Looking for vulnerabilities in the PSP Firmware
I’ve described in a previous article how to look for exploits in games on the PSP. But as you may or may not know, the new PSPGo’s business model made game exploits useless for the average user.
Let me explain: if an exploit is found (and revealed) in a game on the PSP, Sony will simply remove the game temporarily from the PSN Store, and it will be available again only once the game’s developers have fixed the issue. So the only people who will be able to benefit from the exploit are those who downloaded the game from the PSN Store before the exploit was made public. (In case you didn’t know, the PSPGo has no UMD drive, and therefore all games for this machine must be bought on the PSN.)
Yep, that’s not cool, and it explains why Freeplay doesn’t want to make the recent hack of the PSP Go public (the exploit is still useful for hackers, as it allows running unsigned code on the PSPGo and therefore analyzing its firmware more precisely). It also explains why we should now be looking for vulnerabilities in the PSP Firmware (such as the laughman tiff exploit that led to chickHEN a few months ago) rather than in games.
In this article I will explain how to monitor the PSP Menu with PSPLink. If you haven’t read my previous post on savegames exploits, I suggest you do it, as it is a nice introduction to PSP exploits. Disclaimer: I’m not the best PSPLink user in the world, so this article might be incomplete on some parts.
Setup
Imagine you have a file that crashes your PSP. It can be a video file, an mp3, an image, etc… (I will explain later how you can find or create these files). How would you tell if it can become an exploit or not? Well, as usual, the answer is clear: PSPLink.
PSPLink is a very useful tool to analyze the RAM of the PSP. If you don’t have it yet, google for it. I personally have the version included with the minimalist PSPSDK.
PSPLink has two parts of interest for this: one that goes on the PSP (basically an EBOOT, like most homebrews), and the PC side, which consists of two executables (they display the information sent by the PSP to the PC).
Once you have installed PSPLink on your PSP and plugged your PSP into your computer with a USB cable, open two command-line windows, in which you will run usbhostfs_pc and pspsh respectively.
When this is done, you can run the PSPLink EBOOT on your PSP. If everything goes well, pspsh on your computer will display “host0:/” and usbhostfs will say “Connected to Device”. It should look like this:
If you need more information on PSPLink, google for it.
Running the XMB/VSH
Now that’s the interesting part. If you’re a developer, you might know how to run your homebrews’ prx files from there. But how can you access the PSP Menu? Well, that’s actually very easy, as you only need to type the following two commands in pspsh:
reset vsh
flash0:/vsh/module/vshmain.prx
And that’s it! Let me tell you, it is way easier than doing it for savegames, as no plugins are required.
Test your crash
Then what? Well, you do whatever is needed to reproduce your crash. In my case, I have an mp3 file that crashes the PSP, so on my PSP I go to the music menu, and try to play the files.
When the crash occurs, pspsh should display the current state of the registers, and lots of useful information.
MIPS…
From here, what you need is MIPS assembly knowledge, and lots of patience. But I can’t teach you that :). For the basics, you can still read my article on Savegames, as we are looking for the exact same thing: a way to overwrite $ra.
By the way, you need a hacked PSP to run PSPLink, so don’t try this on Official Firmwares.
thanks for your help
Hi, wololo.
Thanks for your interesting article.
I am very interested in this article, and want to introduce this to Japanese PSP users.
So I translated into Japanese here:
http://plaza.rakuten.co.jp/mamosuke2008/diary/200910120001/
Sorry for telling you about it after I posted my article.
@mamosuke: no problem at all, I know that you always put links to the source in your articles 🙂
waiting for more surprising news …
Is it possible to find a PNG exploit on PSP firmware 6.10?
@H@lo World: The most famous PNG library is called libpng, and it’s pretty much bug free nowadays. Sony are reportedly not using this lib, so they could have a bug in their own software, but it’s a bit unlikely (I mean, there are always bugs, but it’s less likely to find one in PNG files than in other formats, maybe?)
You can have a look at the bug list of libpng to get inspiration: http://sourceforge.net/tracker/?group_id=5624&atid=105624
hi wololo,
thanks for your help.
