First PSP-3000 Hack? GripShift Save Game Exploit

Sunday, January 4th, 2009

Finally some good news (and not fake) in regards to finding a working hack for the PSP-3000. A user-mode buffer overflow exploit was discovered by MaTiAz. He has found a vulnerability with-in the GripShift save game loading routine. What does this mean? This could be the stepping stone which will lead the way to full PSP-3000 hacks, homebrew and custom firmware. Lets hope this is another loop hole like GTA:LCS and Lumines was for the PSP-1000 back in 2005-6. (If you can remember back that far!)

Need proof its real? Just check the video above and no, its not another fake. This time its legit!

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0×08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.

Source: Lan.st

Similar Posts:

VHBL round two, Game name to be released soon *Updated*

Tags: GripShift SaveGame Exploit, psp 3000 hack, psp 3000 hacks, PSP-3000

Posted in PSP News

http://pspslimhacks.com/ PSP-Fan

Could be time to buy gripshift if you have psp-3000?

http://gamespot.com jack

suck my dick bitch nigga fuck you ass and your fuckn mama

ragnarok01

mmm what does the screen mean when its changing the colors like that????????????
http://pspslimhacks.com/ PSP-Fan

It means its hacked.
http://youtube.com/puntymario puntymario

Whoa this is odd well good thing I have the game. though why I have it I have no idea
Enk

So, Now what!
Znupi

Oh man oh man I hope it works for TA88v3 PSP-200s!!!
Znupi

I meant PSP-2000s :\

Mimeblade

Yes! The sooner the better!

otto888

me too. I lost my pandora battery and I updated to 5.00 OFW >.>
navpreet

hey guys. jus got my psp 3000 for christmas. i no wondering i no how to hack the psp 3000. theres a website u have to download a save file. then u have to put the gripshift game in then start the game. then jus press x.
Valho

man i really hope this works for the psp 2000s

Bonz

it does

naruto

I saw this on PSP-hacks and discarded it right away. But then I thought about the Lumines/GTA exploits and changed my mind. Possible CFW installation via save game loading (mabye)?
http://f6y.ath.cx/ FreePlay

Never discard an exploit.
kengil

help me !!!
i have psp 2000 have board TA88v3
when my psp lowbat and i recharge
there is somthing wrong becuz
when i look in games> save utility>
there are corrupted so.. what that corrupted
navpreet

hey guys. can some 1 tell me how to use save game deemer. and to install it. thanks.
random person

the light blue battery pack wil becoming soon it’s mean for hacking the PSP-3000 & possibly the TA88
naruto

The blue battery is already out. It cant hack it because Dax still hasnt got the 2 functions yet on the PSP 3000. Datel relys on Dax too much, which is why the Blue battery pack failed.

Thrawn

Datel Lite Blue Tool is a Fake!!! It only turn on the green light but didn’t let you use Service Mode and thus no access to the kernel mode is allowed… Check the Datel Website, they changed the description of this product: “for psp 2000 like a pandora battery and just a normal replacement battery for PSP3000″ but they just sell a lot of this damn thing before stating this useless nonworking tool…

ImpStizzi

being sony seen this happen before, wouldnt they act quicker into trying to prevent the psp-3000 from being able to get homebrew on it ? and if so do they know when this would be ?
im thinking this event occurs when its all over youtube that someone is running an homebrew program on da 3000. but it might be sooner,im just curious.
ImpStizzi

**do they (hackers) know when this would be ?^
Yamileth

Just a quick question…. So should we go buy GripShift or will it not be needed later?
Jeff

Buy it. Ebay is the only place that has them now. It will be hacked soon using GripShift.
jon

I have a psp-3000 and gripshift so if I make a new savefile with the name this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa with 57 a it can make that i have a cfw on my psp and play iso s right?
http://www.balonbay.com FR350Z

Well, hopefully they can do this with another game also, like the Rachet and Clank game that comes with it.

