PSP-3000 and TA-088v3 owners — it’s your time to shine… Or at least I hope it is… Yoshihiro and Team GEN have released their highly anticipated PSP Custom Firmware 5.03 GEN-B for all ChickHEN-enabled handhelds. It’s on you; I don’t have a PSP-3000 to test with… So whether your 5.03 GEN-B experience be a positive or negative one, I ask you leave it below.

Core features:

• Play games (UMD or backup) requiring firmware 5.50+, including 6.xx
• Play games that introduce their own cfw detection / protection
• Play PSOne games
• Access to the VSH and Recovery Console

Known bugs:

• MGS demo refuses to run
• The Recovery mode menu is “mixed”

Keep in mind: you need a PSP-3000 or PSP-2000 with the TA-088v3 board. Your PSP also needs to be running [official] firmware 5.03; this is required for ChickHEN.

Download:
ChickHEN R2
PSP Custom Firmware 5.03 GEN-A
PSP Custom Firmware 5.03 GEN-B

- source: pspgen

Trick or Treat? PSPGEN decided on “trick” and made a ghost of 5.03 GEN-B for ChickHEN and PSP-3000 owners. Scheduled for release today; however, the GEN team encountered a last minute bug and is now working to correct this. The bug –

This is not a problem with the CFW but a recovery bug. If you remember, the recovery of 5.03GEN-A already had a problem: all option lines were shuffled. The correction of this problem comes with another bug in some options like the “use version.txt” which doesn’t work anymore and prevents the launch of the MGS.

Ah well… Ya win some; ya lose some. Check back tomorrow for a possible evening release. Happy Halloween!

- source: pspgen

And another one! Xenogears and Becus25 steering clear of the drama train with Custom Firmware Enabler v3.20. Again, this enables custom firmware features on your 5.03 PSP-3000 or TA-088v3 equipped hand-held. Use it with Team Typhoon’s ChickHEN.

CFWEnabler v3.20 changes…

• Now you can use plugins that are not on seplugins folder.
• Now we use our own systemctrl, not GENyUS ones.
• Version is now 5.00M33-6.
• Native 5.03 Pops is now supported.
• MS Speed Patch available.
• Fixed bug that did not patch version.txt properly.
• Quick Start mode (Autostart if you don’t press R Trigger).

Download:
ChickHEN R2
CFWEnabler v3.20 for ChickHEN R2

- source: sceners

Update: CFWEnabler v3.10 is now out –

• Improved system flasher, it is now much safer.
• Improved uninstalling system, it is now much safer.
• Added Spanish language.
• Added Internet Update.
• Improved startup (now a little faster)
• The Eboot.pbp now occupies less.
• Fixed internal problems.

Topping off Sony’s recent 5.03 beat-down with a few more security-shattering blows is another Custom Firmware Enabler release from Xenogears and Becus25. CFWEnabler version 3.01 introduces PSP-3000 support; Enable most, if not all, features of CFW M33 on your PSP-3000. You’ll of course need ChickHEN R2 as well. Grab both below.

CFWEnabler 3.01 changes:

• PSP 3000 is now supported.
• Graphical interface improved.
• Network update option added (Server Needed).
• Official network update blocking option.
• New configuration options.
• Free UMD Region.
• Pic0/Pic1 Hide.
• version.txt.
• Registry Hacks.
• CPU overclocking.
• Solved several bugs.

Download:
ChickHEN R2
CFWEnabler v3.10 for ChickHEN R2

Thanks dc.

- source: sceners

Watch or skip through this unnecessarily long video of Homebrew Enabler, enabling both user and kernel mode homebrew on the PSP-3000 [EUR GripShift] –

Ok, so again… No release. Not yet anyway… The Google (French to English) translation reads something close to this –

This version of HEN-A (Homebrew Enabler) enables user and kernel mode homebrew, including those that emulate the UMD, better known as ISO loaders. Installing and using a custom firmware isn’t going to happen yet — you know, because of the pre-IPL business… And sadly, for the moment, the pspgen team isn’t going to release their work in hopes to prevent Sony from patching the exploit so quickly. With that said, the development team is looking for more loopholes before it’s made public.