If I changed one byte on png image, the psp said: The Data is Corrupted
And the tiff exploit is patched on 6.10
And bmp images have no alpha layer.
Is it possible to get an alpha layer in bmp images or is it possible to find an exploit in bmp somewhere else ?
hi,
here I am again.
Could this bmp image lead to exploit ?
http://rapidshare.com/files/298644478/hh2.bmp.html
it crashes the psp…
No, a crash is not necessarily an exploit, and I explain here why we probably can’t exploit the PSP with bmp images:
http://wololo.net/wagic/2009/10/18/why-we-cant-easily-find-exploits-in-bmp-images/
hhm… I’m new here and I want to help hacking the psp.
The article you gave me is very interesting.
There is likely no bmp exploit I have seen.
You said to focus on tiff images, but the tiff exploit is patched by Sony, isn’t it?
The second thing is that I’ve searched for psplink but I haven’t yet found a download link.
It would be great if you had a link for me.
thanks
For windows, PSPLink is integrated in the Mini pspsdk: http://minpspw.sourceforge.net/
ONE tiff exploit was patched by Sony, it doesn’t mean that the library is safe, it probably still has bugs. Remember that the PSP was already hacked at least twice with 2 different tiff vulnerabilities.
Oh, that’s great
thank you so much!!
hi wololo
I’ve a question.
Every time I write reset vsh in psplink my psp crashes.
I’ve a PSP Slim with firmware 5.50 Gen D2
Do you know what I do wrong?
I’m not sure, it could be related to the Gen firmware… did you try on M33 ?
No I didn’t
Thank you for your tip
now it works
Hello wololo,
If I found a kernel exploit, where should I write the “ms0:/h.bin”
in the file?
That’s a weird question… If you find an exploit (user or kernel) and want to load a binary, you have to find a way to call sceioread. I don’t know exactly what register sceioread is expected to read from, but basically, assuming it’s $a1 (that’s an example), and your “ms0:/h.bin” text is at address 08800000 (again, just as an example, this assumes that you put that stuff somewhere in memory), then you have to manage to put 08800000 into $a1 and then call sceioread.
To get more insight on this, look for “sparta sdk” on google, this is probably the best example you will get on how to do that.
Hi.wololo
I’ve found a good tiff image, but how exactly do I create a buffer overflow on tiff? 🙁
Is there a program, or should I change the bytes with the hex editor? I’ve done that with the whole picture, but there was no buffer overflow.
I’ll be happy if there is a TUT or something else.
See you
@ H@lo World: there are several techniques for this.
I recently explained one of these techniques here:
http://wololo.net/wagic/2009/11/08/psp-exploits-finding-crashes-with-fuzzing
Thank you for your help 🙂 ,
but you said that there are other ways…
Where can I find them, or what are their names?
there are thousands of ways and the only limit is your imagination. Another way is to look at the source code of libraries used by the PSP such as the libtiff and the libungif in order to find vulnerabilities in there. Or you can also decompile the PSP firmware and look for bugs in it. Or you can randomly hexedit a file, etc…
I have a question. Although Sony may have patched the tiff exploit that was used in ChickHEN, would it be possible that the exploit could still work on, say, firmware 6.00, given that you can try to view it in PSP Filer through HBL and then install CFW, since the exploit puts the PSP in a homebrew state and you could install CFW from it!?
hi wololo
i have found a glitch in the xmb on 6.00. if you proxy your psp to your computer and reroute the updatelist file it uses to check if updates have been made to an older updatelist file on your pc, and download the update, then when you press x to run the update it will show the xmb, but you can’t move around and it will still give you the option to run the update; you can only browse the xmb when you press o. i was wondering if anything could come out of this, or if it’s nothing more than a glitch
Hello, I have a question: can psplink run on the new HEN for OFW 6.35, PSP version 3000?
What is its version?? Is it 6.20?? Thank you, I’m happy now
Please, why doesn’t pspsh say “host0:/”? Usbhostfs_pc says “Connected to device” with 3 other lines, but pspsh does nothing…
Help please !