I started investigating the PS3 WebKit about 6/7 months ago, but at the time it was only to gather information; I had no idea I would eventually be the one working on it!

At the end of August, I gave the information I had to esc0rtd3w & expected he would work on it alone. However, he knew nothing about WebKit exploitation, so he started to collaborate with W. By hijacking WebKit we inherit its privileges, which means we are root & get access to lv2 syscalls. However, the PS3 OS is protected by NX (No eXecute, the BSD/Linux equivalent of DEP on Windows), though there is no address randomisation. Executing our own payload directly is made impossible by NX, but we can still execute code despite NX using ROP (Return Oriented Programming).

The principle is simple: select snippets from the system code (snippets like these are called gadgets) & assemble them so that execution jumps from one gadget to the next until the task we planned is done. It also requires providing the values/parameters & the offset to each gadget instruction...

In the first week of September, I joined their effort & 2 weeks later we had ROP execution.

From that moment, I have been doing all the ROP development work alone while the other 2 helped with testing & researching (and debugging for esc0rtd3w).



Right now I have 2 ROP chains ready, one for idps dumping & the other for flash memory dumping.

The idps dumper is about to get released. (UPDATE: Released >> Click Here)

The flash dumper will be released later.