When the PSP and the Vita show their battle scars…
The PSP has a long history of user mode exploits in its game library. Without going into details, savegames have been our favorite vector of user mode hacks for years.
Some of you might remember the old days of GTA: Liberty City Stories, the dramas around Gripshift or Mercury, the awesome “commit suicide to trigger the exploit” in Medal of Honor, or, more recently, our numerous HBL or VHBL releases.
- Related read: 10 Great PSP Games with a Vulnerability
But did you know that each new firmware on the PSP or the Vita ships with a “blacklist” of those savegame exploits, hashes that help the console identify “bad” savegames? The games themselves are never patched, it would be way too costly to contact the development studio, recompile the game with a patch, go through a release process… not to mention how impractical it would have been to distribute patched UMDs back in the days (as far as I know, the “patched” version of GTA was actually just shipping with an updated firmware that had the blacklist thing implemented).
As a consequence, each new PSP firmware (including the ones on the Vita) ships with a growing list of hacked games, what I like to call the “battle scars” of the PSP in Sony’s fight against hackers.
For those interested, that blacklist can be found in savedata_utility.prx (thanks to neur0n for the screenshot below).
devs zer01ne and wth have compiled a full list for us. Most of those names remind me personally of a specific event in the 7 years history of the PSP scene, while some of these games will not remind you of anything.
It turns out that some games are actually blacklisted by Sony before any public exploit release is made. Leaks? Or Sony taking preventive measures against some specific games because the dev studio is the same as another, hacked game? This is probably the case for the latest addition in Vita’s firmware 1.80, 7 Wonders of the Ancient World, which has been patched probably because it was developped by MumboJumbo, the company behind Super Collapse 3.
Enjoy the list 🙂
- ULUS10041 – GTA:LCS (US)
- ULES00151 – GTA:LCS (EUR)
- ULES00182 – GTA:LCS (DE)
- ULJS00005 – Lumines (JAP)
- ULUS10002 – Lumines (US)
- ULES00043 – Lumines (EUR)
- ULKS46005 – Lumines (KOR)
- ULJM05089 – Gripshift (JAP)
- ULUS10040 – Gripshift (US)
- ULES00177 – Gripshift (EUR)
- ULKS46040 – Gripshift (KOR)
- ULJM05097 – Pursuit Force – Daitsuiseki (JAP)
- UCUS98640 – Pursuit Force (US)
- UCES00019 – Pursuit Force (EUR)
- UCKS45016 – Pursuit Force (KOR)
- UCUS98703 – Pursuit Force – Extreme Justice (US)
- UCES00694 – Pursuit Force – Extreme Justice (EUR)
- UCAS40150 – Pursuit Force – Extreme Justice (UK)
- ULUS10141 – Medal of Honor: Heroes (US)
- ULJM05213 – Medal of Honor: Heroes (JAP)
- ULAS42082 – Medal of Honor: Heroes (UK)
- ULKS46066 – Medal of Honor: Heroes (KOR)
- ULES00557 – Medal of Honor: Heroes (EUR)
- ULES00558 – Medal of Honor: Heroes (FR)
- ULES00559 – Medal of Honor: Heroes (DE)
- ULES00560 – Medal of Honor: Heroes (EUR Platinum)
- ULES00561 – Medal of Honor: Heroes (SP)
- ULES00562 – Medal of Honor: Heroes (DE)
- ULUS10310 – Medal of Honor: Heroes 2 (US)
- ULJM05301 – Medal of Honor: Heroes 2 (JAP)
- ULES00955 – Medal of Honor: Heroes 2 (UK)
- ULES00988 – Medal of Honor: Heroes 2 (EUR)
- ULES00956 – Medal of Honor: Heroes 2 (FR)
- ULUS10017 – Archer Maclean’s Mercury (US)
- ULES00011 – Archer Maclean’s Mercury (FR)
- UCJS10011 – [Hg] Hydrium (JAP)
- UCKS45007 – [Hg] Hydrium (KOR)
- ULUS10133 – Mercury Meltdown (US)
- ULES00466 – Mercury Meltdown (EUR)
- UCJS10043 – Shutyuuryoku Ikusei Korogasu Ekitai Puzzle – Tama-Run (JAP)
- UCUS98711 – Patapon (US)
