Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 20: Line 20:


== PSP Game Savedata ==
== PSP Game Savedata ==
=== Savedata protections ===
Most PSP games have a common encryption system whose encryption key is per-game. The encrypted savedata is often named DATA.BIN. The per-game key can be dumped using a plugin on an actual PSP: SGKeyDumper by qwikrazor87. The savedata can be decrypted on PC using [https://github.com/38-vita-38/psp-save psp-save by 38-vita-38] or [https://github.com/cielavenir/psp-savedata-endecrypter psp-savedata-endecrypter by popsdeco/cielavenir] or [https://github.com/BrianBTB/SED-PC SED-PC by BrianBTB] or on PSP using [https://github.com/bucanero/apollo-psp Apollo Save Tool (PSP) by bucanero] or SED (Savegame Encrypt/Decrypt).
Some PSP games have an additional encryption applied to their savedata. This system was already present in some PlayStation and PlayStation 2 games:
* Tekken 2 and 3 for PS1.
* Bandai Namco Entertainment used a previously unknown feature of PS2 memory cards (per sector encryption on flash raw sectors) to protect the quest data memory card on the System 246 version of Soul Calibur 2 Arcade game. One cannot move the save data from one memory card to another because the game uses the per card crypto seed.
See also [https://github.com/bucanero/save-decrypters/] and [https://community.wemod.com/t/philymasters-security-archive/3923]
Some games store digests in the savedata to ensure integrity.
==== Tekken 6 ====
The first 0x20 bytes of MAINDATA.SAV, GHOST.SAV and REPLAY.SAV of PS3 Tekken 6 are not encrypted and are a sort of header. They contain filesize and maybe digest. The remaining data in the files are encrypted with an unknown algorithm (maybe AES128 with a per-console key based on eid0).
MAINDATA.SAV of PSP Tekken 6 is fully encrypted without any header. The game calls [[Kirk]] command 5 to encrypt/decrypt savedata with a key derived from per-console [[Fuse ID]]. This file can be decrypted on PC with the command <code>psp-save -d KEY.BIN 5 MAINDATA.SAV MAINDATA_DEC.SAV</code> where KEY.BIN is the per-console key. This per-console key can be dumped using Apollo Save Tool (PSP) or derived from the console's [[Fuse ID]].
==== Gladiator Begins Demo ====
==== Gran Turismo ====
==== Invizimals ====
Invizimals PSP game stores a checksum in its savedata. It also maybe encrypts it (to check).
https://github.com/bucanero/save-decrypters/tree/master/invizimals-checksum-fixer
==== SOCOM U.S. Navy SEALs games ====
Custom savedata encryption may concern the following PSP games:
* SOCOM U.S. Navy SEALs: Fireteam Bravo
* SOCOM U.S. Navy SEALs: Fireteam Bravo 2
* SOCOM U.S. Navy SEALs: Fireteam Bravo 3
* SOCOM U.S. Navy SEALs: Tactical Strike
==== Patapon 3 ====
https://github.com/bucanero/save-decrypters/tree/master/patapon3-decrypter
==== Monster Hunter games ====
Monster Hunter PSP and Nintendo 3DS games use a custom encryption system and a custom SHA1 integrity hash. It concerns the following games and DLCs:
* Monster Hunter Freedom Unite (ULUS10391/ULES01213)
* Monster Hunter Portable 2nd G (ULJM05500)
* Monster Hunter Portable 3rd (ULJM05800)
* Quests - MH Freedom Unite (ULUS10391/ULES01213)
* Quests - MH Portable 2nd G (ULJM05500)
* Quests - MH Portable 3rd (ULJM05800)
https://github.com/bucanero/save-decrypters/tree/master/monsterhunter-decrypter


=== Blacklisted games ===
=== Blacklisted games ===
Line 84: Line 32:


According to Jeerum (2010), every EA game on PSP gets a buffer overflow if you try hard enough: insert 1 kB or 2 kB into your profile name in the save data.
According to Jeerum (2010), every EA game on PSP gets a buffer overflow if you try hard enough: insert 1 kB or 2 kB into your profile name in the save data.
See https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games%3A_2000%E2%80%932009 and https://en.wikipedia.org/wiki/List_of_Electronic_Arts_games:_2010%E2%80%932019 .


