Page 1 of 2 (results 1 to 10 of 13)

Thread: GripShift savegame exploit Hello World + Sparta SDK - Exploit Works on PSP 3000

  1. #1 wraggster (Won Hung Lo)


    Matiaz has today released the Hello World of his exploit for the PSP, which opens up homebrew for all consoles and especially for those homebrew-starved PSP 3000 consoles.

    Here's a video of the exploit:



    OK, binary loader, hello world and SDK finished, get it here. Read the readme for the important stuff.
    It's encrypted and works on the US version only.
    Get the SDK here.

    Old post for nostalgia:

    Quote:
    So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009

    GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite .
    The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (just to indicate that arbitrary code is running).
    The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

    It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

    Credits go to those who deserve them.

    Hello World on PSP FW 1.52-5.02
    The Spartaaaaaaaaaaaaaaaaaaaa!!! Exploit

    by MaTiAz & FreePlay

    Instructions
    ------------
    1. Copy the contents of MS_ROOT into the root of your memory stick.
    (This will overwrite the first GripShift savegame slot).
    2. Launch the US version of GripShift.
    3. Load up the game (if it doesn't autoload).
    4. See your PSP run unsigned code.

    It'll autoexit after some time. You can use the home button to exit too if
    you've seen enough.

    FAQ
    ---
    Q: Will this allow downgrading?
    A: No, because this is a usermode exploit and the functions required to downgrade are
    only available in kernel mode.

    Q: Why the name?
    A: Because the original exploit was found by overwriting the player name with
    "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".

    Q: Can/Will Sony block this?
    A: Yes.

    Q: I wanna make homebrew using the exploit. How?
    A: Get FreePlay's GS SDK: http://f6y.ath.cx/pspdev/sparta_sdk.zip
    It has some constraints though, check the readme.
    The Hello World was written with it.

    Credits
    -------
    Exploit and binary loader: MaTiAz
    SDK: FreePlay
    Greets go to Dark_AleX, Mathieulh, jas0nuk, Hellcat, etc. etc. etc, you know.

    Download and Give Feedback Via Comments
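    Added example, not code from MaTiAz's post or from FreePlay's Sparta SDK: a small C program that lays out a decrypted SDDATA.BIN-style image the way the post describes it (return address at file offset 0xA9 pointing to 0x08E4CD50, code at 0xCC) and reads the layout back. The file size (25 kB exactly), the start offset of the profile-name field, the 'a' filler and the payload (MIPS nops instead of the real framebuffer-painting code) are all assumptions; the program does not parse real GripShift saves, it only shows where the pieces sit and why the return address is written byte-reversed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets and values quoted from MaTiAz's post above: the return address
 * sits at file offset 0xA9 and points to 0x08E4CD50; the code starts at
 * file offset 0xCC. */
#define RET_ADDR_OFFSET  0xA9u
#define RET_ADDR_VALUE   0x08E4CD50u
#define CODE_OFFSET      0xCCu
/* The post only says "pretty big (25kB)"; the exact size is an assumption. */
#define SAVE_SIZE        (25u * 1024u)

/* PSP user-mode memory (partition 2) spans 0x08800000-0x09FFFFFF. */
#define PSP_USER_RAM_LO  0x08800000u
#define PSP_USER_RAM_HI  0x09FFFFFFu

/* The PSP's Allegrex core is little-endian MIPS, so a 32-bit return
 * address lands in the file least-significant byte first. */
static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);       p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bytes between the end of the return-address slot and the start of the
 * code: 0xCC - (0xA9 + 4) = 31, the "only a few bytes after" in the post. */
unsigned code_gap(void)
{
    return CODE_OFFSET - (RET_ADDR_OFFSET + 4);
}

int in_user_ram(uint32_t addr)
{
    return addr >= PSP_USER_RAM_LO && addr <= PSP_USER_RAM_HI;
}

/* Read back whatever the game would pick up as the return address. */
uint32_t ret_addr_of(const uint8_t *save)
{
    return read_le32(save + RET_ADDR_OFFSET);
}

/* Lay out a decrypted (SDDATA.BIN-style) save image as the post describes.
 * name_start is where the profile-name string begins; the post does not
 * give that offset, so it is a parameter here (assumption).  Everything
 * from name_start up to the slot is 'a' filler, mirroring the
 * "this is spartaaaa..." name that found the bug; the slot gets the
 * return address and the payload goes at CODE_OFFSET.  Returns 0 on
 * success, -1 if the arguments do not fit the layout. */
int build_save(uint8_t *save, size_t len, size_t name_start,
               const uint8_t *payload, size_t payload_len)
{
    if (len < SAVE_SIZE || name_start >= RET_ADDR_OFFSET ||
        payload_len > len - CODE_OFFSET)
        return -1;

    memset(save, 0, len);
    memset(save + name_start, 'a', RET_ADDR_OFFSET - name_start);
    write_le32(save + RET_ADDR_OFFSET, RET_ADDR_VALUE);
    /* Keep the 31-byte gap as filler too, so the overflowing string runs
     * unbroken from the name field into the slot and on to the code. */
    memset(save + RET_ADDR_OFFSET + 4, 'a', code_gap());
    memcpy(save + CODE_OFFSET, payload, payload_len);
    return 0;
}

/* True when the image carries the exact return address from the PoC. */
int looks_like_sparta_poc(const uint8_t *save)
{
    return ret_addr_of(save) == RET_ADDR_VALUE;
}

int main(void)
{
    static uint8_t save[SAVE_SIZE];
    /* Placeholder payload: four MIPS nops (encoded as 0x00000000).  The
     * real PoC's framebuffer-painting code is not reproduced here. */
    static const uint8_t payload[16] = {0};
    size_t i;

    if (build_save(save, sizeof save, 0x40, payload, sizeof payload) != 0) {
        fprintf(stderr, "layout does not fit\n");
        return 1;
    }
    printf("return address slot @0x%02X -> 0x%08X (%s user RAM)\n",
           RET_ADDR_OFFSET, ret_addr_of(save),
           in_user_ram(ret_addr_of(save)) ? "in" : "outside");
    printf("code @0x%02X, %u filler bytes in between\n", CODE_OFFSET, code_gap());
    printf("bytes 0xA0..0xCF:");
    for (i = 0xA0; i < 0xD0; i++)
        printf("%s%02X", (i % 16 == 0) ? "\n  " : " ", save[i]);
    printf("\n");
    return 0;
}
```

    Running it prints the slot and code offsets and a hex dump of the region around them; the bytes at 0xA9 come out as 50 CD E4 08, which is what you would grep for in a capture of this particular save if you wanted to spot it.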

  2. #2 mikebeaver (DCEmu Pro)


    Nice work, just need to get some kernel access now and all will be right with the world again

    Mike..

  3. #3 DCEmu Legend


    Really REALLY cool stuff. It's refreshing just to see that there are still teams hard at work ensuring PSP homebrew survives every single hardware revision thrown at us by SONY.

    The day when every single PSP can be homebrew enabled will hopefully once again be upon us.

    Thanks to all who worked on this and I hope it encourages more work to try to get CFW on the new PSP's.

  4. #4 Buddy4point0 (DCEmu Legend)


    Great!
    Has anyone tried using one of the old eboot loaders from the GTA exploit days?
    It should work with little or no modification as that too ran in user mode.

    I think that's the PSP 3000's best shot for homebrew right now.

  5. #5

    Quote Originally Posted by Buddy4point0 View Post
    Great!
    Has anyone tried using one of the old eboot loaders from the GTA exploit days?
    It should work with little or no modification as that too ran in user mode.

    I think that's the PSP 3000's best shot for homebrew right now.
    All the tiff brew needs to be recompiled to include the sparta_sdk.h; take a look at its list of functions. It's a very good start, but limited. Some tiff brew games do work after doing a few edits.

  6. #6 dejkirkby (DCEmu Legend)


    I bow to you guys.
    Great work.

  7. #7 titch.ryan (DCEmu Regular)


    great work.
    here come the firmware updates!!

  8. #8 DCEmu Newbie


    Does this do anything for the PSP 2000s that cannot be hacked?

  9. #9 DCEmu Newbie


    Badass exploit name. Gratz for getting this.

    SPARTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!!!

  10. #10 mike_jmg (DCEmu Legend)


    This is Spartaaaaaaaaaaaaaaaaaaa!!!!!!!
    LOL

    Sony closes the door, developers open a window
    I knew there should be more savegame exploits, good work guys

    Do you guys think DAX will release a HEN or something for this exploit, or will he go straight to trying to improve Pandora on an already hacked PSP-3000?

    Either way I think the 3000 will be hacked soon, but I don't know if I should get a copy of GripShift, just in case,

    as the only copy I've seen is really overpriced and the dude doesn't even know there might be an exploit for it, imagine when he finds out
    Last edited by mike_jmg; January 6th, 2009 at 02:44.
