[PSP] Possibly good news for 2.00 users?

[Junglist]

Apparntly someones managed to get a buffer overflow on version 2.00 and looks promising to possibly lead to homebrew...

Taken from pspupdates

First Homebrew Code on 2.00

1. Set wallpaper to frame_buffer.png (without overflow.tif present
in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory, and open into the photo
viewer. Custom code to paint the screen! Or to write a homebrew
app! Not to run illegal games.


How It Works?

1. The PNG contains a small amount of code in a known, fixed place
(the VRAM). If to look closely at the wallpaper, sees small
coloured pixels in the right down. The pixels are Allegrex
opcodes, with the highest byte all zero for the ALPHA. These
pixels do:

syscall 0x20C7 ; sceKernelDcacheWritebackInvalidateAll
slt a0, zero, sp ; put 1 into a0
sll a0, a0, 6 ; put 64 into a0
addiu a0, sp, a0 ; get screen painter address over SP
jr a0 ; jump to the screen painter
nop ; branch delay slot

2. The TIFF contains also some code and a buffer to trigger the
known BitsPerSample overflow in libtiff in the photo viewer.
The buffer makes a jump to the VRAM which has the PNG colours
by overwriting the safed ra (return address) on the stack.
The VRAM code uses SP and calculates the address of the buffer
then runs it. Then it jumps there. The screen is yellow as
the colour was 0x12345678 in Hex.

[whatnow]

sounds intersting, would be good to see a hole for 2.0 users come from this.

I dont know if it will or not, I know nothing on overflows, but you would've though sony would cover their asses on image overflows and imbedded routines seeing as how they are common use in windows based trojans or simular 'expliots' on a pc.

[Junglist]

ill admit, i know nothing about it. But from what ive read essentialy all that does at the moment is change the screen colour but the point is that its run the code to change the screen and however basic that is hopefully those in the know can get to work using it. Fingers crossed anyway

[whatnow]

looks like it does some wierd things,something is being executed

[spankthemonk]

It doesnt just change the background colour, it actually crashes the psp by a buffer overflow. What they need to do next is point the overflow towards running homebrew, not easy but it is doable

[EnTiTy]

he he he let the real downgrading begin
i hope maybe 2.0 user's and 1.51 1.52 who upgrade to 2.00 may indeed now be able to revert to 1.50

[whatnow]

i really hope that they find a patch for 2.0

after playing with a UK PSP I do quite like what they did, albeit not much but it makes for a nicer os with backgrounds and a browser. I know u can have custom bg's and a wipeout browser (or the 2ch homebrew one) but it's not the same as the real thing.

going forward would be great, I just hope it's possible. Although if someone did manage to downgrade to a 1.5 I dont think many people would be complaining.

[whatnow]

The creator(s) of the 2.0 Buffer Overflow have spoken with me and have created a way to allow the execut1on of a binary file from the root directory of the memory stick. I was told that it will load binary files up to 64k from the memory stick, but won’t load un-encrypted elf files yet. The file named ‘h.bin’ must be placed in the root directory of ms0: for it to run. Here’s what was said in the readme: “

Pure binary loader.

* it's loaded at 0x08810000
* it's max 64 kb
* it's pure binary MIPS code
* you have to use syscalls and not NIDs
* it runs in user space!
* it's called h.bin (paint screen blue yay!) in the root of the MemoryStick

Set the frame_buffer.png as background like before and Place the new overflow.tif in the photos dir and the h.bin on the memory stick. It loads ms0:/h.bin

[Junglist]

Slowly getting there. Would be suprised if this wasnt all sorted before the weekend

[EnTiTy]

damn so they locked down loading elfs the pure mips asm shang?

[whatnow]

damn so they locked down loading elfs the pure mips asm shang?

so it seems.

but theoreticly if they can make a loader in mips assembly code then can't that then proceed to load either another eboot loader, shell or something simular to then do what we all wanna do?

I hope something good comes out of this

[EnTiTy]

so it seems.

but theoreticly if they can make a loader in mips assembly code then can't that then proceed to load either another eboot loader, shell or something simular to then do what we all wanna do?

I hope something good comes out of this

just loading humma k's apps will do

[whatnow]

yeah but that's well over 64k I assumed the image would need to load a preloader for all other homebrew.

edit: actually the first eboot is 43k for fastloader 0.7 but the second one requires for 1.5's is 159k so hopefully as this isn't required HK may be able to recode his fastloader/umd emu for 2.0 psps

would be sweet if any of what i'm saying is possible.

[dbd]

Possibly another alternative:

Rather than going straight for a loader, if someone we're to create a util that operates within this new exploits boundarys that then patches the PSP's firmware to remove Sony's protection [EDIT to allow homebrew to boot]. Easy said I know, technically possible I have no idea.

[whatnow]

I think someone wants to say hello

Spoiler:

Hello 2.0

[budge1972]

Can anyone confirm that 2.00 is cracked ?
seems pspupdates is down ..maybe because of this news
here,s hoping

[whatnow]

http://pspupdates.qj.net - new url for that site

a starfield animation app has been released. No doubt some real work is being done and something will come out shortly

[whatnow]

there's now a 2.0 firmware dumper doing the rounds, porobably legit but I only read about it from pspupdates

Still good news for psp owners :thumbs

[Da Mafia]

Well i've used it and it works fine, maybe there is some way to reverse the process using a 1.5 firmware dump

[Junglist]

Theres now supponsely a PLAYABLE pong game for version 2.00 :S
http://pspupdates.qj.net/2005/09/fir...-tif-pong.html


naturaly dont hold me responsible, but i tried this and it works :thumbs

Obviously not very helpfull playing pong vs yourself but shows good progress