Homebrew developer MaTiAz did it. I've never heard of him, but given what he did, he's the next Dark-Alex. He used gamesaves in the racing game GripShift to run arbitrary code, and he ended up with a PSP-3000 series running 5.02 HEN-A. ^_^
TAKE THAT SONY!
Quote from MaTiAz:
"So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009.
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra.
The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running).
The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh."
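The bug MaTiAz describes is the classic save-loader mistake: a profile name copied out of an attacker-controlled file into a fixed-size stack buffer, with the copy length taken from the file's own NUL terminator rather than from the buffer's capacity, so an oversized name runs over the saved return address ($ra on MIPS). The following C is an added illustration written for this post, not MaTiAz's proof of concept or GripShift's code; the field offset, buffer size and savegame layout are invented for the example (they are not the 0xA9/0xCC offsets from the quote). It shows the vulnerable pattern next to a loader that bounds the copy by both the file length and the destination capacity and rejects anything that does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration only (not GripShift's real format). */
#define PROFILE_NAME_MAX 16   /* capacity of the in-game name buffer */
#define SAVE_NAME_OFFSET 0x10 /* where the profile name sits in the file */

/* Vulnerable pattern: trusts the terminator stored in untrusted file data.
 * A name longer than PROFILE_NAME_MAX overruns `name` and the rest of the
 * frame, which on the PSP means the saved $ra. Kept here only for contrast;
 * do not call it with untrusted input. */
int load_profile_unchecked(const uint8_t *save)
{
    char name[PROFILE_NAME_MAX];
    strcpy(name, (const char *)save + SAVE_NAME_OFFSET); /* no bound check */
    return (int)strlen(name);
}

/* Hardened loader: every length is checked against the file size and the
 * destination capacity, and a missing terminator is treated as corruption.
 * Returns the name length, or -1 if the save is rejected. */
int load_profile_checked(const uint8_t *save, size_t save_len,
                         char *dst, size_t dst_cap)
{
    if (save == NULL || dst == NULL || dst_cap == 0) return -1;
    if (save_len < SAVE_NAME_OFFSET) return -1;       /* header truncated */

    const uint8_t *field = save + SAVE_NAME_OFFSET;
    size_t avail = save_len - SAVE_NAME_OFFSET;       /* bytes left in file */
    size_t n = 0;
    while (n < avail && field[n] != '\0') n++;
    if (n >= avail) return -1;                        /* no terminator in file */
    if (n + 1 > dst_cap) return -1;                   /* would overflow dst */

    memcpy(dst, field, n);
    dst[n] = '\0';
    return (int)n;
}

/* Builds a constructed savegame image with `name` at SAVE_NAME_OFFSET.
 * Returns the image length, or 0 if it does not fit in `cap`. */
size_t make_save(uint8_t *buf, size_t cap, const char *name)
{
    size_t n = strlen(name);
    if (cap < SAVE_NAME_OFFSET + n + 1) return 0;
    memset(buf, 0, cap);
    memcpy(buf + SAVE_NAME_OFFSET, name, n + 1);
    return SAVE_NAME_OFFSET + n + 1;
}

/* Well-formed save: a short name is accepted and copied intact. */
int demo_normal_name(void)
{
    uint8_t save[64];
    char dst[PROFILE_NAME_MAX];
    size_t len = make_save(save, sizeof save, "Player1");
    int r = load_profile_checked(save, len, dst, sizeof dst);
    return (r == 7 && strcmp(dst, "Player1") == 0) ? r : -2;
}

/* Oversized name (the overflow case): rejected instead of copied. */
int demo_oversized_name(void)
{
    uint8_t save[64];
    char dst[PROFILE_NAME_MAX];
    size_t len = make_save(save, sizeof save, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return load_profile_checked(save, len, dst, sizeof dst);
}

/* Name field with no terminator before end of file: also rejected. */
int demo_unterminated_name(void)
{
    uint8_t save[32];
    char dst[PROFILE_NAME_MAX];
    memset(save, 'B', sizeof save);
    return load_profile_checked(save, sizeof save, dst, sizeof dst);
}

int main(void)
{
    printf("normal: %d, oversized: %d, unterminated: %d\n",
           demo_normal_name(), demo_oversized_name(), demo_unterminated_name());
    return 0;
}
```

The check that matters is the one on `dst_cap`: the file may legitimately claim any length, but the copy must never be allowed to exceed what the caller's buffer holds. Bounding by `save_len` as well keeps the scan from reading past the end of a truncated file.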
PSP-3000 was officially PWNED. Not even by Dark-Alex. Who would've guessed?
As for homebrew, Dragula96 made a png-based game by using MaTiAz and Freeplay's "Hello World Sparta SDK" exploit. It may not be the best, but there's more.
Team PSPGen is working on a homebrew enabler based on the Gripshift exploit. Sony is likely to patch the files, but if no one updates, then more than likely someone will figure out how to prevent it.
There are videos on YouTube now of PSP-3000s running 5.02 HEN-A, and articles all over the web, so yeah. Look around if you don't believe it.
As of now, the latest articles here are pertinent to this.
Once again, PWNAGE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!