Skip to content
/ bd-jb Public

Reimplementation of TheFlow's bd-jb. No kernel part yet.

131 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sleirsgoevy/bd-jb

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
native
native
 
 
root/org/homebrew
root/org/homebrew
 
 
README.txt
README.txt
 
 

Repository files navigation

BD-JB reimplementation based on TheFlow's report and presentation. Implements loading arbitrary .bin payloads using vulnerabilities #2 (privileged constructor call), #3 (privileged method call), #4 (jit hack) from the report. Listens for payloads on port 9019.

The first (and only) argument to the payload is the address of sceKernelDlsym, which can be used to resolve other symbols. It seems that libkernel_sys.sprx always has id 0x2001, and you can look up other libraries by getting the full list of handles and looking up name of each handle. You can't directly call syscalls due to missing kernel patches.

About

Reimplementation of TheFlow's bd-jb. No kernel part yet.

Resources

Readme
Activity

Stars

131 stars

Watchers

31 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages