Page 1 of 4 (Results 1 to 10 of 35)

Thread: Libtiff Exploit Found in Firmware 4.20 for PSP3000 Owners?

  1. #1
    wraggster (Won Hung Lo)
    Join Date
    Apr 2003
    Location
    Nottingham, England
    Age
    52
    Posts
    139,568
    Blog Entries
    3209
    Rep Power
    50

    Libtiff Exploit Found in Firmware 4.20 for PSP3000 Owners?

    Check out this video and discuss if legit:


  2. #2

    This is true, just not that video.

    Quote Originally Posted by MaTiAz
    So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009

    GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra.
    The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ).
    The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

    It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
    Video POC on PSP 3000 via FreePlay.

    I'm keeping the source link out, because they wouldn't be happy with non-devs flooding the forums.



    So, go buy GripShift now, if this gets fully worked out. You never know
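
As an added, defender-side illustration (not code from the quoted post, from MaTiAz, or from any PSP tool), the script below scans a plaintext SDDATA.BIN dump for the two indicators the quoted post describes: a little-endian 32-bit value at file offset 0xA9 that decodes to a PSP user-RAM address, and non-text bytes from offset 0xCC onward. The offsets, the 25 kB size and the 0x08E4CD50 value come from the quoted post; the PSP user-RAM window and the profile-name location are my assumptions, and both sample buffers are constructed test data.

```python
import struct
from typing import Dict

# Values from the quoted post: where the overwritten return address and the
# payload sit in the decrypted SDDATA.BIN, and the approximate file size.
RA_OFFSET = 0xA9
CODE_OFFSET = 0xCC
EXPECTED_SIZE = 25 * 1024

# Assumed PSP user-mode RAM window (kernel memory lives at 0x88000000 and up).
USER_RAM_LO, USER_RAM_HI = 0x08800000, 0x0A000000


def looks_like_user_pointer(word: int) -> bool:
    """True if a 32-bit value falls inside the assumed user-mode RAM window."""
    return USER_RAM_LO <= word < USER_RAM_HI


def scan_savegame(data: bytes) -> Dict[str, object]:
    """Report indicators that a plaintext save carries the GripShift $ra overwrite."""
    report: Dict[str, object] = {"size_ok": abs(len(data) - EXPECTED_SIZE) < 2048}
    if len(data) < CODE_OFFSET + 4:
        report.update(ra_is_pointer=False, payload_bytes=0, suspicious=False)
        return report
    # PSP is little-endian MIPS, so the saved return address is stored LSB first.
    ra = struct.unpack_from("<I", data, RA_OFFSET)[0]
    report["ra_value"] = ra
    report["ra_is_pointer"] = looks_like_user_pointer(ra)
    # A legitimate profile name is printable text; machine code mostly is not.
    tail = data[CODE_OFFSET:CODE_OFFSET + 256]
    non_text = sum(1 for b in tail if not (0x20 <= b < 0x7F or b == 0))
    report["payload_bytes"] = non_text
    report["suspicious"] = bool(report["ra_is_pointer"] and non_text > 16)
    return report


def make_sample(exploit: bool) -> bytes:
    """Constructed test data: a zero-filled 25 kB save with an ASCII profile name."""
    buf = bytearray(EXPECTED_SIZE)
    buf[0x80:0x86] = b"Player"  # assumed profile-name field, ahead of the $ra slot
    if exploit:
        struct.pack_into("<I", buf, RA_OFFSET, 0x08E4CD50)  # value quoted in the post
        buf[CODE_OFFSET:CODE_OFFSET + 64] = bytes(range(0x80, 0xC0))  # non-text filler
    return bytes(buf)


if __name__ == "__main__":
    for flag in (False, True):
        print("exploit" if flag else "benign", scan_savegame(make_sample(flag)))
```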

  3. #3
    DCEmu Rookie
    Join Date
    Jul 2005
    Posts
    167
    Rep Power
    69

    Dude!!! I resent that comment about Gripshift being one of the worst games. It has always been one of my favourite games for PSP!

    **** that dude, I hope his exploit never works!

  4. #4
    newb_fo_life (DCEmu Regular)
    Join Date
    Aug 2007
    Location
    Dublin
    Posts
    271
    Rep Power
    0

    Wow this is great news for the psp 3000

  5. #5
    DCEmu Newbie
    Join Date
    Jan 2006
    Posts
    16
    Rep Power
    0

    Good and bad this is...

    Good for the homebrew scene, but not for Sony. If this leads to this machine being cracked open, then we will all lose out, because no developers will bother releasing any new AAA titles, knowing that they are just going to be copied as .ISOs for free on custom firmwares.

  6. #6
    DCEmu Newbie
    Join Date
    Apr 2007
    Posts
    21
    Rep Power
    0

    2 different exploits

    @tinman: The libtiff vulnerability and the GripShift exploit are two different things.

    I can say the libtiff thing is legit (since I'm the one who created the files), although not very useful. You can see my posts here: http://lan.st/showthread.php?t=1856

    I'm pretty sure the GripShift thing is real (the people who created/confirmed it are trusty sources), and definitely more promising than my libtiff finding.

  7. #7

    Quote Originally Posted by tinman View Post
    This is true, just not that video.

    Video POC on PSP 3000 via FreePlay.

    I'm keeping the source link out, because they wouldn't be happy with non-devs flooding the forums.

    So, go buy GripShift now, if this gets fully worked out. You never know

    Yeah, I read that on the PSPUPDATES.com webpage this morning. I immediately sent an email to Sony to tell them about it, and they should keep an eye on this new exploit. I really don't want to see the PSP 3000 hacked, leading to more piracy.

  8. #8

    No offense guys (and I seriously don't want to start a flame war).

    I think an image just crashing won't prove anything, but if it crashes and then something like a hello world pops up, that's a whole different story (and we have to take into account that, even if this works, you might only have user-level access, not kernel-level access, which you need for hacking or replacing the firmware).

    Again, I don't want to start a flame war, but to me, this was useless.

    About GripShift... Never played it nor care (doesn't make a difference to me), but if by any chance there is an exploit found, it happens.

    Sooner or later pirates find their way to hack the console.

    Deal with it.

  9. #9
    mike_jmg (DCEmu Legend)
    Join Date
    Jun 2006
    Location
    The Darkest depts of Hades
    Age
    40
    Posts
    2,099
    Rep Power
    0

    This is kind of exciting, yet kind of sad.

    It's good to see people still trying and working for the homebrew scene, but at the same time it's very sad that this might kill the platform for good, as happened to the Dreamcast. The only part-good thing is that there are a bunch of AAA titles already on their way.

    Either way, I'll go hunting for a GripShift UMD.

  10. #10
    Buddy4point0 (DCEmu Legend)
    Join Date
    May 2006
    Location
    The Lounge Awesomeness: 1337
    Age
    32
    Posts
    4,026
    Rep Power
    135

    This looks extremely promising.
    There are also downloads on QJ for any developers who want to try and make a hello world or anything like that.
