[RELEASE] GripShift Hello World + Sparta SDK

[MaTiAz]

Ok, so this is the Hello World version of the GripShift exploit, complete with a binary loader and SDK to make your own binaries.

The readme says it all:

Code:

Hello World on PSP FW 1.52-5.02
The Spartaaaaaaaaaaaaaaaaaaaa!!! Exploit

by MaTiAz & FreePlay

Instructions
------------
1. Copy the contents of MS_ROOT into the root of your memory stick.
(This will overwrite the first GripShift savegame slot).
2. Launch the US version of GripShift.
3. Load up the game (if it doesn't autoload).
4. See your PSP run unsigned code. :)

It'll autoexit after some time. You can use the home button to exit too if
you've seen enough.

FAQ
---
Q: Will this allow downgrading?
A: No, because this is an usermode exploit and functions required to downgrade are
   only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with
   "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay's GS SDK: http://f6y.ath.cx/pspdev/sparta_sdk.zip
   It has some constraints though, check the readme.
   The Hello World was written with it. :)

Credits
-------
Exploit and binary loader: MaTiAz
SDK: FreePlay
Greets go to Dark_AleX, Mathieulh, jas0nuk, Hellcat, etc. etc. etc, you know.

Download Hello World
Download Sparta SDK

[Savagefreak]

w00p?

[eldiablov]

Great work MaTiAz. I would really be interested to know how you got this working.

[FreePlay]

Two days straight of working on it tirelessly, mostly. Stopping occasionally to eat.

Hooah.

[matthew]

sweet guys, awesome work

[emcp]

who, oh

just wondering
this should aid DA into finding the necessary changes to his pandora

[mohaas05]

who, oh

just wondering
this should aid DA into finding the necessary changes to his pandora

Uh, this is the farthest thing from pandora.

I'm sure eventually we'll see a downgrader. 2.8 was originally just user-mode too.

[Davee]

who, oh

just wondering
this should aid DA into finding the necessary changes to his pandora

I doubt it. It's user mode only so far, plus, I'm sure Alex has his own exploit, probably kernel mode.

[emcp]

I doubt it. It's user mode only so far, plus, I'm sure Alex has his own exploit, probably kernel mode.

yeah just noticed, on the main page it says usermode, should have also looked at the FAQ too

ah well, it gives some encouragement to persevere

[pspfreak101]

this brings back the good ole days with psp hacking haven't seen an exploit in soon long :)

[NoEffex]

You could probably hook functions via assembly (I've done in it several usermode games, can't deny a subroutine access to it). I JUST ordered gripshift, so I will gander at this bad boy, it'd be neat if anything worthwhile came out of it.

EDIT, now that I think about, what I think could be done is hooking of a kernel thread to load a kernel module(by hijacking a jr ra off some BS kernel function and the arguments) which then does sorta a pause-game type thing, which then once you have your kernel module you can do whatever you might desire.

[Sythun]

Has anyone tried running these exploits on the European version of the game? Gotta find out before I go searching for it :)

[matthew]

i tried. the sdk and savegames released only work on usa version. probably can be ported to european versions though

[Mr305]

I've always been fascinated by Exploits!

Especially White Text Black Background + "Hello World"

[MaTiAz]

Has anyone tried running these exploits on the European version of the game? Gotta find out before I go searching for it :)

Well, there's a bit of a problem with the binary loader on the european version, seems like sceIoOpen doesn't want to work. We'll be working on that, since the exploit does exist on the european version too.

[World_Genesis]

w00t

[FreePlay]

I actually made my own Hello World (based on SG57's Snowfield demo) but MaTiAz made the exploit so his Hello World takes precedence

Here's the other one:

[tinmanx]

WoW, I changed a print

Thanks for the hard work everyone.

[pspfreak101]

it should be easy to port some tiff brew for people to use while waiting for a eloader

[NoEffex]

eloader? I think this time they'll be wanting to head straight to cfw, which essentially if you can run a kernel-mode prx, I'm pretty sure you can.

