v2

Makefile

@@ -1,5 +1,5 @@
 TARGET = flash_dumper
-OBJS = main.o utils.o kernel_read.o kernel_write.o flash_dumper.o imports.o
+OBJS = main.o flash_dumper.o
 
 UNAME := $(shell uname)
 
@@ -24,7 +24,7 @@ EXTRA_TARGETS = EBOOT.PBP
 PSP_EBOOT_TITLE = PSP Flash Dumper
 
 LIBDIR = 
-LIBS = -lpsprtc
+LIBS = -lpspexploit -lpsprtc -lpspdebug
 
 PSPSDK = $(shell psp-config --pspsdk-path)
 include $(PSPSDK)/lib/build.mak

flash_dumper.c

@@ -1,4 +1,4 @@
-#include "main.h"
+#include "libpspexploit.h"
 
 #define BUF_SIZE 1024*32
 
@@ -384,4 +384,4 @@ void initDumperKernelThread(){
         k_tbl->waitThreadEnd(kthreadID, NULL);
         k_tbl->KernelDeleteThread(kthreadID);
     }
-}
+}

main.h → libpspexploit.h

@@ -13,10 +13,9 @@
 #include <pspiofilemgr.h>
 #include <string.h>
 
-#ifndef MAIN_H
-#define MAIN_H
+#ifndef LIBPSPEXPLOIT_H
+#define LIBPSPEXPLOIT_H
 
-#define KRAM_BACKUP_SIZE (128*1024) // more than enough to scan sysmem
 #define KERNELIFY(x) (((u32)x)|0x80000000)
 
 typedef struct KernelFunctions{
@@ -65,29 +64,28 @@ typedef struct KernelFunctions{
 
 extern KernelFunctions* k_tbl;
 
-// utils.c
-void scanKernelFunctions(KernelFunctions* kfuncs);
+// User Utils
 u32 FindImportRange(char *libname, u32 nid, u32 lower, u32 higher);
 u32 FindImportVolatileRam(char *libname, u32 nid);
 u32 FindImportUserRam(char *libname, u32 nid);
 int p5_open_savedata(int mode);
 int p5_close_savedata();
 u32 FindFunctionFromUsermode(const char *library, u32 nid, u32 start_addr, u32 end_addr);
-u32 FindTextAddrByName(const char *modulename);
-u32 FindFunction(const char *module, const char *library, u32 nid);
 u32 qwikTrick(char* lib, u32 nid, u32 version);
 void _flush_cache();
 
+// Kernel Utils
+void scanKernelFunctions(KernelFunctions* kfuncs);
+u32 FindTextAddrByName(const char *modulename);
+u32 FindFunction(const char *module, const char *library, u32 nid);
+
 // kernel_read.c
 uint64_t kread64(uint32_t addr);
 void dump_kram(u32* dst, u32* src, u32 size);
 
 // kernel_write.c
-int stubScanner(u32 patch_addr, u32 orig_instr);
+int initExploit();
 int doExploit();
 void executeKernel(u32 kernelContentFunction);
 
-// flash_dumper.c
-void initDumperKernelThread();
-
 #endif

main.c

@@ -1,65 +1,59 @@
-#include "main.h"
+#include "libpspexploit.h"
+
+// flash_dumper.c
+void initDumperKernelThread();
 
 PSP_MODULE_INFO("Flash Dumper", PSP_MODULE_USER, 1, 0);
 PSP_MAIN_THREAD_ATTR(PSP_THREAD_ATTR_USER | PSP_THREAD_ATTR_VFPU);
 
-u32* kram_copy = NULL;
-SceUID memid = -1;
-
 static KernelFunctions _ktbl;
 KernelFunctions* k_tbl = &_ktbl;
 
 void kmain(){
     int k1 = pspSdkSetK1(0);
     pspDebugScreenPrintf("Got Kernel Access!\n");
     scanKernelFunctions(k_tbl);
-    repairInstruction();
+    repairKernel();
     initDumperKernelThread();
     pspDebugScreenPrintf("All Done!\n");
     pspSdkSetK1(k1);
 }
 
-int main(){ 
+int main(){
+
+    int res = 0;
 
     pspDebugScreenInit();
 
     pspDebugScreenPrintf("Universal Flash Dumper Started.\n");
+
+    pspDebugScreenPrintf("Initializing kernel exploit...\n");
+    res = initExploit();
 
-    memid = sceKernelAllocPartitionMemory(PSP_MEMORY_PARTITION_USER, "", PSP_SMEM_High, KRAM_BACKUP_SIZE, NULL);
-    kram_copy = sceKernelGetBlockHeadAddr(memid);
-
-    pspDebugScreenPrintf("Dumping kernel RAM for analysis.\n");
-    dump_kram(kram_copy, 0x88000000, KRAM_BACKUP_SIZE);
-
-    pspDebugScreenPrintf("Analyzing kernel RAM to obtain offset of sceKernelLibcTime\n");
-    u32 libctime_addr = FindFunctionFromUsermode("UtilsForUser", 0x27CC57F0, (u32)kram_copy, (u32)kram_copy + KRAM_BACKUP_SIZE);
+    if (res == 0){
 
-    pspDebugScreenPrintf("Found address of sceKernelLibcTime at: %p\n", libctime_addr);
-
-    u32 libctime_offset = libctime_addr - 0x88000000;
-    u32 orig_inst = *(u32*)( (u32)kram_copy + libctime_offset + 4 );
-
-    if (stubScanner(libctime_addr+4, orig_inst) == 0){
-        if (doExploit() == 0){
-            executeKernel(&kmain);
+        pspDebugScreenPrintf("Corrupting kernel...\n");
+        res = doExploit();
+
+        if (res == 0){
+            executeKernel(kmain);
         }
-        else{
-            pspDebugScreenPrintf("ERROR: Could not execute kernel exploit\n");
+        else {
+            pspDebugScreenPrintf("ERROR: %p", res);
         }
+
     }
     else{
-        pspDebugScreenPrintf("ERROR: Could not find vulnerable function\n");
+        pspDebugScreenPrintf("ERROR: %p\n", res);
     }
 
     pspDebugScreenPrintf("Press any button to exit\n");
-
+    SceCtrlData pad;
     while (1){
-        SceCtrlData pad;
         sceCtrlReadBufferPositive(&pad, 1);
         if (pad.Buttons) break;
     }
 
     sceKernelExitGame();
-
     return 0;
-}
+}