I'm confused

Status
Not open for further replies.

Mythrandir (Life-long Learner, Member; joined Nov 12, 2015; United States)
Everyone is hyped about the kernel exploit for 9.3+ (whether it's real or not). I still don't know whether I should be hyped or not. Although this tweet is.. hmm..
https://twitter.com/JustPingo/status/665538688655360000
If there's gonna be a kernel exploit - Yay
If not - still yay, because of the other hax I have...

From what I've gathered, there is no need to be hyped at this time. There was a misunderstanding as to the significance of some unused code in Ninjhax 2.5.
ok so as entertaining as this is, it doesn't seem nice to let people speculate and possibly get excited over nothing. so, i'll address the big thing i guess :



if you open up any of the payloads in a hex editor, you will indeed find that code. this is apparently significant because this syscall lets processes that have access to it execute arbitrary code in kernel mode. sounds amazing right ? of course the thing is that no process actually has access to it, so you'd need some kind of exploit to use it. therefore, there has to be some kind of exploit hidden away that gives the current process access to it, right ? smea's a liar and thought no one would find his secret kernel exploit, right ?

as you've probably guessed by now, no, that's not what's going on. the truth of the matter is that unlike what Mrrraou claims, this code is not used by anything. sure, the svcBackdoor function exists, and it *is* called by another function... but the function in question is not called by anything, ever. this is just a remnant of some old debugging code in app_bootloader which only ran on 9.2.

here's a screenshot of the actual code, and how it's not called anymore :

[attachment 29721: screenshot of the disassembly]

[attachment 29722: screenshot of the disassembly]

and if you still don't believe me just ask anyone who knows how to read arm disassembly to take a look, and they'll be able to confirm that invalidate_icache isn't called anywhere in app_bootloader. another thing you could do for proof is modify the payload : just replace the svc 0x7b instruction with an undefined instruction (like 0xffffffff); this way, if the function *is* called, it'll crash. if it's not, it'll just keep working the way it always does.
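One way to do the check described in the quoted post (locate every `svc 0x7b` encoding in a payload and patch the ARM-state ones to the undefined word 0xffffffff), as an added Python example that is not from the thread or from Ninjhax itself; the instruction encodings are the standard ARM/Thumb ones, and the sample payload is constructed here, not a real payload:

```python
import struct

# "svc 0x7b" in 32-bit ARM state (cond=AL: 0xEF000000 | imm24) and in 16-bit
# Thumb state (0xDF00 | imm8). Both are stored little-endian in the file.
ARM_SVC_7B = struct.pack("<I", 0xEF000000 | 0x7B)   # bytes 7b 00 00 ef
THUMB_SVC_7B = struct.pack("<H", 0xDF00 | 0x7B)     # bytes 7b df
# The undefined instruction the post suggests writing over the svc.
ARM_UNDEF = b"\xff\xff\xff\xff"


def find_svc_backdoor(payload: bytes) -> list:
    """Return (offset, mode) for every byte pattern that decodes as svc 0x7b.

    A match proves only that the bytes are there; whether the instruction is
    ever executed still has to be confirmed in the disassembly, as the post says.
    """
    hits = []
    for off in range(0, len(payload) - 3, 4):      # ARM code is 4-byte aligned
        if payload[off:off + 4] == ARM_SVC_7B:
            hits.append((off, "arm"))
    for off in range(0, len(payload) - 1, 2):      # Thumb code is 2-byte aligned
        if payload[off:off + 2] == THUMB_SVC_7B:
            hits.append((off, "thumb"))
    return hits


def patch_arm_svc_backdoor(payload: bytes) -> tuple:
    """Overwrite each ARM-state svc 0x7b with 0xffffffff; return (bytes, count)."""
    buf = bytearray(payload)
    count = 0
    for off, mode in find_svc_backdoor(payload):
        if mode == "arm":
            buf[off:off + 4] = ARM_UNDEF
            count += 1
    return bytes(buf), count


def sample_payload() -> bytes:
    """Constructed test input: a few ARM words plus a short Thumb stub."""
    words = [0xE1A00000,   # mov r0, r0
             0xE3A00001,   # mov r0, #1
             0xEF00007B,   # svc 0x7b  (ARM state, offset 8)
             0xE12FFF1E]   # bx lr
    data = b"".join(struct.pack("<I", w) for w in words)
    data += struct.pack("<HH", 0xDF7B, 0x4770)   # Thumb: svc 0x7b ; bx lr (offset 16)
    return data


if __name__ == "__main__":
    print(find_svc_backdoor(sample_payload()))
```

To run it against a real payload, read the file into `bytes` and pass it to the two functions; the patched output can then be written back for the crash-or-not test the post describes.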