Vulnerabilities: Difference between revisions
CelesteBlue (talk | contribs) (→Kernel) |
CelesteBlue (talk | contribs) |
||
(44 intermediate revisions by the same user not shown) | |||
Line 20: | Line 20: | ||
== PSP Game Savedata == | == PSP Game Savedata == | ||
=== Savedata protections === | |||
Most PSP games have a common encryption system whose encryption key is per-game. The encrypted savedata is often named DATA.BIN. The per-game key can be dumped using a plugin on an actual PSP: SGKeyDumper by qwikrazor87. The savedata can be decrypted on PC using [https://github.com/38-vita-38/psp-save psp-save by 38-vita-38] or [https://github.com/cielavenir/psp-savedata-endecrypter psp-savedata-endecrypter by popsdeco/cielavenir] or [https://github.com/BrianBTB/SED-PC SED-PC by BrianBTB] or on PSP using [https://github.com/bucanero/apollo-psp Apollo Save Tool (PSP) by bucanero] or SED (Savegame Encrypt/Decrypt). | |||
Some PSP games have an additional encryption applied to their savedata. This system was already present in some PlayStation and PlayStation 2 games: | |||
* Tekken 2 and 3 for PS1. | |||
* Bandai Namco Entertainment used a previously unknown feature of PS2 memory cards (per sector encryption on flash raw sectors) to protect the quest data memory card on the System 246 version of Soul Calibur 2 Arcade game. One cannot move the save data from one memory card to another because the game uses the per card crypto seed. | |||
See also [https://github.com/bucanero/save-decrypters/] and [https://community.wemod.com/t/philymasters-security-archive/3923] | |||
Some games store digests in the savedata to ensure integrity. | |||
==== Tekken 6 ==== | |||
The first 0x20 bytes of MAINDATA.SAV, GHOST.SAV and REPLAY.SAV of PS3 Tekken 6 are not encrypted and are a sort of header. They contain filesize and maybe digest. The remaining data in the files are encrypted with an unknown algorithm (maybe AES128 with a per-console key based on eid0). | |||
MAINDATA.SAV of PSP Tekken 6 is fully encrypted without any header. The game calls [[Kirk]] command 5 to encrypt/decrypt savedata with a key derived from per-console [[Fuse ID]]. This file can be decrypted on PC with the command <code>psp-save -d KEY.BIN 5 MAINDATA.SAV MAINDATA_DEC.SAV</code> where KEY.BIN is the per-console key. This per-console key can be dumped using Apollo Save Tool (PSP) or derived from the console's [[Fuse ID]]. | |||
==== Gladiator Begins Demo ==== | |||
==== Gran Turismo ==== | |||
==== Invizimals ==== | |||
Invizimals PSP game stores a checksum in its savedata. It also maybe encrypts it (to check). | |||
https://github.com/bucanero/save-decrypters/tree/master/invizimals-checksum-fixer | |||
==== SOCOM U.S. Navy SEALs games ==== | |||
Custom savedata encryption may concern the following PSP games: | |||
* SOCOM U.S. Navy SEALs: Fireteam Bravo | |||
* SOCOM U.S. Navy SEALs: Fireteam Bravo 2 | |||
* SOCOM U.S. Navy SEALs: Fireteam Bravo 3 | |||
* SOCOM U.S. Navy SEALs: Tactical Strike | |||
==== Patapon 3 ==== | |||
https://github.com/bucanero/save-decrypters/tree/master/patapon3-decrypter | |||
==== Monster Hunter games ==== | |||
Monster Hunter PSP and Nintendo 3DS games use a custom encryption system and a custom SHA1 integrity hash. It concerns the following games and DLCs: | |||
* Monster Hunter Freedom Unite (ULUS10391/ULES01213) | |||
* Monster Hunter Portable 2nd G (ULJM05500) | |||
* Monster Hunter Portable 3rd (ULJM05800) | |||
* Quests - MH Freedom Unite (ULUS10391/ULES01213) | |||
* Quests - MH Portable 2nd G (ULJM05500) | |||
* Quests - MH Portable 3rd (ULJM05800) | |||
https://github.com/bucanero/save-decrypters/tree/master/monsterhunter-decrypter | |||
=== Blacklisted games === | |||
Here is the list of blocked exploits extracted from the blacklist of the PSP emulator of the PS Vita. See also the [https://www.psdevwiki.com/vita/Blacklists PS Vita dev wiki]. | |||
<pre> | |||
TODO | |||
</pre> | |||
=== Electronic Arts Games === | |||
According to Jeerum (2010), every EA game on PSP gets a buffer overflow if you try hard enough: insert 1 kB or 2 kB into your profile name in the save data. | |||
See https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games%3A_2000%E2%80%932009 and https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games:_2010%E2%80%932019 . | |||
=== Before PS Vita era === | === Before PS Vita era === | ||
==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ==== | ==== Grand Theft Auto: Liberty City Stories UMD (and the Goofy exploit): PSP 2.00-3.03. Patched 3.30 ==== | ||
Discovered by Edison Carter. | Discovered by Edison Carter, Fanjita and n00bz in 2006. | ||
There is a stack buffer overflow in the savedata processing of GTA LCS. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it. | |||
Sony quickly patched this vulnerability with a firmware update, and released a "new" version of the game that required to install the patched System Software. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP history that an exploited game got a UMD update. | |||
Germany version: | Germany version: | ||
Line 47: | Line 113: | ||
Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched. | Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched. | ||
This vulnerability got reused a second time by Noobz on 2007-01-25, in what was called the Goofy exploit, as it was discovered that Sony had incorrectly patched the vulnerability. | |||
https://web.archive.org/web/20081212045551/http://www.noobz.eu/joomla/news/sony-goofed-again-hello-world-on-all-v2.0-3.03-firmwares.html | |||
==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ==== | ==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ==== | ||
==== Gripshift by | On 2007-06-23, Noobz, with the help of Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, when Archaemic was trying to feed random data to the game. | ||
https://web.archive.org/web/20080115210003/http://www.noobz.eu/joomla/news/beware-of-the-illuminati.html | |||
==== Gripshift by MaTiaZ: PSP <= 5.02?-5.03?. Patched 5.05 ==== | |||
* released by MaTiaZ on 2009-01-01. | |||
There is a buffer overflow vulnerability in the player’s name, by editing the game’s save data. | |||
https://web.archive.org/web/20090121190410/https://lan.st/showthread.php?t=1867 | |||
==== | ==== Medal Of Honor Heroes by kgsws: PSP <=?5.51? ==== | ||
* first version (requires connection between 2 PSPs) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-06 | |||
* second version (does not require online) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-09 | |||
* Medal Of Honor Heroes 2 is maybe affected too. | |||
https://www.youtube.com/watch?v=VqTjvtfCnXc | |||
https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/ | https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/ | ||
https://www.brewology.com/downloads/download.php?id=9900 | https://www.brewology.com/downloads/download.php?id=9900 | ||
https://www.dcemu.co.uk/vbulletin/threads/223571-New-Exploit-MOHH-(Medal-of-Honor-Heroes)-THIS-VERSION-DOESN-T-WORK | |||
https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit | https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit | ||
https://forums.exophase.com/threads/new-psp-homebrew-medal-of-honor-heroes-exploit-v2.17461/ | |||
==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ==== | |||
https://wololo.net/talk/viewtopic.php?f=3&t=51 | |||
https://wololo.net/2010/03/29/way-to-keep-a-secret-malloxis/ | |||
==== Everybody's Golf and variants: PSP <=?6.31? ==== | |||
* Everybody's Golf Portable (みんなのGOLFポータブル, Minna no Gorufu Pōtaburu), known as Everybody's Golf in the PAL region and Hot Shots Golf: Open Tee in North America, is the first game of the series released for PlayStation Portable. | |||
* Everybody's Golf Portable 2 (みんなのGOLF ポータブル2, Minna no Gorufu Pōtaburu Tsū), known as Everybody's Golf 2 in the PAL region (Australian version titled Everybody's Golf: Open Tee 2) and Hot Shots Golf: Open Tee 2 in North America, is the second game of the series released for PlayStation Portable. | |||
* Everybody's Stress Buster and Hot Shots Shorties are maybe vulnerable. | |||
* Discovered by J416DY on 2010-08. | |||
* https://wololo.net/talk/viewtopic.php?f=3&t=51 | |||
==== Hot Shots Golf and variants ==== | |||
Hot Shots Golf, Hot Shots Golf 2, Hot Shots Golf - Non-Greatest Hits | |||
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews. | |||
https://wololo.net/talk/viewtopic.php?f=3&t=51 | |||
==== Minna no Golf and variants ==== | |||
Minna no Golf, Minna no Golf 2, Minna no Golf 2 - The Best | |||
https://wololo.net/talk/viewtopic.php?f=3&t=51 | |||
==== Minna no sukkiri and variants by Jeerum: PSP <= ?6.35? ==== | |||
* Minna no sukkiri, Minna no sukkiri demo | |||
* Discovered and exploited by Jeerum (2010-12-19). It had been found before Jeerum by at least Darxploit, Flyer, minomushi, some1. These people made the move of keeping this as secret as possible, and contacting mamosuke, j416, JJS, m0skit0, and wololo in order to discuss release plans. | |||
https://wololo.net/talk/viewtopic.php?f=3&t=51 | |||
https://wololo.net/talk/viewtopic.php?t=1032 | |||
==== Carol Vorderman's Sudoku by Jeerum: probably not patched ==== | |||
* Discovered and exploited by Jeerum (2011-01-06). | |||
* [https://github.com/ChampionLeake/SudokuSTACK implementation by ChampionLeake (2019-04-22)] | |||
* The PS2 version of this game is also vulnerable. | |||
=== During PS Vita era === | === During PS Vita era === | ||
Line 165: | Line 294: | ||
==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ==== | ==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ==== | ||
==== Pursuit Force and Pursuit Force - Extreme Justice: <= ?2.61?. Patched 3.00 ==== | |||
According to the PS Vita blacklist, Pursuit Force games savedata vulnerabilities are exploitable on some PS Vita System Software versions < 3.00. | |||
==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ==== | ==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ==== | ||
Line 224: | Line 357: | ||
==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ==== | ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ==== | ||
Discovered around 2014-09-12 by qwikrazor87. | Discovered in 2010 by anonymous and around 2014-09-12 by qwikrazor87. | ||
It is fairly easy to get this exploit to work as it is a buffer overflow in the player's name. | |||
The savedata in Gladiator Begins Demo only work on the PSP that created them. | |||
https://wololo.net/talk/viewtopic.php?t=39771 | https://wololo.net/talk/viewtopic.php?t=39771 | ||
Line 238: | Line 375: | ||
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/ | https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/ | ||
==== Patapon | ==== Patapon: <= 3.18 ==== | ||
==== Talkman Travel: Tokyo: <= 3.18 ==== | ==== Talkman Travel: Tokyo: <= 3.18 ==== | ||
Line 249: | Line 386: | ||
==== Patapon 2 non-demo (UCES01177): <= 3.36 ==== | ==== Patapon 2 non-demo (UCES01177): <= 3.36 ==== | ||
https://wololo.net/talk/viewtopic.php?f=3&t=51 | |||
https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/ | https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/ | ||
Line 269: | Line 408: | ||
==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ==== | ==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ==== | ||
There is a classical buffer overflow exploit in the player's name. This exploit was found in parallel be several people in 2010. This game is really easy to exploit (see the [https://wololo.net/2010/02/27/writing-a-binary-loader/ tutorial]). | |||
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews. | |||
==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ==== | ==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ==== | ||
Line 281: | Line 424: | ||
https://github.com/173210/psp_exploits/ | https://github.com/173210/psp_exploits/ | ||
==== Mega Man Powered Up or Rockman Rockman: <= ? ==== | |||
* Disclosed by 173210 on 2015-09-05. | |||
* https://gist.github.com/173210/d086cf9074c714c1b737 | |||
* https://gist.github.com/173210/90103a9547381ce380ab | |||
* https://gist.github.com/173210/e8f8119534f1fc87a89d | |||
=== After PS Vita era === | === After PS Vita era === | ||
Line 287: | Line 437: | ||
https://github.com/ChampionLeake/scrabblehax | https://github.com/ChampionLeake/scrabblehax | ||
=== Remarks === | === Remarks === | ||
Line 304: | Line 450: | ||
== PS1 Game Savedata == | == PS1 Game Savedata == | ||
=== | === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack === | ||
Discovered around | Discovered around 2014-04-08 by qwikrazor87 and vonjack. | ||
Maybe not exploitable. | |||
=== | === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack === | ||
Discovered around 2014- | Discovered around 2014-04-21 by qwikrazor87 and vonjack. | ||
Maybe not exploitable. | |||
=== Noon (NPJJ00466) by qwikrazor87 and vonjack === | |||
Discovered around 2014-04-19 by qwikrazor87 and vonjack. | |||
Maybe not exploitable. | |||
=== Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 === | |||
Discovered around 2015-09-28 by qwikrazor87. | |||
Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white. | |||
=== Tekken 2 by qwikrazor87 and Acid_snake === | |||
Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob. | |||
https://wololo.net/downloads/index.php/download/8275 | https://wololo.net/downloads/index.php/download/8275 | ||
Line 320: | Line 482: | ||
https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | ||
=== Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and | === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack === | ||
Discovered around 2014-07 | Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. Released on 2015-03-12 in TN-X by Total_Noob. | ||
https://wololo.net/downloads/index.php/download/8275 | https://wololo.net/downloads/index.php/download/8275 | ||
Line 338: | Line 498: | ||
https://alex-free.github.io/tonyhax-international/save-game-exploit.html | https://alex-free.github.io/tonyhax-international/save-game-exploit.html | ||
=== Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? === | === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? === | ||
Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake. | |||
https://alex-free.github.io/tonyhax-international/save-game-exploit.html | https://alex-free.github.io/tonyhax-international/save-game-exploit.html | ||
=== Crash Bandicoot 3: Warped by ?alex-free? === | https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/ | ||
=== Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? === | |||
Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake. | |||
https://alex-free.github.io/tonyhax-international/save-game-exploit.html | https://alex-free.github.io/tonyhax-international/save-game-exploit.html | ||
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/ | |||
=== Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? === | === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? === | ||
Line 354: | Line 522: | ||
Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki]. | Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki]. | ||
== | == POPS == | ||
=== POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake === | |||
Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented. | |||
There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time. | |||
This vulnerability only affects PSP's PS1emu memory card manager, not PS1, PS2, PS3 or PS4' PS1emu memory card managers. | |||
=== POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) === | |||
Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob. | |||
Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later <code>jalr</code> to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, that is loaded as a whole into RAM. VMC are plain text and there is no integrity check done to it at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) are interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload. | |||
On the PSP, if you save the game, then the address for the Memory Card you saved are stored in 0x09FFE550 which is in that range (0x09C00000 to 0x0A000000) and in 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there in some other address so no need to save the game. What we did was jump to the start of the memory card. One would normally guess that the header file for .vmc would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there. | |||
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/ | |||
== Unclassified usermode vulnerabilities == | |||
=== Puzzle Bobble === | |||
The Japanese version of Puzzle Bobble was compiled in debug mode, allowing hackers to retrieve some interesting information, such as function names, that were later on used in the scene’s PSP SDK. In 2005, this was one of the first steps to getting homebrews on the PSP. | |||
https://forums.ps2dev.org/viewtopic.php?t=2081 | |||
=== PsOneLoader by TheFloW === | |||
https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/ | |||
== System == | |||
=== libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 === | |||
Discovered in 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee. | |||
https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World | |||
https://wololo.net/2009/04/13/eggsplanations/ | |||
https:// | https://www.youtube.com/watch?v=wV21QqQmX_o | ||
=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 === | === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 === | ||
Line 384: | Line 576: | ||
https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/ | https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/ | ||
=== libtiff exploit # | === libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 === | ||
Discovered in 2006-09. | |||
Implemented in Kriek eLoader and xLoader by Team N00bz. | |||
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit | |||
=== libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 === | |||
Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta. | |||
