PSP3000 OMGRAWR
Topic Started: Jan 4 2009, 11:12 AM (470 Views)
darkSymphonie (Fuckarator)
Hah, not quite... Actually, it's just a proof of concept of the GripShift gamesave exploit! It's still great, no?

http://www.youtube.com/watch?v=HAoZWymTySw



To quote MaTiAz:
So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009.

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can easily be used to overwrite $ra.
The savegame file is pretty big (25 kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (just to indicate that arbitrary code is running).
The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), with psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

EDIT2: OK, so, tested with a PSP3000. It's working! But only with firmware 4.01... Updated video. Now shows a PSP3000 with blue and white flickering. Thanks to Freeplay for encrypting the savegame to use on all PSPs.

Credits go to those who deserve them.



If someone has a PSP3000 or PSP2000 with a TA088 v3 and owns GripShift, try this: http://koti.kapsi.fi/~matiaz/psp/gripshift_poc_built_v2.zip

Or if you just wanna try it, "buy" the game off the Internetz and try it.


EDIT:
So, a Hello World has just been released! WORKS ON ANY FIRMWARE.
VIDEO IS ON A PSP3000!!!

http://www.youtube.com/watch?v=0KdIrzsi4IA


FOR DEVS!: Here, Sparta's SDK for messing with the exploit!: http://dl.qj.net/Sparta-SDK-v1-PSP-Develop...25454/catid/204
FOR PPL WHO WANT TO TRY: http://dl.qj.net/Development-Utilities/pg/...25453/catid/204

A step closer to unlocking kernel mode to downgrade? =]
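The quoted description above (a profile-name string copied out of the savegame into a fixed buffer with no length check, until it reaches the saved return address) is the textbook stack-overflow pattern. As an added illustration, not MaTiAz's code, not from this thread and not GripShift's actual loader, here is a minimal C loader showing the unchecked copy beside a bounds-checked version that rejects an over-long or non-printable name before anything is copied. The field offset (NAME_OFFSET), field width (NAME_MAX) and record layout are assumptions for the demonstration, not GripShift's real SDDATA.BIN format; the sample save images are constructed in the code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (hypothetical, not GripShift's real format): the profile name is a
 * NUL-terminated string stored at NAME_OFFSET and must fit in NAME_MAX bytes
 * including the terminator. */
#define NAME_OFFSET 0x10
#define NAME_MAX    16

/* Vulnerable pattern: the loader trusts the on-disk terminator and copies into a
 * fixed-size stack buffer. A name longer than the buffer overwrites whatever follows
 * it on the stack, eventually the saved return address ($ra on MIPS). Shown for
 * contrast only; never called below. */
void load_name_unchecked(const uint8_t *save, char *name /* char[NAME_MAX] */) {
    strcpy(name, (const char *)save + NAME_OFFSET); /* no bound on the copy */
}

/* Hardened loader: validate the field before copying anything.
 * Returns 0 on success or a negative code saying why the file was rejected:
 *  -1 bad arguments, -2 file too short for the field,
 *  -3 non-printable byte where text is expected, -4 no terminator inside the field. */
int load_name_checked(const uint8_t *save, size_t save_len, char *name /* char[NAME_MAX] */) {
    if (save == NULL || name == NULL) return -1;
    if (save_len < NAME_OFFSET + NAME_MAX) return -2;

    const uint8_t *field = save + NAME_OFFSET;
    size_t n = 0;
    /* Only ever look inside the field; the terminator must appear within NAME_MAX bytes. */
    while (n < NAME_MAX && field[n] != 0) {
        if (!isprint(field[n])) return -3;   /* code or pointers, not a player name */
        n++;
    }
    if (n == NAME_MAX) return -4;            /* over-long name: would have overflowed */

    memcpy(name, field, n);                  /* n < NAME_MAX, so name[n] is in bounds */
    name[n] = '\0';
    return 0;
}

/* Builds a constructed 256-byte save image whose name field holds `payload`
 * and returns the checked loader's verdict on it. */
int check_name_field(const uint8_t *payload, size_t payload_len) {
    uint8_t save[256];
    char name[NAME_MAX];
    memset(save, 0, sizeof save);
    if (NAME_OFFSET + payload_len > sizeof save) return -1;
    memcpy(save + NAME_OFFSET, payload, payload_len);
    return load_name_checked(save, sizeof save, name);
}

/* Verdict for a name field filled with `count` copies of `byte` (a long run of 'A'
 * is the usual shape of an overflowing field). */
int check_repeated_name(uint8_t byte, size_t count) {
    uint8_t payload[128];
    if (count > sizeof payload) return -1;
    memset(payload, byte, count);
    return check_name_field(payload, count);
}

/* Verdict for a truncated file that ends before the name field does. */
int check_short_file(void) {
    uint8_t save[8] = {0};
    char name[NAME_MAX];
    return load_name_checked(save, sizeof save, name);
}

int main(void) {
    printf("normal name      -> %d\n", check_name_field((const uint8_t *)"Player1", 7));
    printf("15 x 'A'         -> %d\n", check_repeated_name('A', 15));
    printf("40 x 'A'         -> %d\n", check_repeated_name('A', 40));
    printf("binary in name   -> %d\n", check_name_field((const uint8_t *)"ab\x08" "c", 4));
    printf("truncated file   -> %d\n", check_short_file());
    return 0;
}
```

The design point is that the checked loader never reads or writes past the field boundaries it was told about: the file length is checked before the field is touched, the terminator search stops at NAME_MAX, and a name that would have filled the whole field is rejected rather than silently truncated, because a save that needs truncating is already malformed.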
 
muhu (Moderator)
Score one for furfags and half-breeds. In other related news, FreePlay is working on an SDK. Don't expect any miracles, kids.
 
Hero2 (Unregistered)
Hmm... interesting, but all we get is usermode, which for us is useless, but (<- big butt) usermode has the ability to access flash0 and launch game data off the memstick, so maybe if someone could launch 5.00m33-4 off their memstick using this, then maybe Dark_Alex can finish 5.00m33-5 with 03g module support without having to find the two HASH values needed to crack the new pre-ipl...
 
darkSymphonie (Fuckarator)
Hero2 (Jan 4 2009, 12:04 PM) wrote:
Hmm... interesting, but all we get is usermode, which for us is useless, but (<- big butt) usermode has the ability to access flash0 and launch game data off the memstick, so maybe if someone could launch 5.00m33-4 off their memstick using this, then maybe Dark_Alex can finish 5.00m33-5 with 03g module support without having to find the two HASH values needed to crack the new pre-ipl...

Exactly, which is great! Finding the hashes... FINDING! the hashes xD "finding" is a really vague word... A hash is hard to "find"; that's why we use those alternatives. For the 03g module support, I think it's gonna take some time =/ ...

Remember when the Lumines savegame exploit was discovered? Well, a few hours later, we had the downgrader/M33 flasher...
 
Doublehawk (Advanced Member)
Yes, but we haven't hit pay dirt yet. While we have the ability to run whatever code we need, no one knows how many more tricks Sony have up their sleeves. Now all I need to do is find a freaking copy of GripShift, and hope for the best. Time to look all over my city and maybe even go into the West side. I don't give a damn if I get shot, I just want my game.
 
Hero2 (Unregistered)
Doublehawk (Jan 4 2009, 10:40 AM) wrote:
Yes, but we haven't hit pay dirt yet. While we have the ability to run whatever code we need, no one knows how many more tricks Sony have up their sleeves. Now all I need to do is find a freaking copy of GripShift, and hope for the best. Time to look all over my city and maybe even go into the West side. I don't give a damn if I get shot, I just want my game.

I don't recommend getting shot for this game. It is waaaaaaaaaaaaaay tooooooo old to find in a store or at gamestop.com. I'm gonna look further into this and see what happens.
 
hopefulMisha ([XE]*Misha)
This game sucks. Hard. But hey, even Sony gets stupid. My friend tried it, but he said it's useless until more work is done...
 
darkSymphonie (Fuckarator)
So, a Hello World has just been released! WORKS ON ANY FIRMWARE.
VIDEO IS ON A PSP3000!!!

http://www.youtube.com/watch?v=0KdIrzsi4IA


FOR DEVS!: Here, Sparta's SDK for messing with the exploit!: http://dl.qj.net/Sparta-SDK-v1-PSP-Develop...25454/catid/204
FOR PPL WHO WANT TO TRY: http://dl.qj.net/Development-Utilities/pg/...25453/catid/204

A step closer to unlocking kernel mode to downgrade? =]
 
muhu (Moderator)
I would expect another HEN, due to the pre-ipl situation. Just don't update your TA-088v3 and 3000 models past 5.02.
 
darkSymphonie (Fuckarator)
muhu (Jan 5 2009, 11:26 AM) wrote:
I would expect another HEN or eLoader, due to the pre-ipl situation.

True! =]

CSPSP on PSP3000... Microphone support? xD

Off topic: Moohoo get on tat PSN rit naow!!1
 
muhu (Moderator)
I'd rather have Skype headset support, for the obvious reason. Just for the record, I don't own a PS3.
 
Hero2 (Advanced Member)
darkSymphonie (Jan 5 2009, 08:14 AM) wrote:
So, a Hello World has just been released! WORKS ON ANY FIRMWARE.
VIDEO IS ON A PSP3000!!!

http://www.youtube.com/watch?v=0KdIrzsi4IA


FOR DEVS!: Here, Sparta's SDK for messing with the exploit!: http://dl.qj.net/Sparta-SDK-v1-PSP-Develop...25454/catid/204
FOR PPL WHO WANT TO TRY: http://dl.qj.net/Development-Utilities/pg/...25453/catid/204

A step closer to unlocking kernel mode to downgrade? =]

If anyone could try launching an EBOOT.PBP off their memstick using this exploit, please try, then post if successful. <- Then you can play CSPSP without CFW... But you cannot get CFW (yet), because the pre-ipl will NEVER launch a custom IPL, even from the NAND (sorry...).