In my previous post about the HENkaku KOTH challenge I mentioned that something good was going to happen when HENkaku KOTH finished. Now Molecule team member Yifan Lu has officially announced when the source code will be released, announcing a "major update" to the HENkaku exploit along the way. It is worth mentioning that in the meantime st4rk also solved the final stage of the HENkaku kernel ROP chain, which means he also finished the KOTH challenge. But this is not over yet: Yifan mentioned there is a third challenger (group) that probably did it, but they want to stay quiet for now. I guess that group is known from the PS3 scene, but this is only my unconfirmed assumption.
HENkaku developers and the reverse engineers who finished the King Of The Hill challenge agreed to wait until the end of the month with all releases. That's because the Molecule team (xyz, Davee, proxima, Yifan Lu) want to publish the latest source code for HENkaku. This means HENkaku will be updated before that or at the same time, somewhere around the end of this month. Below you can read Yifan Lu's latest write-up, and you will also find links to the rest of this exciting journey through the HENkaku ROP chain. To fully understand how advanced a piece of code it is, I recommend reading the "full story" of HENkaku reverse engineering.
- Latest Yifan Lu write-up
- Mike.H final stage explanation
- st4rk final stage explanation
- Full story - links
HENkaku KOTH Solved
When HENkaku was first released, we posed to the community the KOTH challenge to get more hackers interested in the Vita. This week, two individuals have separately completed the challenge and are the new kings of Vita hacking! Mike H. and st4rk both proved that they have the final encryption key, showing that they solved the kernel ROP chain. I highly recommend reading their respective posts as they give some great insight into how hacking works. I also know of a third group who might have also completed the challenge but wishes to keep quiet for now. Congratulations to them too!
All participants have been given the prize for solving the challenge and in a short time, everyone will get a peek too. Molecule has gotten quite lazy since the release of HENkaku and since we underestimated the amount of time it would take for the challenge to be completed, we are only midway through polishing up the source code for release. The participants and I have agreed to not release anything until the end of the month. As a bonus for waiting, the source will not be for HENkaku as you know it today–it will be for the major update we have been working on. Stay tuned for more details! In the meantime, it would be fun to see if anyone can run their own kernel payload with all the information out today–it should be possible!
HENkaku Kernel ROP
The rest of this post is dedicated to my own explanation in creating the ROP chain for the challenge. I believe it is the most complex ROP chain ever written (although I haven't seen too many ROP chains that do work beyond copying code and running it). Enjoy!
FULL ARTICLE: https://yifan.lu/2016/10/20/henkaku-koth-solved/
Here it is, Stage 3, the last stage of HENkaku. This was by far the toughest to crack, so, let's dive in!
HENkaku - Stage 3
In Stage 2, we analyzed how HENkaku exploits two distinct kernel bugs to achieve code execution: a memory leak bug (in the sceIoDevctl function) to defeat KASLR and a use-after-free (in the sceNetIoctl function) to break into the kernel and do ROP.
However, since the execution flow switches over to a ROP chain planted into the kernel, we still couldn't figure out what was happening next.
Like I mentioned in the previous write-up's ending note, dumping the kernel (more specifically, the SceSysmem module) was now necessary. Team molecule did not provide any additional vulnerability that we could use for this purpose, so, it was up to the participants to figure it out themselves.
I had already found a potential memory leak vulnerability while playing around with Stage 2 but, unfortunately, due to its nature (out-of-bounds read) it wasn't enough to reach the SceSysmem module.
Frustrated, I began looking for other plausible entry-points. It took me several attempts and required analyzing several key components of the Vita's system:
The SceNet module was the origin of the use-after-free and I already had an OOB read there, so, what else could be in there?
The SceDriverUser module exposes a decent amount of unique system calls for the filesystem. Some of them crash. Can I leak memory here?
Developers don't pay much attention to security when it comes to implementing media handling. Some specific audio handling features are taken care of by the kernel itself. Can I compromise it?
Just like with audio, graphics are a common source of flaws. The Vita has plenty of libraries with unique system calls for this (SceGpuEs4User, SceGxm, ScePaf). Will this help?
User applications are managed by modules that heavily communicate with the kernel (SceAppUtil and SceDriverUser via SceAppMgr calls). Perhaps this can be taken down?
Eventually, one of those gave me what I wanted and I was able to dump the entire Vita's kernel memory. After locating the SceSysmem module among the dumped binaries I was able to solve the rest of the challenge.
On a side note, I did attempt blind ROP at first by relocating a few gadgets and taking wild guesses, but team molecule made sure it wouldn't be that easy. The gadgets' placement makes it very difficult to predict what each one will do.
HENkaku PS Vita CTF: The end?
Kept you waiting huh?
So finally we got the final straight of HENkaku CTF. If you don't remember it, this is the CTF made months ago by the Molecule Team for everyone that is interested in learning more about PS Vita security. Before anything, make sure that you already read both my point of view from stage 2 and the xyz write-up about the Vita kernel exploit that made all of this possible. Let's get started!
Stage 3: Cryptanalysis
After finishing stage 2, I started to analyze the stage 3 payloads. As I explained before, these payloads are encrypted with AES-ECB and I discovered it because you can leak some information about the plaintext by observing the ciphertext. It's one of the weaknesses of ECB mode (and that is one of many reasons that ECB mode is really not recommended). Exploring this weakness in both payload 1 (loader.enc) and payload 2 (payload.enc), I noticed it in payload 1:
Stage 3 Payload 1
In ECB mode, if you encrypt with the same key two plaintexts with few changes, the ciphertext will only change where the plaintext was changed. As payload 2 really changed a lot between HENkaku versions (you can notice it by doing a hex diff between them), I guessed that the last bytes from payload 1 are the key used to encrypt/decrypt payload 2! So it has a different key per version. I tried to explore this weakness and find a way to get the plaintext, but I didn't have success. Even with crazy ideas like modifying the key at the end of payload 1 and trying to craft a branch instruction that would run my code in payload 2 and other craziness, I considered giving up. As far as I know, only with a known plaintext could we do something. Anyway, it gave me some important information about what I'm dealing with and was useful for the next approach.
Stage 3: ROP-chain brute-force
This was the second approach that I tried. For this I needed as much information as possible about the HENkaku stage 3; with the cryptanalysis I determined that we are dealing with payload 1 with a fixed key and a payload 2 that has a key per version. Another good source of information was the xyz write-up about the stage 2 exploit, which explained that the leaked addresses used are from SceSysMem, and after the stage 2 analysis release, Team Molecule updated the HENkaku repository, which was a nice place to look for information! After some time looking into the loader.rop.in file and krop.rop I found this:[...]
FULL ARTICLE: http://st4rk.net/2016/10/21/henkaku-ps-vita-ctf-the-end/
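The ECB property st4rk relies on above (only the blocks whose plaintext changed produce a different ciphertext block, so a block-wise hex diff of two payload versions localizes the edit), as an added example that is not code from any of the quoted write-ups. It uses a small Feistel permutation as a constructed, insecure stand-in for AES so it runs offline; the block-level observation depends only on the mode, so it is identical with real AES-ECB, and CBC is included to show the contrast.

```python
import hashlib

BLOCK = 16  # AES block size; the block-wise diff below depends only on this

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of a toy Feistel cipher: a constructed stand-in for AES (NOT secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation of one 16-byte block. With a fixed key this is a fixed
    # bijection, which is the only property the ECB observation relies on (AES has it too).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, rnd)))
    return l + r

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block is encrypted independently of its neighbours.
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC, for contrast: each plaintext block is XORed with the previous ciphertext block.
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def changed_blocks(ct_a: bytes, ct_b: bytes) -> list:
    # Block-wise hex diff of two ciphertexts: indices of the 16-byte blocks that differ.
    n = min(len(ct_a), len(ct_b)) // BLOCK
    return [i for i in range(n)
            if ct_a[i * BLOCK:(i + 1) * BLOCK] != ct_b[i * BLOCK:(i + 1) * BLOCK]]

def demo() -> dict:
    key, iv = b"constructed-key!", b"constructed-iv!!"
    # Constructed stand-ins for two "versions" of a payload: 8 blocks, only block 2 edited.
    v1 = b"".join(bytes([i]) * BLOCK for i in range(8))
    v2 = v1[:2 * BLOCK] + b"\xff" * BLOCK + v1[3 * BLOCK:]
    return {
        "ecb": changed_blocks(ecb_encrypt(key, v1), ecb_encrypt(key, v2)),
        "cbc": changed_blocks(cbc_encrypt(key, iv, v1), cbc_encrypt(key, iv, v2)),
    }

if __name__ == "__main__":
    print(demo())  # ECB pinpoints the edited block; CBC smears it over every later block
```

Run against two real encrypted payload versions, `changed_blocks` gives the same block-index map st4rk derived by hand, which is why a per-version key sitting at the end of payload 1 shows up as a change confined to the trailing blocks.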
- HENkaku: Vita homebrew for everyone
- HENkaku KOTH Challenge
- HENkaku - Exploit teardown - Stage 1
- Exploiting WebKit on Vita 3.60
- On HENkaku offline installer
- Yes, it's a kernel exploit!
- HENkaku PS Vita CTF: Reverse Engineering
- HENkaku - Exploit teardown - Stage 2
- Vita sceNetIoctl use-after-free
- HENkaku - Exploit teardown - Stage 3
- HENkaku PS Vita CTF: The end?
- HENkaku KOTH Solved
PS VITA / PS TV HENkaku KOTH solved + Major update to henkaku announced
By kozarovv on Oct 21, 2016 at 4:03 AM