- UCJS10077 – Patapon (JAP)
- UCKS45076 – Patapon (KOR)
- UCAS40193 – Patapon (UK)
- UCES00995 – Patapon (EUR)
- ULES00281 – Splinter Cell Essentials (EUR)
- ULUS10070 – Splinter Cell Essentials (USA)
- UCUS98732 – Patapon2 (USA)
- UCJS10089 – Patapon2 (JAP)
- UCJP12345 – Patapon2 (JAP)
- UCAS40239 – Patapon2 (UK)
- UCES01177 – Patapon2 (EUR)
- ULJM05561 – Fuuun Shinsengumi Bakumatsu den Portable (JAP)
- UCJS10001 – Mina no Golf Portable (JAP)
- UCKS45004 – Minna no Golf Portable (KOR)
- UCJM95401 – Minna no Golf – Coca Cola Special Edition (JAP)
- UCES00012 – Everybody’s Golf (EUR)
- UCUS98614 – Hot Shots Golf (USA – Everybody’s Golf)
- UCJS10075 – Minna no Golf Portable 2 (JAP)
- UCES00767 – Everybody’s Golf 2 (EUR)
- UCUS98693 – Hot Shots Golf 2 (USA – Everybody’s Golf 2)
- NPHG00081 – Everybodys Golf [HK] (demo)
- ULES00387 – Sudoku Coach (EUR)
- UCJS10094 – Minna no Sukkiri (JAP)
- NPUG80524 – Hot_Shots Shorties Green (USA)
- NPUG80527 – Hot_Shots Shorties Blue (USA)
- NPUG80528 – Hot Shots Shorties Red Pack (USA)
- NPUG80529 – Hot Shots Shorties Yellow Pack (USA)
- NPEG00046 – Everybody’s Stress Buster: Green Pack (EUR)
- NPEG00047 – Everybody’s Stress Buster: Blue Pack (EUR)
- NPEG00048 – Everybody’s Stress Buster: Red Pack (EUR)
- NPEG00049 – Everybody’s Stress Buster: Yellow Pack (EUR)
- UCAS40290 – Everybody’s Stress Buster (UK)
- ULES00389 – Professor Sudoku (EUR)
- ULES00388 – Carol Vorderman’s Sudoku (EUR)
- ULUS10126 – Carol Vorderman’s Sudoku (USA)
- UCES01250 = Motorstorm Arctic Edge (EUR)
- UCUS98743 = Motorstorm Arctic Edge (USA)
- UCJS10104 = Motorstorm Raging Ice (JAP – Motorstorm Arctic Edge)
- UCKS45124 = Motorstorm Arctic Edge (KOR)
- UCAS40266 – MotorStorm Arctic Edge (Asia)
- UCUS98701 – Everybody’s Tennis (US)
- UCJS10101 – Everybody’s Tennis (JP)
- UCES01420 – Everybody’s Tennis (EU)
- UCAS40307 – Everybody’s Tennis (HK)
- NPUG70053 – HotShots Tennis Get a Grip [US] (demo)
- NPJG90082 – Everybody’s Tennis (JP) (demo)
- NPEG90027 – Everybodys Tennis [EU] (demo)
- NPHG00081 – Everybodys Golf [HK] (demo)
- UCAS40266 – MotorStorm Arctic Edge (Asia)
- UCUS98701 – Everybody’s Tennis (US)
- UCJS10101 – Everybody’s Tennis (JP)
- UCES01420 – Everybody’s Tennis (EU)
- UCAS40307 – Everybody’s Tennis (HK)
- NPUG70053 – HotShots Tennis Get a Grip [US] (demo)
- NPJG90082 – Everybody’s Tennis (JP) (demo)
- NPEG90027 – Everybodys Tennis [EU] (demo)
- ULUS10227 – 7 Wonders of the Ancient World
- ULES01037 – 7 Wonders of the Ancient World
Do those names bring back memories? What epic hacks do you remember on the PSP?
Source: wth on /talk
Wow that’s crazy do essentitiall if we can somehow remove the game from the list vhbl would always work
Man I remember hacking medal of honor heroes 2 online with nitepr. Those were the days.
lol….wishful thinking, but in a perfect world would be nice
ugh this makes me feel old -_-
yeah same here lol
were all on the same boat
Ahh I remember the annoying Patapon demo load in lol
if i’m not going to have any internet access for the next 10 days (starting around 4am today) am i pretty much sc*** to get the new game for the new exploit?
Dont know where your from but in the U.S, McDonalds, Chick-Fil-A, Lowes, Starbucks, Macy’s, T-Mobile, Whataburger all provide free Wifi where I’m at. Before I had wifi at home I had my rooted android do that for me. Wifi is pretty much everywhere. You shouldn’t have much trouble finding it.
theirs gotta be an internet connection some where u can use…
not if i’m in the middle of the ocean on a cruise ship
Can you release the VHBL before tomorrow because monday is school and i want to play a little bit with the vhbl
School is out on Monday because of labor day.