Because Gripshift was released 3 years ago, finding it would be pretty hard.
Trendy Hendy

OK, so this means it’s hacked? I’m confused. Does it mean, if you have the crappy Gripshift game, DAX could make CFW Installer code in the savegame folder, and voila?

Pleez some reassurance.

Thrawn

It is just an hack that permit the execution of arbitrary code, a long step on in the hard battle for CFW but it is still a usermode hack so it not permit writing none tot the flash and so it cannot allow to flash custom fw… But is a good news cause the savegame is 25kb and permit a long piece of code to be executed maybe DAX or someone else may find a way to use this for swapping in Kernel mode!!!
Let’s Wait Guys!!!

R3MNR4NTV4R1BLE

This gripshift ordeal is an exploit which means its a step in the right direction, as for finding a umd will be another story
gurbz

New layout? I clicked my bookmark and when I got here I was all like. “Damn I hate it when i click the wrong bookmark.”
Thanos

Do anyone knows if finally psp-3000 will be hacked??i mean if there will be a guide how to hack the psp-3000 for us that we dont know about hacks..
navpreet

hey guys i no another place , to buy the gripshift umd. go on game.co.uk for people who live in the uk. or use amazon.com amazon have it i checked. in game it cost £3.90. and from amazon it £10. or $10.lol
can’t remember. but hope it helps
http://www.dark-alex.org maikel

el camino es largo , y hay ke dar tiempo , en el juego passport to paris , se esta observando un posible bug , y la gente esta buscando todo tipos de errores en los juegos para sacar adelante los diferentes equipos con las diferentes placas .

un saludo desde españa y esperemos ke de un modo u otro , podamos escoger algun dia que firmware poner a nuestra consola pues ni mas ni menos , si en un ordenador podemos poner windows , linux , apple , ectt , porque no poder poner diferentes software a nuestras psp ,o custom firmware , es una opcion ke creo ke de algun modo tenemos derechos a decidir con ke sistema de trabajo podemos educar a nuestra maquina psp .

las leyes de mi pais dejan poder tener una copia por cada original y sin embargo yo no puedo tener la mia en esta maquina por motivos de seguridad antipirateria , cuando tengo un duplicado de mis cd de musica o peliculas ke ademas puedo ver en mi psp . incomprensible

p.d. la esperanza es lo ultimo que se pierde .

2009 mvisions programmer
mike

does this allow iso files to be played???

http://pspslimhacks.com/ PSP-Fan

Its doesn’t yet. But it could lead to a discovery that might just let you do that.

Pingback: Team N00bz join Sparta Exploit Team, PSP Hacks - PSP Slim Hacks
CyprioT BrO

All the best 4 da people who are working hard for cfw on the 3000… i used to have a 1000 but never had cfw coz i was scared of hacking it although it wasn’t untill i sold the 1000 for the 3000 that i found out it would be practically risk free… I’M SO LUCKY COZ I HAVE GRIPTSHIFT (which i almost sold coz i hated it so much {called it grips***t} but i hung onto it )

Donatello101

Its sh** All Right But Its A good smelling sh**

Pubslished

First of all, I would like to thank FreePlay and MaTiAz. Thumbs up for you guys. And all the best.

I have a PSP 3000 myself and hoping you guys to hack it.

I’m sure that there’s more games out there not only GripShift can be exploited. So people that cannot find a copy of one don’t worry because some great hacker would find a new game that can be exploited.

Have a nice day everyone!
Near Rivers

hay hay peeps im a bit of a noob to the psp i brought the psp 3000 day before yesterday

i also brought rachet and clank size dont matter soo can the thing on gripshift be the same on rachet and clank if so how lmao
Dark_Alex

Expect the release of the new downgrader for PSP 3000 in Jan. 19th.

Have a good day guys.

aceozzy

Is it true that you can downgrade 3000 with datel blue?

