Writing a binary Loader
After studying both the Gripshift and the MOHH exploit, I now feel confident to write a little guide on creating a binary loader.
What This article is about
The first step to running homebrew on a PSP is to find a user mode exploit, which is done by taking control of the Ram through techniques such as a buffer overflow in a game or crafted images.
Imagine that you’ve found such a vulnerability, and have full control of our beloved variable $ra. The next step for you is to create a proof of concept. The basic idea is to create a binary loader, that is, a piece of code able to load another piece of code from a file on the memory stick, then run it.
Writing a binary loader is fairly simple once you know how to do it, but it relies on lots of tribal knowledge, as there is no central place that gathers that kind of information.
So there it is 🙂
Disclaimer: I just learned how to do it myself very recently. Some of the techniques I describe here might not be optimal. I also suck big time at MIPS. Oh, and I tend to write a ruby script for things that could probably go in a Makefile. As usual, take everything you read on the internet with a grain of salt.
In this guide I’m assuming you already have control of the variable $ra and can change it to whatever value you want. I’m taking the example of a savegame. Some steps are fairly different if you found a vulnerability in the XMB, but overall the principles are the same. I’m assuming you know how to use PSPLink, and have a fair knowledge on how to use a hexeditor, scripting languages, a bit of C and/or MIPS, basic Makefiles…roughly, the kind of stuff you learn writing homebrews 🙂
Tools you will NEED (Download links)
- prxtool and psplink are part of the minimal psp sdk. Honestly you should already have this installed if you are reading this.
- For windows users, cygwin might be useful, and install ruby with it if you plan to run my scripts
- A Hex editor (on Windows I use XIV32)
- Savegame Deemer to work on savegame data easily
- PRXDecrypter to decrypt Eboots
- SED (Savegame Encrypter/Decrypter) to encrypt your exploit once it’s ready
- Silverspring’s libdoc (for 6.60, update thanks to thecobra)
Contents
Writing a binary loader from a savegame exploit requires the following steps:
- Find a place to jump to
- Find the function imports
- Compile a binary loader
- Inject your binary loader in savegame
- Write a SDK adapted to your game
- Create a small “proof of concept” binary file (a.k.a. “Hello World”)
- Reencrypt your savegame
Find a place to Jump to
Run psplink and crash your game like you “usually” do. Keep that running, you’ll need it for this step.
You have control of $ra, and need to have it jump to wherever you will inject your binary loader code. Basically, your code will be injected in the savegame, so you need to know where in Ram that piece of the savegame ends up. To do that, you need to visually compare your Ram and the savegame. To do a dump of your ram just after you found a crash, type savemem 0x08800000 200000000 memdump.bin in psplink. This will create a memdump.bin file on your drive, which should be roughly 24MB.
Now look for a very recognizable pattern in your savegame. A series of letters or bytes that you can easily look for. And look for these values in your Ramdump as well (with an hexeditor, obviously). In the image below, my ramdump is on the left, and the savegame is on the right.
Once you’ve found them in you’re ramdump, you pretty much know where you will want to jump, AND where you will inject the code in your savegame. In this example, my pattern is at offset 0x43F0 in the savegame, and at offset 0x32C3E0 in the ramdump. That last one is actually 0x8800000 + 0x32C3E0 (0x08B2C3E0) in ram since we dumped our file starting at 0x08800000. You can check if your psplink is still open: you should find your pattern if you type: memdump 0x08B2C3E0 20 (replace the address with whatever you chose, of course).
You want to make sure the place you jump to is exactly equivalent to the pattern you chose in your savegame, over a few hundred bytes. If there are differences in this area between your savegame and the ram, it means this savegame block is not entirely loaded at this position, and it will make your code injection more difficult (you want your code to be in one block, not splattered all over the Ram :P)
So you have step one: we found a nice place to jump to (0x08B2C3E0), and where in the SDDATA.BIN we will inject our binary loader (0x43F0).
Find the function imports
OK, this one sounds extremely difficult, as if it required lots of exceptional knowledge: that’s not the case. Or, rather, we have tools that do the work for us.
When you write a homebrew, you call functions of the PSPSDK. The position of these functions in Ram is not known in advance in the case of a game exploit, so we need to find them and “redirect” them correctly.
In the case of a game, you’ll want to extract the “EBOOT.BIN” from your game and decrypt it. The EBOOT.BIN is inside the iso of your game, so to get it you will need an iso of your game. If the game is an UMD, it’s very easy to do on any custom firmware with the “USB Drive” option that you can find in any custom firmware. (If the game is a PSN game, you’ll need NPDecryptor to create the ISO).
Most likely, this “EBOOT.BIN” is encrypted, so you additionally need to decrypt it with prxdecrypter.
Once you have your decrypted EBOOT.BIN handy, use prxtool to retrieve information from it, with the following syntax:
prxtool -f EBOOT.BIN
This will give you the actual addresses of each function that the game imports and uses. These are the functions that you will be able to use in your homebrews or in the binary loader.
You’ll notice that instead of function names, you get a library name followed by hexa values. From there you can either manually do the associations, or (better) get an xml file with the nids/function names associations. Such xml files can be found on silverspring’s website (http://silverspring.lan.st/).
Once you have one of those xml nids files, just type
prxtool -f -n yourfile.xml EBOOT.BIN
which will give you a much more readable output 🙂
Keep this output somewhere!
If prxtool complains about your file not being a prx… you probably sc*** up the decryption process at some point, or you used the wrong EBOOT.BIN (there are several of those in the ISO, most of them are dummies)
Compile a binary loader
For this step I suggest you download my patapon exploit SDK as it is a good example. This SDK can be found as a part of HBL, here.
The binary loader itself is pretty simple to write, directly in assembly. You could write it in C based on the SDK you will create (that I describe below), but my inspiration here is the sparta_sdk which has its binary loader written in mips assembly. Assembly is a bit tougher than C/C++, but in this case, we are simply going to adapt my patapon work to fit your game, so it’s only a few replacements here and there.
Note: this work is heavily inspired by Mattiaz’s “sparta sdk”, it is recommended that you download it too if you want to see the differences, which can be educational.
Open the file “loader.S” from the patapon binloader folder.
Basically what we want to replace here are the function addresses used by the patapon binLoader. I used addresses that made sense for Patapon, but not for your game. So for the 4 functions involved (sceIoOpen, sceIORead, sceIOClose, sceKernelDcacheInvalidateRange) , you will take your list of imports generated earlier, and replace the “patapon” value with the value for your game. In my example, I replaces 0x08A69854 (the value from the Gripshift exploit) with 0x08C88590 (the value from the patapon exploit) for sceIoClose, and so on.
Additionally, you need to update the address where the filename is stored. The filename is the name of your binary, and is traditionally ms0:/h.bin. You need to add this string in your savefile somewhere around your jump location, and inject this address into the asm code. In my example below, I put the file name “0xF0” bytes after my jump point, so I changed the 0xC0 from the sparta sdk into F0. Don’t forget to put a “0x00” at the end of your string!! Note that this also means that the length of my compiled binary loader has to be less than F0 bytes, otherwise when I inject it I will overwrite my file name :'(
That’s pretty much the only things you have to change. We’ll now compile this file and inject it in the SDDATA.BIN.
Compiling assembly is not especially difficult as all the tools for that are provided in the PSPSDK. Again, taking inspiration from the spartaSDK, here are the needed compilation commands:
psp-as loader.s
psp-objcopy -O binary a.out a.bin
The first step compiles the code, and the second step creates a binary version of it.
Inject the binary loader in your Savegame
Once you’ve got a compiled version of your binLoader, it is then easy to inject it into your save file, either manually with a copy paste, or through the scripting language of your choice. The only thing to remember is that you want to inject it at the precise location matching $ra, that you found above in this article.
For the injection, I have a small ruby script that takes a valid SDDATA.BIN file and loads the exploit + the compiled binary loader into it directly. I’m only providing a picture of the code but you can also find the code here. I suggest you go with the method you prefer (and the language you prefer) for injecting your code.
Note that at this step, you already have a way to create your hello world (in asm) and inject it instead of the binary loader. It’s actually not necessarily a bad idea to try much easier code (such as calling sceKernelExitGame) before aiming for a binary loader, to make sure your thing works.
