PSP-Archive/LibPspExploit
LibPspExploit

Library for the exploitation of the PSP Kernel with the aim of easing the creation of OFW-compatible homebrew with kernel access.

Preamble

With the use of signing utilities, it is simple and easy to create homebrew for the PSP that runs on Official Firmware (OFW). Such homebrew, however, only has access to the user-mode API, meaning its access to the system is restricted.

This library provides an easy-to-use, universal solution for writing homebrew with kernel access on OFW.

Usage

You must include libpspexploit.h and link libpspexploit.a in your homebrew, then use the API to elevate its privileges.

The functions to be called (in this order) to achieve kernel privilege are the following:

  • pspXploitInitKernelExploit: initializes the information needed to trigger the kernel vulnerability. Takes no arguments. Returns 0 on success.
  • pspXploitDoKernelExploit: corrupts kernel memory to allow escalation of privileges. Takes no arguments. Returns 0 on success.
  • pspXploitExecuteKernel: takes a pointer to a function as its argument and executes that function with kernel privileges. Returns nothing.
  • pspXploitRepairKernel: repairs the damage done to the kernel by pspXploitDoKernelExploit. This reverts the kernel exploit. Can only be called from within a kernel-privileged function.

Once kernel access has been granted, the following functions can be used to aid in the creation of your homebrew:

  • pspXploitSetUserLevel: sets the user level to a higher-privilege one.
  • pspXploitFindFunction: resolves the exact address of a function from its module name, library name and NID.
  • pspXploitFindModuleByName: obtains the SceModule structure for a module from its name.
  • pspXploitFindTextAddrByName: obtains a module's text address from its name.

The library also offers a table of common kernel functions, which can be initialized by calling pspXploitScanKernelFunctions, as well as a variety of macros and algorithms to help with the development of kernel-mode homebrew in OFW.

How it works

The library combines several vulnerabilities and algorithms that have been developed over the years by the PSP scene. The most important vulnerabilities used are:

  • sceRtcCompareTick: a read-only vulnerability. It allows us to read the exact contents of any kernel address, so the kernel can be analyzed before any attempt is made to corrupt it.
  • sceSdGetLastIndex: a write vulnerability. It allows us to partially write to any address in kernel memory, altering the behaviour of the kernel so that privileges can be escalated.

These two vulnerabilities were chosen because both are present on firmwares from 2.80 all the way up to 6.61, which are the firmware versions we target since they can run demos (which is how we sign our homebrew). They might exist on lower firmwares, but other methods of executing your EBOOT.PBP will then be required (such as a plain ELF on 1.00, the kxploit format on 1.50 or eLoader on 2.00).

Samples

A few kernel homebrew that have already been ported to OFW are:

Credits

  • qwikrazor87: for his discovery of the kernel vulnerability in sceSdGetLastIndex.
  • Davee: for figuring out the sceRtcCompareTick kernel exploit.
  • CelesteBlue: for the simple, fast and robust implementation of sceRtcCompareTick.
  • Acid_Snake: for implementing the sceSdGetLastIndex kernel exploit and this very library.
