Looking for vulnerabilities in the PSP Firmware

wololo

Been followin' the console hacking scene since 2006, I'm an old guy so get off my lawn!

You may also like...

Hey, reader. The ads below are not "inappropriate", they are computer-generated "popular topics on the web". Data doesn't lie. Don't blame me, blame mankind.

30 Responses

  1. mamosuke says:

    Hi,wololo.

    Thanks for your interesting article.
    I am very interested in this article, and want to introduce this to Japanese PSP users.
    So I translated into Japanese here:
    http://plaza.rakuten.co.jp/mamosuke2008/diary/200910120001/

    Sorry for telling you about it after I posted my article.

  2. wololo says:

    @mamosuke: no problem at all, I know that you always put links to the source in your articles :)

  3. eric says:

    waiting for more surprising news …

  4. H@lo World says:

    Is it possible to find an png exploit on psp firmware 6.10 ?

  5. wololo says:

    @H@lo World: The most famous PNG library is called libpng, and it’s pretty much bug free nowadays. Sony are reportedly not using this lib, so they could have a bug in their own software, but it’s a bit unlikely (I mean, there’s always bugs, but it’s less likely to find one in PNG files than in other format maybe ?)
    You can have a look at the bug list of libpng to get inspiration: http://sourceforge.net/tracker/?group_id=5624&atid=105624

  6. H@lo World says:

    hi wololo,
    thanks for your help.
    If I changed one byte on png image, the psp said: The Data is Corrupted
    And the tiff exploit is patched on 6.10
    And bmp images have no alpha layer.
    Is it possible to get an alpha layer in bmp images or is it possible to find an exploit in bmp somewhere else ?

  7. H@lo World says:

    hi,
    here I am again.
    Could this bmp image lead to exploit ?

    http://rapidshare.com/files/298644478/hh2.bmp.html

    it crashes the psp…

  8. wololo says:

    No, a crash is not necessary an exploit, and I explain here why we probably can’t exploit the PSP with bmp images:
    http://wololo.net/wagic/2009/10/18/why-we-cant-easily-find-exploits-in-bmp-images/

  9. H@lo World says:

    hhm… I´m new here and I want to help hacking the psp.
    The article you gave me is very interesting.
    There is likely no bmp exploit I have seen.
    You said to focus on tiff images but the tiff exploit is patched of sony,isn´t it?
    The second thing is that I´ve searched for psplink but I haven´t yet found an download link.
    It would be great if you had an link for me.
    thanks

  10. wololo says:

    For windows, PSPLink is integrated in the Mini pspsdk: http://minpspw.sourceforge.net/

    ONE tiff exploit was patched by Sony, it doesn’t mean that the library is safe, it probably still has bugs. Remember that the PSP was already hacked at least twice with 2 different tiff vulnerabilities.

  11. H@lo World says:

    Oh, thats great
    thank you so much!!

  12. H@lo World says:

    hi wololo
    I´ve a question.
    Everytime I write reset vsh in psplink my psp crashes.
    I´ve psp slim with firmware 5.50 Gen D2
    Do you know what I do wrong?

  13. wololo says:

    I’m not sure, it could be related to the Gen firmware… did you try on M33 ?

  14. H@lo World says:

    No I didn´t
    Thank you for your tip

  15. H@lo World says:

    now it works

  16. H@lo World says:

    Hello wololo,
    If I would find an kernel exploit, where I should write the “ms0:/h.bin”
    in the file?

  17. wololo says:

    That’s a weird question… If you find an exploit (user or kernel) and want to load a binary, you have to find a way to call sceioread. I don’t know exactly what register sceioread is expected to read from, but basically, assuming it’s $a1 (that’s an example), and your “ms0:/h.bin” text is at address 08800000 (again, just as an example, this assumes that you put that stuff somewhere in memory), then you have to manage to put 08800000 into $a1 and then call sceioread.
    To get more insight on this, look for “sparta sdk” on google, this is probably the best example you will get on how to do that.

  18. H@lo World says:

    Hi.wololo
    I´ve found a good tiff image but how exactly I create an butteroverflow on tiff? :(
    Is there a programm or should I change the bytes with the Hex Editor that I´ve done with the whole picture, but there was no buffer overflow.
    I´ll be happy if there is a TUT or something else.
    See you

  19. wololo says:

    @ H@lo World: there are several techniques for this.
    I recently explained one of these techniques here:
    http://wololo.net/wagic/2009/11/08/psp-exploits-finding-crashes-with-fuzzing

  20. H@lo World says:

    Thank you for your help :) ,
    but you said that there are other ways…
    Where I can find them or which are their names?

  21. wololo says:

    there are thousands of ways and the only limit is your imagination. Another way is to look at the source code of libraries used by the PSP such as the libtiff and the libungif in order to find vulnerabilities in there. Or you can also decompile the PSP firmware and look for bugs in it. Or you can randomly hexedit a file, etc…

  22. Stranger says:

    I have a question, although sony may have patched the tiff exploit that was used in chickhen would it be possible that the exploit could still work on say firmware 6.00, given that you can try to view it on psp filer through hbl and then install cfw given that the exploit puts the psp in a homebrew state and you could install cfw from it!?

  23. Stranger says:

    hi wololo

    i have found a glitch in the xmb on 6.00, if you proxy your psp to your computer and reroute the updatelist file it uses to check if updates have been made to an updatelist file thats older on your pc and download the update, when you press x to run the update it will show the xmb but you cant move around and it will still give you the option to run the update, you can only browse the xmb when you press o. i was wondering if anything could happen out of this or if its nothing more than a glitch

  24. hunter says:

    Hello I have a quesion can psplink run on the new hen for ofw 6.35 psp version 3000

  25. luccAS says:

    what is it vercion?? is 6.20?? tenkyo im hap now

  26. benjamindu11 says:

    Please, why pspsh don’t say “host0:/” ? Usbhostfs_pc says “Connected to device” with 3 other lines, but pspsh does nothing…

    Help please !

  1. October 12, 2009
  2. October 18, 2009

    [...] Subscribe to feed ‹ Looking for vulnerabilities in the PSP Firmware [...]

  3. November 8, 2009

    [...] said it numerous times, finding crashes is the first step to finding exploits on the PSP (and on other devices as well, by [...]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>