New PSP exploit found in GripShift, works on PSP-3000

Posted Jan 3, 2009 at 8:08AM by QJ Staff Listed in: Hacks & Exploits, Homebrew Development Tags: Exploit, FreePlay, Hellcat, MaTiAz, PSP-3000, PSPLink

0

Now this is how you start a new year! New exploit, old game! Damn, it's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three year old game, GripShift.

We'll leave the technical bits for later. Now, we'll have this video from FreePlay do the talking:

Holy... mother... of... pearl... o_0

Now then, the details: MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

There are two versions of the exploit. The first which is the raw form from MaTiAz, the other one (v2), is a version encrypted by FreePlay. It's also been confirmed that it works all the way up to the recent CFW 5.02 GEN-A.

We're getting there, people! Just a bit more... Hope springs eternal, folks!

Thanks to Sbrillo1 for the tip!

Download: GripShift savegame exploit POC
Download: GripShift savegame exploit POC v2
Visit: QJ.NET PSP development forum

Illuminati exploit brings homebrew to all PSP Firmware!

Via lan.st

56 Jumps Another PSP exploit found, works on firmware 6.20 and all PSP models

34 Jumps Lego Star Wars III: The Clone Wars announced for Autumn 2010

32 Jumps Square Enix profits up almost 50 percent, FFXIII sells 1.8M units in Japan

30 Jumps Nomura to make Kingdom Hearts III a reality 'as quickly as possible'

29 Jumps God Eater has extremely customer-friendly shops

28 Jumps Kojima: Peace Walker will retain classic MGS fun

27 Jumps PSP homebrew - PMPlayer Advance v3.0.8

25 Jumps Spike TV casting call for God of War reality show

22 Jumps PSPlayerMT For PSP - Direct AVI Player Works On All the PSP

19 Jumps Custom Firmware 5.50GEN-D3 final released

Best prices available for:

LittleBigPlanet for PSP

Price Range:
$39.00 - $60.00

at 10 Stores

Compare Prices

Star Wars Battlefront Renegade Squadron for PSP

Price Range:
$19.00 - $39.00

at 8 Stores

Compare Prices

G.I. Joe: The Rise of Cobra for PSP

Price Range:
$11.00 - $48.00

at 8 Stores

Compare Prices

Comments

# Note... — FreePlay 2009-01-03 04:07

While there's a European save included, this was mainly for testing purposes. There are significant differences between the two versions (not the least being that Ubisoft was involved in the European one).

At the moment, *this code only works with the USA version of the game.* I'm pretty sure the exploit is in the European one, too, but haven't dealt with that yet.

# YEHAAAA!! — fenomeno0chris 2009-01-03 04:08

I hope DarkAlex or somebody else can finaly hack the PSP-3000!

Please work on this Exploit!

PS: I´ve already got a PSP-3000!

# VERY!!! Nice — mistr305 2009-01-03 04:11

I should get the PSP 3000;

Atleast to try "Contrast Boost" Effect on PSP-3000. (Talking about TweakDISPLAY)

# .... — Stinky_1 2009-01-03 04:24

hopefully this method can be used to hack the first few PSP-3000's, then they can reverse engineer what they did to work with pandora.

I remember the days of using all kinds of game saves on different versions of PSP to unlock them. But there was always that moment that your heart skipped a beat just in case something went wrong. Once pandora came out, it didnt really matter anymore.

Run with it guys! I may have to see if I can find a copy of grip shift now, and grab a psp 3000

# . — p0op 2009-01-03 04:36

The great thing about this as opposed to the GTA exploit found a few years ago is, that when people go hunting for this game, it'll only be, like, 10-20 bucks, as opposed to the 50 that people were paying back then.

# Yar! — FreePlay 2009-01-03 04:43

Cost me $8 at Gamestop :)

A funny thing to note: The game codes for GTA and this are just one different.

