How does kxploit work?

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

Post Reply
CyberBill
Posts: 86
Joined: Tue Jul 26, 2005 3:53 pm
Location: Redmond, WA

How does kxploit work?

Post by CyberBill »

Hi, I'm wondering how the kxploit actually works. I understand that the kernel locks out running unsigned binaries, and that kxploit gets around this and then launches an unsigned binary (an .elf)... but I havnt heard anything of how they did this (technically). Is it code?? A buffer overflow of some kind?

If its code I would assume that we could write more code (loaders for homebrew elfs that turn on USB functionality while running the app) into the exploit without having to write another loader.

Right now Im writing a wifi app and I'm (attempting) to write a loader that loads up the wifi modules and then runs my app, so that my app can be in user mode instead of kernel mode, which should allow me to use the Home key.

Thanks!

-Bill
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Kxploit is not code - it's akin to a swap trick. The magic of creating an app or "app loader" is in the ELF, and has nothing to do with kxploit. ELFs that load with kxploit can run unmodified on the 1.0 firmware.

All I'm saying is that kxploit is not very interesting itself, but the apps you can run by using it are.
CyberBill
Posts: 86
Joined: Tue Jul 26, 2005 3:53 pm
Location: Redmond, WA

Post by CyberBill »

Right, so what *is* it then?

How does the swap trick work? And how does kxploit remove the need for swapping memory sticks?

Im looking for a pretty technical explanation. I've been a C/C++ coder for 6 years and have console dev experience.
Woogie
Posts: 6
Joined: Sun Jul 24, 2005 8:40 pm

Post by Woogie »

Well, basically, both firmware 1.0 and 1.5 can run unencrypted, unsigned binaries. They blocked this in 1.51.

1.0 will run an unsigned binary in a PBP file without worry.
1.5 will refuse to run an unsigned binary in a PBP file, but will execute a bare elf file if you can provide that file after the PSP has already loaded the PBP.

So all kxploit does is create two directories, the PSP sees one as corrupt (and shows the corrupt icon) and one as valid. Once you launch the valid one, the PSP incorrectly parses the "%" sign as part of a standard printf-style formatting string, and so removes it, and then finds the elf file and loads it.

Memory stick swap works in the same way - it finds the pbp first on the first memory stick, and then finds the elf on the second after having run the pbp from the menu.

1.51 & 1.52 (not sure about 2.0) both contain the printf formatting bug, so you can still use the directory structure as in 1.5, but t he ability to launch an unsigned, raw elf file has been removed. So all that is left is a buffer overrun exploit, but that will be incredibly difficult to master, as you need to know exactly what code will be overwritten, and then since the program that has been exploited will be encrypted, it will be expecting your buffer overrun code to be encrypted too...
DigitalFoundry
Posts: 47
Joined: Thu Jan 20, 2005 4:35 am

Post by DigitalFoundry »

I'm fairly sure that 2.0 fixes the printf formatting bug, thus slamming the door that was left ever-so-slightly ajar in 1.51 and 1.52.
Warren
Posts: 175
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

Woogie wrote:So all that is left is a buffer overrun exploit, but that will be incredibly difficult to master, as you need to know exactly what code will be overwritten, and then since the program that has been exploited will be encrypted, it will be expecting your buffer overrun code to be encrypted too...
I think the best shot at any new exploits will have to be savegame based. Are any people currently investigating this at all?
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Warren wrote:
Woogie wrote:So all that is left is a buffer overrun exploit, but that will be incredibly difficult to master, as you need to know exactly what code will be overwritten, and then since the program that has been exploited will be encrypted, it will be expecting your buffer overrun code to be encrypted too...
I think the best shot at any new exploits will have to be savegame based. Are any people currently investigating this at all?
Hmm, IIRC, with the new layout and all, we don't discuss exploits here anymore :P.
F9zDark
Posts: 127
Joined: Sat Apr 02, 2005 11:34 am

Post by F9zDark »

Not to be on the soap box or anything, but isn't it pointless to create homebrew if the amount of people with homebrew able PSPs dwindle? We already know the Euros are stuck with 2.0. Without exploits to open the doors in the future firmware all of this homebrew development is rather mute if you ask me.
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada
Contact:

Post by ooPo »

It would be pointless, if the point was to provide software for others to use.

That may be the case for some, but certainly not all homebrew programmers. I'd say most do it just for the experience, either for finding their way into a game-related job or just because its very interesting to take apart and conquer the latest nifty piece of hardware.

