New PSP exploit found in GripShift, works on PSP-3000

xist · Jan 3, 2009

New PSP exploit found in GripShift, works on PSP-3000

QUOTE said:
Now this is how you start a new year! New exploit, old game! Damn, it's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three year old game, GripShift.

We'll leave the technical bits for later. Now, we'll have this video from FreePlay do the talking:

http://uk.youtube.com/watch?v=HAoZWymTySw&...g/49/aid/127658

Holy... mother... of... pearl... o_0

Now then, the details: MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

There are two versions of the exploit. The first which is the raw form from MaTiAz, the other one (v2), is a version encrypted by FreePlay. It's also been confirmed that it works all the way up to the recent CFW 5.02 GEN-A.

We're getting there, people! Just a bit more... Hope springs eternal, folks!

Thanks to Sbrillo1 for the tip!

Before everyone rushes out to buy a copy of Gripshift however FreePlay notes -

QUOTEWhile there's a European save included, this was mainly for testing purposes. There are significant differences between the two versions (not the least being that Ubisoft was involved in the European one).

At the moment, *this code only works with the USA version of the game.* I'm pretty sure the exploit is in the European one, too, but haven't dealt with that yet.

Sony will probably patch this in newer firmwares as was the case in the past but for now hope springs eternal!

Doomsday Forte · Jan 3, 2009

Hot damn. And this is an old game so it's unlikely they'll release a "fixed" version of it too...

Funny how game exploits have affected the PSPs through and through (Lumines, GTAVCS, and now Gripshift). =P

need4speed · Jan 3, 2009

Now thats really Intresting Indeed as I got a psp 3000. If It does work for the EU version of the game then I will get this game and then hack my psp 3000

Thanks for the Information.

RupeeClock · Jan 3, 2009

Doomsday Forte said:
Hot damn. And this is an old game so it's unlikely they'll release a "fixed" version of it too...

Funny how game exploits have affected the PSPs through and through (Lumines, GTAVCS, and now Gripshift). =P

The exploits of using the same internal memory for save files, eh?

Wasn't there an old, web browser exploit in Wipeout?

raulpica · Jan 3, 2009

Good news. I hope this kinda leads to a CFW on the 3000.

ackers · Jan 3, 2009

Haha GripShift? I really like that game as well!

kobykaan · Jan 3, 2009

No point getting excited about this until someone manages to actually get the EXPLOIT to ACTUALLY install CFW!

Doomsday Forte · Jan 3, 2009

kobykaan said:
No point getting excited about this until someone manages to actually get the EXPLOIT to ACTUALLY install CFW!

Well, no, no need to bust out the champagne and all, but it's something right now. Unlike the Datel Blue Battery thing, at least this has something in terms of promise out there.

But yes, I will say it is too early to celebrate now. It's a foothold at the least.

leonheart_a · Jan 3, 2009

RupeeClock said:
Doomsday Forte said:

Hot damn. And this is an old game so it's unlikely they'll release a "fixed" version of it too...

Funny how game exploits have affected the PSPs through and through (Lumines, GTAVCS, and now Gripshift). =P

Click to expand...

The exploits of using the same internal memory for save files, eh?

Wasn't there an old, web browser exploit in Wipeout?

Yeah there was, one of the first browsers if i remember. The game Fired Up also had one to

Blfdgfdghd · Jan 5, 2009

so what do i need to buy cuz i google it and it shows me a game

Blfdgfdghd · Jan 5, 2009

kobykaan said:
No point getting excited about this until someone manages to actually get the EXPLOIT to ACTUALLY install CFW!

http://www.youtube.com/watch?v=HAoZWymTySw...feature=related

WildWon · Jan 5, 2009

cinnamonxv said:
kobykaan said:

No point getting excited about this until someone manages to actually get the EXPLOIT to ACTUALLY install CFW!

Click to expand...

http://www.youtube.com/watch?v=HAoZWymTySw...feature=related

Yes, that is definitely a youtube video showing what was described in the top post... but that is NOT custom firmware

Also, please don't double post. Just edit...

kobykaan · Jan 5, 2009

so far they have a HELLO WORLD demo and a partially working SPARTA SDK .. so NOTHING EXCITING that's it ... no CFW!

sconethief · Jan 6, 2009

full article of what kobykaan said

Sparta exploit update
Back at it… MaTiAz & FreePlay have released a “Hello World” demonstration, as well as the SDK used to build said homebrew demo, for the newly discovered GripShift vulnerability.

QUOTE said:
Now coined the Sparta exploit, here’s what you should know: for the moment, you cannot downgrade or install a custom firmware with this, you may only enjoy Sparta-compiled homebrew and hope Sparta later leads to kernel mode access.

And finally, another video for your viewing pleasure –

FAQ
---
Q: Will this allow downgrading?
A: No, because this is an usermode exploit and functions required to downgrade are only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay's GS SDK: http://tinyurl.com/sparta-sdk. It has some constraints though, check the readme. The Hello World was written with it.

raulpica · Jan 6, 2009

Only usermode access. No CFW on 3000, then :/

NeSchn · Jan 6, 2009

Not bad not bad. I kind of always wanted a PSP to hack and play around with.

New PSP exploit found in GripShift, works on PSP-3000

ΚΑΤΑ ΤΟΝ ΔΑΙΜΟΝΑ ΕΑΥΤΟΥ

Well-Known Member

Well-Known Member

Colors 3D Snivy!

With your drill, thrust to the sky!

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Banned!

Banned!

EXTERMINATE!

Well-Known Member

Well-Known Member

With your drill, thrust to the sky!

Swag.

Similar threads

Popular threads in this forum