File Description
Fanjita has released the "source" of his work so far today on this newly discovered exploit. If you would like to take a look at it and continue investigating, have a look!
Only for v2.5 / v2.6.
Based on Proof of Concept code by Hitchhikr / Neural.
Function: Attempts to load ms0:/kernel.elf using sceKernelLoadModule/sceKernelStartModule while in kernel mode, after writing a NOP (a zero word) to 0x8801A5B4 to patch out the module check.
Diags: Writes a log of operations to ms0:/GTALOG.TXT. If LoadModule fails, writes the error code to ms0:/failload.trc. If StartModule fails, writes the error code to ms0:/failstart.trc.
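As an added example (not part of Fanjita's release), a small host-side C tool that reads the raw error code back out of ms0:/failload.trc or ms0:/failstart.trc. The exploit writes the 4-byte return value with sceIoWrite exactly as it sits in memory, so decoding it means reassembling a little-endian signed 32-bit integer; the split into facility and low code fields, and the sample value 0x80020001, are assumptions made for illustration and do not come from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the four bytes that sceIoWrite(handle, &code, 4) would
   leave in a .trc file for a negative result of 0x80020001 on the little-endian
   PSP. Not copied from any real failload.trc / failstart.trc. */
static const unsigned char SAMPLE_TRC[4] = { 0x01, 0x00, 0x02, 0x80 };

/* Rebuild the signed 32-bit value from its little-endian bytes (the PSP's
   Allegrex CPU is little-endian, so byte 0 is the least significant). */
int32_t trc_decode(const unsigned char buf[4])
{
    uint32_t u = (uint32_t)buf[0]
               | ((uint32_t)buf[1] << 8)
               | ((uint32_t)buf[2] << 16)
               | ((uint32_t)buf[3] << 24);
    return (int32_t)u;
}

/* The exploit treats any negative return as failure; mirror that test. */
int trc_is_error(int32_t code)
{
    return code < 0;
}

/* Field split assumed for Sony-style 0x8xxxxxxx error values: bits 16..27
   identify the facility that produced the error, the low 16 bits the specific
   code. This layout is an assumption for readability, not from the page. */
unsigned trc_facility(int32_t code)
{
    return ((uint32_t)code >> 16) & 0x0FFFu;
}

unsigned trc_low_code(int32_t code)
{
    return (uint32_t)code & 0xFFFFu;
}

/* Read a .trc file written by the exploit. Returns 0 and stores the code on
   success, -1 if the file is missing or shorter than 4 bytes. */
int trc_read_file(const char *path, int32_t *out)
{
    unsigned char buf[4];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf)
        return -1;
    *out = trc_decode(buf);
    return 0;
}

/* Print one decoded code alongside the verdict the exploit itself applied. */
void trc_report(const char *label, int32_t code)
{
    printf("%s: 0x%08X (%s, facility 0x%03X, code 0x%04X)\n",
           label, (unsigned)code,
           trc_is_error(code) ? "error" : "success",
           trc_facility(code), trc_low_code(code));
}

int main(int argc, char **argv)
{
    /* With no arguments, decode the constructed sample; otherwise decode each
       .trc file named on the command line (e.g. copied off the memory stick). */
    if (argc < 2) {
        trc_report("sample", trc_decode(SAMPLE_TRC));
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        int32_t code;
        if (trc_read_file(argv[i], &code) != 0) {
            fprintf(stderr, "%s: cannot read 4-byte trace file\n", argv[i]);
            continue;
        }
        trc_report(argv[i], code);
    }
    return 0;
}
```

Run it as `./trcdump failload.trc failstart.trc` after copying the files off the memory stick; a file shorter than four bytes is reported rather than mis-decoded.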
Source for the interesting bit:
#include <pspkernel.h>   /* sceKernelLoadModule/sceKernelStartModule, sceIoOpen/Write/Close */

/* dlog() appends a line to ms0:/GTALOG.TXT; it is defined elsewhere in the source. */
extern void dlog(const char *msg);

void kernel_proc(void)
{
    // Dump'em all - read access
    int handle;
    int luid;   // module UID returned by sceKernelLoadModule
    int res;    // result of sceKernelStartModule
    unsigned int *probe;

    dlog("check dlog");

#if 1
    dlog("patch module check");
    // Patch module check: overwrite the instruction at 0x8801A5B4 with 0 (MIPS NOP)
    probe = (unsigned int *) 0x8801A5B4;
    probe[0] = 0;
#endif

    dlog("load module");
    // try loading an ELF
    luid = sceKernelLoadModule("ms0:/kernel.elf", 0, NULL);
    if (luid < 0) {
        // LoadModule failed: dump the 4-byte error code to ms0:/failload.trc
        handle = sceIoOpen("ms0:/failload.trc", O_WRONLY | O_CREAT | O_TRUNC, 0777);
        sceIoWrite(handle, &luid, 4);
        sceIoClose(handle);
    } else {
        dlog("start module");
        // start the module by the UID LoadModule returned (the original passed
        // the uninitialised 'handle' here instead of 'luid')
        res = sceKernelStartModule(luid, 0, NULL, NULL, NULL);
        if (res < 0) {
            // StartModule failed: dump the 4-byte error code to ms0:/failstart.trc
            handle = sceIoOpen("ms0:/failstart.trc", O_WRONLY | O_CREAT | O_TRUNC, 0777);
            sceIoWrite(handle, &res, 4);
            sceIoClose(handle);
        }
    }

    for (;;) { }   // never return
}