
Webkit is pretty buggy, we know that. My PSVita is on 1.80, and so some wonder how I’ve been doing things with my vita. How about a history lesson?

It all started in early 2012 with a bunch of people looking into webkit. After a bit of time, a really smart dude called @cmwdotme showed us string dumps and a table of a few memory locations for the vita, and told us that they were obtained using webkit. He told us that he couldn’t share the bug used to dump, but that ROP could be achieved using CVE-2010-1807. Then we didn’t hear much from him afterwards. No interest perhaps, but regardless I had work to do. Motivation was dwindling as my knowledge about the system and software was poor; I’d never hacked anything other than the PSP, which is honestly a joke of security. A read bug was required for us to get any details out of the system. Performing ROP blindly is extremely difficult.

Then came a small breakthrough for us: after searching hours and hours through CVE records we found CVE-2010-4577. This allows an attacker to perform a remote read, which is perfect for us, since we need to read some memory to make ROP feasible. So I started work on getting ROP. It didn’t take long; things fell like dominoes and I soon had very tediously written ROP. So, my 1.61 vita was running “code”. This was a good day for me.

Now that you know the story, here is the program used to convert ROPTool payloads to exploitable html files: HTMLIt

Currently it only supports 1.50, 1.691 and 1.80/1.81, but it should be trivial to extend.

Embarrassingly, my vita was (unintentionally) updated to firmware 1.80 before this tool or roptool was complete.

As always, the credits:

Proxima – Webkit stuff and 1.50 support

Bubbletune – floating-point crap

Cheers,

Davee


3 Comments

  1. I’ve improved the source code of the 150_exploit.js. If you are interested in the new version and want to test it, you can write to me.

  2. Hi Davee
    I would like to talk to you about your latest work.
    Do you use IRC? Just name the time and program ^^

  3. Hey Davee, if you’re interested, I have a new, unopened, launch day PS4. Firmware should still be 1.00, same as what my personal everyday PS4 came with (also a launch day unit).

    Looking to sell it, to the right dev of course. I talked to Wololo yesterday, and he pointed me to you. I’d prefer not to just plaster my email here, but I’d love to see if you’re interested in it. Let me know.
