QJ.net Game Discussion - PSP, Xbox, Wii, PS3, PSP Homebrew, and PSP Guides

**TeamOverload** · 08-21-2006, 04:40 AM

So, any updates on this? I have been away for the weekend so, I dont know, if anything has been progressing. Plus, this thread hasn't been updated in two days.

**Fanjita** · 08-21-2006, 06:00 AM

Perhaps because there's no news?

**TeamOverload** · 08-21-2006, 06:01 AM

Quote:

Originally Posted by Fanjita

Perhaps because there's no news?

I figured that out, but with things like this, I would at least expect discussion.

Edit: I forgot this did get moved to the Developer's Dungeon, so there aren't as many people to talk about it.

**Theknightinhell** · 08-21-2006, 04:31 PM

Thats a good thing, there should be less speculation and use this thread solely for news

**Fanjita** · 08-21-2006, 05:26 PM

Alright, time for a brief update with the facts so far.

This exploit is definitely genuine, and usable.

It's unclear exactly which firmwares it will be usable on, but so far 2.0 and 2.01 should definitely work. 2.5 and above are significantly harder to research. 2.7+ will take longer still. The signs are that it may go up as far as 2.8, but that's not proven.

Just to put things into perspective, a combined team has spent at least 60 intensive hours working on researching this so far, and we're at the point of being able to confirm that it will work.

It will take longer still to convert it into something that is actually in a demonstrable form, such as Hello World.

Credit so far goes to NOPx86 for discovering the vulnerability and proof of concept on the PC, and Skylark and psp250 for researching it on the PSP. I've helped a bit too, but those guys have done the bulk of the work.

**Access_Denied** · 08-21-2006, 05:35 PM

If the exploit does work on 2.5+, could the eLoader be easily adapted to work with this exploit? Or will it take another couple weeks to create a whole new eLoader?

**Fanjita** · 08-21-2006, 05:48 PM

Quote:

Originally Posted by ARza

If the exploit does work on 2.5+, could the eLoader be easily adapted to work with this exploit? Or will it take another couple weeks to create a whole new eLoader?

Yes, that ought to be possible.

08-21-2006, 06:03 PM

Quote:

Originally Posted by Fanjita

Alright, time for a brief update with the facts so far.

This exploit is definitely genuine, and usable.

It's unclear exactly which firmwares it will be usable on, but so far 2.0 and 2.01 should definitely work. 2.5 and above are significantly harder to research. 2.7+ will take longer still. The signs are that it may go up as far as 2.8, but that's not proven.

Just to put things into perspective, a combined team has spent at least 60 intensive hours working on researching this so far, and we're at the point of being able to confirm that it will work.

It will take longer still to convert it into something that is actually in a demonstrable form, such as Hello World.

Credit so far goes to NOPx86 for discovering the vulnerability and proof of concept on the PC, and Skylark and psp250 for researching it on the PSP. I've helped a bit too, but those guys have done the bulk of the work.

Excellent, i'll be looking out for the latest news from you guys.

**FreePlay** · 08-21-2006, 07:40 PM

Kick... ass.

**Theknightinhell** · 08-21-2006, 09:00 PM

Damn skippy, kick ass. Good luck Fanjita, Skylark, and PSP250

**TheEmulatorGuy** · 08-21-2006, 09:20 PM

I don't think we'll be seeing a kernel eLoader, since 2.0 didn't have one.

**Twenty 2** · 08-21-2006, 10:24 PM

But that was a different exploit. You cant base your expectations on what was set in the past with this exploit.

**TheEmulatorGuy** · 08-21-2006, 11:09 PM

Quote:

Originally Posted by Twenty 2

But that was a different exploit. You cant base your expectations on what was set in the past with this exploit.

Uh, yes I can, because they're both buffer overflows in the TIFF format.

**the_darkside_986** · 08-21-2006, 11:11 PM

Holy crap the exploit was confirmed. Awesome. I've got 1.5 but for some reason, I always find this type of news exciting. How exactly did they confirm it is what I'm wondering.

**hàrléyg²** · 08-22-2006, 01:27 AM

Quote:

Originally Posted by TheEmulatorGuy

Uh, yes I can, because they're both buffer overflows in the TIFF format.

Ya, but they're not the same exploit, are they?

**TheEmulatorGuy** · 08-22-2006, 03:14 AM

Quote:

Originally Posted by hàrléyg²

Ya, but they're not the same exploit, are they?

Quote:

Originally Posted by Glynnder

exactly

I will eat my words if I turn out wrong, but the exploits use the same process and area. There is no direct kernel access as shown by the 2.0 exploit, so any huge difference is unlikely. Same place, same mode.

Of course, it doesn't matter, because the vulnerability that allowed kernel access through GTA will work here.

