A Brief History Lesson

Let's quickly rewind to 11 years ago (2006) and refresh our memory of the very first custom firmware: 2.71 SE-A. Dark_AleX and team designed this custom firmware based on Devhook, a piece of software that allowed you to load the latest PSP firmware from the memory stick. Devhook provided the basic foundation for loading non-host firmware and…
Now that 6.20 TN-A is out in the open, allow me to describe the kernel vulnerability it uses. Back in 5.70/6.00, Sony introduced a feature into the sceUtility_private library that allowed a callback to be set and unset with kernel privileges.
sceUtility_private_764F5A3C // set power callback
sceUtility_private_2DC8380C // release (unset) power callback
These two functions are not normally imported, so reaching them requires special techniques such as syscall estimation in order to utilise their functionality.
Now, how does this kernel exploit work?