GripShift: ULUS10040

GTA: LCS: ULUS10041

# Wont be that price for long — akadewboy 2009-01-03 04:44

Remember when the Lumines exploit was first created? That games was worth about $10 before the exploit, then it quickly sky rocketed. If this exploit is able to install custom firmware on the PSP3000, then you can expect the price of Gripshift to skyrocket even more.

# . — tacopalypse 2009-01-03 06:26

code. running. flashing colors. ooooooo

# keep going... — _lainlives_ 2009-01-03 06:40

Freeplay, MaTiAz, keep it going, I want to see how far this thing can be carried

# Yes, yes. — FreePlay 2009-01-03 06:44

I'm very enthusiastic.

# lol — Cactuar Knight 2009-01-03 06:54

Is that a typo I see or is that an attempt at "making a funny" - in what part of the world is 25kb a HUGE file? lol

# Where's Fanjita? — UltimaArmorX 2009-01-03 06:57

We could use an eLoader right about now.

# LOL — Binary 2009-01-03 07:02

now gamestop be wondering why people buying Gripshift

# Twenty-five kilobytes? — UltimaArmorX 2009-01-03 07:05

You can fit twenty-five thousand and five-hundred ninety-five characters of code with that (excluding spaces and indents)!

# It's huge compared to the Lumines exploit — akadewboy 2009-01-03 07:10

The Lumines exploit save file was 2.44 KB. So the GripShift exploit is "Huge" compared to that.

# Worst game ever will now be... — DarkXCloud 2009-01-03 07:39

This game will now be the best game on the market and there goin' to be like... What?!?! what?!? and then with a Wo0t

# LOL — FreePlay 2009-01-03 07:50

Some idiot is going through on his proxies, downvoting my comments. What an ass.

# ... — Justingraziano 2009-01-03 07:51

I HAVE THIS GAME!

# i agree — lee123 2009-01-03 08:12

i have griptshift for the ps3 and it is the worst game i have ever played

anyways about the hack, i didnt have a psp when the GTA/lumines hack was found, and when i did get one it was out of date and everyone was using pandoras, so the only thing i can relate it to is the twilght hack on the wii, is it like that?

also will this bring any better homebrew features to the psp, or will it just be used for installing CW?

# ... — TheLastGuitarHero 2009-01-03 08:34

Nah, I bet this was as far as they wanted to get. Once they got the flashing colors it was mission accomplished. ...You're weird.

Anyway, great job to you guys, what surprising news.

# . — akadewboy 2009-01-03 08:34

I don't know anything about the Wii exploit you're talking about, but how the Lumines exploit worked was: You would run Lumines, then after the game would load the exploited save it would execute Homebrew Enabler. Once Homebrew is enabled you could launch the 1.50 downgrader. After you were on 1.50 you could run the custom firmware installer. The GripShift exploit wont bring anything new, it will just hopefully allow us to install custom firmware on the PSP3000 and run homebrew on it.

# Hold up... — Tesseract 2009-01-03 08:52

Did anyone else notice that this miracle of running unsigned code was only mentioned as being tested on CFW, not OFW?

If the video shows this, then I apologise... I can't watch it from where I am right now... But I would hope that it's been attempted on OFW at least once. If not, it's still relatively useless.

# . — akadewboy 2009-01-03 09:00

Yes at first it only worked on Custom Firmware because the save file was decrypted. But the V2 exploit runs on official firmware because Freeplay encrypted the save. If you watch the video you'll see that it's running on an official firmware PSP3000.

# . — DarkXCloud 2009-01-03 09:36

I never played it, so I don't know if it's bad :| I hate it when people lower my rank.

# YES — eaferrari24 2009-01-03 11:20

I KNEW buying that game when it first came out would pay off some day

its the worst psp game i own.. by far

# Er... — FreePlay 2009-01-03 11:26

"Did anyone else notice that this miracle of running unsigned code was only mentioned as being tested on CFW, not OFW?"

