Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 29: Line 29:
* Bandai Namco Entertainment used a previously unknown feature of PS2 memory cards (per sector encryption on flash raw sectors) to protect the quest data memory card on the System 246 version of Soul Calibur 2 Arcade game. One cannot move the save data from one memory card to another because the game uses the per card crypto seed.
* Bandai Namco Entertainment used a previously unknown feature of PS2 memory cards (per sector encryption on flash raw sectors) to protect the quest data memory card on the System 246 version of Soul Calibur 2 Arcade game. One cannot move the save data from one memory card to another because the game uses the per card crypto seed.


See also [https://github.com/bucanero/save-decrypters/] and [https://community.wemod.com/t/philymasters-security-archive/3923]
See also [https://bucanero.github.io/save-decrypters/] and [https://community.wemod.com/t/philymasters-security-archive/3923]


Some games store digests in the savedata to ensure integrity.
Some games store digests in the savedata to ensure integrity.
==== Invizimals ====
Invizimals has a checksum.
https://bucanero.github.io/save-decrypters/invizimals-checksum-fixer


==== Tekken 6 ====
==== Tekken 6 ====


The first 0x20 bytes of MAINDATA.SAV, GHOST.SAV and REPLAY.SAV of PS3 Tekken 6 are not encrypted and are a sort of header. They contain filesize and maybe digest. The remaining data in the files are encrypted with an unknown algorithm (maybe AES128 with a per-console key based on eid0).
The first 0x20 bytes of MAINDATA.SAV, GHOST.SAV and REPLAY.SAV of PS3 Tekken 6 are not encrypted and are a sort of header. They contain filesize and maybe digest. The remaining data in the files are encrypted with an unknown algorithm (maybe AES128). MAINDATA.SAV of PSP Tekken 6 is fully encrypted without any header.
 
MAINDATA.SAV of PSP Tekken 6 is fully encrypted without any header. The game calls [[Kirk]] command 5 to encrypt/decrypt savedata with a key derived from per-console [[Fuse ID]]. This file can be decrypted on PC with the command <code>psp-save -d KEY.BIN 5 MAINDATA.SAV MAINDATA_DEC.SAV</code> where KEY.BIN is the per-console key. This per-console key can be dumped using Apollo Save Tool (PSP) or derived from the console's [[Fuse ID]].


==== Gladiator Begins Demo ====
==== Gladiator Begins Demo ====
Line 45: Line 49:
==== Invizimals ====
==== Invizimals ====


Invizimals PSP game stores a checksum in its savedata. It also maybe encrypts it (to check).
==== Socom ====
 
https://github.com/bucanero/save-decrypters/tree/master/invizimals-checksum-fixer
 
==== SOCOM U.S. Navy SEALs games ====
 
Custom savedata encryption may concern the following PSP games:
* SOCOM U.S. Navy SEALs: Fireteam Bravo
* SOCOM U.S. Navy SEALs: Fireteam Bravo 2
* SOCOM U.S. Navy SEALs: Fireteam Bravo 3
* SOCOM U.S. Navy SEALs: Tactical Strike


==== Patapon 3 ====
==== Patapon 3 ====


https://github.com/bucanero/save-decrypters/tree/master/patapon3-decrypter
https://bucanero.github.io/save-decrypters/patapon3-decrypter


==== Monster Hunter games ====
==== Monster Hunter games ====
Line 71: Line 65:
* Quests - MH Portable 3rd (ULJM05800)
* Quests - MH Portable 3rd (ULJM05800)


https://github.com/bucanero/save-decrypters/tree/master/monsterhunter-decrypter
https://bucanero.github.io/save-decrypters/monsterhunter-decrypter


=== Blacklisted games ===
=== Blacklisted games ===
Line 345: Line 339:
==== MyStylist: <= 3.15 ====
==== MyStylist: <= 3.15 ====


==== Skate Park City by freakler: <= 3.15. Patched 3.18 ====
==== Skate Park City: <= 3.15. Patched 3.18 ====
 
Exploited by freakler in 2014, then patched since PS Vita System Software version 3.18.


==== Space Invaders Extreme: <= 3.18 ====
==== Space Invaders Extreme: <= 3.18 ====
Line 419: Line 411:
https://code.google.com/archive/p/valentine-hbl/source/default/source
https://code.google.com/archive/p/valentine-hbl/source/default/source


==== God of War - Ghost of Sparta by sockse and qwikrazor87: <= ?3.52? ====
==== Puzzle Scape: <= 3.52 ====
 
Exploited by sockse and qwikrazor87 in 2014.
 
==== Fight Night Round 3 by sockse and qwikrazor87: <= ?3.52? ====
 
Exploited by sockse and qwikrazor87 in 2014.
 
==== Hero of Sparta (PSP Minis) by sockse and qwikrazor87: <= ?3.52? ====
 
Exploited by sockse and qwikrazor87 in 2014, then patched.
 
==== Echoes (PSP Minis) by sockse: <= ?3.52? ====
 
Exploited by sockse in 2014, then patched.
 
==== Puzzle Scape by sockse and qwikrazor87: <= 3.52 ====
 
Exploited by sockse in 2014, then patched, then exploited in a different way by qwikrazor87 again in 2014.


==== World of Pool, Pool Hall Pro: <= 3.52 ====
==== World of Pool, Pool Hall Pro: <= 3.52 ====
Line 444: Line 418:


https://github.com/173210/psp_exploits/
https://github.com/173210/psp_exploits/
==== Field Commander by sockse: <= ? ====
Discovered in 2014 by sockse.


==== Mega Man Powered Up or Rockman Rockman: <= ? ====
==== Mega Man Powered Up or Rockman Rockman: <= ? ====
Line 458: Line 428:
=== After PS Vita era ===
=== After PS Vita era ===


==== Scrabble by sockse and ChampionLeake: probably not patched, 2018-05-17 ====
==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====
 
Discovered by sockse (see [https://web.archive.org/web/20230429162635/https://wololo.net/talk/viewtopic.php?t=39756 writeup by sockse (2014-09-16)]) then patched on PSP but exploited in a different way later by ChampionLeake.


https://github.com/ChampionLeake/scrabblehax
https://github.com/ChampionLeake/scrabblehax
Line 752: Line 720:
https://pastebin.com/Sdz0XPRg
https://pastebin.com/Sdz0XPRg


== _sceUsbGpsGetData kernel write kexploit by sockse, qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==
== _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==


Discovered around 2014-01-29 by sockse, qwikrazor87 and Acid_snake. See [https://web.archive.org/web/20230429162635/https://wololo.net/talk/viewtopic.php?t=39756 writeup by sockse (2014-09-16)].
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.


Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.
Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.
Line 1,175: Line 1,143:


https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP
https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP
<references />
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)