Thread: One Day Later - 2.5/2.6 Kernel Exploit - The Real, Full Story - A MUST READ!

  1. #1

    One Day Later - 2.5/2.6 Kernel Exploit - The Real, Full Story - A MUST READ!

    UPDATE: Birdman has mentioned that for an unknown reason the Beta's release may be getting postponed. I would be able to tell you more, but for some reason the DALnet server isn't working for my mIRC.


    Welcome everyone to "One Day Later", an article chronicling the events that rocked the PSP Scene from 06/28/06 to 06/29/06. In this article I will review all the ins and outs of the new exploit, the truth behind DarK_AleX's Downdater, the real culprit behind the epidemic of bricked PSPs, and of course the most important part of all - the information you will learn tomorrow... TODAY!

    What We Know
    Well, it has been an eventful 24 hours here on the PSP Scene, with some developments that can be considered nothing less than extraordinary. We started yesterday, on Wednesday June 28th, 2006, with hitchhikr releasing his proof-of-concept of kernel memory access on a 2.5 or 2.6 PSP. Without a doubt the biggest exploit since the GTA eLoader, it was put to work by several devs immediately upon its release. Some of the biggest names in PSP Homebrew took their crack at making a practical application of the brand new exploit, including DarK_AleX, Fanjita, Yoshi, Mathieulh, and 0okm. The first to note any progress was Fanjita, releasing a very early attempt at using the newfound exploit. Below is the exact quote of the release from PSPUpdates, followed by an exact quote of their "exclusive" email from Fanjita:
    ________________________________________________________________
    Update #1: Fanjita has released the "source" of his work so far today on this newly discovered exploit. If you would like to take a look at it and continue investigating where he left off for today, have a look!
    Only for v2.5 / v2.6.

    Based on Proof of Concept code by Hitchhikr / Neural.

    Function : Attempts to load ms0:/kernel.elf using sceLoadModule/sceStartModule when in kernel mode, after writing a NOP to 0x8801A5B4.

    Diags: Writes a log of operations to ms0:/GTALOG.TXT.
    If LoadModule fails, writes the error code to ms0:/failload.trc.
    If StartModule fails, writes the error code to ms0:/failstart.trc.

    Check out the included readme for more info! (Thanks for the tip, gangsta_psp!)

    Download: [Fanjita's Exploit Source - Day 1]

    Update #2: Fanjita has taken a moment to respond to some of the many questions being asked in our forums regarding the update above and his "source":

    Rumour clear-up time : this was posted in the pspdev IRC, so that people who know what they're doing can play with it if they want. I don't mind it being spread around, but if you don't understand how sceKernelLoad* apply security checks, then it's probably not for you.

    It's work-in-progress, it's not an eLoader beta, it's just a more convenient way of experimenting with the exploit (maybe), and also an effort to test some in-RAM hacks to remove some security checks.

    It doesn't seem to work at the moment, and the main thing that needs to be done is to investigate why - presumably, there's a problem with the format of the ELFs being loaded.

    Kernel.elf is just an arbitrary ELF - nothing I've tried so far has worked, feel free to try your own.

    The source that's given is just the source of the function that's attempting to do stuff with the exploit - it doesn't show any of the exploit code, and is not a complete app in its own right.

    He also went on to say that the main focus right now is to replicate "nokxploit functionality", making 2.50/2.60 PSPs behave the same way that 1.0 PSPs do in regards to homebrew. He says that a "kernel eLoader" would be possible but more cumbersome than a nokxploit approach.
    ________________________________________________________________

    We will be debunking his statements later on in the article, but for now we will proceed to the next set of releases that came from the exploit, the ones from none other than the man behind the Downdater, DarK_AleX. He started all of us off by releasing the first real progress in the form of his PRXDecryptor TEST for Firmware v2.6 (though it was only partially effective). It was after this release however, that the real fun began. At around 9:30 PM on 06/28/06 DarK_AleX released the first version of his now infamous "Downdater". Before continuing on, I suggest everyone read DarK_AleX's official unmodified post, here.

    Without doubt one of the biggest developments that could have possibly come from the new 2.5/2.6 exploit, it was a ray of light for the 2.0+ PSP community. And after a few successful reports early on, the program soon made it to PSPUpdates where it was eagerly accepted (perhaps too eagerly), and the result turned out to be a large number of, yep, you guessed it, BRICKS. After that things began getting ugly on the PSPUpdates forums, with several angry members blaming their newfound bricks on DarK_AleX and a few even taking advantage of the situation. Anyone present on the PSPUpdates forums last night knows what I am talking about. However, later in this post I will reveal the truth behind this frenzy, and clear up who was truly behind the bricking, and who is taking advantage of you.