@Brody ,im pretty sure they have free wifi on cruise ships
i used it while i was on a cruise ship. If your taking a cruise
on a canoe, now thats a different story. 🙂
If that’s true then that is awesome 🙂 I figured I would have to pay for some sort of satellite connection
Is this a 1.80 vhbl release?
what? this is just a look back at the history of user mode exploits.
I was wondering what all those IDs were for when I was skimming through my flash. Maybe I’ll hex edit the blacklist and try out the exploits on 6.60. Thanks wololo.
Patapon 2 demo exploit on 6.60 works with edited blacklist but dbglog says “ERROR INITIALIZING CONFIG”.
Many things have changed in VHBL recently, it is possible the latest VHBL does not work anymore for the patapon exploit, I am not very careful with maintaining compatibility with the old exploit… or did you actually download a hbl version from those days?
I tried out hbl r100 for Patapon 2. I’ll look for the latest version and try it out.
did you forget to add Super Collapse 3 to the list? 🙂
yeah I myself didn’t mention it to the list since it’s kinda ‘evident’ lol but indeed
So if I understand correctly run all these games the VHBL??
No the HBL
mostly not.. since i have psp 1k and i use cfw since DarkAlex’s one
So you’re using an outdated CFW, smart, must be fun.
I own the first 4 games as UMDs. I remember buying my first PSP. It was used and had GTA LCS within. I told the guy to not update the console otherwise I wouldn’t have bought it.
Still, how could those usermode exploits lead to kmode ?!
They don’t, a kernel exploit leads to a kmode exploit and a user mode exploit leads to a umode.
Some savedatas had a possitive respnse to the usermodekernal $ra wich means code could be implemented in the save with the game still working(not always) remember: Spartaaaaaaaaaaaa with gripshift? And from there they went furter to see if a positive response wasgiven to the kernalmode. if that is true you need to reverse engineer some modules to bypass the chain of trust. its a long process but here on Wololo there are alllot of threads which explain how to search for an exploit
By the way, asking for the release of the Ninja release might even stall the release. So just wait patiently ple
ase
i know it’s not a big deal, but you got a typo in the review. you wrote out sutdio instead of studio lol
thanks, fixed 🙂
I did not know 7 Wonders of the Ancient World has been one vhbl
no, read attentively: it could be potentially exploited because it has the same developer as Super Collapse 3. this is sometimes the case with exploits than a dev does a mistake on the majority, if not all, of his titles
So these are the VHBL PSP titles…
Dude I remember DarkAlex! I was so happy when he got backups working!!!!! Cause I had about a mil. or so!!!
Oh and the first downgrader I used with out a PSPTOOL battery, was with GTA. and HellCat’s app.
Is 7 wonder of the world the game we’re waiting for the new vhbl? I wonder
It really would matter if it was, which it isnt, cause it has already been black listed.
mmh… wouldn’t it be possible just to change some values in the firmware before installing it so that old exploits work? Or would that change some kind of hash of the firmware file cuasing the Vita to refuse the file?
oh ya, i still own my UMD of GTA LCS, also the first psp game i bought for my vita, yes even before SC3. all those years and the scene hasnt changed much, everyone still buggs the DEVs can i play free games, hurry do this, i need that, grrr i hated those guys, and still do, we all should JUST SAY THANKS or learn to CODE, which is out of the question for many as they dont even know how to read.
thank you all for all your hard work,
I think we should do both. I am actually looking into the possibilities.
the patapon 2 was agreat exploitsince it was the first (and the only) that i used 2 years ago… Damn, how i miss the patapon 2 song… 😛
Patapon 2 Demo, on the psp go, man I remember those days.
Dear, Mr. Homie Wololo Sir =)
I deleted my sc3 file by mistake after upgrading to filware 1.80 on my vita. Now SC 3 doesn’t work eventhough I try to re install it using open CMA.
Is there a way to fix this? or do I have to buy another game to install the new VHBL whenever it comes out.
Gracias Amigo in advance for the reply
VHBL for SC3 only works up to firmware 1.67 AFAIK. On 1.80, the exploit has been patched, so you’ll have to get the next release
Lumines…
Good times, hahaha
so if we knew wehre this list is located in a ps vita update file we could simply corrupt it by writing some trash with the correct md5 checksum to that location even without knowing the aes key, just whiping out one block of data?
