Finally some good news (and not fake) in regards to finding a working hack for the PSP-3000. A user-mode buffer overflow exploit was discovered by MaTiAz. He has found a vulnerability within the GripShift save game loading routine. What does this mean? This could be the stepping stone which will lead the way to full PSP-3000 hacks, homebrew and custom firmware. Let's hope this is another loophole like GTA:LCS and Lumines were for the PSP-1000 back in 2005-6. (If you can remember back that far!)
Need proof it's real? Just check the video above and no, it's not another fake. This time it's legit!
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.
Source: Lan.st
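The quoted write-up gives enough layout detail to check a decrypted savegame for the overwrite it describes. The following scanner is an added example, not MaTiAz's PoC or any Savegame-Deemer code: it reads the word at the stated return-address offset (0xA9) of a plaintext SDDATA.BIN-form file and flags it when that word decodes to a PSP user-RAM address, which a genuine profile name never does. The user-RAM window and the sample files it builds are assumptions and constructed data, not taken from the post.

```python
import struct
from typing import Optional

# Offsets quoted in the PoC description above (decrypted SDDATA.BIN form as
# produced by Savegame-Deemer); they come from the post, not from measurement.
RA_OFFSET = 0xA9          # file offset of the word that overwrites $ra
PAYLOAD_OFFSET = 0xCC     # file offset where the PoC's code begins
POC_RA = 0x08E4CD50       # the return address the PoC uses
SAVE_SIZE = 25 * 1024     # the post describes the savegame as about 25 kB

# PSP user-mode RAM window (assumption: the standard PSP memory map, where a
# user-mode hijacked $ra would have to point).
USER_RAM_LO = 0x08800000
USER_RAM_HI = 0x0A000000


def read_ra(save: bytes) -> int:
    """Return the 32-bit word at RA_OFFSET, little-endian as on PSP MIPS.
    The offset is odd; that only matters for the file read, and struct
    handles an unaligned offset fine."""
    if len(save) < RA_OFFSET + 4:
        raise ValueError("file too short to be a GripShift savegame")
    return struct.unpack_from("<I", save, RA_OFFSET)[0]


def scan_savegame(save: bytes) -> dict:
    """Flag a decrypted savegame whose return-address slot lies in user RAM.
    A profile name is printable text, and any word whose top byte is
    printable ASCII (0x20..0x7E) is far above USER_RAM_HI, so ordinary
    names cannot trip this check; only an overflow that plants an address
    there can."""
    ra = read_ra(save)
    return {"ra": ra, "flagged": USER_RAM_LO <= ra < USER_RAM_HI}


def make_sample(ra: Optional[int] = None) -> bytes:
    """Constructed sample: a zero-filled 25 kB savegame. With ra given, the
    four bytes at RA_OFFSET are overwritten the way the PoC does; nothing
    is placed at PAYLOAD_OFFSET, so the sample only exercises the scanner."""
    buf = bytearray(SAVE_SIZE)
    if ra is not None:
        struct.pack_into("<I", buf, RA_OFFSET, ra)
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("clean", make_sample()), ("poc", make_sample(POC_RA))):
        print(label, scan_savegame(sample))
```

To check a real decrypted file, pass `open(path, "rb").read()` to `scan_savegame` instead of a constructed sample.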
February 28, 2009 at 7:14 pm
Rarely do so many numbnuts collect in a single thread. Thanks to the folks who are working on this.
February 28, 2009 at 11:38 pm
looks like you're just one more numbnut on the thread… and me posting nothing relevant to the thread makes me one too
March 11, 2009 at 1:48 am
psp blue tool does work….KINDA…If u have a psp 1K and use the magic memory stick with time machine and kd installed on it…
March 24, 2009 at 4:19 pm
will we be able to play iso files because of this
i mean has anyone come up with a code for that
March 24, 2009 at 7:38 pm
np no one come up with code
March 27, 2009 at 3:59 pm
well i guess soon they’ll be able to
give me hope people
i’ve been waiting four months with my 3000 for a CFW or at least a way to play iso files
March 28, 2009 at 1:36 am
I also got the 3000 because of the blue tool….so if anyone finds anything out post it here!:!.!:!:!:
March 28, 2009 at 1:37 am
what-a-noob
March 28, 2009 at 1:37 am
lol
March 28, 2009 at 1:38 am
he’s my friend…
March 28, 2009 at 1:39 am
SPAM ALERT! SPAM ALERT!
March 28, 2009 at 1:39 am
FAKE MODERATOR ALERT! FAKE MODERATOR ALERT!
March 28, 2009 at 1:42 am
I’ve got it!
We have to use the previous Exploit from lumines and do the exact same thing like with GripShift.
It doesn’t make it play ISOs or CSOs , but a lot of homebrew stuff.
Sony 0 Dark_AleX 1
March 28, 2009 at 1:45 am
FAKE ALERT!!!
March 28, 2009 at 6:51 am
the gripshift exploit only leads to hen. hen is no cfw and is a user-mode exploit. not a kernel mode exploit which is what we want.
the way to go is to use wololo’s libtiff or “the laughing man.tiff” to inject code into the ram. gripshift may help us inject more code into the ram which could lead to a cfw.
April 13, 2009 at 5:33 pm
hi i was just wondering if this will work on psp 3000 and cant wait will it work and when that thing comes up that means its hacked?
and after that what happens or what do you do>> answer please
April 14, 2009 at 12:34 am
no point to keep posting in this, there is a libtiff bug which has led to an exploit and we're most likely not going to use this exploit.
April 20, 2009 at 10:55 am
just wait for the stable hack,do we??
April 20, 2009 at 12:09 pm
tomorrow the hen will be released and no gripshift will be needed PARTEEEYY
(although it may be the release day coming out tomorrow but who cares)
May 11, 2009 at 11:38 pm
fuck you suck my pussy nigga
May 15, 2009 at 6:48 am
someone can help me please…. If I have a psp 3000 with 5.03…it’s a good thing or not ???
May 15, 2009 at 7:12 am
well you see that really depends, do you like having a psp 3000 with 5.03? if I had a psp 3000 with 5.03 i wouldn’t think it was a good thing but i also wouldn’t buy a 3000 unless there was a way to mod it and there isn’t yet i mean there is chickHEN that can be used on a 3000 with 5.03 or any psp for that matter but it doesn’t allow you to run psp or ps1 games just homebrew and even then it is limited to homebrew that does not attempt to write to the kernel….
May 15, 2009 at 6:49 am
please
June 8, 2009 at 5:25 am
sooooooooo……if i run the gripshift exploit, will i be able to play homebrew games and snes emulators and stuff on my psp? i have a psp 3001 5.01…..