    Regardless of the wonderful flame-job countless users provided for DarK_AleX, he continued his work on the Downdater after teaming up with Yoshi and Mathieulh to release three subsequent versions of the program, v0.2, v0.3, and v0.4. Thanks to the bravery of Yop2k5 from the PlanetPSP IRC channel (he tested THREE times until ending up with a brick) we are now even closer to a working version.

    And last but not least, we have the unconfirmed downgrader by 0okm, the creator of the Die Hard Firmware v1.0 Downgrader. All the proof there currently is of this consists of three posts in broken English on the PSPUpdates forums.
    __________________________________________________

    sorry
    it is unstable
    i test 10pcs FW2.60 PSP
    8pcs OK
    2pcs have error

    i can't share it
    i don't want to have Dark_AleX's condition :P
    __________________________________________________

    yes
    i can confirm can use hitchhikr's concept to "downgrader" old ver. hardware PSP with FW2.60 to FW1.00
    i was use another method NOT Dark_AleX's Downgrader"

    "if "ookm" is "0okm"
    i can tell you
    i try my way with hitchhikr's Great Work ^o^
    __________________________________________________

    i test 10pcs FW2.60 psp
    reflash them to FW1.00
    8pcs OK
    2pcs have error
    but never mind
    i have multi FW Module ^o^"
    __________________________________________________

    And with that, we have reviewed EVERYTHING that has happened in the last day concerning this great new exploit, which leaves the fun stuff. In the following section, I will debunk all of the information above (you people deserve the truth!), and give you a little preview of what's to come.

    What You Don't Know
    Well, here goes. I'll start by talking about the first thing I discussed in this article, Fanjita's attempts with Kernel memory and the eLoader. I do not intend to demean his work in any way, but there are definitely some things you eLoader hopefuls and downgrader bashers should hear about.

    1. The exploit for Kernel access itself is unstable, as noted by one of the developers of the Downdater in the following statements:
    * [Mathieulh] because the exploit itself is unstable.
    * [Mathieulh] the point is lots of functions **** up for no reason using the exploit
    * [Mathieulh] and we don't know why
    * [Mathieulh] for instance using printf will freeze the psp in kernal mode
    2. The Kernel access exploit doesn't allot very much RAM for use on a 2.6 PSP, once again as noted by a Downdater developer:

    * [Mathieulh] we also found out that the ammount of available ram on 2.60 using the kernel exploit is very small

    Well, now that that is out there, we can move on to the next issue I promised to address – DarK_AleX's nickname as the "BRICKER". Last night the PSPUpdates forums were literally a spam fest in which countless PSPUpdates members called out DarK_AleX and blamed their bricks on him. This really disappointed me, as I am personally seeing residual effects of this portrayal on my own site, www.pspbrew.com. DarK_AleX is an amazing asset to the PSP Community, and it truly saddens me that some sceners would damage his reputation so severely. Thus, it makes me proud to bring you the TRUTH about the real culprit behind the bricks that resulted from Downdater v0.1! As it turns out, the true culprit behind the devastation was none other than the very first person to try the Downdater, PSPXnax. To lend validity to my case, I interviewed an eyewitness who watched the first KNOWN downgrade play out, and also obtained an exact quote of PSPXnax's live confession on ProjectPSP's IRC chat. Here it is:

    Birdman's Eyewitness Account: "we were all excited when the downgrader came out, even us with 1.5's were glad to finally be able to accept more members into our family, but of course dark_alex didn't test it so we eventually found someone who was willing and able to test it, PSPXnax. We explained how to set it up and all, and he ran it on his first psp and told us that it ran completely fine and the downgrader was a complete success. Well of course when we heard this we were overjoyed but at the same time we were a bit sceptical, but he continued to assure us it worked. He seemed like a very nice trustworthy guy, so after PSPXnax confirmed we happily went about telling sites all over the internet that PSPXnax had tested it and that he claimed it worked fine. After that everyone who followed this knows the horrific events that happened afterwards, mass brickage, people were so eager to have 1.5 that they heard it had been "confirmed" and immediately rushed to test it. So I mean it's really for you to decide. dark alex told everyone straight up that it was untested and unconfirmed, but who's the real culprit? the dev or the devil?"

    PSPXnax's Live Confession: [PSPXNAX] ok guys i admit it i am very sorry i did lie .... but u should also thank me for 2 things .... firstly i gave u all hope second i gave people the courage to try it on their own psp's if i didn't do what i did we would have never ever have known whether this downgrader is going to work or not i am very sorry for all those that got their psps bricked but it also did save potentially thousands of others from getting bricked thank u brave people