**Abe_Froeman** · 08-22-2006, 05:15 AM

Per some members requests, I went through and cleaned out all of the spam since this thread has been moved to the Dungeon. If you have nothing to contribute to the thread or this isn't your area of expertise, just because you can post in the Dungeon doesn't mean you "need" to.

**FreePlay** · 08-22-2006, 05:24 AM

Quote:

Originally Posted by TheEmulatorGuy

I will eat my words if I turn out wrong, but the exploits use the same process and area. There is no direct kernel access as shown by the 2.0 exploit, so any huge difference is unlikely. Same place, same mode.

Of course, it doesn't matter, because the vulnerability that allowed kernel access through GTA will work here.

Um... Actually, TEG, the 2.00 exploit was kernel-mode. It ran in the VSH, which has full access to kernel-mode functions. Also, the kernel-mode exploit used for the 2.5/2.6 downgrader probably doesn't exist on 2.80.

**IchigoKurosaki** · 08-22-2006, 07:48 AM

If i'm correct VSH Mode dosen't have access to Kernel Mode Function, but does have access of changing between Game Mode and Kernel/Update Mode...

**FreePlay** · 08-22-2006, 11:50 AM

VSH mode definitely has kernel access. There's no doubt of that, really... I managed to mount an ISO as disc0: and read from it using nothing but syscalls under the 2.00 VSH.

**Fanjita** · 08-22-2006, 01:55 PM

Quote:

Originally Posted by FreePlay

VSH mode definitely has kernel access. There's no doubt of that, really... I managed to mount an ISO as disc0: and read from it using nothing but syscalls under the 2.00 VSH.

No.

Try reading some kmem, then you'll see that you're not in kernel mode.

The Sony APIs just allow user threads with the VSH thread attribute to do more stuff, that's all.

**FreePlay** · 08-22-2006, 02:34 PM

B'doh. I stand corrected.

**TheEmulatorGuy** · 08-22-2006, 08:36 PM

Quote:

Originally Posted by FreePlay

B'doh. I stand corrected.

Yeah, I'm not going to say anything.

**FreePlay** · 08-22-2006, 11:45 PM

That would probably be kind of you.

**Glynnder** · 08-23-2006, 12:16 AM

Thats what I was thinking, if you read earlier im sure i said something like that too.

Methinks thats why when it was vsh(?) mode unloked for the 2.60 eLoader not much happens.
Or was that not vsh

**IchigoKurosaki** · 08-23-2006, 02:01 AM

No it was Update Mode...

**Glynnder** · 08-23-2006, 08:11 AM

that was it, sorry!

**Twenty 2** · 08-23-2006, 09:55 AM

So why doesnt the 2.6 exploit work on 2.7?

**Glynnder** · 08-23-2006, 10:10 AM

because Sony patched the GTA exploit

**hàrléyg²** · 08-23-2006, 10:37 AM

I'm thinking about closing this thread and only allowing fanjita to post news updates inside it.
I'll ask him what he thinks.

08-21-2006, 04:40 AM	#301
TeamOverload Rock Star FamousLastX Join Date: Aug 2005 Location: CT\| FW: 4.01 M33-2 Posts: 11,844 Trader Feedback: 0	So, any updates on this? I have been away for the weekend so, I dont know, if anything has been progressing. Plus, this thread hasn't been updated in two days. __________________

08-21-2006, 06:00 AM	#302
Fanjita Join Date: Sep 2005 Location: Edinburgh, UK Posts: 2,388 Trader Feedback: 0	Perhaps because there's no news? __________________ Using firmware v2.00-v3.50? Open up a whole world of homebrew here The PSP Homebrew Database needs YOU! Your ISP may be illegally wiretapping all your web activity. Stop Phorm Now! Visiting the Edinburgh Festivals? Get practical advice from experts.

08-21-2006, 04:31 PM	#304
Theknightinhell Suicide Silence Theknightinhell Join Date: Sep 2005 Location: New Jersey Posts: 2,163 Trader Feedback: 0	Thats a good thing, there should be less speculation and use this thread solely for news __________________

08-21-2006, 05:26 PM	#305
Fanjita Join Date: Sep 2005 Location: Edinburgh, UK Posts: 2,388 Trader Feedback: 0	Alright, time for a brief update with the facts so far. This exploit is definitely genuine, and usable. It's unclear exactly which firmwares it will be usable on, but so far 2.0 and 2.01 should definitely work. 2.5 and above are significantly harder to research. 2.7+ will take longer still. The signs are that it may go up as far as 2.8, but that's not proven. Just to put things into perspective, a combined team has spent at least 60 intensive hours working on researching this so far, and we're at the point of being able to confirm that it will work. It will take longer still to convert it into something that is actually in a demonstrable form, such as Hello World. Credit so far goes to NOPx86 for discovering the vulnerability and proof of concept on the PC, and Skylark and psp250 for researching it on the PSP. I've helped a bit too, but those guys have done the bulk of the work. __________________ Using firmware v2.00-v3.50? Open up a whole world of homebrew here The PSP Homebrew Database needs YOU! Your ISP may be illegally wiretapping all your web activity. Stop Phorm Now! Visiting the Edinburgh Festivals? Get practical advice from experts.

