Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 20: Line 20:


== PSP Game Savedata ==
== PSP Game Savedata ==
=== Savedata protections ===
Most PSP games have a common encryption system whose encryption key is per-game. The encrypted savedata is often named DATA.BIN. The per-game key can be dumped using a plugin on an actual PSP: SGKeyDumper by qwikrazor87. The savedata can be decrypted on PC using [https://github.com/38-vita-38/psp-save psp-save by 38-vita-38] or [https://github.com/cielavenir/psp-savedata-endecrypter psp-savedata-endecrypter by popsdeco/cielavenir] or [https://github.com/BrianBTB/SED-PC SED-PC by BrianBTB] or on PSP using [https://github.com/bucanero/apollo-psp Apollo Save Tool (PSP) by bucanero] or SED (Savegame Encrypt/Decrypt).
Some PSP games have an additional encryption applied to their savedata. This system was already present in some PlayStation and PlayStation 2 games:
* Tekken 2 and 3 for PS1.
* Bandai Namco Entertainment used a previously unknown feature of PS2 memory cards (per sector encryption on flash raw sectors) to protect the quest data memory card on the System 246 version of Soul Calibur 2 Arcade game. One cannot move the save data from one memory card to another because the game uses the per card crypto seed.
See also [https://github.com/bucanero/save-decrypters/] and [https://community.wemod.com/t/philymasters-security-archive/3923]
Some games store digests in the savedata to ensure integrity.
==== Tekken 6 ====
The first 0x20 bytes of MAINDATA.SAV, GHOST.SAV and REPLAY.SAV of PS3 Tekken 6 are not encrypted and are a sort of header. They contain filesize and maybe digest. The remaining data in the files are encrypted with an unknown algorithm (maybe AES128 with a per-console key based on eid0).
MAINDATA.SAV of PSP Tekken 6 is fully encrypted without any header. The game calls [[Kirk]] command 5 to encrypt/decrypt savedata with a key derived from per-console [[Fuse ID]]. This file can be decrypted on PC with the command <code>psp-save -d KEY.BIN 5 MAINDATA.SAV MAINDATA_DEC.SAV</code> where KEY.BIN is the per-console key. This per-console key can be dumped using Apollo Save Tool (PSP) or derived from the console's [[Fuse ID]].
==== Gladiator Begins Demo ====
==== Gran Turismo ====
==== Invizimals ====
Invizimals PSP game stores a checksum in its savedata. It also maybe encrypts it (to check).
https://github.com/bucanero/save-decrypters/tree/master/invizimals-checksum-fixer
==== SOCOM U.S. Navy SEALs games ====
Custom savedata encryption may concern the following PSP games:
* SOCOM U.S. Navy SEALs: Fireteam Bravo
* SOCOM U.S. Navy SEALs: Fireteam Bravo 2
* SOCOM U.S. Navy SEALs: Fireteam Bravo 3
* SOCOM U.S. Navy SEALs: Tactical Strike
==== Patapon 3 ====
https://github.com/bucanero/save-decrypters/tree/master/patapon3-decrypter
==== Monster Hunter games ====
Monster Hunter PSP and Nintendo 3DS games use a custom encryption system and a custom SHA1 integrity hash. It concerns the following games and DLCs:
* Monster Hunter Freedom Unite (ULUS10391/ULES01213)
* Monster Hunter Portable 2nd G (ULJM05500)
* Monster Hunter Portable 3rd (ULJM05800)
* Quests - MH Freedom Unite (ULUS10391/ULES01213)
* Quests - MH Portable 2nd G (ULJM05500)
* Quests - MH Portable 3rd (ULJM05800)
https://github.com/bucanero/save-decrypters/tree/master/monsterhunter-decrypter
=== Blacklisted games ===
Here is the list of blocked exploits extracted from the blacklist of the PSP emulator of the PS Vita. See also the [https://www.psdevwiki.com/vita/Blacklists PS Vita dev wiki].
<pre>
TODO
</pre>
=== Electronic Arts Games ===
According to Jeerum (2010), every EA game on PSP gets a buffer overflow if you try hard enough: insert 1 kB or 2 kB into your profile name in the save data.
See https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games%3A_2000%E2%80%932009 and https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games:_2010%E2%80%932019 .


