First PSP-3000 Hack? GripShift Save Game Exploit


Finally some good news (and not fake) in regards to finding a working hack for the PSP-3000. A user-mode buffer overflow exploit was discovered by MaTiAz. He has found a vulnerability with-in the GripShift save game loading routine. What does this mean? This could be the stepping stone which will lead the way to full PSP-3000 hacks, homebrew and custom firmware. Lets hope this is another loop hole like GTA:LCS and Lumines was for the PSP-1000 back in 2005-6. (If you can remember back that far!)

Need proof its real? Just check the video above and no, its not another fake. This time its legit!

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0×08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.


Similar Posts:

  • Dick_Alex

    Rarely do some many numbnuts collect in a single thread. Thanks to the folks who are working on this.

    • Bonz

      looks like your just one more numnut on the thread… and me posting nothing relevant to the thread makes me one to


    psp blue tool does work….KINDA…If u have a psp 1K and use the magic memory stick with time machine and kd instaled on it…

  • Grim

    will we be able to play iso files because of this

    i mean has anyone come up with a code for that

  • k1ll4

    np noone come up with code

  • Grim

    well i guess soon they’ll be able to

    give me hope people
    i’ve been waiting four months with my 3000 for a CFW or atleast a way to play iso files

  • Dick_Crappnix

    I also got the 3000 because of the blue tool….so if anyone finds anything out post it here!:!.!:!:!:

  • Dick_Crappnix_SuCkS


  • Dick_Crappnix


  • Dick_Crappnix

    he’s my friend…

  • Moderator


  • Moderator-Is-Fake


  • Dark_AleX

    I’ve got it!
    We have to use the previous Exploit from lumines and do the exact same thing like with Grpshift.
    It doesn’t make it play ISOs or CSOs , but a lot of homebrew stuff.
    Sony 0 Dark_AleX 1

  • Fake-Alerts -.-


  • CyprioT BrO

    the gripshift exploit only leads to hen. hen is no cfw and is a user-mode exploit. not a kernal mode exploit which is what we want.

    the way to go it use wololo’s libtiff or “the laughing man.tiff” to inject code into the ram. gripshift may help us inject more code into the ram which could lead to a cfw.

  • xxwlolpsp

    hi i was jus wondering if this will work on psp 3000 and cant wait will it work and when that thing comes up that means its hacked?

    and after that what happens or what do you do>> anaswer please

  • CyprioT BrO

    no point to keep posting in this, there is a libtiff bug which has lead to an exploit and were most likely not going to use this exploit.

  • makemyday

    just wait for the stable hack,do we??

  • CyprioT BrO

    tomorro the hen will be released and no gripshift will be needed PARTEEEYY

    (although it may be the release day coming out tommorow but hu cares)

  • jack

    fuck you suck my pussy nigga

  • noob

    someone can help me please…. If I have a psp 3000 with 5.03…it’s a good thing or not ???

    • Bonz

      well you see that really depends, do you like having a psp 3000 with 5.03? if I had a psp 3000 with 5.03 i wouldn’t thing it was a good thing but i also wouldn’t buy a 3000 unless there was a way to mod it and there isn’t yet i mean there is chickHEN that can be used on a 3000 with 5.03 or any psp for that matter but it doesn’t allow you to run psp or ps1 games just homebrew and even then it is limited to homebrew that does not attempt to write to the kernel….

  • noob


  • iLovEtuRtleS

    sooooooooo……if i run the gripshift exploit, will i be able to play homebrew games and snes emulators and stuff on my psp? i have a psp 3001 5.01…..

  • iLovEtuRtleS

    sooooooooo……if i run the gripshift exploit, will i be able to play homebrew games and snes emulators and stuff on my psp? i have a psp 3001 5.01…..