Library for the exploitation of the PSP kernel with the aim of easing the creation of OFW-compatible homebrew with kernel access.

With the use of signing utilities, it is simple and easy to create homebrew for the PSP that runs on Official Firmware. These homebrew, however, only have access to the user-mode API, meaning their access to the system is restricted. This library provides an easy-to-use universal solution for writing homebrew with kernel access for OFW.

You must include `libpspexploit.h` and `libpspexploit.a` in your homebrew and use the API to elevate privileges in your homebrew.
The functions to be called (in order) to achieve kernel privilege are the following:

- `pspXploitInitKernelExploit`: initializes the necessary information to trigger the kernel vulnerability. Takes no arguments. Returns 0 on success.
- `pspXploitDoKernelExploit`: corrupts the kernel memory to allow escalation of privileges. Takes no arguments. Returns 0 on success.
- `pspXploitExecuteKernel`: takes a pointer to a function as argument and executes that function with kernel privileges. Returns nothing.
- `pspXploitRepairKernel`: repairs the damage done to the kernel by `pspXploitDoKernelExploit`. This reverts the kernel exploit.
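As an added example (not part of libpspexploit itself), a small wrapper that drives the four calls above in the documented order and guarantees the repair step runs once the kernel has been corrupted; it assumes the signatures stated above (init/do return `int`, execute takes a `void (*)(void)`, repair takes no arguments) and a hypothetical `HAVE_LIBPSPEXPLOIT` macro that selects the real header on a PSP build.

```c
#include <string.h>

/* On a real PSP build, define HAVE_LIBPSPEXPLOIT in the Makefile and link
 * against libpspexploit.a; the header name is the one this README gives. */
#ifdef HAVE_LIBPSPEXPLOIT
#include "libpspexploit.h"
#else
/* Host-side stand-in (an assumption, not the real library): it mirrors only
 * the documented contract -- init/do return 0 on success, execute calls the
 * callback, repair reverts -- and records the call order for checking. */
static char g_trace[64];
int pspXploitInitKernelExploit(void) { strcat(g_trace, "I"); return 0; }
int pspXploitDoKernelExploit(void)   { strcat(g_trace, "D"); return 0; }
void pspXploitExecuteKernel(void (*fn)(void)) { strcat(g_trace, "E"); fn(); }
void pspXploitRepairKernel(void)     { strcat(g_trace, "R"); }
#endif

/* pspXploitExecuteKernel returns nothing, so the kernel-mode callback hands
 * its result back through a static slot instead of a return value. */
static int (*g_kernel_job)(void);
static int g_kernel_result;

static void kernel_trampoline(void)
{
    g_kernel_result = g_kernel_job();
}

/* Run `job` with kernel privileges in the documented order:
 * init -> do -> execute -> repair. Once the kernel has been corrupted,
 * repair is always called, even if the job reports an error, so the
 * system is left as it was. Returns -1 for a missing job, -2/-3 when the
 * library's init/do step fails, otherwise the job's own return value. */
int run_in_kernel(int (*job)(void))
{
    if (job == NULL) return -1;
    if (pspXploitInitKernelExploit() != 0) return -2;
    if (pspXploitDoKernelExploit() != 0) return -3;
    g_kernel_job = job;
    g_kernel_result = -4; /* left in place if the trampoline never ran */
    pspXploitExecuteKernel(kernel_trampoline);
    pspXploitRepairKernel();
    return g_kernel_result;
}

/* Example job (hypothetical): the kernel-mode work your homebrew needs,
 * e.g. the pspXploitSetUserLevel / pspXploitFind* calls listed below. */
static int sample_job(void)
{
    return 0; /* report success back to user mode */
}
```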
Once kernel access has been granted, the following functions can be used to aid in the creation of your homebrew:

- `pspXploitSetUserLevel`: allows setting the user level to a higher-privilege one.
- `pspXploitFindFunction`: resolves the exact address of a function via its module name, library name and NID.
- `pspXploitFindModuleByName`: obtains the SceModule structure via the module name.
- `pspXploitFindTextAddrByName`: obtains the module's text address via its name.
The library also offers a table of common kernel functions, which can be initialized by calling `pspXploitScanKernelFunctions`, as well as a variety of macros and algorithms to help with the development of kernel-mode homebrew in OFW.
The library combines several vulnerabilities and algorithms that have been developed throughout the years of the PSP scene. The most important vulnerabilities used are:

- `sceRtcCompareTick`: a read-only vulnerability. Allows us to obtain the precise data at any kernel address. This lets us analyze the kernel before even attempting to corrupt it.
- `sceSdGetLastIndex`: a write vulnerability. Allows us to partially write to any address in kernel memory, altering the behaviour of the kernel to allow escalating privileges.
These two vulnerabilities were chosen because they are both available on firmwares 2.80 all the way up to 6.61, which are the firmware versions we aim for since they can run demos (which is how we sign our homebrew). They might exist in lower firmwares, but other methods of executing your EBOOT.PBP will be required (such as plain ELF on 1.00, the kxploit format on 1.50 or eLoader on 2.00).
A few kernel homebrew that have already been ported to OFW are:

- Universal Flash Dumper: dumps files in PSP flash and other useful information. https://github.com/PSP-Archive/Universal-Flash-Dumper
- PSP Ident: displays very helpful information about your PSP. To be released.
- PSP MSID dumper: dumps the ID of your memory stick. To be released.
- PSP IDPS dumper: dumps the IDPS of your PSP. To be released.
- qwikrazor87: for his discovery of the kernel vulnerability in `sceSdGetLastIndex`.
- Davee: for figuring out the `sceRtcCompareTick` kernel exploit.
- CelesteBlue: for the simple, fast and robust implementation of `sceRtcCompareTick`.
- Acid_Snake: for implementing the `sceSdGetLastIndex` kernel exploit and this very library.