10 Days of Hacking, Day 4: The PSP, Part 1
We all know this machine, we have been studying its interior for years now, but I am here to disclose the early hacks and mistakes that gave us initial access to all we have today.
The PSP was the subject of hacking early in its lifespan, and has stayed that way for almost all of its time on the market, with very few exceptions like the 5.50-6.20 dark ages. On the PSP scene we have seen many great hackers come and go, and many of us have some of our best teenage memories there, and some of us still do. But all of this happened thanks to early developments by many great people and dumb mistakes by a company that was new to the market of portable and upgradeable consoles.
UNSECURED = A HACKER'S TREASURE
You may have heard this before, but early PSP firmwares were not really secured at all.
Flash0 was easily accessible from user space, flash0 kernel modules were not encrypted at all, and crafting your own custom modules was as easy as grabbing a MIPS toolchain, compiling your code, copying it to flash0 and adding it to a plain text file.
That’s it, you got yourself a Custom Firmware.
But flash0 was not the only thing left unprotected. Early PSP models were essentially watered-down devkits, with the headphone controller port being a full-fledged debugger port. That, and the fact that some early Japanese games were compiled in debug mode, allowed hackers to understand how many of the core kernel functions worked, how to use them and what their names were.
Sony quickly issued a firmware update, version 1.50, to close many of the ways hackers were running unsigned code, like kernel-flagged ELFs, but it didn't take long for hackers to find new ways to run unsigned code, like swapping memory sticks and, later, the more convenient and infamous 1.50 kxploit.
Here at wololo.net we have talked before about the vicious cycle of kernel exploits: to find a kernel exploit you must be able to obtain an unencrypted dump of the kernel's modules, but to do that you must already have kernel access.
This cycle never really existed on the PSP, as you had direct access to the kernel modules: even once Sony updated the firmware and protected the kernel, you still had a kernel dump you could use to analyze the inner workings of the PSP.
OVERFLOW THAT BUFFER
A buffer overflow is what happens when more data is copied into a buffer than it was allocated to hold: the data passes the boundaries of the buffer, and the excess ends up written to memory outside the buffer, where it was never intended to go.
Let's see this with a clearer example. We have two programs: program 1 allocates 12 bytes of data on the stack, and program 2 allocates 10 bytes just after program 1. So that part of the memory map looks like this:
Program 2 data space — Program 1 data space
Program 2 is supposed to receive at most 10 bytes of information, but instead it receives 14, and program 2 doesn't have any check or method to prevent this, so the buffers above end up like this:
Program 2 allocated data — Program 1 allocated data
As you can see, data that belongs to Program 2 ends up in a space of memory that belongs to Program 1.
Depending on what Program 1 does with this data, it will either crash, malfunction, or simply be unaffected. If we do get Program 1 to crash or malfunction, it's an indication that we have control over its normal execution flow, and in many cases this leads to exploits that allow us to run our own code.
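As an added example (not code from the original article), here is the two-buffer scenario above written out in C: Program 2's unchecked copy sits beside the bounded version that rejects oversized input. The memory map is constructed as one flat region with Program 2's 10 bytes directly before Program 1's 12, and the 14-byte message is constructed input.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not code from the original article. The two-program memory
 * map from the text is modelled as one flat 22-byte region so the overflow is
 * observable and well-defined whatever the real stack layout: Program 2's
 * 10 bytes sit at offset 0, Program 1's 12 bytes directly after them. */
#define P2_SIZE 10
#define P1_SIZE 12
#define P1_MARKER 0xAA  /* constructed stand-in for Program 1's own data */
static unsigned char region[P2_SIZE + P1_SIZE];
static unsigned char *const p2_buf = region;            /* Program 2 data space */
static unsigned char *const p1_buf = region + P2_SIZE;  /* Program 1 data space */
/* Program 2 as the article describes it: copies whatever it is given, with
 * no check against its 10-byte allocation. Returns the bytes written. */
static size_t p2_receive_unchecked(const unsigned char *in, size_t len)
{
    memcpy(p2_buf, in, len);   /* len > P2_SIZE spills into p1_buf */
    return len;
}

/* The missing check: refuse input that does not fit (returns 0 on reject). */
static size_t p2_receive_bounded(const unsigned char *in, size_t len)
{
    if (len > P2_SIZE)
        return 0;
    memcpy(p2_buf, in, len);
    return len;
}

/* How many of Program 1's bytes no longer hold its own data. */
static size_t p1_bytes_clobbered(void)
{
    size_t n = 0;
    for (size_t i = 0; i < P1_SIZE; i++)
        if (p1_buf[i] != P1_MARKER)
            n++;
    return n;
}

/* The article's scenario: 14 bytes sent to the 10-byte buffer, through one of
 * the two receivers. Returns how far the spill reached into Program 1. */
static size_t run_scenario(size_t (*receive)(const unsigned char *, size_t))
{
    unsigned char input[14];
    memset(input, 0x42, sizeof input);      /* constructed 14-byte message */
    memset(p2_buf, 0, P2_SIZE);             /* fresh map: Program 2 empty, */
    memset(p1_buf, P1_MARKER, P1_SIZE);     /* Program 1 holding its data  */
    receive(input, sizeof input);
    return p1_bytes_clobbered();
}
```

With the unchecked receiver the 4 excess bytes land in Program 1's data, which is exactly the corruption the diagram above shows; the bounded receiver leaves Program 1 untouched.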
This is what happened to a very familiar game: Grand Theft Auto Liberty City Stories. A buffer overflow present in the game allowed hackers to run their own unsigned code, and together with kernel exploits found in the 1.XX dumps this allowed a downgrader to be made, so users who had updated to 2.00 and wished to go back to 1.50 could now do so thanks to this game.
This technique for hacking PSP games was left untouched for a long time, until the dark times of the PSP scene led to the birth of the Half Byte Loader project, but that’s not something I’ll be covering today.
An updated GTA UMD was quickly released, including a copy of Sony's firmware update that patched the vulnerability (note from wololo: to be even clearer, it is believed the game was not patched; what was patched was the firmware, and the only change in the game was that it now required a higher firmware to run). Finding an unpatched copy of the game was hard, and many UMD copies were selling on eBay for excessive prices from people who wanted to make money off the hard work of others; all scenes are full of a**holes.
CUSTOMIZE THE SYSTEM
While most exploits up to 2.6X allowed PSPs to be downgraded in order to use older hacks, the media and functionality of the new firmwares, such as new games, required the PSP to be on the latest official firmware to work.
Most people had to make the tough decision of either updating and giving up homebrew in favor of new games and functionality, or downgrading to use homebrew and giving up new games and functions.
It wasn't until a Spanish developer going by the name of Dark_Alex released what he called "Open Edition Firmware" or "Custom Firmware" that users were able to have both homebrew and new features at the same time.
Custom Firmwares were able to run due to a bug in the Initial Program Loader of the PSP that allowed us to run unencrypted custom kernel modules that replaced the original ones from Sony.
Sony of course continued to update the firmware and Dark_Alex continued to hack it, so the game of cat and mouse went on for a long time, until DAX announced his retirement from the PSP scene after releasing 5.00 M33-6, a CFW that is still being used even today.
Dark_Alex was a first in what he did: he paved the path for generations of Custom Firmwares that still have a great impact on the modern ones we have today. There's not a single CFW today, be it PRO on the PSP or TN-CEF on the ePSP, that doesn't originate from Dark_Alex's original code and ideas. He is the giant on whose shoulders all of us stand today, and should always get a mention when talking about PSP hacking.
We have done a quick overview of some of the classic hacks that have allowed us to achieve what we have today; in part 2 I will review the more modern hacks being used on the PSP today, stay tuned!