=== Before PS Vita era ===
=== Before PS Vita era ===


==== Grand Theft Auto: Liberty City Stories UMD (and the Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====
==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====


Discovered by Edison Carter, Fanjita and n00bz in 2006.
Discovered by Edison Carter.


There is a stack buffer overflow in the savedata processing of GTA LCS. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.
The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.


Sony quickly patched this vulnerability with a firmware update, and released a "new" version of the game that required to install the patched System Software. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP history that an exploited game got a UMD update.
The Exploit was patched in a second batch of UMD prints.


Germany version:
Germany version:
Line 113: Line 59:


Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.
Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.
This vulnerability got reused a second time by Noobz on 2007-01-25, in what was called the Goofy exploit, as it was discovered that Sony had incorrectly patched the vulnerability.
https://web.archive.org/web/20081212045551/http://www.noobz.eu/joomla/news/sony-goofed-again-hello-world-on-all-v2.0-3.03-firmwares.html


==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ====
==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ====


On 2007-06-23, Noobz, with the help of Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, when Archaemic was trying to feed random data to the game.
==== Gripshift by Matiaz: PSP <= 5.02?-5.03?. Patched 5.05 ====
 
https://web.archive.org/web/20080115210003/http://www.noobz.eu/joomla/news/beware-of-the-illuminati.html
 
==== Gripshift by MaTiaZ: PSP <= 5.02?-5.03?. Patched 5.05 ====
 
* released by MaTiaZ on 2009-01-01.
 
There is a buffer overflow vulnerability in the player’s name, by editing the game’s save data.
 
https://web.archive.org/web/20090121190410/https://lan.st/showthread.php?t=1867
 
==== Medal Of Honor Heroes by kgsws: PSP <=?5.51? ====
 
* first version (requires connection between 2 PSPs) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-06
* second version (does not require online) of the exploit for Medal of Honor Heroes (ULUS-10141) released by kgsws on 2009-07-09
* Medal Of Honor Heroes 2 is maybe affected too.
 
https://www.youtube.com/watch?v=VqTjvtfCnXc
 
https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/
 
https://www.brewology.com/downloads/download.php?id=9900
 
https://www.dcemu.co.uk/vbulletin/threads/223571-New-Exploit-MOHH-(Medal-of-Honor-Heroes)-THIS-VERSION-DOESN-T-WORK
 
https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit
 
https://forums.exophase.com/threads/new-psp-homebrew-medal-of-honor-heroes-exploit-v2.17461/


==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ====
==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ====


https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/2010/03/29/way-to-keep-a-secret-malloxis/


==== Everybody's Golf and variants: PSP <=?6.31? ====
==== Everybody's Golf and variants: PSP <=?6.31? ====
Line 167: Line 79:


Hot Shots Golf, Hot Shots Golf 2, Hot Shots Golf - Non-Greatest Hits
Hot Shots Golf, Hot Shots Golf 2, Hot Shots Golf - Non-Greatest Hits
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews.


https://wololo.net/talk/viewtopic.php?f=3&t=51
https://wololo.net/talk/viewtopic.php?f=3&t=51
Line 192: Line 102:
* [https://github.com/ChampionLeake/SudokuSTACK implementation by ChampionLeake (2019-04-22)]
* [https://github.com/ChampionLeake/SudokuSTACK implementation by ChampionLeake (2019-04-22)]
* The PS2 version of this game is also vulnerable.
* The PS2 version of this game is also vulnerable.
==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP <=? ====
2009-07-10
https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/
https://www.brewology.com/downloads/download.php?id=9900
https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit


=== During PS Vita era ===
=== During PS Vita era ===
Line 294: Line 214:


==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====
==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====
==== Pursuit Force and Pursuit Force - Extreme Justice: <= ?2.61?. Patched 3.00 ====
According to the PS Vita blacklist, Pursuit Force games savedata vulnerabilities are exploitable on some PS Vita System Software versions < 3.00.


==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====
==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====
Line 345: Line 261:
==== MyStylist: <= 3.15 ====
==== MyStylist: <= 3.15 ====


==== Skate Park City by freakler: <= 3.15. Patched 3.18 ====
==== Skate Park City: <= 3.15. Patched 3.18 ====
 
Exploited by freakler in 2014, then patched since PS Vita System Software version 3.18.


