PSP-Hacks.com


PSPgo Save Game (User Mode) Exploit

greg | October 3, 2009

What a lovely surprise to wake up to… No, not a stripper, I wish… I’m talking about FreePlay’s newest YouTube videos. YouTubers who are subscribed to FreePlay’s channel already know what they’re about to watch. Those who aren’t, well, have a gander at this:

And this one too… The PSP gets g0wned, accompanied by an awesome soundtrack.

FreePlay also mentions:

(Scratch some of that… You can read/write flash1)

No, it’s not going to lead to custom firmware, piracy, or a Pandora for the Go. It can’t write to flash0, and it even seems to be unable to overwrite the system settings, which was always unblocked before on the older systems. It’s user-mode only.

Regardless — it’s something all right. Perhaps we’ll see more GO ‘brew sooner rather than later. And as always, good lookin’ out FreePlay.

- source: FreePlay @ YouTube


PSP Firmware 5.55 Still Vulnerable to MOHH Exploit

greg | August 9, 2009

Potentially some good news… Let me take you back to July 8th when the Medal of Honor: Heroes exploit by kgsws was showcased. Well, firmware 5.55 — currently shipped with G.I. Joe The Rise of Cobra UMD and select other titles — remains vulnerable to said exploit. Check it out:

Download: MOHH Exploit v2

- source: plaza.rakuten.co.jp


Medal of Honor: Heroes Exploit; Works on PSP Firmware 5.51!

greg | July 8, 2009

I read about this a couple days ago and was awaiting more concrete evidence before posting, and well, here it is — the proof is in the pudding… Courtesy of kgsws — a [promising] Medal of Honor: Heroes user mode exploit for firmware 5.51 and prior.

The vulnerability stems from a classic “format string” overflow in the player’s name; details can be found in “info.txt”. Source code is also included.

Download: MOHH Exploit v2

- source: dcemu


PSP Firmware 5.50 Savegame Vulnerability Found; Exploit Released

greg | June 28, 2009

Perhaps this is the reason behind Sony issuing PSP Firmware Update 5.51… A German developer who goes by the name of Miche2245 has discovered a Save Game vulnerability in PSP Firmware 5.50. Currently the Japanese version of Monster Hunter Freedom 2 and the English version of Need for Speed: Underground work.

The exploit you may download below is for Monster Hunter 2. Once it has been executed by loading the save game, you can then use ChickHEN — the homebrew enabler — under PSP Firmware 5.50.

Props Miche2245. Nice work.

Download: FW 5.50 SaveGame (Monster Hunter Freedom 2) Exploit

- source: pspking.de


Firmware 5.03 TIFF Exploit: Now on Slim and Fat Models. And the PSP-3000?!

greg | April 15, 2009

Just a few days ago you read about this newly discovered TIFF exploit running on PSP-1000 (Fat) models with firmware 5.03. Today the same exploit is now functioning on the PSP-2000 (Slim), but sadly, still, MaTiAz mentions no PSP-3000 support… Or wait… What the… Could it be?!

What you just witnessed appears to be a PSP-3000 running firmware 5.02 that is indeed vulnerable to MaTiAz’s or some derivation of MaTiAz’s TIFF exploit. As always, stay tuned.

Download: “Hello World” Firmware 5.03 TIFF Exploit

- discussion thread -

- source: mformature


“Hello World” via TIFF Exploit on Firmware 5.03

greg | April 12, 2009

Ooo… What do we have here? –

Hello World for PSP firmware 5.03

The days of TIFF based exploits aren’t long gone, at least not yet. ;)
Here’s the third TIFF exploit for the PSP, enjoy.

Just copy the files to the memory stick root, disconnect USB and go to photo menu.
Don’t dismiss the exploit even if it doesn’t work on the first time, it’s *very* unstable.
You might get it working on the first time, but you might as well have to try it 20 times!

And now to get real technical –

The h.bin is loaded to 0x08800000, and the text address of paf.prx is passed in $a0 to the binary code. You can then trick out function imports, like for example sceDisplayWaitVblankStart:

sceDisplayWaitVblankStart = (void*)(paf_addr+0x15F068);

Note: this release only works on PSP-1000 (Fat) models; the Slim version is imminent. As well, MaTiAz mentions something else with a touch of awesome is coming up — just wait a few days. Now I suggest you (yes, even you PSP-3000 or TA-088v3 owners) hang tight should Sony issue a new firmware update in the meantime — let’s see where this exploit takes us first…

Download: “Hello World” Firmware 5.03 TIFF Exploit

- discussion thread -

- source: mformature


Gin & Exploits

greg | January 13, 2009

With so much drama in the PSP scene, it’s hard knowing who’s who and from what regime… But, somehow, someway, Dark_AleX sets the record straight like every single day… And today: a little background info concerning this bit of news — the GripShift kernel mode exploit video…

To quote Dark_AleX himself –

This is about how I trusted someone called “miriam” and I gave him a kernel exploit of C+D, which was found by joek (the ONLY ONE that deserves credit of that), just to play for HIMSELF, as it is being used to decrypt 3k modules, but the first thing he did was to show to others to get a bit of fame.

Now I realize not to trust anyone anymore, thanks.

So here we are today, stuck in user-mode land while completely HEN-less.


Homebrew Enabler on the PSP-3000: User & Kernel Mode (Video Only)

greg | January 13, 2009

Watch or skip through this unnecessarily long video of Homebrew Enabler, enabling both user and kernel mode homebrew on the PSP-3000 [EUR GripShift] –

Ok, so again… No release. Not yet anyway… The Google (French to English) translation reads something close to this –

This version of HEN-A (Homebrew Enabler) enables user and kernel mode homebrew, including those that emulate the UMD, better known as ISO loaders. Installing and using a custom firmware isn’t going to happen yet — you know, because of the pre-IPL business… And sadly, for the moment, the pspgen team isn’t going to release their work in hopes to prevent Sony from patching the exploit so quickly. With that said, the development team is looking for more loopholes before it’s made public.

Whether it’s pspgen or someone else, we’ll likely have something usable real soon. So find yourself a copy of the GripShift UMD and do not update should Sony spring a new firmware version upon us.

- source: pspgen


Team N00bz on The Sparta Exploit

greg | January 8, 2009

It is indeed exploit fever season, and the remedy — more N00bz! That’s right — the N00bz have combined forces with MaTiAz and FreePlay to help further expand on the recent “Sparta” (GripShift) exploit. The plan:

Our initial focus will be to make it easier to run standard homebrew via this exploit, by adapting eloader to it. This will be restricted purely to user-mode homebrew, since there is currently no public kernel-mode exploit that could be used here, and compatibility is likely to be patchy due to the security measures in the later firmwares which make determining all the syscalls almost impossible. Still, you can expect that at least some emulators and other popular pure user-mode homebrew will run.

So with that said, don’t get too excited for a downgrader solution yet. Should someone discover a method to bust kernel mode wide open, downgrading via Sparta could very well be possible.

- full article/source: noobz.eu


POC: GripShift SaveGame Exploit Found; Works on PSP-3000!

greg | January 3, 2009

Every so often some claims are made and videos surface, most completely fabricated, but this time — we have the real deal. Discovered by MaTiAz and proven successful by both MaTiAz and FreePlay is a user-mode buffer overflow exploit. The vulnerability lies within the GripShift save game loading routine. Check it –

It’s a step in the right direction all right.

Let me quote MaTiAz –

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.

Download:

GripShift SaveGame Exploit (POC)
(both MaTiAz and FreePlay’s included)

Savegame Deemer
(to decrypt and use the unencrypted GripShift savegame)

- source: lan.st
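As an added illustration of the bug class MaTiAz describes above (example code, not GripShift’s or MaTiAz’s): a profile name copied from the savegame into a fixed stack buffer with no bound, next to a bounded loader that rejects a name field with no terminator. The 32-byte buffer size and the name field sitting at the start of the file are assumptions; only the 25 kB file size comes from the quote.

```c
#include <stdint.h>
#include <string.h>

#define NAME_MAX  32            /* assumed on-stack buffer size, not GripShift's */
#define SAVE_SIZE (25 * 1024)   /* the 25 kB savegame MaTiAz mentions */

/* Vulnerable pattern ("before"): trusts the NUL terminator stored in the
 * file, so an unterminated name copies past name[] into the saved
 * registers and overwrites $ra. Shown for contrast only; never call it. */
void load_profile_unsafe(const uint8_t *save)
{
    char name[NAME_MAX];
    strcpy(name, (const char *)save);   /* no bound at all */
}

/* Hardened loader: the name must end inside the field and be printable
 * ASCII. Returns 1 and fills out[], or 0 and leaves out[] untouched. */
int load_profile_safe(const uint8_t *save, size_t save_len, char out[NAME_MAX])
{
    size_t n = 0;
    if (save_len < NAME_MAX)
        return 0;                       /* truncated file */
    while (n < NAME_MAX && save[n] != '\0') {
        if (save[n] < 0x20 || save[n] > 0x7e)
            return 0;                   /* raw bytes where text belongs */
        n++;
    }
    if (n == NAME_MAX)
        return 0;                       /* no terminator: overflow attempt */
    memcpy(out, save, n + 1);
    return 1;
}

/* Constructed inputs: a normal name, and a name field that is all 'A'
 * with no terminator, the shape the quoted PoC relies on. */
int demo_good(void)
{
    uint8_t save[SAVE_SIZE] = {0};
    char out[NAME_MAX];
    memcpy(save, "MaTiAz", 7);
    return load_profile_safe(save, SAVE_SIZE, out) && strcmp(out, "MaTiAz") == 0;
}

int demo_unterminated(void)
{
    uint8_t save[SAVE_SIZE];
    char out[NAME_MAX] = "untouched";
    memset(save, 'A', SAVE_SIZE);
    return !load_profile_safe(save, SAVE_SIZE, out) && !strcmp(out, "untouched");
}
```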