    As you probably realize, it was not just for so many people to flame DarK_AleX and hurt his reputation. He did not intend to break any PSPs, and ultimately it is not his fault that any were bricked. If you want to blame anyone other than yourself, you now know who to flame: not DarK_AleX, but PSPXnax. This now leads us to the next thing you should be informed of, the people taking advantage of this situation to steal your money. Though there are legit cases out there like Josh's PSP from PSP-Hacks, there are also definitely bad ones out there. I will only use one for this article, and you can use your judgment if you're considering donating to any other people left with bricks. The example of the day is none other than TMK or TheMarioKarters from PSPUpdates. The user had allegedly "bricked" his PSP with the downgrader and was asking for donations. The sad part was that even if he had tried the downgrader, he had not read the readme at all, because he apparently had a TA-082 PSP. I just want to get this out in the public, and warn people to not donate to scammers like this. Oh, and I also should throw a few things in for good measure. I congratulate the PSPUpdates admins for making people remove the TMK donation links from their sigs, and it also seems that what goes around comes around, as TMK's PayPal account has apparently been hacked and the money removed. Sweeeeeeet Justice! Anyways, now we can move on to the really fun stuff, what you will be seeing today from the Downdater!

    Downdater Beta (coming soon): For this I felt it was best if I just copy/pasted the IRC chat about this topic directly. Here it is, straight from the devs' keyboard to your monitor:

    [Mathieulh] and finally we will tomorrow have a beta version to test
    [Mathieulh] with sceioremove instead of logical format (to check out wether it works or not)
    [mrweeeedbirdman] will the beta have any chanse of wroking?
    [Mathieulh] if not we will stick to logical format
    [Mathieulh] yes it will
    [mrweeeedbirdman] cool
    [Mathieulh] but it will also have chances of brickinf
    [Mathieulh] bricking*
    * fettesbumsen acts like he understands.
    [Firey21] pl
    [Mathieulh] as it's a beta
    [Mathieulh] lol
    [Firey21] ok
    [mrweeeedbirdman] yea i just wondering if its chances are higher than that of .4
    [Firey21] beta = 60% sucvess
    [mrweeeedbirdman] cool
    [Firey21] or thats how it should be
    [Mathieulh] lol I can't really tell, anything can happen on the psp especially with an unstable exploit such as the one we are using

    Well folks, that’s all for now. I hope you enjoyed the show and I hope you enjoy the developments that are sure to be coming in the near future!


    Special thanks to Terdinglage and Birdman for their hard work put into this great article. ~ Kaiser

    Source: http://www.pspbrew.com

  2. #2 BL4Z3D247 (DCEmu Old Pro)

    well i hope people aren't gonna attempt the beta without the UP chip, 60% is better than what it was (0%) but it's still a little too low in my book

  3. #3 Kaiser (Now with Blast Processing!)

    Excellent Article. Thanks for allowing us to use it Terdinglage. Moving to news forums.

  4. #4 BL4Z3D247 (DCEmu Old Pro)

    Quote Originally Posted by Kaiser
    Excellent Article. Thanks for allowing us to use it Terdinglage. Moving to news forums.
    perfectly worded Kaiser...the only thing i didn't know about was the beta version comin out, so thanx for postin this Terdinglagev2

  5. #5 acn010 (DCEmu Legend)

    now we need is rich boys testers for this
    lmao

  6. #6 BL4Z3D247 (DCEmu Old Pro)

    Quote Originally Posted by acn010
    now we need is rich boys testers for this
    lmao
    well all the rich boy testers probably have the UP chip...i still can't wait to see how this will pan out

  7. #7

    ok im completely confused with this so whats the deal with this could sumone please sum it up for me in simple terms bc the article kinda lost me but il read it again maybe itll make sense this time but idk

    EDIT: ok it kinda made a lil more sense to me so they are working on a downgrader or sumtin along those lines from the way i take it but i dont know i really am not one to want to try sumtin that will render my psp useless even if it has a 100% success rate becuz tho 100% there is still a chance you cud still mess up, tho if it had a really i mean really F N detailed read me file i might consider it so if a downgrader is released ill wait for people to try it then i just may give it a try but id be happy if they just get kernel mode working on 2.5-2.6 fw thats what i want more than a downgrader [tho it was mentioned to be unstable::: but just remember this its still in a very early stage of development what i feel is it just needs to be worked on a lil bit becuz you cant expect perfection from a first or second release and dont say its not possible becuz look sum1 found a way to access it so thats gotta count for sumthing] becuz if i wanted a 1.5 psp ill fork over the money for it

  8. #8 BL4Z3D247 (DCEmu Old Pro)

    Quote Originally Posted by tophead420
    ok im completely confused with this so whats the deal with this could sumone please sum it up for me in simple terms bc the article kinda lost me but il read it again maybe itll make sense this time but idk
    yeh it is a big article, what part are u havin trouble understandin?

  9. #9 acn010 (DCEmu Legend)

    Quote Originally Posted by Blazed247
    well all the rich boy testers probably have the UP chip...i still can't wait to see how this will pan out
    damn rich people....
    time for plan B: laboratory rats with their psp's

  10. #10 Cooe14 (DCEmu Pro)

    Just as I thought. The exploit is too unstable for normal use (eloader), but i bet this will bring a good downgrader eventually.