CyprioT BrO

nope. and at this fake Dark_Alex there will only be a downgrader for idiots who upgraded to 5.03+ before getting the psp hacked

Almed22

hi guys, uhmmm… you know Dark_AleX is really pissed of cuz of his impersonators. so please stop, and FYI its pretty obvious on the icons you have ) i’m just sayi’n
Publsihed

Yeah, what’s up with the people impersonating here? That’s stupid y’know.
Danny

f***!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!I traded in my friggin’ gripshift!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! This is a crapload of ass
You stupid

Hey its not our fault don’t come here shouting you idiot
Danny

sorry. who knew that the worst racing game on the psp would be integral to the future of the homebrew community?
Nicholas

is it true will there be a downgrader out on the 19th???
smeeisme

“Pre-announcements aren’t normally the Noobz way, but in this case it seemed worthwhile to let people know, in case anyone was thinking of doing similar work. We won’t predict timescales, especially as everyone is very busy at the moment and there’s a fair amount of work to be done – so please don’t ask.”
“Written by Fanjita Wednesday, 07 January 2009″
Taken from the N00bz website
INDIAN

please help me to hack PSP 3000 by GRIPSHIFT method[i have the game but dont know the procedure]please tell me in steps,please ,please,please

my email_id: mangalore20@gmail.com

once again please

CyprioT BrO

the psp 3000 can’t be hacked yet, simply this exploit has been used to run a few homebrew games and a homebrew enabler with iso compatiblility(5.02HEN-a [currently unreleased for reasons which if you email me on jaspg@hotmail.comi will explain]).

Pingback: PSP Firmware 5.03 Released. Giftshift patch?, PSP Hacks - PSP Slim Hacks
Beebop

If you want a cheap copy of Gripshift US then read on…

if you go here http://www.gamestop.com/Catalog/ProductDetails.aspx?Product_ID=39575

You can see that gamestop is sold out online, but if you use the search feature many stores, especially in smaller cities, still have several used copies for 7.99! I called the local gamestop last night and the site was correct, they had a copy so I reserved it. I will also buy any other copies they have. This works as of 1/22/09 but move fast, I’m sure before long gamestop employees will be buying up the copies that are still available.

Hopefully some of you find this usefull.

Beebop West
namehere

do not update your PSP to 5.03 !!!!!

Sony already have closed this bug in that OFW !!!!!!!!!!!

CyprioT BrO

that was already said…

ram

i hav a gripshift us version..
can ny 1 please tell me that whether to enable hen-a which version of gripshift will be needed—us or uk?

CyprioT BrO

both can be used although the hen has not been released yet due to important reasons.

http://www.billwales.com Bonz

ya like sony not being able to patch the exploit out cause they have nothing to work with yet
CyprioT BrO

not really. sony has already patched this exploit in 5.03 although the hen hasn’t been released because gripshift is just a way to get to the accual exploit. if they release the hen without finding anouther loophole sony would just patch that exploit and then unless your on 4.20-5.02 firmware people won’t be able to install cfw.
http://www.billwales.com Bonz

i’m sure i read that on psp gen but meh
CyprioT BrO

@bonz, thats where i got that from
http://www.billwales.com Bonz

gripshif like you said is just a way to get to the second exploit there is no other way right now the reason they are not releasing it is cause they don’t want sony to patch there way out of the 2nd exploit so like i said and i quote “ya like sony not being able to patch the exploit out cause they have nothing to work with yet“

ram

i hav a gripshift us version..
can ny 1 please tell me that whether to enable hen-a which version of gripshift will be needed—us or uk?
please

http://www.billwales.com Bonz

it doesn’t matter but the software to do it has not been released yet

Pingback: PSP 3000 HEN Info - E4G
http://www.myspace.com/tjb2009 Tha timster

THE PSP HAS BEEN HACKED IT WILL RUN HOMEBREW READ THIS!!!!
GripShift savegame exploit Hello World + Sparta SDK – Exploit Works on PSP 3000
Posted By: wraggster
Matiaz: has today released the Hello World of his exploit for the PSP which opens up Homebrew for all Consoles and expecially for those Homebrew Starved on PSP3000 consoles.

