Things are going very fast. For those who are just joining us: until now there were basically two ways to run homebrews on a PSP. Either you had a hackable PSP on which you could install a “Custom Firmware” (CFW), or you owned one of the new models (basically every PSP sold since summer 2008) and had to rely on some “exploits”, such as the Patapon exploit, which was used to run HBL (a homebrew loader) and later on a HEN (Homebrew Enabler).
CFW or HEN, that was basically the choice we had so far to run homebrews.
Then came fail0verflow, and Mathieulh. A group of developers found a critical security issue in the PS3 system, which led to a full analysis of the PS3 firmware, in which some keys used for PSP game encryption were found. After a few weeks of hard work involving many developers, tools started to emerge. I’ll spare you the details for now, but it is basically possible to sign your own games (I’m talking here about games you created, not games you get on the PSN) and run them directly on a PSP without any “classic” hack, and without a Custom Firmware.
Yeah, we're superheroes, you love us
In the video below I’m showing Wagic running on a 6.35 PSP3000. Note that I cold reboot the console, to show that no exploit is running there.
The tools to sign your homebrews, although not entirely user-friendly yet, can easily be found with our friend Google (and if not today, they will be tomorrow). I used prxEncrypter by bbtgp and fix-relocations by JJS.
These signing techniques still rely on some external data, and Sony could probably fix this in future firmwares by creating a whitelist of allowed EBOOTs. Will they actually do it, or are they now focusing on the PSP2? For now, this is user mode only (yes, liquidzigong did sign his HEN, but that HEN still relies on a kernel exploit to work, and that is easy to fix…), which should keep us away from any form of piracy, at least for now (and, alas, from plugin support or CFW as well).
This assumes you have access to your homebrew’s prx. If you only have the EBOOT, you can extract the prx with PBP Unpacker (data.psp == your prx).

1. If your prx has relocations of type 7, run fix-relocations on it (fix-relocations mygame.prx). If you don’t know, run it anyway; it shouldn’t hurt.
2. Run PrxEncrypter on your prx (prxEncrypter mygame.prx).
3. Run pack-pbp the way you usually do it in a makefile (pack-pbp EBOOT.PBP PARAM.SFO icon.png NULL pic0.png pic1.png NULL data.psp NULL).
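As an added example (my own pre-flight script, not part of the original post and not one of the tools named above), here is a small Python check for the procedure: it pulls data.psp out of an EBOOT.PBP the same way PBP Unpacker does, checks the 5MB limit, and scans the PRX’s SHT_PRXRELOC sections for type 7 (R_MIPS_GPREL16) entries so you know whether fix-relocations is needed before prxEncrypter. The PBP header and ELF section layouts are the standard ones; the sample EBOOT it builds when run without arguments is a constructed skeleton (not a bootable game), and the signing itself is still done by prxEncrypter.

```python
import struct
import sys

PBP_MAGIC = b"\x00PBP"
SHT_PRXRELOC = 0x700000A0        # PSP-specific relocation section type (psp-tools / prxtool constant)
R_MIPS_GPREL16 = 7               # the "type 7" relocation the post says to run fix-relocations for
MAX_PRX_BYTES = 5 * 1024 * 1024  # size limit mentioned in the post


def extract_data_psp(pbp: bytes) -> bytes:
    """Return the DATA.PSP member of an EBOOT.PBP (what PBP Unpacker gives you)."""
    if pbp[:4] != PBP_MAGIC:
        raise ValueError("not a PBP file")
    # 8 little-endian offsets after the 8-byte header, in this order:
    # PARAM.SFO, ICON0.PNG, ICON1.PMF, PIC0.PNG, PIC1.PNG, SND0.AT3, DATA.PSP, DATA.PSAR
    offsets = struct.unpack_from("<8I", pbp, 8)
    start, end = offsets[6], offsets[7]
    if not (40 <= start <= end <= len(pbp)):
        raise ValueError("corrupt PBP offsets")
    return pbp[start:end]


def relocation_types(prx: bytes) -> dict:
    """Count relocation entries per type across all SHT_PRXRELOC sections of a PRX."""
    if prx[:4] != b"\x7fELF":
        raise ValueError("not an ELF/PRX")
    e_shoff = struct.unpack_from("<I", prx, 0x20)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", prx, 0x2E)
    counts = {}
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        # Elf32_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
        sh_type, _flags, _addr, sh_offset, sh_size = struct.unpack_from("<IIIII", prx, base + 4)
        if sh_type != SHT_PRXRELOC:
            continue
        # Entries are Elf32_Rel (r_offset, r_info); MIPS keeps the type in the low byte of r_info
        for off in range(sh_offset, sh_offset + sh_size, 8):
            _r_offset, r_info = struct.unpack_from("<II", prx, off)
            rtype = r_info & 0xFF
            counts[rtype] = counts.get(rtype, 0) + 1
    return counts


def preflight(pbp: bytes) -> dict:
    """Answer the two questions the procedure asks before prxEncrypter is run."""
    prx = extract_data_psp(pbp)
    types = relocation_types(prx)
    return {
        "prx_size": len(prx),
        "within_5mb": len(prx) < MAX_PRX_BYTES,
        "needs_fix_relocations": types.get(R_MIPS_GPREL16, 0) > 0,
        "reloc_types": types,
    }


# --- constructed sample input (a skeleton for testing, not a runnable game) ---

def build_sample_prx(reloc_types) -> bytes:
    """Minimal ELF with one SHT_PRXRELOC section holding one entry per requested type."""
    rel = b"".join(struct.pack("<II", 0x100 + 4 * i, (1 << 8) | t)
                   for i, t in enumerate(reloc_types))
    rel_off = 52                 # relocation data sits right after the 52-byte Elf32_Ehdr
    sh_off = rel_off + len(rel)  # then the section header table
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little-endian
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               0xFFA0, 8, 1, 0, 0, sh_off, 0,  # ET_SCE_PRX, EM_MIPS
                               52, 0, 0, 40, 2, 0)             # shentsize 40, shnum 2
    null_sh = b"\x00" * 40
    rel_sh = struct.pack("<IIIIIIIIII", 0, SHT_PRXRELOC, 0, 0, rel_off, len(rel), 0, 0, 4, 8)
    return ehdr + rel + null_sh + rel_sh


def build_sample_pbp(prx: bytes) -> bytes:
    """Wrap a PRX in a PBP with a placeholder PARAM.SFO and empty optional members."""
    sfo = b"\x00PSF" + b"\x00" * 12  # placeholder only, not a valid PARAM.SFO
    members = [sfo, b"", b"", b"", b"", b"", prx, b""]
    offsets, pos = [], 40
    for m in members:
        offsets.append(pos)
        pos += len(m)
    return PBP_MAGIC + b"\x00\x00\x01\x00" + struct.pack("<8I", *offsets) + b"".join(members)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_pbp(build_sample_prx([5, 6, 7]))
    report = preflight(data)
    print(report)
    if not report["within_5mb"]:
        print("prx too large for this method")
    if report["needs_fix_relocations"]:
        print("type 7 relocations present: run fix-relocations before prxEncrypter")
```

Run it as `python preflight.py EBOOT.PBP` against your own unsigned EBOOT; with no argument it checks the constructed sample. It only reports, it does not modify the PRX, so the actual fix-relocations and prxEncrypter steps above are still yours to run.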
There are still lots of limitations (no kernel mode, the prx must be smaller than 5MB, no static ELF support, …), but tools are progressively being built to make this easier, so I’m sure that as I type this, more convenient tools are already available. I spotted some tools that allow signing static ELFs by embedding a loader inside the EBOOT.
We are constantly looking for guest bloggers at wololo.net. If you like to write, and have a strong interest in the console hacking scene, contact me either with a comment here, or in a PM on /talk!