares < 6.30, which removes its ability to appreciate the flexibility of permanent custom firmware.

This is no longer the case.

Continue reading...

Arduino projects.

Source: Davee's Blog

Well, I'm no beginner to electronics, but this is my first microcontroller that can directly interface with them! So yeah, pretty cool; I've never messed with AVR in my life, always used PIC for my USB controller. So I've been messing around a bit and I've done some very basic stuff, working with components here and there.

Read on to see the stuff I've done.

Continue reading...

KIRK 0x10 Private Key

Source: Davee's Blog

The private key for the KIRK 0x10 functionality is known to be stored in an encrypted buffer of 0x20 bytes. Proxima discovered that KIRK 0x10 operates like this:

Kirk 0x10 - ECDSA sign hash
Invocation:

u8 buffer[0x34];                  // command buffer: 0x20-byte key followed by 0x14-byte hash
u8 encryptedprivatekey[0x20];     // the private key returned by KIRK 0xC must be AES encrypted somehow
u8 SHA1hashofmessagetosign[0x14]; // SHA-1 hash of the message to sign
u8 newsig[0x28];                  // output: 0x28 bytes of signature

memcpy(buffer, encryptedprivatekey, 0x20);
memcpy(buffer + 0x20, SHA1hashofmessagetosign, 0x14);
sceUtilsBufferCopyWithRange(newsig, 0x28, buffer, 0x34, 0x10); // KIRK command 0x10

newsig will have the r and s values for an ECDSA signature.

This isn't that useful since it is not clear how to encrypt the private key used to sign the message. There are some examples in IDStorage where a pre-encrypted private key and public key pair can be used, but no general cases yet.

Continue reading...

A look at the TA-88v3 IPL Hash.

Source: Davee's Blog

First, a huge thanks to Gusha for his huge support, donating a lot of time for testing stuff on his TA-88v3, cheers mate! In this post I'll describe what I have found out so far with the TA-88v3 and provide a model representing the security and operation of the TA-88v3 pre-IPL. Unfortunately, the hash has not been broken, but this could be some useful information.

Continue reading...

LOL TX

Source: Davee's Blog

This is a test. Cheers guys.

6.35 and 6.31 Downgrader

Source: Davee's Blog

Sony, being as sneaky as they are, decided to make a rather interesting move. As researched by Coyotebean, Sony started enforcing a public-key method of verifying KIRK data and removed the ability to load the old types of data. Because of this, firmware 6.30+ cannot decrypt the updater and the PRX inside, and therefore cannot use the index.dat spoofing to downgrade.

Continue reading...

Arcanum.

Source: Davee's Blog

Now that 6.20 TN-A is out in the open, allow me to describe the kernel vulnerability used. Back in 5.70/6.00 Sony introduced a feature into the sceUtility_private library that allowed setting and unsetting a callback with kernel privileges.

sceUtility_private_764F5A3C // Set power callback
sceUtility_private_2DC8380C // Release (unset) power callback

These two functions are not normally imported, so they require some special techniques, such as syscall estimation, to reach them in order to utilise their functionality.

Now, how does this kernel exploit work?

Continue reading...

Wooooo! I have a blog!

Source: Davee's Blog

Hello everyone, this is my blog! After owning x-fusion for nearly four years, I decided I should get a new domain, hence this blog.

I've never had a blog before, so bear with me whilst I get used to all this fancy software (currently using WordPress atm). Back to the point, I made this blog in order to share research and post stuff that interests me when I see it. I'm currently actively working on the PS3 and the PSP, so no doubt I'll post some information regarding whatever I find.

Specifically, I am working on the PSPgo, privately researching the firmware and the hardware for changes from the previous models. I am also actively working on the lv2 reverse engineering of the PS3.

In other news, I am meant to be playing at a music festival with my band on the 29th May, 2010. So, I'm looking forward to that. If you didn't know, I play in a band called "Guide the Light". You should check us out, I mean we played with Pearl and the Puppets (who are really good and you should also check out).

Anyway, I think I'mma finish off there; I've run out of things to say.

- Davee 2010