PSP exploits and the Vita: how hacking PSP Minis became relevant
Software usermode exploits on the PSP have always been either about exploits in a game (generally a buffer overflow), or exploits in one of the embedded libraries such as libtiff. Exploits in games had the inconvenience that it often meant buying an expensive game that you might not end up really playing, but sometimes it was well worth it. The overall idea was to make sure to buy a copy of the game that didn’t have a patch for the security hole (in hindsight, the games were actually not patched, their metadata was just slightly modified to require a higher version of the Firmware, and the firmware is where the patch was). As long as you didn’t update your firmware and were able to buy one of the “golden” UMDs somewhere, you would be able to enjoy a HEN, a downgrade, or a CFW.
That system had its drawbacks, mostly the insane price of the UMDs for some of those games (unpatched copies of GTA Liberty City Stories reached up to 20,000Y – that’s $250 – in Japan), but other than that it was a pretty good way to get exploits.
Then came the PSP Go, with its concept of “all digital” purchases. UMDs were gone, and if an exploit was found in a game, it would have been easy for Sony to remove the game from the PSN, patch the firmware, and put the game back on the store afterwards (as we’ve seen, this is what they do nowadays with VHBL or CEF for the Vita, which is why we came up with the concept of Ninja releases).
The PSP Go suddenly made Game exploits much less attractive. What would be the point of releasing an exploit that all new PSP Go owners would not be able to use? This is something I myself mentioned several times on this blog back in the days.
There was still, however, one loophole in this system, which was the PSP Demos. It had seemed a good idea a while ago that PSP Demos should be distributed not by Sony only, but by other websites promoting the PSP. Therefore, Demos were signed in a way that allowed anybody to redistribute them, without having to go through the PSN. This is why the first hack publicly available for the PSP go was an exploit in the Demo of Patapon2, which was later followed by similar exploits such as the Japanese demo of Minna no sukkiri. These demos had the double benefit of being free and not requiring a PSN connection, which meant no forced update for PSP Go owners, so everyone was happy.
Of course, there’s not an infinite amount of Demos with such vulnerabilities, but that became quickly irrelevant as better hacks ended up being found for the PSP, in particular the possibility to sign content for it, which removed the need for usermode exploits.
Usermode exploits in PSP games are easy to find and implement nowadays (see the guide here), and experience shows us that lots of psp games are vulnerable to simple buffer overflow attacks. But the PSP Go digital model, and, more importantly, the Vita today (where all PSP purchases are – obviously – digital, and the few psp demos there all need to be downloaded through the PSN) made that type of attack quite irrelevant. In the end, buying expensive PSP games, just for a hack that will end up being patched in next firmware, might seem quite pointless to some of us.
It’s in this new context that looking for exploits in PSP minis appears to me as a new valid option today. While it wasn’t relevant to look for vulnerabilities in a digital-only game back when all psps had UMD support, the change of situation now is that digital psp games are the only choice, and in that case we might as well look for the cheap ones. In addition, since Minis weren’t interesting to hackers back in “the days” for the reason mentioned above that they were digital-only, this increases the probability of finding vulnerabilities in them today, as they still are a “fresh” source for investigation.
Of course, the situation is not ideal, we would all prefer free hacks, and we would all prefer a “real” vita exploit. But for now, hacking psp minis in order to run VHBL or CEF sounds like the most viable approach, compared to looking for exploits in “regular” psp games, which are more expensive to the end user. This situation is of course not a secret, and you’ve seen a tendency for the past VHBL/CEF releases to target more and more “Minis” (Urbanix, Mad Blocker alpha, …), as I think hackers all reached the same conclusion as me.
The principle with PSP hacks on the Vita nowadays is not to find the “Golden” game like it used to be the case for GTA, Gripshift or Lumines a few years ago. The idea seems more to flood the scene with regular releases involving cheap games with vulnerabilities to guarantee Sony won’t keep up. Of course, some of us won’t see the point to keep playing that game of cat and mouse, but think of how many minis you can buy for the price you would have paid for a unpatched copy of GTA…