Write a SDK
This sounds difficult. It’s not. Once you have your function imports, writing the SDK is a piece of cake. What you need to do here is take the list of function imports you retrieved through prxtool, and write a file named sdk.S just like the one in the patapon SDK. It’s pretty straight forward. In my example, I replaced 0x08A69854 with 0x08C88590 and so on, just like I did with the .S. This is assembly, but it’s dead simple, as you don’t even need to look for what the functions actually do.
In my case I wrote a simple ruby script that parses my prxtool “functions imports” file into a sdk.S function, but there probably are some options in prxtool to help you with that task.
You then copy the sdk.h from the patapon exploit, and that’s it. One .S file and one .h, and you’re done!
Write a Hello world
Once you’ve got your sdk, writing a Hello World is extremely simple. Actually, you can even cheat and reuse the sample provided in the patapon SDK. Be sure to start with the smallest file possible, just to make sure your code actually works. A simple proof of concept is just some C code that calls “sceKernelExitGame()“. That’s enough for you to confirm that your SDK is roughly correct and that your binary Loader (coded previously) does its job. Additional samples can also be found in the sparta SDK.
The sparta_sdk makefiles might need a few changes since we are using a different way of writing the SDK(take inspiration from the Makefile from patapon rather than that from sparta in that case)
The output of the compilation should be a h.bin file. If your binary loader loads ms0:/h.bin, then just put that h.bin at the root of your memory stick, put your binaryLoader SDDATA.bin in the correct subfolder of the SAVEPLAIN directory, and fire up your game (with SGDeemer and psplink enabled of course), trigger the exploit…and your hello world should appear 🙂
TroubleShooting
There might be several reasons for your exploit to fail at that point. Although computer programming IS exact science, it’s extremely easy to do stupid mistakes if your working environment is not “good” enough. At that point, PSPLink is the key to your success. If you get a crash, try to investigate the Ram. Are you actually jumping to the correct location? Is your binary loader really at that location? Is it entirely there or did it get truncated for some weird reason? Add breakpoints to your binary loader to see if it actually runs. When you are sure the binary Loader runs, make sure it really loads your hello world where you expect it to be loaded in Ram. If so, add breakpoints to your hello world as well. Or simplify it.
All these steps can be extremely painful if you don’t automate some of your work. I highly recommend taking the time to write a few scripts that will automate the work for you (compile the binLoader and inject it, etc…). Choose whatever scripting language you’re confident with 🙂
Reencrypt your savegame
That’s the last step when you want to make sure your exploit works on official firmware. A tool called SED allows you to reencrypt your exploited savegame. To do that though, you need the savegame key. That key can be found in the SAVEPLAIN data given by SGDeemer. It’s at the very bottom of XXXX.bin where XXX is the code of your game . At the bottom of that file, the last 20 bytes should be only zeroes. you want the 16bytes before that. That’s your key 🙂
For the usage of SED… well, google for it, I’m feeling lazy. If you made it that far, SED shouldn’t be a problem for you 🙂
Very nice article 🙂
But it can be better, you can detail a little more (with your sample) this part “The only thing to remember is that you want to inject it at the precise location matching $ra, that you found above in this article.” I understand it, but it looks too “fast” and “superfluous”. This being the heart of the exploit should have a little more attention.
Another nice touch is to put all your references at the end of the article (for download), eg. links to sparta, mohh and sed.
The overall this is the best article I have found about exploiting psp savedata.
Is always helpful.
Please up the good work.! 😀
To proceed to my blog’s link wololo’s blog.(_ _)
Once again a great article. I’m defenately going to refer to this if one day i’m lucky enough to even overwright some of the registrys with a crash 😛
I give you Super-Hyper-Special thanks!!!
great!
but maybe you can tell me how i use this chinese SED thing 🙂
Nice and helpful guide (event though a complete newbie could do that job nao). Just wanna ask what I’d have to change for a VSH-sploit in MaTiAz’ loader.S?
great article^^ and tnx for ur patience with me^^
btw, jeerum, http://www.megaupload.com/?d=DZXWHE5S
english sed^^
At the beginning of your article you said “After studying both the Gripshift and the MOHH exploit[…]”. So do you mean that you can use the MOHH sploit and write a binary loader for this exploit to launch HB on 5.50 ofw?
myfefko: the binary loader for the MOHH exploit already exists and is included with the exploit, google for it 🙂
Running homebrews is another level of complexity (it’s the next level, somehow), look for m0skit0’s homebrew loader if you are looking for that kind of information
j416 found an exploit with using modified savedata,which can perfectly control the value of $ra in PSPLink.
