Datel’s Action Replay: a Dead End for hackers?
Three weeks ago, Datel made the (PSP) news headlines by releasing a new version of the Action Replay, a piece of software not signed by Sony and yet running on non-hacked PSPs.
Since it seems clear that Datel figured out how to reproduce Sony's signature (and can therefore, technically, run anything they want on every PSP model), the PSP scene was excited by the possibilities this opened up for the future of homebrew.
There were several ideas about “how” this could be used for the benefit of the underground scene, but unfortunately all of these apparently led to … nothing at all.
The idea of figuring out the encryption process just by looking at the Action Replay EBOOT never seemed doable. It was clear from the start that it wouldn't be any easier than figuring out Sony's own encryption process, which hackers haven't managed to do in the five years of the PSP's life.
Other attempts were made to find an exploit in the PSPAR EBOOT, with classic buffer overflow attacks through the program's configuration files, which proved to be well secured against such attacks.
Hackers were also hoping to inject a fake "cheat code" into RAM that would actually be nothing more than a binary loader (a homebrew loader). It turns out that the PSPAR does not allow users to create their own cheat codes (older Action Replay software allowed this through the help of a "trainer" program). In fact, the cheats are all stored in the EBOOT itself, making it virtually impossible to "inject" anything.
Finally, there was some hope of tricking the update mechanism. Previous versions of the Action Replay would patch themselves by loading a data file from the PSP/COMMON folder. But it seems that this new version does not update itself. Rather, users have to connect to the pspar.com website and download an entirely new EBOOT for each update. This was somewhat expected, as self-updating would otherwise mean that the EBOOT contains the code to sign itself again after being modified, which was very unlikely. Nevertheless, it's now officially clear that this won't work either.
So all of this has been a dead end so far. The last ray of hope could come from Datel themselves, if they decide to come up with a commercial "homebrew loader" solution, like they did for the GameCube/Wii (SD Media Launcher). Personally I'd pay good money for that, but Datel hasn't replied to people who inquired about it (do it too; if many people show interest, maybe they'll consider it!). I guess they need to weigh the pros and cons of going (yet again) to (legal) war against Sony…
On a side note, it means that people on official firmware can now cheat in games, so the whole "we lock CFW users out of the PSN because CFW users can cheat" *** has no meaning at all anymore. It also probably means that online play will become less enjoyable now, but I can't really tell: I'm on CFW and therefore can't access the PSN or the PlayStation Store…
There goes another hope. Hopefully something will come out of Abigail's work.
Oh well.. too bad. I'd be interested in a commercial homebrew launcher or even something similar to 5.03 GEN for OFW…
Lawl, now official firmware users can cheat on PSN, shame for the OFW users who do not want to cheat
Hi wololo.. is this good? Or, like I think, is it only a crash?
http://img237.imageshack.us/img237/5403/psplink.png
Thanks! ^^
Hi wololo, do you think that the latest image posted by diesel701 works for an exploit? Thanks, write back as soon as possible
diesel701, Pulcini0315: I am not sure. Earlier I replied that "fp" was related to the FPU, but apparently it is the frame pointer. If you can ask psplink what is inside this value, and if you can get control of this value, your crash might be exploitable
Thanks for the reply wololo, so the crash could be exploited… If you are interested, I can send you the file via private message…
Thanks for the reply wololo… I've seen the MIPS code with psplink through "disasm":
http://img43.imageshack.us/img43/2866/disasm.png
As you can see the problem is $a0; however there is no "jump", so I think there is nothing to do. Or am I wrong?
I've done two little mods of the file that produce these interesting crashes (but I think nothing exploitable):
http://img268.imageshack.us/img268/5317/psplink2.png
http://img716.imageshack.us/img716/7365/crash2.png
diesel701: I see. From your first screenshot, there could be some hope if you have control of $a0. Can you put whatever you want in $a0? If so, you might be able to go further down the execution of the code and maybe reach a point where a jump is done?
However this looks difficult since apparently there are at least 10 lines or so without any jump…
Your 2 other screenshots look interesting too, but the question now is, can you “control” the contents of the variables involved, by changing the png file?
wololo, the file is not a PNG but a TIF, and it works on firmware from 5.03 to 6.20…
If you're interested I'll send you the file… 😉
Thanks again wololo.
I have done some tests and I can't control the value of $a0 and, in any case, there is no jump after the crash… so I think there is nothing to do with this file.
Thanks again for your support and time to reply… 🙂
wololo: hi, I've seen something interesting on YouTube: someone shows a crash with a TIFF image. Can you test the picture with psplink please?
Here's the link: http://rapidshare.com/files/341924769/crash.tif.html
hopefully it is exploitable 🙂
I reply to you (H@lo World): the file is not exploitable because the problem is a "breakpoint".. nothing to do.. I'm sorry… 😉
That's bad. If I had known this I wouldn't have tried to hex edit it. The picture has 2 code lines (0x17A0 – 0x17C0 and 0x2600) which crash the PSP in the hex editor. And this stupid 0xFFFFFFFFF at v0…, but thank u for your answer =)
Hopefully someone else finds a useful exploit 😉
Hi wololo and everyone, I’ve seen this video : http://www.youtube.com/watch?v=6L6K1a0E42A&feature
What do u think? Could you try to see if it's just a crash or something more? Thanks
Pulcini0315: This is just a crash, and not exploitable, because of a "breakpoint". We talked about this in this thread already.
But I think someone else will find a real buffer overflow which leads to a Hello World. I'm sorry 🙂
o’ right bye 🙁
Frankly, I just got the new Datel version yesterday and all I really wanted was the XYZ mod in SMS… But it sucks because I can't add any codes; everyone says there is an add new code button, but I checked and there is no main menu or add new code. Super jumping is pretty fun though.
wololo, what CFW are you running on your PSP? I thought you had PRO. My LCFW PRO B10 6.60 has PSN access & there's the PSN Lover plugin so you can still enjoy PSN.
TobeyDemon, look at the date of this post. It is very old.