Hacking consoles: a learning journey (part 3)
(Previous post in this series: Hacking consoles: a learning journey, part 2)
Introduction:
Hello, and welcome to this new Learning Journey post! We have a lot of things to discuss today, so strap in for a bumpy ride.
I’d like to start off this installment by talking about all of the things that happened that won’t be included in today’s writeup. Remember when I ended my last post by saying that we would reenact the famous Gripshift exploit? Yeah, that turned out to be impossible. The exploit itself really happened, but it can’t be done again under today’s conditions. Believe me, I’ve tried. At the time, the exploit was found and used on PSP firmware 5.02, but on January 19, 2009, Sony released the 5.03 update, which patched it. Since I’m on firmware 6.61 myself, there is no way I could have possibly done it without downgrading all the way to the 3rd ever firmware available to the PSP 3000, which would have taken far longer than finding another savegame exploit.
So, after trying to downgrade for a little while, I quickly switched to hunting for an unpatched exploit that I could do myself. It took me a little time, but I found that Patapon 2 had one, which was historically used as an entry point for the Half-Byte Loader (HBL) by Wololo himself (I might be wrong on this one, but this is what I’ve gathered) [Note from Wololo: the release of that hack itself was an interesting story of betrayal]. So, without further ado, I am sorry for the wait, and let’s get started with hacking into the PSP.
Today’s summary:
All in all, today’s plan is to get something working using Patapon 2. Since it took me a whole week and three days to even have enough material to get started on this post, I won’t get too greedy and will just get the simplest exploit going.
Getting started:
First of all, you need to get your hands on the game Patapon 2. During the last post we covered the setting up of the whole operation (using PSPLink, savegame deemer, and so on), so that won’t be necessary today. I will be using the exact same setup, so if you missed it, you can go and read it right now.
For those who want to follow along, you’ll need to be up-to-date with this aforementioned last post, the only difference being that we’ll be working on Patapon 2 instead of Phantasy Star Portable.
The hacking:
I’ll admit, without having to set everything up like last time, when it came to hacking (meaning, when I was done with hunting for the right thing to use), the whole thing was surprisingly easy. When you start up the game, the only thing to do is to create a new game, make your way through the unskippable first level, and save your game by hitting select in the hub area of the game. You can give yourself whatever name you want, as long as you can remember it for later.

The opening sequence is about 5 minutes long and you actually have to play it, but it’s a fun experience.
If you read my post last week, you know that it’s time to get into our hex editor and get hacking.
If you installed the Savegame Deemer plugin correctly on your PSP, you should have your decrypted save on your PSP, in the /PSP/SAVEPLAIN/UCUS98732_DATA01 folder of your memory stick. Once you’ve found it, open SDDATA.BIN in your favorite hexadecimal editor, and get ready to look for the name you’ve entered earlier.
For that, you just have to press CTRL+F, enter your character’s name in the search bar, press enter, and…
Wait, what? “Can’t find `oct0`”? Well, I must have entered the wrong name, let me check…
The truth is, every game has its own way of storing information. Oftentimes, as is the case here, your name won’t just be saved as plain ASCII, and you’ll have to do some digging around in order to find where it was really saved. For this, you have two options: get creative, or comb the file to find what you’re looking for. I’m pretty lazy, so I started entering some random things, like a space between each letter and so on, until I found it. In a Patapon 2 save file, your name is actually saved as-is, but each character is stored as UTF-16 (little-endian), i.e. 2 bytes per character when a plain ASCII letter only needs 1.
That means that there is a null byte (00) between each letter that you’ve entered. For this kind of scenario, you’ll have to search for the hexadecimal directly. You’ll first need to convert your plain-text name into hexadecimal (in my case, oct0 is 6F 63 74 30), and then insert the null bytes. This time, we’ll have to search for 6F 00 63 00 74 00 30 00. Be careful to search for hexadecimal and not text, otherwise you won’t find it even then (most hex editors, HxD included, can also search for text as Unicode/UTF-16, which finds it directly).
Alright, now that we’ve found our name in the save file, the real fun can begin. We could very well fill the whole area with a single character to make it easy, but one thing I’ve thought of is that we’ll need to find exactly where in the file we need to insert the technical stuff, and that won’t be possible if every byte is identical to the other ones. Hence, I can only suggest you do as I did: fill several lines with increasing byte values (30 31 32 33 … and so on), so that any four bytes that later show up in a register identify their own offset in what we wrote. Two things to keep in mind: overwrite the existing bytes rather than inserting new ones (inserting shifts every field that follows the name), and remember that increasing bytes only stay unique for 256 positions, so for a very long field you’d want a cyclic pattern instead.
Alright then, the next thing we need to do is fire up usbhostfs_pc and psplink as we did last time, and load our game save.
Once we’ve loaded the save, the only thing we need to do is press “R” when presented with the hub, since we need our name to be displayed on screen in order for the game to crash.

Great! And now, since we didn’t fill the whole thing with one character, the register values in the crash dump printed by PSPLink tell us exactly which bytes of our fake name ended up where, so we know exactly where to strike.
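As an added example (my own script, not the author’s; the post does these same steps by hand in a hex editor), here is a small Python tool that mechanises the three steps above: find the UTF-16LE name in the deemed save, overwrite the bytes starting at the name with a recognisable pattern, and map a register value from the PSPLink crash dump back to an offset in that pattern. The save bytes built inside `demo()` are constructed for the example (64 bytes of padding, the name, then more padding), not a real SDDATA.BIN, and the `0x3F3E3D3C` register value is the `$ra` the post reports for its own pattern. The PSP’s MIPS core is little-endian, which is why the four bytes are reversed when they appear in a register.

```python
"""Locate a Patapon 2 player name in a deemed (decrypted) save, overwrite
the bytes after it with a pattern, and map a crashed register back to an
offset in that pattern. Added example for this post, not the author's tool."""


def encode_name(name: str) -> bytes:
    """Patapon 2 stores the name as UTF-16LE: each ASCII letter is
    followed by a 0x00 byte, so "oct0" becomes 6F 00 63 00 74 00 30 00."""
    return name.encode("utf-16-le")


def find_name(save: bytes, name: str) -> int:
    """Offset of the UTF-16LE name inside the save; ValueError if absent."""
    off = save.find(encode_name(name))
    if off < 0:
        raise ValueError(f"name {name!r} not found as UTF-16LE")
    return off


def counting_pattern(length: int, start: int = 0x30) -> bytes:
    """The post's 'growing numbers': start, start+1, ... wrapping at 0xFF.
    Every 4-byte window is unique only within 256 bytes; use
    cyclic_pattern() for longer fields."""
    return bytes((start + i) & 0xFF for i in range(length))


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style Aa0Aa1...Zz9 pattern (the pattern_create scheme):
    4-byte windows stay unique across its full 20280-byte cycle."""
    out = bytearray()
    for upper in range(0x41, 0x5B):          # 'A'..'Z'
        for lower in range(0x61, 0x7B):      # 'a'..'z'
            for digit in range(0x30, 0x3A):  # '0'..'9'
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def overwrite(save: bytes, offset: int, data: bytes) -> bytes:
    """Overwrite in place. Never insert: inserting bytes shifts every
    field that follows the name, so nothing else in the save lines up."""
    if offset + len(data) > len(save):
        raise ValueError("pattern would run past the end of the file")
    buf = bytearray(save)
    buf[offset:offset + len(data)] = data
    return bytes(buf)


def pattern_offset(pattern: bytes, reg_value: int) -> int:
    """Offset in pattern of the 4 bytes that ended up in a 32-bit register.
    The PSP's MIPS core is little-endian, so $ra=0x3F3E3D3C was loaded
    from the bytes 3C 3D 3E 3F in that order. Returns -1 if not present."""
    return pattern.find(reg_value.to_bytes(4, "little"))


def demo() -> dict:
    """Constructed save (assumption, not a real SDDATA.BIN): 0x40 bytes
    of padding, the name 'oct0', then 0x80 bytes standing in for
    whatever follows the name field."""
    save = b"\x00" * 0x40 + encode_name("oct0") + b"\x00" * 0x80
    name_off = find_name(save, "oct0")             # 0x40
    pattern = counting_pattern(0x60)               # 30 31 32 ... 8F
    patched = overwrite(save, name_off, pattern)
    # The post's crash dump showed $ra=3F3E3D3C; on this pattern those
    # bytes sit 12 bytes into the fake name, so that is the slot to target.
    ra_off = pattern_offset(pattern, 0x3F3E3D3C)   # 12
    return {"name_off": name_off, "ra_off": ra_off, "patched": patched}


if __name__ == "__main__":
    r = demo()
    print(f"name at 0x{r['name_off']:X}, $ra loaded from pattern offset {r['ra_off']}")
```

To use it on a real save, read SDDATA.BIN into `bytes`, call `find_name()` with the name you typed in-game, write the result of `overwrite()` back over the file (same length as before), and paste the `$ra` value from PSPLink’s crash output into `pattern_offset()`.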
Great, it worked! And now, there is only one thing to do, and that is to get exploiting. But this, ladies and gentlemen, will be saved for another time, since I haven’t even gotten started on it.
Conclusion:
We finally got to an interesting result! Even if we didn’t use the Gripshift exploit itself, we are exactly on the same path, and we will most likely be able to make some kind of breakthrough next time. Don’t hesitate to go bug me on Twitter at @theoct0 about this post, and until then, farewell.



there are at least 3 different ways to exploit Patapon 2
Not going to lie, this journey has been an interesting one, really looking forward to the end results and the detailed documentation you have going on. Keep up the great work!
Very nice writeup, keep on!
Thanks man, I’m glad to start recognizing some familiar faces in the comments 🙂
I’m really enjoying myself doing this, so I’m more than happy to keep it going. I’ll do my best to have some kind of result for next time, so stay tuned!
One more chapter of “Giting gud with scrub scrub”.
>using 4 bytes when they only need 2
I think you’re confused about the hexadecimal representation. Each digit in hexadecimal (1-F) corresponds to 4 bits, so 2 digits make 1 byte.
The encoding is actually just UTF-16, which uses 2-byte characters, unlike UTF-8 which uses 1 byte per character. In this case, you could just change the text encoding while searching with HxD.
Yeah, thanks for pointing that out. In French, we call a byte an “octet”, and I very well know that 8 bits make an “octet”, but the byte thing in English always puts me off. My teacher would not be proud of me, I’ll make a post-it note not to do that mistake again 🙂
About the encoding part, I’ve never really been interested in this kind of thing while studying programming, so I prefer using simpler descriptions rather than learning that, at least for now.
This was a fun one to exploit (again). Keep it up. 🙂
I don’t understand from your console output just where do you know where to strike.
I’ll try to explain it a different way here for you 🙂
When you create your name in the save, the game expects to see a name that is 4 characters or less (“oct0”, “test”, “abc”, but not “sarah” for example because it is too long). If we manually go into the save file and change that to make a name that is longer, the game is confused and reads the whole name even though it should be 4 characters.
For example, if you had a question on a written text and you wrote too much, your answer would also be written in the next question.
What is interesting for us is that we want to write in the next question! So, we write a lot of things for the game to read instead of our name, and we try and see what goes where it shouldn’t.
If you look at what we wrote, you will see “30 31 32 … 3C 3D 3E 3F” somewhere, since I wrote this. And, if we look at the console output, we see “$ra=3F3E3D3C”. So, we know exactly what part of what we wrote in place of the name is interesting to take control of that $ra.
Tell me if you still don’t understand 🙂
Thanks for explaining – I also did not catch that when reading. Okay, so we look for places where part of the pattern is written out, which is in multiple places, like $s0 and $s4 also – or is $ra the only one of significance?
For our example, we need to take control of $ra because this specifically is the variable that stores the next instruction. If we can take control of this one specifically, then we’ll be able to tell the program what to do next.
The next post (part 4.5) will be an explanation of this kind of technical stuff in the Patapon 2 Savefile Exploit, so I’ll do my best to answer this kind of questions in detail there 🙂