You mean apart from:

"Damn, it's so cool to actually see this beauty working - and on a PSP-3000 no less!"

?

# ... — Silver-Tiger 2009-01-03 12:57

Nice one.... If pandora doesn't work anymore, get back to basics, game save hacks! ^^

Funny like all these haters who said "PSP-3000 sucks because of scanlines" will now buy the new PSP.

# _ — a20z07 2009-01-03 13:25

wow i should go sell my copy of gripshift now

# FINALLY — KylBlz 2009-01-03 14:36

YESSSS!!! Someone give that guy like 1,000,000 dollars because i totally would. My PSP 3000 needs CFW and all these stupid -- i mean GENIUS companies making gamesaves that allow you to run code are just perfect

# Finally — reeferandsumbud 2009-01-03 16:16

thank you! now i finally have an actual reason to buy a psp 3000.

# oooo! — Metal Jody 2009-01-03 17:23

Those flashing colors gave me a seizure 0_o

# Why are you downvoting your own comments, — UltimaArmorX 2009-01-03 19:41

no, why do you even care!? Do you have no dignity away from your computer?

# its not about dignity — Aces In The Palm 2009-01-03 21:06

if i'm a noob i'm trying to learn about the the exploits

i'm hordly going to take notice of a person who has no starts

i'll look for the highest voted as i'd feel they'de be most relevant to the article with the most fact

# A bit confused — nGoc 2009-01-03 22:58

could somebody this for me..

in this video

http://www.youtube.com/watch?v=NqIO6ONLhHg&eurl=http://pspupdates.qj.net/New-PSP-exploit-found-in-GripShift-works-on-PSP-3000/pg/49/aid/127658&feature=player_embedded

which is the same video above except a few seconds earlier

The game is run from the memory stick. If correct, how does it work if its a 3000?

# funny thing is — Aces In The Palm 2009-01-03 23:08

everyone will start buying gripshift.

and at the moment its not that useful.

i believe it could be possible to kickstart a HEN mode, but until pre-IPL is sorted...no custom firmware for 88v3 or psp-3000's

# Soldiering on with my good old PSP-1000 — tobyo1 2009-01-03 23:36

5.00M33-4 with 1.50 kernal, IMO PSP 1000 in the best, if you can find a decent condition one then I'd say it's the one to get. 1.50 kernal FTW, got all my GBA, GBC and Sega Gamegear games on it :) Hopefully, for you PSP-3000 owners this will compensate for scanlines, once you're all running the latest CFWs. Well done FreePlay!

# OK, let me clear things up for you — WiiRolled 2009-01-04 00:08

In the video you have posted, you can see a PSP-2000 with CFW showing that the exploit exists.

In the video embedded here in the news, you can see a PSP-3000 with original firmware, running the game from UMD and showing that the exploit works there as well ;)

# well — leq 2009-01-04 02:55

Don't blame me, I voted for Kang.

# HELL YEAH — NEOL 2009-01-04 03:58

First THANX FreePlay, MaTiAz you are the men is the PSP world.

sec NOW I HAVE A REASON TO BUY PSP-3K & i think that now its DAX TIME GO DAX GOO

i will keep a close eye on this hopefully we will see CFW soon 0.0

# i want noobz to release the downgrade. — jimftr 2009-01-04 07:16

just remember that it was fanjita and the noobz team that made the downgrade for these savegames and stuff. but now we have pandora they dont have much to do anymore. so lets hope fanjita starts to work on this.

# Gratz. — Achooist 2009-01-04 07:58

Haven't seen an exploit in...forever..

I thought they have been given up on!

I have a question, do people just randomly buy games and edit them to find exploits?

I mean, WHO BOUGHT THIS GAME?!

# dude, get a life — jerryspringerxxx 2009-01-04 08:04

this *****ing sucks dude. seriously. you have no talant.

