In my previous post about the HENkaku KOTH challenge I mentioned that something good was going to happen when HENkaku KOTH finished. Now Yifan Lu, a member of Team Molecule, has officially announced when the source code will be released, announcing along the way a "major update" to the HENkaku exploit. It is worth mentioning that in the meantime st4rk also solved the final stage of the HENkaku kernel ROP chain, which means he also finished the KOTH challenge. But this is not over yet: Yifan mentioned there is a third challenger (group) that probably did it, but they want to stay quiet for now. I guess that group is known from the PS3 scene, but this is only my unconfirmed assumption.
The HENkaku developers and the reverse engineers who finished the King Of The Hill challenge have agreed to wait until the end of the month with all releases. That's because Team Molecule (xyz, Davee, proxima, Yifan Lu) want to publish the latest source code for HENkaku. This means that HENkaku will be updated before that or at the same time, somewhere at the end of this month. Below you can read Yifan Lu's latest write-up, and you will also find links to the rest of this exciting journey through the HENkaku ROP chain. To fully understand how advanced a piece of code it is, I recommend reading the "full story" of HENkaku reverse engineering.
- Latest Yifan Lu write-up
- Mike.H final stage explanation
- st4rk final stage explanation
- Full story - links
HENkaku KOTH Solved
When HENkaku was first released, we posed to the community the KOTH challenge to get more hackers interested in the Vita. This week, two individuals have separately completed the challenge and are the new kings of Vita hacking! Mike H. and st4rk both proved that they have the final encryption key, showing that they solved the kernel ROP chain. I highly recommend reading their respective posts as they give some great insight into how hacking works. I also know of a third group who might have also completed the challenge but wishes to keep quiet for now. Congratulations to them too!
All participants have been given the prize for solving the challenge and in a short time, everyone will get a peek too. Molecule has gotten quite lazy since the release of HENkaku and since we underestimated the amount of time it would take for the challenge to be completed, we are only midway through polishing up the source code for release. The participants and I have agreed to not release anything until the end of the month. As a bonus for waiting, the source will not be for HENkaku as you know it today–it will be for the major update we have been working on. Stay tuned for more details! In the meantime, it would be fun to see if anyone can run their own kernel payload with all the information out today–it should be possible!
HENkaku Kernel ROP
The rest of this post is dedicated to my own explanation in creating the ROP chain for the challenge. I believe it is the most complex ROP chain ever written (although I haven’t seen too many ROP chains that do work beyond copying code and running it). Enjoy!
FULL ARTICLE: https://yifan.lu/2016/10/20/henkaku-koth-solved/
Here it is, Stage 3, the last stage of HENkaku. This was by far the toughest to crack, so, let's dive in!
HENkaku - Stage 3
In Stage 2, we analyzed how HENkaku exploits two distinct kernel bugs to achieve code execution: a memory leak bug (in the sceIoDevctl function) to defeat KASLR and a use-after-free (in the sceNetIoctl function) to break into the kernel and do ROP.
However, since the execution flow switches over to a ROP chain planted into the kernel, we still couldn't figure out what was happening next.
Like I mentioned in the previous write-up's ending note, dumping the kernel (more specifically, the SceSysmem module) was now necessary. Team molecule did not provide any additional vulnerability that we could use for this purpose, so, it was up to the participants to figure it out themselves.
I had already found a potential memory leak vulnerability while playing around with Stage 2 but, unfortunately, due to its nature (out-of-bounds read) it wasn't enough to reach the SceSysmem module.
Frustrated, I began looking for other plausible entry-points. It took me several attempts and required analyzing several key components of the Vita's system:
The SceNet module was the origin of the use-after-free and I had already an OOB read there, so, what else could be in there?
The SceDriverUser module exposes a decent amount of unique system calls for the filesystem. Some of them crash. Can I leak memory here?
Developers don't pay much attention to security when it comes to implement media handling. Some specific audio handling features are taken care by the kernel itself. Can I compromise it?
Just like with audio, graphics are a common source of flaws. The Vita has plenty of libraries with unique system calls for this (SceGpuEs4User, SceGxm, ScePaf). Will this help?
User applications are managed by modules that heavily communicate with the kernel (SceAppUtil and SceDriverUser via SceAppMgr calls). Perhaps this can be taken down?
Eventually, one of those gave me what I wanted and I was able to dump the entire Vita's kernel memory. After locating the SceSysmem module among the dumped binaries I became able to solve the rest of the challenge.
On a side note, I did attempt blind ROP at first by relocating a few gadgets and taking wild guesses, but team molecule made sure it wouldn't be that easy. The gadgets' placement makes it very difficult to predict what each one will do.
HENkaku PS Vita CTF: The end?
Kept you waiting huh?
So finally we got the final straight of HENkaku CTF. If you don’t remember it, this is the CTF made months ago by the Molecule Team for everyone that is interested in learning more about PS Vita security. Before anything, make sure that you already read both my point of view from stage2 and the xyz write up about the Vita kernel exploit that made all of this possible. Let’s get started!
Stage 3: Cryptanalysis
After finishing stage 2, I started to analyze the stage 3 payloads. As I explained before, these payloads are encrypted with AES-ECB, and I discovered it because you can leak some information about the plaintext by observing the ciphertext. It’s one of the weaknesses of ECB mode (and that is one of many reasons that ECB mode is really not recommended). Exploring this weakness in both payload 1 (loader.enc) and payload 2 (payload.enc), I noticed it in payload 1:
Stage 3 Payload 1
In ECB mode, if you encrypt with the same key two plaintexts with few changes, the ciphertext will only change where the plaintext was changed. As payload 2 really changed a lot between HENkaku versions (you can notice it by doing a hex diff between them), I guessed that the last bytes of payload 1 are the key used to encrypt/decrypt payload 2! So it has a different key per version. I tried to explore this weakness and find a way to get the plaintext, but I didn’t have success. Even with crazy ideas like modifying the key at the end of payload 1 and trying to craft a branch instruction that would run my code in payload 2, and other craziness, I considered giving up. As far as I know, only with a known plaintext could we do something. Anyway, it gave me some important information about what I’m dealing with and was useful for the next approach.
Stage 3: ROP-chain brute-force
This was the second approach that I tried. For this I needed as much information as possible about HENkaku stage 3; with the cryptanalysis I determined that we are dealing with a payload 1 with a fixed key and a payload 2 that has a key per version. Another good source of information was the xyz write-up about the stage 2 exploit, which explained that the leaked addresses used are from SceSysMem, and after the stage 2 analysis release, Team Molecule updated the HENkaku repository, which was a nice place to look for information! After some time looking into the loader.rop.in file and krop.rop I found this:[...]
FULL ARTICLE: http://st4rk.net/2016/10/21/henkaku-ps-vita-ctf-the-end/
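The ECB observation st4rk describes above (a change confined to one plaintext block changes only the matching ciphertext block, whereas a chained mode propagates it to every later block), as an added Go example that is not from st4rk's write-up or the HENkaku project; the key and the two "payload versions" are constructed sample values, not HENkaku's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encrypt returns pt (a whole number of AES blocks, no padding) encrypted under key
// in ECB mode or, when cbc is set, in CBC mode with a zero IV (fine only for this
// comparison). ECB encrypts every block independently; CBC chains them.
func encrypt(key, pt []byte, cbc bool) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(pt), aes.BlockSize)
	}
	ct := make([]byte, len(pt))
	if cbc {
		cipher.NewCBCEncrypter(b, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
		return ct, nil
	}
	for i := 0; i < len(pt); i += aes.BlockSize { // ECB: one independent AES call per block
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// changedBlocks is the "hex diff" view: indices of the 16-byte blocks where a and b differ.
func changedBlocks(a, b []byte) []int {
	var idx []int
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			idx = append(idx, i/aes.BlockSize)
		}
	}
	return idx
}

// samplePayloads builds two constructed 4-block "versions" of a payload that are
// identical except for block 1, a stand-in for an embedded per-version key.
func samplePayloads() (v1, v2 []byte) {
	v1 = []byte("same loader code" + "PERVERSIONKEY_v1" + "unchanged block2" + "unchanged block3")
	v2 = bytes.Replace(v1, []byte("KEY_v1"), []byte("KEY_v2"), 1)
	return v1, v2
}
```

Running `changedBlocks` over the ECB ciphertexts of the two versions reports only block 1, while over the CBC ciphertexts it reports blocks 1, 2 and 3.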
- HENkaku: Vita homebrew for everyone
- HENkaku KOTH Challenge
- HENkaku - Exploit teardown - Stage 1
- Exploiting WebKit on Vita 3.60
- On HENkaku offline installer
- Yes, it's a kernel exploit!
- HENkaku PS Vita CTF: Reverse Engineering
- HENkaku - Exploit teardown - Stage 2
- Vita sceNetIoctl use-after-free
- HENkaku - Exploit teardown - Stage 3
- HENkaku PS Vita CTF: The end?
- HENkaku KOTH Solved
PS VITA / PS TV HENkaku KOTH solved + Major update to henkaku announced
By kozarovv on Oct 21, 2016 at 4:03 AM