[TurtlesPwn]

eloader? I think this time they'll be wanting to head straight to cfw, which essentially if you can run a kernel-mode prx, I'm pretty sure you can.

one minor problem: you can't.

so, they'll probably make a loader first.

or am I missing something?

[Light_AleX]

Dark_AleX definitely has a kernel exploit to do all that.

How the heck did he dump the PSP-3000 decrypt tables then?

Except, he doesn't want to release it, yet.
:)

Porting the old libtiff homebrew could have some limits, if the GP SDK doesn't have the necessary functions, you are going to have to find them in the game itself. Only the functions imported by the game are allowed to be used by the exploit. Correct me if I am wrong.

@TurtlesPwn,

If they are able to get substantial kernel access, direct CFW or downgrading is possible. It happened in the Illuminati exploit. Maybe not an eLoader first but a HEN to allow those stuff. :)

-Light_AleX

[TurtlesPwn]

@TurtlesPwn,

If they are able to get substantial kernel access, direct CFW or downgrading is possible. It happened in the Illuminati exploit. Maybe not an eLoader first but a HEN to allow those stuff. :)

-Light_AleX

Well you don't say do you? REALLY? WOW!

Thanks, captain obvious. What I was saying was that as of right now, there is no kernel access at all.

[NoEffex]

Well you don't say do you? REALLY? WOW!

Thanks, captain obvious. What I was saying was that as of right now, there is no kernel access at all.

If you use assembly you can store to any partition on the ram, thus hooking a kernel function to redirect a kernel thread to do the dirty work for you. It's not some mystical magical area where the laws of the MIPS assembly language are bent and torn. I'm talking on an assembly level. I think you misunderstood me.

[TurtlesPwn]

I would think if it was that easy they already would've done it. The PSP has a good bit of RAM, finding the right spot would take a while and probably not be consistent across various PSPs.

[NoEffex]

I would think if it was that easy they already would've done it. The PSP has a good bit of RAM, finding the right spot would take a while and probably not be consistent across various PSPs.

http://pastebin.com/m597d6b73

lol, just scan for any jr ra you want, it'll end up looping back around eventually if you code it right.

If that is no avail, you could even make one that records all the addresses of the jr ra's.

[TheKing]

If you use assembly you can store to any partition on the ram, thus hooking a kernel function to redirect a kernel thread to do the dirty work for you. It's not some mystical magical area where the laws of the MIPS assembly language are bent and torn. I'm talking on an assembly level. I think you misunderstood me.

Nope, you can't arbitrary write to any RAM address with a user mode thread. A user mode thread can only access user partition memory. Another kernel exploit will need to be found to allow kernel mode access. Since we now have a user mode access, turning it into a kernel mode xploit is only a matter of time. Thanks to buggy Sony PSP APIs.

SilverSpring, a friend of DA, has already said Dark_AleX has his own user mode & kernel mode exploit. This means the GripShift xploit won't be helpful to DA in aiding his work. I do believe DA has already made his M33 CFW running on PSP3000 by using his own user/kernel mode exploit. He couldn't release it, 'cos he doesn't wanna release his user/kernel mode exploit. In fact, this is the right thing to do. If he releases his own exploit, Sony will patch it right away. On the other hand, he may release the M33 CFW for PSP3000 using GripShift exploit, since this one is already known by Sony. Just my 2 cents worth.

[slicer4ever]

don't get me wrong but arn't we forgetting about the psp-2000's that have the new un-pandorable motherboards(unless i've missed something which allows them to be downgraded)?, you guys keep saying DA has already found an exploit for PSP3k's, but gripshift can possible lead to an downgrader for unpandorable 2k mb's

[TurtlesPwn]

Nope, you can't arbitrary write to any RAM address with a user mode thread. A user mode thread can only access user partition memory. Another kernel exploit will need to be found to allow kernel mode access.

I thought this as well for a reason why getting kernel mode is not as easy as noeffex thinks but I don't have much knowledge of the actual system workings of a PSP. Thanks for confirming.

[infinity888]

Wait im not really great with all this stuff so dont flame me to hard but if a kernal mode exploit was found couldent you then dump the pre/ipl and then get a working pandora?