Just because people don't get to run the latest emulators doesn't mean everyone packs it up and goes elsewhere. With the noise level lowered, it may even improve for those of us truly interested in the subject.
shifty
Posts: 32
Joined: Thu Jun 16, 2005 8:59 am
Location: MIT
Contact:

Homebrew on 2.0

Post by shifty »

I used to think I was smart, but I've been learning so much
from the developers in this forum. I am very
impressed with their levels of competence...from figuring
out the GU, to figuring out the ME, to setting up the kernel
stubs webpage, to archiving all the modules, to listing the
part numbers of all the components on the board, and many
other smart advances that don't come immediately to mind.

It saddens me to think that I might not read posts of that
caliber anymore. And there is currently no place else
to read about things like that.

So, I think the answer lies somewhere in between what
you two are saying. It's not pointless to continue, but I do
think that it makes sense to continue to discuss exploit
research. It is, after all, a very academically demanding
type of research and I'm learning more than ever about
OS internals through it.

So, I agree that piracy and warez/emuz kiddiez
are annoying and I don't want to encourage piracy at all.
(Just rent the games till you find one you like, then buy it!)
However, as the author of a popular program (PSPKick),
I have received *large* numbers of requests for people
with 1.51/1.52 who want to run it, yet can't. I feel
these people's frustration, the ones who have legitimate
desire to run homebrew. Many of them never had a chance.

So, I would like to see exploit research discussion continue, because it
will enable large numbers of users to use legitimate homebrew
and because it will enable a lot of people to learn how to code
from unsung experts. And if we can figure out a way to enable
homebrew without enabling piracy (and I know that's a big IF),
I am all for it.

Please take these comments into consideration.

Sincerely,
Noah Vawter
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada
Contact:

Post by ooPo »

In a happy and perfect world we wouldn't have to worry about piracy or getting hit by lawyers just for poking our noses into the hardware we've purchased. We don't live in that world, unfortunately...

Regardless, getting a psp with an exploitable firmware is trivial at the moment and when combined with the real lack of true exploit discussion on these forums it really made sense to avoid the whole mess and just not talk about discovering new methods here. This may change in the future - but for now this is the way we've chosen to run these forums.

Instead, we can focus our efforts on improving our understanding of the psp itself, and on producing free and legal alternative to signing your soul away to Sony.
F9zDark
Posts: 127
Joined: Sat Apr 02, 2005 11:34 am

Post by F9zDark »

Don't get me wrong, there was far too many posts about nonsense, none of which did anything exemplary or even tried any of what being said as an idea. If getting rid of the forum entirely is what it takes to keep the garbage out, then I suppose that is what needs to be done. But to completely sweep exploits under the proverbial rug, just doesn't really seem fitting to me, since it is the reason that homebrew can run on 1.50 PSPs and certainly is more legitimate than say a mod chip.
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada
Contact:

Post by ooPo »

I don't know what you mean by 'more legitimate'.

Could you please be a bit more vague?
CyberBill
Posts: 86
Joined: Tue Jul 26, 2005 3:53 pm
Location: Redmond, WA

Post by CyberBill »

I have noticed a *ton* of nonsensical GARBAGE on this forum. Random 13yo kids who think they have a clue how any of this stuff works. They should stay out of the way of the people who do understand and have put lots of effort into figuring out how things work.

Its crazy how they could come up with something like how loading up a blank signed ELF would work. :P

It makes me wonder how many of the exploit-ists on here are actual PSP devs.

-Bill
F9zDark
Posts: 127
Joined: Sat Apr 02, 2005 11:34 am

Post by F9zDark »

Well exploiting a hole left in by Sony by discovering it on one's own accord is, as far as I know, legal. As opposed to illegally modifying the hardware to completely circumvent any means of protection.
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada
Contact:

Post by ooPo »

How is modifying the hardware illegal? Both methods are legal.
CyberBill
Posts: 86
Joined: Tue Jul 26, 2005 3:53 pm
Location: Redmond, WA

Post by CyberBill »

The Digital Millenium Copywrite Act (DMCA) makes circumventing any kind of copy protection illegal, whether it is hardware or software.
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada
Contact:

Post by ooPo »

The DMCA, which only applies to a small minority of active developers here, has provisions for interoperability and fair use.
rinco
Posts: 255
Joined: Fri Jan 21, 2005 2:12 pm
Location: Canberra, Australia

Post by rinco »

There is little discussion on kxploit in these forums because it was not developed (discovered?) here.

If you are interested in how it works, refer to build.mak in pspsdk. If you want to know why it works... you'd be best off asking Psp-dev.

ps: discussing legalities is a downward spiral
Post Reply