Top Menu

Tag Archives power

Now that 6.20 TN-A is out in the open, allow me to describe the kernel vulnerability used. Back in 5.70/6.00 Sony introduced a feature into the sceUtility_private library that allowed to set and unset a callback with kernel privileges.

sceUtility_private_764F5A3C //Set power callback
sceUtility_private_2DC8380C // release (unset) power callback

These two functions are not normally imported so they require some special techniques such as syscall estimation to reach them in order to utilise their functionality.

Now, how does this kernel exploit work?