I'm looking at the SDK v1.7 and can't find some apparently key things you guys are using in the RPC client. For example, how do you know nsysnet.rpl exists? The SDK index (system/docs/man/en_us/index.html) doesn't mention it. There is mention of SORecv, SOSocket, SOConnect, SOSend, which match the signatures of the nsysnet.rpl symbols the RPC server uses, but I think I am missing something.
Well, it looks like I found the answer:
We found the different functions in various ways. Filesystem and IOS functions were inside coreinit, which comex gave to me to help me build the ROP chain. I believe nsysnet was found in the Cafe OS system log, along with the names of all the other loaded libraries. Some could be guessed, like gx2.rpl for the graphics library.
I should note that we don't actually have permission in the web browser to access external storage or any part of the internal filesystem outside of the browser's area. This is another reason why a kernel or loader exploit is useful. Let it be said that we're working on it.
I've dumped the logs via RPC, and do see mention of it, but again, I don't see the methods (recv, send, connect, socket) mentioned at all. How did you find the method signatures for these? Any chance that you can share the coreinit binary, perhaps via PM?