When the PSP and the Vita show their battle scars…

The PSP has a long history of user mode exploits in its game library. Without going into details, savegames have been our favorite vector of user mode hacks for years.

Some of you might remember the old days of GTA: Liberty City Stories, the dramas around Gripshift or Mercury, the awesome “commit suicide to trigger the exploit” in Medal of Honor, or, more recently, our numerous HBL or VHBL releases.

But did you know that each new firmware on the PSP or the Vita ships with a “blacklist” of those savegame exploits: hashes that help the console identify “bad” savegames? The games themselves are never patched. It would be way too costly to contact the development studio, recompile the game with a patch, go through a release process… not to mention how impractical it would have been to distribute patched UMDs back in the day (as far as I know, the “patched” version of GTA was actually just shipping with an updated firmware that had the blacklist implemented).

As a consequence, each new PSP firmware (including the ones on the Vita) ships with a growing list of hacked games, what I like to call the “battle scars” of the PSP in Sony’s fight against hackers.

For those interested, that blacklist can be found in savedata_utility.prx (thanks to neur0n for the screenshot below).

Devs zer01ne and wth have compiled a full list for us. Most of those names remind me personally of a specific event in the 7-year history of the PSP scene, while some of these games will not remind you of anything.

It turns out that some games are actually blacklisted by Sony before any public exploit release is made. Leaks? Or Sony taking preventive measures against some specific games because the dev studio is the same as that of another, hacked game? This is probably the case for the latest addition in the Vita’s firmware 1.80, 7 Wonders of the Ancient World, which has probably been patched because it was developed by MumboJumbo, the company behind Super Collapse 3.

Enjoy the list :)

  • ULUS10041 – GTA:LCS (US)
  • ULES00151 – GTA:LCS (EUR)
  • ULES00182 – GTA:LCS (DE)
  • ULJS00005 – Lumines (JAP)
  • ULUS10002 – Lumines (US)
  • ULES00043 – Lumines (EUR)
  • ULKS46005 – Lumines (KOR)
  • ULJM05089 – Gripshift (JAP)
  • ULUS10040 – Gripshift (US)
  • ULES00177 – Gripshift (EUR)
  • ULKS46040 – Gripshift (KOR)
  • ULJM05097 – Pursuit Force – Daitsuiseki (JAP)
  • UCUS98640 – Pursuit Force (US)
  • UCES00019 – Pursuit Force (EUR)
  • UCKS45016 – Pursuit Force (KOR)
  • UCUS98703 – Pursuit Force – Extreme Justice (US)
  • UCES00694 – Pursuit Force – Extreme Justice (EUR)
  • UCAS40150 – Pursuit Force – Extreme Justice (UK)
  • ULUS10141 – Medal of Honor: Heroes (US)
  • ULJM05213 – Medal of Honor: Heroes (JAP)
  • ULAS42082 – Medal of Honor: Heroes (UK)
  • ULKS46066 – Medal of Honor: Heroes (KOR)
  • ULES00557 – Medal of Honor: Heroes (EUR)
  • ULES00558 – Medal of Honor: Heroes (FR)
  • ULES00559 – Medal of Honor: Heroes (DE)
  • ULES00560 – Medal of Honor: Heroes (EUR Platinum)
  • ULES00561 – Medal of Honor: Heroes (SP)
  • ULES00562 – Medal of Honor: Heroes (DE)
  • ULUS10310 – Medal of Honor: Heroes 2 (US)
  • ULJM05301 – Medal of Honor: Heroes 2 (JAP)
  • ULES00955 – Medal of Honor: Heroes 2 (UK)
  • ULES00988 – Medal of Honor: Heroes 2 (EUR)
  • ULES00956 – Medal of Honor: Heroes 2 (FR)
  • ULUS10017 – Archer Maclean’s Mercury (US)
  • ULES00011 – Archer Maclean’s Mercury (FR)
  • UCJS10011 – [Hg] Hydrium (JAP)
  • UCKS45007 – [Hg] Hydrium (KOR)
  • ULUS10133 – Mercury Meltdown (US)
  • ULES00466 – Mercury Meltdown (EUR)
  • UCJS10043 – Shutyuuryoku Ikusei Korogasu Ekitai Puzzle – Tama-Run (JAP)
  • UCUS98711 – Patapon (US)
  • UCJS10077 – Patapon (JAP)
  • UCKS45076 – Patapon (KOR)
  • UCAS40193 – Patapon (UK)
  • UCES00995 – Patapon (EUR)
  • ULES00281 – Splinter Cell Essentials (EUR)
  • ULUS10070 – Splinter Cell Essentials (USA)
  • UCUS98732 – Patapon2 (USA)
  • UCJS10089 – Patapon2 (JAP)
  • UCJP12345 – Patapon2 (JAP)
  • UCAS40239 – Patapon2 (UK)
  • UCES01177 – Patapon2 (EUR)
  • ULJM05561 – Fuuun Shinsengumi Bakumatsu den Portable (JAP)
  • UCJS10001 – Minna no Golf Portable (JAP)
  • UCKS45004 – Minna no Golf Portable (KOR)
  • UCJM95401 – Minna no Golf – Coca Cola Special Edition (JAP)
  • UCES00012 – Everybody’s Golf (EUR)
  • UCUS98614 – Hot Shots Golf (USA – Everybody’s Golf)
  • UCJS10075 – Minna no Golf Portable 2 (JAP)
  • UCES00767 – Everybody’s Golf 2 (EUR)
  • UCUS98693 – Hot Shots Golf 2 (USA – Everybody’s Golf 2)
  • NPHG00081 – Everybodys Golf [HK] (demo)
  • ULES00387 – Sudoku Coach (EUR)
  • UCJS10094 – Minna no Sukkiri (JAP)
  • NPUG80524 – Hot_Shots Shorties Green (USA)
  • NPUG80527 – Hot_Shots Shorties Blue (USA)
  • NPUG80528 – Hot Shots Shorties Red Pack (USA)
  • NPUG80529 – Hot Shots Shorties Yellow Pack (USA)
  • NPEG00046 – Everybody’s Stress Buster: Green Pack (EUR)
  • NPEG00047 – Everybody’s Stress Buster: Blue Pack (EUR)
  • NPEG00048 – Everybody’s Stress Buster: Red Pack (EUR)
  • NPEG00049 – Everybody’s Stress Buster: Yellow Pack (EUR)
  • UCAS40290 – Everybody’s Stress Buster (UK)
  • ULES00389 – Professor Sudoku (EUR)
  • ULES00388 – Carol Vorderman’s Sudoku (EUR)
  • ULUS10126 – Carol Vorderman’s Sudoku (USA)
  • UCES01250 – Motorstorm Arctic Edge (EUR)
  • UCUS98743 – Motorstorm Arctic Edge (USA)
  • UCJS10104 – Motorstorm Raging Ice (JAP – Motorstorm Arctic Edge)
  • UCKS45124 – Motorstorm Arctic Edge (KOR)
  • UCAS40266 – MotorStorm Arctic Edge (Asia)
  • UCUS98701 – Everybody’s Tennis (US)
  • UCJS10101 – Everybody’s Tennis (JP)
  • UCES01420 – Everybody’s Tennis (EU)
  • UCAS40307 – Everybody’s Tennis (HK)
  • NPUG70053 – HotShots Tennis Get a Grip [US] (demo)
  • NPJG90082 – Everybody’s Tennis (JP) (demo)
  • NPEG90027 – Everybodys Tennis [EU] (demo)
  • ULUS10227 – 7 Wonders of the Ancient World
  • ULES01037 – 7 Wonders of the Ancient World

Do those names bring back memories? What epic hacks do you remember on the PSP?

Source: wth on /talk

  1. Wololosupporter

    Wow that’s crazy so essentially if we can somehow remove the game from the list vhbl would always work

    1. Zach

      Man I remember hacking medal of honor heroes 2 online with nitepr. Those were the days.

      1. Norml

        Fag, thankfully online was lame anyway, don’t cheat ONLINE.

  2. 12loogies

    lol….wishful thinking, but in a perfect world would be nice

  3. Jd8531

    ugh this makes me feel old -_-

    1. z2442

      yeah same here lol

    2. rafael707

      we’re all on the same boat

  4. Sakuryu

    Ahh I remember the annoying Patapon demo load in lol

  5. Brody

    if i’m not going to have any internet access for the next 10 days (starting around 4am today) am i pretty much screwed to get the new game for the new exploit?

    1. jlo138

      Don’t know where you’re from but in the U.S., McDonalds, Chick-Fil-A, Lowes, Starbucks, Macy’s, T-Mobile, Whataburger all provide free Wifi where I’m at. Before I had wifi at home I had my rooted android do that for me. Wifi is pretty much everywhere. You shouldn’t have much trouble finding it.

  6. gotoHotSpotMan

    there’s gotta be an internet connection somewhere u can use…

    1. Brody

      not if i’m in the middle of the ocean on a cruise ship

  7. 1fff

    Can you release the VHBL before tomorrow because monday is school and i want to play a little bit with the vhbl

    1. Norml

      School is out on Monday because of Labor Day.

  8. trollkilla

    @Brody, I’m pretty sure they have free wifi on cruise ships.
    I used it while I was on a cruise ship. If you’re taking a cruise
    on a canoe, now that’s a different story. :)

    1. Brody

      If that’s true then that is awesome :) I figured I would have to pay for some sort of satellite connection

  9. booler

    Is this a 1.80 vhbl release?

    1. Acid_Snake

      what? this is just a look back at the history of user mode exploits.

  10. qwikrazor87

    I was wondering what all those IDs were for when I was skimming through my flash. Maybe I’ll hex edit the blacklist and try out the exploits on 6.60. Thanks wololo.

    1. qwikrazor87

      Patapon 2 demo exploit on 6.60 works with edited blacklist but dbglog says “ERROR INITIALIZING CONFIG”.

      1. wololo

        Many things have changed in VHBL recently, it is possible the latest VHBL does not work anymore for the patapon exploit, I am not very careful with maintaining compatibility with the old exploit… or did you actually download a hbl version from those days?

        1. qwikrazor87

          I tried out hbl r100 for Patapon 2. I’ll look for the latest version and try it out.

  11. StepS

    did you forget to add Super Collapse 3 to the list? :)

    1. yosh

      yeah I myself didn’t mention it to the list since it’s kinda ‘evident’ lol but indeed

  12. Fabian

    So if I understand correctly run all these games the VHBL??

  13. pifpaf

    No the HBL

  14. rofl

    mostly not.. since i have psp 1k and i use cfw since DarkAlex’s one

    1. Norml

      So you’re using an outdated CFW, smart, must be fun.

  15. G0l3m

    I own the first 4 games as UMDs. I remember buying my first PSP. It was used and had GTA LCS within. I told the guy to not update the console otherwise I wouldn’t have bought it.

    Still, how could those usermode exploits lead to kmode ?!

    1. Norml

      They don’t, a kernel exploit leads to a kmode exploit and a user mode exploit leads to a umode.

  16. Leroy

    Some savedatas had a positive response to the usermodekernel $ra which means code could be implemented in the save with the game still working (not always). Remember: Spartaaaaaaaaaaaa with gripshift? And from there they went further to see if a positive response was given to the kernel mode. If that is true you need to reverse engineer some modules to bypass the chain of trust. It’s a long process but here on Wololo there are a lot of threads which explain how to search for an exploit

    By the way, asking for the release of the Ninja release might even stall the release. So just wait patiently please

  17. HeroKing

    i know it’s not a big deal, but you got a typo in the review. you wrote out sutdio instead of studio lol

    1. wololo

      thanks, fixed :)

  18. bahiano

    I did not know 7 Wonders of the Ancient World has been one vhbl

    1. StepS

      no, read attentively: it could be potentially exploited because it has the same developer as Super Collapse 3. this is sometimes the case with exploits that a dev makes a mistake on the majority, if not all, of his titles

  19. Pop

    So these are the VHBL PSP titles…

  20. Jones

    Dude I remember DarkAlex! I was so happy when he got backups working!!!!! Cause I had about a mil. or so!!!

  21. Jones

    Oh and the first downgrader I used without a PSPTOOL battery was with GTA and HellCat’s app.

  22. razor

    Is 7 wonder of the world the game we’re waiting for the new vhbl? I wonder

    1. Mr McGoo

      It really would matter if it was, which it isn’t, cause it has already been blacklisted.

  23. Zimond

    mmh… wouldn’t it be possible just to change some values in the firmware before installing it so that old exploits work? Or would that change some kind of hash of the firmware file causing the Vita to refuse the file?

  24. SofaKing™

    oh ya, i still own my UMD of GTA LCS, also the first psp game i bought for my vita, yes even before SC3. all those years and the scene hasn’t changed much, everyone still bugs the DEVs can i play free games, hurry do this, i need that, grrr i hated those guys, and still do, we all should JUST SAY THANKS or learn to CODE, which is out of the question for many as they don’t even know how to read.
    thank you all for all your hard work,

    1. Mr McGoo

      I think we should do both. I am actually looking into the possibilities.

  25. LUISDooMER

    the patapon 2 was a great exploit since it was the first (and the only) that i used 2 years ago… Damn, how i miss the patapon 2 song… :P

  26. cscash241

    Patapon 2 Demo, on the psp go, man I remember those days.

  27. razor

    Dear, Mr. Homie Wololo Sir =)

    I deleted my sc3 file by mistake after upgrading to firmware 1.80 on my vita. Now SC 3 doesn’t work even though I try to reinstall it using open CMA.
    Is there a way to fix this? or do I have to buy another game to install the new VHBL whenever it comes out.

    Gracias Amigo in advance for the reply

    1. wololo

      VHBL for SC3 only works up to firmware 1.67 AFAIK. On 1.80, the exploit has been patched, so you’ll have to get the next release

  28. Scarecrow

    Lumines…
    Good times, hahaha

  29. openvita

    so if we knew where this list is located in a ps vita update file we could simply corrupt it by writing some trash with the correct md5 checksum to that location even without knowing the aes key, just wiping out one block of data?

    1. StepS

      1. savedata_utility.prx is in PSP EMU flash0
      2. we can’t access PSP EMU flash0 from within user mode (=VHBL)
      3. all the prx’es are encrypted, and you will have to decrypt them to change anything.
      4. i don’t know how you would properly reencrypt it back to work on the psp emulator.
      5. there’s no point, because attempting to gain a psp user access from within already having psp user access is… you know.

      1. openvita

        why would i have to decrypt it?
        isn’t aes encrypted in 128 bit blocks?
        wouldn’t it be enough to change/delete a few blocks where the blacklist is stored?

  30. Nottulys

    I remember using the eloader back when GTA came out….and then 2.0…and then CFW and it was all uphill from there

  31. Fabian

    dear wololo, we all need soon back to school,
    so give a fast answer!!
    do u gonna release it before school time begins or later!!!
    plz we need to know it tell us plz. i dont wanna miss it again!!!

    i dont want a answer like : Do as everybody and follow the site!

    i need fast and Good answer !!! like every body here.
    every body here knows that u and ur team awesome is!!!
    plz i dont wanna miss it again !!!
    do u understand me?

    we are waiting sooo long!!
    oke good bye :) !!!!

    1. JinxMeTwice

      You’re going back to school and..?
      I work 10 hour shifts and I’m still waiting patiently

      Crying for the release isn’t gonna make it happen any sooner. I hate to sound like a dev but it’ll come out when it’s good and ready.

      That and from what I’ve seen so far in following the scene here the releases are put out on times when most people are about to get the game

      1. Mr McGoo

        Yo, leave him alone, it appears he REALLY needs to go back to school.

  32. Norml

    Demo exploit = GOLD
    Pata pata pata PON!

  33. Leroy

    Dear Wololo,

    It makes me sick watching people beg all the time for the release of the Ninja release etc.

    Could you ip-ban them or something?

    1. WololoIsGay

      Want to be the first one? Why IP ban them for just asking a simple question? So what you’re saying is that anyone who asks for VHBL should get ip-banned?

  34. grecomafioso

    Doesn’t anyone of you remember the EPIC TIFF exploit??

    I think it was on FW 2.80 or something like that…

  35. AlienM

    Are you sure Sony is just comparing the hashes? Then it would be possible to reenable the exploit by just changing one bit in the savegame.

    1. yosh

      no they don’t use hashes of savefiles, they just look for the gameid identifier and then manually check the right parts of the exploited saves where the security issue lies.
      In most cases being bOfs they simply limit the string size(s) themselves to a specific length, the savedata_utility code handling that is pretty plain actually
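The per-title check yosh describes above (match the game ID, then cap the length of the string fields that overflow), sketched in C as an added example. It is not code from savedata_utility.prx or from the original comments; the rule table, offsets, lengths and function names are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Per-title rule: a string field the game copies out of its save without
 * a bounds check. Offsets and lengths are constructed for illustration;
 * they are NOT the real save layouts of these titles. */
struct save_rule {
    const char *game_id;  /* 9-character title ID, as in the list above */
    size_t offset;        /* start of the string field in the save data */
    size_t max_len;       /* longest string the game can hold, without NUL */
};

static const struct save_rule RULES[] = {
    { "ULUS10041", 0x10, 16 },
    { "ULES00151", 0x10, 16 },
    { "UCUS98732", 0x40, 32 },
};

enum { SAVE_REJECTED = -1, SAVE_CLEAN = 0, SAVE_TRUNCATED = 1 };

/* Meant to run on the save data before the game sees it.
 * Titles without a rule are passed through untouched. */
int sanitize_save(const char *game_id, unsigned char *buf, size_t len)
{
    int result = SAVE_CLEAN;

    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct save_rule *r = &RULES[i];

        if (strncmp(game_id, r->game_id, 9) != 0)
            continue;

        /* Fail closed if the field plus its terminator does not fit. */
        if (r->offset > len || r->max_len >= len - r->offset)
            return SAVE_REJECTED;

        /* No NUL within max_len + 1 bytes: the string is oversized, so
         * terminate it where the game's buffer ends. */
        if (memchr(buf + r->offset, 0, r->max_len + 1) == NULL) {
            buf[r->offset + r->max_len] = 0;
            result = SAVE_TRUNCATED;
        }
    }
    return result;
}

int main(void)
{
    unsigned char save[128];          /* constructed sample save */
    memset(save, 'A', sizeof save);   /* oversized, unterminated field */

    printf("first pass:  %d\n", sanitize_save("ULUS10041", save, sizeof save));
    printf("field length now: %zu\n", strlen((char *)save + 0x10));
    printf("second pass: %d\n", sanitize_save("ULUS10041", save, sizeof save));
    return 0;
}
```

Because the check looks at the field itself rather than a hash of the file, flipping unrelated bytes in the save does not get an oversized string past it, which is the point of yosh's reply to AlienM.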

  36. nCadeRegal

    My most favorite memory was playing both medal of honor games online. But at the same time nitepr started being used soon after i started to get decent at the multiplayer and ruined the online portion of the game. Both my best and worst memories are tied to the same two games, ironic, but I’ll never forget the day that i downgraded my phat 1000 for the first time and ran homebrews on 1.50, aww the good ol days! Takes me back, and thanks to wololo’s site, and others for guidance on how to fully enjoy what the psp experience truly is and was! Good times

  37. Dovahkiin

    @wololo,
    Is it possible to dummy/fake this module “savedata_utility.prx” since it holds all the blacklisted savegames?

    1. wololo

      No, that would require an exploit, which puts you in a “chicken/egg” type of situation :)

      1. Dovahkiin

        point taken :D i forgot about the vita side… lol

  38. PAULO

    Wololo, before launching ninja, I want to thank you in advance for sharing your work, eye diariamento my e-mail and I will continue looking.

  39. Leroy

    @WololoIsGay on September 2, 2012 at 2:21 am
    Want to be the first one? Why IP ban them for just asking a simple question? So what you’re saying is that anyone who asks for VHBL should get ip-banned?

    ME: So you’re saying that it’s normal if people keep on begging for the release?

    It’s just not cool to do such a thing.
    He never replied to anything of the Ninja release to Non contributors, so why do you people think you’re special?

    Just sit tight and wait.

    1. CATPowah

      True, true. And ninja release is a secret release that was not meant to be told to anyone else except the people that help in developing VHBL.

  40. ils

    hi, what will happen with the game when each savedata been blacklisted??
    will the still playable in the new FW? or they simply won’t load any saves?

    just my curiosity, is each savedata in 1 game got the same hashes? or how sony can determine which savedata is safe to load or with (v)HBL exploit?

    thanks :)

    1. matt

      I would assume that the hash is representative only of save data that contains the “bug” necessary to trigger that exploit, or that contains more data or data reflecting VHBL code rather than what would normally be contained inside one of the save data files.

      Sony would probably have a lot of upset fans and need to offer refunds if they repeatedly patched PSP games so you couldn’t save and thus couldn’t play them ;p

      Although I wouldn’t be surprised if they did that to a game at some point in the future, if they felt it was necessary to keep an exploit constrained to prior firmwares.

      1. ils

        if the hashes reflect to VHBL’ed savedata then these hashes would change every time we compile VHBL right?

        i think with Vita, $ony added A LOT of angry fans already
        “PSP game conversion” comes to mind :)

  41. isbric

    @wololo I need some pointers on how to contribute to a lasting userland exploit or a last kernel exploit.

    Besides obvious founding for sustainable hacking, is there any help you could share on how to get started?

    This exploit -> patch chase is not good enough for me so the least i can do is to pitch in.

    Side note, i would love to talk with some of you more involved about the attack vectors just to eliminate some well tried out ways.

    1. wololo

      Hi. You can contact me directly by email wagic.the.homebrew (gmail), or just post in the forums. I am far from being the cleverest guy in the community, so you might get much more interesting discussions with other people.

  42. Leroy

    I also sent you a PM about the WP but you didn’t reply.

  43. CATPowah

    Hey, wololo. Is contributor the same as donator? Just asking. I mean donator help by funding and the latter was like technologically.
