
Everything you should know about exploits!

Xian Nox
Retired Mod
Posts: 2749
Joined: Fri Nov 05, 2010 5:27 pm
Location: Over the hills and far away

Re: Everything you should know about exploits!

Post by Xian Nox » Sun Mar 04, 2012 12:34 pm

Salahkun wrote: If I'm exploiting a game, can it brick my PSP Go?
No. User mode (or game) exploits can't access flash0 and can't brick your PSP.
Salahkun
Posts: 62
Joined: Wed Feb 29, 2012 4:52 pm

Re: Everything you should know about exploits!

Post by Salahkun » Sun Mar 04, 2012 3:46 pm

Xian Nox wrote:
Salahkun wrote: If I'm exploiting a game, can it brick my PSP Go?
No. User mode (or game) exploits can't access flash0 and can't brick your PSP.
Thanks for the answer. I will have to start crashing my games.
The Mana World Player Since 2005

Salahkun
Posts: 62
Joined: Wed Feb 29, 2012 4:52 pm

Re: Everything you should know about exploits!

Post by Salahkun » Sun Mar 04, 2012 4:34 pm

My PSP Go is Type A and the drivers you have in the tutorial are for B.
Where can I get the Type A ones? I can make PSPLink work on Windows 7 :(
The Mana World Player Since 2005

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

Re: Everything you should know about exploits!

Post by JJS » Sun Mar 04, 2012 4:55 pm

"PSP Type A" is the USB mass storage device (memory stick and internal flash). You have to install the "PSP Type B" driver only after starting PSPLink on the PSP.

dinamico
Posts: 8
Joined: Mon Mar 05, 2012 11:45 pm

Re: Everything you should know about exploits!

Post by dinamico » Mon Mar 05, 2012 11:56 pm

Hello everyone!! After reading the complete tutorial I have one question. How could the first PSP hackers access the memory and find exploits like TIFF without PSPLink?
And I found a mistake. In the theme example, the crash address in the images is different from the one in the code.

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Everything you should know about exploits!

Post by m0skit0 » Tue Mar 06, 2012 7:56 am

There were no exploits like TIFF without PSPLink. If you want to know how it all started, here you go (for the n-th time).
I wanna lots of mov al,0xb
"just not into this RA stuffz"

dinamico
Posts: 8
Joined: Mon Mar 05, 2012 11:45 pm

Re: Everything you should know about exploits!

Post by dinamico » Tue Mar 06, 2012 11:28 pm

Yeah, but on the first attempt to access the memory, TyRaNid or whoever didn't know how the memory was organized, isn't it? I guess they worked to decipher the memory map, but how? When NEM discovered the bug in the 1.00 kernel, I guess he wrote some assembler or compiled some code with a GCC cross-compiler (MIPS) or so to execute a "Hello World", but how did he know where to put the code? He needed to know that user code goes at xxxxx address, or what the system call to print on the screen is; he needed some library or guide. Did they decipher it by looking at the motherboard, searching traces and looking for glue logic, or did they discover where things were by software (like PSPLink)? How could the PSPSDK's programmers make all the library if they were working "blind"?
Sorry for my English and if I make you waste your time.

dinamico
Posts: 8
Joined: Mon Mar 05, 2012 11:45 pm

Re: Everything you should know about exploits!

Post by dinamico » Mon Mar 12, 2012 11:37 am

I do not know if no one has answered me because I have not expressed myself well or because no one knows the answer. Can anyone tell me if I said something without sense?

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Everything you should know about exploits!

Post by m0skit0 » Mon Mar 12, 2012 1:01 pm

I think all this is answered in the video, but anyway...
dinamico wrote: Yeah, but on the first attempt to access the memory, TyRaNid or whoever didn't know how the memory was organized, isn't it?
Of course they didn't know.
dinamico wrote: I guess they worked to decipher the memory map, but how?
I don't know how they specifically did it, but you can, for example, just ask all addresses, and those returning a bus error do not exist.
dinamico wrote: but how did he know where to put the code?
Just watch where the kernel puts it, and do the same. Also, AFAIK, back in 1.00 the PSP executed any ELF thrown at it, and ELF being an open standard format, it wasn't that hard to make a homebrew executable.
dinamico wrote: He needed to know that user code goes at xxxxx address, or what the system call to print on the screen is; he needed some library or guide
You can get all this from PSP official games/executables. Also, I think they got lucky and there was a game that included debugging symbols (aka was compiled with GCC's -g flag on). Bubble Bobble, IIRC.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
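The "ask all addresses and those returning a bus error do not exist" idea from m0skit0's reply, as an added example that is not part of this thread: it scans a constructed, partly unmapped region in an ordinary POSIX process, catching the fault signal where the PSP would raise a bus error. The page size, the mmap layout and the demo_scan helper are assumptions of this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>
static sigjmp_buf probe_env;           /* where a faulting probe lands */
static void fault_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Touch one byte at addr. Returns 1 if the read succeeded, 0 if it raised
 * SIGSEGV/SIGBUS (the userland analogue of a bus error on a missing PSP address). */
int probe_readable(const volatile uint8_t *addr) {
    struct sigaction sa, old_segv, old_bus;
    int ok;
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;          /* handler never returns, so don't mask the signal */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        (void)*addr;                   /* volatile forces a real load */
        ok = 1;
    } else {
        ok = 0;                        /* arrived here via fault_handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* Walk [start, end) one page at a time and count the pages that answer. */
size_t count_readable_pages(uintptr_t start, uintptr_t end, size_t page) {
    size_t n = 0;
    for (uintptr_t a = start; a < end; a += page)
        if (probe_readable((const volatile uint8_t *)a))
            n++;
    return n;
}

/* Constructed test region: 4 pages, middle 2 set PROT_NONE, so a scan must count 2. */
size_t demo_scan(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *r = mmap(NULL, 4 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r == MAP_FAILED) return (size_t)-1;
    mprotect(r + page, 2 * page, PROT_NONE);
    size_t n = count_readable_pages((uintptr_t)r, (uintptr_t)r + 4 * page, page);
    munmap(r, 4 * page);
    return n;
}
```

On the real hardware there is no signal handler to catch the fault, which is why the thread keeps coming back to needing code execution (PSPLink or the 1.00 ELF loader) before any such survey is possible.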

dinamico
Posts: 8
Joined: Mon Mar 05, 2012 11:45 pm

Re: Everything you should know about exploits!

Post by dinamico » Tue Mar 13, 2012 11:53 pm

m0skit0 wrote: just ask all addresses, and those returning a bus error do not exist.
Implying I have control of the system, but I must have my PSP already hacked to do that by software, or if I do that by hardware (by a bus request and looking at the return values with external hardware, for example) the data is encrypted, so I can't get very much information. But, in an attempt to answer myself, I guess there is another option. There is no need to know the memory map to hack it, right? At least, not the first time.
m0skit0 wrote: Just watch where the kernel puts it, and do the same.
It's the same, you have to take control of the system to get info from the kernel.
m0skit0 wrote: Also, AFAIK, back in 1.00 the PSP executed any ELF thrown at it, and ELF being an open standard format, it wasn't that hard to make a homebrew executable.
It's the key of everything, because while the PSP executes any homebrew, we can do all the things I said before easily. We don't have to worry about where the kernel puts the code because the system runs it, and we can now do what you said about getting the return values. So if they hadn't discovered this easy hack, they couldn't know how the PSP works, isn't it?

What I'm trying to ask is: if we don't get a gap in the system by testing blindly, we can't move forward because we have no information about it, so we have to have luck after all. Is that true?
