http://www.psp-hacks.com/forums/viewtopic.php?t=12526
This was done by PSP250, from the page that's on top.
I tried to summarize what I gathered from various sites about the status of 2.0+ FW hacks.
Looking forward to CONSTRUCTIVE comments.
This info is listed here in order to possibly make some progress and share what people know.
Latest Status:
FW 2.00 - TIFF Exploit / Downgrader available / Limited homebrew
FW 2.01 - GTA Savegame exploit / No downgrader / No homebrew
FW 2.50 - GTA Savegame exploit / No downgrader / No homebrew
FW 2.60 - No exploit / No downgrader / No homebrew
Found Vulnerabilities:
- Browser historyv.dat Heap Overflow (2.0-2.5)
- libungif memory write access (2.0-2.5)
http://www.sukimashita.com/temp/bad-24.gif
(Immediate crash due to segfault)
http://www.sukimashita.com/temp/bad-17.gif
(Same technique but different memory location overwritten, watch thumb with corrupt pixels after reboot)
- GTA savegame buffer overflow (2.0-2.5)
- Wipeout savegame buffer overflow (2.0-?)
Approaches:
- Run code using buffer overflow
- Sign/encrypt homebrew app and make the psp run it
(- Alter 1.50 FW to be pseudo 2.51 update and run it; does not work, encryption problem and 2nd version check within psar)
DISCARDED - Find private encryption key for signing homebrew (takes too long)
Buffer Overflow
Some flaw in the code enables injection of code in order to execute bytecode.
Possible Weakness List 2.5 FW:
SAFE = Not vulnerable/No known exploit
???? = Untested on 2.5 FW
VULN = Vulnerable
SAFE - Bookmark File, String lengths in Attributes / URIs
VULN - Browser History Files
???? - LIBMPEG PSMF, libmpeg/PMF exploits (custom sony lib)
???? - Video Play, use wrong picture/frame info/size in videos to cause an overflow
SAFE - zlib 1.2.3, http://www.zlib.org/
SAFE - libpng version 1.2.8, http://www.libpng.org/
SAFE - Netfront Browser uses libpng 1.2.6
SAFE - libtiff
???? - Abuse proc:// scheme
VULN - libungif
???? - Wipeout "Ghost" Savegame Exploit
VULN - GTA Savegame Buffer Overflow
???? - MP4 Video Overflow (So far only reported to work on 2.0 FW max)
... your ideas?
Features to research for possible flaws:
- Pictures: Overflow in Image routines (TIFF, PNG, GIF, BMP, JPG, ...)
- Music: Overflow in Audio routines (MP3, AT3, WAV, ...)
- Movie: Overflow in Movie routines (MP4, ...)
- Game: Run unsigned code/modify signed code to cause overflow/modify updaters
- Game-Sharing Feature
- Netfront Browser: Find exploit within browser
- Savegames: Find exploit in savegame loading routines
- LocationFree System
Last edited by PSP250 on Wed Nov 30, 2005 2:37 pm; edited 13 times in total