Nope. At the moment I'm inspecting the Lumines savedata. I noticed that if you leave off the 0x00 at the end of a name in the high score table, it freezes the game (but doesn't shut down the PSP). Dunno if that's at all useful.
Sounds interesting. If it is, guess I will have to go out and buy lumines.
Finally, something interesting in the only game I have for my PSP.
if that works, then I'll buy Lumines...
damn lumines costs €60 here.. i hope it works anyway.
Isn't Lumines supposed to become a Greatest Hit? I hope so.
i prefer not to buy games to get exploits...i would have to think about that...
Well, I rented Lumines before, and it is a pretty awesome game anyways. So, I wouldn't mind buying it. Who knows though, this might not lead to anything, so I won't get too hyped.
If it takes a game for an exploit, I would buy it.
Hope it does lead to something. Anyway you could just rent Lumines, I would buy it though. Great game.
Already got it last year. Excellent game.
But I've been burned by this scene too much for hope and prayers.
Fake downgraders took most of my hope away...
Quote:
Quote from X omega v5
*coughcoughihateyougoldrushcoughcoughyoutohomebrew271coughcough*
Sorry, choked on a carrot :)
Although this is old data and I'm not quite sure if everyone is already aware, I figured in case any of these had been overlooked, I thought I'd add this to see if this might help in the fight against 2.7.
The browser history files thing sounds interesting, and the Wipeout ghost thing as well.
http://www.psp-hacks.com/forums/viewtopic.php?t=12526
This was done by PSP250; from the front page that's on top.
I tried to summarize what I gathered from various sites about the status of 2.0+ FW hacks.
Looking forward to CONSTRUCTIVE comments.
This info is listed here in order to possibly make some progress and share what people know.
Latest Status:
FW 2.00 - TIFF Exploit / Downgrader
available / Limited homebrew
FW 2.01 - GTA Savegame exploit / No downgrader / No homebrew
FW 2.50 - GTA Savegame exploit / No downgrader / No homebrew
FW 2.60 - No exploit / No downgrader / No homebrew
Found Vulnerabilities:
- Browser historyv.dat Heap Overflow (2.0-2.5)
- libungif memory write access (2.0-2.5)
http://www.sukima****a.com/temp/bad-24.gif
(Immediate crash due to segfault)
http://www.sukima****a.com/temp/bad-17.gif
(Same technique but different memory location overwritten, watch thumb with corrupt pixels after reboot)
- GTA savegame buffer overflow (2.0-2.5)
- Wipeout savegame buffer overflow (2.0-?)
Approaches:
- Run code using buffer overflow
- Sign/encrypt homebrew app and make the psp run it
(- Alter 1.50 FW to be pseudo 2.51 update and run it; does not work, encryption problem and 2nd version check within psar)
DISCARDED - Find private encryption key for signing homebrew (takes too long)
Buffer Overflow
Some flaw in the code enables injection of code in order to execute bytecode.
Possible Weakness List 2.5 FW:
SAFE = Not vulnerable/No known exploit
???? = Untested on 2.5 FW
VULN = Vulnerable
SAFE - Bookmark File, String lengths in Attributes / URIs
VULN - Browser History Files
???? - LIBMPEG PSMF, libmpeg/PMF exploits (custom sony lib)
???? - Video Play, use wrong picture/frame info/size in videos to cause an overflow
SAFE - zlib 1.2.3, http://www.zlib.org/
SAFE - libpng version 1.2.8, http://www.libpng.org/
SAFE - Netfront Browser uses libpng 1.2.6
SAFE - libtiff
???? - Abuse proc:// scheme
VULN - libungif
???? - Wipeout "Ghost" Savegame Exploit
VULN - GTA Savegame Buffer Overflow
???? - MP4 Video Overflow (Since now only reported to work on 2.0 FW max)
... your ideas?
Features to research for possible flaws:
- Pictures: Overflow in Image routines (TIFF, PNG, GIF, BMP, JPG, ...)
- Music: Overflow in Audio routines (MP3, AT3, WAV, ...)
- Movie: Overflow in Movie routines (MP4, ...)
- Game: Run unsigned code/modify signed code to cause overflow/modify updaters
- Game-Sharing Feature
- Netfront Browser: Find exploit within browser
- Savegames: Find exploit in savegame loading routines
- LocationFree System
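The two savegame defects this thread keeps coming back to, a name in the high score table with its terminating 0x00 left off (reported at the top of the thread for Lumines) and a savegame record whose length field is trusted when copying into a fixed buffer (the GTA and Wipeout entries above), are both parser bugs. The following C is an added example, not code from the thread or from any of the games or tools it names: a checked record parser that rejects both malformed inputs with a distinct error code, shown next to the unchecked pattern that produces the over-read and the overflow. The record layout (one length byte, the name bytes, a 32-bit little-endian score) and the sample blobs are constructed for this example and are not the real Lumines or GTA savedata format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX 16   /* size of the in-memory name buffer, including the 0x00 */

/* Result codes returned by the checked parser. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED,      /* record claims more bytes than the blob holds */
    PARSE_NAME_TOO_LONG,  /* name_len would overflow name[]               */
    PARSE_NO_TERMINATOR   /* no 0x00 inside the declared name bytes       */
};

struct highscore {
    char name[NAME_MAX];
    uint32_t score;
};

/* Unchecked parser: the pattern behind the bugs discussed in the thread.
 * It trusts name_len, so memcpy can write past name[], and it assumes the
 * name is terminated, so strlen walks past the buffer when it is not.
 * Kept for comparison only; nothing below calls it. */
void parse_record_unchecked(const uint8_t *rec, struct highscore *out)
{
    uint8_t name_len = rec[0];
    memcpy(out->name, rec + 1, name_len);            /* no bounds check  */
    out->score = (uint32_t)rec[1 + name_len]
               | (uint32_t)rec[2 + name_len] << 8
               | (uint32_t)rec[3 + name_len] << 16
               | (uint32_t)rec[4 + name_len] << 24;
    (void)strlen(out->name);                          /* over-read if unterminated */
}

/* Checked parser: every length is validated against both the buffer and the
 * bytes actually supplied, and the name must carry its own 0x00. On success
 * *consumed receives the record size so a caller can walk a whole table. */
enum parse_result parse_record_checked(const uint8_t *blob, size_t blob_len,
                                       struct highscore *out, size_t *consumed)
{
    if (blob_len < 1)
        return PARSE_TRUNCATED;
    size_t name_len = blob[0];
    if (name_len > NAME_MAX)                 /* cannot fit, reject before touching it */
        return PARSE_NAME_TOO_LONG;
    if (blob_len < 1 + name_len + 4)         /* len byte + name + score must be present */
        return PARSE_TRUNCATED;
    /* The terminator has to be inside the declared name bytes; a name that
     * runs to its length with no 0x00 is exactly the freeze case reported. */
    if (name_len == 0 || memchr(blob + 1, 0, name_len) == NULL)
        return PARSE_NO_TERMINATOR;
    memset(out->name, 0, sizeof out->name);
    memcpy(out->name, blob + 1, name_len);   /* safe: name_len <= NAME_MAX */
    const uint8_t *s = blob + 1 + name_len;
    out->score = (uint32_t)s[0] | (uint32_t)s[1] << 8
               | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
    *consumed = 1 + name_len + 4;
    return PARSE_OK;
}

/* Parse consecutive records; returns how many were accepted and leaves the
 * reason for stopping in *why (PARSE_OK means the blob was consumed exactly). */
size_t parse_table(const uint8_t *blob, size_t blob_len,
                   struct highscore *out, size_t max_out, enum parse_result *why)
{
    size_t n = 0, off = 0;
    *why = PARSE_OK;
    while (off < blob_len && n < max_out) {
        size_t used = 0;
        *why = parse_record_checked(blob + off, blob_len - off, &out[n], &used);
        if (*why != PARSE_OK)
            break;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample blobs (not real savedata). */
const uint8_t sample_good[] = { 4, 'A', 'A', 'A', 0, 0x40, 0xE2, 0x01, 0x00 };  /* "AAA", 123456 */
const uint8_t sample_unterminated[] = { 3, 'A', 'A', 'A', 0x40, 0xE2, 0x01, 0x00 }; /* 0x00 left off */
const uint8_t sample_oversized[] = { 40, 'A', 'A', 'A' };                          /* length > NAME_MAX */
const uint8_t sample_table[] = { 4, 'A', 'A', 'A', 0, 0x40, 0xE2, 0x01, 0x00,
                                 3, 'B', 'B', 'B', 0x10, 0x27, 0x00, 0x00 };       /* good, then bad */
```

The ordering of the checks matters: an oversized length is rejected before the blob length is compared against it, so a short malicious record cannot be mistaken for a merely truncated one, and the terminator check happens before any copy, so the name buffer is only written from bytes already proven to contain a 0x00.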
A bit outdated though. We should add our results for what we did so far.
The cable (if done by my plans) will be done this week. I'll do some experimentation on it. I might just even keep it, since TO has not replied to me if he wants it or not.
Yeah, I'm not too sure about the serial cable. You can just keep it if you want.
http://astalavista.box.sk/cgi-bin/robot?srch=xp
Although this pertains to OS exploits, maybe some digging around will reveal more exploits for the PSP.
I'm not sure if any of you know about this site, but I came across it looking for info on buffer exploits. http://psphacks.blogspot.com
It's some guy who goes by the name of liquidice and he pretty much kept a very decent timeline of all hacks and exploits since 1.0.
Very interesting stuff to read, and also some interesting stuff on crashing the Wipeout Pure browser in 6 different ways. Could help us get something going on 2.7/2.71.
Just thought I'd share my findings.
Smashing the Stack - PSP Buffer Overflow Exploits
If anyone is attempting to do buffer overflow exploits on the PSP, I'd suggest taking a look at this article:
http://www.hxdef.org/knowhow/stackover.txt
It explains in great detail how a stack works, the concepts behind a buffer overflow, examples of how to write shell code, and how to bring everything together using NOPs to get to the right place in memory. It has helped me a lot with understanding the concepts talked about in the Wipeout browser crash thread. Hopefully it will help someone else figure out how to get our own code working in there. It is not PSP specific, but the concepts are the same.
Good luck!
6 ways to crash the Wipeout Browser
tbminc over at ps2dev has been able to put the Wipeout browser into a buffer overflow mode and execute other system functions. This looks promising for doing an exploit.
With help of #pspdev I was able to continuously call "sceKernelSleepThread", so sound continued but the browser crashed. Yay.
The binary is in fact loaded to 08900000. That location seems to be "static", it isn't randomized or so.
Next big task is to place some more interesting code somewhere where we know the memory address of. I haven't succeeded here for now.
Damn, i wish i had a ramdump of the running game...
If anyone has info for him, or wants to start trying this for themselves check out this thread:
http://forums.ps2dev.org/viewtopic.php?t=1948
Wow, sounds interesting! Good work Jedi. This sounds like it will lead to something hopefully!
I assume those are tbminc's words... IIRC, they realized that there was no real way for him to tell if he had just crashed the game thread, or if he was making it sleep, since the audio thread would continue running in either case. But yeah, ANYWHERE that user-made data is loaded, there's a potential entry point.
Quote:
Quote from jedimasteryoda
But what system functions would lead to an entry point?
Quote:
Quote from jedimasteryoda
Static? You mean it's an unused memory address? Could we write code that runs when "sceKernelSleepThread" is run, and make it so that it allocates to that address?
Quote:
Quote from jedimasteryoda
I believe that's what they were attempting, however they were unable to get a fixed return address if I understood what I read correctly, not to mention to implement code for execution, but they stopped working on the exploit.
I figured this may be a step in the right direction seeing as how we need an exploit and game exploits seem to be the closest way to get homebrew on 2.7.
I'm hoping someone will look over what I found and maybe continue to work on it. Since we now know more about the PRXs and the memory addresses, we could possibly use this as a way in.
If i find anything else i'll post it.
What game is more vulnerable to an exploit? WipeOut PurE or Lumines?:Jump:
WipeOut Pure loads track packs on startup - If you want a fast exploit (GTA takes too long to get straight to the eMenu) then WP might warrant a second look.
The wipeout browser bugs are fixed in later versions of the game (including the EU launch version).
Because of that I don't consider the WOP browser bugs to be a good platform for homebrew execution.
Personally I don't think Lumines; its savegame system means you can't have a homebrew loader and a save at the same time...
Quote:
Quote from ][+][ a c K 3 r
But of course we could try it...
But what to exploit?
Maybe the same as the GTA exploit, just changed to Lumines data?
Not sure.
Personally I think anyone with Midnight Club 3: DUB Edition (US region) should try exploits as it was listed for something under a savegame prx. (in the same place as GTA, probably)
The only games listed under the savedata PRXes were the US, European, and German versions of GTA. Nothing else is there.
Quote:
Quote from PSP Pro_1
Anyways, Lumines' savedata is a bit complicated; you could probably tuck the exploit away in the Network Game History table :p That way it wouldn't force you to run it if you wanted to play the game normally; just if you opened the corresponding screen.
I simply don't like the GTA eLoader because you jump through multiple screens before you get to the menu - The TIFF version was great - We need to find an XMB alternative.
That wouldn't bother me.
What's the exact bug? I bought my copy used, like in April last year.
Quote:
Quote from Fanjita
I have midnight club three so if there is anything I can do to help I will, or test something. Just tell me what to do. I really don't understand exactly how eloader worked so I couldn't move those files to a save game file and put them in the right place. (I know that it is something added to a save game)
I have Lumines, I got it used so it should be old enough. I'd be more than willing to help.
kennygprs
I think we'd need to find an entry point before we find an alternative to it. :down: :PC:
Quote:
Quote from joshdb
I'm starting to think that the only way is through games, because the xmb is starting to seem exploitless.
we need a vulnerable game...
my guess is wipeout but if they updated it, then we need another one...
Yeah, cuz isn't it in the Greatest Hits?
you could try WP and help a few ppl
Yeah but I think the goal is an entry point that the majority could try, still I say go for it.
Ok, I haven't had any time to make any more progress on the cable.
What'll we use the cable for anyway? If it's a serial cable for the remote port, it'll just be able to emulate the remote.
Unless you have something up your sleeve?
Trying out the theory of flashing via serial somehow.
Quote:
Quote from kEnnY GpRS