I get lots of questions by email about the Hello World released by Matiaz yesterday, so I’ll try to answer these questions.
What is this about?
Yesterday, Matiaz (known for the Gripshift exploit) released a proof of concept “Hello world” file for an exploit on all PSPs up to firmware 5.03 (and probably 5.05 too, actually…). This file is a TIFF file. If you put it in your PHOTO folder, put the correct “h.bin” file in the root of your memory stick, and then view the file, it will randomly (1 out of ~20 times) display a “hello world” message.
Woot, CFW on my PSP3000 then?
Not so fast. The current “Hello world” only works on Phat PSPs.
What, only Phats? Then this sh#t is useless?
Again, not so fast. The “Hello World” only works on Phat PSPs right now, but the exploit exists on all PSPs. The difference lies in how Slim and Lite PSPs manage the RAM. It’s only a matter of time (a few days?) before the equivalent is done on PSP2000 and PSP3000 models.
So, er…woot, I guess, CFW on my 3000?
Sorry, not so fast again. It’s been said several times that CFW on the new 3000 models is probably impossible to do.
So I guess I was right, it’s all useless?
No. This exploit is yet another User mode exploit. If used with a Kernel mode exploit, it could allow running a HEN (Homebrew ENabler) on the new PSP models. A HEN would in theory allow running homebrews, and probably ISOs as well. The good point about a HEN is that it stays in memory, and does not get wiped out if you put your PSP in sleep mode. So even if the exploit seems really random, if you managed to run it once, with a HEN you wouldn’t have to care about the exploit anymore, unless you hard-reboot your console (after a crash, for example…). After a hard reboot, you would have to run the exploit again.
So with a HEN, the randomness of this exploit doesn’t matter that much.
But for a HEN to come out, remember that we are waiting for a – yet to be found – Kernel exploit. Could it be the “bit of awesomness” mentioned in Matiaz’s readme?
So what’s the difference with the Gripshift exploit then?
Well, not so much, they both offer the same thing (a user mode exploit), with the following differences:
- The Gripshift exploit requires an expensive game (tiff is free)
- The Gripshift exploit only works up to 5.02 (tiff works up to 5.05)
- The tiff eggsploit is very unstable (Gripshift works every time)
So the question is: do you have Gripshift? What firmware is your PSP?
Will Sony patch this?
Definitely. Wait for the next firmware update, it will come with a patch for this issue. Don’t upgrade if you want to play homebrews…
Oh, and keep looking for other exploits. It’s fun, and always useful. I sincerely believe this exploit wouldn’t exist if people hadn’t started this whole “let’s look for crashes” craziness recently.
Yeah, I know, my post about vulnerabilities was inspirational, aw, please stop flattering me, it makes me blush.
Who, When?
Although Matiaz truly did 99% of the work here, I believe it is important to name the people who worked on this. Several guys were involved in this, and it’s a bit sad to mention only one of them, even if the people who worked in parallel didn’t necessarily go as far as Matiaz did.
The initial file was posted with a link in a YouTube video, and on my blog by a guy named malloxis. From where I stand, this initial file involved lots of luck.
This then started a little buzz on DAX’s forums, but went unnoticed in other places. Noob81 and myself quickly understood that the file was interesting, and started working on it. At some point we realized that we weren’t skilled enough to go further, and needed help. This is the time when we contacted Freeplay, Matiaz and Archaemic, who all looked into this vulnerability and confirmed it was exploitable. From then on we all worked in parallel (I personally got help with Slims from MaxMouseDll), and it seems Matiaz (apparently with the help of Davee from the lan.st forums) reached the finish line first.
I hope I don’t sound too bitter here, because I’m not really, I’m actually completely excited! But I guess hacking is all about fame, so even when it’s a tiny contribution, it’s fair to name the people who helped. Anyways in the end we all get something useful out of this, so it’s cool.
(I probably didn’t mention everyone actually involved in this, only the ones I know about)
I don’t have all the technical details yet, but here is some information:
Is this related to the libtiff vulnerability you talked about earlier this year?
No. It’s a completely different vulnerability. Actually, my tests seemed to show that this is not a vulnerability in the tiff library, but rather a very Sony-specific bug in the way they implemented the lib on the PSP (if you can test this to see if it crashes on a PS3 or an iPod, I’d be happy to know, by the way).
Ok, so here is the initial file as modified by myself, to show the hacking possibilities offered by these files. Matiaz ended up not using this error but another one that proved more efficient, but this is the starting point for everything.
You can of course play with the proof of concept released by Matiaz too. After all, it’s only hex-editing and playing with PSPLink.