Everything you should know about exploits!

All the Help you need is here
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Everything you should know about exploits!

Post by m0skit0 » Wed Mar 14, 2012 8:32 am

dinamico wrote:I must have my psp already hacked to do that by software
Yes. I meant by hardware.
dinamico wrote:by a bus request and looking the return values with an extern hardware, for example) the data is encrypted so i can't get very much information
Data is not encrypted on RAM on PSP. And also if you're trying to figure out the memory map layout, actual data is useless.
dinamico wrote:There is no need to know the memory map to hack it, right? At least, not in the first time.
Depends on what you mean by "hack it", and depends on the system and the type of protection set up.
dinamico wrote:It's the same, you have to take the control of the system to get info from the kernel.
Nope. If you peek by hardware you don't need software control. You can simply dump kernel memory once you've figured out the memory layout and what part should be the kernel (if any).
dinamico wrote: What I'm trying to ask is if we don't get a gap in the system testing blindly, we can't move forward because we have no information about it, so we have to have luck after all. Is that true?
I do not agree. Usually hardware hacks are the first, because they expose the internal device architecture, which then can be tried to be exploited by software (using hardware to inject the code, checking what's happening when some code is executed/vulnerability found, etc...). IMHO there's no such thing as luck but knowledge and experience. Of course you can be lucky and Sony made a big mistake which allows easier cracking of the system's protection (like PSP's 1.00 executing unencrypted ELFs, PS3 return 4 and such), but you have to know where to look or luck has really no meaning. Nobody cracks a system's protection with luck only.
I wanna lots of mov al,0xb
"just not into this RA stuffz"

dinamico
Posts: 8
Joined: Mon Mar 05, 2012 11:45 pm

Re: Everything you should know about exploits!

Post by dinamico » Thu Mar 15, 2012 8:14 pm

m0skit0 wrote: Data is not encrypted on RAM on PSP
m0skit0 wrote: You can simply dump kernel memory once you've figured out the memory layout and what part should be the kernel (if any).
Perfect, so I can dump the kernel, also I can dump the RAM, I can compare them to locate where the IPL puts the kernel on it; I can't do that with games because they ARE encrypted, but as we now have access because we found a gap in kernel 1.00, we can run plain code so NOW we can compare with the RAM. I think I understand.

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Everything you should know about exploits!

Post by m0skit0 » Fri Mar 16, 2012 12:48 pm

dinamico wrote: so I can dump the kernel, also I can dump the RAM, I can compare them to locate where the IPL puts the kernel on it
No need. That's already known. Kernel is put at 0x88000000 IIRC.
dinamico wrote: I can't do that with games because they ARE encrypted
Games when loaded in memory are decrypted. And btw, kernel is encrypted too.
I wanna lots of mov al,0xb
"just not into this RA stuffz"

dinamico
Posts: 8
Joined: Mon Mar 05, 2012 11:45 pm

Re: Everything you should know about exploits!

Post by dinamico » Sat Mar 17, 2012 6:08 pm

OK, it seems we misunderstood each other.
Although I guess I have mixed things up a bit talking in hypothetical terms. Sorry for that. Also I'm afraid to ask individual questions, because I think it is on the set where I have the problem, but let's see...
m0skit0 wrote: Kernel is put at 0x88000000 IIRC.
Yes. I know that. But how could they know? What technique did they use to know? Remember I'm talking about the first moments when they could only do hardware hacks and, if every code in PSP was encrypted, how could they compare them with RAM if they used the technique of dumping memory?
In the TyRaNiD speech, he didn't say anything about that, about what information and how to get that information from hardware, and that's what I want to know.

Risk3082
Posts: 6
Joined: Sun Mar 18, 2012 10:27 am

Re: Everything you should know about exploits!

Post by Risk3082 » Wed Mar 21, 2012 11:11 pm

-Now start “pspsh.exe”, you should see the following text:

host0:/>


This step doesn't work for me... Can anyone help? Everything is installed but host0:/> doesn't appear...

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Everything you should know about exploits!

Post by m0skit0 » Thu Mar 22, 2012 9:07 am

dinamico wrote: But how could they know? What technique did they use to know?
First, they knew PSP had a MIPS processor. By itself, MIPS defines user and kernel spaces. So you already know that the kernel is at 0x80000000 or higher. Then you just do a RAM dump by hardware.
dinamico wrote:if every code in PSP was encrypted, how could they compare them with RAM if they used the technique of dumping memory?
Compare for what?
I wanna lots of mov al,0xb
"just not into this RA stuffz"
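
The user/kernel split m0skit0 describes, as an added example that is not part of the original posts: it classifies a 32-bit address using the standard MIPS32 fixed segment map and, for the unmapped kernel windows, derives the physical address. It assumes the console's CPU follows that standard map; the function names are hypothetical and all sample addresses except 0x88000000 are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed virtual-address segments of the standard MIPS32 memory map. */
typedef enum { KUSEG, KSEG0, KSEG1, KSEG2 } mips_seg;

/* The top address bits alone select the segment; no page tables involved. */
mips_seg mips_segment(uint32_t va)
{
    if (va < 0x80000000u) return KUSEG; /* user mode, mapped */
    if (va < 0xA0000000u) return KSEG0; /* kernel only, unmapped, cached */
    if (va < 0xC0000000u) return KSEG1; /* kernel only, unmapped, uncached */
    return KSEG2;                       /* kernel only, mapped */
}

const char *mips_segment_name(mips_seg s)
{
    static const char *names[] = { "kuseg", "kseg0", "kseg1", "kseg2" };
    return names[s];
}

/* kseg0/kseg1 are fixed windows onto the low 512 MiB of physical memory,
 * so the physical address is just the low 29 bits. Returns 1 and fills *pa
 * for those segments, 0 for mapped segments (translation is not fixed). */
int mips_unmapped_phys(uint32_t va, uint32_t *pa)
{
    mips_seg s = mips_segment(va);
    if (s != KSEG0 && s != KSEG1) return 0;
    *pa = va & 0x1FFFFFFFu;
    return 1;
}

int main(void)
{
    /* Constructed samples; only 0x88000000 is quoted in the thread. */
    const uint32_t samples[] = { 0x00400000u, 0x80000000u, 0x88000000u,
                                 0xA8000000u, 0xC0000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t pa;
        printf("0x%08X  %-5s", (unsigned)samples[i],
               mips_segment_name(mips_segment(samples[i])));
        if (mips_unmapped_phys(samples[i], &pa))
            printf("  phys 0x%08X\n", (unsigned)pa);
        else
            printf("  (TLB-mapped)\n");
    }
    return 0;
}
```

Under this map, 0x88000000 falls in kseg0 and corresponds to physical offset 0x08000000, the same memory that 0xA8000000 reaches uncached.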

trill904
Posts: 14
Joined: Sat Apr 14, 2012 6:36 pm
Location: Jacksonville

Re: Everything you should know about exploits!

Post by trill904 » Wed Apr 18, 2012 6:08 am

Appreciate all the info here
:-: .:. Spice Melange importer/exporter .:. :-:

Skrill
Posts: 36
Joined: Wed Apr 18, 2012 2:23 am
Location: California, USA.

Re: Everything you should know about exploits!

Post by Skrill » Wed Apr 18, 2012 7:05 am

Is there a list of attempted exploits on certain game titles?

z3r01
Posts: 27
Joined: Sun Mar 11, 2012 4:43 am

Re: Everything you should know about exploits!

Post by z3r01 » Wed Apr 18, 2012 4:00 pm

Well, this is a perfect start for me to get into this whole PSP exploit thing. Here are my questions (please remember that although I'm new to this PSP hacking scene of actually hacking, I'm great with directions/instructions and anything that I have to read! Please don't treat my questions like I'm a complete moron... I have some knowledge and find it easy to adapt to new things like I have with Apple products and my PS3)

1. Is there a certain language I need to learn (computer language of course... I assume not since I won't be technically creating apps but just finding a vulnerability and using files already created by wololo and others to help along the way)?
2. Can I do this from my Mac? (psplink in general, as I know I can get a hex editor for Mac)

any help towards bringing me knowledge would be greatly appreciated
z3r01

Xian Nox
Retired Mod
Posts: 2749
Joined: Fri Nov 05, 2010 5:27 pm
Location: Over the hills and far away

Re: Everything you should know about exploits!

Post by Xian Nox » Thu Apr 19, 2012 12:53 pm

z3r01 wrote: 1. Is there a certain language I need to learn (computer language of course... I assume not since I won't be technically creating apps but just finding a vulnerability and using files already created by wololo and others to help along the way)?
C. You can go with a MIPS reference, but you need C.
z3r01 wrote: 2. Can I do this from my Mac? (psplink in general, as I know I can get a hex editor for Mac)
As long as you can get the PSPSDK running, any platform should be fine.
