First PSP-3000 Hack? GripShift Save Game Exploit


Finally some good news (and not fake) in regards to finding a working hack for the . A user-mode buffer overflow exploit was discovered by MaTiAz. He has found a vulnerability with-in the GripShift save game loading routine. What does this mean? This could be the stepping stone which will lead the way to full hacks, homebrew and custom firmware. Lets hope this is another loop hole like GTA:LCS and Lumines was for the PSP-1000 back in 2005-6. (If you can remember back that far!)

Need proof its real? Just check the video above and no, its not another fake. This time its legit!

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0×08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.


Similar Posts:

The following two tabs change content below.


  1. Dick_Alex says:

    Rarely do some many numbnuts collect in a single thread. Thanks to the folks who are working on this.

  2. PSP NOOBZ SUK says:

    psp blue tool does work….KINDA…If u have a psp 1K and use the magic memory stick with time machine and kd instaled on it…

  3. Grim says:

    will we be able to play iso files because of this

    i mean has anyone come up with a code for that

  4. k1ll4 says:

    np noone come up with code

  5. Grim says:

    well i guess soon they’ll be able to

    give me hope people
    i’ve been waiting four months with my 3000 for a CFW or atleast a way to play iso files

  6. Dick_Crappnix says:

    I also got the 3000 because of the blue tool….so if anyone finds anything out post it here!:!.!:!:!:

  7. Dick_Crappnix_SuCkS says:


  8. Dick_Crappnix says:


  9. Dick_Crappnix says:

    he’s my friend…

  10. Moderator says:


  11. Moderator-Is-Fake says:


  12. Dark_AleX says:

    I’ve got it!
    We have to use the previous Exploit from lumines and do the exact same thing like with Grpshift.
    It doesn’t make it play ISOs or CSOs , but a lot of homebrew stuff.
    Sony 0 Dark_AleX 1

  13. Fake-Alerts -.- says:


  14. CyprioT BrO says:

    the gripshift exploit only leads to hen. hen is no cfw and is a user-mode exploit. not a kernal mode exploit which is what we want.

    the way to go it use wololo’s libtiff or “the laughing man.tiff” to inject code into the ram. gripshift may help us inject more code into the ram which could lead to a cfw.

  15. xxwlolpsp says:

    hi i was jus wondering if this will work on psp 3000 and cant wait will it work and when that thing comes up that means its hacked?

    and after that what happens or what do you do>> anaswer please

  16. CyprioT BrO says:

    no point to keep posting in this, there is a libtiff bug which has lead to an exploit and were most likely not going to use this exploit.

  17. makemyday says:

    just wait for the stable hack,do we??

  18. CyprioT BrO says:

    tomorro the hen will be released and no gripshift will be needed PARTEEEYY

    (although it may be the release day coming out tommorow but hu cares)

  19. jack says:

    fuck you suck my pussy nigga

  20. noob says:

    someone can help me please…. If I have a psp 3000 with 5.03…it’s a good thing or not ???

    • Bonz says:

      well you see that really depends, do you like having a psp 3000 with 5.03? if I had a psp 3000 with 5.03 i wouldn’t thing it was a good thing but i also wouldn’t buy a 3000 unless there was a way to mod it and there isn’t yet i mean there is chickHEN that can be used on a 3000 with 5.03 or any psp for that matter but it doesn’t allow you to run psp or ps1 games just homebrew and even then it is limited to homebrew that does not attempt to write to the kernel….

  21. noob says:


  22. iLovEtuRtleS says:

    sooooooooo……if i run the gripshift exploit, will i be able to play homebrew games and snes emulators and stuff on my psp? i have a psp 3001 5.01…..

  23. iLovEtuRtleS says:

    sooooooooo……if i run the gripshift exploit, will i be able to play homebrew games and snes emulators and stuff on my psp? i have a psp 3001 5.01…..