The serial port could have access to the RAM potentially, which is how flashing the PSP's NAND chip works, don't forget that.
See my post in the (locked) PSP Flasher thread on my theory of that :)
Quote from TeamOverload:
I will never find that in there.
LINKAGE :)
Quote from TeamOverload:
Alright, so therefore it will still require the serial port, but USB as well, in a joint effort.
Well, first we'd need to find out IF there's something behind that theory and, if so, we'd need to find out what triggers the PSP to listen to the serial port instead of trying to launch the firmware....
Quote from TeamOverload:
Well, it seems my sample with Maxim went through, so hopefully it will come Saturday. I just need a remote and some 0.1 µF ceramic disc capacitors and it's off to TO.
Well, I am getting a serial cable soon, and I have a serial logger, so I will run some tests.
Just wondering (not to break the discussion here, but), even if something was found through the serial port, wouldn't you need a serial cable to make use of the exploit anyways?
Not to be a kill-joy, but why are you guys talking about serial flashing in here? This is supposed to be about finding an exploit using the 2.71 dump. Try creating a new topic, TO, and most likely more people will join in the project, and this one can resume.
We will just keep the discussion hidden in here so hopefully iBall and FreePlay won't spam it up :p
Also, I am planning on getting a disassembly of the hpremote.prx to see every function there is. That involves the decrypted dump ;)
Cheeky boy, TO :P lol. And the iBall/FreePlay thing's a good idea, haha.
So do you have a disassembler?
Yeah, but it's being a pain, because whoever got me the Java SDK got me an old version. I'll download the latest one when I get my PC internet fixed this weekend.
Well I'm online for a bit now. If you find me a link, I'll download it for you
Just use PS2Dis... :-)
At least it's what I use...
The PSP 2.71 browser uses zlib 1.2.1 and libpng 1.2.6. Both of these are vulnerable to a few exploits. Whether the PSP itself is or not is unknown. Discuss!
I'll check it out, freeplay. I'll report back later
Sounds interesting, tell your results.
Quote from TheKnightInHell:
Interesting. Do any allow arbitrary code, and does anyone know if there is a proof of concept out?
Quote from FreePlay:
There was a proof-of-concept PNG image for an exploit for zlib 1.2.1, but I cannot find it anywhere. And yes, the exploits would allow for arbitrary code execution, if we could figure out how the hell they work. So far, Skylark, nopcode and I (from the Noobz IRC channel) are all stumped. (That or we just haven't really tried yet :p)
I found a page describing how the zlib buffer overflow was executed, do you want to see it?
Quote from FreePlay:
I found out that somebody found an exploit that requires that the application is written to strip the alpha channel from a PNG file.
The vulnerability is caused due to a boundary error in the "png_set_strip_alpha()" function within the handling of a PNG image file containing alpha channels. This can be exploited to cause a heap-based buffer overflow via a specially-crafted PNG file.
The vulnerability has been reported in versions 1.0.16, 1.0.17, 1.2.6, and 1.2.7.
Dunno if this also works on a PSP, maybe someone can give it a try?
Here is information for the zlib buffer overflow that I've found. No idea if any good or any use, but here ya go:
Quote from SecuriTeam:
This might be interesting
Quote:
Two vulnerabilities have been reported in libpng, which potentially can be exploited by malicious people to compromise a user's system.
A boundary error in the "png_handle_tRNS()" function and an integer overflow in the "png_read_png()" function can be exploited to cause buffer overflows by tricking a user into viewing a specially crafted PNG image with an application linked to the vulnerable library.
Successful exploitation may allow execution of arbitrary code.
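The libpng issues quoted above (and the png_set_strip_alpha one quoted earlier in the thread) are the same bug class: a chunk length read straight from the file drives a copy into a buffer of fixed size, and in the tRNS case that buffer is the transparency table of a paletted image. The following is an added example, not code from libpng, from the PSP firmware, or from anyone in this thread: a minimal PNG chunk walker in C that checks every declared chunk length against the bytes actually present before touching the data, verifies each chunk CRC, and bounds a tRNS chunk by the palette size the way a paletted decoder must. The function names (check_png, build_sample, put_chunk) and the status codes are mine, and the 1x1 indexed image it checks is constructed inline (it has no IDAT, since only chunk framing is examined).

```c
/* Added example: PNG chunk walker with the length checks a decoder needs
 * before it copies chunk data into fixed-size buffers. Not libpng code and
 * not from the thread; the sample image it checks is constructed inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum png_status { PNG_OK = 0, PNG_BAD_SIG, PNG_TRUNCATED, PNG_BAD_CRC,
                  PNG_BAD_LEN, PNG_TRNS_BEFORE_PLTE, PNG_TRNS_TOO_LONG };

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

/* CRC-32 exactly as the PNG spec defines it (zlib polynomial), over type + data. */
static uint32_t png_crc(const uint8_t *buf, size_t len) {
    static uint32_t table[256];
    if (!table[1])                                   /* build the table once */
        for (uint32_t n = 0; n < 256; n++) {
            uint32_t c = n;
            for (int k = 0; k < 8; k++) c = (c & 1) ? 0xedb88320u ^ (c >> 1) : c >> 1;
            table[n] = c;
        }
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < len; i++) c = table[(c ^ buf[i]) & 0xff] ^ (c >> 8);
    return c ^ 0xffffffffu;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Walk the chunk stream: every length is validated against the bytes that are
 * really there, every CRC is checked, and tRNS is bounded by the palette. */
static enum png_status check_png(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    int color_type = -1;
    uint32_t plte_entries = 0;
    for (size_t off = 8; off < len; ) {
        if (len - off < 12) return PNG_TRUNCATED;          /* length + type + crc */
        uint32_t clen = be32(buf + off);                     /* attacker-controlled */
        if (clen > len - off - 12) return PNG_TRUNCATED;    /* check BEFORE any use */
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (png_crc(type, 4 + clen) != be32(data + clen)) return PNG_BAD_CRC;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PNG_BAD_LEN;
            color_type = data[9];
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (clen == 0 || clen % 3 || clen > 3 * 256) return PNG_BAD_LEN;
            plte_entries = clen / 3;
        } else if (memcmp(type, "tRNS", 4) == 0) {
            /* For an indexed image tRNS holds one alpha byte per palette entry, so
             * its length can never exceed the palette (and never 256). A decoder
             * that copies it into a 256-byte table without this test overflows. */
            if (color_type == 3) {
                if (plte_entries == 0) return PNG_TRNS_BEFORE_PLTE;
                if (clen > plte_entries) return PNG_TRNS_TOO_LONG;
            } else if (color_type == 0) { if (clen != 2) return PNG_BAD_LEN; }
            else if (color_type == 2)   { if (clen != 6) return PNG_BAD_LEN; }
            else return PNG_BAD_LEN;     /* tRNS is illegal with an alpha channel */
        } else if (memcmp(type, "IEND", 4) == 0) {
            return PNG_OK;
        }
        off += 12 + clen;
    }
    return PNG_TRUNCATED;                                    /* no IEND seen */
}

/* Append one chunk (length, type, data, CRC); returns bytes written. */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t len) {
    put32(out, len);
    memcpy(out + 4, type, 4);
    if (len) memcpy(out + 8, data, len);
    put32(out + 8 + len, png_crc(out + 4, 4 + len));
    return 12 + len;
}

#define SAMPLE_MAX 1024
/* Constructed sample: 1x1, 8-bit indexed, one palette entry, then a tRNS chunk
 * of trns_len bytes (1 is legal; more than the palette size is not). IDAT is
 * omitted because only chunk framing is checked here. trns_len <= 512. */
static size_t build_sample(uint8_t *out, uint32_t trns_len) {
    const uint8_t ihdr[13] = { 0,0,0,1, 0,0,0,1, 8, 3, 0, 0, 0 }; /* w=1 h=1 depth=8 type=3 */
    const uint8_t plte[3] = { 255, 0, 0 };
    uint8_t trns[512] = { 0 };
    size_t n = 8;
    memcpy(out, PNG_SIG, 8);
    n += put_chunk(out + n, "IHDR", ihdr, 13);
    n += put_chunk(out + n, "PLTE", plte, 3);
    n += put_chunk(out + n, "tRNS", trns, trns_len);   /* chunk header lands at offset 48 */
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

int main(void) {
    uint8_t buf[SAMPLE_MAX];
    size_t n = build_sample(buf, 1);
    printf("tRNS of 1 byte:    status %d\n", check_png(buf, n));   /* 0 = PNG_OK */
    n = build_sample(buf, 300);
    printf("tRNS of 300 bytes: status %d\n", check_png(buf, n));   /* 6 = PNG_TRNS_TOO_LONG */
    return 0;
}
```

The order of the tests inside the loop is the point: the length is compared with the remaining file size before the CRC or any chunk-specific code reads `clen` bytes, and the tRNS bound is applied against the palette actually seen rather than trusted from the file. Corrupting the sample (a length field of 0xffffffff, or a flipped palette byte) is rejected as truncated or CRC-mismatched without ever reaching a copy.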
I already know about those :p
Well, did they have any use? :p
No, because someone said once that paf.prx (which I assume views the images) doesn't contain those code strings... so they can be overflowed...
Correct me if I'm wrong. I just say what I remember :P
This is the closest I can find about the zlib exploit, sorry if it's redundant. I'll google some more later:
http://seclists.org/lists/bugtraq/2002/Mar/0185.html
I don't know if this will help?
http://www.maxconsole.net/?mode=news&newsid=5484
^^^ that is kind of old, and was proven useless as far as I know.
Quote from jen_1982:
Ah ok, just trying to help.
Quote from mattjm1230:
TeamOverload is done with this stuff thanks to the fakes.
He is? When did this happen?
What was a fake? I have trouble believing what FreePlay said was a fake. And all of the other crap in the other threads has nothing to do with this, so why would TO quit this?
Looks like for a while he's been angry with it. I don't see the need for huge words in his sig, but, meh. I guess I'll do it too to feel important.
Quote from X omega v5:
I think TO quit b/c of:
Madmatty: serial cable FAKE exploit, lied about being a former Sony employee.
And recently the guy with the "Flash Overflow".
:\
Let's hope the rest of the scene doesn't quit b/c of people like them...
Understandable. With all the crap he's been through, I'm surprised he stayed in as long as he did.
Yeah, that's a cool sig!
Quote from Smiffers:
Has this been PROVEN fake?
Quote from SarahBaby3325:
Can you give me a link?
Yes, it's fake. He claimed that the serial port was directly connected to the NAND chip... and it's quite obviously not.