Editing Vulnerabilities

= Usermode =

== Exploits to sort ==

https://www.psdevwiki.com/psp/Homebrew_Enabler

https://en.wikibooks.org/wiki/PSP/Homebrew_History

https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table

https://www.psdevwiki.com/vita/Non-native_Exploits

https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png

https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/

https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

== PSP Game Savedata ==

=== Before PS Vita era ===

==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====

Discovered by Edison Carter.

The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.

The Exploit was patched in a second batch of UMD prints.

Germany version:
* ULES00182 - Unpatched - Contains 2.00 System Software update.

Europe (UK/EU) version:
* ULES00151 first batch - Unpatched - Contains 2.00 System Software update.
* ULES00151 second batch - Patched - Contains 2.60 System Software update.

North America (US) version:
* ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.
* ULUS10041 - Patched - Contains UPDL 010050 on the UMD.

* ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.

The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.

Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.

==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ====

==== Gripshift by Matiaz: PSP <= 5.02?-5.03?. Patched 5.05 ====

==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ====

==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP <=? ====

2009-07-10

https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/

https://www.brewology.com/downloads/download.php?id=9900

https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit

=== During PS Vita era ===

==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: <= 1.61 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/

==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: <= 1.61. Patched 1.65 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/

==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: <= 1.67.  Patched 1.69?0?, 2014-11-10 ====

https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/

==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): <= 1.80. Patched 1.81 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/

==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: <= 1.81. Patched on 2.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/

==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: <= 1.81 ====

https://wololo.net/talk/viewtopic.php?f=56&t=36217

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: <= 1.81. Patched 2.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/

==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: <= 2.02. Patched 2.05 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/

==== Dissidia Duodecim: <= 2.05 ====

==== Apache Overkill by Tomtomdu80: <= 2.06 ====

==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: <= 2.12 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: <= 2.60. Patched 2.61 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====

==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====

==== Jewel Keepers: <= 2.61. Patched 3.00 ====

==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/

==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: <= 3.00 ====

https://wololo.net/talk/viewtopic.php?f=56&t=36217

==== Cubixx: <= 3.00. Patched 3.01 ====

==== Ben 10 Alien Force: Vilgax Attacks: <= 3.01. Patched 3.10 ====

==== King Of Pool by qwikrazor87: <= 3.01. Patched 3.10 ====

This game was exploited 4 times and fixed 4 times.

==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====

Not exploited.

==== 101-in-1 Megamix by xerpi: <= 3.01. Patched 3.10 ====

==== Fifa 2011, Fifa 2012: <= 3.01. Patched 3.10 ====

==== Persona 2: Innocent Sin, Persona 2: Tsumi: <= 3.01. Patched 3.10 ====

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: <= 3.01. Patched 3.10 ====

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 3.12 ====

==== MyStylist: <= 3.15 ====

==== Skate Park City: <= 3.15. Patched 3.18 ====

==== Space Invaders Extreme: <= 3.18 ====

==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: <= 3.18 ====

https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====

Discovered around 2014-09-12 by qwikrazor87.

https://wololo.net/talk/viewtopic.php?t=39771

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/

==== Vertigo (NPUH10092) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/

==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/

==== Patapon 1: <= 3.18 ====

==== Talkman Travel: Tokyo: <= 3.18 ====

==== Go! Sudoku (UCES00152): <= 3.30 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Darts: <= 3.36 ====

==== Patapon 2 non-demo (UCES01177): <= 3.36 ====

https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/

https://github.com/TheOct0/patapon_exploit

https://github.com/wololo-learning-journey/patapon_exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://wololo.net/talk/viewtopic.php?f=53&t=41343

==== Numblast: <= 3.36 ====

==== Hot Brain: <= 3.36 ====

==== Hatsune Miku: Project DIVA extend: <= 3.36 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====

==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Puzzle Scape: <= 3.52 ====

==== World of Pool, Pool Hall Pro: <= 3.52 ====

==== Metal Gear Solid Portable OPS+ by 173210: <= 3.57 ====

https://github.com/173210/psp_exploits/

=== After PS Vita era ===

==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====

https://github.com/ChampionLeake/scrabblehax

==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====

https://github.com/ChampionLeake/SudokuSTACK

=== Remarks ===

PSP demo are usually not exploitable because do not use the savedata feature. Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.

https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/

http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/

https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/

== PS1 Game Savedata ==

=== Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===

Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.

Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.

=== Tekken 2 by qwikrazor87 or Acid_snake ===

Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.

Implemented in TN-X by Total_Noob and qwikrazor87.

https://wololo.net/downloads/index.php/download/8275

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

=== Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===

Discovered around 2014-07-24 by qwikrazor87 or Acid_snake. Released on 2015-03-12 by Total_Noob.

