
PSP Firmware Hacks

Started by ak03 at 06-27-2006 5:34 PM. Topic has 2 replies.

06-27-2006, 5:34 PM
ak03 (Joined on 06-09-2006, Posts 126)
2.5 and 2.6 kernel mode

Breaking News: 2.60 Firmware Exploit Found - Kernel Access!

Kernel Mode Unlocked


Break out your calendars folks, because this may be a day that you want to mark as a pivotal day in the history of PSP homebrew. A developer known as hitchhikr of "hitchhikr SoftWorks" and coder companion Neural has come out with a Proof of Concept of a 2.50/2.60 Firmware Exploit! Once implemented and fine tuned for "normal user" use, this will bring 2.50 and 2.60 Firmware up to the same homebrew capability that 1.50 PSP owners enjoy with FULL kernel mode access - although Grand Theft Auto: Liberty City Stories will still be required, just like with eLoader.

Speaking of eLoader, Fanjita is already working with hitchhikr on incorporating this new exploit into an easily executable means via eLoader. After a brief chat with Fanjita, he's told us that you can expect some generic application for developers to hopefully be released in the next 24 hours. It will take a bit longer before something useable for non-devs will be released.

The exploit takes advantage of an added security check in 2.50/2.60 Firmware for sceKernelLoadExec, which is responsible for loading EBOOTs, but Sony also accidentally added an overflow bug, which means this exploit will not work with 2.0 and 2.01 Firmware.

Below you will find a download of hitchhikr's & Neural's Proof of Concept - this is not intended for the casual user. It creates dump files containing kernel memory dumps in the root of the memstick (boot.bin, kmem.bin, klib.bin). It also creates writeaccess.bin which contains just the hex (12 34 56 78) to prove that kmem CAN be written to.

But don't start upgrading those PSPs yet until a viable means of implementation is released! Also, this breakthrough does not open up the possibility of a downgrader, due to the protection in the IPL in 2.50+ firmware. Speculation has already begun, though, that this will open the door to decrypting 2.70+ Firmware, allowing it to be emulated à la Devhook.

Download: [2.60 Firmware Exploit - Proof of Concept]

source: http://pspupdates.qj.net/


06-28-2006, 1:09 PM
ak03
Re: 2.5 and 2.6 now able to run like they have firmware 1.5
UPDATE #1: Fanjita has released the "source" of his work so far today on this newly discovered exploit. If you would like to take a look at it and continue investigating where he left off for today, have a look!
Only for v2.5 / v2.6.

Based on Proof of Concept code by Hitchhikr / Neural.

Function : Attempts to load ms0:/kernel.elf using sceLoadModule/sceStartModule when in kernel mode, after writing a NOP to 0x8801A5B4.

Diags: Writes a log of operations to ms0:/GTALOG.TXT.
If LoadModule fails, writes the error code to ms0:/failload.trc.
If StartModule fails, writes the error code to ms0:/failstart.trc.
Check out the included readme for more info! (Thanks for the tip, gangsta_psp!)

Download: [Fanjita's Exploit Source - Day 1]
06-28-2006, 1:11 PM
ak03
Re: 2.5 and 2.6 now able to run like they have firmware 1.5
Update #2: Fanjita has taken a moment to respond to some of the many questions being asked in our forums regarding the update above and his "source":

Rumour clear-up time: this was posted in the pspdev IRC, so that people who know what they're doing can play with it if they want. I don't mind it being spread around, but if you don't understand how sceKernelLoad* apply security checks, then it's probably not for you.

It's work-in-progress, it's not an eLoader beta, it's just a more convenient way of experimenting with the exploit (maybe), and also an effort to test some in-RAM hacks to remove some security checks.

It doesn't seem to work at the moment, and the main thing that needs to be done is to investigate why - presumably, there's a problem with the format of the ELFs being loaded.

Kernel.elf is just an arbitrary ELF - nothing I've tried so far has worked, feel free to try your own.

The source that's given is just the source of the function that's attempting to do stuff with the exploit - it doesn't show any of the exploit code, and is not a complete app in its own right.

He also went on to say that the main focus right now is to replicate "nokxploit functionality", making 2.50/2.60 PSPs behave the same way that 1.0 PSPs do with regard to homebrew. He says that a "kernel eLoader" would be possible but more cumbersome than a nokxploit approach.