=== Before PS Vita era ===
=== Before PS Vita era ===


==== Grand Theft Auto: Liberty City Stories UMD (and the Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====
==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====


Discovered by Edison Carter, Fanjita and n00bz in 2006.
Discovered by Edison Carter.


There is a stack buffer overflow in the savedata processing of GTA LCS. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.
The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.


Sony quickly patched this vulnerability with a firmware update, and released a "new" version of the game that required to install the patched System Software. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP history that an exploited game got a UMD update.
The Exploit was patched in a second batch of UMD prints.


Germany version:
Germany version:
Line 113: Line 47:


Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.
Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.
This vulnerability got reused a second time by Noobz on 2007-01-25, in what was called the Goofy exploit, as it was discovered that Sony had incorrectly patched the vulnerability.
https://web.archive.org/web/20081212045551/http://www.noobz.eu/joomla/news/sony-goofed-again-hello-world-on-all-v2.0-3.03-firmwares.html


==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ====
==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ====


On 2007-06-23, Noobz, with the help of Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, when Archaemic was trying to feed random data to the game.
==== Gripshift by Matiaz: PSP <= 5.02?-5.03?. Patched 5.05 ====


https://web.archive.org/web/20080115210003/http://www.noobz.eu/joomla/news/beware-of-the-illuminati.html
==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ====
 
==== Gripshift by MaTiaZ: PSP <= 5.02?-5.03?. Patched 5.05 ====
 
* released by MaTiaZ on 2009-01-01.


There is a buffer overflow vulnerability in the player’s name, by editing the game’s save data.
==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP <=? ====


https://web.archive.org/web/20090121190410/https://lan.st/showthread.php?t=1867
2009-07-10
 
==== Medal Of Honor Heroes by kgsws: PSP <=?5.51? ====
 
* first version (requires connection between 2 PSPs) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-06
* second version (does not require online) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-09
* Medal Of Honor Heroes 2 is maybe affected too.
 
https://www.youtube.com/watch?v=VqTjvtfCnXc


https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/
https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/


https://www.brewology.com/downloads/download.php?id=9900
https://www.brewology.com/downloads/download.php?id=9900
https://www.dcemu.co.uk/vbulletin/threads/223571-New-Exploit-MOHH-(Medal-of-Honor-Heroes)-THIS-VERSION-DOESN-T-WORK


https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit
https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit
https://forums.exophase.com/threads/new-psp-homebrew-medal-of-honor-heroes-exploit-v2.17461/
==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ====
https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/2010/03/29/way-to-keep-a-secret-malloxis/
==== Everybody's Golf and variants: PSP <=?6.31? ====
* Everybody's Golf Portable (みんなのGOLFポータブル, Minna no Gorufu Pōtaburu), known as Everybody's Golf in the PAL region and Hot Shots Golf: Open Tee in North America, is the first game of the series released for PlayStation Portable.
* Everybody's Golf Portable 2 (みんなのGOLF ポータブル2, Minna no Gorufu Pōtaburu Tsū), known as Everybody's Golf 2 in the PAL region (Australian version titled Everybody's Golf: Open Tee 2) and Hot Shots Golf: Open Tee 2 in North America, is the second game of the series released for PlayStation Portable.
* Everybody's Stress Buster and Hot Shots Shorties are maybe vulnerable.
* Discovered by J416DY on 2010-08.
* https://wololo.net/talk/viewtopic.php?f=3&t=51
==== Hot Shots Golf and variants ====
Hot Shots Golf, Hot Shots Golf 2, Hot Shots Golf - Non-Greatest Hits
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews.
https://wololo.net/talk/viewtopic.php?f=3&t=51
==== Minna no Golf and variants ====
Minna no Golf, Minna no Golf 2, Minna no Golf 2 - The Best
https://wololo.net/talk/viewtopic.php?f=3&t=51
==== Minna no sukkiri and variants by Jeerum: PSP <= ?6.35? ====
* Minna no sukkiri, Minna no sukkiri demo
* Discovered and exploited by Jeerum (2010-12-19). It had been found before Jeerum by at least Darxploit, Flyer, minomushi, some1. These people made the move of keeping this as secret as possible, and contacting mamosuke, j416, JJS, m0skit0, and wololo in order to discuss release plans.
https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/talk/viewtopic.php?t=1032
==== Carol Vorderman's Sudoku by Jeerum: probably not patched ====
* Discovered and exploited by Jeerum (2011-01-06).
* [https://github.com/ChampionLeake/SudokuSTACK implementation by ChampionLeake (2019-04-22)]
* The PS2 version of this game is also vulnerable.


