WebKit ROP Chain Tutorials [Creation/Editing/Debugging] - PS3 Development

ok so the chain is working.

stackframe offset may be wrong sometimes, the others should be verified.

i will look into it. thanks
 
@esc0rtd3w will you be covering directory read/write/close? Also, the file read/close doesn't work for big files. Is it a bug or a restriction from the console? When I set the size right and execute the chain, it works for a bit and then freezes the console for big files.
 
What are the success rates on finding the offsets when running this? I'm on 4201a super slim and find it takes hours to get it to the execute part. And the few times it's worked I had to adjust the search tweaks to *70* *810000* and just play with those. And even then it's still not successful every time.
 
i am working on tweaking search. i have added options in currently unreleased files for string settings based on flash type if other tweaks are needed.

as a general rule, all models produce similar results while searching for offsets. the large stackframe that the tutorial uses is different from other releases and therefore the search needs to be adjusted a bit differently.

this will be smoothed out over time as i have more time to test.
 
@esc0rtd3w thank you for your work! Checked some stuff in v.ps3xploit_pett-v002 on CFW 4.81DEX, search of offsets is much better.

Now I want to check for OFW 4.66.

I have a question: is it possible to copy 2 or more files?
 
currently you can only copy one file at a time. i am testing directory copy and mounting now, and will be making a mini video soon explaining these things with debugger.
 
currently you can only copy one file at a time. i am testing directory copy and mounting now, and will be making a mini video soon explaining these things with debugger.

Sorry to bother you, but does "directory copy" mean folder and subfolders? Or just one at a time?

Thank you!
 
@esc0rtd3w So, can you write to dev_flash on super slim with this exploit? So in theory you could have any XMB "xml/rco only" mods for 3k/super slim like XMBM and Package Manager. Kind of interesting but it would not really add much except ability to install signed pkgs from USB, and also XMBM would give the ability to delete files from the XMB using the unlink trick.
 
@esc0rtd3w tested version v004-TEST-VERSION-1 4.81 DEX: after a successful initialization, clicking on Execute Chain freezes, as on previous versions.
You are testing in DEX, so have you tried using the ProDG debugger to find out where the problem might be?
esc0rtd3w already explained how to make vsh attachable & debug the ROP chain.
You would typically start with a breakpoint on the chain start, i.e. 0x976bc in DEX 4.81.
From there you can step in & see the parameters being loaded before each syscall or export. Parameters are usually loaded by the gadget starting at 0x6161b8 on DEX.
As explained in the tut, parameters of an export or syscall are passed in registers r3 to r11 & in that order, i.e. 1st param = r3, 2nd param = r4, etc.
In the specific case of a syscall however, r11 is not the 8th parameter but the syscall number.
When a syscall or export fails, it returns an error number placed in r3 in the standard way, i.e. 0x8xxxxxxx.
At the last instruction (usually blr) of an export or syscall gadget, if the value in r3 is 0xFFFFFFFF8xxxxxxx it means an error occurred. If the error is unexpected (& it is always the case in the tutorial ROP chains), most of the time it is because of 1 or more bad parameter(s).
Refer to psdevwiki:
Error Codes listing for error identification: http://www.psdevwiki.com/ps3/Error_Codes
Syscalls list: http://www.psdevwiki.com/ps3/LV2_Functions_and_Syscalls
VSH exports list: http://www.psdevwiki.com/ps3/VSH_Exports
Using the debugger is the only way to understand what's going on & basically learn anything at all in this tutorial.
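As an added example (not code from the thread or from ps3xploit), the helpers below encode the debugging loop the post describes: map the registers seen before a gadget's call onto parameter positions (r3 onward in order, r11 taken as the syscall number for a syscall) and classify the r3 value at the final blr as a normal return or a sign-extended 0x8xxxxxxx error code to look up on psdevwiki. The register values in the comments and test are constructed, not taken from a real chain.

```python
# Added example, not code from the thread or from ps3xploit: helpers for
# reading a gadget's register state the way the post above describes when
# stepping a ROP chain in the debugger. Register roles follow the post
# (r3.. = parameters in order, r11 = syscall number for syscalls, r3 at the
# final blr = return value); sample values used with it are constructed.

PARAM_REGS = ["r%d" % i for i in range(3, 11)]  # r3..r10 = param 1..8


def is_error_return(r3):
    """True when r3 at the gadget's blr holds an LV2/VSH error (0x8xxxxxxx).

    A 64-bit debugger view shows the sign-extended form 0xFFFFFFFF8xxxxxxx;
    a 32-bit view shows 0x8xxxxxxx. Both are accepted. A genuine 64-bit
    LV2 address such as 0x8000000000xxxxxx is not mistaken for an error.
    """
    low, high = r3 & 0xFFFFFFFF, r3 >> 32
    return bool(low & 0x80000000) and high in (0, 0xFFFFFFFF)


def error_code(r3):
    """Truncate r3 to the 32-bit code listed on psdevwiki Error_Codes."""
    return r3 & 0xFFFFFFFF


def map_parameters(entry_regs, kind):
    """Map the registers seen just before the call onto parameter positions.

    kind is "export" or "syscall". For a syscall, r11 is reported as the
    syscall number (see LV2_Functions_and_Syscalls) rather than a parameter.
    """
    mapped = {}
    for idx, reg in enumerate(PARAM_REGS, start=1):
        if reg in entry_regs:
            mapped["param%d" % idx] = entry_regs[reg]
    if kind == "syscall" and "r11" in entry_regs:
        mapped["syscall_number"] = entry_regs["r11"]
    return mapped


def analyze_gadget(entry_regs, exit_r3, kind):
    """Combine both snapshots: parameters at entry, return value at the blr."""
    report = {"kind": kind, "params": map_parameters(entry_regs, kind)}
    if is_error_return(exit_r3):
        report["status"] = "error"
        report["error_code"] = error_code(exit_r3)  # look up on Error_Codes
    else:
        report["status"] = "ok"
        report["return_value"] = exit_r3
    return report
```

When a gadget reports "error", compare its mapped parameters against the argument list for that export or syscall on psdevwiki; a bad parameter is the usual cause the post points to.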
 
@esc0rtd3w So, can you write to dev_flash on super slim with this exploit? So in theory you could have any XMB "xml/rco only" mods for 3k/super slim like XMBM and Package Manager. Kind of interesting but it would not really add much except ability to install signed pkgs from USB, and also XMBM would give the ability to delete files from the XMB using the unlink trick.
yes :-p

i am testing mounting different partitions now. theoretically could be easily done.

@esc0rtd3w tested version v004-TEST-VERSION-1 4.81 DEX: after a successful initialization, clicking on Execute Chain freezes, as on previous versions.
what chain hex and params are you using?
 