QuickJump QuickGuide Issue #6: The GripShift Exploit
The PSP homebrew community found a ray of hope for the PSP-3000 at the start of the new year when MaTiAz found a critical exploit in the old PSP title by Sidhe Interactive, GripShift. This paved the way for users to run homebrew on the unhacked PSP model despite the lack of custom firmware. Here's QuickJump QuickGuide Issue #6 - your quick guide to the Gripshift exploit.
A New Hope (insert Star Wars theme)
The new year kicked off with a bang when MaTiAz revealed that he had found an exploit in GripShift, allowing him to create the first raw form of the exploit. Soon after, FreePlay teamed up with MaTiAz and was able to encrypt the second version of the hack. As it turned out, GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains a profile name, which can easily be used to overwrite $ra. At 25KB, there's plenty of room to put your code in.
Soon after, The Noobz Team confirmed that they will be joining MaTiAz and FreePlay to further develop the exploit. Although the exploit already includes an SDK that allows homebrew porting, their initial focus was to adapt eloader into it, to make it easier to run standard homebrew.
GripShift greets: Hello World
It wasn't long after the team got together that MaTiAz and FreePlay released the Hello World version of the exploit, complete with a binary loader and an SDK that devs can use to brew using the exploit. Armed with a handy SDK, devs raced to create their own homebrew games for the PSP-3000.
It was dragula96 who got there first, releasing GripShift Pong v1.0, the first homebrew game for the PSP-3000, saying that it does "feel wrong when a hello world is not followed by Pong." Soon after, Team P86 also joined in on the action, releasing Bombernan GripShift v1.
Although the exploit worked on the North American, European, and Japanese versions of GripShift, the binary loader did not. After a few days of updating the SDK, the problem with the European version was solved. In another corner of the development scene, Bubbletune and Miriam also found a solution for the European version: an appended SDK.
Controversy erupts
Miriam was implementing a private HEN and was in touch with DaX for advice. Despite the advice received from DaX, Miriam was still unable to get it to work. It was through the help of another friend that Miriam managed to get his HEN working, to about 95% functionality at least, all based on Miriam's own code.
Dark-AleX handed the C+D kernel exploit to Miriam, telling him to keep quiet about it, seeing as it was joek who made it for personal use, decrypting 3k modules, and definitely not for public release. With insistent pressure, Miriam allowed MaGiXieN to make a video out of it, just to prove it's possible, but not to disclose any details.
DaX reacted, saying that credit for GripShift HEN was stolen. "This is about how I trusted someone called "miriam" and I gave him a kernel exploit of C+D, which was found by joek (the ONLY ONE that deserves credit of that), just to play for HIMSELF, as it is being used to decrypt 3k modules, but the first thing he did was to show to others to get a bit of fame," he said.
Miriam immediately made a statement in response to the homebrew hero. "...under the pressure of several people I allowed MaGiXieN to make a video of the HEN in action, but not disclose any details. Which is exactly what happened. Nobody else but MaGiXieN and me have access to this homebrew-enabler, and I'm the only one who knows how the internals work," he wrote. At the end of his statement, Miriam bid goodbye to the eDrama and the homebrew community.
It was all one big misunderstanding, and the homebrew scene lost a developer.
Now what?
Thanks to the work accomplished by everyone involved, working the exploit is now as easy as 1-2-3. First, you'll need the US, European, or Japanese version of the GripShift UMD. Simple as that sounds, good luck getting one, and you'd better be ready to cough up. Then simply load the savefiles below to be able to run homebrew.
Loading the savefile will cause a buffer overflow, allowing you to execute user-mode homebrew. This buffer overflow is sort of a "controlled crash" of the PSP. After that, you're good to go.
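The bug described above and in the "A New Hope" section is the classic save-loader pattern: a profile-name field is copied into a fixed buffer while trusting the length the file claims, so an oversized name runs past the buffer and into the saved return address. The following is an added example, written for this guide and not code from the article, from GripShift, or from the exploit's authors, showing what a loader that closes that hole looks like. The save layout (a "SAV1" magic, a 2-byte little-endian length, then the name bytes), the 15-character buffer, the function names and the sample inputs are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed savegame layout (an assumption for this example, not GripShift's
 * real format): 4-byte magic "SAV1", then a 2-byte little-endian name length,
 * then that many bytes of profile name. */
#define SAVE_MAGIC        "SAV1"
#define SAVE_HEADER_LEN   6
#define PROFILE_NAME_MAX  15   /* assumed fixed buffer: 16 bytes including the NUL */

enum load_status {
    LOAD_OK = 0,
    LOAD_ERR_SHORT,         /* file too small to hold the header */
    LOAD_ERR_MAGIC,         /* not a savegame we understand */
    LOAD_ERR_NAME_TOO_LONG, /* declared length exceeds the buffer: the overflow case */
    LOAD_ERR_TRUNCATED      /* declared length exceeds what the file actually holds */
};

/* Hardened loader: the declared length is checked against both the destination
 * buffer and the bytes present in the file before a single byte is copied.
 * The unsafe pattern behind this bug class is to memcpy `name_len` bytes into
 * `out` and rely on the file being well-formed. */
enum load_status load_profile_name(const uint8_t *save, size_t save_len,
                                   char out[PROFILE_NAME_MAX + 1])
{
    if (save_len < SAVE_HEADER_LEN)
        return LOAD_ERR_SHORT;
    if (memcmp(save, SAVE_MAGIC, 4) != 0)
        return LOAD_ERR_MAGIC;

    size_t name_len = (size_t)save[4] | ((size_t)save[5] << 8);
    if (name_len > PROFILE_NAME_MAX)
        return LOAD_ERR_NAME_TOO_LONG;          /* would overrun the buffer */
    if (name_len > save_len - SAVE_HEADER_LEN)
        return LOAD_ERR_TRUNCATED;              /* would read past the file */

    memcpy(out, save + SAVE_HEADER_LEN, name_len);
    out[name_len] = '\0';
    return LOAD_OK;
}

/* Builds a constructed save image in a caller-supplied buffer and returns the
 * bytes written (0 if it does not fit). `declared_len` is written to the header
 * independently of the real name length so a test can craft a header that lies. */
size_t build_save(uint8_t *buf, size_t buf_len, const char *name, uint16_t declared_len)
{
    size_t name_len = strlen(name);
    if (buf_len < SAVE_HEADER_LEN + name_len)
        return 0;
    memcpy(buf, SAVE_MAGIC, 4);
    buf[4] = (uint8_t)(declared_len & 0xff);
    buf[5] = (uint8_t)(declared_len >> 8);
    memcpy(buf + SAVE_HEADER_LEN, name, name_len);
    return SAVE_HEADER_LEN + name_len;
}

int main(void)
{
    uint8_t img[64];
    char name[PROFILE_NAME_MAX + 1];

    /* Benign save: a 7-character name with an honest header. */
    size_t n = build_save(img, sizeof img, "PLAYER1", 7);
    printf("benign save: status %d, name \"%s\"\n", load_profile_name(img, n, name), name);

    /* Hostile header: claims 25000 bytes of name; the buffer holds 15. */
    n = build_save(img, sizeof img, "AAAAAAAA", 25000);
    printf("oversized length: status %d\n", load_profile_name(img, n, name));
    return 0;
}
```

The two checks are deliberately separate: the first protects the destination buffer, the second protects against reading beyond the file, and a loader that performs only one of them is still exploitable or still crashable. Rejecting the file outright, rather than clamping the length and continuing, also gives a loader something concrete to log when a malformed save shows up.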
As far as homebrew games are concerned, these are the ones we've got:
Download: GripShift Pong v1
Download: Bombermen GripShift v1
Download: GripShift Rtype v0.2
So that's it for QuickJump QuickGuide #6, and hopefully, it helped you get a good grasp of the whole deal with the GripShift exploit. Check back with us next week as we dig into the persona of AhMan, the dev who brought us the iR Shell. Until then, stick around for more gaming news right here on QJ.
Comments
It's not a controlled crash at all; it's an unexpected hijacking of poorly-written code. As for what's next... Matiaz and I haven't heard a word from Team Noobz in well over a month. We don't know what's up.
They are controlled crashes to the effect that they are invoked intentionally and don't leave the system in a useless state. I think that is probably an easier way of explaining the situation to noobs rather than explaining the whole situation surrounding the programmers who didn't check and secure their code effectively.
Think there's any chance this will get released? I know a lot of people who would want it. Not to mention it'd make me feel better about buying a new PSP. My old analog nub broke and I tried replacing it but the problem continues.
Get ready to add another item to that list of apps ;D Gimme like 4 more days O.o
"The savegame contains a profile name, which can easily be used to overwrite $ra. At 25KB, there's plenty of room to put your code in." I believe the game "Pocket Racers" has the same vulnerability. I could be wrong; check it out if you can.
If he can create an app just by looking at the code, don't you think someone could look at it and adjust the code to create a homebrew enabler for making CFWs?
It's not nearly that easy.
It's been so long since I've heard any news on this exploit that I almost assumed that all efforts were given up.
I'll look into it. I've actually examined several dozen games for similar exploits; some showed promise, but so far none have managed to be usable.