==== Space Invaders Extreme: <= 3.18 ====
==== Space Invaders Extreme: <= 3.18 ====
Line 359: Line 273:
==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====
==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====


Discovered in 2010 by anonymous and around 2014-09-12 by qwikrazor87.
Discovered around 2014-09-12 by qwikrazor87.
 
It is fairly easy to get this exploit to work as it is a buffer overflow in the player's name.
 
The savedata in Gladiator Begins Demo only work on the PSP that created them.


https://wololo.net/talk/viewtopic.php?t=39771
https://wololo.net/talk/viewtopic.php?t=39771
Line 410: Line 320:


==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====
==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====
There is a classical buffer overflow exploit in the player's name. This exploit was found in parallel be several people in 2010. This game is really easy to exploit (see the [https://wololo.net/2010/02/27/writing-a-binary-loader/ tutorial]).
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews.


==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====
==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====
Line 419: Line 325:
https://code.google.com/archive/p/valentine-hbl/source/default/source
https://code.google.com/archive/p/valentine-hbl/source/default/source


==== God of War - Ghost of Sparta by sockse and qwikrazor87: <= ?3.52? ====
==== Puzzle Scape: <= 3.52 ====
 
Exploited by sockse and qwikrazor87 in 2014.
 
==== Fight Night Round 3 by sockse and qwikrazor87: <= ?3.52? ====
 
Exploited by sockse and qwikrazor87 in 2014.
 
==== Hero of Sparta (PSP Minis) by sockse and qwikrazor87: <= ?3.52? ====
 
Exploited by sockse and qwikrazor87 in 2014, then patched.
 
==== Echoes (PSP Minis) by sockse: <= ?3.52? ====
 
Exploited by sockse in 2014, then patched.
 
==== Puzzle Scape by sockse and qwikrazor87: <= 3.52 ====
 
Exploited by sockse in 2014, then patched, then exploited in a different way by qwikrazor87 again in 2014.


==== World of Pool, Pool Hall Pro: <= 3.52 ====
==== World of Pool, Pool Hall Pro: <= 3.52 ====
Line 444: Line 332:


https://github.com/173210/psp_exploits/
https://github.com/173210/psp_exploits/
==== Field Commander by sockse: <= ? ====
Discovered in 2014 by sockse.


==== Mega Man Powered Up or Rockman Rockman: <= ? ====
==== Mega Man Powered Up or Rockman Rockman: <= ? ====
Line 458: Line 342:
=== After PS Vita era ===
=== After PS Vita era ===


==== Scrabble by sockse and ChampionLeake: probably not patched, 2018-05-17 ====
==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====
 
Discovered by sockse (see [https://web.archive.org/web/20230429162635/https://wololo.net/talk/viewtopic.php?t=39756 writeup by sockse (2014-09-16)]) then patched on PSP but exploited in a different way later by ChampionLeake.


https://github.com/ChampionLeake/scrabblehax
https://github.com/ChampionLeake/scrabblehax
Line 569: Line 451:


== Unclassified usermode vulnerabilities ==
== Unclassified usermode vulnerabilities ==
=== Puzzle Bobble ===
The Japanese version of Puzzle Bobble was compiled in debug mode, allowing hackers to retrieve some interesting information, such as function names, that were later on used in the scene’s PSP SDK. In 2005, this was one of the first steps to getting homebrews on the PSP.
https://forums.ps2dev.org/viewtopic.php?t=2081


=== PsOneLoader by TheFloW ===
=== PsOneLoader by TheFloW ===
Line 752: Line 628:
https://pastebin.com/Sdz0XPRg
https://pastebin.com/Sdz0XPRg


== _sceUsbGpsGetData kernel write kexploit by sockse, qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
== _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==


Discovered around 2014-01-29 by sockse, qwikrazor87 and Acid_snake. See [https://web.archive.org/web/20230429162635/https://wololo.net/talk/viewtopic.php?t=39756 writeup by sockse (2014-09-16)].
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.


Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.
Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.
Line 1,175: Line 1,051:


https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP
https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP
<references />
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)