POC: GripShift SaveGame Exploit Found; Works on PSP-3000!
greg | January 3, 2009
Every so often some claims are made and videos surface, most completely fabricated, but this time — we have the real deal. Discovered by MaTiAz and proven successful by both MaTiAz and FreePlay is a user-mode buffer overflow exploit. The vulnerability lies within the GripShift save game loading routine. Check it –
It’s a step in the right direction all right.
Let me quote MaTiAz –
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.
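The quoted layout (the $ra slot at file offset 0xA9, the payload at 0xCC, a ~25kB plaintext SDDATA.BIN) is enough to write a small triage check that tells a crafted save apart from an ordinary one without running anything. The script below is an added example and is not MaTiAz's, FreePlay's or Hellcat's code; it assumes the PSP user-RAM window 0x08800000-0x09FFFFFF (a public memory-map fact, not stated in the post), the little-endian byte order of the PSP's MIPS core, and two constructed sample files built inline, one benign and one mirroring the described layout with placeholder bytes instead of code:

```python
import struct

# Layout facts quoted from MaTiAz's post about the decrypted SDDATA.BIN save.
RA_OFFSET = 0xA9       # file offset of the 4 bytes that end up in $ra
CODE_OFFSET = 0xCC     # file offset where the payload starts
SAVE_SIZE = 25 * 1024  # "pretty big (25kB)"

# Assumption (not from the post): PSP user-mode RAM spans 0x08800000-0x09FFFFFF,
# so a return address that is of any use to a crafted save lands in this window.
USER_RAM_START = 0x08800000
USER_RAM_END = 0x0A000000


def read_u32le(buf: bytes, off: int) -> int:
    """Read a little-endian 32-bit word (the PSP's Allegrex MIPS core is little-endian)."""
    return struct.unpack_from("<I", buf, off)[0]


def looks_like_text(chunk: bytes) -> bool:
    """True if every byte is NUL or printable ASCII, i.e. plausible profile-name bytes."""
    return all(b == 0 or 0x20 <= b < 0x7F for b in chunk)


def inspect_save(buf: bytes) -> dict:
    """Report whether the $ra slot of a decrypted GripShift save holds a code address.

    A legitimate profile name leaves text or NUL padding at RA_OFFSET; a crafted
    save puts a word-aligned user-RAM pointer there and non-empty bytes at
    CODE_OFFSET. The function only reads the file; nothing in it is executed.
    """
    if len(buf) < CODE_OFFSET + 4:
        return {"verdict": "truncated", "ra": None, "in_user_ram": False,
                "aligned": False, "text_like": False, "payload_present": False}
    ra_bytes = buf[RA_OFFSET:RA_OFFSET + 4]
    ra = read_u32le(buf, RA_OFFSET)
    in_user_ram = USER_RAM_START <= ra < USER_RAM_END
    aligned = ra % 4 == 0                      # MIPS can only return to a word-aligned address
    text_like = looks_like_text(ra_bytes)
    payload_present = any(buf[CODE_OFFSET:CODE_OFFSET + 64])
    crafted = in_user_ram and aligned and not text_like
    return {
        "verdict": "crafted" if crafted else "clean",
        "ra": ra,
        "in_user_ram": in_user_ram,
        "aligned": aligned,
        "text_like": text_like,
        "payload_present": payload_present,
    }


def constructed_benign_save() -> bytes:
    """Constructed sample: an ordinary-looking save with a short profile name."""
    buf = bytearray(SAVE_SIZE)
    buf[0xA0:0xA0 + 7] = b"Player\0"   # placeholder name; the real field offset is not in the post
    return bytes(buf)


def constructed_crafted_save() -> bytes:
    """Constructed sample mirroring the layout the post describes (placeholder bytes, no code)."""
    buf = bytearray(SAVE_SIZE)
    buf[RA_OFFSET:RA_OFFSET + 4] = struct.pack("<I", 0x08E4CD50)  # address quoted in the post
    buf[CODE_OFFSET:CODE_OFFSET + 16] = b"\xEF\xBE\xAD\xDE" * 4     # marker bytes, not a payload
    return bytes(buf)


if __name__ == "__main__":
    for name, sample in (("benign", constructed_benign_save()),
                         ("crafted", constructed_crafted_save())):
        r = inspect_save(sample)
        ra = "-" if r["ra"] is None else f"0x{r['ra']:08X}"
        print(f"{name:8s} verdict={r['verdict']:9s} ra={ra} payload={r['payload_present']}")
```

Run it against a real SDDATA.BIN by reading the file into `inspect_save`; the only signal it relies on is the one MaTiAz describes (profile-name bytes that decode to an aligned user-RAM pointer), so a save that keeps text at 0xA9 reports clean even if it is otherwise unusual.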
Download:
GripShift SaveGame Exploit (POC)
(both MaTiAz and FreePlay’s included)
Savegame Deemer
(to decrypt and use the unencrypted GripShift savegame)
- source: lan.st
This is great news! Congrats to all!!!
pretty interesting. well done guys, lets see where this leads…..
intriguing…
*runs off to gamestop*
Wow, I posted this in the forum here, and I don’t even get any thanks or notice from you guys??
Come on.
Thanks Rebman, for sharing this info!
Yeah, Thanks a lot!!
We don’t read the forum that much.
very interesting news!
The scene hasn’t been resurrected by a gamesave exploit in quite a while. I’ll be following this…
Just brought a UK & US gripshift for $20 hoping for hack in very near future before the price rockets up ;)
Looking good keep the hard work up.
I see the sales of Grip Shift going through the roof. :)
Great find… Keep it up dudes.
Good job, i wonder what this will lead to. I wonder if its gonna be as popular as GTA:Lcs and Lumines on Ebay…lol
Wow, im excited now, this is like how to put the homebrew channel on your Wii, you get the wii game The Legend of Zelda: Twilight Princess and put the hack which is hidden as a saved Zelda Twilight Princess saved game, so when you try to play the disc you load up that saved game file and when it loads it it activates that hack. The same thing might happen here with the psp. (Sorry I know Wii has nothing to do with this site but yea anyway I wanted to show the similarities.)
Well If were doing that its like the Xbox with 007 or Mech Assault, that’s how I got XBMC installed as the Dash on mine and all my friends Xbox’s.
original xboxs are so awesome
Yea, Fyi, the original Xbox did a very similar thing as the Wii, and the PSP used to have an exploit in a game too, it was in GTA:LCS, homebrew could be run from it, then later on custom firmware was introduced, and then there was a homebrew to upgrade to a custom firmware through gta:lcs. Lumines was another game for psp, that did downgrading. It is like the Wii
holy shi- *runs off to buy twilight*
——————-
cool, 3000 will be hacked soon
FUK YEA
GETTING CLOSER TO HACKIN THE PSP-3000
Fuck yeah
Fuck Yeah!!!
Yeah Fuck!!!
Fuck? Yeah.
Fuck Yeah!!!
(So Many Fuck Yeahs!!)
“…It was tested on 4.01M33-2 with US version of GripShift…”
he said it worked on M33. has anyone tried on the official firmware?
umm yes, as its being tested on a psp-3000 in the video…
rofl lainlives xD
Then it’s incorrect on the original post to say he tested it on a psp-3000 with custom firmware 4.01M33-2, it should say he tested it on a psp-3000 with official firmware.
Should I buy Gripshift?
If you have a 3000 and want any hope of hacking it soon, then yes. Id do it before Sony pulls it off the shelves and ebay sells it for at least $50 a pop.
@_@ the description has too many tech terms….
sooo anyone have a hacked CFW psp 3000 they can sell me? cause i dont want to go thru the trouble of buying gripshift and then find out i did something wrong and bricked a 3000. should i just wait for the 4000? cause all the 3000 is a 2000 wit anti glare screen. and will they ever fix the lines on the screen?
Its prob the psp screen that is causing the line. but idk if fixed, 3000 aint hacked yet… and 3000 has built in mic.
Looking forward to it….ill keep my 3000 virgin though….always good to have a 2nd psp….the fix the lines issue is overblown….ive had 3 psps…and the 3000 is the best BY FAR looking screen sony has ever put into the psp….great work guys…!!
YES so close for psp3000 now we have an exploit and now hopefully dax will decrypt the new screencode on psp3000 and it’ll be like when we used gta on psp1000
DAX HAS been workin on it nd we might get da news within 2 dayz dat diz exploit colud take us to cfw path or not…..he haz started workin on it……
Alright a break through!!!!!!!!!
I don’t get it!!
did the psp 3000 got hacked and CFW works on it now?
no it just has this exploit THIS ONE ONLY it does not have cfw it states it was tested on a cfw psp (1000 or 2000)
Someone just has found a hole in the savegame file to where it is possible to write code on it. Its not a guarantee but very possible to hack it or at least make eboot loaders to load homebrew. Back in the day this is what we did, and there were homebrew apps that ran ISO’s too.
“back to the days” seems to be where we need to search for answers :)
Back in the days is cool, now we have Pandora, and a shit load of ppl is hacking it easily… its still cool though i guess. It seemed more exciting back then. With the firmware emulators and firmware spoofs, battery icon is customizable… Emulators were available n in much development. Now everything kinda died, n psp iso is what most ppl do on it.
^my question exactly^
well they said they could get he keys to make the Pandora work if they found another way to exploit a 3000 and looks like they just did.
That’s right. So let’s just see what happens instead of desperately trying to buy a mediocre game.
But will this exploit be enough, or do they need kernel access?
This is a bit like the Twighlight hack for the WII. Gets you in the back door and then you need something else to make it useful. :) Glad the PSP homebrew scene is so healthy. :D
You guys all rock…
This is also like the GTA: lcs and Lumines hack for the PSP…back in the days. Hope this works though.
This is just a user mode exploit though, unless they find a way to make it kernel (I’m sure they will eventually), then it’ll still be a long time before it’s hacked completely.
BACK IN THE DAYS LIKE ONLY 2 YEAR AGO LOL GOOD WORK
Now we wait DA to dump the pre ipl and game over for ta88v3. Don’t buy the game. Cuz if there will be a hack, it will be with pandora battery.
omg yes!!!!
just wait and see
true its userland but they can now start working on the new keys needed for a pandora to work again.they said it could be done if a gamesave hack or another way in was found.
i actually wont buy gripshift im gonna wait and see what pandora can do because pandora has bound to break that wall with the new motherboard plus pandora = awesome
yeah i just picked up 5 copies of gripshift looking for more
You are dumb, do you think you can sell them on ebay for 100’s? Seriously, GripShift is at every game store.
Those noobs like you gonna purchase all of the cheap copies of GripShift leaving the homebrew developers like DaX with expensive materials to work on. :(
hahaha, good point mate! xD
5 copies? Trying to merchant now…=P
Only thing about this, is that if the PSP-3000 bricks, there’s still no way to use Pandora…
Nice exploit, though
Well that’s part of the inherent risk you take. If I recall correctly I think there used to be a disclaimer before some firmwares were installed to say if it bricks don’t come crying.
they were only 7 bucks each at gamestop why not
I have a question, could it be possible to make a program that simply tells the psp to run another program that modifies the firmware or would you still need kernel mode for the psp to run the program that your program tells it to run?
,,,soon psp 3000 will hack!!!,,,
,,,another bad attempt to stop hacking,,