GripShift savegame ex ...

January 4th, 2009, 23:11 Posted By: wraggster

Matiaz: has today released the Hello World of his exploit for the PSP which opens up Homebrew for all Consoles and expecially for those Homebrew Starved on PSP3000 consoles.

Heres a video of the exploit:

Ok, binary loader, hello world and SDK finished, get it here. Read the readme for the imporant stuff.
It's encrypted and works on the US version only.
Get the SDK here.

Old post for nostalgia:

Quote:
So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite .
The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ).
The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

Credits go to those who deserve them.

Hello World on PSP FW 1.52-5.02
The Spartaaaaaaaaaaaaaaaaaaaa!!! Exploit

by MaTiAz & FreePlay

Instructions
------------
1. Copy the contents of MS_ROOT into the root of your memory stick.
(This will overwrite the first GripShift savegame slot).
2. Launch the US version of GripShift.
3. Load up the game (if it doesn't autoload).
4. See your PSP run unsigned code.

It'll autoexit after some time. You can use the home button to exit too if
you've seen enough.

FAQ
---
Q: Will this allow downgrading?
A: No, because this is an usermode exploit and functions required to downgrade are
only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with
"this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa".

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay's GS SDK: http://f6y.ath.cx/pspdev/sparta_sdk.zip
It has some constraints though, check the readme.
The Hello World was written with it.

Credits
-------
Exploit and binary loader: MaTiAz
SDK: FreePlay
Greets go to Dark_AleX, Mathieulh, jas0nuk, Hellcat, etc. etc. etc, you know.