PSP exploits and the Vita: how hacking PSP Minis became relevant

December 20th, 2012, 00:50 Posted By: wraggster

via http://wololo.net/2012/12/18/psp-exp...came-relevant/

Software usermode exploits on the PSP have always been either about exploits in a game (generally a buffer overflow), or exploits in one of the embedded libraries such as libtiff. Exploits in games had the inconvenience that it often meant buying an expensive game that you might not end up really playing, but sometimes it was well worth it. The overall idea was to make sure to buy a copy of the game that didn’t have a patch for the security hole (in hindsight, the games were actually not patched, their metadata was just slightly modified to require a higher version of the Firmware, and the firmware is where the patch was). As long as you didn’t update your firmware and were able to buy one of the “golden” UMDs somewhere, you would be able to enjoy a HEN, a downgrade, or a CFW.





That system had its drawbacks, mostly the insane price of the UMDs for some of those games (unpatched copies of GTA Liberty City Stories reached up to 20,000Y – that’s $250 – in Japan), but other than that it was a pretty good way to get exploits.

Then came the PSP Go, with its concept of “all digital” purchases. UMDs were gone, and if an exploit was found in a game, it would have been easy for Sony to remove the game from the PSN, patch the firmware, and put the game back on the store afterwards (as we’ve seen, this is what they do nowadays with VHBL or CEF for the Vita, which is why we came up with the concept of Ninja releases).

The PSP Go suddenly made Game exploits much less attractive. What would be the point of releasing an exploit that all new PSP Go owners would not be able to use? This is something I myself mentioned several times on this blog back in the days.

There was still, however, one loophole in this system, which was the PSP Demos. It had seemed a good idea a while ago that PSP Demos should be distributed not by Sony only, but by other websites promoting the PSP. Therefore, Demos were signed in a way that allowed anybody to redistribute them, without having to go through the PSN. This is why the first hack publicly available for the PSP go was an exploit in the Demo of Patapon2, which was later followed by similar exploits such as the Japanese demo of Minna no sukkiri. These demos had the double benefit of being free and not requiring a PSN connection, which meant no forced update for PSP Go owners, so everyone was happy.

Of course, there’s not an infinite amount of Demos with such vulnerabilities, but that became quickly irrelevant as better hacks ended up being found for the PSP, in particular the possibility to sign content for it, which removed the need for usermode exploits.

Usermode exploits in PSP games are easy to find and implement nowadays (see the guide here), and experience shows us that lots of psp games are vulnerable to simple buffer overflow attacks. But the PSP Go digital model, and, more importantly, the Vita today (where all PSP purchases are – obviously – digital, and the few psp demos there all need to be downloaded through the PSN) made that type of attack quite irrelevant. In the end, buying expensive PSP games, just for a hack that will end up being patched in next firmware, might seem quite pointless to some of us.

There are 0 comments - Join In and Discuss Here