Happy New Year!!! I think this is the best story to start 2009 with.
When I found out that someone had successfully run an exploit on the PSP 3000, the first thing that came to mind was the game they used to exploit it, as with the previous PSP versions. Why? Because that game will be hard to find now; the best bet is eBay, but the price is surely way higher by now. Still, I will cross my fingers for “Rogers plus”, where I was able to buy my GTA and Lumines. So better grab your GripShift copy now before it’s gone from the shelf.
So let’s get straight to the news… Just yesterday, PSP homebrewer MaTiAz found an exploit in GripShift. MaTiAz says that they’ve yet to find any further use for it, but it’s still a new exploit. It could lead to further hacks, but for now, it’s merely a proof of concept.
Here’s MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (just to indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01 M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working, so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him; if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.
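As an added defender-side example (not MaTiAz’s code and not part of the original post), here is a Python checker that applies the layout from the write-up above to a decrypted SDDATA.BIN-style save: it reads the 4-byte slot at 0xA9 that ends up in $ra and flags a value inside PSP user-mode RAM. The user-memory range, little-endian byte order and the zero-filled sample saves are assumptions or constructed for the demo; only the offsets and the PoC address come from the write-up.

```python
import struct

# Offsets quoted in MaTiAz's write-up (decrypted SDDATA.BIN layout):
RA_OFFSET = 0xA9          # 4-byte slot that overwrites $ra
CODE_OFFSET = 0xCC        # where the PoC places its payload
POC_RA = 0x08E4CD50       # value the PoC stores at RA_OFFSET
SAVE_SIZE = 25 * 1024     # write-up says the file is about 25kB

# Assumption (not from the write-up): PSP user-mode RAM spans
# 0x08800000-0x09FFFFFF and the Allegrex CPU is little-endian.
USER_MEM_LO, USER_MEM_HI = 0x08800000, 0x0A000000


def ra_slot(blob: bytes) -> int:
    """Little-endian u32 stored in the $ra slot of a decrypted save."""
    return struct.unpack_from("<I", blob, RA_OFFSET)[0]


def scan_savegame(blob: bytes) -> list:
    """Return human-readable findings for a save that looks crafted.

    An empty list means nothing suspicious was seen; these are
    heuristics for triage, not a proof that the save is safe.
    """
    if len(blob) < CODE_OFFSET + 4:
        return [f"file too short ({len(blob)} bytes) for the described layout"]
    findings = []
    ra = ra_slot(blob)
    if USER_MEM_LO <= ra < USER_MEM_HI:
        findings.append(f"$ra slot at 0x{RA_OFFSET:X} holds user-memory pointer 0x{ra:08X}")
    if ra == POC_RA:
        findings.append("$ra slot matches the published PoC value exactly")
    # The write-up's signature: the payload rides in the same file, a few
    # bytes past the slot, so expect non-text bytes there when $ra is hijacked.
    payload = blob[CODE_OFFSET:CODE_OFFSET + 16]
    if findings and any(payload) and not all(0x20 <= b < 0x7F for b in payload):
        findings.append(f"non-text bytes begin at payload offset 0x{CODE_OFFSET:X}")
    return findings


def constructed_save(ra_value: int, payload: bytes = b"") -> bytes:
    """Constructed sample save: zero-filled 25kB with the slot and filler set."""
    buf = bytearray(SAVE_SIZE)
    struct.pack_into("<I", buf, RA_OFFSET, ra_value)
    buf[CODE_OFFSET:CODE_OFFSET + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    # Opaque filler, not real code; just non-text bytes where a payload would sit.
    for finding in scan_savegame(constructed_save(POC_RA, bytes(range(0x80, 0x90)))):
        print(finding)
```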
There are two versions of the exploit: the first is the raw form from MaTiAz, the other (v2) is a version encrypted by FreePlay. It’s also been confirmed to work all the way up to the recent CFW 5.02 GEN-A. Also, PSP homebrew devs MaTiAz and FreePlay have released a “Hello World!” version of the GripShift exploit along with a binary loader and an SDK so that other devs can make their own homebrew using the exploit.
If you want to play around with the Hello World and the SDK, you can download both below. Just be sure to read the readme files included with each bundle before doing anything.
Source: PSPupdates.com
2 Comments
How do I run unsigned code on a PSP 3000 so I can use GripShift?
Hi, I’m new here, is it OK to write in Filipino? ^^
Does that work on 5.03?
My PC is broken, so I can’t try it to see whether it works or not.
Thanks.
It’s my first time on this site ^^
Pretty cool ^^