# ... — Justingraziano 2009-01-04 08:07

Dude wtf? This is a great exploit. Dont make fun of him.

# This exploit.... — DarkXCloud 2009-01-04 08:45

How are they going to downgrade with this? I can see a phat psp downgrade, but a slim and a 3000?!? They both cannot downgrade to 1.50?!?

What magic are they going to do now? I'm hoping to see what happens next.

# ... — Justingraziano 2009-01-04 09:16

I see a PSP 4000 coming very soon.

# OK Aces. I get it. — UltimaArmorX 2009-01-04 09:28

But even with 5 stars it does not mean the comment will contain relevance. I hate to be a reminder, but the balloons that pop up on the two vote buttons say "I like this comment" and "I dislike this comment." Because of this, it literally can be any reason why the comment has whatever amount of stars.

Like my comment up top. It was obviously voted down once, voted back up, and then voted down once more. Reason? Maybe because...the reader has nothing else better to do? There's no fruit in voting up or down on comments like this and my other one. It sure is funny, though. Maybe they're entertained(?) Or maybe I added a thought or idea and someone agrees?

By the way, I think I overestimated FreePlay's train of thought. Since when are communities an idiot on a proxy? Tch.. this is nuts!

# Yeah.. — UltimaArmorX 2009-01-04 09:34

I can see it now: Christmas 2009 word gets out and then the launch starts March 2010. *mental sigh*

# Yes! — UltimaArmorX 2009-01-04 09:40

Beggars can't be choosers (and I'm not even begging..) but if it's possible we should expect it from them if not a word sayin it isn't possible, yeah?

Does anyone know if discussion is being made on this matter in the noobz.eu forums? Any verdicts made yet? Production? Testing? Anything??

# Said Metal Jody, — UltimaArmorX 2009-01-04 09:44

from the hospital bed.

# what?? — digicron 2009-01-04 10:12

"It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs)."

so....im not quite following. you say this was tested on 4.01M33? does that mean you already had 4.01m33 on your psp? i dont get it.....

if you did have 4.01m33 on your psp and you tested this, what is the point? you already had a cfw?

now dont flame me, this is a logical question. why prove you can cause a buffer overflow exploit in a game, when you already have a cfw, the whole point of a new exploit is so you can ultimately get to a CFW.

# POC!!!!!!!!!!!! !! — potat4o 2009-01-04 10:41

WOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOOOO OOOOOOOOOOOOT!

# ? — FreePlay 2009-01-04 11:02

"just remember that it was fanjita and the noobz team that made the downgrade for these savegames and stuff."

Noobz had nothing to do with this exploit.

# I really hope this exploit comes thru — KrAYzIeReYStA 2009-01-04 11:24

and CFW is made for it and as functional as slim...it might movtivate me to get the 3000

they havent fixed the scanlines issues with the very new 3000s have they?

# LOL — FreePlay 2009-01-04 12:59

"I have a question, do people just randomly buy games and edit them to find exploits?

I mean, WHO BOUGHT THIS GAME?!"

I bought it after we knew there was an exploit :)

Beforehand... ISOs, of course.

# Thanks! — Tesseract 2009-01-04 15:35

Heh... I didn't want to be TOO optimistic, then have the rug pulled out from under my enthusiasm.

Thanks for the clarification, guys. This really is a neat step forward. I really DO prefer the exploits to the Pandora option.

# . — marcosatti1 2009-01-04 16:21

Can this exploit be possibly used to hack the pre ipl? (I assume so as it is in a game which can be used to go to kernel mode?)

# lol @ UltimaArmorX — Aces In The Palm 2009-01-04 21:30

sadly i relise that

sometimes its do you like this person to some people using this site

which is why i wonder

why can unregistered people vote

should have to be registered and have to give a quick reason why you agree or disagree whenever you make a vote

# No. — FreePlay 2009-01-04 21:41

Game exploits are never kernel-mode exploits. Kernel-mode exploits are in the firmware. Also, the pre-IPL can only be dumped at the initial boot time.