Heres a video of the exploit:

Ok, binary loader, hello world and SDK finished, get it here. Read the readme for the imporant stuff.
It’s encrypted and works on the US version only.
Get the SDK here.

Old post for nostalgia:

Quote:
So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009

GripShift has buffer overflow vulnerability when loading game saves. The savegame contains the profile name which can be easily used to overwrite.
The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running).
The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.

Credits go to those who deserve them.

Hello World on PSP FW 1.52-5.02
the Spartaaaaaaaaaaaaaaaaaaaa!!! Exploit

by MaTiAz & FreePlay

Instructions
————
1. Copy the contents of MS_ROOT into the root of your memory stick.
(This will overwrite the first GripShift savegame slot).
2. Launch the US version of GripShift.
3. Load up the game (if it doesn’t autoload).
4. See your PSP run unsigned code.

It’ll autoexit after some time. You can use the home button to exit too if
you’ve seen enough.

FAQ
—
Q: Will this allow downgrading?
A: No, because this is an usermode exploit and functions required to downgrade are
only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with
“this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa”.

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay’s GS SDK: http://f6y.ath.cx/pspdev/sparta_sdk.zip
It has some constraints though, check the readme.
The Hello World was written with it.

Credits
——-
Exploit and binary loader: MaTiAz
SDK: FreePlay
Greets go to Dark_AleX, Mathieulh, jas0nuk, Hellcat, etc. etc. etc, you know.
GripShift savegame exploit Hello World + Sparta SDK – Exploit Works on PSP 3000
Posted By: wraggster
Matiaz: has today released the Hello World of his exploit for the PSP which opens up Homebrew for all Consoles and expecially for those Homebrew Starved on PSP3000 consoles.

Heres a video of the exploit:

Ok, binary loader, hello world and SDK finished, get it here. Read the readme for the imporant stuff.
It’s encrypted and works on the US version only.
Get the SDK here.

Old post for nostalgia:

Quote:
So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009

GripShift has buffer overflow vulnerability when loading game saves. The savegame contains the profile name which can be easily used to overwrite.
The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running).
The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.

Credits go to those who deserve them.

Hello World on PSP FW 1.52-5.02
the Spartaaaaaaaaaaaaaaaaaaaa!!! Exploit

by MaTiAz & FreePlay

Instructions
————
1. Copy the contents of MS_ROOT into the root of your memory stick.
(This will overwrite the first GripShift savegame slot).
2. Launch the US version of GripShift.
3. Load up the game (if it doesn’t autoload).
4. See your PSP run unsigned code.

It’ll autoexit after some time. You can use the home button to exit too if
you’ve seen enough.

FAQ
—
Q: Will this allow downgrading?
A: No, because this is an usermode exploit and functions required to downgrade are
only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with
“this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa”.

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay’s GS SDK: http://f6y.ath.cx/pspdev/sparta_sdk.zip
It has some constraints though, check the readme.
The Hello World was written with it.

Credits
——-
Exploit and binary loader: MaTiAz
SDK: FreePlay
Greets go to Dark_AleX, Mathieulh, jas0nuk, Hellcat, etc. etc. etc, you know.

Bonz

NO SHIT MAN! that is what the top post is all about your just posting old info

CyprioT BrO

aw you beat me to it

BANANA MAN

hey… where can i download that gripshift program?? and does it need a down grader?

Bonz

it is not a downgrader and this HEN is not available for download that way Sony doesn’t patch out of it till there is a way to make a downgrader
CyprioT BrO

gripshift is not a program, it is a UMD and as long as u don’t have firmware 5.03 you will not need a downgrader

http://www.billwales.com Bonz

actually this will lead to a downgrader but nothing can be done right now as none of these files have been released

http://gamespot.com jack

fuck you dick apple

First PSP-3000 Hack? GripShift Save Game Exploit

Similar Posts:

Recent Posts

Categories

Friends

Our Network Sites

Links