Implemented in TN-X by Total_Noob and qwikrazor87.

https://wololo.net/downloads/index.php/download/8275

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

=== Castlevania Chronicles (NPUJ01384) by ChampionLeake ===

https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities

https://github.com/socram8888/tonyhax/issues/39

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Crash Bandicoot 3: Warped by ?alex-free? ===

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Exploitable PS1 games not available officially on PSP ===

Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].

== System ==

=== libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 ===

Discovered on 2005-09-23 by Niacin and Skylark.

The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute userode code.

Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.

https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit

=== libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 ===

Discovered in 2006-09.

Implemented in Kriek eLoader and xLoader by Team N00bz.

https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit

=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 ===

Discovered in 2008-08. Released on 2009-03-15.

https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/

https://www.youtube.com/watch?v=RUJnXADjxsw

https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/

=== libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 ===

Discovered in 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.

https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World

https://wololo.net/2009/04/13/eggsplanations/

https://www.youtube.com/watch?v=wV21QqQmX_o

=== Unsigned System PRX allowed: PSP <= 6.20 ===

Discovered in 2011 by kgsws.

When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than loading of a game. We can now sign our own vshmain and replace a step in the bootchain.

kgsws first demonstrated this bootchain injection back in 2011 and lead to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain which we cannot forge.

Fixed: since PSP System Software version 6.30.

=== Old System PRX allowed ===

Discovered around 2005.

It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.

Back to the SE/OE firmwares days, there was a 1.50 / 2.71 hybrid firmware.

Infinity 1 uses a built in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings.  In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.

Infinity 2 uses a signed usermode system PRX.

https://github.com/DaveeFTW/Infinity

https://infinity.lolhax.org/

https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/

The same vulnerability is present at least partially in PS3 even on latest System Software version. It allows to downgrade the WebKit version to exploit it.

Fixed: no.

=== POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===

There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.

This vulnerability only affects PSP's PS1emu memory card manager, not PS1, PS2, PS3 or PS4' PS1emu memory card managers.

= Kernel =

== kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.74 ==

https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion

https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c

It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.

== kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 ==

https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition

https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c

== VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==

[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]

== sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita <= 3.50 ==

Discovered around 2014-10-20 by qwikrazor87.

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt

== _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita <= 3.50 ==

Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c

https://pastebin.com/Sdz0XPRg

== sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c

== _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==

Discovered around 2014-04-05 by qwikrazor87.

There is a time-of-check to time-of-use exploit in chnnlsv.

https://twitter.com/qwikrazor87/status/510187344893607937

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt

https://pastebin.com/SE7UvPRR

https://github.com/173210/TN-Rev/blob/master/loader/main.c

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c

== _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita <= ?3.15? ==

Discovered around 2013-10-22.

https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c

== sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita <= ?2.11? ==

Dicovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.

There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing a too long string as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.

https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/

== 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita <= 2.02 ==

Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.

The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand the PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow back on PS Vita 1.81 SCE developpers went as far as fixing sceWlanGetEtherAddr without realising such vulnerabilities were plenty there, so the person who patched must have been someone else who did not believe such a fail could be. To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.

The 11 functions require an active WiFi connection.

Kernel write access:
<pre>
sceWlanDrv_lib_354D5D6B(char *dest); // kwrite
sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite
sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite
sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);
sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite
sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite
sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite
sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite
</pre>

Kernel read access:
<pre>
sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48
sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);
sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48
</pre>

https://www.twitlonger.com/show/kr81e0

https://wololo.net/talk/viewtopic.php?f=56&t=27532&start=40#p233947

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c

https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/

== kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita <= 2.01 ==

Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.

kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.

These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.

https://twitter.com/Yosh778/status/295355524818546688

https://www.twitlonger.com/show/kr81e0

== sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==

Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.

In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software <= 1.80 PSPemu it is not.

Because of lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita kermit_wlan.prx module, not PSP wlan.prx.

sceWlanGetEtherAddr does not require an active WiFi connection.

Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.

https://wololo.net/talk/viewtopic.php?f=23&t=12760

https://pastebin.com/TNWsEfHw

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c

== sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP <= 6.61 ==

Discovered in 2009 by davee. Released on 2022-11-03 by davee.

PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a 64-bit comparison, returning different values for a0 < a1, a0 == a1, and a0 > a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.

This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.

TBD: implementation by CelesteBlue

== sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP <= 6.61 ==

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c

PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 <= a1 and a0 > a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.

