Looking for vulnerabilities in the PSP Firmware
I’ve described in a previous article how to look for exploits in games on the PSP. But as you may or may not know, the new PSPGo’s business model made game exploits useless for the average user.
Let me explain: if an exploit is found (and revealed) in a Game on the PSP, Sony will simply remove the game temporarily from the PSN Store, and it will be available again only if the game’s developers fix the issue. So the only people who will be able to benefit the exploit will be those who downloaded the game from the PSN Store before the exploit was made public. (unless you didn’t know, the PSPGo has no UMD drive, and therefore all games for this machine must be bought on the PSN)
Yep, that’s not cool, and it explains why Freeplay doesn’t want to make the recent hack of the PSP Go public (the exploit is still useful for hackers as it allows to run unsigned code on the PSPGo, and therefore analyze its firmware more precisely). It also explains why we should now be looking for vulnerabilities in the PSP Firmware (such as the laughman tiff exploit that led to chickHEN a few months ago) rather than games.
In this article I will explain how to monitor the PSP Menu with PSPLink. If you haven’t read my previous post on savegames exploits, I suggest you do it, as it is a nice introduction to PSP exploits. Disclaimer: I’m not the best PSPLink user in the world, so this article might be incomplete on some parts.
Imagine you have a file that crashes your PSP. It can be a video file, an mp3, an image, etc… (I will explain later how you can find or create these files). How would you tell if it can become an exploit or not? Well, as usual, the answer is clear: PSPLink.
PSPLink is a very usueful tool to analyze the Ram of the PSP. If you don’t have it yet, google for it. I personally have the version included with the minimalist PSPSDK.
PSPLink has two parts of interest for this: one that goes on the PSP (basically, an EBOOT, as most homebrews), and two executables that run on the PC (they will display the information sent by the PSP to the PC).
Once you have installed PSPLink on your PSP and plugged your PSP to your computer with a USB cable, open 2 command-line windows, in which you will run respectively usbhostfs_pc and pspsh.
When this is done, you can run the PSPLink EBOOT on your PSP. If everything goes well, pspsh on your computer will display “host0:/” and usbhostfs will say “Connected to Device”. It should look like this:
If you need more information on PSPLink, google for it.
Running the XMB/VSH
Now that’s the interesting part. If you’re a developer, you might know how to run your homebrews’ prx files from there. But how can you access the PSP Menu? Well that’s actually very easy, as you only need to type the two following commands in pspsh:
And that’s it! Let me tell you, it is way easier than doing it for savegames, as no plugins are required.
Test your crash
Then what? Well, you do whatever is needed to reproduce your crash. In my case, I have an mp3 file that crashes the PSP, so on my PSP I go to the music menu, and try to play the files.
When the crash occurs, pspsh should display the current state of the registers, and lots of useful information.
From here, what you need is MIPS assembly knowledge, and lots of patience. But I can’t teach you that :). For the basics, you can still read my article on Savegames, as we are looking for the exact same thing: a way to overwrite $ra
By the way, you need a hacked PSP to run PSPLink, so don’t try this on Official Firmwares.