The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute userode code. | |||
Implemented in downgraders (like MPH downgrader from 2.00 to 1.50) and eLoader by Fanjita. | |||
https:// | https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit | ||
https:// | [https://web.archive.org/web/20060130220231/http://sunkone.cja.net/psp/loader2/README.txt] -> cjb | ||
https:// | https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf | ||
=== Unsigned System PRX allowed: PSP <= 6.20 === | === Unsigned System PRX allowed: PSP <= 6.20 === | ||
Line 404: | Line 608: | ||
Fixed: since PSP System Software version 6.30. | Fixed: since PSP System Software version 6.30. | ||
=== Old System PRX allowed === | === Old System PRX allowed: PSP any version === | ||
Discovered around 2005. | Discovered around 2005. | ||
Line 426: | Line 630: | ||
Fixed: no. | Fixed: no. | ||
=== | === Fixed syscall numbers: PSP <= ?6.50? === | ||
On PSP System Software version below 6.60, you could guess the syscall number for any kernel export, allowing you to call any syscall without having the resolved stub readily available. | |||
Fixed on PSP System Software version 6.60 or just before. On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore. | |||
=== qwikTrick (or Perfect Syscalls) by qwikrazor87: PSP/PS Vita any version === | |||
Discovered by qwikrazor87 around 2013 but independently discovered by others before, probably in 2011. Released by Acid_snake on 2023-10-15. | |||
On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore. Therefore hackers became restricted to the functions imported by the application they exploited. This led to limited kernel function access (less chances of triggering a kernel bug) and it also drastically reduced V/HBL compatibility. | |||
If you load a utility module, which loads a prx in user space, you can have a background thread that changes the PRX's stubs table to whichever imports you want. It relies on a race condition so you have to run the code a few times until it works. Eventually you can resolve whatever kernel export even if the original game did not have it. | |||
This exploit was very useful since most Minis games (main attack vector back in time) had limited imports. Team OILIX never released it because they wanted to keep it in case they came across a kernel exploit on some obscure function that not a lot of games import. Also because by then VHBL was already abandoned and everyone wanted eCFW (ARK, TN) instead so making VHBL have perfect syscalls for better compatibility was a waste for this hack. In hindsight it was a bad decision since Team OILIX never actually used the function because soon after was figured out how to craft PBOOT.PBP for PS Vita with any desired imports. | |||
https://github.com/PSP-Archive/ARK-4/blob/add6c946b4bab17ed7488114ccda3357ea42e0f2/common/utils/imports.c#L91 | |||
= Kernel = | = Kernel = | ||
== | == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW == | ||
Exploiting this bug is straightforward: | |||
1) Plant a fake UID object into kernel. | |||
2) Encode this UID object. | |||
3) Delete the UID object. | |||
Basically, what you can do with this primitive is overwriting a function pointer in kernel and make it pointing to some function in usermode instead. Then, we can invoke it and run our code in kernel mode. | |||
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion | |||
=== sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita <= 3.74 === | |||
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion | https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion | ||
Line 444: | Line 671: | ||
It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit. | It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit. | ||
== kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 == | === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita <= 3.50 === | ||
Discovered around 2014-10-20 by qwikrazor87. | |||
After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR’ing uid->uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective. As you’d have to plant 2^32 different UID object’s to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals. | |||
https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt | |||
=== Stack Pointer UID plant kexploit by qwikrazor87: PS Vita <= ?3.50? === | |||
Discovered around 2014-01-29 by qwikrazor87. | |||
The exploit steps are: | |||
1) Execute assembly that does saves context. | |||
2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000. | |||
3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread. | |||
4) Execute assembly that does something. | |||
5) Free the evil UID 0x05FEF601 at using sceKernelFreePartitionMemory. | |||
6) Execute assembly that restores context. | |||
7) Call the hijacked function _sceKernelLibcTime. | |||
=== sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita <= ?3.50? === | |||
Discovered around 2014-01-03 by qwikrazor87. | |||
Call sceIoOpen many times to corrupt an UID then free the UID using sceKernelFreePartitionMemory. | |||
=== sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita <= ?3.50? === | |||
Discovered around 2013-10-15 by qwikrazor87. | |||
== Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 == | |||
https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition | https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition | ||
Line 452: | Line 710: | ||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c | https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c | ||
== VPL kexploit by qwikrazor87 or Total_Noob: PS Vita | == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita <= 3.52 == | ||
[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW] | [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW] | ||
Line 458: | Line 716: | ||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V] | https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V] | ||
== | == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita <= 3.50 == | ||
Discovered around 2014- | Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87). | ||
A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked. | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c | |||
https://pastebin.com/Sdz0XPRg | |||
== _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? == | |||
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. | |||
Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime. | |||
== _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? == | |||
Discovered around 2014-01-19 by qwikrazor87 and Acid_snake. | |||
In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel. | |||
== | == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? == | ||
Discovered around | Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. | ||
== sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= 3.36 == | |||
Discovered around 2013-12-13 by qwikrazor87 and Acid_snake. | |||
The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode, _sceVideocodecSetMemory. | |||
https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt | https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt | ||
Line 478: | Line 752: | ||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c | https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c | ||
== _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita | == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita <= 3.20 == | ||
Discovered around 2014-04- | Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. Implemented in TN-X by Total_Noob around 2014-04-22. | ||
There is a time-of-check to time-of-use exploit in chnnlsv. | There is a time-of-check to time-of-use exploit in chnnlsv. | ||
Line 498: | Line 772: | ||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c | https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c | ||
== | == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? == | ||
Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. | |||
There is a time-of-check to time-of-use exploit in chnnlsv. | |||
== __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? == | |||
Discovered around 2013-10-22. | Discovered around 2013-12-13 by qwikrazor87 and Acid_snake. | ||
== _sceLoadCertFromFlash kexploit by by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita <= ?3.15? == | |||
Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob. | |||
https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c | https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c | ||
Line 508: | Line 792: | ||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c | https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c | ||
== sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 | == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita <= ?2.11? == | ||
Dicovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156. | Dicovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156. | ||
Line 555: | Line 839: | ||
== kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita <= 2.01 == | == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita <= 2.01 == | ||
Discovered by yosh | Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh. | ||
kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection. | kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection. | ||
Line 567: | Line 851: | ||
== sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 == | == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 == | ||
Discovered by Yosh | Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous. | ||
In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software <= 1.80 PSPemu it is not. | In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software <= 1.80 PSPemu it is not. | ||
Line 603: | Line 887: | ||
TBD: implementation by CelesteBlue | TBD: implementation by CelesteBlue | ||
== sceNetMPulldown ( | == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP <= 6.61 == | ||
https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c | https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c | ||
Line 637: | Line 921: | ||
https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/ | https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/ | ||
== ifhandle 5.70 | == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 == | ||
https://wololo.net/talk/viewtopic.php?p=147730#p147730 | https://wololo.net/talk/viewtopic.php?p=147730#p147730 | ||
Line 643: | Line 927: | ||
https://wololo.net/talk/viewtopic.php?p=147732#p147732 | https://wololo.net/talk/viewtopic.php?p=147732#p147732 | ||
== GEN/M33 contested | == GEN/M33 contested Wlan kexploit: PSP <= 5.50 == | ||
Davee does not remember much about this kexploit. GEN 5.50 source code is not public so decompilation is required in order to potentially find this exploit. | |||
https://wololo.net/talk/viewtopic.php?p=147642#p147642 | https://wololo.net/talk/viewtopic.php?p=147642#p147642 | ||
Line 660: | Line 944: | ||
http://www.kingx.de/forum/showthread.php?tid=15275 | http://www.kingx.de/forum/showthread.php?tid=15275 | ||
https://github.com/DaveeFTW/ChickHEN/blob/main/Launcher/main.c | |||
This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after. | This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after. | ||
Line 686: | Line 972: | ||
https://www.hitchhikr.net/Exploit_2.6.zip | https://www.hitchhikr.net/Exploit_2.6.zip | ||
https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c | |||
https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c | |||
== reused index.dat key: PSP 2.00, 2.01 == | == reused index.dat key: PSP 2.00, 2.01 == | ||
Line 711: | Line 1,001: | ||
Fixed: since PSP System Software version 6.35. | Fixed: since PSP System Software version 6.35. | ||
= | = iplloader = | ||
== NMI Backdoor == | == NMI Backdoor == | ||
Line 723: | Line 1,013: | ||
Applicable to: None | Applicable to: None | ||
Vulnerable: | Vulnerable: iplloader (all PSP bootrom versions, 0.7.0 and newer PSP DevKit Kbooti versions, PS Vita's PSP emulator bootrom) | ||
The | The iplloader bootrom (present within Tachyon's IC package) as well as iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom. | ||
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | ||
If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, | If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0. | ||
Below are the relevant pieces of code: | Below are the relevant pieces of code: | ||
Line 744: | Line 1,034: | ||
</pre> | </pre> | ||
This backdoor may allow an attacker performing a hardware based attack to set those values and gain | This backdoor may allow an attacker performing a hardware based attack to set those values and gain iplloader time code execution. | ||
== Arbitrary IPL Load Address == | == Arbitrary IPL Load Address == | ||
Line 756: | Line 1,046: | ||
Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed. | Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed. | ||
iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations. | |||
== Arbitrary IPL Entrypoint Address == | == Arbitrary IPL Entrypoint Address == | ||
Line 766: | Line 1,056: | ||
Applicable to: IPL time code execution on 01g and 02g, used in Pandora | Applicable to: IPL time code execution on 01g and 02g, used in Pandora | ||
Fixed: | Fixed: iplloader 2.6.0 | ||
iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion. | |||
Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check. | Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check. | ||
Line 784: | Line 1,074: | ||
Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100. | Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100. | ||
iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block. | |||
https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/ | https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/ | ||
== | == iplloader assumes a block with the checksum 0 is the first IPL block == | ||
Found by: C+D/Prometheus - Earliest discovery: 2006 Q4 | Found by: C+D/Prometheus - Earliest discovery: 2006 Q4 | ||
Line 798: | Line 1,088: | ||
Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself. | Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself. | ||
This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump | This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump iplloader. | ||
== | == iplloader do not perform the XOR step when running in Jig/Service mode == | ||
Found by: Mathieulh - Earliest discovery: 2019 Q1 | Found by: Mathieulh - Earliest discovery: 2019 Q1 | ||
Introduced: | Introduced: iplloader 3.5.0 | ||
Applicable to: Code execution on 3.5.0 | Applicable to: Code execution on 3.5.0 iplloader without previous knowledge of the XOR key. | ||
Fixed: probably never as 3.5.0 is the last known | Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool | ||
This is not so much a vulnerability as a poor design implementation. | This is not so much a vulnerability as a poor design implementation. | ||
To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, | To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions. | ||
This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed. | This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed. | ||
== | == iplloader clears the XOR key after doing a cache sync during normal execution == | ||
Found by: Proxima - Earliest discovery: 2020-01-27 | Found by: Proxima - Earliest discovery: 2020-01-27 | ||
Introduced: | Introduced: iplloader 3.5.0 | ||
Applicable to: Dumping the | Applicable to: Dumping the iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability | ||
Fixed: probably never as 3.5.0 is the last known | Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool | ||
3.5.0 | 3.5.0 iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C. | ||
In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000. | In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000. | ||
While it may be possible that Tachyon 0x00600000 and later | While it may be possible that Tachyon 0x00600000 and later iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000) | ||
== Faulty ECDSA Hash Comparison == | == Faulty ECDSA Hash Comparison == | ||
Line 842: | Line 1,132: | ||
Fixed: never | Fixed: never | ||
Starting with Tachyon 0x00600000, | Starting with Tachyon 0x00600000, iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature. | ||
This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid. | This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid. | ||
Line 849: | Line 1,139: | ||
= General writeups = | = General writeups = | ||
https://web.archive.org/web/20150919042153/https://playstationhax.it/forums/topic/1600-psp-and-psp-emulator-kernel-vulnerabilities-an-overview-chapter-1/ | |||
https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/ | https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/ |
Latest revision as of 23:34, 26 September 2024
Usermode[edit | edit source]
Exploits to sort[edit | edit source]
https://www.psdevwiki.com/psp/Homebrew_Enabler
https://en.wikibooks.org/wiki/PSP/Homebrew_History
https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table
https://www.psdevwiki.com/vita/Non-native_Exploits
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png
https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/
https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/
https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html
PSP Game Savedata[edit | edit source]
Savedata protections[edit | edit source]
Most PSP games have a common encryption system whose encryption key is per-game. The encrypted savedata is often named DATA.BIN. The per-game key can be dumped using a plugin on an actual PSP: SGKeyDumper by qwikrazor87. The savedata can be decrypted on PC using psp-save by 38-vita-38 or psp-savedata-endecrypter by popsdeco/cielavenir or SED-PC by BrianBTB or on PSP using Apollo Save Tool (PSP) by bucanero or SED (Savegame Encrypt/Decrypt).
