4 October, 2014
2019 UPDATE: This software is pretty bad. It was a tool I created while learning and it sucks a lot. If you’re here looking for a tool, I wouldn’t recommend using this one. If you’re here to learn some history then go ahead!
I’ve done a post about Return Oriented Programming (ROP) before, where I described the basic operation of a ROP chain. The publicly available pentest tooling for ROP is largely oriented around the Intel x86 architecture.
12 July, 2013
Today’s post is a short one, but I’ve recently started playing around with ClipUpload. ClipUpload is a very clever, yet very simple, clipboard upload tool which will upload whatever is in your clipboard to a variety of destinations, including Facebook, Imgur, Pastebin or even your own FTP server.
Whilst uploading to an FTP server is pretty cool, FTP sends both the login credentials and the file contents in the clear, and I’d much rather have a secure transfer. That being said, I forked the code and, with the help of SharpSSH, modified the FTP addon to produce a fully working SCP addon.
Introduction to Return Oriented Programming
11 May, 2013
This will be a small introduction to return oriented programming, commonly referred to as ROP. I’ve had a lot of experience with security measures but never really had any hands-on experience with more modern mitigations such as non-executable stack/data (DEP, NX, XN, W^X) or Address Space Layout Randomisation (ASLR).
The non-executable stack isn’t really limited to the stack: any memory that isn’t mapped as code can’t be executed. So, unlike on the PSP, you can’t just jump into the savedata you control and have the day’s work done; the payload has to be stitched together out of code that is already executable, which is exactly what a ROP chain does.
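To make the idea concrete, here is an added example (not code from the original post) of the two mechanical pieces a ROP chain needs: finding short "pop ... ; ret" sequences that already exist in executable memory, and laying out the stack so each gadget’s ret hands control to the next address. The code bytes are a constructed x86-32 sample, not from any real binary, and the image base 0x08048000 is an assumption; with ASLR on, that base would have to come from a leak. The scanner only recognises single-byte pops, and because x86 instructions are variable-length the backward walk will also report byte sequences that were never meant to be instructions, which is normal in gadget hunting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-32 code bytes standing in for a slice of an executable
 * page. Not taken from any real binary. */
static const uint8_t sample_code[] = {
    0x55,             /*  0: push ebp                                   */
    0x89, 0xe5,       /*  1: mov  ebp, esp                              */
    0x5d,             /*  3: pop  ebp                                   */
    0xc3,             /*  4: ret                                        */
    0x58,             /*  5: pop  eax                                   */
    0x5a,             /*  6: pop  edx                                   */
    0xc3,             /*  7: ret                                        */
    0x90,             /*  8: nop                                        */
    0x5b,             /*  9: pop  ebx (followed by leave, not by ret)   */
    0xc9,             /* 10: leave                                      */
    0xc3,             /* 11: ret                                        */
};

static const char *const reg32[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

#define MAX_POPS 8

/* One gadget: starts at `offset`, executes `npops` single-byte pops into
 * regs[0..npops-1] (x86 register numbers), then ret. */
typedef struct {
    size_t  offset;
    int     npops;
    uint8_t regs[MAX_POPS];
} gadget_t;

/* Find every "(pop r32)* ; ret" gadget. For each 0xC3 byte we walk
 * backwards while the preceding byte is a single-byte pop (0x58..0x5F).
 * A bare ret is reported as a gadget with npops == 0. Returns the number
 * of gadgets written to `out` (at most `max`). */
size_t find_pop_ret_gadgets(const uint8_t *code, size_t len,
                            gadget_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < len && found < max; i++) {
        if (code[i] != 0xc3)
            continue;
        size_t start = i;
        int npops = 0;
        while (start > 0 && npops < MAX_POPS &&
               code[start - 1] >= 0x58 && code[start - 1] <= 0x5f) {
            start--;
            npops++;
        }
        gadget_t *g = &out[found++];
        g->offset = start;
        g->npops = npops;
        for (int k = 0; k < npops; k++)
            g->regs[k] = (uint8_t)(code[start + k] - 0x58);
    }
    return found;
}

/* Lay out the stack words for one gadget: the gadget address first (it is
 * consumed by the ret that transfers control to us), then one value per
 * pop. The word after these is where the gadget's own ret fetches the next
 * address, so a full chain is just these layouts concatenated.
 * Returns the number of 32-bit words written, or 0 if `max` is too small. */
size_t build_chain(uint32_t image_base, const gadget_t *g,
                   const uint32_t *values, uint32_t *out, size_t max)
{
    size_t need = 1 + (size_t)g->npops;
    if (need > max)
        return 0;
    out[0] = image_base + (uint32_t)g->offset;
    for (int k = 0; k < g->npops; k++)
        out[1 + k] = values[k];
    return need;
}

int main(void)
{
    gadget_t gadgets[16];
    size_t n = find_pop_ret_gadgets(sample_code, sizeof sample_code,
                                    gadgets, 16);
    for (size_t i = 0; i < n; i++) {
        printf("gadget @ +0x%02zx:", gadgets[i].offset);
        for (int k = 0; k < gadgets[i].npops; k++)
            printf(" pop %s;", reg32[gadgets[i].regs[k]]);
        printf(" ret\n");
    }

    /* Assumed image base; with ASLR on this would come from a leak. */
    uint32_t values[2] = { 0x41414141u, 0x42424242u };
    uint32_t chain[8];
    size_t words = build_chain(0x08048000u, &gadgets[1], values, chain, 8);
    for (size_t i = 0; i < words; i++)
        printf("stack[%zu] = 0x%08x\n", i, chain[i]);
    return 0;
}
```

The "pop ebx" at offset 9 is deliberately not reported: it is followed by leave, so control would not return cleanly to the chain. That is the practical difference between a byte that decodes as pop and a usable gadget.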
PSVita Native Hack, c’mon devs!
2 September, 2012
Just to start, congratulations to yifanlu for his excellent work on gaining the first Vita native hack. I’d like to note that I’m just relaying information from a forum post by yifanlu and did not have any input on his work; it’s all his!
Also, if you’re not a developer, please note that there is currently no way to run homebrew, colour your screen, download binaries, hack your device, make a milkshake from 10 miles away or such.
29 March, 2012
Turns out he’s not just a green frog! So, I’ve been throwing this word around recently and it’s probably about time I explain. Kermit, either a protocol or perhaps just a funny name (see KIRK/SPOCK), is the communication interface for the PSP emulator on the Vita. Specifically, it allows the emulated PSP to talk to the host.
Now, I can tell there aren’t as many developers here, so I’ll try to simplify for the curious minds, but this stuff is pretty complicated.
PS Vita PSP HEN
21 March, 2012
First things first, huge thanks to Proxima and some1; they’ve provided key utilities and advice for this research. So, yeah, it was really only a matter of time till this kind of thing happened. Sony don’t just emulate the userland process of a PSP game, they emulate the entire kernel, albeit a modified one. The PSP emulator has limited access to hardware, and what access it has goes through a Kermit module.
Can you crack it? + Solution
3 December, 2011
Thanks to a Facebook message from my dad yesterday, I was informed of this website: Can you Crack it?. So, promptly, I got onto the job, and it was surprisingly easy; I imagine it will be for most people who can reverse engineer and have experience doing so.
Click read more to see how I did it, but I suggest you have a good attempt beforehand. It’s a nice little reverse engineering exercise.
“Chronoswitch” Downgrader 5.0. Advanced 09g Support!
1 September, 2011
As an ongoing project, some1 and I have been enhancing this downgrader since its birth on the 6.31 / 6.35 firmwares. This multi-firmware downgrader allows you to install a lower (or higher) firmware without any fuss. No complex flash0 sharing, just running the firmware update.
However, there are restrictions on which firmwares each PSP model can run. For example, a PSPgo cannot run 1.50, as there are no drivers for that hardware and the IPL format is incompatible.
15 July, 2011
Well, I’m no beginner to electronics, but this is the first microcontroller I’ve had that can directly interface with them! So yeah, pretty cool; I’d never messed with AVR in my life, having always used PIC for my USB controller. So I’ve been messing around a bit and I’ve done some very basic stuff working with components here and there.
Read on to see the stuff I’ve done.
First thing first was a test to get me warmed up to the equipment.
KIRK 0x10 Private Key
6 July, 2011
The private key for the KIRK 0x10 functionality is known to be stored in an encrypted buffer of 0x20 bytes. Proxima discovered that KIRK 0x10 operates as follows:
KIRK 0x10 - ECDSA sign hash invocation:
u8 encryptedprivatekey[0x20] - the private key returned by KIRK 0xC must be AES encrypted somehow
sceUtilsBufferCopyWithRange(newsig, 0x28, buffer, 0x34, 0x10); - newsig will have the r and s values for an ECDSA signature
The sizes line up: the 0x34-byte input is the 0x20-byte encrypted private key followed by a 0x14-byte hash (the size of a SHA-1 digest), and the 0x28-byte output is two 0x14-byte values, r and s.