And now he made his Binary Loader working and “Hello World” for his PoC.
He only released a picture of his Hello World today at GameGaz forum.
http://forum.gamegaz.jp/viewtopic.php?f=23&t=90
His usermode exploit is working on PSP OFW6.20.
He said your article was really helpful. I think so,too.
Well…I quoted your great tutorial to translate into japanese as usual.
Thanks.
Wow, long time no see xDDD
Nice tuto dude!! I learnt myself a couple of things 😀
hey i want to know that it will work on my psp 3004 v5.51 plz reply fast im waiting for ur reply plz thanx in advance
just an additional question: do you also get the nid by using prxtool?
Beggin: the nids can be found on silverspring’s site: http://silverspring.lan.st/ .
i refer to the nids of the new firmware
ah. Hmm, I haven’t thought about it so far, but from what I’ve seen the nids of 6.20 are roughly the same as in 5.00. I might be wrong though, but since PSARDumper is out, it is now possible to run a tool called “nidattack” on the files of the firmware, to get the nids
Hi wololo,
I’ve a question:
How can we find kernel vulnabilities? I’ve readed about patching 0xbc000000 protection via a kernel function wich has no k1??? o.O
nice article, thx^^
@Geroni: I’ve never looked for kernel vulnerabilities myself, but basically most kernel functions do test if the k1 register is set or not, to check for kernel mode. The idea of a kernel exploit is to either manage to set this value (probably impossible ?) or to find kernel functions that don’t check it properly by reverse engineering the firmware.
AFAIK, kernel exploit always rely more or less on the same kind of trick, and Sony has been fixing those bugs a lot recently 🙁
hmm, but the nids’ve been randomised right? will i get’em anyways by using nidattack?
also: about the false positives… how do i know which one is false and which is right? (NIDs)
Beggin:
– The names should look like “real” function names. Most of them already exist in previous firmwares so it is probably easy to find them, and that’s how you understand which ones are false positives. I know that some modules such as paf.prx also have randomized names so nidattack cannot find the names/nids for this module.
ok thank you very much then, wololo!
sorry wololo, i have still one question… can i use old nids (eg. 1.50 ones) on 5.03 hen? if yes y’would be a biig help!!
sorry, I don’t know… I don’t think you can. I don’t see why you’d need that…
Awesome guide, very useful and well explained.
Thanks one million and keep up the good work man, your website is really cool :).
Your post is really interesting, i wish all sceners out there released such knowledge with wannabe programmers/reversers that really want to learn. Thanks for your time writing this, and if you don’t mind, i want to come in contact (email whatever) with you. Thanks again!
Nice, this actually shed a LOT of light on the process… one thing that wasn’t clear to me though was positioning of the code within the savegame, if placed in the wrong area wouldn’t the game simply refuse to load it because it’s detected a corrupt savegame?
is there a way i could analyze sony’s ofw 6.20 on my pc?
@Nickolas: PSAR Dumper (fixed for 6.XX), prxtool, IDA Pro…
That kind of stuff.
Thanks for this information, wololo. I will put this to good use some day.
Can i do this on 6.30? YES OR NO? LET ME KNOW ASAP!!!!!!!!!!!!!!!!
@terminator157: no, you need a hacked PSP to do these things
This doesn’t work on 6.31 either (just in case someone else comes in and asks).
ummm…could you try the ace combat 2 demo??? (cause i’m a sucka** coder and all my 1337 skilLZ come from heavy gaming)
hi
first thanks for your tutorials
second the first tutorial is too easy and this is too hard so i couldn’t understand it
maybe if i found a crash il come and tell you
Hey how do I Contact wololo i have found a exploit for the psp go 6.31 on demo
someone click on the other forum i made 2 crashes i need help porting this to hbl thx
very nice. i might try this sometime.