Looking for vulnerabilities in the PSP Firmware

I’ve described in a previous article how to look for exploits in games on the PSP. But as you may or may not know, the new PSPGo’s business model made game exploits useless for the average user.

Let me explain: if an exploit is found (and revealed) in a game on the PSP, Sony will simply remove the game temporarily from the PSN Store, and it will be available again only once the game’s developers fix the issue. So the only people who will be able to benefit from the exploit are those who downloaded the game from the PSN Store before the exploit was made public. (In case you didn’t know, the PSPGo has no UMD drive, so all games for this machine must be bought on the PSN.)

Yep, that’s not cool, and it explains why Freeplay doesn’t want to make the recent hack of the PSP Go public (the exploit is still useful for hackers, as it allows running unsigned code on the PSPGo, and therefore analyzing its firmware more precisely). It also explains why we should now be looking for vulnerabilities in the PSP firmware (such as the laughman tiff exploit that led to ChickHEN a few months ago) rather than in games.

In this article I will explain how to monitor the PSP menu with PSPLink. If you haven’t read my previous post on savegame exploits, I suggest you do, as it is a nice introduction to PSP exploits. Disclaimer: I’m not the best PSPLink user in the world, so this article might be incomplete in some parts.

Setup

Imagine you have a file that crashes your PSP. It can be a video file, an mp3, an image, etc… (I will explain later how you can find or create such files). How can you tell whether it can become an exploit or not? Well, as usual, the answer is clear: PSPLink.

PSPLink is a very useful tool for analyzing the RAM of the PSP. If you don’t have it yet, google for it. I personally use the version included with the minimalist PSPSDK.

PSPLink has two parts of interest here: one that runs on the PSP (basically an EBOOT, like most homebrews), and two executables that run on the PC (they display the information sent by the PSP to the PC).

Once you have installed PSPLink on your PSP and plugged the PSP into your computer with a USB cable, open two command-line windows, and run usbhostfs_pc in one and pspsh in the other.

When this is done, you can run the PSPLink EBOOT on your PSP. If everything goes well, pspsh on your computer will display “host0:/” and usbhostfs will say “Connected to Device”. It should look like this:

If you need more information on PSPLink, google for it.

Running the XMB/VSH

Now that’s the interesting part. If you’re a developer, you might know how to run your homebrews’ prx files from there. But how can you access the PSP menu? Well, that’s actually very easy, as you only need to type the following two commands in pspsh:

reset vsh

flash0:/vsh/module/vshmain.prx

And that’s it! Let me tell you, it is way easier than doing it for savegames, as no plugins are required.

Test your crash

Then what? Well, you do whatever is needed to reproduce your crash. In my case, I have an mp3 file that crashes the PSP, so on my PSP I go to the music menu and try to play the file.

When the crash occurs, pspsh should display the current state of the registers, along with lots of other useful information.

MIPS…

From here, what you need is MIPS assembly knowledge, and lots of patience. But I can’t teach you that :). For the basics, you can still read my article on savegames, as we are looking for the exact same thing: a way to overwrite $ra.
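To show what to look for in that register dump, here is an added example (my own code, not part of the original article or of PSPLink): a small Python triage script that parses a pspsh-style exception dump and checks which register values appear verbatim in the crashing file, so you can tell a crash that merely dereferenced bad data apart from one where $ra or the PC were overwritten with file contents. The dump text, the thread name and the mp3-like file are constructed sample data, not real PSPLink output.

```python
import re
import struct

# Constructed sample of a pspsh-style exception dump. Real PSPLink output
# prints registers as "name:0xVALUE"; the values and thread name are made up.
CRASH_DUMP = """\
Exception - Address load/inst fetch
Th Name   - SCE_VSH_MAIN
EPC       - 0x41414140
zr:0x00000000 at:0x08810000 v0:0x00000000 v1:0x00000001
a0:0x09FE0000 a1:0x42424242 a2:0x00000010 a3:0x00000000
sp:0x09FFF8A0 fp:0x09FFF8B0 ra:0x41414141 pc:0x41414140
"""

# Constructed crashing file: ID3-like header, padding, then marker bytes.
CRASH_FILE = (b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 22
              + b"AAAA" + b"BBBB" + b"\x40\x41\x41\x41")

REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,2}):0x([0-9A-Fa-f]{8})")
EPC_RE = re.compile(r"EPC\s*-\s*0x([0-9A-Fa-f]{8})")


def parse_dump(text):
    """Return {register: value} from the exception dump, EPC included."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = EPC_RE.search(text)
    if m:
        regs["epc"] = int(m.group(1), 16)
    return regs


def locate_in_file(regs, data):
    """Map each register whose value occurs verbatim in the file (packed
    little-endian, as the PSP's MIPS core stores words) to its file offset."""
    hits = {}
    for name, value in regs.items():
        if value == 0:
            continue  # zero is everywhere; it proves nothing about control
        off = data.find(struct.pack("<I", value))
        if off != -1:
            hits[name] = off
    return hits


def classify(hits):
    """Triage verdict: $ra or the PC taken from the file is the case the
    article is after; controlled data registers alone are usually just a crash."""
    if any(r in hits for r in ("ra", "epc", "pc")):
        return "control-flow register overwritten from file"
    if hits:
        return "data registers controlled, control flow not (yet)"
    return "crash not obviously related to file contents"
```

Feed it the real dump text and the file you played to see which offsets in the file ended up in which registers.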

By the way, you need a hacked PSP to run PSPLink, so don’t try this on official firmware.


  1. noladu95:

    Thanks for your help

  2. mamosuke:

    Hi, wololo.

    Thanks for your interesting article.
    I am very interested in this article, and want to introduce it to Japanese PSP users.
    So I translated it into Japanese here:
    http://plaza.rakuten.co.jp/mamosuke2008/diary/200910120001/

    Sorry for telling you about it after I posted my article.

  3. wololo:

    @mamosuke: no problem at all, I know that you always put links to the source in your articles :)

  4. eric:

    waiting for more surprising news …

  5. H@lo World:

    Is it possible to find a PNG exploit on PSP firmware 6.10?

  6. wololo:

    @H@lo World: The most famous PNG library is called libpng, and it’s pretty much bug free nowadays. Sony are reportedly not using this lib, so they could have a bug in their own software, but it’s a bit unlikely (I mean, there are always bugs, but it’s less likely to find one in PNG files than in other formats maybe?)
    You can have a look at the bug list of libpng to get inspiration: http://sourceforge.net/tracker/?group_id=5624&atid=105624

  7. H@lo World:

    Hi wololo,
    thanks for your help.
    If I changed one byte in a PNG image, the PSP said: The Data is Corrupted
    And the tiff exploit is patched on 6.10
    And BMP images have no alpha layer.
    Is it possible to get an alpha layer in BMP images, or is it possible to find an exploit in BMP somewhere else?

  8. H@lo World:

    Hi,
    here I am again.
    Could this BMP image lead to an exploit?

    http://rapidshare.com/files/298644478/hh2.bmp.html

    It crashes the PSP…

  9. wololo:

    No, a crash is not necessarily an exploit, and I explain here why we probably can’t exploit the PSP with BMP images:
    http://wololo.net/wagic/2009/10/18/why-we-cant-easily-find-exploits-in-bmp-images/

  10. H@lo World:

    Hhm… I’m new here and I want to help hacking the PSP.
    The article you gave me is very interesting.
    There is likely no BMP exploit I have seen.
    You said to focus on tiff images, but the tiff exploit is patched by Sony, isn’t it?
    The second thing is that I’ve searched for PSPLink but I haven’t yet found a download link.
    It would be great if you had a link for me.
    thanks

  11. wololo:

    For Windows, PSPLink is integrated in the Mini pspsdk: http://minpspw.sourceforge.net/

    ONE tiff exploit was patched by Sony, it doesn’t mean that the library is safe, it probably still has bugs. Remember that the PSP was already hacked at least twice with 2 different tiff vulnerabilities.

  12. H@lo World:

    Oh, that’s great
    thank you so much!!

  13. H@lo World:

    Hi wololo
    I’ve a question.
    Every time I write reset vsh in PSPLink my PSP crashes.
    I’ve a PSP Slim with firmware 5.50 Gen D2
    Do you know what I do wrong?

  14. wololo:

    I’m not sure, it could be related to the Gen firmware… did you try on M33?

  15. H@lo World:

    No, I didn’t
    Thank you for your tip

  16. H@lo World:

    Now it works

  17. H@lo World:

    Hello wololo,
    If I found a kernel exploit, where should I write the “ms0:/h.bin”
    in the file?

  18. wololo:

    That’s a weird question… If you find an exploit (user or kernel) and want to load a binary, you have to find a way to call sceioread. I don’t know exactly what register sceioread is expected to read from, but basically, assuming it’s $a1 (that’s an example), and your “ms0:/h.bin” text is at address 08800000 (again, just as an example, this assumes that you put that stuff somewhere in memory), then you have to manage to put 08800000 into $a1 and then call sceioread.
    To get more insight on this, look for “sparta sdk” on google, this is probably the best example you will get on how to do that.

  19. H@lo World:

    Hi wololo
    I’ve found a good tiff image, but how exactly do I create a buffer overflow on tiff? :(
    Is there a program, or should I change the bytes with the hex editor? I’ve done that with the whole picture, but there was no buffer overflow.
    I’ll be happy if there is a TUT or something else.
    See you

  20. wololo:

    @ H@lo World: there are several techniques for this.
    I recently explained one of these techniques here:
    http://wololo.net/wagic/2009/11/08/psp-exploits-finding-crashes-with-fuzzing

  21. H@lo World:

    Thank you for your help :) ,
    but you said that there are other ways…
    Where can I find them, or what are their names?

  22. wololo:

    There are thousands of ways and the only limit is your imagination. Another way is to look at the source code of libraries used by the PSP, such as libtiff and libungif, in order to find vulnerabilities in there. Or you can also decompile the PSP firmware and look for bugs in it. Or you can randomly hexedit a file, etc…

  23. Stranger:

    I have a question: although Sony may have patched the tiff exploit that was used in ChickHEN, would it be possible that the exploit could still work on, say, firmware 6.00, given that you can try to view it in PSP Filer through HBL and then install CFW, given that the exploit puts the PSP in a homebrew state and you could install CFW from it!?

  24. Stranger:

    Hi wololo

    I have found a glitch in the XMB on 6.00. If you proxy your PSP to your computer and reroute the updatelist file it uses to check if updates have been made to an updatelist file that’s older on your PC, and download the update, then when you press X to run the update it will show the XMB but you can’t move around, and it will still give you the option to run the update; you can only browse the XMB when you press O. I was wondering if anything could come out of this, or if it’s nothing more than a glitch.

  25. hunter:

    Hello, I have a question: can PSPLink run on the new HEN for OFW 6.35, PSP version 3000?

  26. luccAS:

    What is its version?? Is it 6.20?? Thank you, I’m happy now

  27. benjamindu11:

    Please, why doesn’t pspsh say “host0:/”? Usbhostfs_pc says “Connected to device” with 3 other lines, but pspsh does nothing…

    Help please!