10 Great PSP Games with a vulnerability

If you like “Top 10” types of posts, this one is for you, and I’m sure you won’t find it anywhere else. This is a chronological list of PSP games in which vulnerabilities were found (ordered by date of exploit release, not release date of the game)…
Come with me, we’ll visit some of the major events in the scene’s history on the way… and as a nice bonus, 2 of the exploited games in this list were never revealed publicly before :)

1. 2005: Puzzle Bobble

We’re going back to the very early days of the PSP scene with this first entry! Most of you have probably never heard of this one before.
The Japanese version of Puzzle Bobble was compiled in debug mode, so its binary still carried debugging information such as function names. Hackers recovered those names, and they were later used in the scene’s PSP SDK.

This was one of the first steps towards getting homebrew running on this great device.

2. 2006 – 2007: GTA – Liberty City Stories

This one started a long era of “save game exploits” on the PSP. Fanjita and Noobz found a buffer overflow vulnerability in the savegames of GTA-LCS. It allowed users to run the Noobz eLoader and, later on, downgraders.

Sony quickly patched this one with a firmware update, and released a “new” version of the game that required the patched firmware to be installed. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP’s history that an exploited game got a UMD update.

Funny anecdote: this vulnerability got reused a second time by Noobz almost a year later, in what was called the goofy exploit, when it was discovered that Sony had incorrectly patched the vulnerability. This one has a special place in my heart, as the GTA exploit is what I first used to run eLoader and ScummVM on my PSP Phat!

3. 2007: Lumines

Noobz again, with the help of hacker Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, while Archaemic was feeding random data to the game (what we would call fuzzing today).

This exploit gave hope to owners of the 3.50 firmware: it technically worked on all PSPs from firmware 1.0 to 3.50 (the most up-to-date firmware at the time).

4. 2009: Gripshift

As a happy new year present for 2009, developer MaTiaZ gave us the Gripshift exploit, yet another buffer overflow in the player’s name field of the game’s save data.

Although the hype around this exploit was extremely high, the lack of a good kernel exploit to chain it with basically ruined the fun for everybody: a user mode exploit on its own only gives you code execution inside the game’s own (user mode) context, which is not enough for a custom firmware. The old guys among us will remember this as a big fight between famous hacker Dark-Alex and team pspgen, when pspgen announced they would release a Custom Firmware/HEN based on the Gripshift exploit.

5. 2009: Medal Of Honor Heroes

In the middle of 2009, developer kgsws (who is now better known for being the first to sign homebrew on the PSP) released an exploit for the game Medal Of Honor Heroes (MOHH). The exploit had the particularity of requiring players to commit suicide in the middle of a multiplayer game, which, although not very practical, was extremely fun.

Again, the lack of a kernel exploit (or rather, the lack of interest from the people who had one) to pair with this game made it not so interesting to the community, but this is also the game on which m0skit0 started developing Half Byte Loader, an open source successor to the Noobz eLoader (both are loaders that run homebrew from a user mode exploit, without needing a kernel exploit).

6. 2010: Patapon 2

The PSP Go announced dark times for the scene: exploits in games weren’t cool anymore, because UMD-based exploits wouldn’t work on the PSP Go (which has no UMD drive), and exploits in games sold on Sony’s PSN could be patched almost instantly. The “serious” guys were digging in the PSP firmware, or looking for exploits in image or mp3 parsing. Some people were still looking for exploits in games though, mostly for the fun of it.

This was the case of malloxis, who found an interesting crash in Patapon 2. What he didn’t realize at the time was that Patapon 2 also had a demo, which could be downloaded from various websites without going through the PSN Store (so no risk of an update by Sony), and that this demo could load and save games.
It took developer Wololo (that would be me :) ), helped by n00b81, roughly a week to create a proof of concept binary loader using this buffer overflow. Having taken note of the previous “wasted” user mode exploits (MOHH and Gripshift), we (n00b81 and myself) wanted to go further and help m0skit0 with his work on Half Byte Loader. We wanted to keep our exploit under wraps until HBL was ready, to avoid this great exploit becoming “yet another wasted user mode vulnerability”.

What actually happened is that malloxis blew it by leaking my files, and we had to release a work-in-progress version of Half Byte Loader. But overall things turned out well, as Half Byte Loader dominated the scene for a few months, until Total_Noob’s HEN came, almost a year later.

Fun fact: people who used HBL during this era now want to kill kittens every time they hear the Patapon song.

7. 2010: Hot Shots Golf 1 and 2

As we were working on Half Byte Loader, and as no kernel exploit was seeing the light of day, it became clear to us that making Half Byte Loader portable to many exploits was a priority.

It was in this context that developer J416 adapted HBL to an exploit he had found in Hot Shots Golf.

It was also clear in 2010 that game exploits were mainstream on the PSP. I had been contacted at the time by more than 10 people who had a valid buffer overflow vulnerability in a game, and by hundreds of people who could crash the PSP by feeding it garbage (a crash alone is not an exploit: you still need to control what gets overwritten). At that time, we were not afraid of running out of user mode exploits, but rather of seeing Sony patch them very quickly when they were not demos. It turns out that Sony took months to patch the Hot Shots Golf games on the PSN, proving that user mode exploits and homebrew were not a threat to them (the only good move Sony intentionally made for the scene in 6 years?)

8. 2010: Minna no Sukkiri

Developer Jeerum found an exploit in the demo of the Japanese game “Minna no Sukkiri”.

The circumstances in which he released it were a bit awkward (we already had a perfectly working user mode exploit for all known firmwares), but it came in handy for Half Byte Loader, as it meant we didn’t have to maintain too many versions of HBL anymore. People just had to use this very compact demo, and could forget about the previous Patapon exploit or the “expensive” Hot Shots Golf games.

The next 2 game vulnerabilities were never revealed publicly before today, to the best of my knowledge. I reveal both of them here because I think it’s fun, and I don’t think they would be of any use now that we can sign homebrew. I also think Sony won’t bother fixing them as long as there’s no exploit for them to look at. So here goes:

9. 2010: Ape Escape: On the Loose

Yet another classic buffer overflow in the player’s name. This one was found in parallel by several people, who strangely all contacted me around the same period of time.

I’ll leave the work of creating a hello world as an exercise to the reader; the tutorials are here, and this game is really easy to exploit.

This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, HBL can only hand a homebrew the system functions that the host game itself imports, so it needs a game that imports as many libraries as possible, especially recent ones, to get better compatibility with homebrew (we had the same kind of issue with Hot Shots Golf).

10. 2010: Gladiator Begins JP Demo

This one was extremely interesting. I must apologize to the person who found this exploit, as I can’t remember who it was… we worked together towards a working binary loader. This was going to be the next big user mode exploit for the PSP… until we discovered that the savegames in this demo only work on the PSP that created them.

I was aware that such a system exists on the PSP (lots of people were complaining about the impossibility of reusing their save games on recent games such as Tekken 6), presumably tying the save data to a per-console key, and I wasn’t able to bypass this limitation… who knows, maybe the recent work on encryption on the PSP could help finalizing this one. Again, it is fairly easy to get this exploit to work, it’s a buffer overflow in the player’s name again… the only problem is that the savegame will only load on the PSP that wrote it, so the crafted save can’t simply be shared.
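Most of the savegame exploits on this list (GTA-LCS, Gripshift, Ape Escape, and this Gladiator Begins demo) are described above as a buffer overflow in a field, typically the player’s name, that the game copies out of the save without checking its length. The C below is an added illustration written for this page, not code from any of those games, from Half Byte Loader, or from the original post. It uses a made-up save format (4-byte magic, 1-byte name length, name bytes), a loader that trusts the length byte next to one that validates it, and a flat byte array standing in for the loader’s stack frame so that the overwrite of the saved return address is visible without undefined behaviour. The addresses 0x08804000 and 0x08884000 are constructed values, chosen only because they fall in the PSP’s user-mode range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed save layout (not any real game's format): 4-byte magic,
 * 1-byte name length, then the name bytes. */
#define SAVE_MAGIC "SAVE"
#define HDR_LEN    5
#define NAME_MAX   16   /* size of the game's fixed name buffer */

/* Simulated stack frame as one flat byte array, so every write in the demo
 * stays inside a single object: the name buffer is the first NAME_MAX bytes
 * and the spilled return address sits directly above it. */
#define RA_OFF     NAME_MAX
#define FRAME_LEN  (NAME_MAX + 4)

/* Little-endian (MIPS-style) read of the saved return address. */
uint32_t frame_ra(const unsigned char *frame)
{
    return (uint32_t)frame[RA_OFF] | ((uint32_t)frame[RA_OFF + 1] << 8) |
           ((uint32_t)frame[RA_OFF + 2] << 16) | ((uint32_t)frame[RA_OFF + 3] << 24);
}

/* Header check shared by both loaders: magic present and the declared
 * name length actually fits inside the file. */
static int parse_header(const unsigned char *save, size_t save_len, size_t *name_len)
{
    if (save_len < HDR_LEN || memcmp(save, SAVE_MAGIC, 4) != 0)
        return -1;
    *name_len = save[4];
    return (save_len - HDR_LEN < *name_len) ? -1 : 0;
}

/* Vulnerable loader: trusts the length byte and copies that many bytes into
 * the 16-byte name buffer, so a 20-byte "name" overwrites the saved return
 * address. The clamp to FRAME_LEN only keeps the demo inside the simulated
 * stack; the real bug has no limit at all. */
int load_name_vulnerable(const unsigned char *save, size_t save_len, unsigned char *frame)
{
    size_t name_len;
    if (parse_header(save, save_len, &name_len) != 0)
        return -1;
    if (name_len > FRAME_LEN)
        name_len = FRAME_LEN;                 /* demo only: end of simulated stack */
    memcpy(frame, save + HDR_LEN, name_len);  /* no check against NAME_MAX */
    return 0;
}

/* Hardened loader: the declared length is checked against the destination
 * (leaving room for the terminator) before a single byte is copied. */
int load_name_hardened(const unsigned char *save, size_t save_len, unsigned char *frame)
{
    size_t name_len;
    if (parse_header(save, save_len, &name_len) != 0)
        return -1;
    if (name_len >= NAME_MAX)
        return -1;                            /* oversized name: reject the save */
    memcpy(frame, save + HDR_LEN, name_len);
    frame[name_len] = '\0';
    return 0;
}

/* Serialize a save blob; returns its total length. */
size_t build_save(unsigned char *out, const unsigned char *name, uint8_t name_len)
{
    memcpy(out, SAVE_MAGIC, 4);
    out[4] = name_len;
    memcpy(out + HDR_LEN, name, name_len);
    return HDR_LEN + name_len;
}

/* Feed one name to both loaders. Returns the return address left in the
 * vulnerable loader's frame and stores the hardened loader's verdict. */
uint32_t demo(const unsigned char *name, uint8_t name_len, int *hardened_rc)
{
    unsigned char save[HDR_LEN + 255], frame[FRAME_LEN], clean[FRAME_LEN];
    size_t save_len = build_save(save, name, name_len);
    const uint32_t orig_ra = 0x08804000u;     /* constructed original return address */

    memset(frame, 0, sizeof frame);
    for (int i = 0; i < 4; i++)
        frame[RA_OFF + i] = (unsigned char)(orig_ra >> (8 * i));

    load_name_vulnerable(save, save_len, frame);
    memset(clean, 0, sizeof clean);
    *hardened_rc = load_name_hardened(save, save_len, clean);
    return frame_ra(frame);
}

/* The "exploit" save: 16 filler bytes, then 4 bytes that land on the saved
 * return address and redirect it to 0x08884000 (a constructed address). */
uint32_t demo_overflow(int *hardened_rc)
{
    unsigned char evil[NAME_MAX + 4];
    memset(evil, 'A', NAME_MAX);
    evil[NAME_MAX] = 0x00; evil[NAME_MAX + 1] = 0x40;
    evil[NAME_MAX + 2] = 0x88; evil[NAME_MAX + 3] = 0x08;
    return demo(evil, sizeof evil, hardened_rc);
}

int main(void)
{
    int rc;
    uint32_t ra = demo((const unsigned char *)"WOLOLO", 6, &rc);
    printf("6-byte name : RA=0x%08x hardened_rc=%d\n", (unsigned)ra, rc); /* intact, accepted */
    ra = demo_overflow(&rc);
    printf("20-byte name: RA=0x%08x hardened_rc=%d\n", (unsigned)ra, rc); /* hijacked, rejected */
    return 0;
}
```

The check the hardened loader adds is the whole fix: the length byte is attacker-controlled data read from the save, so it has to be compared against the destination buffer before the copy, not after the crash. The demo also illustrates the point made above about crashes versus exploits: a random garbage name will overwrite the return address with garbage and crash, while a crafted one overwrites it with an address of the attacker's choosing.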

The awesome conclusion

There are of course many other games on the PSP with such vulnerabilities in them… I know a few of them, but it’s probably not so important now that we can all have a CFW on our PSP.

One interesting thing to note is that, with the exception of Noobz, who were involved in two of these exploits, all these vulnerabilities were found by different people… so this is why I laugh every time people think the scene is “dead” when one hacker leaves it… obviously, there are many skilled people on the scene, and they all come and go :)

For those of you who want to try these exploits: as far as I know, except for the last two on the list, they’ve all been patched on recent firmwares, so you would need to downgrade your PSP first in order to test them!

  1. MitMakis:

    Well, with the PSVita coming out, the PSP is on its last leg; I don’t see what else can be done with it.

    1. Zasisem:

      Enjoy what’s left of this PSP; who knows, the community might just get bigger because of Vita :p

      1. BlkHalo:

        Yeah, I’ll love my PSP even after I sell it on eBay, at least we can always say we beat Sony, and I’ll always miss when I first ‘joined’ the scene, when I noticed wololo.net and always ignored psp-hacks for some reason back then, and had problems putting a demo on my PSP… and especially when I couldn’t even play my games online, I was so tempted to update, but I’m glad I didn’t now. Ah, the memories… And who could forget the Patapon 2 demo, I actually kinda like Patapon 3 now, it’s not bad at all… xD

  2. mr-crazy:

    A guy reported Gripshift earlier but you guys proved him wrong, then why now??

    1. wololo:

      I have absolutely no clue what you are talking about…

  3. ThirstyCow:

    fun fun fun

  4. rainof89:

    Very interesting article. Ah, the memories of the irritating Patapon song. In the very beginning we had to load 1 homebrew at a time. Remember the time someone said they got gpSP to work? I spent almost 2 hours running HBL over and over again trying to load it without it crashing. Fun times :)

  5. sumedh:

    Yo wololo, it’s just like a flashback to the past. I really like to read and follow the scene and really appreciate the devs (hackers) sharing their work… arigato gozaimasu

  6. (|EcLiPsE|):

    I have been a user of HBL since revision 79, if I remember correctly… good memories

  7. Sharky:

    OMG I just rofl’d at the part about killing kittens when you hear the Patapon song cause it’s SOOOOOO TRUE xDD

    I came to the scene when HBL first started and man, that Patapon song almost drove me InSaNe, like to the point where killing kittens might not be enough :P

  8. Dallox:

    I was a sure of it since the first rev of Patapon, I was so impressed by simpleturn XD

    1. Dallox:

      user**

  9. hektik:

    Still don’t think you can beat the days of DAX and M33 CFW, I have a PSP 2000 with 5.00 M33 and a PSP 3000 with 5.03 GEN-C and have never had a problem with either.
    I would like to say thanks to everyone involved with the creation of CFW, without whom we would be stuck with what Sony thinks we should have.

  10. Cynder2011:

    hehe awesomeness

    I started using HBL and (L)CFW with 2010 – Hot Shots Golf 1 and 2

    around November of 2010… it was so awesome.

  11. sasasas:

    KeepSwagginrP1hdh nice lol xD

  12. yellow:

    I came to the PSP scene in April 2010 and it was fun with the annoying Patapon sound lol, good times.

  13. Apple PI:

    POOR POOR Carol Vorderman……….

    Blessed are those who give without remembering and take without forgetting.

  14. Apple PI:

    lol I am gonna say it before someone else does:

    What’s a Carol Vorderman?

  15. asasas:

    nice vulnerability xD BakedZitiF87ReD

  16. grewolf:

    I love how you said that HBL users would love to kill a kitten every time we hear the Patapon song. At first it was relaxing, then turned boring and then annoying, lol! But every time I hear it, it always takes me back to where it started. The good old advanced psp.tk. Thank goodness there’s talk and elite psp gamers and the site that tipi created to continue helping PSP users from those wonderful HBL days. Thanks wololo

  17. StriderHien:

    aaah yeah, the Patapon demo exploit… even TN started from there
    and I remember the great times playing Megaman Zero on PSP…

  18. asasas:

    ItsFridayNite maybe this would work on PSVITA
