In my previous post about the HENkaku KOTH challenge I mentioned that something good was going to happen when HENkaku KOTH finished. Now Molecule team member Yifan Lu has officially announced when the source code will be released, announcing along the way a "major update" to the HENkaku exploit. It is worth mentioning that in the meantime st4rk also solved the final stage of the HENkaku kernel ROP chain, which means he also finished the KOTH challenge. But this is not over yet: Yifan mentioned there is a third challenger (group) that probably did it, but they want to stay quiet for now. I guess that group is known from the PS3 scene, but this is only my unconfirmed assumption.
The HENkaku developers and the reverse engineers who finished the King Of The Hill challenge agreed to wait until the end of the month with all releases. That's because the Molecule team (xyz, Davee, proxima, Yifan Lu) want to publish the latest source code for HENkaku. This means that HENkaku will be updated before then or at the same time, somewhere at the end of this month. Below you can read the latest Yifan Lu write-up, and you will also find links to the rest of this exciting journey through the HENkaku ROP chain. To fully understand how advanced a piece of code it is, I recommend reading the "full story" of the HENkaku reverse engineering.
- Latest Yifan Lu write-up
- Mike.H final stage explanation
- st4rk final stage explanation
- Full story - links
HENkaku KOTH Solved
When HENkaku was first released, we posed to the community the KOTH challenge to get more hackers interested in the Vita. This week, two individuals have separately completed the challenge and are the new kings of Vita hacking! Mike H. and st4rk both proved that they have the final encryption key, showing that they solved the kernel ROP chain. I highly recommend reading their respective posts as they give some great insight into how hacking works. I also know of a third group who might have also completed the challenge but wishes to keep quiet for now. Congratulations to them too!
All participants have been given the prize for solving the challenge and in a short time, everyone will get a peek too. Molecule has gotten quite lazy since the release of HENkaku and since we underestimated the amount of time it would take for the challenge to be completed, we are only midway through polishing up the source code for release. The participants and I have agreed to not release anything until the end of the month. As a bonus for waiting, the source will not be for HENkaku as you know it today–it will be for the major update we have been working on. Stay tuned for more details! In the meantime, it would be fun to see if anyone can run their own kernel payload with all the information out today–it should be possible!
HENkaku Kernel ROP
The rest of this post is dedicated to my own explanation in creating the ROP chain for the challenge. I believe it is the most complex ROP chain ever written (although I haven’t seen too many ROP chains that do work beyond copying code and running it). Enjoy!
FULL ARTICLE: https://yifan.lu/2016/10/20/henkaku-koth-solved/
Here it is, Stage 3, the last stage of HENkaku. This was by far the toughest to crack, so, let's dive in!
HENkaku - Stage 3
In Stage 2, we analyzed how HENkaku exploits two distinct kernel bugs to achieve code execution: a memory leak bug (in the sceIoDevctl function) to defeat KASLR and a use-after-free (in the sceNetIoctl function) to break into the kernel and do ROP.
However, since the execution flow switches over to a ROP chain planted into the kernel, we still couldn't figure out what was happening next.
Like I mentioned in the previous write-up's ending note, dumping the kernel (more specifically, the SceSysmem module) was now necessary. Team molecule did not provide any additional vulnerability that we could use for this purpose, so, it was up to the participants to figure it out themselves.
I had already found a potential memory leak vulnerability while playing around with Stage 2 but, unfortunately, due to its nature (out-of-bounds read) it wasn't enough to reach the SceSysmem module.
Frustrated, I began looking for other plausible entry-points. It took me several attempts and required analyzing several key components of the Vita's system:
- The SceNet module was the origin of the use-after-free and I already had an OOB read there, so, what else could be in there?
- The SceDriverUser module exposes a decent amount of unique system calls for the filesystem. Some of them crash. Can I leak memory here?
- Developers don't pay much attention to security when it comes to implementing media handling. Some specific audio handling features are taken care of by the kernel itself. Can I compromise it?
- Just like with audio, graphics are a common source of flaws. The Vita has plenty of libraries with unique system calls for this (SceGpuEs4User, SceGxm, ScePaf). Will this help?
- User applications are managed by modules that heavily communicate with the kernel (SceAppUtil and SceDriverUser via SceAppMgr calls). Perhaps this can be taken down?
Eventually, one of those gave me what I wanted and I was able to dump the entire Vita's kernel memory. After locating the SceSysmem module among the dumped binaries I became able to solve the rest of the challenge.
On a side note, I did attempt blind ROP at first by relocating a few gadgets and taking wild guesses, but team molecule made sure it wouldn't be that easy. The gadgets' placement makes it very difficult to predict what each one will do.
HENkaku PS Vita CTF: The end?
Kept you waiting huh?
So finally we got to the final straight of the HENkaku CTF. If you don’t remember it, this is the CTF made months ago by the Molecule Team for everyone that is interested in learning more about PS Vita security. Before anything, make sure that you have already read both my point of view from stage 2 and the xyz write-up about the Vita kernel exploit that made all of this possible. Let’s get started!
Stage 3: Cryptanalysis
After finishing stage 2, I started to analyze the stage 3 payloads. As I explained before, these payloads are encrypted with AES-ECB and I discovered it because you can leak some information about the plaintext by observing the ciphertext. It’s one of the weaknesses of ECB mode (and that is one of many reasons that ECB mode is really not recommended). Exploring this weakness in both payload 1 (loader.enc) and payload 2 (payload.enc), I noticed it in payload 1:
Stage 3 Payload 1
In ECB mode, if you encrypt two plaintexts with few changes under the same key, the ciphertext will only change where the plaintext was changed. As payload 2 really changed a lot between HENkaku versions (you can notice it by doing a hex diff between them), I guessed that the last bytes of payload 1 are the key used to encrypt/decrypt payload 2! So it has a different key per version. I tried to explore this weakness and find a way to get the plaintext, but I didn’t have success. Even with crazy ideas like modifying the key at the end of payload 1 and trying to craft a branch instruction that would run my code in payload 2, and other craziness, I considered giving up. As far as I know, only with a known plaintext could we do something. Anyway, it gave me some important information about what I’m dealing with and was useful for the next approach.
Stage 3: ROP-chain brute-force
This was the second approach that I tried. For this I needed as much information as possible about the HENkaku stage 3; with the cryptanalysis I determined that we are dealing with a payload 1 with a fixed key and a payload 2 that has a key per version. Another good source of information was the xyz write-up about the stage 2 exploit, which explained that the leaked addresses used are from SceSysMem, and after the stage 2 analysis release, Team Molecule updated the HENkaku repository, which was a nice place to look for information! After some time looking into the loader.rop.in file and krop.rop I found this:[...]
FULL ARTICLE: http://st4rk.net/2016/10/21/henkaku-ps-vita-ctf-the-end/
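The ECB property st4rk describes, as an added example (not code from st4rk's post or from HENkaku): two versions of a constructed payload 1 that differ only in a trailing 16-byte key encrypt to ciphertexts that differ in exactly that block, while the same payload 2 encrypted under two different keys differs in every block. It also shows the other classic ECB leak, repeated plaintext blocks showing up as repeated ciphertext blocks, which the post does not cover. A hash-based keyed block function stands in for AES, since the leak depends only on the mode, and every payload byte and key below is constructed.

```python
import hashlib

BLOCK = 16  # AES block size; ECB encrypts every 16-byte block on its own

def keyed_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for one AES block encryption. Assumption: the ECB leak shown
    # here depends only on the mode, so any deterministic keyed 16-byte
    # function exhibits it. This is NOT AES and is not invertible.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: blocks are independent, so editing one plaintext block changes
    # exactly one ciphertext block, and repeated plaintext blocks repeat.
    padded = pkcs7_pad(plaintext)
    return b"".join(keyed_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))

def changed_blocks(ct_a: bytes, ct_b: bytes) -> list:
    # Indices of the blocks where two equal-length ECB ciphertexts differ.
    if len(ct_a) != len(ct_b) or len(ct_a) % BLOCK:
        raise ValueError("ciphertexts must be equal multiples of BLOCK")
    return [i // BLOCK for i in range(0, len(ct_a), BLOCK)
            if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]]

def repeated_blocks(ct: bytes) -> int:
    # Ciphertext blocks that duplicate an earlier block: under ECB this is
    # exactly the number of duplicated plaintext blocks (a second leak).
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def demo() -> dict:
    # Constructed sample data, not HENkaku's real payloads or keys.
    fixed_key = b"fixed-loader-key"                  # same for every version
    loader_code = bytes(range(256)) * 2              # 512 bytes; 2nd half repeats 1st
    key_v1, key_v2 = bytes(16), bytes([0xAA]) * 16   # per-version payload-2 keys
    loader_v1 = ecb_encrypt(fixed_key, loader_code + key_v1)  # payload 1, v1
    loader_v2 = ecb_encrypt(fixed_key, loader_code + key_v2)  # payload 1, v2
    payload_code = b"second stage code" * 40
    payload_v1 = ecb_encrypt(key_v1, payload_code)   # payload 2 under v1 key
    payload_v2 = ecb_encrypt(key_v2, payload_code)   # payload 2 under v2 key
    return {
        "loader_diff": changed_blocks(loader_v1, loader_v2),      # [32]: key block only
        "payload_diff": len(changed_blocks(payload_v1, payload_v2)),
        "payload_blocks": len(payload_v1) // BLOCK,               # all 43 differ
        "loader_repeats": repeated_blocks(loader_v1),             # 16
    }
```

Run `demo()` to see the three observations side by side: the loader diff pinpoints the trailing key block, the payload diff touches every block, and the duplicated loader half is visible without any key.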
- HENkaku: Vita homebrew for everyone
- HENkaku KOTH Challenge
- HENkaku - Exploit teardown - Stage 1
- Exploiting WebKit on Vita 3.60
- On HENkaku offline installer
- Yes, it's a kernel exploit!
- HENkaku PS Vita CTF: Reverse Engineering
- HENkaku - Exploit teardown - Stage 2
- Vita sceNetIoctl use-after-free
- HENkaku - Exploit teardown - Stage 3
- HENkaku PS Vita CTF: The end?
- HENkaku KOTH Solved
PS VITA / PS TV HENkaku KOTH solved + Major update to henkaku announced
By kozarovv on Oct 21, 2016 at 4:03 AM