# . — marcosatti1 2009-01-04 21:56

Ok, thanks for clearing that up.

# @ jimftr — Guest 2009-01-05 02:05

Yeah, wish they did, but I'm not sure if Fan is still around to work on it. Here's some good news tho. I saw a couple of the other well known PSP homebrew devs in the forums talking about this too. That includes mathieulh, wololo, hellcat, jas0nuk... the list goes on and on.

Here's to hoping the other devs pounce on this too. I really wanna see how far the psp scene can take this exploit to. To MaTiAz and FreePlay, good job on getting the ball rolling! ^_^

# asffsad — Achooist 2009-01-07 02:10

Ahhh, I see.

Thanks, I thought somebody had to actually buy it.

I got scared. +P

# . — 93pauott 2009-01-09 09:09

durr durr.

# ... — 93pauott 2009-01-20 08:56

i did... and, actually, the editor is awesome!

Refresh comments list

Add comment

JComments

The QJ.net Network
Site	Feed
QJ.NET	RSS
Nintendo DS	RSS
PlayStation 3	RSS
PSP Updates	RSS
Wii	RSS
Xbox 360	RSS
MMORPG	RSS
Personal Computer Games	RSS
iPhone - iPod Touch	RSS
QJ.NET Forums	RSS

Add QJ.NET

User Favorites - February

Most Commented
Another PSP exploit found,..	(138)
QuickJump QuickLines Tekke..	(80)
Sony quarterly financials:..	(27)
Nippon Ichi operating prof..	(25)
Nomura to make Kingdom Hea..	(24)
Dead or Alive: Paradise is..	(22)
Namco Bandai posts huge lo..	(20)
Kojima: Peace Walker will..	(19)
Casual games are no threat..	(18)
ESRB pulls down Dead or Al..	(18)
Square Enix profits up alm..	(15)
Brock Lesnar is the face o..	(14)
And the winning QuickLines..	(13)
Watch: Iron Man 2 War Mach..	(12)
Video: Dante's Inferno - m..	(12)
The Tester coming to the P..	(11)
Koller: iPad is a "net pos..	(11)
God Eater has extremely cu..	(11)
PSP homebrew - PMPlayer Ad..	(10)
Spike TV casting call for..	(10)
gpSP v0.9 for the PSP	(10)
Sega teases: Vanquish plat..	(9)
PSP Homebrew: Power Switch..	(9)
Custom Firmware 5.50GEN-D3..	(8)
PSP homebrew - PSP Filer v..	(8)

User Favorites - February

Top Jumps
Another PSP exploit found,..	(362)
gpSP v0.9 for the PSP	(90)
Custom Firmware 5.50GEN-D3..	(69)
Dead or Alive: Paradise is..	(68)
PSPlayerMT For PSP - Direc..	(56)
God Eater has extremely cu..	(41)
Brock Lesnar is the face o..	(38)
Custom Firmware 5.50GEN-D3..	(35)
PSP homebrew - NesterJ 1.1..	(34)
Lego Star Wars III: The Cl..	(34)
PSP homebrew - PSP Filer v..	(33)
Square Enix profits up alm..	(32)
Sony quarterly financials:..	(31)
Nomura to make Kingdom Hea..	(30)
The Tester coming to the P..	(29)
ModNation Racers driving s..	(29)
PSP Homebrew Weekend Warri..	(29)
Watch: SOCOM Fireteam Brav..	(28)
NBA 2K10 has now scored tw..	(28)
Kojima: Peace Walker will..	(28)
PSP homebrew - PMPlayer Ad..	(27)
SOCOM Fireteam Bravo 3 dem..	(27)
Nippon Ichi operating prof..	(27)
Video: Dante's Inferno - m..	(27)
Namco Bandai posts huge lo..	(27)

Username:

Password:


Remember Me?

Forgot password
New user registration