TBD: implementation by CelesteBlue

== sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP <= 6.61 ==

https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c

https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c

== sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==

Discovered by some1 then exploited by liquidzigong.

https://wololo.net/talk/viewtopic.php?t=6612

https://wololo.net/2011/05/23/6-38-downgrader-by-some1/

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/smiky/psptools/blob/master/kxploit/main.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==

https://lolhax.org/2010/12/23/arcanum/

https://wololo.net/talk/viewtopic.php?f=5&t=947

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==

https://wololo.net/talk/viewtopic.php?p=147730#p147730

https://wololo.net/talk/viewtopic.php?p=147732#p147732

== GEN/M33 contested wlan exploit: PSP <= 5.50 ==

?? Ask davee.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP <= 5.03 ==

By the lack of k1 checks, sceDRMInstallGetFileInfo allows to memset anywhere in kernel memory.

https://wololo.net/talk/viewtopic.php?p=2022

https://wololo.net/talk/viewtopic.php?p=2022#p2022

https://wololo.net/talk/viewtopic.php?f=5&t=242

http://www.kingx.de/forum/showthread.php?tid=15275

This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after.

This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why WhickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.

== Registry error store: PSP <= ?2.80? ==

According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user controlled address. Exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== Registry write access from usermode: PSP <= 2.60 ==

Since the registry is placed on flash1, it can be accessed by usermode.

== sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==

There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character ":" in that path, and calculates the length of the drive name from that (e.g. "ms0:"). It then copies the drive name onto the stack with strncpy.

The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like "sceKernelLoadExec") is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from 44th to 47th bytes). It starts by checking the first char of the string to see if it is an empty drive name, if it is not the routine extracts the part of the filename that contain the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by user is big enough, then it will overwrite the rest of the stack based values, like the return address for example. Hence why a drive name of 48 chars (+ an extra ':' char to let the loop ends) containing an address to an arbitrary position in memory (pointing to a function of ours for example) located from the 44th to 47th chars in the filename will allow us to run any code we want in the context of the executing routine (kernel mode) as when it ends, it reloads the return address from the stack and directly jumps to it.

In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. Look at sub_21E0 in 6.60 loadexec_01g.prx.

https://forums.ps2dev.org/viewtopic.php?t=6091

https://www.hitchhikr.net/Exploit_2.6.zip

== reused index.dat key: PSP 2.00, 2.01 ==

== swaptrick/kxploit: PSP <= 1.50 ==

This exploit involved either swapping memory stick after loading a valid ELF with one that contained an unsigned one or using the path hack.

== kernel flagged ELF: PSP <= 1.00 ==

== Remarks ==

https://www.pspx.ru/forum/showthread.php?t=97295

= IPL =

== Giraffe bug ==

Discovered in 2016 by davee.

There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32 bit size/offset field (lets call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. This inconsistency leads to the loading of an unencrypted PRX.

https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/

Fixed: since PSP System Software version 6.35.

= Lib-PSP iplloader =

== NMI Backdoor ==

Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Fixed: Never

Applicable to: None

Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)

The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.

This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9

If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.

Below are the relevant pieces of code:

<pre>
ROM:BFC00004                 lw      $v0, 0xBC100000             # store 0xBC100000 to $v0
ROM:BFC0000C                 bnez    $v0, loc_BFC00064           # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064
</pre>
<pre>
ROM:BFC00064                 cfc0    $v0, $9                     # store coprocessor $9 to $v0
ROM:BFC00068                 beqz    $v0, loc_BFC00078 $         # if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078
ROM:BFC0006C                 nop
ROM:BFC00070                 jr      $v0                         # jump to register $v0 (value initially set in coproc $9)
</pre>

This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution.

== Arbitrary IPL Load Address ==

Found by: C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the the decrypted IPL block that is cached at 0xBFC00000.

Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.

Lib-PSP iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations.

== Arbitrary IPL Entrypoint Address ==

Found by: C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Applicable to: IPL time code execution on 01g and 02g, used in Pandora

Fixed: Lib-PSP iplloader 2.6.0

Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.

Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.

https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/

== No minimum IPL block size ==

Found by: C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Applicable to: Pandora hack.

Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.

Lib-PSP iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block.

https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/

== Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==

Found by: C+D/Prometheus - Earliest discovery: 2006 Q4

Introduced: Tachyon 0x00140000 bootrom

Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.

Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself.

This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.

== Lib-PSP iplloader do not perform the XOR step when running in Jig/Service mode ==

Found by: Mathieulh - Earliest discovery: 2019 Q1

Introduced: Lib-PSP iplloader 3.5.0

Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.

Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool

This is not so much a vulnerability as a poor design implementation. 

To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions.

This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.

== Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==

Found by: Proxima - Earliest discovery: 2020-01-27

Introduced: Lib-PSP iplloader 3.5.0

Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability

Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool

3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C.

In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000.

While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000)

== Faulty ECDSA Hash Comparison ==

Found by: Davee - Earliest discovery: 2021-02-12

Introduced: Tachyon 0x00600000 bootrom

Applicable to: IPL code execution.

Fixed: never

Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature.

This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.

NOTE: For this to work, the block checksum of the inserted blocks has to be "forged" so that it matches the one of the previous block checksum

= General writeups =

https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/

https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/

https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit

https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP