ICAL Exploit: Difference between revisions
(Created page with "== Introduction == ICAL Exploit was Discovered by SilicaAndPina allows for System Uri Calling on the latest PSVita firmware 3.69 as well as a bug with the PSN Sign Up...") |
(Deadnaming isnt nice.) |
||
| (9 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
== Introduction == | == Introduction == | ||
== System URI | ICAL Exploit is a PSVita exploit that allows System URI call on OFW. | ||
The vulnerability was discovered and exploited by "Li". | |||
The PSVita [[Calendar]] | Chained with a bug in the PSN Sign Up application, that allows for Account Switching even on the latest PSVita firmware [[3.74]]. | ||
*Note: You CANNOT use the Calendar application itself to do this | == System URI calling == | ||
Here is an example .ics file | System URI's are URI's defined in param.sfo surrounded by triangle brackets. They can only be run by the system and not by the web browser. The PSVita [[Calendar]] application allows user to create ICAL event files in the (.ics) format, which is an .INI-Like format with ':' instead of '=' for defining values. These files can be sent over PSN messenger and the Email client. To execute SUPPORT_URI's you simply have to write the URI you want into the .ics file's URL: entry and then view the event either in the Email application or the PSN messenger application and click the "www" browser icon. | ||
*Note: You CANNOT use the Calendar application itself to do this. It must be done in the event preview screen found in Email or Messenger applications. You should be able to do this in any text editor. | |||
== Example == | |||
Here is an example .ics file that launches the Package Installer application. | |||
BEGIN:VCALENDAR | BEGIN:VCALENDAR | ||
| Line 39: | Line 43: | ||
END:VEVENT | END:VEVENT | ||
END:VCALENDAR | END:VCALENDAR | ||
== Changing PSN | == Tools == | ||
If you | |||
"Please Wait..." and then take you to the "Welcome <yourname> to PSN" screen | A website for easily exploiting the libical bug mentioned is available at: [[http://vitatricks.xyz]]. | ||
The source code of this website is available: [[http://bitbucket.org/SilicaAndPina/vitatricks]]. | |||
== Changing PSN accounts == | |||
If you run again the Sign Up application via the 'psnreg:' URI call after you have already got an account linked, then the Sign Up application will say | |||
"Please Wait..." and then take you to the "Welcome <yourname> to PSN" screen. However if you remove internet access from the console at the correct time using the "Please Wait..." screen then PSN authentication will fail. You will be booted back to the "Sign In" screen from here. You can sign in using any credentials and your PSVita will be linked to this PSN account. However `ux0:/id.dat` is NOT updated so you will have to go back to your original PSN account before rebooting or you will be greeted with the fatal "Please format your memory card" message. | |||
Latest revision as of 06:42, 12 May 2022
Introduction[edit | edit source]
ICAL Exploit is a PSVita exploit that allows System URI call on OFW. The vulnerability was discovered and exploited by "Li". Chained with a bug in the PSN Sign Up application, that allows for Account Switching even on the latest PSVita firmware 3.74.
System URI calling[edit | edit source]
System URI's are URI's defined in param.sfo surrounded by triangle brackets. They can only be run by the system and not by the web browser. The PSVita Calendar application allows user to create ICAL event files in the (.ics) format, which is an .INI-Like format with ':' instead of '=' for defining values. These files can be sent over PSN messenger and the Email client. To execute SUPPORT_URI's you simply have to write the URI you want into the .ics file's URL: entry and then view the event either in the Email application or the PSN messenger application and click the "www" browser icon.
- Note: You CANNOT use the Calendar application itself to do this. It must be done in the event preview screen found in Email or Messenger applications. You should be able to do this in any text editor.
Example[edit | edit source]
Here is an example .ics file that launches the Package Installer application.
BEGIN:VCALENDAR PRODID:-//SCE Inc//PSVitaCalendar 0.00//EN VERSION:2.0 BEGIN:VTIMEZONE TZID:106 BEGIN:STANDARD DTSTART:19700101T000000 TZOFFSETFROM:+1100 TZOFFSETTO:+1000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4 END:STANDARD BEGIN:DAYLIGHT DTSTART:19700101T000000 TZOFFSETFROM:+1000 TZOFFSETTO:+1100 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:2017100712075551579 DTSTAMP:20171007T121157Z DTSTART;TZID=106:20171007 DTEND;TZID=106:20171008 SUMMARY:Package Installer SEQUENCE:6 URL:psgm:play?titleid=NPXS10031 END:VEVENT END:VCALENDAR
Tools[edit | edit source]
A website for easily exploiting the libical bug mentioned is available at: [[1]].
The source code of this website is available: [[2]].
Changing PSN accounts[edit | edit source]
If you run again the Sign Up application via the 'psnreg:' URI call after you have already got an account linked, then the Sign Up application will say "Please Wait..." and then take you to the "Welcome <yourname> to PSN" screen. However if you remove internet access from the console at the correct time using the "Please Wait..." screen then PSN authentication will fail. You will be booted back to the "Sign In" screen from here. You can sign in using any credentials and your PSVita will be linked to this PSN account. However `ux0:/id.dat` is NOT updated so you will have to go back to your original PSN account before rebooting or you will be greeted with the fatal "Please format your memory card" message.