PSP-Hacks.com


Hack your Sony PSP



 

PSPgo Save Game (User Mode) Exploit

greg | October 3, 2009

What a lovely surprise to wake up to… No, not a stripper, I wish… I’m talking about FreePlay’s newest YouTube videos. YouTubers who are subscribed to FreePlay’s channel already know what they’re about to watch. Those who aren’t, well, have a gander at this:

And this one too… The PSP gets g0wned, accompanied by an awesome soundtrack.

FreePlay also mentions:

(Scratch some of that… You can read/write flash1)

No, it’s not going to lead to custom firmware, piracy, or a Pandora for the Go. It can’t write to flash0, and it even seems to be unable to overwrite the system settings, which was always unblocked before on the older systems. It’s user-mode only.

Regardless — it’s something all right. Perhaps we’ll see more GO ‘brew sooner rather than later. And as always, good lookin’ out FreePlay.

- source: FreePlay @ YouTube

Comments (107)


Video: Counterbalancing Team Mack’s CFW Claim

greg | September 17, 2009

My man, FreePlay… I’ve been a Team Mack skeptic since the very beginning of their video-making shenanigans, and with good reason; for one, I’ve yet to see the new 6.00 theme colours in any of their videos. Factor that aside; FreePlay drops the devastation bomb on their nonsense by showcasing the finer differences between Sony’s official 6.00 system update and their RCO-crafted one.

Comments (112)


Team N00bz on The Sparta Exploit

greg | January 8, 2009

It is indeed exploit fever season, and the remedy — more N00bz! That’s right — the N00bz have combined forces with MaTiAz and FreePlay to help further expand on the recent “Sparta” (GripShift) exploit. The plan:

Our initial focus will be to make it easier to run standard homebrew via this exploit, by adapting eloader to it. This will be restricted purely to user-mode homebrew, since there is currently no public kernel-mode exploit that could be used here, and compatibility is likely to be patchy due to the security measures in the later firmwares which make determining all the syscalls almost impossible. Still, you can expect that at least some emulators and other popular pure user-mode homebrew will run.

So with that said, don’t get too excited for a downgrader solution yet. In the case of someone discovering a method to bust kernel mode wide open, then downgrading via Sparta could very well be possible.

- full article/source: noobz.eu

Comments (33)


The Sparta Exploit! “Hello World” and SDK Released

greg | January 4, 2009

Back at it… MaTiAz & FreePlay have released a “Hello World” demonstration, as well as the SDK used to build said homebrew demo, for the newly discovered GripShift vulnerability.

Now coined the Sparta exploit, here’s what you should know: for the moment, you cannot downgrade or install a custom firmware with this, you may only enjoy Sparta-compiled homebrew and hope Sparta later leads to kernel mode access.

And finally, another video for your viewing pleasure –

FAQ
---
Q: Will this allow downgrading?
A: No, because this is a usermode exploit and the functions required to downgrade are only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay's GS SDK: http://tinyurl.com/sparta-sdk. It has some constraints though, check the readme. The Hello World was written with it.

Download:
The Sparta SDK
Hello World (for the Sparta Exploit)

- source: lan.st

Comments (65)


POC: GripShift SaveGame Exploit Found; Works on PSP-3000!

greg | January 3, 2009

Every so often some claims are made and videos surface, most completely fabricated, but this time — we have the real deal. Discovered by MaTiAz and proven successful by both MaTiAz and FreePlay is a user-mode buffer overflow exploit. The vulnerability lies within the GripShift save game loading routine. Check it –

It’s a step in the right direction all right.

Let me quote MaTiAz –

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.
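The bug class MaTiAz describes above is a fixed-size name buffer filled from a length the save file itself supplies, so an over-long player name runs past the buffer into the saved return address. The following C is an added example, not MaTiAz's or FreePlay's code and not GripShift's real loader or SDDATA.BIN layout: the record format (a 2-byte little-endian name length followed by the name bytes) and the buffer size `PROFILE_NAME_MAX` are constructed assumptions. It places the unchecked copy beside a loader that validates the length against both the destination buffer and the bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical save record layout (constructed for this example, not the real
 * GripShift SDDATA.BIN format): a 2-byte little-endian name length, then that
 * many name bytes, not NUL-terminated. */
#define PROFILE_NAME_MAX 31

typedef struct {
    char name[PROFILE_NAME_MAX + 1];   /* fixed-size buffer, as in the bug class */
} profile_t;

/* The unsafe pattern: the length comes from the untrusted file and is never
 * compared with the destination size, so a long name spills past p->name into
 * whatever follows it (on a stack buffer, the saved return address). Shown for
 * contrast only; never call it on untrusted data. */
size_t load_profile_unsafe(profile_t *p, const uint8_t *data, size_t size)
{
    if (size < 2) return 0;
    size_t len = (size_t)data[0] | ((size_t)data[1] << 8);
    if (len > size - 2) return 0;
    memcpy(p->name, data + 2, len);          /* no bound on len */
    p->name[len] = '\0';
    return len;
}

/* Hardened loader: reject a name longer than the buffer, and reject a record
 * whose declared length exceeds the bytes actually present. Returns 1 on
 * success and 0 on any malformed input. */
int load_profile_safe(profile_t *p, const uint8_t *data, size_t size)
{
    if (size < 2) return 0;
    size_t len = (size_t)data[0] | ((size_t)data[1] << 8);
    if (len > PROFILE_NAME_MAX) return 0;    /* the check the unsafe version lacks */
    if (len > size - 2) return 0;            /* truncated record */
    memcpy(p->name, data + 2, len);
    p->name[len] = '\0';
    return 1;
}

/* Build a constructed record in buf; returns bytes written, 0 if it won't fit. */
size_t make_record(uint8_t *buf, size_t cap, const char *name)
{
    size_t len = strlen(name);
    if (len > 0xFFFF || cap < 2 + len) return 0;
    buf[0] = (uint8_t)(len & 0xFF);
    buf[1] = (uint8_t)(len >> 8);
    memcpy(buf + 2, name, len);
    return 2 + len;
}

/* A normal-length name loads and round-trips: returns 1 on success. */
int check_short_name(void)
{
    uint8_t rec[256];
    profile_t prof;
    size_t n = make_record(rec, sizeof rec, "greg");
    return n == 6 && load_profile_safe(&prof, rec, n) == 1
        && strcmp(prof.name, "greg") == 0;
}

/* A name longer than the buffer is refused by the hardened loader: returns
 * that loader's result, expected 0. */
int check_long_name(void)
{
    uint8_t rec[256];
    profile_t prof;
    size_t n = make_record(rec, sizeof rec,
        "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
    if (n <= 2 + PROFILE_NAME_MAX) return -1;  /* constructed input must be over-long */
    return load_profile_safe(&prof, rec, n);
}

/* A record that declares more bytes than it carries is refused: expected 0. */
int check_truncated_record(void)
{
    uint8_t rec[8];
    profile_t prof;
    size_t n = make_record(rec, sizeof rec, "abc");
    return n == 5 ? load_profile_safe(&prof, rec, 3) : -1;
}

int main(void)
{
    printf("short name ok: %d\n", check_short_name());
    printf("over-long name accepted: %d\n", check_long_name());
    printf("truncated record accepted: %d\n", check_truncated_record());
    return 0;
}
```

The only difference that matters is the single comparison of the file-supplied length against the destination size; the truncated-record check is the second bound a loader needs so that it never reads past the end of the data it was given.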

Download:

GripShift SaveGame Exploit (POC)
(both MaTiAz and FreePlay’s included)

Savegame Deemer
(to decrypt and use the unencrypted GripShift savegame)

- source: lan.st

Comments (63)


Beats Off v0.1 Released

greg | May 13, 2008

Still beatin’ off to the same ol’ thing? For all the Beats fans out there, why not switch it up with something new…

Now jam your own beats with the PSP game, “Beats.” JBrown has managed to successfully load and play custom compiled BJS files using his new cross-platform app, “Beats off.” The package includes the Windows, Linux, and Mac OS X versions.

Huh, say what? Read our previous coverage on JBrown’s progress.


And on another note…

…FreePlay and I have been desperately trying to figure out the unknown values found in the header of BAR files. From what it looks like, they’re related to the file name, as the manifests always have the same value, but the others change per the name of the folder. If we figure out how to encode our own names, it’ll be possible to add content to Beats as opposed to replacing it.

Instructions for use; see readme.txt. Also, I strongly encourage you visit the source link to enlighten yourself of the current limitations.

Download: Beats Off v0.1

- source: beatsoff.blogspot.com

Comments (18)


Hackin’ to tha Beat

greg | May 7, 2008

Despite all the VAG and BJS talk, this isn’t what you think… J Brown has been hard at work reverse engineering the PSP game, “Beats.”

The often-neglected “Jamming” mode is really what’s up… Once fully hacked — it’s at about 90% now — you’ll be left with quite the portable DJ app.


J Brown’s progress is nicely documented via the source link for those interested. It details the structure of the BJS format, VAG and BAR files, as well features FreePlay’s “unbeat” tool (Windows & Linux) for extracting said BAR files. That also compiles and works on my Mac. So, have fun beatin’ it up, reeeal good.

Download: FreePlay’s Unbeat

- source: beatsoff.blogspot.com

Comments (22)

