Again, the legality of this tool is extremely controversial (much more than the Pandora Battery, if you ask), so please do not share any links here. I’m sure those of you who have a bricked ta88v3 will find their way to this tool one way or another, anyways.

Seriously, bricking your own console to make a point…that’s what I call being brave, ErikPshat 

In soviet Russia, PSP unbricks you.

Nowadays running a custom firmware on a PSP is not complex, no downgrading is required as both pro cfw and TN Hen run on the latest firmware, and people who want to install another CFW such as M33 just need to use the necessary tools.

But people who have joined the scene a bit earlier know that the biggest hack for the PSP was the pandora battery, where hackers discovered (with lots of work and a bit of luck) that the battery in the PSP was used not only to power the device, but also to enter service mode, so that Sony repair centers could quickly fix a broken flash or install a new firmware on a PSP. Coupled with a “magic” memory stick, this allowed hackers to create a very cheap downgrade/unbrick mechanism, and basically with a special battery and a special memory stick you could easily unbrick your psp, or install a custom firmware on it. I still have one of those, and it is the most convenient technique for installing a CFW on PSPs that support it. It is also extremely safe, because even if you mess up your flash, you have ways to rewrite it entirely, so there is no risk of brick, unlike recent CFW installation systems.

Sony quickly reacted and their new PSP models were not compatible with this Pandora battery anymore. The first model of motherboards to include a security against the Pandora battery was the Ta88v3, the doomed psp2000 model. This model was still compatible with the battery and could enter service mode, but the magic memory stick didn’t work anymore, so it was basically made useless. Further models (the psp3000) even added more security, rendering the battery itself useless.

Hackers Boryan and ErikPshat have found a technique to use a magic memory stick on a ta88v3, which is a big deal for those of us who are stuck with a bricked psp 2000…

The technique is described in this thread, and the result is shown in this video, made by dev Yoti (who has provided several updates for PSARDumper PSPIdent in the past) and showing the jigkick installing firmware 5.02 on a 6.38 ta88v3 (correction, the psp in the video is a ta85v2, but Yoti guarantees that the results are the same on a ta88v3)

Although this is an impressive breakthrough, I’m going to ask people to not share any links on this, as this unfortunately relies on leaked data/hardware belonging to Sony, and is therefore clearly illegal. Feel free to discuss, but links to infringing material will be removed.

In clear words, they are able to sign content and have a (non hacked) PS3 believe this content is signed by Sony (and therefore the PS3 will run anything you want).

I have received many contacts from people asking me if this would have an impact on the PSP. After all, the PS3 is able to run (decrypt) some PSP games, activate PSP content (like Media Go), and overall there is such a symbiosis between the PS3 and the PSP that we can’t help but ask ourselves: “what if the PSP keys were also available on the PS3?”

Well, it seems the question was legitimate, as Mathieulh announced on Twitter that he can now sign PSP content.

For those who wonder what this means, well simply put: no need for any exploit, HBL, or HEN  in the future, as we will (?) be able to run our homebrews directly from the XMB without any hack. That is, if Mathieu releases his code.

If you still didn’t get it, this is a major breakthrough, with an impact similar to the pandora batteries and the first CFW on the PSP

Congrats Mathieu! Any plan for a release?

source: twitter via psp-hacks.com, thanks to Lune for the tip!

Warning: I want to add that console hacking teams do not work for money. People like MathieuLH or the team fail0verfl0w will NOT ask you for money in exchange for their work. If their work ever gets released, it will be available for free. Don’t get tricked by fakers (there are lot of fake failoverflow accounts on youtube apparently)

Datel is a company known for their various tools for many consoles. Their most famous product is probably the “Action Replay”, a series of software tools that allow you to cheat in many games (extra lives, extra gold, extra weapons, that kind of stuff…). Action replay is available for many console, and Datel have sometimes been criticized for making easy money on open source software (such as some code by Booster and the Prometheus team, related to the PSP IPL).

Datel was supposed to release an equivalent to the Pandora battery for the PSP 3000 in 2008, the “Blue Lite Tool”. Their press release, made on the site Maxconsole.net, was apparently only a buzz, as the battery was a standard pandora battery (it worked as expected on old PSPs, but didn’t do anything more than a regular battery on PSP 3000 models). It is still unclear if their Blue Lite Tool was a fake from the start, or if the lawsuit they got from Sony at that time was related to the tool.

Today Datel announce that they have a way to run the Action Replay software on the PSPGo. From the page in the link above:

Works with the original SONY PSP the PSP 2000 & 3000 plus the new PSPgo.

For such a tool to work on a PSPGo, it means that either Datel has become an official Sony partner (I highly doubt that), or they found a new way to run unencrypted code on a PSP Go, or their product description is lying (which happened in the past with the blue tool).

No doubt the hackers will get their hands on this product and debunk the scam if it is one.

Thanks again to n00b81 for the info.

Below are details for each model.

PSP Phat and PSP2000 (except ta88v3)

If you own a PSP Phat (PSP-1000), or a PSP Slim (PSP 2000) that is NOT a Ta88v3, then your PSP, independently of its firmware, is 100% hackable with a pandora battery. It’s been the case for many months now, and it will not change as the exploit used for the pandora batteries is a hardware exploit and cannot be fixed with a new firmware.

PSP-3000 and TA88v3, Firmware 5.03 and below

If you are the unlucky owner of a “doomed” motherboard, but happen to have a firmware 5.03 or below, your PSP is “half-hackable” through the laughing man tiff exploit and the associated Homebrew Enabler, better known as “ChickHEN”. “half-hackable” means that your PSP can have all the features of fully hackable PSPs (homebrew, plugins, customizable themes, ISOs,…), but unlike fully hacked PSPs, if your hard-reboot your PSP, you’ll have to run the hack again. (For those who still don’t know, putting your PSP in sleep mode works fine and is the best thing to do to keep the HEN in Ram)

PSP-3000 and TA88v3, Firmware 5.50 and above

There is no “public” way to hack these PSPs currently. However lots of exploits have been made public in the past weeks, giving developers enough material to actually work on solutions for these models. A user exploit in the Game Archer Maclean’s Mercury exists up to firmware 6.10. A user exploit in the Game Medal of Honor Heroes (including Medal Of honor heroes 2) exists up to firmware 5.55. The Kernel exploit used in ChickHEN exists up to firmware 5.50, but (is not usable from a user exploit in a game). A Kernel exploit revealed by MathieuLH exists up to firmware 5.55. Team Typhoon revealed the existence of a kernel exploit up to at least firmware 6.10, but didn’t make it public. Technically, with the current public available info, these PSPs could be hacked up to firmware 6.10 for Homebrew through the Mercury Game, and up to firmware 5.55 for HEN (isos, plugins,…) through the kernel exploit revealed by MathieuLH

PSP Go

There is no “public” way to hack these PSPs currently. The PSPGo cannot technically use exploits in games. Well…it can, but as soon as a game is hacked, it gets patched. So either you own a hackable version of the game and can use it, either you’re screwed. The general idea is that we cannot use games as a “good” user exploit source for the PSPGo. Exploits still exist though, and most of the time kernel exploits valid for a given firmware will work on the PSPGo, so it’s only a matter of finding a user exploit in the XMB rather than in a game.

Vocabulary

Homebrew: User made (non official) applications. These include games such as Wagic, utilities, emulators…
ISO: In the PSP world, digital copy of a game, most of the time unencrypted, preventing it from running on an Official firmware. ISOs are often associated to game piracy.
plugin: Homebrews that are loaded in the Ram of the PSP to extend its functionalities. For example, the music plugin allows to play MP3s while playing a game or a homebrew on the PSP.
HEN: Homebrew ENabler. A program that patches the PSP Ram to allow running unsigned code (Homebrews). unlike eLoader, a HEN is in the Ram and therefore doesn’t require to be launched everytime you want to run unsigned code. To do this a HEN usually requires a Kernel exploit.
TA88v3 :A Model of Motherboard that was introduced on the PSP2000 in summer 2008. It fixes the vulnerability used by the pandora batteries. Several techniques exist to identify your PSP Motherboard. If you have a PSP 2000, the easiest way to identify if it has a “doomed” motherboard is to try a pandora kit (battery + memory stick) on it.

Note: Firmware 5.05 has been intentionally not mentioned as it was released to a very limited number of people.

Lots of things have been going on in the “underground” world of the PSP in those 3 months. Datel’s new battery (and maxconsole’s disgusting lies), brokencode’s “out of the blue” cracking of the pre IPL thingy, fake downgrade announcements… In the end it seemed like all attempts were leading to a dead-end, and Dark_Alex’s silence on the issue in the last 3 months didn’t help.

A few days ago, I myself gave it a try through a libtiff vulnerability, and managed to get the attention of a few hackers and psp sites… but honestly I don’t see my crash thingy getting any further, especially since a far better proof of concept has been revealed by MaTiAz on lan.st, using a buffer overflow in the game GripShift (but I’ll keep trying with libtiff).

After all, it seems part of the money from the donations is going to be sent to an ebay seller :p

Whatever this proof of concept leads to, I think there is one important thing to remember : people should not rely on only one guy to help them with their unhackable PSPs. This is just unhealthy for the scene. I’m against the deification of hackers.

Libtiff Crash by me

Gripshift buffer overflow POC by MaTiAz

I now have to wait until the 3000 is hacked so I can start working on network features for Wagic.

I’m not a hacker, so I can’t help much here, but I’ll send 50% of the donations received through Wagic until Day X to the team or individual who publicly releases an affordable (not an expensive modchip) and relatively secure (not too high percentage of bricks) way of running homebrews on the PSP 3000.

• This includes the donations I’ve received so far
• Day X is the day where the “method” to enable homebrews is publicly released.
• If several teams contribute to this, I’ll choose the one I’ll send the money to.
• The promise is over if I get enough donations to buy a second hand phat or slim psp (and I hope this does NOT happen)

This announcement is definitely not going to speed up the process, or even give motivation to the hackers working on that, but that’ll be my way to thank them whenever that happens.

Let’s cross fingers, now !

http://sceners.org/index.php?itemid=16

Edit: This has been confirmed by Alek on dark-alex.org

Edit: F#ck ! Some bots have bought all the preorders on amazon.co.jp >.< Now I’m gonna have to wait to get one

Edit: got my preorder, but that was tough !