First, a huge thanks to Gusha for his support in donating a lot of his time to testing on his TA-88v3, cheers mate! In this post I'll describe what I have found out so far about the TA-88v3 and provide a model of the TA-88v3's security and operation pre-IPL. Unfortunately the hash has not been broken, but this could still be useful information.
Sony, being as sneaky as they are, made a rather interesting move. As researched by Coyotebean, Sony started enforcing a public-key method of verifying KIRK data and removed the ability to load the old data types. As a result, firmware 6.30+ cannot decrypt the updater and the PRX inside it, and therefore index.dat spoofing can no longer be used to downgrade.
Now that 6.20 TN-A is out in the open, allow me to describe the kernel vulnerability it uses. Back in 5.70/6.00 Sony introduced a feature into the sceUtility_private library that allows a callback to be set and unset with kernel privileges.
sceUtility_private_764F5A3C // Set power callback
sceUtility_private_2DC8380C // Release (unset) power callback
These two functions are not normally imported, so reaching them requires special techniques such as syscall estimation in order to use their functionality.
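As an added example (not code from the post, from 6.20 TN-A or from Sony's SDK), here is a host-side C model of the syscall estimation mentioned above. It assumes, which the post does not state, that a library's syscall numbers are assigned consecutively in the order its export table lists NIDs, and that a user-mode import stub is the MIPS pair `jr $ra` / `syscall N`; the export table and the known syscall number are constructed for the demo, with only the two sceUtility_private NIDs taken from the post.

```c
/* Added example: host-side model of PSP syscall estimation.
 * Assumptions (not from the post): syscall numbers of one library are
 * consecutive in export-table order, and an import stub is
 * `jr $ra` / `syscall N`. Everything except the two NIDs from the
 * post is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MIPS_SPECIAL_MASK  0xFC00003Fu /* opcode (31..26) + funct (5..0) */
#define MIPS_SYSCALL_FUNCT 0x0000000Cu /* SPECIAL/syscall */
#define MIPS_JR_RA         0x03E00008u /* jr $ra */
#define SYSCALL_CODE_MAX   0xFFFFFu    /* 20-bit code field, bits 6..25 */
#define EST_FAIL           0xFFFFFFFFu

/* Build a `syscall N` instruction from its 20-bit code field. */
static uint32_t encode_syscall(uint32_t num)
{
    return MIPS_SYSCALL_FUNCT | ((num & SYSCALL_CODE_MAX) << 6);
}

/* Recover the code field from a `syscall` instruction; -1 if it is not one. */
static int decode_syscall(uint32_t insn, uint32_t *num)
{
    if ((insn & MIPS_SPECIAL_MASK) != MIPS_SYSCALL_FUNCT)
        return -1;
    *num = (insn >> 6) & SYSCALL_CODE_MAX;
    return 0;
}

/* Read the syscall number out of an existing two-word import stub. */
static int read_stub(const uint32_t stub[2], uint32_t *num)
{
    if (stub[0] != MIPS_JR_RA)
        return -1;
    return decode_syscall(stub[1], num);
}

static long nid_index(const uint32_t *exports, size_t n, uint32_t nid)
{
    for (size_t i = 0; i < n; i++)
        if (exports[i] == nid)
            return (long)i;
    return -1;
}

/* Estimate the syscall number of target_nid from a known import of the
 * same library: known syscall + (index difference). Returns EST_FAIL if
 * either NID is absent or the result leaves the 20-bit code field. */
static uint32_t estimate_syscall(const uint32_t *exports, size_t n,
                                 uint32_t known_nid, uint32_t known_syscall,
                                 uint32_t target_nid)
{
    long ki = nid_index(exports, n, known_nid);
    long ti = nid_index(exports, n, target_nid);
    if (ki < 0 || ti < 0)
        return EST_FAIL;
    long est = (long)known_syscall + (ti - ki);
    if (est < 0 || est > (long)SYSCALL_CODE_MAX)
        return EST_FAIL;
    return (uint32_t)est;
}

/* Constructed export table: only the two sceUtility_private NIDs are from
 * the post; the 0xAAAA.... NIDs and syscall 0x2100 are made up. */
static const uint32_t demo_exports[] = {
    0xAAAA0001u, /* pretend: a function that is normally imported */
    0x764F5A3Cu, /* sceUtility_private_764F5A3C, set power callback */
    0xAAAA0003u,
    0x2DC8380Cu, /* sceUtility_private_2DC8380C, release power callback */
};
static const uint32_t demo_known_stub[2] = {
    MIPS_JR_RA, MIPS_SYSCALL_FUNCT | (0x2100u << 6)
};

/* End to end: read the known stub, then estimate the target's number. */
static uint32_t demo_estimate_num(uint32_t target_nid)
{
    uint32_t known;
    if (read_stub(demo_known_stub, &known) != 0)
        return EST_FAIL;
    return estimate_syscall(demo_exports, 4, 0xAAAA0001u, known, target_nid);
}

/* Second word of the stub that would reach target_nid, or EST_FAIL. */
static uint32_t demo_stub_word(uint32_t target_nid)
{
    uint32_t est = demo_estimate_num(target_nid);
    return est == EST_FAIL ? EST_FAIL : encode_syscall(est);
}

int main(void)
{
    uint32_t w = demo_stub_word(0x2DC8380Cu);
    if (w != EST_FAIL)
        printf("stub: %08x %08x\n", MIPS_JR_RA, w);
    return 0;
}
```

The range check only catches an estimate that overflows the code field; it cannot tell that the table ordering assumption was wrong, in which case the stub simply invokes the wrong kernel function. That is why the estimate is something to verify on the target firmware before building anything on it.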
Now, how does this kernel exploit work?
Hello everyone, this is my blog! After owning x-fusion for nearly four years, I decided I should get a new domain, hence this blog. I've never had a blog before, so bear with me whilst I get used to all this fancy software (currently using WordPress). Back to the point, I made this blog in order to share research and…