Homebrew

From PSP Developer wiki

PlayStation Portable homebrew refers to the process of executing unsigned code on the PlayStation Portable.

History of homebrew

In April 2005, a DNS redirection trick was discovered in the game Wipeout Pure's content-downloading feature that allowed ordinary HTML web pages to be displayed in place of the downloaded content. Using this trick, and with a bit of guesswork, hackers found that navigating to addresses such as file:///disc0:/ would display the files on the UMD, which led to the discovery of the PSP's executable format, the EBOOT. Using a dumped PSP system ROM image and the knowledge gained from the Wipeout disc, the layout of the executable format was successfully reverse-engineered by the hacker "NEM" and the "Saturn Expedition Committee".

In May of the same year, PSPs running firmware version 1.00 were found to execute unsigned code packed in the same format as Wipeout's EBOOT.BIN, but loaded from the /PSP/GAME folder on a Memory Stick. This meant that PSPs could be used to run homebrew software, as this firmware revision had no mechanism to check whether the code had been digitally signed by Sony (much as the first revisions of the PlayStation and PlayStation 2 lacked security features). A proof-of-concept "Hello World" was released to demonstrate this. A number of homebrew programs followed, all built with GNU GCC and GNU Binutils modified to produce code for the PS2 and PSP (MIPS processor devices).

In addition, it became possible to dump Universal Media Discs (UMDs) using a homebrew technique. These dumped UMD images can be written to a Memory Stick Duo and executed, performing in exactly the same way as if they were being read from a UMD.

1.50 homebrew

It was discovered in June 2005 that unsigned code could also be run on firmware version 1.50. The discovery allowed early US PSP adopters to run homebrew, which quickly led to articles appearing in the mainstream press.

Two ways were developed to run unsigned code: first through an exploit known as "Swaploit", and later via the safer "KXploit".

Swaploit

Swaploit was released on June 15, 2005. It was created by a Spanish team and involved swapping between two Memory Sticks at the launch of a game, before it crashed with an error, in order to run the selected homebrew. There were reports of Memory Sticks failing with this method, but none have been verified.

KXploit

Developed by the Spanish hacker Killer-X, KXploit exploited a misuse of the sprintf function in the PSP firmware by creating a second folder with exactly the same name plus a percentage sign at the end (e.g. game and game%). The percentage folder contained nothing but images and a PARAM.SFO. The folder without the % contained only a DATA.PSP renamed to EBOOT.PBP, the file containing the code. The problem with this exploit was that a "corrupted data" entry appeared on the Memory Stick alongside the normal entry. This was because the PSP would only recognise the program that had a PARAM.SFO in it, the one inside the % folder; the folder holding just the program data was shown as corrupted. However, this was shortly overcome by two tricks. One exploited the FAT16 file system of the Memory Stick, and the other involved putting __SCE__ before the name of the corrupted folder and %__SCE__ before the name of the normal folder (with the trailing percentage sign removed). Both tricks hid the corrupted entry, because the non-% folder became invisible to the PSP, while still allowing the EBOOT to be run. Many tools exist, such as PSP Brew, Sei PSP Tool and others, that automatically hide the corrupted data and organise previously installed programs.
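The defect class behind KXploit, as an added illustration that is not PSP firmware code and not from this wiki: a path builder that lets an attacker-controlled folder name become part of the format string, next to a hardened builder that only ever passes the name as a `%s` argument. The page only says that sprintf was misused, so `model_format()` is a hypothetical stand-in for the firmware routine and assumes that a `%` which does not start a valid conversion is silently dropped; under that assumption `game%` resolves to the same EBOOT.PBP as `game`.

```c
#include <stdio.h>
#include <string.h>

/* Minimal formatter standing in for the firmware's sprintf (an assumption,
 * not the real routine). It supports only %s and %%; any other '%'
 * sequence loses the '%' and the following character is copied literally. */
static void model_format(char *out, size_t n, const char *fmt, const char *arg)
{
    size_t o = 0;
    for (const char *p = fmt; *p && o + 1 < n; p++) {
        if (*p != '%') { out[o++] = *p; continue; }
        p++;
        if (*p == 's') {                      /* copy the argument */
            for (const char *a = arg; *a && o + 1 < n; a++) out[o++] = *a;
        } else if (*p == '%') {
            out[o++] = '%';
        } else if (*p) {
            out[o++] = *p;                    /* unknown spec: '%' is lost */
        } else {
            break;                            /* trailing '%' */
        }
    }
    out[o] = '\0';
}

/* VULNERABLE pattern: the folder name read from the Memory Stick is first
 * spliced into a string that is then used as the FORMAT, so a '%' in the
 * name changes which file is resolved ("game%" -> ".../game/EBOOT.PBP"). */
void path_vulnerable(const char *folder, char *out, size_t n)
{
    char fmt[128];
    snprintf(fmt, sizeof fmt, "ms0:/PSP/GAME/%s/EBOOT.PBP", folder);
    model_format(out, n, fmt, "");           /* untrusted data as format */
}

/* HARDENED: the name is only ever a %s argument, and names containing '%'
 * or '/' are rejected, so the entry shown in the menu is the file that is
 * actually loaded. Returns 0 on success, -1 if the name is rejected. */
int path_hardened(const char *folder, char *out, size_t n)
{
    if (strchr(folder, '%') || strchr(folder, '/')) return -1;
    model_format(out, n, "ms0:/PSP/GAME/%s/EBOOT.PBP", folder);
    return 0;
}
```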

No-KXploit Patch

Some users and developers of homebrew complained about needing the secondary folders for homebrew and about the corrupted icons that were shown. While there are ways to hide the icons, they are considered a nuisance. One piece of homebrew, called the No-KXploit patch, modified the PSP's firmware in memory (in RAM), allowing non-KXploited homebrew to be executed directly. The No-KXploit patch itself uses KXploit in order to run.

The patch does not modify the firmware of the PSP or write to the flash (specifically flash0). It is now (mostly) rendered obsolete by custom firmware, which is designed to allow the execution of homebrew.

1.51 and 1.52 homebrew

For slightly over two years there was no method of launching homebrew on firmwares 1.51 and 1.52. Later, downgraders were released for versions lower than 2.71. After a short time Sony released a new firmware that prevented these from working, and from then on there were no known exploits to downgrade firmware versions up to 3.03. After a while this too was exploited, using the GTA save data exploit. Once again Sony released a firmware to prevent it, and once again no one could run homebrew. After a little while this changed yet again with the new Illuminati exploit (23 June 2007). The Illuminati exploit worked on all firmwares, as it is launched from the Lumines UMD, which will play on all firmwares between 1.50 and 3.50. Firmware 3.51 was released shortly after the exploit was discovered, and users soon found that Sony had removed the vulnerability.

Before the Illuminati exploit was found there were many rumours about running homebrew which were claimed as fact, usually involving the DATA.PSAR file from an official update to 1.51 or 1.52. However, nothing came from these rumours.

2.00 homebrew

Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, decided to release an update with features that would give people an incentive to update. The main feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20, 2005. The Japanese version of the update was released a week later, on June 27, 2005. In addition to a web browser, it also had support for high-quality MPEG-4 AVC video and the ability to change the wallpaper. As 2.00 contained a web browser, it became possible to write programs that took advantage of the PSP's HTML rendering ability and its newfound ability to connect to a server over a wireless network.

On September 23, 2005, an exploit was discovered, a buffer overrun in the image rendering libraries, allowing execution of an unsigned binary file. The method involved the user placing a TIFF file in their photo directory. When the Photo menu was accessed, the binary file was loaded.

Two days later, the first "Hello World" program was released. The size of the binary was limited to 64kb, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before any kind of homebrew software could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".

A PSP developer by the name of Fanjita created a program called eLoader using the same exploit as the MPH Downgrader, which allowed the user to run unsigned user mode homebrew launched from a menu. This was an alternative to downgrading the PSP to 1.5 using the MPH Downgrader.

Soon after, a new TIFF exploit was found that works with all firmwares up to 2.80.

2.01 - 2.60 homebrew

Moving quickly to fix this exploit, Sony released the version 2.01 firmware on October 3, 2005. This was only a security update and offered no new features.

On September 28, 2005, Cheat Device was released for GTA: Liberty City Stories, which exploited a memory bug during saving. It ran behind Liberty City Stories, allowing various modifications to the game, such as infinite health and the ability to "spawn" any of the vehicles in the game. Based on the proof of concept provided by the Cheat Device, a "Hello World" program was created in December 2005. A day later, the first playable homebrew for version 2.01 was released, titled "Tetris for Firmware 2.01".

Two days later, the exploit was released for the 2.60 firmware, leading to the creation of Tetris for versions 2.50 and 2.60. A developer's kit was later released. In January 2006, an EBOOT Loader for 2.01+ and then a version of the eLoader supporting version 2.60 were released. WiFi connectivity was added on April 2, 2006, thanks to the discovery of a function that allowed the eLoader to initialise WiFi without kernel mode.

On June 27, 2006, another exploit was discovered in the 2.50 and 2.60 firmware that allowed for kernel mode to be utilized. GTA: Liberty City Stories is still required. The exploit takes advantage of another buffer overflow bug that was added when Sony included an additional security check in the 2.50 firmware.

Furthermore, during June 2006, Rockstar started shipping a version of GTA:LCS that patches the memory bug. The patched UMD also contains a compulsory upgrade to firmware 2.60. In the PAL regions it was accompanied by a change of serial number and graphical layout.

On 21 August 2006 it was announced that homebrew was possible on 2.00-2.80 by loading a TIFF image. This made it possible to launch homebrew on 2.00-2.60 with full kernel access, without GTA:LCS. Contrary to popular belief, the TIFF exploit itself does not allow code to be executed in kernel space; it relies on the sceKernelLoadExec exploit present in 2.50-2.71, which is why 2.80+ cannot use it for kernel access.

On 5 September 2006, an EBOOT loader that does not require GTA:LCS, and uses the new TIFF exploit, was released for the 2.00-2.60 firmwares. It still has the same compatibility rate as previous loaders, due to the user mode limitations.

2.70 - 2.71 homebrew

On 25 April 2006, Sony released firmware version 2.70, which was believed to have patched the exploit in the GTA savegame. The libtiff exploit discussed below now covers 2.00-2.80, allowing homebrew to be executed. With 2.70 came Macromedia Flash support, and hence a number of PSP Flash games have been created. Various Flash portals have also been released to allow Flash games and applications to be run easily without adding them to bookmarks.

On 16 August 2006, a vulnerability in libtiff was found and a proof of concept program was released. This new exploit opened the door for firmware 2.00 through 2.80 to run homebrew, and the Noobz team made a homebrew loader (eLoader) for these firmwares using it.

In late August 2006, the first Hello World program working through the libtiff exploit was released. It runs in kernel mode on firmwares up to 2.71, and user mode in 2.80. Throughout September 2006, hackers released downgraders and homebrew loaders for firmware version 2.71.

2.80 homebrew

On 12 September 2006, Tetris for firmware 2.80 was released along with an SDK, Tetris being the first homebrew available on 2.80. This was followed just hours later by TIFF Pong (edited one day later), and two days later by more TIFF homebrew. Later the Noobz team released eLoader v0.995 "Kriek" with 2.80 support, alongside xLoader, allowing homebrew EBOOTs to run on 2.80 firmware PSPs.

On 20 December 2006, a new exploit that unlocks kernel access in 2.80 was found by Team C+D and a proof of concept program was released.

So far, homebrew can only be run using a port of the HEN (Homebrew Enabler) for 2.80 firmware, eLoader v0.995 "Kriek" or later, or xLoader, which patches the PSP to launch homebrew directly from the XMB Game Menu. A downgrader has also been created for this firmware.

2.81 - 3.03 homebrew

On 25 January 2007, a user-mode exploit was discovered affecting all PSP firmwares from 2.00 to 3.03. A "Hello World" application, called the Goofy Exploit, was subsequently released by the Noobz team, proving that unsigned code could be run on a 2.81+ PSP. The exploit requires an unpatched copy of Grand Theft Auto: Liberty City Stories. It is a variation of the old LCS exploit: Sony's patch only covered save slots 0 to 7, but auto-load also loads save games in slots 8 and 9, so the same exploit works if the save is stored in either of those two slots.

On 28 January 2007, the Noobz team released the 3.03 HEN for 3.03 users who did not wish to downgrade but wanted the benefits of homebrew on a 3.03 system. This also requires an unpatched Grand Theft Auto: Liberty City Stories UMD. To check whether a copy of Grand Theft Auto: Liberty City Stories is unpatched, place the UMD in the drive and select the update option under the UMD icon. If it says 2.00, the copy is unpatched; if it shows anything else, it is patched.

3.10 - 3.50 homebrew

On 23 June 2007, a new exploit that works on all firmwares up to 3.50, called the "Illuminati exploit", was found. This exploit requires a copy of the game Lumines to work (http://www.noobz.eu/joomla/news/beware-of-the-illuminati.html). Three days later, Noobz made a downgrader that also needed Lumines. Japanese versions of Lumines have been patched and include the 3.51 firmware update (http://www.noobz.eu/joomla/news/has-lumines-been-patched.html).

3.51+ homebrew

Pandora's Battery and Despertar del Cementerio v1 were released in mid-2007. The mechanics were simple: the Pandora's Battery was an ordinary battery with the serial code in its EEPROM changed to 0xFFFFFFFF (Service Mode). In Service Mode, the PSP boots from the Memory Stick as its primary source. This allowed users to downgrade any firmware to 1.50. Soon afterwards, Dark_AleX (now known as Team M33) released 3.51 M33. Until his official release of 3.52 M33, he created seven updates that patched 3.51 M33, consisting of small fixes for various errors. Within two months of releasing 3.52 M33, he had created four updates, the fourth producing one of the most stable and popular custom firmwares since 3.40 OE-A.

Around this time, Sony unveiled the PSP-200x series (PSP Slim). It came standard with 3.60 firmware. Since the new model did not support any homebrew applications, it could not be downgraded just yet. When Sony released 3.71 firmware, Dark_AleX went to work and created Despertar del Cementerio v3. This version of Pandora's Battery allowed any PSP, regardless of model, region or firmware, to be upgraded to 3.71 M33-2. Today there are over six different versions of Pandora's Battery, varying in GUI, features and built-in homebrew apps, all built on top of Despertar del Cementerio v3.

Dark_AleX has also released 3.80 M33, which supports various new features from the official Sony firmwares as well as his own additions. The Internet Radio from the official 3.80 firmware works on 3.80 M33. The PS3 connectivity plugins, premo_plugin.prx and premo_plugin.rco, can now be used to connect to a PS3 with firmware 2.10, without the 3.71/3.72/3.73 or 3.80 PS3 plugins that firmware 3.71 M33 required. The new firmware 3.80 M33 also supports downloading official M33 updates via the System Software Update feature on the PSP XMB, previously used only for Sony firmware updates.