=== During PS Vita era ===
=== During PS Vita era ===
Line 294: Line 165:


==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====
==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====
==== Pursuit Force and Pursuit Force - Extreme Justice: <= ?2.61?. Patched 3.00 ====
According to the PS Vita blacklist, Pursuit Force games savedata vulnerabilities are exploitable on some PS Vita System Software versions < 3.00.


==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====
==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====
Line 345: Line 212:
==== MyStylist: <= 3.15 ====
==== MyStylist: <= 3.15 ====


==== Skate Park City by freakler: <= 3.15. Patched 3.18 ====
==== Skate Park City: <= 3.15. Patched 3.18 ====
 
Exploited by freakler in 2014, then patched since PS Vita System Software version 3.18.


==== Space Invaders Extreme: <= 3.18 ====
==== Space Invaders Extreme: <= 3.18 ====
Line 359: Line 224:
==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====
==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====


Discovered in 2010 by anonymous and around 2014-09-12 by qwikrazor87.
Discovered around 2014-09-12 by qwikrazor87.
 
It is fairly easy to get this exploit to work as it is a buffer overflow in the player's name.
 
The savedata in Gladiator Begins Demo only work on the PSP that created them.


https://wololo.net/talk/viewtopic.php?t=39771
https://wololo.net/talk/viewtopic.php?t=39771
Line 377: Line 238:
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/


==== Patapon: <= 3.18 ====
==== Patapon 1: <= 3.18 ====


==== Talkman Travel: Tokyo: <= 3.18 ====
==== Talkman Travel: Tokyo: <= 3.18 ====
Line 388: Line 249:


==== Patapon 2 non-demo (UCES01177): <= 3.36 ====
==== Patapon 2 non-demo (UCES01177): <= 3.36 ====
https://wololo.net/talk/viewtopic.php?f=3&t=51


https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/
https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/
Line 410: Line 269:


==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====
==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====
There is a classical buffer overflow exploit in the player's name. This exploit was found in parallel be several people in 2010. This game is really easy to exploit (see the [https://wololo.net/2010/02/27/writing-a-binary-loader/ tutorial]).
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews.


==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====
==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====
Line 419: Line 274:
https://code.google.com/archive/p/valentine-hbl/source/default/source
https://code.google.com/archive/p/valentine-hbl/source/default/source


==== God of War - Ghost of Sparta by sockse and qwikrazor87: <= ?3.52? ====
==== Puzzle Scape: <= 3.52 ====
 
Exploited by sockse and qwikrazor87 in 2014.
 
==== Fight Night Round 3 by sockse and qwikrazor87: <= ?3.52? ====
 
Exploited by sockse and qwikrazor87 in 2014.
 
==== Hero of Sparta (PSP Minis) by sockse and qwikrazor87: <= ?3.52? ====
 
Exploited by sockse and qwikrazor87 in 2014, then patched.
 
==== Echoes (PSP Minis) by sockse: <= ?3.52? ====
 
Exploited by sockse in 2014, then patched.
 
==== Puzzle Scape by sockse and qwikrazor87: <= 3.52 ====
 
Exploited by sockse in 2014, then patched, then exploited in a different way by qwikrazor87 again in 2014.


==== World of Pool, Pool Hall Pro: <= 3.52 ====
==== World of Pool, Pool Hall Pro: <= 3.52 ====
Line 445: Line 282:
https://github.com/173210/psp_exploits/
https://github.com/173210/psp_exploits/


==== Field Commander by sockse: <= ? ====
=== After PS Vita era ===


Discovered in 2014 by sockse.
==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====


==== Mega Man Powered Up or Rockman Rockman: <= ? ====
https://github.com/ChampionLeake/scrabblehax
 
* Disclosed by 173210 on 2015-09-05.
* https://gist.github.com/173210/d086cf9074c714c1b737
* https://gist.github.com/173210/90103a9547381ce380ab
* https://gist.github.com/173210/e8f8119534f1fc87a89d
 
=== After PS Vita era ===


==== Scrabble by sockse and ChampionLeake: probably not patched, 2018-05-17 ====
==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====


Discovered by sockse (see [https://web.archive.org/web/20230429162635/https://wololo.net/talk/viewtopic.php?t=39756 writeup by sockse (2014-09-16)]) then patched on PSP but exploited in a different way later by ChampionLeake.
https://github.com/ChampionLeake/SudokuSTACK
 
https://github.com/ChampionLeake/scrabblehax


=== Remarks ===
=== Remarks ===
Line 475: Line 303:


== PS1 Game Savedata ==
== PS1 Game Savedata ==
=== Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===
Discovered around 2014-04-08 by qwikrazor87 and vonjack.
Maybe not exploitable.


=== Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===
=== Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===
Line 570: Line 392:
== Unclassified usermode vulnerabilities ==
== Unclassified usermode vulnerabilities ==


=== Puzzle Bobble ===
=== PsOneLoader by TheFloW ===


The Japanese version of Puzzle Bobble was compiled in debug mode, allowing hackers to retrieve some interesting information, such as function names, that were later on used in the scene’s PSP SDK. In 2005, this was one of the first steps to getting homebrews on the PSP.
https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/


https://forums.ps2dev.org/viewtopic.php?t=2081
== System ==


=== PsOneLoader by TheFloW ===
=== libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 ===
 
Discovered on 2005-09-23 by Niacin and Skylark.


https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/
The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute userode code.


== System ==
Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.


=== libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 ===
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit


Discovered in 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.
=== libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 ===


https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World
Discovered in 2006-09.


https://wololo.net/2009/04/13/eggsplanations/
Implemented in Kriek eLoader and xLoader by Team N00bz.


https://www.youtube.com/watch?v=wV21QqQmX_o
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit


=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 ===
=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 ===
Line 602: Line 426:
https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/
https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/


=== libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 ===
=== libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 ===


Discovered in 2006-09.
Discovered in 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.


Implemented in Kriek eLoader and xLoader by Team N00bz.
https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World


https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit
https://wololo.net/2009/04/13/eggsplanations/


=== libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 ===
https://www.youtube.com/watch?v=wV21QqQmX_o
 
Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta.
 
The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute userode code.
 
Implemented in downgraders (like MPH downgrader from 2.00 to 1.50) and eLoader by Fanjita.
 
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit
 
[https://web.archive.org/web/20060130220231/http://sunkone.cja.net/psp/loader2/README.txt] -> cjb
 
https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf


=== Unsigned System PRX allowed: PSP <= 6.20 ===
=== Unsigned System PRX allowed: PSP <= 6.20 ===
Line 634: Line 446:
Fixed: since PSP System Software version 6.30.
Fixed: since PSP System Software version 6.30.


=== Old System PRX allowed: PSP any version ===
=== Old System PRX allowed ===


Discovered around 2005.
Discovered around 2005.
Line 655: Line 467:


Fixed: no.
Fixed: no.
=== Fixed syscall numbers: PSP <= ?6.50? ===
On PSP System Software version below 6.60, you could guess the syscall number for any kernel export, allowing you to call any syscall without having the resolved stub readily available.
Fixed on PSP System Software version 6.60 or just before. On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore.
=== qwikTrick (or Perfect Syscalls) by qwikrazor87: PSP/PS Vita any version ===
Discovered by qwikrazor87 around 2013 but independently discovered by others before, probably in 2011. Released by Acid_snake on 2023-10-15.
On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore. Therefore hackers became restricted to the functions imported by the application they exploited. This led to limited kernel function access (less chances of triggering a kernel bug) and it also drastically reduced V/HBL compatibility.
If you load a utility module, which loads a prx in user space, you can have a background thread that changes the PRX's stubs table to whichever imports you want. It relies on a race condition so you have to run the code a few times until it works. Eventually you can resolve whatever kernel export even if the original game did not have it.
This exploit was very useful since most Minis games (main attack vector back in time) had limited imports. Team OILIX never released it because they wanted to keep it in case they came across a kernel exploit on some obscure function that not a lot of games import. Also because by then VHBL was already abandoned and everyone wanted eCFW (ARK, TN) instead so making VHBL have perfect syscalls for better compatibility was a waste for this hack. In hindsight it was a bad decision since Team OILIX never actually used the function because soon after was figured out how to craft PBOOT.PBP for PS Vita with any desired imports.
https://github.com/PSP-Archive/ARK-4/blob/add6c946b4bab17ed7488114ccda3357ea42e0f2/common/utils/imports.c#L91