Some PSP games have an additional encryption applied to their savedata. This system was already present in some PlayStation and PlayStation 2 games:
- Tekken 2 and 3 for PS1.
- Bandai Namco Entertainment used a previously unknown feature of PS2 memory cards (per sector encryption on flash raw sectors) to protect the quest data memory card on the System 246 version of Soul Calibur 2 Arcade game. One cannot move the save data from one memory card to another because the game uses the per card crypto seed.
Some games store digests in the savedata to ensure integrity.
Tekken 6[edit | edit source]
The first 0x20 bytes of MAINDATA.SAV, GHOST.SAV and REPLAY.SAV of PS3 Tekken 6 are not encrypted and are a sort of header. They contain filesize and maybe digest. The remaining data in the files are encrypted with an unknown algorithm (maybe AES128 with a per-console key based on eid0).
MAINDATA.SAV of PSP Tekken 6 is fully encrypted without any header. The game calls Kirk command 5 to encrypt/decrypt savedata with a key derived from per-console Fuse ID. This file can be decrypted on PC with the command psp-save -d KEY.BIN 5 MAINDATA.SAV MAINDATA_DEC.SAV
where KEY.BIN is the per-console key. This per-console key can be dumped using Apollo Save Tool (PSP) or derived from the console's Fuse ID.
Gladiator Begins Demo[edit | edit source]
Gran Turismo[edit | edit source]
Invizimals[edit | edit source]
Invizimals PSP game stores a checksum in its savedata. It also maybe encrypts it (to check).
https://github.com/bucanero/save-decrypters/tree/master/invizimals-checksum-fixer
[edit | edit source]
Custom savedata encryption may concern the following PSP games:
- SOCOM U.S. Navy SEALs: Fireteam Bravo
- SOCOM U.S. Navy SEALs: Fireteam Bravo 2
- SOCOM U.S. Navy SEALs: Fireteam Bravo 3
- SOCOM U.S. Navy SEALs: Tactical Strike
Patapon 3[edit | edit source]
https://github.com/bucanero/save-decrypters/tree/master/patapon3-decrypter
Monster Hunter games[edit | edit source]
Monster Hunter PSP and Nintendo 3DS games use a custom encryption system and a custom SHA1 integrity hash. It concerns the following games and DLCs:
- Monster Hunter Freedom Unite (ULUS10391/ULES01213)
- Monster Hunter Portable 2nd G (ULJM05500)
- Monster Hunter Portable 3rd (ULJM05800)
- Quests - MH Freedom Unite (ULUS10391/ULES01213)
- Quests - MH Portable 2nd G (ULJM05500)
- Quests - MH Portable 3rd (ULJM05800)
https://github.com/bucanero/save-decrypters/tree/master/monsterhunter-decrypter
Blacklisted games[edit | edit source]
Here is the list of blocked exploits extracted from the blacklist of the PSP emulator of the PS Vita. See also the PS Vita dev wiki.
TODO
Electronic Arts Games[edit | edit source]
According to Jeerum (2010), every EA game on PSP gets a buffer overflow if you try hard enough: insert 1 kB or 2 kB into your profile name in the save data.
See https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games%3A_2000%E2%80%932009 and https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games:_2010%E2%80%932019 .
Before PS Vita era[edit | edit source]
Grand Theft Auto: Liberty City Stories UMD (and the Goofy exploit): PSP 2.00-3.03. Patched 3.30[edit | edit source]
Discovered by Edison Carter, Fanjita and n00bz in 2006.
There is a stack buffer overflow in the savedata processing of GTA LCS. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.
Sony quickly patched this vulnerability with a firmware update, and released a "new" version of the game that required to install the patched System Software. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP history that an exploited game got a UMD update.
Germany version:
- ULES00182 - Unpatched - Contains 2.00 System Software update.
Europe (UK/EU) version:
- ULES00151 first batch - Unpatched - Contains 2.00 System Software update.
- ULES00151 second batch - Patched - Contains 2.60 System Software update.
North America (US) version:
- ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.
- ULUS10041 - Patched - Contains UPDL 010050 on the UMD.
- ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.
The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.
Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.
This vulnerability got reused a second time by Noobz on 2007-01-25, in what was called the Goofy exploit, as it was discovered that Sony had incorrectly patched the vulnerability.
Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51[edit | edit source]
On 2007-06-23, Noobz, with the help of Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, when Archaemic was trying to feed random data to the game.
Gripshift by MaTiaZ: PSP <= 5.02?-5.03?. Patched 5.05[edit | edit source]
- released by MaTiaZ on 2009-01-01.
There is a buffer overflow vulnerability in the player’s name, by editing the game’s save data.
https://web.archive.org/web/20090121190410/https://lan.st/showthread.php?t=1867
Medal Of Honor Heroes by kgsws: PSP <=?5.51?[edit | edit source]
- first version (requires connection between 2 PSPs) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-06
- second version (does not require online) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-09
- Medal Of Honor Heroes 2 is maybe affected too.
https://www.youtube.com/watch?v=VqTjvtfCnXc
https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/
https://www.brewology.com/downloads/download.php?id=9900
https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit
https://forums.exophase.com/threads/new-psp-homebrew-medal-of-honor-heroes-exploit-v2.17461/
Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20?[edit | edit source]
https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/2010/03/29/way-to-keep-a-secret-malloxis/
Everybody's Golf and variants: PSP <=?6.31?[edit | edit source]
- Everybody's Golf Portable (みんなのGOLFポータブル, Minna no Gorufu Pōtaburu), known as Everybody's Golf in the PAL region and Hot Shots Golf: Open Tee in North America, is the first game of the series released for PlayStation Portable.
- Everybody's Golf Portable 2 (みんなのGOLF ポータブル2, Minna no Gorufu Pōtaburu Tsū), known as Everybody's Golf 2 in the PAL region (Australian version titled Everybody's Golf: Open Tee 2) and Hot Shots Golf: Open Tee 2 in North America, is the second game of the series released for PlayStation Portable.
- Everybody's Stress Buster and Hot Shots Shorties are maybe vulnerable.
- Discovered by J416DY on 2010-08.
- https://wololo.net/talk/viewtopic.php?f=3&t=51
Hot Shots Golf and variants[edit | edit source]
Hot Shots Golf, Hot Shots Golf 2, Hot Shots Golf - Non-Greatest Hits
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews.
https://wololo.net/talk/viewtopic.php?f=3&t=51
Minna no Golf and variants[edit | edit source]
Minna no Golf, Minna no Golf 2, Minna no Golf 2 - The Best
https://wololo.net/talk/viewtopic.php?f=3&t=51
Minna no sukkiri and variants by Jeerum: PSP <= ?6.35?[edit | edit source]
- Minna no sukkiri, Minna no sukkiri demo
- Discovered and exploited by Jeerum (2010-12-19). It had been found before Jeerum by at least Darxploit, Flyer, minomushi, some1. These people made the move of keeping this as secret as possible, and contacting mamosuke, j416, JJS, m0skit0, and wololo in order to discuss release plans.
https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/talk/viewtopic.php?t=1032
Carol Vorderman's Sudoku by Jeerum: probably not patched[edit | edit source]
- Discovered and exploited by Jeerum (2011-01-06).
- implementation by ChampionLeake (2019-04-22)
- The PS2 version of this game is also vulnerable.
