mathieulh / PS-Vita-Early-Kernel-Exploit-Toolbox

Licence: GPL-2.0 license
A set of tools to be used on low firmware while obtaining arbitrary kernel execution

PS Vita Early Kernel Exploit Toolbox

This repo contains exploits for use on early PS Vita firmware. It includes two examples of kernel code execution via the syscall handler overflow vulnerability present in firmware prior to 1.61: one for PKG decryption and one for NAND dumping.

There is also code which exploits a function in libSceNgsInternal; this requires crafting a custom library that is used when compiling the application.

Crafting libraries

See: https://github.com/mathieulh/PS-Vita-Early-Kernel-Exploit-Toolbox/blob/master/kdumper/README.md

NAND dumper

A simple NAND dumper.

The code currently supports firmware 0.945, 0.995 and 1.500, but it can be adapted to any firmware prior to 1.61.

PKG decrypter

A simple PKG decrypter. The code currently only supports FW 1.500 for PKG decryption, but it can be ported to other firmware by dumping the appropriate regions and finding the new offsets of the required functions.

Usage:

  1. Clone the repo and ensure you have the appropriate SDK and tools installed for the target FW.

  2. Right-click kexec project -> Post-Build Event. Edit the path to match the location of new.c and the path to copy the payload to (default is C:\FSD\kexec.bin).

  3. Adjust the preprocessor definitions at the top of BOTH main.c and new.c to suit the firmware the target Vita is currently on.

  4. Compile and run the user process either from within Visual Studio or manually via Neighborhood -> Load Executable.

Notes:

new.c should NOT be compiled by SNC/MSBuild or any of the VS tools. It is built using yagarto, specifically with the buildme.bat script, and the resulting payload is then copied to the file serving directory as kexec.bin.

Alternatively, find the following line in kexec.vcxproj and adjust the paths appropriately:

<Command>$(SolutionDir)\..\yagarto\bin\buildme.bat "C:\Users\PS3SDK\Desktop\1.03_kdump\post\yagarto\bin\new.c" "C:\FSD\kexec.bin"</Command>

Credits

Thanks to mathieulh, LemonHaze, CelesteBlue, The Flow and Proxima.