= Kernel =
= Kernel =


== UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==
== kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.74 ==
 
Exploiting this bug is straightforward:
1) Plant a fake UID object into kernel.
2) Encode this UID object.
3) Delete the UID object.
 
Basically, what you can do with this primitive is overwriting a function pointer in kernel and make it pointing to some function in usermode instead. Then, we can invoke it and run our code in kernel mode.
 
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion
 
=== sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita <= 3.74 ===


https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion
Line 697: Line 480:
It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.
It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.


=== sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita <= 3.50 ===
== kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 ==
 
Discovered around 2014-10-20 by qwikrazor87.
 
After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR’ing uid->uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective. As you’d have to plant 2^32 different UID object’s to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.
 
https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt
 
=== Stack Pointer UID plant kexploit by qwikrazor87: PS Vita <= ?3.50? ===
 
Discovered around 2014-01-29 by qwikrazor87.
 
The exploit steps are:
1) Execute assembly that does saves context.
2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.
3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.
4) Execute assembly that does something.
5) Free the evil UID 0x05FEF601 at using sceKernelFreePartitionMemory.
6) Execute assembly that restores context.
7) Call the hijacked function _sceKernelLibcTime.
 
=== sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita <= ?3.50? ===
 
Discovered around 2014-01-03 by qwikrazor87.
 
Call sceIoOpen many times to corrupt an UID then free the UID using sceKernelFreePartitionMemory.
 
=== sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita <= ?3.50? ===
 
Discovered around 2013-10-15 by qwikrazor87.
 
== Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 ==


https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition
https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition
Line 742: Line 494:
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]


== _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita <= 3.50 ==
== Free kexploit by qwikrazor87: PS Vita <= 3.50 ==


Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).
Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).
Line 752: Line 504:
https://pastebin.com/Sdz0XPRg
https://pastebin.com/Sdz0XPRg


== _sceUsbGpsGetData kernel write kexploit by sockse, qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
== sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita <= 3.50 ==
 
Discovered around 2014-10-20 by qwikrazor87.
 
https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt
 
== _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==


Discovered around 2014-01-29 by sockse, qwikrazor87 and Acid_snake. See [https://web.archive.org/web/20230429162635/https://wololo.net/talk/viewtopic.php?t=39756 writeup by sockse (2014-09-16)].
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.


Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.
Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.


== _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==
== Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
 
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.
 
The exploit steps are:
1) Execute assembly that does saves context.
2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.
3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.
4) Execute assembly that does something.
5) Free the evil UID 0x05FEF601 at using sceKernelFreePartitionMemory.
6) Execute assembly that restores context.
7) Call the hijacked function _sceKernelLibcTime.
 
== _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==


Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.
Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.


In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel.
In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel.
== sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.
Call sceIoOpen many times to corrupt an UID then free the UID using sceKernelFreePartitionMemory.


== sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
== sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==


Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.
Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.


== sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= 3.36 ==
== sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= 3.36 ==
Line 778: Line 555:
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c


== _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita <= 3.20 ==
== _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita <= 3.20 ==


Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. Implemented in TN-X by Total_Noob around 2014-04-22.
Discovered around 2013-12-12 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. Implemented in TN-X by Total_Noob around 2014-04-22.


There is a time-of-check to time-of-use exploit in chnnlsv.
There is a time-of-check to time-of-use exploit in chnnlsv.
Line 800: Line 577:
== _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
== _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==


Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.
Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.


