This repo contains some exploits for use on early PS Vita firmware. There are two examples of kernel code execution using the syscall handler overflow vulnerability present in firmware prior to 1.61: one for PKG decryption and one for NAND dumping.
There is also code that exploits a function in libSceNgsInternal; this involves crafting a custom library that is used when compiling the application.
See: https://github.com/mathieulh/PS-Vita-Early-Kernel-Exploit-Toolbox/blob/master/kdumper/README.md
A simple NAND dumper.
The code currently supports 0.945, 0.995 and 1.500, however can be adapted for any firmware prior to 1.61.
A simple PKG decrypter. The code currently only supports FW 1.500, but it can be ported by dumping the appropriate regions and finding the new offsets for the required functions.
- Clone the repo and ensure you have the appropriate SDK and tools installed for the target FW.
- Right-click the kexec project -> Post-Build Event. Edit the path to match the location of `new.c` and the path to copy the payload to (default is `C:\FSD\kexec.bin`).
- Adjust the preprocessor definitions at the top of BOTH `main.c` and `new.c` to suit the firmware the target Vita is currently on.
- Compile and run the user process either from within Visual Studio or manually via Neighborhood -> Load Executable.
`new.c` should NOT be compiled by SNC/MSBuild or any of the VS tools; it is built using yagarto, specifically with the `buildme.bat` script. The resulting payload is then copied to the file serving directory as `kexec.bin`.
Alternatively, find the following line in `kexec.vcxproj` and adjust the paths appropriately:

```xml
<Command>$(SolutionDir)\..\yagarto\bin\buildme.bat "C:\Users\PS3SDK\Desktop\1.03_kdump\post\yagarto\bin\new.c" "C:\FSD\kexec.bin"</Command>
```
Thanks to mathieulh, LemonHaze, CelesteBlue, The Flow and Proxima.