Possible 2.5 Exploit?

**adoken** · November 14th, 2005, 11:59

I saw some news on pspspot mentioning a 2.5 exploit tought i'd share it
Here it goes:

The guys over at **********.com are doing coverage on this new 2.50, "Tiff" overflow exploit, this is what they had to say..

We’ve gotten about 20 emails from users claiming that a new TIF overflow has been created for PSP firmware version 2.50. Basically, it claims to freeze up the PSP when run, just like the original overflow exploit for 2.00 did. A similar exploit was found in the 2.00 firmware, which was used to create the MPH 2.00 -> 1.50 downgrader.

We do not have a fv2.50 PSP here at QJ, and even if we did we’d be hesitant to try such a file without the creator stepping forward and giving us more information (email us!). We weren’t going to put this up, but we figured there would be people out there that would want to hear about it. If it’s true, then great. If not, then oh well, no loss.

OK to end fear of the Exploit Here are the inner workings

Tradional PBP and SAVEGAME Layout
-ULUS100xxxx or EBOOT
--Param.SFO (tells how the psp handles the file: e.g. title - update ver. 2.51)
--icon0.PNG (icon)
--icon1.PMF (almost like a short movie clip <500kb
--pic1.PNG (background for pile that appears when you look at the file)
--SND0 (background sound-not in most saves or EBOOTs)
--Data file/data.psp (name vary depending on game saves...data.psp is the name when in eboots)
--Data.psar(only in eboots)

Well my Exploit contains...
--Param.SFO (tells how the psp handles the file: e.g. title - update ver. 2.51)
--icon0.PNG (icon-overflow.tif)
--icon1.PMF (blank PMF found in iso rip kits)
--pic1.PNG (background for file-framebuffer)
--SND0.AT3 ( small randow sound clip)
--Data file/data.psp (from v1.5)
--Data.psar(from v1.5)
and...
--Pic0.PNG (overflow.tif)

My Original Idea For The Exploit
1)the icon0 would be set to the overflow.tif
2)pic1 the framebuffer image
3)the 2 data files as 1.50s data files
4)SND0.AT3 a music file >20mb
5)ICON1 the blank pmf found in iso rip kits
6)Param file set to be read as updater version 2.51
7)pic0 overflow.tif resized to 272x480

Only one thing from my original blueprint wasn't used : the AT3 file is 5kb

How This Works
This works by overloading the psp audio with a glitch sound, and overloading the image handler with overflow.tif, thus in conjuction overriding the TIF patch.

Source: PSPSPOT.COM