1. savedata_utility.prx is in PSP EMU flash0
2. we can’t access PSP EMU flash0 from within user mode (=VHBL)
3. all the prx’es are encrypted, and you will have to decrypt them to change anything.
4. i don’t know how would you properly reencrypt it back to work on the psp emulator.
5. there’s no point, because attempting to gain a psp user access from within already having psp user access is… you know.
why would i have to decrypt it?
isn´t aes encrypted in 128 bit blocks?
woudn´t it be enough to change/delete a few blocks where the blacklist is stored?
I remember using the eloader back when GTA came out….and then 2.0…and then CFW and it was all uphill from there
dear wololo, we all need soon back to school,
so give a fast answer!!
do u gonne release it before school time begins or later!!!
plz we need to know it tell us plz. i dont wanne mis it again!!!
i dont want a answer like : Do as everybody and follow the site!
i need fast and Good answer !!! like every body here.
every body here know’s that u and ur team awesome is!!!
plz i dont wanne mis it again !!!
do u understand me?
we are waiting sooo long!!
oke good bye 🙂 !!!!
Your going back to school and..?
I work 10 hour shifts and I’m still waiting patiently
Crying for the release isn’t gonna make it happen any sooner. I hate to sounds like a dev but it’ll come out when its good and ready.
That and from what I’ve seen so far in following the scene here the releases are put out on times when most people are about to get the game
Yo, leave him alone, it appears he REALLY needs to go back to school.
Demo exploit = GOLD
Pata pata pata PON!
Dear Wololo,
It makes me sick watching people beg all the time for the release of the Ninja release etc.
Could you ip-ban them or somthing?
Want to be the first one? Why IP ban them for just asking a simple question? So what you’re saying is that anyone who asks for VHBL should get ip-banned?
Doesnt anyone of you remember the EPIC TIFF exploit??
I think it was on FW 2.80 or something like that…
Are you sure Sony is just comparing the hashes? Then it would be possible to reenable the exploit by just changing one bit in the savegame.
no they don’t use hashes of savefiles, they just look for the gameid identifier and then manually check the right parts of the exploited saves where the security issue lies
In most cases being bOfs they simply limit the string size(s) themselves to a specific length, the savedata_utility code handling that is pretty plain actually
My most favorite memory was playing both medal of honor games online. But at the same time nitepr started being used soon after i started to get decent at the multiplayer and ruined the online portion of the game. Both my best and worst memories are tied to the same two games ironic, but ill never forget the day that i downgraded my phat 1000 for the first time and ran homebrews on 1.50, aww the good ol days! Takes me back, and thanks to wololo’s site,and others for guidance on how to fully enjoy what the psp experience truly is and was! Good times
@wololo,
Is it possible to dummy/fake this module “savedata_utility.prx” since it holds all the blacklisted savegames?
No, that would require an exploit, which puts you in a “chicken/egg” type of situation 🙂
point taken 😀 i forgot about the vita side… lol
Wololo, before launching ninja, I want to thank you in advance for sharing your work, eye diariamento my e-mail and I will continue looking.
@
WololoIsGay on September 2, 2012 at 2:21 am
Want to be the first one? Why IP ban them for just asking a simple question? So what you’re saying is that anyone who asks for VHBL should get ip-banned?
Reply
ME: So you’re saying that it’s normal if people keep on beging for the release?
I’ts just not cool to do such a thing.
He never replied to anything of the Ninja release to Non contributers, so why do you people think your special?
Just sit tight and wait.
True, true. And ninja release is a secret release that was not meant to be told to anyone else except the people that help in developing VHBL.
hi, what will happen with the game when each savedata been blacklisted??
will the still playable in the new FW? or they simply won’t load any saves?
just my curiousity, is each savedata in 1 game got the same hashes? or how sony can determine which savedata is save to load or with (v)HBL exploit?
thanks 🙂
I would assume that the hash is representative only of save data that contains the “bug” necessary to trigger that exploit, or that contains more data or data reflecting VHBL code rather than what would normally be contained inside one of the save data files.
Sony would probably have a lot of upset fans and need to offer refunds if they repeatedly patched PSP games so you couldn’t save and thus couldn’t play them ;p
Although I wouldn’t be surprised if they did that to a game at some point in the future, if the felt it was necessary to keep an exploit constrained to prior firmwares.
if the hashes reflect to VHBL’ed savedata then this hashes would change everytime we compile VHBL right?
i think with Vita, $ony added ALOT of angry fans already
“PSP game conversion” comes to mind 🙂