During PS Vita era[edit | edit source]
Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: <= 1.61[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/
Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: <= 1.61. Patched 1.65[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/
Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: <= 1.67. Patched 1.69?0?, 2014-11-10[edit | edit source]
https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3
https://code.google.com/archive/p/valentine-hbl/source/default/source
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/
Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): <= 1.80. Patched 1.81[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/
Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: <= 1.81. Patched on 2.00[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/
Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: <= 1.81[edit | edit source]
https://wololo.net/talk/viewtopic.php?f=56&t=36217
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/
Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: <= 1.81. Patched 2.00[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/
UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: <= 2.02. Patched 2.05[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/
Dissidia Duodecim: <= 2.05[edit | edit source]
Apache Overkill by Tomtomdu80: <= 2.06[edit | edit source]
Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: <= 2.12[edit | edit source]
https://code.google.com/archive/p/valentine-hbl/source/default/source
Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: <= 2.60. Patched 2.61[edit | edit source]
https://code.google.com/archive/p/valentine-hbl/source/default/source
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/
"Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61[edit | edit source]
Pursuit Force and Pursuit Force - Extreme Justice: <= ?2.61?. Patched 3.00[edit | edit source]
According to the PS Vita blacklist, Pursuit Force games savedata vulnerabilities are exploitable on some PS Vita System Software versions < 3.00.
Pipe Madness by Frostegater: <= 2.61. Patched 3.00[edit | edit source]
Jewel Keepers: <= 2.61. Patched 3.00[edit | edit source]
Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: <= 2.61. Patched 3.00[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/
FieldRunners (NPEZ00098, NPUZ00014) by frostegater: <= 2.61. Patched 3.00[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/
Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: <= 3.00[edit | edit source]
https://wololo.net/talk/viewtopic.php?f=56&t=36217
Cubixx: <= 3.00. Patched 3.01[edit | edit source]
Ben 10 Alien Force: Vilgax Attacks: <= 3.01. Patched 3.10[edit | edit source]
King Of Pool by qwikrazor87: <= 3.01. Patched 3.10[edit | edit source]
This game was exploited 4 times and fixed 4 times.
Tiny Hawk (NPEZ00434) by qwikrazor87[edit | edit source]
Not exploited.
101-in-1 Megamix by xerpi: <= 3.01. Patched 3.10[edit | edit source]
Fifa 2011, Fifa 2012: <= 3.01. Patched 3.10[edit | edit source]
Persona 2: Innocent Sin, Persona 2: Tsumi: <= 3.01. Patched 3.10[edit | edit source]
Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: <= 3.01. Patched 3.10[edit | edit source]
"Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 3.12[edit | edit source]
MyStylist: <= 3.15[edit | edit source]
Skate Park City: <= 3.15. Patched 3.18[edit | edit source]
Space Invaders Extreme: <= 3.18[edit | edit source]
Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: <= 3.18[edit | edit source]
https://code.google.com/archive/p/valentine-hbl/source/default/source
Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18[edit | edit source]
Discovered in 2010 by anonymous and around 2014-09-12 by qwikrazor87.
It is fairly easy to get this exploit to work as it is a buffer overflow in the player's name.
The savedata in Gladiator Begins Demo only work on the PSP that created them.
https://wololo.net/talk/viewtopic.php?t=39771
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/
Vertigo (NPUH10092) by qwikrazor87: <= 3.18[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/
Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: <= 3.18[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/
Patapon: <= 3.18[edit | edit source]
Talkman Travel: Tokyo: <= 3.18[edit | edit source]
Go! Sudoku (UCES00152): <= 3.30[edit | edit source]
https://code.google.com/archive/p/valentine-hbl/source/default/source
Arcade Darts: <= 3.36[edit | edit source]
Patapon 2 non-demo (UCES01177): <= 3.36[edit | edit source]
https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/
https://github.com/TheOct0/patapon_exploit
https://github.com/wololo-learning-journey/patapon_exploit
https://code.google.com/archive/p/valentine-hbl/source/default/source
https://wololo.net/talk/viewtopic.php?f=53&t=41343
Numblast: <= 3.36[edit | edit source]
Hot Brain: <= 3.36[edit | edit source]
Hatsune Miku: Project DIVA extend: <= 3.36[edit | edit source]
https://code.google.com/archive/p/valentine-hbl/source/default/source
Ape Escape: On the Loose: <= 3.50. Patched 3.51[edit | edit source]
There is a classical buffer overflow exploit in the player's name. This exploit was found in parallel be several people in 2010. This game is really easy to exploit (see the tutorial).
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews.
"Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51[edit | edit source]
https://code.google.com/archive/p/valentine-hbl/source/default/source
Puzzle Scape: <= 3.52[edit | edit source]
World of Pool, Pool Hall Pro: <= 3.52[edit | edit source]
Metal Gear Solid Portable OPS+ by 173210: <= 3.57[edit | edit source]
https://github.com/173210/psp_exploits/
Mega Man Powered Up or Rockman Rockman: <= ?[edit | edit source]
- Disclosed by 173210 on 2015-09-05.
- https://gist.github.com/173210/d086cf9074c714c1b737
- https://gist.github.com/173210/90103a9547381ce380ab
- https://gist.github.com/173210/e8f8119534f1fc87a89d
After PS Vita era[edit | edit source]
ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17[edit | edit source]
https://github.com/ChampionLeake/scrabblehax
Remarks[edit | edit source]
PSP demo are usually not exploitable because do not use the savedata feature. Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.
https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/
http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/
https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/
PS1 Game Savedata[edit | edit source]
Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack[edit | edit source]
Discovered around 2014-04-08 by qwikrazor87 and vonjack.
Maybe not exploitable.
Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack[edit | edit source]
Discovered around 2014-04-21 by qwikrazor87 and vonjack.
Maybe not exploitable.
Noon (NPJJ00466) by qwikrazor87 and vonjack[edit | edit source]
Discovered around 2014-04-19 by qwikrazor87 and vonjack.
Maybe not exploitable.
Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87[edit | edit source]
Discovered around 2015-09-28 by qwikrazor87.
Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.
Tekken 2 by qwikrazor87 and Acid_snake[edit | edit source]
Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.
https://wololo.net/downloads/index.php/download/8275
https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html
Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack[edit | edit source]
Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. Released on 2015-03-12 in TN-X by Total_Noob.
https://wololo.net/downloads/index.php/download/8275
https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html
Castlevania Chronicles (NPUJ01384) by ChampionLeake[edit | edit source]
https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities
https://github.com/socram8888/tonyhax/issues/39
https://alex-free.github.io/tonyhax-international/save-game-exploit.html
Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free?[edit | edit source]
Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.
https://alex-free.github.io/tonyhax-international/save-game-exploit.html
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/
Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free?[edit | edit source]
Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.
https://alex-free.github.io/tonyhax-international/save-game-exploit.html
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/
Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free?[edit | edit source]
https://alex-free.github.io/tonyhax-international/save-game-exploit.html
Exploitable PS1 games not available officially on PSP[edit | edit source]
Compare with the list of PS vulnerabilities on the PS1 dev wiki.
POPS[edit | edit source]
POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake[edit | edit source]
Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.
There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.
This vulnerability only affects PSP's PS1emu memory card manager, not PS1, PS2, PS3 or PS4' PS1emu memory card managers.
POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X)[edit | edit source]
Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.
Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later jalr
to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, that is loaded as a whole into RAM. VMC are plain text and there is no integrity check done to it at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) are interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.