Whether it’s pspgen or someone else, we’ll likely have something usable real soon. So find yourself a copy of the GripShift UMD and do not update should Sony spring a new firmware version upon us.

- source: pspgen

Back at it… MaTiAz & FreePlay have released a “Hello World” demonstration, as well as the SDK used to build said homebrew demo, for the newly discovered GripShift vulnerability.

Now coined the Sparta exploit, here’s what you should know: for the moment, you cannot downgrade or install a custom firmware with this, you may only enjoy Sparta-compiled homebrew and hope Sparta later leads to kernel mode access.

And finally, another video for your viewing pleasure –

FAQ
---
Q: Will this allow downgrading?
A: No, because this is an usermode exploit and functions required to downgrade are only available in kernel mode.

Q: Why the name?
A: Because the original exploit was found by overwriting the player name with "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".

Q: Can/Will Sony block this?
A: Yes.

Q: I wanna make homebrew using the exploit. How?
A: Get FreePlay's GS SDK: http://tinyurl.com/sparta-sdk. It has some constraints though, check the readme. The Hello World was written with it.

Download:
The Sparta SDK
Hello World (for the Sparta Exploit)

– source: lan.st

Every so often some claims are made and videos surface, most completely fabricated, but this time — we have the real deal. Discovered by MaTiAz and proven successful by both MaTiAz and FreePlay is a user-mode buffer overflow exploit. The vulnerability lies within the GripShift save game loading routine. Check it –

It’s a step in the right direction all right.

Let me quote MaTiAz –

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0×08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.

Download:

GripShift SaveGame Exploit (POC)
(both MaTiAz and FreePlay’s included)

Savegame Deemer
(to decrypt and use the unencrypted GripShift savegame)

- source: lan.st

So as suspected, that blue Datel battery, it’s a total sham… Well, sort of… When put into service mode on the PSP-3000 it’ll result in nothing but a flashing light and black screen; at least for those sporting a TA-088v3 motherboard. Someone still needs to bypass or hack the pre-IPL hash process. Over at sceners is an update confirming the battery’s falsifications, as well some clarification on hacking the 88v3 IPL –

…it’s confirmed that this over exalted battery will leave 3k at least like the 88v3, just with a flashing light, a black screen and nothing but that LED indicator, as we announced.

…

Now onto the 88v3 IPL. You might remember this post from where part of the signing (there were 2 functions missing) was hacked from Brokencodes; so being as partial as it is, it would be interesting now to say, after reading about it on all the PSP-related webpages, that is NOT conclusive or definitely, so please, be aware that a “hack” for this couple of mobos might need further and longer study.

Now, I shouldn’t say it’s a total fake… The battery functions as described on other hackable PSP models, i.e.) the PSP-2000.

- source/full article via sceners

Moving forward at Sony-sonic speed is Dark_AleX who has now successfully decrypted those modules specific to the PSP-3000.

Do note: this program is NOT for the PSP-3000 itself; it’s intended to run on the PSP Fat (1000) or Slim (2000). The decrypted modules are for research and educational purposes.

Download:
PSARDumper (w/ 5.01 support & PSP-3000 module decryption)
Official PSP Firmware Updates

- source: dark-alex

Hrm… Well, as far as I know, there’s no official confirmation from anyone just yet… But according to *cough* Datel, they’ve created what would seem to be a Pandora-like battery for both the PSP-2000 and the thought to be unhacked 3000 — alas, Datel’s Lite Blue Tool Service Mode Battery.

It’s said the battery will offer the ability to toggle between normal and service mode; as well, the Lite Blue Tool features a LED power gauge indicator for your convenience. Of course in service mode you’re given access to the PSP’s flash leaving the device fully hackable — downgrade, install a custom firmware, do whatever desired… Or so you’d think.

The Lite Blue Tool will be available November 28th retailing for $29.99 across North America and $19.99 in the UK.

Now the question is: speculation or realer than Real Deal Holyfield? I’d say it’s likely but we’ll know for sure in the coming days…

Quoting Datel — *cough* –

(more…)