PSP Browser History Files Research / historyi.dat historyv.dat
I was doing some research for weaknesses in the 2.5 FW and recently focused on the browser.
After deciphering the browser historyx.dat files I was able to create my own and find out their file structure. (Just editing does NOT work because the browser has 3 checks to avoid any modification of the file.)
I was able to do what I would call a standard string overflow by creating a title which possibly exceeds the boundaries usually defined for the title.
It happens when you open the browser history (the history title of an entry appears wrong, which might be a sign of an overflow) and particularly when you open up the submenu to show "information" about the entry (wait a sec) OR when you select the history entry (in order to browse to it): the PSP freezes. After a few seconds it automatically shuts down. Only holding the power switch for some seconds makes it reboot from the start.
So far so good.
However my knowledge about the PSP registers and locating the entry point is not that good so I would need some help from people who HAVE an idea how to inject code and validate if this is possibly an overflow.
Attached is the file to put in ms0:/PSP/SYSTEM/BROWSER/
(Use 003 version which works on 2.0 & 2.5 FW)
1. Put historyv.dat into ms0:/PSP/SYSTEM/BROWSER/
2. Start Browser
3. Select the History Icon in the toolbar
4. Scroll down the history entries to the LAST entry (It looks buggy!)
5. Either press X and it freezes OR Triangle, Information, Press Up/Down, wait a sec, now it freezes
Please PM me about this only IF you can help AND have knowledge of buffer overflows.
- If the "information" is selected to be shown, no scrollbar appears nor a "title" label. It might be a "division by zero" freeze caused by the scrollbar thumb which gets smaller the longer the title is. There is a small delay where you can still press O to get back to the history list, if you wait a second it freezes.
- Made some tests with different title length and spotted surprising behaviours. Randomly (dis-)appearing titles, blank title but correct width selection rectangle.
- Freeze behaviour seems to start at approx. 90.000 bytes title size, causing an empty title.
- It seems that at ~200.000 bytes, the title of the prior history item shows up as the title; as seen in the example dat file (will validate to make sure later).
- The title displayed in the "Information" function is a null-terminated string showing 4354 chars (thus using 0x00 in the file cuts it).
- If the history is looked at, but the freeze is not triggered and the browser is closed, it writes a historyv.dat with just "Ver.01" in it.
- The buffer seems to overwrite memory in the heap, pretty distanced from the next stack.
// Work on this has been stopped. Attached to this post you will find some C code snippets to generate appropriate files if you would like to dig into it.
If you do not understand the above:
THIS IS NOT A DOWNGRADER
THIS IS POSSIBLY NOTHING THAT LEADS TO ONE
THIS IS RESEARCH ONLY