On the PSP, if you save the game, then the address for the Memory Card you saved are stored in 0x09FFE550 which is in that range (0x09C00000 to 0x0A000000) and in 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there in some other address so no need to save the game. What we did was jump to the start of the memory card. One would normally guess that the header file for .vmc would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/
Unclassified usermode vulnerabilities[edit | edit source]
Puzzle Bobble[edit | edit source]
The Japanese version of Puzzle Bobble was compiled in debug mode, allowing hackers to retrieve some interesting information, such as function names, that were later on used in the scene’s PSP SDK. In 2005, this was one of the first steps to getting homebrews on the PSP.
https://forums.ps2dev.org/viewtopic.php?t=2081
PsOneLoader by TheFloW[edit | edit source]
https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/
System[edit | edit source]
libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05[edit | edit source]
Discovered in 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.
https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World
https://wololo.net/2009/04/13/eggsplanations/
https://www.youtube.com/watch?v=wV21QqQmX_o
libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20[edit | edit source]
Discovered in 2008-08. Released on 2009-03-15.
https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/
https://www.youtube.com/watch?v=RUJnXADjxsw
https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/
libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71[edit | edit source]
Discovered in 2006-09.
Implemented in Kriek eLoader and xLoader by Team N00bz.
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit
libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00[edit | edit source]
Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta.
The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute userode code.
Implemented in downgraders (like MPH downgrader from 2.00 to 1.50) and eLoader by Fanjita.
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit
[3] -> cjb
https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf
Unsigned System PRX allowed: PSP <= 6.20[edit | edit source]
Discovered in 2011 by kgsws.
When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than loading of a game. We can now sign our own vshmain and replace a step in the bootchain.
kgsws first demonstrated this bootchain injection back in 2011 and lead to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain which we cannot forge.
Fixed: since PSP System Software version 6.30.
Old System PRX allowed: PSP any version[edit | edit source]
Discovered around 2005.
It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.
Back to the SE/OE firmwares days, there was a 1.50 / 2.71 hybrid firmware.
Infinity 1 uses a built in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.
Infinity 2 uses a signed usermode system PRX.
https://github.com/DaveeFTW/Infinity
https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/
The same vulnerability is present at least partially in PS3 even on latest System Software version. It allows to downgrade the WebKit version to exploit it.
Fixed: no.
Fixed syscall numbers: PSP <= ?6.50?[edit | edit source]
On PSP System Software version below 6.60, you could guess the syscall number for any kernel export, allowing you to call any syscall without having the resolved stub readily available.
Fixed on PSP System Software version 6.60 or just before. On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore.
qwikTrick (or Perfect Syscalls) by qwikrazor87: PSP/PS Vita any version[edit | edit source]
Discovered by qwikrazor87 around 2013 but independently discovered by others before, probably in 2011. Released by Acid_snake on 2023-10-15.
On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore. Therefore hackers became restricted to the functions imported by the application they exploited. This led to limited kernel function access (less chances of triggering a kernel bug) and it also drastically reduced V/HBL compatibility.
If you load a utility module, which loads a prx in user space, you can have a background thread that changes the PRX's stubs table to whichever imports you want. It relies on a race condition so you have to run the code a few times until it works. Eventually you can resolve whatever kernel export even if the original game did not have it.
This exploit was very useful since most Minis games (main attack vector back in time) had limited imports. Team OILIX never released it because they wanted to keep it in case they came across a kernel exploit on some obscure function that not a lot of games import. Also because by then VHBL was already abandoned and everyone wanted eCFW (ARK, TN) instead so making VHBL have perfect syscalls for better compatibility was a waste for this hack. In hindsight it was a bad decision since Team OILIX never actually used the function because soon after was figured out how to craft PBOOT.PBP for PS Vita with any desired imports.
Kernel[edit | edit source]
UID planting Type Confusion kexploits by qwikrazor87 and TheFloW[edit | edit source]
Exploiting this bug is straightforward: 1) Plant a fake UID object into kernel. 2) Encode this UID object. 3) Delete the UID object.
Basically, what you can do with this primitive is overwriting a function pointer in kernel and make it pointing to some function in usermode instead. Then, we can invoke it and run our code in kernel mode.
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion
sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita <= 3.74[edit | edit source]
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c
It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.
sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita <= 3.50[edit | edit source]
Discovered around 2014-10-20 by qwikrazor87.
After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR’ing uid->uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective. As you’d have to plant 2^32 different UID object’s to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.
Stack Pointer UID plant kexploit by qwikrazor87: PS Vita <= ?3.50?[edit | edit source]
Discovered around 2014-01-29 by qwikrazor87.
The exploit steps are: 1) Execute assembly that does saves context. 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000. 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread. 4) Execute assembly that does something. 5) Free the evil UID 0x05FEF601 at using sceKernelFreePartitionMemory. 6) Execute assembly that restores context. 7) Call the hijacked function _sceKernelLibcTime.
sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita <= ?3.50?[edit | edit source]
Discovered around 2014-01-03 by qwikrazor87.
Call sceIoOpen many times to corrupt an UID then free the UID using sceKernelFreePartitionMemory.
sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita <= ?3.50?[edit | edit source]
Discovered around 2013-10-15 by qwikrazor87.
Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70[edit | edit source]
https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c
VPL kexploit by qwikrazor87 or Total_Noob: PS Vita <= 3.52[edit | edit source]
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]
_sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita <= 3.50[edit | edit source]
Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).
A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked.
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c
_sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20?[edit | edit source]
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.
Simply call _sceUsbGpsGetData(0x10000, sw_address);
where sw_address
is the address of the function to hijack, usually _sceKernelLibcTime.
_sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15?[edit | edit source]
Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.
In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel.
sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20?[edit | edit source]
Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.
sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= 3.36[edit | edit source]
Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.
The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode, _sceVideocodecSetMemory.
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c
_sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita <= 3.20[edit | edit source]
Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. Implemented in TN-X by Total_Noob around 2014-04-22.
There is a time-of-check to time-of-use exploit in chnnlsv.
https://twitter.com/qwikrazor87/status/510187344893607937
https://github.com/173210/TN-Rev/blob/master/loader/main.c
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c
_sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20?[edit | edit source]
Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.
There is a time-of-check to time-of-use exploit in chnnlsv.
__sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20?[edit | edit source]
Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.
_sceLoadCertFromFlash kexploit by by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita <= ?3.15?[edit | edit source]
Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.
https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c
sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita <= ?2.11?[edit | edit source]
Dicovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.
There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing a too long string as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.
https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/
11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita <= 2.02[edit | edit source]
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.
The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand the PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow back on PS Vita 1.81 SCE developpers went as far as fixing sceWlanGetEtherAddr without realising such vulnerabilities were plenty there, so the person who patched must have been someone else who did not believe such a fail could be. To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.
The 11 functions require an active WiFi connection.
Kernel write access:
sceWlanDrv_lib_354D5D6B(char *dest); // kwrite sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48); sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite
Kernel read access:
sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size); sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48
https://www.twitlonger.com/show/kr81e0
https://wololo.net/talk/viewtopic.php?f=56&t=27532&start=40#p233947
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c
https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/
kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita <= 2.01[edit | edit source]
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.
kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.
These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.
https://twitter.com/Yosh778/status/295355524818546688
https://www.twitlonger.com/show/kr81e0
sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80[edit | edit source]
Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.