There is a time-of-check to time-of-use exploit in chnnlsv.
There is a time-of-check to time-of-use exploit in chnnlsv.
Line 970: Line 747:


http://www.kingx.de/forum/showthread.php?tid=15275
http://www.kingx.de/forum/showthread.php?tid=15275
https://github.com/DaveeFTW/ChickHEN/blob/main/Launcher/main.c


This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after.
This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after.
Line 998: Line 773:


https://www.hitchhikr.net/Exploit_2.6.zip
https://www.hitchhikr.net/Exploit_2.6.zip
https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c
https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c


== reused index.dat key: PSP 2.00, 2.01 ==
== reused index.dat key: PSP 2.00, 2.01 ==
Line 1,027: Line 798:
Fixed: since PSP System Software version 6.35.
Fixed: since PSP System Software version 6.35.


= iplloader =
= Lib-PSP iplloader =


== NMI Backdoor ==
== NMI Backdoor ==
Line 1,039: Line 810:
Applicable to: None
Applicable to: None


Vulnerable: iplloader (all PSP bootrom versions, 0.7.0 and newer PSP DevKit Kbooti versions, PS Vita's PSP emulator bootrom)
Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)


The iplloader bootrom (present within Tachyon's IC package) as well as iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.
The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.


This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9


If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.
If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.


Below are the relevant pieces of code:
Below are the relevant pieces of code:
Line 1,060: Line 831:
</pre>
</pre>


This backdoor may allow an attacker performing a hardware based attack to set those values and gain iplloader time code execution.
This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution.


== Arbitrary IPL Load Address ==
== Arbitrary IPL Load Address ==
Line 1,072: Line 843:
Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.
Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.


iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations.
Lib-PSP iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations.


== Arbitrary IPL Entrypoint Address ==
== Arbitrary IPL Entrypoint Address ==
Line 1,082: Line 853:
Applicable to: IPL time code execution on 01g and 02g, used in Pandora
Applicable to: IPL time code execution on 01g and 02g, used in Pandora


Fixed: iplloader 2.6.0
Fixed: Lib-PSP iplloader 2.6.0


iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.
Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.


Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.
Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.
Line 1,100: Line 871:
Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.
Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.


iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block.
Lib-PSP iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block.


https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/
https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/


== iplloader assumes a block with the checksum 0 is the first IPL block ==
== Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==


Found by: C+D/Prometheus - Earliest discovery: 2006 Q4
Found by: C+D/Prometheus - Earliest discovery: 2006 Q4
Line 1,114: Line 885:
Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself.
Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself.


This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump iplloader.
This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.


== iplloader do not perform the XOR step when running in Jig/Service mode ==
== Lib-PSP iplloader do not perform the XOR step when running in Jig/Service mode ==


Found by: Mathieulh - Earliest discovery: 2019 Q1
Found by: Mathieulh - Earliest discovery: 2019 Q1


Introduced: iplloader 3.5.0
Introduced: Lib-PSP iplloader 3.5.0


Applicable to: Code execution on 3.5.0 iplloader without previous knowledge of the XOR key.
Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.


Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool
Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool


This is not so much a vulnerability as a poor design implementation.  
This is not so much a vulnerability as a poor design implementation.  


To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions.
To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions.


This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.
This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.


== iplloader clears the XOR key after doing a cache sync during normal execution ==
== Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==


Found by: Proxima - Earliest discovery: 2020-01-27
Found by: Proxima - Earliest discovery: 2020-01-27


Introduced: iplloader 3.5.0
Introduced: Lib-PSP iplloader 3.5.0


Applicable to: Dumping the iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability
Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability


Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool
Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool


3.5.0 iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C.
3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C.


In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000.
In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000.


While it may be possible that Tachyon 0x00600000 and later iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000)
While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000)


== Faulty ECDSA Hash Comparison ==
== Faulty ECDSA Hash Comparison ==
Line 1,158: Line 929:
Fixed: never
Fixed: never


Starting with Tachyon 0x00600000, iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature.
Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature.


This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.
This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.
Line 1,165: Line 936:


= General writeups =
= General writeups =
https://web.archive.org/web/20150919042153/https://playstationhax.it/forums/topic/1600-psp-and-psp-emulator-kernel-vulnerabilities-an-overview-chapter-1/


https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/
https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/
Line 1,175: Line 944:


https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP
https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP
<references />
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)