Editing Avcontent.db. Arbitrary Delete.
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== Introduction == | == Introduction == | ||
This is a disclosure of an vulnerability | This is a disclosure of an vulnerability i (SilicaAndPina) discovered back in 2019. | ||
The PlayStation Vita has a few apps for displaying various media formats. | The PlayStation Vita has a few apps for displaying various media formats. | ||
Line 6: | Line 6: | ||
media files require "promotion" to be put into these apps | media files require "promotion" to be put into these apps | ||
basically each of the media apps has a sqllite3 database called 'avcontent.db' inside ux0 | basically each of the media apps has a sqllite3 database called 'avcontent.db' inside various folders on ux0 which cache the contents of these apps. | ||
== Arbitrary Delete == | == Arbitrary Delete == | ||
By editing the tbl_VPContent inside avcontent.db you can change the path of any media contents to be whatever path you want | |||
if you then delete it inside the app, it will not only delete the entry from the database, but it will delete that underlying file as well. | |||
By editing the tbl_VPContent inside avcontent.db you can change the | |||
if you then delete it inside the | |||
but it will delete that underlying file as well. | |||
== Arbitrary Read == | == Arbitrary Read == | ||
Using the videos app i was able to read arbitrary files by changing the path in the avcontent.db, | |||
and then copying it with CMA, however this only worked with files inside ux0: | |||
files outside there would not work. | |||
Using the | |||
and then copying it with CMA, however this only worked with files inside ux0: | |||
files outside there would not work. | |||
== Exploitation == | == Exploitation == | ||
Ultimately this trick is kinda useless, it requires having access to the memory card to write a hacked avcontent.db in the first place, which if you had you can delete whatever you want anyway? | Ultimately this trick is kinda useless, it requires having access to the memory card to write a hacked avcontent.db in the first place, which if you had you can delete whatever you want anyway? | ||
(it could also be done with CMA i guess), so it'd only be useful for removing files from say ur0) | (it could also be done with CMA i guess), so it'd only be useful for removing files from say ur0. or ones you cant do via backups / restore | ||
or with another hacked vita) but at that point you may as well just delete the file you want from the memory card using that, | |||
an interesting idea is to setup a SQL Trigger on delete to automatically put the entry back into the database, this way you could delete any file over and over again. | an interesting idea is to setup a SQL Trigger on delete to automatically put the entry back into the database, this way you could delete any file over and over again. | ||
this could be used to make a sort of 'unlink memory card' feature, that works even without hacks. but by the time i had this idea, there was already h-encore2.. | this could be used to make a sort of 'unlink memory card' feature, that works even without hacks. but by the time i had this idea, there was already h-encore2.. |