08-21-2006, 05:35 PM	#306
Access_Denied I'm Baaaack! Join Date: May 2006 Location: Waukegan,Illinois Posts: 2,186 Trader Feedback: 0	If the exploit does work on 2.5+, could the eLoader be easily adapted to work with this exploit? Or will it take another couple weeks to create a whole new eLoader? __________________

08-21-2006, 07:40 PM	#309
FreePlay Join Date: Dec 2005 Location: h0000000rj Posts: 12,858 Trader Feedback: 0	Kick... ass. __________________ [qj now fails.]

08-21-2006, 09:00 PM	#310
Theknightinhell Suicide Silence Theknightinhell Join Date: Sep 2005 Location: New Jersey Posts: 2,163 Trader Feedback: 0	Damn skippy, kick ass. Good luck Fanjita, Skylark, and PSP250 __________________

08-21-2006, 09:20 PM	#311
TheEmulatorGuy Developer Join Date: Feb 2006 Location: Tauranga, New Zealand Posts: 355 Trader Feedback: 0	I don't think we'll be seeing a kernel eLoader, since 2.0 didn't have one. __________________

08-21-2006, 10:24 PM	#312
Twenty 2 Developer Join Date: Jun 2005 Location: At my house... Posts: 885 Trader Feedback: 0	But that was a different exploit. You cant base your expectations on what was set in the past with this exploit. __________________ F.A.L.O?

08-21-2006, 11:11 PM	#314
the_darkside_986 Developer Join Date: Jul 2006 Posts: 262 Trader Feedback: 0	Holy crap the exploit was confirmed. Awesome. I've got 1.5 but for some reason, I always find this type of news exciting. How exactly did they confirm it is what I'm wondering. __________________ http://openpandora.org/

08-22-2006, 05:15 AM	#317
Abe_Froeman Retired QJ ***istrator Join Date: Jan 2006 Real First Name: Mandatory Field Filler Location: East Coast of US Just Played: Mandatory Field Filler** Posts: 14,616 Trader Feedback: 0	Per some members requests, I went through and cleaned out all of the spam since this thread has been moved to the Dungeon. If you have nothing to contribute to the thread or this isn't your area of expertise, just because you can post in the Dungeon doesn't mean you "need" to.

08-22-2006, 07:48 AM	#319
IchigoKurosaki Party at Las Noches! Join Date: Jun 2005 Location: Florida Posts: 1,648 Trader Feedback: 0	If i'm correct VSH Mode dosen't have access to Kernel Mode Function, but does have access of changing between Game Mode and Kernel/Update Mode... __________________ .:Nobis Development Group:. .:Personal Portfolio:. Playstation Portable - PSP1001 - 3.90 M33-2

08-22-2006, 11:50 AM	#320
FreePlay Join Date: Dec 2005 Location: h0000000rj Posts: 12,858 Trader Feedback: 0	VSH mode definitely has kernel access. There's no doubt of that, really... I managed to mount an ISO as disc0: and read from it using nothing but syscalls under the 2.00 VSH. __________________ [qj now fails.]

08-22-2006, 02:34 PM	#322
FreePlay Join Date: Dec 2005 Location: h0000000rj Posts: 12,858 Trader Feedback: 0	B'doh. I stand corrected. __________________ [qj now fails.]

08-22-2006, 11:45 PM	#324
FreePlay Join Date: Dec 2005 Location: h0000000rj Posts: 12,858 Trader Feedback: 0	That would probably be kind of you. __________________ [qj now fails.]

08-23-2006, 02:01 AM	#326
IchigoKurosaki Party at Las Noches! Join Date: Jun 2005 Location: Florida Posts: 1,648 Trader Feedback: 0	No it was Update Mode... __________________ .:Nobis Development Group:. .:Personal Portfolio:. Playstation Portable - PSP1001 - 3.90 M33-2

08-23-2006, 09:55 AM	#328
Twenty 2 Developer Join Date: Jun 2005 Location: At my house... Posts: 885 Trader Feedback: 0	So why doesnt the 2.6 exploit work on 2.7? __________________ F.A.L.O?

08-23-2006, 10:37 AM	#330
hàrléyg² My name is Mud Join Date: Dec 2005 Posts: 1,538 Trader Feedback: 0	I'm thinking about closing this thread and only allowing fanjita to post news updates inside it. I'll ask him what he thinks. __________________

QJ.net Game Discussion - PSP, Xbox, Wii, PS3, PSP Homebrew, and PSP Guides

libtiff vulnerability crash's 2.71 and 2.80