10 Days of Hacking, Day 4: The PSP, Part 1
We all know this machine; we have been studying its internals for years now. But I am here to go over the early hacks and mistakes that gave us the initial access on which everything we have today was built.
The PSP was hacked early in its lifespan and has stayed hacked for almost its entire time on the market, with very few exceptions such as the 5.50-6.20 dark ages. On the PSP scene we have seen many great hackers come and go, and many of us made some of the best memories of our teen years there (some of us still are). But all of this happened thanks to early work by many great people, and to dumb mistakes by a company that was new to the market of portable, upgradeable consoles.
UNSECURED = A HACKER'S TREASURE
You may well have heard this before, but early PSP firmwares were not really secured at all.
Flash0 was easily accessible from user space, the kernel modules stored in flash0 were not encrypted at all, and crafting your own custom module was as easy as grabbing a MIPS toolchain, compiling your code, copying it to flash0 and adding an entry for it to a plain-text boot configuration file.
That’s it, you got yourself a Custom Firmware.
But flash0 was not the only thing left unprotected. Early PSP models were essentially watered-down devkits: the headphone/remote connector doubled as a full-fledged debug port, and that, together with the fact that some early Japanese games were compiled in debug mode, allowed hackers to learn how many of the core kernel functions worked, how to call them and what their names were.
Sony quickly issued a firmware update, version 1.50, to close many of the ways hackers were running unsigned code, such as kernel-flagged ELFs, but it didn't take long for hackers to find new ways to run unsigned code: first the memory stick swap trick, and later the more convenient and infamous 1.50 kxploit.
Here on wololo.net we have talked before about the vicious cycle of kernel exploits: to find a kernel exploit you need an unencrypted dump of the kernel modules, but to obtain that dump you need kernel access in the first place.
This cycle never really existed on the PSP, because you had direct access to the kernel modules from the start. Even after Sony updated the firmware and protected the kernel, you still had a kernel dump from which to analyse the inner workings of the PSP and look for bugs that might still be present in newer versions.
OVERFLOW THAT BUFFER
A buffer overflow occurs when more data is copied into a buffer than it was allocated to hold: the excess crosses the buffer's boundary and ends up written to memory outside it, somewhere it was never intended to go.
Let's see this with a clearer example. Picture two routines in the same program: Program 1 allocates 12 bytes on the stack, and Program 2 allocates 10 bytes right next to it, so that part of the memory map looks like this:
[][][][][][][][][][]||[][][][][][][][][][][][]
Program 2 data space — Program 1 data space
Program 2 is supposed to receive at most 10 bytes, but instead it receives 14, and it has no check that would stop the copy at its own boundary, so the two buffers end up like this:
[x][x][x][x][x][x][x][x][x][x]||[x][x][x][x][][][][][][][][]
Program 2 allocated data — Program 1 allocated data
As you can see, data that was meant for Program 2 ends up in memory that belongs to Program 1.
Depending on what Program 1 does with that memory, it will crash, malfunction, or carry on unaffected. A crash or malfunction tells us that our input reaches Program 1's state; and if the bytes we overwrite include something like a saved return address or a function pointer, we control its execution flow, which in many cases is what lets us run our own code.
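The overrun above, worked through in C as an added example (this is not code from the original article, nor from any PSP exploit; the two buffers are modelled as one flat region, an assumption made so the overrun stays well-defined and deterministic, and the 'x' input is constructed). It shows the unchecked copy beside the length check that would have prevented it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat model of the memory map above: Program 2's 10-byte buffer sits
 * directly below Program 1's 12-byte buffer. Modelling both as one region
 * keeps the overrun well-defined C; overrunning a real stack array is
 * undefined behaviour and may simply be aborted by a stack protector. */
#define PROG2_SIZE 10
#define PROG1_SIZE 12
#define PROG2_OFF  0
#define PROG1_OFF  PROG2_SIZE

struct memmap {
    uint8_t bytes[PROG2_SIZE + PROG1_SIZE];
};

/* Program 1's data before the copy; anything else means it was clobbered. */
static const uint8_t PROG1_FILL = 0xAA;

static void memmap_init(struct memmap *m)
{
    memset(m->bytes + PROG2_OFF, 0x00, PROG2_SIZE);
    memset(m->bytes + PROG1_OFF, PROG1_FILL, PROG1_SIZE);
}

/* Vulnerable receive routine: copies whatever length it is handed, with
 * no check against the 10 bytes Program 2 actually owns. */
void receive_unchecked(struct memmap *m, const uint8_t *in, size_t len)
{
    memcpy(m->bytes + PROG2_OFF, in, len);   /* len > 10 spills into Program 1 */
}

/* Hardened version: reject input that does not fit, leave memory untouched. */
int receive_checked(struct memmap *m, const uint8_t *in, size_t len)
{
    if (len > PROG2_SIZE)
        return -1;
    memcpy(m->bytes + PROG2_OFF, in, len);
    return 0;
}

/* How many of Program 1's bytes no longer hold their original value. */
size_t prog1_bytes_clobbered(const struct memmap *m)
{
    size_t n = 0;
    for (size_t i = 0; i < PROG1_SIZE; i++)
        if (m->bytes[PROG1_OFF + i] != PROG1_FILL)
            n++;
    return n;
}

/* Replay the scenario: `len` constructed bytes ('x') arrive for Program 2.
 * Returns the number of Program 1 bytes overwritten (len - 10 for the
 * unchecked copy, 0 when everything fits), or -1 when the checked routine
 * refused the input. */
long run_scenario(int use_check, size_t len)
{
    uint8_t in[PROG2_SIZE + PROG1_SIZE];
    memset(in, 'x', sizeof in);
    if (len > sizeof in)            /* keep the model itself in bounds */
        len = sizeof in;

    struct memmap m;
    memmap_init(&m);
    if (use_check) {
        if (receive_checked(&m, in, len) < 0)
            return -1;
    } else {
        receive_unchecked(&m, in, len);
    }
    return (long)prog1_bytes_clobbered(&m);
}

/* Print the map in the article's notation: [x] wherever input landed. */
static void dump(const struct memmap *m)
{
    for (size_t i = 0; i < sizeof m->bytes; i++) {
        if (i == PROG1_OFF)
            fputs("||", stdout);
        printf("[%c]", m->bytes[i] == 'x' ? 'x' : ' ');
    }
    putchar('\n');
}

int main(void)
{
    uint8_t in[14];
    memset(in, 'x', sizeof in);
    struct memmap m;

    memmap_init(&m);
    receive_unchecked(&m, in, sizeof in);   /* 4 bytes land in Program 1 */
    fputs("unchecked, 14 bytes: ", stdout);
    dump(&m);

    memmap_init(&m);
    if (receive_checked(&m, in, sizeof in) < 0)
        puts("checked, 14 bytes: rejected, Program 1 untouched");
    return 0;
}
```

The check is the whole fix: the copy itself is identical in both routines, and the only difference is that the hardened one compares the incoming length against the size of the buffer it owns before touching memory.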
This is what happened to a very familiar game: Grand Theft Auto: Liberty City Stories. A buffer overflow in the game allowed hackers to run their own unsigned code, and combined with kernel exploits found in the 1.XX dumps this allowed a downgrader to be made, so users who had updated to 2.50 or 2.60 and wished to go back to 1.50 could now do so thanks to this game. (The earlier 2.00 to 1.50 downgrader relied on a different bug, in TIFF image handling, not on GTA.)
This technique for hacking PSP games was left untouched for a long time, until the dark times of the PSP scene led to the birth of the Half Byte Loader project, but that is not something I'll be covering today.
An updated GTA UMD was quickly released, bundling a Sony firmware update that patched the vulnerability (note from wololo: to be even clearer, it is believed the game was not patched; what was patched was the firmware, and the only change in the game was that it now required a higher firmware to run). Finding an unpatched copy of the game became hard, and many UMD copies sold on eBay for excessive prices, from people who wanted to make money off the hard work of others. Every scene is full of a**holes.
CUSTOMIZE THE SYSTEM
While most exploits up to 2.6X allowed PSPs to be downgraded so that older hacks could be used, the media features and functionality of the newer firmwares, and new games in particular, required the PSP to be on the latest official firmware.
Most people had to make the hard decision of either updating and giving up homebrew in favour of new games and features, or downgrading to use homebrew and giving up new games and features.
It wasn't until a Spanish developer going by the name of Dark_Alex released what he first called "Special Edition" (SE) and then "Open Edition" (OE) firmware, what we now simply call Custom Firmware, that users were able to have both homebrew and the new features at the same time.
Custom Firmwares were able to run because of a bug in the PSP's Initial Program Loader (IPL) that let us run unencrypted custom kernel modules in place of Sony's originals.
Sony of course kept updating the firmware and Dark_Alex kept hacking it, so the cat-and-mouse game went on for a long time, until DAX announced his retirement from the PSP scene after releasing 5.00 M33-6, a CFW that is still in use today.
Dark_Alex was the first to do what he did; he paved the way for generations of custom firmwares that still shape the modern ones we have today. There is not a single CFW today, be it PRO on the PSP or TN-CEF on the ePSP, that does not originate from Dark_Alex's original code and ideas. He is the giant on whose shoulders all of us stand, and should always get a mention when talking about PSP hacking.
CONCLUSION
We have taken a quick look at some of the classic hacks that let us achieve what we have today; in part 2 I will review the more modern hacks in use on the PSP. Stay tuned!
Liked this article? Check Day 5: The PSP, Part 2, and Day 3: The PS2.
I don’t care about being the first, but I do care to be the first one to salute almighty Dark Alex. DaX, you rocked hard and will always be remembered.
The way you formulate that makes it sound like he’s dead.
Well, yeah… I mean he's dead in terms of the hacking scene… he hasn't posted anything since 5.00 M33-6.
Exactly.
Just because the old guard have stopped developing doesn’t mean they’re not watching the scene 😉
I totally remember the good old days of memory stick swapping just to get Doom to run on my PSP… It's amazing to see how far all these hacks have gone for the PSP.
Can’t wait for Part 2, it’s so awesome!
You forgot about DevHook and Pandora; they were amazing in every hack ever made.
I agree with you, but maybe that section will be covered in part 2!?
You see, part 1 is about the early hacks, while part 2 is about the late hacks (5.03 and above), so Pandora doesn't fit in it.
I wanted to talk about Pandora but couldn't find any technical details on how it worked in time for the post.
What about “Playstation Portable Cracking” presentation at 24c3 by TyRaNiD? If I recall correctly he covered a lot from the early stages of PSP hacking including Pandora.
I will see it, but it won't make a difference; part 2 is already written and the Pandora hack doesn't really fit in it.
Oh, and great posts btw, keep it up!! 🙂
Reading this makes me want a PSP-1000 again, just to run M33 CFW and use Time Machine to go back to 1.50 and back again to CFW. Those were some fun times! Brings back a lot of memories! Thanks for a nice true story here, good reading, and looking forward to part two.
Is there a PSP software downloader that's Vita-prepared?
Preferably ISO and torrented?
cheers
we have a zero tolerance policy against piracy
Isn't hacking to get free PSP ISOs from an exploit piracy?
Is installing (legal) Windows which allows you to download and install pirated games also considered as piracy?
Some people use their exploit to play backups of games that they already own for PSP in the form of UMDs and don't want to buy again, not to mention the huge amount of homebrew they enjoy.
He clearly asked for a tool capable of downloading ISOs, so it's definitely NOT his backup of a legally bought copy; that's piracy.
All these 10 Days of Hacking articles are fun reading. I just shut everything off to be able to concentrate on the reading. I tell my boss at work that I'm ill and need to go home, then I tell my wife I'll work late, don't wait for me. Then I go to some small cafeteria and just read. Pop open the old PSP and dream away. When the battery is out I continue on the PS Vita. Reading these articles makes you think about old times, and it takes hours, and a lot of coffee. These articles are amazing. Keep up the good work.
So much nostalgia. This is the device that got me into console hacking in the first place. 2005, when I was only in my first year as a teenager. Can't believe it's already been 9 years! When the PSP came out 9 years ago, 9 years before that was 1996; 1996-2005 feels like it took longer than 2005-2014.
Ah, the good old PSP days. Unfortunately, I never got my hands on a PSP 1000 or PSP 2000 with the hackable motherboard. I was late to the party. I got my PSP back in February 2009, and I thought I could hack it the same way as the previous versions. But nope, I couldn't. And that was a total letdown.
But then eventually they found the ChickHEN exploit and the PSP 3000 got hacked, but still, it wasn't the same as hacking the PSP with a Pandora battery.
There is a mistake in the article. The 2.00 to 1.50 downgrader didn’t use GTA, it was a TIFF exploit. Perhaps Acid_Snake got mixed up with GTALCS being the first game to require 2.00.
The GTALCS exploit was for the 2.60/2.50 to 1.50 downgrader and the exploit was found thanks to Edison_Carter’s cheatdevice (he also was famous for finding unreleased cheats in San Andreas).
How can you remember all this, for God's sake? It was in 2005 or 2006!
I hope we can make some memorable memories with the VITA 🙂
"releasing 5.00 M33-6,"
What about re-releasing it for TN-V?
Or any other custom firmware in TN-V on the Vita?
cheers
I guess Dark_Alex got the final laugh, because M33 can still connect to PSN even today.
Just to clear up one mistake in the article, the 2.00 downgrader used a .TIFF exploit, whereas the 2.60/2.50 downgrader was the one that used GTALCS and Lumines was used for a 3.XX (I forget which) downgrader.
Ah, the original PSP. The portable gaming system that got me hooked on homebrew, backing up my own ISOs, hacks. q:
Nice article, Acid_Snake.
Dark Alex’s first custom firmware wasn’t “Open Edition” as stated in the article above. It was actually “SE” (Special Edition) for 2.71. And actually even before that he released the POC firmware for 1.50 “technically” his first cfw but it couldn’t do much.
K, I have to make one “negative” comment about this article. The part about the GTA UMD’s and their pricing on ebay. How on earth is that cheating, or ripping off the scene’s work? Unless of course they not only sold the UMD, but the required files to get a PSP setup as well. But still that’s a bit of grey area to me. Because in all honesty the UMD pricing can all be chalked up to “supply and demand.” There was a highly limited supply and thus the demand for it was that much greater. So people had to pay more for it.
This same principle holds true for collector's items of all sorts, as the item in question has become a collector's item due to its availability. So people have to pay a high price depending on that rarity.
So you can’t blame people for selling the game for extremely high prices because of a simple economic principle or law. Unless of course they packaged the files up and called them their own. Then yes, I agree, they are ***.
Na, I agree with Acid_Snake, they are ***holes. Much the same as ticket touts selling tickets at extortionate prices to desperate fans! Touts are the scum of the earth.
But nice article overall! I enjoyed it. I loved the PSP scene and hope that one day, after the PS Vita has saturated the market enough and enough games exist that it doesn't destroy the market and the handheld, we can have the same level of access to our PS Vitas that we had on the PSP, with full custom firmware on the PS Vita side.
Also I have to send my thanks and appreciation towards Dark_Alex as well! The man is a *** genius! He definitely knew how to make the PSP sing and sing all day long.
The great pillar of the hacking community, the cornerstone of its foundation. Props to him for leaving such a legacy.
For those who want a really deep look into the history I recommend https://github.com/bibanon/android-development-codex/wiki/PSP-Custom-Firmware-History and of course TyRaNiD’s talk at 24c3 https://media.ccc.de/v/24c3-2209-en-playstation_portable_cracking
Quote from the page: "Using a dumped PSP system ROM image, and the knowledge discovered from the Wipeout disc, the layout of the executable format was successfully reverse-engineered by a hacker named "NEM" and the "Saturn Expedition Committee" group."
That's where it all started, somehow. I still remember the days idling on IRC, testing the new recovery flasher versions and cracking the E-1000 at gamescom a month before it was released. Shout-outs to Mathieulh, Hellcat, some1, davee, Dark Alex, Silverspring, team noobz, Red Squirrel, npt (R.I.P.) and all those who contributed or are still contributing to the scene. And of course you, wololo, for giving us cheap game exploits, HBL and a forum.