In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software <= 1.80 PSPemu it is not.
Because of lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita kermit_wlan.prx module, not PSP wlan.prx.
sceWlanGetEtherAddr does not require an active WiFi connection.
Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.
https://wololo.net/talk/viewtopic.php?f=23&t=12760
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c
sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP <= 6.61[edit | edit source]
Discovered in 2009 by davee. Released on 2022-11-03 by davee.
PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a 64-bit comparison, returning different values for a0 < a1, a0 == a1, and a0 > a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.
This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.
TBD: implementation by CelesteBlue
sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP <= 6.61[edit | edit source]
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c
PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 <= a1 and a0 > a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.
TBD: implementation by CelesteBlue
sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP <= 6.61[edit | edit source]
https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c
https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp
https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c
sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61[edit | edit source]
Discovered by some1 then exploited by liquidzigong.
https://wololo.net/talk/viewtopic.php?t=6612
https://wololo.net/2011/05/23/6-38-downgrader-by-some1/
https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c
https://github.com/smiky/psptools/blob/master/kxploit/main.c
https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/
sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35[edit | edit source]
https://lolhax.org/2010/12/23/arcanum/
https://wololo.net/talk/viewtopic.php?f=5&t=947
https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c
https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/
sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20[edit | edit source]
https://wololo.net/talk/viewtopic.php?p=147730#p147730
https://wololo.net/talk/viewtopic.php?p=147732#p147732
GEN/M33 contested Wlan kexploit: PSP <= 5.50[edit | edit source]
Davee does not remember much about this kexploit. GEN 5.50 source code is not public so decompilation is required in order to potentially find this exploit.
https://wololo.net/talk/viewtopic.php?p=147642#p147642
sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP <= 5.03[edit | edit source]
By the lack of k1 checks, sceDRMInstallGetFileInfo allows to memset anywhere in kernel memory.
https://wololo.net/talk/viewtopic.php?p=2022
https://wololo.net/talk/viewtopic.php?p=2022#p2022
https://wololo.net/talk/viewtopic.php?f=5&t=242
http://www.kingx.de/forum/showthread.php?tid=15275
https://github.com/DaveeFTW/ChickHEN/blob/main/Launcher/main.c
This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after.
This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why WhickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.
Registry error store: PSP <= ?2.80?[edit | edit source]
According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user controlled address. Exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.
https://wololo.net/talk/viewtopic.php?p=147642#p147642
Registry write access from usermode: PSP <= 2.60[edit | edit source]
Since the registry is placed on flash1, it can be accessed by usermode.
sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60[edit | edit source]
There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character ":" in that path, and calculates the length of the drive name from that (e.g. "ms0:"). It then copies the drive name onto the stack with strncpy.
The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like "sceKernelLoadExec") is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from 44th to 47th bytes). It starts by checking the first char of the string to see if it is an empty drive name, if it is not the routine extracts the part of the filename that contain the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by user is big enough, then it will overwrite the rest of the stack based values, like the return address for example. Hence why a drive name of 48 chars (+ an extra ':' char to let the loop ends) containing an address to an arbitrary position in memory (pointing to a function of ours for example) located from the 44th to 47th chars in the filename will allow us to run any code we want in the context of the executing routine (kernel mode) as when it ends, it reloads the return address from the stack and directly jumps to it.
In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. Look at sub_21E0 in 6.60 loadexec_01g.prx.
https://forums.ps2dev.org/viewtopic.php?t=6091
https://www.hitchhikr.net/Exploit_2.6.zip
reused index.dat key: PSP 2.00, 2.01[edit | edit source]
swaptrick/kxploit: PSP <= 1.50[edit | edit source]
This exploit involved either swapping memory stick after loading a valid ELF with one that contained an unsigned one or using the path hack.
kernel flagged ELF: PSP <= 1.00[edit | edit source]
Remarks[edit | edit source]
https://www.pspx.ru/forum/showthread.php?t=97295
IPL[edit | edit source]
Giraffe bug[edit | edit source]
Discovered in 2016 by davee.
There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32 bit size/offset field (lets call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. This inconsistency leads to the loading of an unencrypted PRX.
https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/
Fixed: since PSP System Software version 6.35.
iplloader[edit | edit source]
NMI Backdoor[edit | edit source]
Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04
Introduced: Tachyon 0x00140000 bootrom
Fixed: Never
Applicable to: None
Vulnerable: iplloader (all PSP bootrom versions, 0.7.0 and newer PSP DevKit Kbooti versions, PS Vita's PSP emulator bootrom)
The iplloader bootrom (present within Tachyon's IC package) as well as iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9
If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.
Below are the relevant pieces of code:
ROM:BFC00004 lw $v0, 0xBC100000 # store 0xBC100000 to $v0 ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064
ROM:BFC00064 cfc0 $v0, $9 # store coprocessor $9 to $v0 ROM:BFC00068 beqz $v0, loc_BFC00078 $ # if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078 ROM:BFC0006C nop ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)
This backdoor may allow an attacker performing a hardware based attack to set those values and gain iplloader time code execution.
Arbitrary IPL Load Address[edit | edit source]
Found by: C+D/Prometheus - Earliest discovery: 2007-04-04
Introduced: Tachyon 0x00140000 bootrom
Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the the decrypted IPL block that is cached at 0xBFC00000.
Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.
iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations.
Arbitrary IPL Entrypoint Address[edit | edit source]
Found by: C+D/Prometheus - Earliest discovery: 2007-04-04
Introduced: Tachyon 0x00140000 bootrom
Applicable to: IPL time code execution on 01g and 02g, used in Pandora
Fixed: iplloader 2.6.0
iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.
Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.
https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/
No minimum IPL block size[edit | edit source]
Found by: C+D/Prometheus - Earliest discovery: 2007-04-04
Introduced: Tachyon 0x00140000 bootrom
Applicable to: Pandora hack.
Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.
iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block.
https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/
iplloader assumes a block with the checksum 0 is the first IPL block[edit | edit source]
Found by: C+D/Prometheus - Earliest discovery: 2006 Q4
Introduced: Tachyon 0x00140000 bootrom
Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.
Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself.
This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump iplloader.
iplloader do not perform the XOR step when running in Jig/Service mode[edit | edit source]
Found by: Mathieulh - Earliest discovery: 2019 Q1
Introduced: iplloader 3.5.0
Applicable to: Code execution on 3.5.0 iplloader without previous knowledge of the XOR key.
Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool
This is not so much a vulnerability as a poor design implementation.
To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions.
This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.
iplloader clears the XOR key after doing a cache sync during normal execution[edit | edit source]
Found by: Proxima - Earliest discovery: 2020-01-27
Introduced: iplloader 3.5.0
Applicable to: Dumping the iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability
Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool
3.5.0 iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C.
In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000.
While it may be possible that Tachyon 0x00600000 and later iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000)
Faulty ECDSA Hash Comparison[edit | edit source]
Found by: Davee - Earliest discovery: 2021-02-12
Introduced: Tachyon 0x00600000 bootrom
Applicable to: IPL code execution.
Fixed: never
Starting with Tachyon 0x00600000, iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature.
This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.
NOTE: For this to work, the block checksum of the inserted blocks has to be "forged" so that it matches the one of the previous block checksum
General writeups[edit | edit source]
https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/
https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/
https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit
https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP