Hacking consoles: a learning journey (part 2)
(Previous post in this series: Hacking consoles: a learning journey, part 1)
Hello, and welcome to this second (or first, depending on how you’re keeping count) installment of my learning journey. Don’t worry, this name is temporary, and I will be taking suggestions until I find a more fitting one.
In my introduction post, I… well, introduced you to what this series was going to be, and wrapped up by telling you that I was planning on using a Debian Linux distribution to do most of the hacking. I quickly ran into some issues that I will explain here, and had to switch to Windows, so that made me reconsider things a little. I will henceforth be switching from OS to OS depending on what works best. As a disclaimer though, if you can get anything I do to work on another platform, please do as you prefer, since there won’t be much difference apart from installation procedures.
Something I think I will be doing often in this series is a summary of the day, for the reader to have an idea of the topics that the current post holds.
For a first post, I thought going simple was the best decision. Getting started with such a technical field isn’t an easy task, so focusing on one “simple” concept at a time, especially in the beginning, seems more fitting.
For all those reasons, today’s topic will be PSP gamesave exploits. The PSP is already relatively old, which means two things: first, accessing exploits and writeups will be very much easier than on more recent consoles. This is good, since our goal is to understand hacking, and not to make any breakthrough discovery. The other thing that we can deduce isn’t that good for us, however. Since the PSP scene isn’t active anymore, the tools that we will need to get started most likely won’t be actively maintained, which means that we could have issues with using them on a recent OS.
If we follow Wololo’s 2009 guide on gamesave exploits for the PSP, we can establish a list of tools that will be needed:
- The Savegame Deemer plugin
- A PSP with its USB cable
- A hexadecimal editor
- A brain
So far, everyone who wants to follow along should at least have the PSP and cable. Apart from that, we will start working on getting PSPLink to work, installing Savegame Deemer, and maybe get myself a brain if I have some time left.
When I initially got into writing this article, I was very eager to get going, and started by installing PSPLink and the tools that go along with it. I spent way too long trying to get everything working on Debian and in VirtualBox, since I was working with a broken website (ps2dev.com, home of the PSPSDK and psptoolchain projects, has been down for a long time [Note from wololo: this was such a great resource for all console enthusiasts out there. The internet archive has a snapshot from 2008]) and couldn’t get anything to work by compiling the projects from source.
After spending a whole week trying to get the separate tools working on Debian, I gave up and installed the Minimalist PSPSDK on Windows. That, thankfully, worked almost right out of the box, so this will be our solution of choice here. Here’s the link. The plugins needed for psplink to work are all under the “C:\pspsdk\psplink” folder on your hard drive after installing this software.
The savegame deemer was very easy to install on the PSP, since it was just some .prx file to put in the PSP’s seplugins folder and to activate. I found a cool Wololo easter egg hunt code on the download page, which was funny, but this was otherwise done very quickly.
A quick word on getting plugins to work: you need to put the various .prx files in the “seplugins” folder of your PSP, and to add a line with their filename followed by a space and a “1” in two files called “game.txt” and “vsh.txt”.
I also installed HxD on my computer as a hexadecimal editor, but as for the brain, however, I still can’t get my hands on one. I guess we’ll just have to work without it for the time being.
And, finally, we arrive at the actual hacking part. This is where I will regularly do my best to follow in the scene’s footsteps, in order to explain my learning process, my hurdles, and all in all my experience with the matter at hand.
The first thing that must be done is to get our hands on a vulnerable game, which would here be the Japanese demo of Phantasy Star Portable. Surprisingly, I had a Japanese UMD of this game lying around, so I will be able to work with the full version. Remember kids, downloading ROMs of games you don’t already own is illegal, and shouldn’t be done under any circumstances.
I should also establish that some knowledge of programming is preferable to have, since I will not explain any code I use here, except for the parts specific to hacking. Now, let us get on with the hacking.
For starters, you need to link your PSP to your PC using a USB to Mini-USB cable. Windows will not recognize your console as a device, however, until you install a thing called the “Type B PSP drivers”. But that wouldn’t be any fun if it was easy and straightforward to do, so let’s get on with it.
Since Microsoft is very big on security when it comes to their Windows platform, installing arbitrary unsigned drivers isn’t the easiest thing to do. You need to boot into a specific mode, and then use a tool called libusb-win32 to get the job done. The easiest way to do the first part is to click “Reboot” in the start menu while holding your SHIFT key, until a special screen comes on and gives you a bunch of options. You need to navigate under “Troubleshoot”, then “Advanced options” and finally “Start-up settings”, which sometimes is hidden under the little “More options” text under the first few choices. What’s then left to do is to press the F7 key (“Disable driver signature enforcement”), and Windows will reboot without those pesky safety measures. This relaxed mode only lasts until the next normal reboot, so do the driver installation in that same session.
Once you have signed into your session again, you will need to use a little piece of software called libusb-win32, which will enable driver installation for any device connected to your PC. In this software, all that’s needed is to launch the file called “inf-wizard.exe” in the “bin” folder, press “next” once and select the Type-B PSP driver that shows up (your PSP needs to be anywhere except in USB mode, otherwise Type A will show up instead). You then need to save the generated driver files somewhere of your choosing, and let the program do its job. If a warning message shows up about the unsigned driver, confirm that you know what you’re doing and go on with the process.
And now that all of this is out of the way, you should hear a satisfying Windows USB sound every time you start up your PSP while it is plugged in. If that isn’t the case, make sure you did everything right, and if nothing works, try using the RemoteJoy plugin on your PSP to force it into trying to interact via USB, and then redo the libusb-win32 stuff. If everything worked as intended, just launch “usbhostfs_pc.exe” as administrator and “pspsh.exe” as a regular user in the “C:\pspsdk\bin” folder, and if your PSP is plugged in, you should have a nice console waiting for your input in pspsh.exe.
Now it may not seem like it, but we are relatively close to being able to exploit something on our console. You see, as Wololo explains, there are sometimes things that are overlooked during game development, and buffer overflows are one of them. You know how, when you name your character in any game, you have a character limit? Well, if you somehow manage to write a longer name than the maximum allowed, the end of your name ends up somewhere in the game’s save memory that wasn’t designed for it, and that may be read at some other time during the game’s execution. If the game doesn’t prevent names that are too long from being read back, we will then be able to write anything we want where we shouldn’t be able to write anything at all.
In this game, you need to create a character, and name it something recognizable. Since this is a Japanese game, most of you will not be able to read what is written, and I will guide you through the few menus we need to navigate. First, press the START button, then the O button on “new game” on the title screen. You will then be presented with a character on the right, and a few options on the left. The only one you don’t want to use is 戻る (modoru), which, as TheFloW taught us, means “To go back”. Instead, you want to choose 次の設定へ (tsugi no settei e), which means “To the next setting”. Remember, on Japanese PlayStation consoles, O is used to confirm, and X to cancel. There will eventually be a setting called “名前” (namae), which means “Name”; you need to write something that you will remember in a few minutes. For this example, I will use “wololorocks!” as a character name, and then go to the next menu by selecting the next settings button. You will need to enter another name, which need not be the same as the last one. I will use “あ”, which means “a”. You will need to press O a few more times until a cutscene starts playing, at which point you can shut the game down and go back to the PSP’s main menu. Your save file will be located under “PSP/SAVEPLAIN/ULJM0530900” in your PSP’s filesystem.
Once we open the larger file of the three in HxD, we notice that under “Decoded text”, the first line reads “WÿOÿLÿOÿLÿOÿRÿOÿCÿKÿSÿ.ÿ”. Even in that garbled form, this should remind you of something we wrote not long ago. Now, if we try and overwrite the data with some random text after where our name is written, we should be able to make the game crash upon loading the file, which is the starting point for a gamesave exploit. If we fill, say, the following 10 lines with the letter “a” under “Decoded text” in HxD and load the savefile, some interesting results could happen. Thankfully, when we start up the game and choose the “Continue” option, we see that our name changed from “wololorocks!” to “wololorocksN___________________” (that’s 20 underscores), and that we now are level 97. If we try and load the save… Well, nothing special happens, much to my disappointment.
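To make the overflow described two paragraphs up, and reproduced in HxD just above, concrete, here is a small C model I added for this post; it is not code from the post, from Wololo or from the game. The record layout is an assumption constructed for the example (a 12-character name, its terminator, then a one-byte level), not the real Phantasy Star Portable save format, and the function names are mine. The game only bounds the name on its name-entry screen; the loader copies the file straight into memory, so an edited save whose name runs past its field lands in the level byte. That is the same pattern as the “level 97” seen above: 97 is the decimal value of the ASCII letter “a”, the byte the file was filled with. The hardened loader beside it shows the check a defender would want: validate every field that came from disk before accepting the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed character record for this example, NOT the real Phantasy
 * Star Portable save layout. The name field (12 characters plus its NUL
 * terminator) is followed directly by the level byte, so anything written
 * past the end of the name lands in the level. */
#define NAME_MAX 12
#define LEVEL_MAX 200

typedef struct {
    char    name[NAME_MAX + 1];   /* 12 characters + NUL terminator */
    uint8_t level;                /* sits right after the name in memory */
    uint8_t hp;
} character_t;

#define RECORD_SIZE (sizeof(character_t))

/* Length of s, stopping at max (a local stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* The only place the game bounds the name: the name-entry screen clips
 * typed input to NAME_MAX characters. */
void set_name_from_ui(character_t *c, const char *typed) {
    size_t n = bounded_len(typed, NAME_MAX);
    memcpy(c->name, typed, n);
    c->name[n] = '\0';
}

/* 1 if the name field still holds a terminator, 0 if the name has run
 * over its field (which is what the hex edit produces). */
int name_is_terminated(const character_t *c) {
    return memchr(c->name, '\0', sizeof c->name) != NULL;
}

/* Trusting loader: the file is assumed to be a record the game itself
 * wrote, so its bytes are copied into memory with no validation. */
int load_trusting(character_t *c, const uint8_t *file, size_t len) {
    if (len != RECORD_SIZE) return -1;
    memcpy(c, file, RECORD_SIZE);   /* BUG: never checks that name[] is terminated */
    return 0;
}

/* Hardened loader: copy into a scratch record, then check every field
 * that came from disk before accepting it. */
int load_validating(character_t *c, const uint8_t *file, size_t len) {
    character_t tmp;
    if (len != RECORD_SIZE) return -1;
    memcpy(&tmp, file, RECORD_SIZE);
    if (!name_is_terminated(&tmp)) return -2;            /* overlong name */
    if (tmp.level == 0 || tmp.level > LEVEL_MAX) return -3;
    *c = tmp;
    return 0;
}

/* The save the game would write for a freshly created level-1 character. */
size_t make_clean_save(uint8_t *out, const char *typed) {
    character_t c;
    memset(&c, 0, sizeof c);
    set_name_from_ui(&c, typed);
    c.level = 1;
    c.hp = 100;
    memcpy(out, &c, RECORD_SIZE);
    return RECORD_SIZE;
}

/* Reproduces the HxD edit on the constructed layout: everything after the
 * typed name, terminator included, is overwritten with 'a' (0x61 = 97). */
size_t make_tampered_save(uint8_t *out, const char *typed) {
    size_t n = make_clean_save(out, typed);
    size_t start = bounded_len(typed, NAME_MAX);
    memset(out + start, 'a', n - start);
    return n;
}

/* Level the trusting loader believes after loading the tampered save. */
int tampered_level_as_trusted(const char *typed) {
    uint8_t file[64];
    character_t c;
    size_t n = make_tampered_save(file, typed);
    if (load_trusting(&c, file, n) != 0) return -1;
    return c.level;
}

/* Result code of the validating loader on the tampered save (-2 expected). */
int tampered_result_as_validated(const char *typed) {
    uint8_t file[64];
    character_t c;
    size_t n = make_tampered_save(file, typed);
    return load_validating(&c, file, n);
}

/* Result code of the validating loader on an untouched save (0 expected). */
int clean_result_as_validated(const char *typed) {
    uint8_t file[64];
    character_t c;
    size_t n = make_clean_save(file, typed);
    return load_validating(&c, file, n);
}

int main(void) {
    character_t c;
    uint8_t file[64];
    size_t n = make_tampered_save(file, "wololorocks!");
    load_trusting(&c, file, n);
    printf("trusting loader: level=%u, name terminated=%d\n", c.level, name_is_terminated(&c));
    printf("validating loader: rc=%d\n", load_validating(&c, file, n));
    return 0;
}
```

Run it and the trusting loader reports level 97 with an unterminated name, while the validating loader refuses the same bytes. The fix is deliberately not “make the name field bigger”: whatever the field size, the loader has to treat the file as untrusted input and check it, because the hex editor is not bound by the name-entry screen.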
Sadly, the game seems to only crash in the demo version of the Japanese game, so my convenient full UMD will not do the trick today. We can, however, change games in favour of Gripshift, which is an established way to get a gamesave exploit going, and isn’t written in Japanese! That, however, will be coming in the next post of this series, since I want to keep this in bite-size chunks in order not to write a three-book novel each article.
We got the PSP driver and PSPLink to work nicely, and even though we didn’t get any exploit going this time, we learnt that vulnerabilities aren’t found easily, and that even the easier methods such as a gamesave crash aren’t often useful in hacking. Next time however, we will be reproducing the famous Gripshift exploit, which should be much more fulfilling, and more functional for our purpose. I hope to have you here for my next post, so until next time, farewell.
Next post in this series: Hacking Consoles: a learning journey part 3