Eggsplanations

I get lots of questions by email about the Hello World released by Matiaz yesterday, so I’ll try to answer them here.

1. What?

What is this about?

Yesterday, Matiaz (known for the Gripshift exploit) released a proof of concept “Hello world” file for an exploit on all PSPs up to firmware 5.03 (and probably 5.05 too, actually…). This file is a tiff file. Put it in your PHOTO folder, together with the correct “h.bin” file in the root of your memory stick; viewing the file will then randomly (1 out of ~20 times) display a “hello world” message.

Woot, CFW on my PSP3000 then?

Not so fast. The current “Hello world” only works on Phat PSPs.

What, only Phats? Then this sh#t is useless?

Again, not so fast. The “Hello World” only works on Phat PSPs right now, but the exploit exists on all PSPs. The difference lies in how Slim & Lite PSPs manage the RAM. It’s only a matter of time (a few days?) before the equivalent is done on PSP2000 and PSP3000 models.

So, er…woot, I guess, CFW on my 3000?

Sorry, not so fast again. It’s been said several times that CFW on the new 3000 models is probably impossible to do.

So I guess I was right, it’s all useless?

No. This exploit is yet another User mode exploit. If used with a Kernel mode exploit, it could allow running a HEN (Homebrew ENabler) on the new PSP models. A HEN would in theory allow running homebrews, and probably ISOs as well. The good point about a HEN is that it stays in memory, and does not get wiped out if you put your PSP in sleep mode. So even if the exploit seems really random, once you have managed to run it, with a HEN you wouldn’t have to care about the exploit anymore, unless you hard-reboot your console (after a crash, for example…). After a hard reboot, you would have to run the exploit again.

So with a HEN, the randomness of this exploit doesn’t matter that much.

But for a HEN to come out, remember that we are waiting for a Kernel exploit that has yet to be found. Could it be the “bit of awesomeness” mentioned in Matiaz’s readme?

So what’s the difference with the Gripshift exploit then?

Well, not much: they both offer the same thing (a user mode exploit), with the following differences:

  • The Gripshift exploit requires an expensive game (tiff is free)
  • The Gripshift exploit only works up to 5.02 (tiff works up to 5.05)
  • The tiff eggsploit is very unstable (Gripshift works every time)

So the question is: do you have Gripshift? What firmware is your PSP?

Will Sony patch this?

Definitely. Wait for the next firmware update, it will come with a patch for this issue. Don’t upgrade if you want to play homebrews…

Oh, and keep looking for other exploits. It’s fun, and always useful. I sincerely believe this exploit wouldn’t exist if people hadn’t started this whole “let’s look for crashes” craziness recently :)

Yeah, I know, my post about vulnerabilities was inspirational, aw, please stop flattering me, it makes me blush :D

2. Who, When?

Although Matiaz truly did 99% of the work here, I believe it is important to name the people who worked on this. Several guys were involved in this, and it’s a bit sad to mention only one of them, even if the people who worked in parallel didn’t necessarily go as far as Matiaz did.

The initial file was posted with a link in a youtube video, and on my blog by a guy named malloxis. From where I stand, this initial file involved lots of luck ;)

This then started a little buzz on DAX’s forums, but went unnoticed in other places. Noob81 and myself quickly understood that the file was interesting, and started working on it. At some point we realized that we weren’t skilled enough to go further, and needed help. This is the time when we contacted Freeplay, Matiaz and Archaemic, who all looked into this vulnerability and confirmed it was exploitable. From then we all worked in parallel (I personally got help with Slims from MaxMouseDll), and it seems Matiaz (apparently with the help of Davee from the lan.st forums) reached the finish line first :)

I hope I don’t sound too bitter here, because I’m not really, I’m actually completely excited! But I guess hacking is all about fame, so even when it’s a tiny contribution, it’s fair to name the people who helped. Anyways, in the end we all get something useful out of this, so it’s cool :D

(I probably didn’t mention everyone actually involved in this, only the ones I know about)

3. How?

I don’t have all the technical details yet, but here is some information:

Is this related to the libtiff vulnerability you talked about earlier this year?

No. It’s a completely different vulnerability. Actually, my tests seemed to show that this is not a vulnerability in the tiff library, but rather a very Sony specific bug in the way they implemented the lib on the PSP (if you can test this to see if it crashes on a PS3 or an iPod, I’d be happy to know, by the way).

PSPLink DIY

Ok, so here is the initial file as modified by myself, to show the hacking possibilities offered by these files. Matiaz ended up not using this error but another one that proved more efficient, but this is the starting point for everything.

You can of course play with the proof of concept released by Matiaz too. After all, it’s only hex-editing and playing with PSPLink ;)

  1. amorphophallus

    Hi, this is such a great job, and so are they.
    Can I translate this into Japanese on my blog?

  2. wololo

    @amorphophallus: yes, go ahead, but please put a link to my blog too, thanks :)

  3. eric

    Excellent work. We are waiting…

  4. amorphophallus

    Yeah, I’ll make a trackback too, thanks.

  5. ltwp

    Hello,

    Just to add a comment on a question in the article:
    running a PS3 on 2.6x FW, the tiff file just opens and shows the picture; no crash to be seen.

  6. mamosuke

    Hi.
    Your article is very useful for PSP freaks.

    I translated your article into Japanese and published it on my blog with a link back to here. I am sorry for the delay in telling you about it.

    My blog is….
    When yyoossk, who found the Phantasy Star crash you know, posted about it on the dark-alex forum, I helped him as a translator.
    Here is a link to the forum. The website translated into Spanish in it is my blog.
    http://www.dark-alex.org/forum/viewtopic.php?f=7&t=10149&start=80

    I always visit your blog and enjoy reading it. Thanks.

  7. wololo

    Hey mamosuke, thanks. I actually know your blog, and I visit it regularly (as well as piccolo33/ringo’s blog) :)

  8. wololo

    @ltwp: thanks a lot for the info… too bad for ps3 owners, I guess…

  9. Roberto1

    Hey wololo, I was able to use PSPLink but I guess it doesn’t work. I’m not sure where I would post this so I put it here. So could you check the crashes for me posted in my old messages, if you can? Thank you wololo, or anyone who checks.

  10. shadow

    OK dude, I have some questions about how this works, because I don’t want to send another console to the garbage.

  11. smiky

    Hi wololo, could you tell us how to use PSPLink? I still don’t understand how to use it.
