http://www.psdevwiki.com/psp/api.php?action=feedcontributions&user=CelesteBlue&feedformat=atom PSP Developer wiki - User contributions [en] 2024-03-29T09:16:05Z User contributions MediaWiki 1.39.6 http://www.psdevwiki.com/psp/index.php?title=Tachyon&diff=12431 Tachyon 2024-01-21T03:13:10Z <p>CelesteBlue: </p> <hr /> <div>[[File:PSP CXD2962GG.jpg|thumb|PSP CXD2962GG]]<br /> <br /> &lt;b&gt;Tachyon&lt;/b&gt; is the codename of the PSP main CPU SoC IC. It is a Sony custom-made LSI which holds the main CPU (Allegrex), the VFPU coprocessor, the Media Engine CPU and its embedded DRAM, the Graphics Engine, the AVC decoder, the Virtual Mobile Engine DSP, the [[Kirk]] and [[Spock]] crypto engines, and the 4KB embedded mask ROM which holds the [[PRE-IPL|iplloader]] and routines to boot into service mode.<br /> <br /> Tachyon has one primary CPU core which is responsible for running the [[XMB]] and games, and a second CPU core (&lt;i&gt;[[Media Engine]]&lt;/i&gt;) which implements the audio and video decoding functionality of the PSP.<br /> <br /> == Main Core &quot;SC&quot; ==<br /> <br /> See [[Allegrex]].<br /> <br /> == Media Engine ==<br /> <br /> See [[Media Engine]].<br /> <br /> == Graphics Engine ==<br /> <br /> : &lt;i&gt;See main article: &lt;b&gt;[[Graphics]]&lt;/b&gt;&lt;/i&gt;<br /> <br /> == Virtual Mobile Engine ==<br /> <br /> The VME appears to be one half of Sony's &quot;Virtual Mobile Engine Concept 2&quot; where a CPU would take care of &quot;lightweight control tasks&quot; and reconfigurable hardware logic (the VME) would do all of the &quot;heavy work in a power efficient manner&quot;. 
See [https://www.yumpu.com/en/document/read/10961029/virtual-mobile-enginetm-vme-sony Virtual Mobile Engine - LSI that &quot;Changes its Spots&quot;].<br /> <br /> It might be something like a reconfigurable DSP; no one has been able to interpret its &quot;firmware&quot; yet.<br /> <br /> It can be accessed from the ME through the mfvme/mtvme instructions or through DMA with addresses from 0x440F8000 to 0x44100000 (exclusive).<br /> <br /> == Memory mapping ==<br /> <br /> This memory mapping is shared by the SC, the GE &amp; the ME, except the VRAM, which is accessible only by the SC and the GE.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Start !! End !! Size !! Description<br /> |-<br /> | 0x00010000 || 0x00013FFF || 0x00004000 (&lt;i&gt;16KiB&lt;/i&gt;) || Allegrex Scratchpad<br /> |-<br /> | 0x04000000 || 0x041FFFFF || 0x00200000 (&lt;i&gt;2MiB&lt;/i&gt;) || Graphics Engine VRAM<br /> |-<br /> | 0x08000000 || 0x087FFFFF || 0x00800000 (&lt;i&gt;8MiB&lt;/i&gt;) || Allegrex Kernel memory (RAM)<br /> |-<br /> | 0x08800000 || 0x097FFFFF || 0x01800000 (&lt;i&gt;24MiB&lt;/i&gt;) || Allegrex User memory (RAM)<br /> |-<br /> | 0x1C000000 || ? || ? || Hardware registers<br /> |-<br /> | 0x1FC00000 || 0x1FDFFFFF || 0x00200000 (&lt;i&gt;2MiB&lt;/i&gt;) || MIPS Reset Vector<br /> |-<br /> | 0x1FE00000 || ? || ? || Hardware registers<br /> |-<br /> |}<br /> <br /> See [[Hardware Registers]] for details about the hardware registers.<br /> <br /> Access can be made cached or uncached, and privileged or not, by changing the top 4 bits (&lt;i&gt;bits 31-28&lt;/i&gt;) of the address according to this virtual memory mapping:<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Name !! Is it cached? !! 
Permission !! Description<br /> |-<br /> | 0x&lt;b&gt;0&lt;/b&gt;0000000 || KU0 || Cached || User/Supervisor/Kernel || Main memory<br /> |-<br /> | 0x&lt;b&gt;4&lt;/b&gt;0000000 || KU1 || Uncached || User/Supervisor/Kernel || Often used for VRAM<br /> |-<br /> | 0x&lt;b&gt;8&lt;/b&gt;0000000 || K0 || Cached || Kernel || Main kernel memory<br /> |-<br /> | 0x&lt;b&gt;A&lt;/b&gt;0000000 || K1 || Uncached || Kernel || Mainly used for hardware registers<br /> |-<br /> | 0x&lt;b&gt;C&lt;/b&gt;0000000 || K2/KS || Cached || Supervisor/Kernel || Usage unknown/unconfirmed<br /> |-<br /> | 0x&lt;b&gt;E&lt;/b&gt;0000000 || K3 || Cached || Kernel || Usage unknown/unconfirmed<br /> |-<br /> |}<br /> <br /> == PSP-1000 VFPU bug ==<br /> <br /> The PSP-1000 CPU has a broken &lt;code&gt;ulv.q&lt;/code&gt; instruction that causes FPU register corruption.<br /> <br /> More details are available [https://sites.google.com/a/davidgf.es/davidgf-net/home/psp-dev/vfpu-test?tmpl=%2Fsystem%2Fapp%2Ftemplates%2Fprint%2F here].<br /> <br /> == Versions ==<br /> <br /> === PSP-1000 ===<br /> <br /> *CPU and DDR are discrete ICs on the motherboard<br /> *32 MiB main memory (DDR)<br /> *2 MiB Media Engine memory (eDRAM)<br /> <br /> === PSP-2000 and later ===<br /> <br /> *DDR is brought into the CPU's package<br /> *64 MiB main memory (DDR)<br /> *4 MiB Media Engine memory (eDRAM)<br /> <br /> == See also ==<br /> <br /> * https://www.zdnet.com/article/sony-reveals-some-specs-for-psp-handheld/ (2004)<br /> <br /> * https://www.extremetech.com/extreme/56942-sony-details-psp-chip-specs<br /> <br /> * https://www.copetti.org/writings/consoles/playstation-portable/</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Tachyon&diff=12430 Tachyon 2024-01-21T03:11:19Z <p>CelesteBlue: </p> <hr /> <div>[[File:PSP CXD2962GG.jpg|thumb|PSP CXD2962GG]]<br /> <br /> &lt;b&gt;Tachyon&lt;/b&gt; is the codename of the PSP main CPU SoC IC. 
It is a Sony custom-made LSI which holds the main CPU (Allegrex), the VFPU coprocessor, the Media Engine CPU and its embedded DRAM, the Graphics Engine, the AVC decoder, the Virtual Mobile Engine DSP, the [[Kirk]] and [[Spock]] crypto engines, and the 4KB embedded mask ROM which holds the [[PRE-IPL|iplloader]] and routines to boot into service mode.<br /> <br /> Tachyon has one primary CPU core which is responsible for running the [[XMB]] and games, and a second CPU core (&lt;i&gt;[[#Media_Engine|Media Engine]]&lt;/i&gt;) which implements the audio and video decoding functionality of the PSP.<br /> <br /> == Main Core &quot;SC&quot; ==<br /> <br /> See [[Allegrex]].<br /> <br /> == Media Engine ==<br /> <br /> See [[Media Engine]].<br /> <br /> == Graphics Engine ==<br /> <br /> : &lt;i&gt;See main article: &lt;b&gt;[[Graphics]]&lt;/b&gt;&lt;/i&gt;<br /> <br /> == Virtual Mobile Engine ==<br /> <br /> The VME appears to be one half of Sony's &quot;Virtual Mobile Engine Concept 2&quot; where a CPU would take care of &quot;lightweight control tasks&quot; and reconfigurable hardware logic (the VME) would do all of the &quot;heavy work in a power efficient manner&quot;. See [https://www.yumpu.com/en/document/read/10961029/virtual-mobile-enginetm-vme-sony Virtual Mobile Engine - LSI that &quot;Changes its Spots&quot;].<br /> <br /> It might be something like a reconfigurable DSP; no one has been able to interpret its &quot;firmware&quot; yet.<br /> <br /> It can be accessed from the ME through the mfvme/mtvme instructions or through DMA with addresses from 0x440F8000 to 0x44100000 (exclusive).<br /> <br /> == Memory mapping ==<br /> <br /> This memory mapping is shared by the SC, the GE &amp; the ME, except the VRAM, which is accessible only by the SC and the GE.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Start !! End !! Size !! 
Description<br /> |-<br /> | 0x00010000 || 0x00013FFF || 0x00004000 (&lt;i&gt;16KiB&lt;/i&gt;) || Allegrex Scratchpad<br /> |-<br /> | 0x04000000 || 0x041FFFFF || 0x00200000 (&lt;i&gt;2MiB&lt;/i&gt;) || Graphics Engine VRAM<br /> |-<br /> | 0x08000000 || 0x087FFFFF || 0x00800000 (&lt;i&gt;8MiB&lt;/i&gt;) || Allegrex Kernel memory (RAM)<br /> |-<br /> | 0x08800000 || 0x097FFFFF || 0x01800000 (&lt;i&gt;24MiB&lt;/i&gt;) || Allegrex User memory (RAM)<br /> |-<br /> | 0x1C000000 || ? || ? || Hardware registers<br /> |-<br /> | 0x1FC00000 || 0x1FDFFFFF || 0x00200000 (&lt;i&gt;2MiB&lt;/i&gt;) || MIPS Reset Vector<br /> |-<br /> | 0x1FE00000 || ? || ? || Hardware registers<br /> |-<br /> |}<br /> <br /> See [[Hardware Registers]] for details about the hardware registers.<br /> <br /> Access can be made cached or uncached, and privileged or not, by changing the top 4 bits (&lt;i&gt;bits 31-28&lt;/i&gt;) of the address according to this virtual memory mapping:<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Name !! Is it cached? !! 
Permission !! Description<br /> |-<br /> | 0x&lt;b&gt;0&lt;/b&gt;0000000 || KU0 || Cached || User/Supervisor/Kernel || Main memory<br /> |-<br /> | 0x&lt;b&gt;4&lt;/b&gt;0000000 || KU1 || Uncached || User/Supervisor/Kernel || Often used for VRAM<br /> |-<br /> | 0x&lt;b&gt;8&lt;/b&gt;0000000 || K0 || Cached || Kernel || Main kernel memory<br /> |-<br /> | 0x&lt;b&gt;A&lt;/b&gt;0000000 || K1 || Uncached || Kernel || Mainly used for hardware registers<br /> |-<br /> | 0x&lt;b&gt;C&lt;/b&gt;0000000 || K2/KS || Cached || Supervisor/Kernel || Usage unknown/unconfirmed<br /> |-<br /> | 0x&lt;b&gt;E&lt;/b&gt;0000000 || K3 || Cached || Kernel || Usage unknown/unconfirmed<br /> |-<br /> |}<br /> <br /> == PSP-1000 VFPU bug ==<br /> <br /> The PSP-1000 CPU has a broken &lt;code&gt;ulv.q&lt;/code&gt; instruction that causes FPU register corruption.<br /> <br /> More details are available [https://sites.google.com/a/davidgf.es/davidgf-net/home/psp-dev/vfpu-test?tmpl=%2Fsystem%2Fapp%2Ftemplates%2Fprint%2F here].<br /> <br /> == Versions ==<br /> <br /> === PSP-1000 ===<br /> <br /> *CPU and DDR are discrete ICs on the motherboard<br /> *32 MiB main memory (DDR)<br /> *2 MiB Media Engine memory (eDRAM)<br /> <br /> === PSP-2000 and later ===<br /> <br /> *DDR is brought into the CPU's package<br /> *64 MiB main memory (DDR)<br /> *4 MiB Media Engine memory (eDRAM)<br /> <br /> == See also ==<br /> <br /> * https://www.zdnet.com/article/sony-reveals-some-specs-for-psp-handheld/ (2004)<br /> <br /> * https://www.extremetech.com/extreme/56942-sony-details-psp-chip-specs<br /> <br /> * https://www.copetti.org/writings/consoles/playstation-portable/</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Media_Engine&diff=12429 Media Engine 2024-01-21T03:11:16Z <p>CelesteBlue: Created page with &quot;&lt;b&gt;The Media Engine&lt;/b&gt; (&lt;i&gt;or ME for short&lt;/i&gt;) is a second MIPS-based CPU core that was not directly accessible by licensed developers. 
Instead, Sony runs code on the ME to facilitate decoding audio and video assets, along with the help of more specialized hardware like the Virtual Mobile Engine and &quot;AVC&quot;. The ME runs at the same clock frequency as the main CPU core. It seems to have the same instruction set. The ME has two co-processors: * &lt;b&gt;COP0&lt;/b&gt;: general sy...&quot;</p> <hr /> <div>&lt;b&gt;The Media Engine&lt;/b&gt; (&lt;i&gt;or ME for short&lt;/i&gt;) is a second MIPS-based CPU core that was not directly accessible by licensed developers. Instead, Sony runs code on the ME to facilitate decoding audio and video assets, with the help of more specialized hardware like the Virtual Mobile Engine and &quot;AVC&quot;.<br /> <br /> The ME runs at the same clock frequency as the main CPU core. It seems to have the same instruction set.<br /> <br /> The ME has two co-processors:<br /> * &lt;b&gt;COP0&lt;/b&gt;: general system control<br /> * &lt;b&gt;[[COP1]]&lt;/b&gt;: 32-bit Floating Point Unit<br /> <br /> It has three instructions the main CPU doesn't have (or doesn't use):<br /> * &lt;code&gt;DBREAK&lt;/code&gt; (&lt;i&gt;also present on other MIPS processors&lt;/i&gt;): used only once in the ME firmware<br /> * &lt;code&gt;MTVME&lt;/code&gt;<br /> * &lt;code&gt;MFVME&lt;/code&gt;<br /> <br /> The last two instructions actually reuse the opcodes of LDL and SDL, which this CPU doesn't have.<br /> The instructions are encoded like this:<br /> &lt;pre&gt;<br /> ldl $reg, off($a3) &lt;=&gt; mfvme $reg, $off<br /> sdl $reg, off($a3) &lt;=&gt; mtvme $reg, $off<br /> &lt;/pre&gt;<br /> They are probably used to store information to and retrieve it from the VME. 
They seem to be used only for video decoding.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Allegrex&diff=12428 Allegrex 2024-01-21T03:10:05Z <p>CelesteBlue: </p> <hr /> <div>The PSP's CPU, named &lt;b&gt;Allegrex&lt;/b&gt;, is a dual-core 32-bit little-endian MIPS processor based on the R4000 design, with a few custom instructions.<br /> <br /> Both CPU cores have their own 16 KiB Instruction and 16 KiB Data caches. The main CPU has 16 KiB of internal scratchpad RAM, which is accessed directly without going through the system bus.<br /> <br /> The main CPU has three coprocessors:<br /> * &lt;b&gt;COP0&lt;/b&gt;: general system control<br /> * &lt;b&gt;[[COP1]]&lt;/b&gt;: 32-bit Floating Point Unit<br /> * &lt;b&gt;[[COP2]]&lt;/b&gt;: Vector Floating Point Unit (up to 3.2 GFLOPS)<br /> <br /> It has some instructions from &lt;b&gt;MIPS IV:&lt;/b&gt; &lt;code&gt;ext, ins, wsbw, seb, seh, rotr, rot(r)v, bitrev, clz, clo&lt;/code&gt;.<br /> <br /> It does not seem to have:<br /> * 64-bit instructions (of course)<br /> * &lt;code&gt;ll, ldc1, ldc2, lwc2, sc, sdc1, sdc2, swc2&lt;/code&gt; (&lt;i&gt;some of them are actually replaced by VFPU instructions with different names&lt;/i&gt;)<br /> * T* (&lt;i&gt;trap and TLB&lt;/i&gt;) instructions<br /> * &lt;code&gt;bltzal, bgezal, bltzall, bgezall&lt;/code&gt;<br /> <br /> It also has its own instructions:<br /> * &lt;code&gt;halt&lt;/code&gt; (&lt;i&gt;opcode 0x70000000&lt;/i&gt;): this instruction halts the CPU until an interrupt wakes it up.<br /> * &lt;code&gt;mfic&lt;/code&gt; (&lt;i&gt;opcode 0x70000024 with mask 0xFFFF07FF&lt;/i&gt;): retrieves the interrupt controller state (&lt;i&gt;1: interrupts enabled, 0: interrupts disabled&lt;/i&gt;) into the register described by mask 0x0000F800.<br /> * &lt;code&gt;mtic&lt;/code&gt; (&lt;i&gt;opcode 0x70000026 with mask 0xFFFF07FF&lt;/i&gt;): sets the interrupt controller state to the value held in the register described by mask 0x0000F800.<br 
/> <br /> The CPU defaults to 222 MHz, but can be configured to run from 1 to 333 MHz.<br /> <br /> The CPU cores are connected to main memory and other peripherals like the Graphics Engine through a system bus that is limited to half of the CPU's configured clock speed.<br /> <br /> Since the PSP doesn't have an MMU, the COP0 registers related to TLBs are unused. The PSP also uses the obscure instructions &lt;code&gt;cfc0&lt;/code&gt;/&lt;code&gt;ctc0&lt;/code&gt; to access &quot;control registers&quot; which are used by the PSP firmware to store various low-level data.<br /> <br /> === Calling convention ===<br /> <br /> The PSP calling convention seems a bit non-standard:<br /> * &lt;b&gt;Arguments are passed&lt;/b&gt; through the following registers: &lt;code&gt;$a0, $a1, $a2, $a3, $t0, $t1, $t2, $t3&lt;/code&gt;, then on the stack<br /> * Registers &lt;code&gt;$s0, $s1, $s2, $s3, $s4, $s5, $s6, $s7, $fp&lt;/code&gt; (&lt;i&gt;used as normal registers&lt;/i&gt;), &lt;code&gt;$ra&lt;/code&gt; (&lt;i&gt;return address&lt;/i&gt;), &lt;code&gt;$sp&lt;/code&gt; (&lt;i&gt;stack pointer&lt;/i&gt;) &lt;b&gt;are saved&lt;/b&gt; (&lt;i&gt;and restored&lt;/i&gt;) by the callee<br /> * Registers &lt;code&gt;$t4, $t5, $t6, $t7, $t8, $t9&lt;/code&gt; are temporary registers, &lt;b&gt;not saved&lt;/b&gt; by the callee<br /> * Registers &lt;code&gt;$v0, $v1&lt;/code&gt; contain the &lt;b&gt;return value&lt;/b&gt; of a function: &lt;code&gt;$v0&lt;/code&gt; for the lower 32 bits and &lt;code&gt;$v1&lt;/code&gt; for the higher 32 bits (if applicable)<br /> <br /> Some registers are used only by the kernel:<br /> * &lt;code&gt;$gp&lt;/code&gt; and &lt;code&gt;$k0&lt;/code&gt; are used in only a few specific places in the kernel<br /> * &lt;code&gt;$k1&lt;/code&gt; &lt;b&gt;is used to check permissions&lt;/b&gt;: each time a user function is called, it shifts &lt;code&gt;$k1&lt;/code&gt; left by 11 bits. 
The function is in user mode if the &lt;code&gt;$k1&lt;/code&gt; value then has its highest bit set. It then checks whether a pointer has its highest bit set, and/or whether the buffer end has its highest bit set, and/or whether the size has its highest bit set. If one of those bits is set and the caller is in user mode, the function returns an error (when it checks the pointer/buffer at all, which is not always the case).<br /> * &lt;code&gt;$at&lt;/code&gt; (&lt;i&gt;assembly temporary&lt;/i&gt;) &lt;b&gt;is used as a temporary register&lt;/b&gt;, sometimes for hardware manipulation (to hold the hardware register address when reading from or writing to it).</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=CPU&diff=12427 CPU 2024-01-21T03:06:56Z <p>CelesteBlue: Changed redirect target from Tachyon to Allegrex</p> <hr /> <div>#REDIRECT [[Allegrex]]</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Allegrex&diff=12426 Allegrex 2024-01-21T03:06:40Z <p>CelesteBlue: Created page with &quot;Allegrex is the main CPU of the PSP.&quot;</p> <hr /> <div>Allegrex is the main CPU of the PSP.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Codenames&diff=12425 Codenames 2024-01-21T03:05:49Z <p>CelesteBlue: </p> <hr /> <div>PSP component codenames are mostly based on Star Trek, whilst PSP model revisions are based on The Lord of the Rings.<br /> <br /> = Star Trek =<br /> <br /> * [[Tachyon]]: SoC<br /> * [[Allegrex]]: main CPU<br /> * [[Baryon]]: system controller (Syscon)<br /> * [[Pommel]]: Power Control IC. A DC-DC converter controlled by Baryon.<br /> * [[Lepton]]: Mechacon UMD Controller IC. A Sony custom-made LSI which holds the optical media DSP and CPU, the ATAPI interface, 480KB DRAM read buffer, and (at least) 384KB Flash ROM for firmware.<br /> * [[Spock]]: hardware crypto engine responsible for the raw sector level decryption of UMDs. 
Named after Captain Spock of Star Trek.<br /> * [[Kirk]]: crypto processor<br /> * [[Gluon]]: likely the UMD laser Radio Frequency amplifier<br /> * [[Magpie]]: PSP Fat Wireless communication module<br /> * [[Voyager]]: PSP Slim Wireless communication module. Named after the Starfleet vessel of Star Trek.<br /> * [[Hibari]]: PSP Slim LCD Controller IC. Means &quot;Skylark&quot; in Japanese.<br /> <br /> = The Lord of the Rings =<br /> <br /> * Legolas: PSP First Series with TA-082, TA-086 motherboard<br /> * Frodo: PSP Slim &amp; Lite with TA-085, TA-088, TA-090 motherboard<br /> * Samwise: PSP Brite with TA-090, TA-092, TA-093, TA-095 motherboard<br /> * Strider: PSP Go with TA-091, TA-094 motherboard<br /> * Bilbo: PSP Street with TA-096, TA-097 motherboard<br /> <br /> = Other =<br /> <br /> * First: PSP First Series with TA-079, TA-081 motherboard<br /> * ME: Media Engine<br /> * XMB: Cross Media Bar<br /> <br /> To merge from: [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/psp-glossary/index.html Silverspring's glossary]</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12424 Kirk 2024-01-18T23:38:27Z <p>CelesteBlue: /* Per-console keys */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory-mapped registers at base address 0xBDE00000 (the [[SPOCK Crypto Engine]], on the other hand, is mapped at 0xBDF00000). 
It is capable of performing AES encryption and decryption, SHA-1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and for requiring only small keys, compared to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/0xA ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 0xA.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands allow operations with any public key. 
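The following is an added example, not part of the wiki page and not Sony's or any PSP project's code: plain-Python affine arithmetic on the two Kirk curves, used to sanity-check the parameters and the hardcoded keys listed on this page without any third-party library. The numeric values are taken from the page's ecpy sample, with its `field` key used as p and its `order` key as n; the `parameters_consistent` check confirms that assignment by computing n*G. `public_key_valid` performs the public-key validation a verifier should do before trusting a point (on the curve, and in the prime-order subgroup), and `private_key_matches` checks that the private key listed on the page for Kirk command 1 really corresponds to the hardcoded public key. The class and function names are the example's own.

```python
# Added example (not from the wiki): affine short-Weierstrass arithmetic over
# GF(p) for the Kirk curves, standard library only.  Parameter values come from
# the page's ecpy sample ('field' used as p, 'order' used as n).

INF = None  # the point at infinity


class Curve:
    """y^2 = x^3 + a*x + b over GF(p), with a = -3 as stated on the page."""

    def __init__(self, name, p, n, b, gx, gy):
        self.name, self.p, self.n, self.b = name, p, n, b
        self.a = p - 3
        self.g = (gx, gy)

    def on_curve(self, pt):
        if pt is INF:
            return True
        x, y = pt
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, p1, p2):
        """Affine point addition; field inversion via Fermat since p is prime."""
        if p1 is INF:
            return p2
        if p2 is INF:
            return p1
        p = self.p
        x1, y1 = p1
        x2, y2 = p2
        if x1 == x2:
            if (y1 + y2) % p == 0:  # P + (-P) = O, which also covers y == 0
                return INF
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, p - 2, p) % p
        else:
            lam = (y2 - y1) * pow((x2 - x1) % p, p - 2, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, pt):
        """Double-and-add scalar multiplication k*pt for k >= 0."""
        result, addend = INF, pt
        while k:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result

    def parameters_consistent(self):
        """G must lie on the curve and n*G must be the point at infinity."""
        return self.on_curve(self.g) and self.mul(self.n, self.g) is INF


# Curve for Kirk commands 1/2/3/0xA (values of the page's psp_curve_cmd1 dict).
CMD1 = Curve("kirk_cmd1",
             p=0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,
             n=0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,
             b=0x65D1488C0359E234ADC95BD3908014BD91A525F9,
             gx=0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA,
             gy=0x604358456D0A1CB2908DE90F27D75C82BEC108C0)

# Curve for Kirk commands 0xC/0xD/0xE/0x10/0x11 (values of psp_curve_cmd17).
CMD17 = Curve("kirk_cmd17",
              p=0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,
              n=0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,
              b=0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,
              gx=0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
              gy=0x5958557EB1DB001260425524DBC379D5AC5F4ADF)

# Keys exactly as listed on the page.
KIRK1_PUB = (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9,
             0x049DF1A075C0E04FB344858B61B79B69A63D2C39)
KIRK1_PRIV = 0xF392E26490B80FD889F2D9722C1F34D7274F983D
PREIPL_PUB = (0xBC660611A70BD7F2D140A48215C096D11D2D4112,
              0xF0E9379AC4E0D387C542D091349DD15169DD5A87)


def public_key_valid(curve, pub):
    """Verifier-side check: the point is on the curve and in the order-n subgroup."""
    return pub is not INF and curve.on_curve(pub) and curve.mul(curve.n, pub) is INF


def private_key_matches(curve, priv, pub):
    """True when priv is in range and priv*G equals pub."""
    return 0 < priv < curve.n and curve.mul(priv, curve.g) == pub


if __name__ == "__main__":
    for c in (CMD1, CMD17):
        print(c.name, "parameters consistent:", c.parameters_consistent())
    print("Kirk cmd1 public key valid:", public_key_valid(CMD1, KIRK1_PUB))
    print("Pre-IPL public key valid:", public_key_valid(CMD17, PREIPL_PUB))
    print("cmd1 private key matches:", private_key_matches(CMD1, KIRK1_PRIV, KIRK1_PUB))
```

The subgroup check in `public_key_valid` is cheap here because both curves have cofactor 1, but it is the step most often skipped in hand-written ECDSA verifiers; a point that passes `on_curve` alone is not necessarily a valid public key.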
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key (ecpy's mul_point takes the scalar first, then the point)<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert(crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1)<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (for both coordinates), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = PSP Individual Keys =<br /> <br /> Kirk commands 2, 3, 5, 6, 8, 9, 0x10 and 0x12 use individual (per-console) seeds to generate individual keys. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30-byte buffer named unofficially &quot;individual key mesh&quot;. 
The PSP individual key mesh is used to generate various final individual keys depending on a seed parameter.<br /> <br /> == PSP Individual Key Mesh ==<br /> <br /> === Structure ===<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspIndividualKeyMesh { // size is 0x30<br /> SceUInt8 derivation_seed_0[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_seed_1[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_key[0x10]; // AES128 key used to derive final keys from seed_0 and seed_1<br /> } ScePspIndividualKeyMesh;<br /> &lt;/source&gt;<br /> <br /> === Algorithm ===<br /> <br /> To generate the individual key mesh of a specific PSP, provided its [[Fuse ID]], execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> void gen_psp_individual_key_mesh(ScePspIndividualKeyMesh *key_mesh) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuse_id[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuse_id[7] = g_fuse90 &amp;0xFF;<br /> fuse_id[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuse_id[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuse_id[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuse_id[3] = g_fuse94 &amp;0xFF;<br /> fuse_id[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuse_id[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuse_id[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuse_id[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br 
/> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times in total to obtain the three 16-byte blocks of the key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)key_mesh + i * 0x10, subkey_2, 0x10);<br /> }<br /> }<br /> <br /> typedef struct {<br /> unsigned char buf1[8]; // 0<br /> unsigned char buf2[8]; // 8<br /> unsigned char buf3[8]; // 0x10<br /> } SomeStructure;<br /> <br /> void gen_psp_individual_key_mesh_official_implementation(SomeStructure *ss, ScePspIndividualKeyMesh *key_mesh) {<br /> byte bVar1;<br /> byte *dst;<br /> int idx;<br /> int j;<br /> byte *src;<br /> byte subkey_2[16];<br /> byte subkey_1[16];<br /> uint ctx[64];<br /> uint ctx2[64];<br /> <br /> AES_set_encrypt_key_2(g_ids_master_key, 128, ctx); // set g_ids_master_key as AES encryption key<br /> AES_set_decrypt_key_2(g_ids_master_key, 128, ctx2); // set g_ids_master_key as AES decryption key<br /> <br /> idx = 0; // initialize the subkeys using the Fuse ID: byte (idx % 8) of ss, i.e. the Fuse ID bytes in buf1<br /> do {<br /> bVar1 = ((byte *)ss)[idx + ((int)(idx + ((uint)(idx &gt;&gt; 0x1f) &gt;&gt; 0x1d)) &gt;&gt; 3) * -8];<br /> src = subkey_2 + idx;<br /> dst = subkey_1 + idx;<br /> idx = idx + 1;<br /> *src = bVar1;<br /> *dst = bVar1;<br /> } while (idx &lt; 0x10);<br /> <br /> idx = 2; // encrypt first subkey three times, and decrypt second subkey three times<br /> do {<br /> AES_encrypt_2(subkey_1, subkey_1, ctx);<br /> idx = idx - 1;<br /> AES_decrypt_2(subkey_2, subkey_2, ctx2);<br /> } while (-1 &lt; idx);<br /> <br /> AES_set_encrypt_key_2(subkey_1, 128, ctx); // set subkey_1 as AES key<br /> <br /> idx = 0; // for each of the three output blocks: encrypt subkey_2 three more times, then copy it out<br /> do {<br /> j = 2;<br /> do {<br /> j = j - 1;<br /> AES_encrypt_2(subkey_2, subkey_2, ctx);<br /> } while (-1 &lt; j);<br /> dst = (byte *)key_mesh + idx * 0x10;<br /> j = 0;<br /> do {<br /> src = subkey_2 + j;<br /> j = j + 1;<br /> *dst = *src;<br /> dst = 
dst + 1;<br /> } while (j &lt; 0x10);<br /> idx = idx + 1;<br /> } while (idx &lt; 3);<br /> }<br /> &lt;/source&gt;<br /> <br /> == Final PSP Individual Keys ==<br /> <br /> === Algorithm ===<br /> <br /> In some Kirk commands, the individual key mesh is used along with a seed parameter to generate a final individual key using the following algorithm.<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed_param, ScePspIndividualKeyMesh *key_mesh) {<br /> rijndael_ctx aes_ctx;<br /> <br /> // Pick the starting seed according to the lowest bit of the seed parameter<br /> if (seed_param &amp; 1)<br /> memcpy(output, key_mesh-&gt;derivation_seed_1, 16);<br /> else<br /> memcpy(output, key_mesh-&gt;derivation_seed_0, 16);<br /> <br /> // Encrypt the result several times depending on the seed parameter<br /> rijndael_set_key(&amp;aes_ctx, key_mesh-&gt;derivation_key, 128);<br /> seed_param = (seed_param / 2) + 1;<br /> while ((seed_param--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> === Seed Parameter Per Command ===<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed parameter<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption and CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> == PSP Individual Key Mesh Certificate ==<br /> <br /> There exists a PSP Individual Key Mesh Certificate stored both in PSP flashData.prx and in PS Vita cmep keyrings 0x601 and 0x602 (in endian-swapped fashion). 
It contains the individual key mesh followed by the Fuse ID from which it was generated, and ends with a hash.<br /> <br /> === Structure ===<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualKeyMeshCert { // size is 0x40<br /> ScePspIndividualKeyMesh key_mesh;<br /> SceUInt8 fuse_id[8]; // endianness to be determined<br /> SceUInt8 reserved[4]; // could be arbitrary but in practice always zeroed<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualKeyMeshCert;<br /> &lt;/source&gt;<br /> <br /> === Algorithm ===<br /> <br /> To generate the ScePspIndividualKeyMeshCert of a specific PSP, provided its [[Fuse ID]], execute the following code.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_key_mesh_certificate_hash(ScePspIndividualKeyMeshCert *cert) {<br /> byte bVar1;<br /> uint uVar2;<br /> int iVar3;<br /> byte *pbVar4;<br /> uint uVar5;<br /> uint uVar6;<br /> byte *pbVar7;<br /> uint uVar8;<br /> byte bVar9;<br /> int idx;<br /> int offset;<br /> byte *pbVar11;<br /> byte local_60 [80];<br /> byte m [16];<br /> uint uVar10;<br /> <br /> pbVar11 = local_60;<br /> m[0] = 1; // GF(2^8) multipliers applied to each input byte<br /> m[1] = 0xf;<br /> m[2] = 0x36;<br /> m[3] = 0x78;<br /> m[4] = 0x40;<br /> <br /> offset = 0; // copy the first 0x3c bytes of the certificate into the work buffer<br /> do {<br /> pbVar4 = (byte *)cert + offset;<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar4;<br /> } while (offset &lt; 0x3c);<br /> <br /> offset = 0x3c; // zero the 4 bytes that will receive the hash<br /> do {<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> offset = 0; // for each input byte: multiply it by m[0..4] in GF(2^8) (reduction polynomial 0x11d) and XOR the products into the current byte and the 4 following ones<br /> do {<br /> bVar1 = *pbVar11;<br /> <br /> idx = 0;<br /> do {<br /> uVar8 = (uint)m[idx];<br /> iVar3 = idx + 0x40;<br /> uVar10 = 0;<br /> bVar9 = 0;<br /> uVar2 = (uint)bVar1;<br /> while (uVar8 != 0) {<br /> uVar6 = uVar2 &lt;&lt; 1;<br /> uVar5 = uVar8 &amp; 1;<br /> uVar8 = (int)uVar8 &gt;&gt; 1;<br /> if (uVar5 != 0) {<br /> uVar10 = uVar10 ^ 
uVar2;<br /> }<br /> bVar9 = (byte)uVar10;<br /> uVar2 = uVar6;<br /> if ((uVar6 &amp; 0x100) != 0)<br /> uVar2 = uVar6 ^ 0x11d;<br /> }<br /> idx = idx + 1;<br /> local_60[iVar3] = bVar9;<br /> } while (idx &lt; 5);<br /> <br /> idx = 0;<br /> do {<br /> pbVar7 = pbVar11 + idx;<br /> iVar3 = idx + 0x40;<br /> idx = idx + 1;<br /> *pbVar7 = *pbVar7 ^ local_60[iVar3];<br /> } while (idx &lt; 5);<br /> <br /> idx = offset + 1;<br /> pbVar11 = local_60 + offset + 1;<br /> offset = idx;<br /> } while (idx &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do {<br /> pbVar11 = local_60 + offset;<br /> pbVar7 = cert + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar11;<br /> *pbVar11 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> return;<br /> }<br /> <br /> void gen_psp_individual_key_mesh_certificate(SomeStructure *ss, byte *data_for_0x38, ScePspIndividualKeyMeshCert *cert) { <br /> gen_psp_key_mesh(cert-&gt;key_mesh);<br /> <br /> for (int idx = 0; idx &lt; 8; idx++)<br /> cert-&gt;fuse_id[idx] = ss[idx];<br /> <br /> for (int idx = 0; idx &lt; 4; idx++)<br /> cert-&gt;reserved[idx] = data_for_0x38[idx];<br /> <br /> gen_psp_individual_key_mesh_certificate_hash(cert);<br /> <br /> return 0;<br /> }<br /> <br /> typedef struct U64 {<br /> unsigned int low;<br /> unsigned int high;<br /> } U64;<br /> <br /> int CreateSomeStructure(SomeStructure *ss) {<br /> U64 fuse_id;<br /> int i;<br /> <br /> memcpy(&amp;fuse_id, &amp;g_fuse_id, 8);<br /> <br /> memset(ss-&gt;buf1, 0, 8);<br /> memset(ss-&gt;buf2, 0xFF, 8);<br /> <br /> memcpy(ss-&gt;buf3, &amp;fuse_id.high, 4);<br /> memcpy(ss-&gt;buf3+4, &amp;fuse_id.low, 4);<br /> <br /> for (i = 0; i &lt; 4; i++) {<br /> ss-&gt;buf1[3-i] = ss-&gt;buf3[i];<br /> ss-&gt;buf1[7-i] = ss-&gt;buf3[4+i];<br /> }<br /> <br /> return 0;<br /> }<br /> <br /> uint gen_psp_individual_seed_helper(ScePspIndividualKeyMeshCert *cert) {<br /> SomeStructure ss;<br /> CreateSomeStructure(&amp;ss);<br /> int data_for_0x38 = 0;<br /> 
gen_psp_individual_key_mesh_certificate(&amp;ss, &amp;data_for_0x38, cert);<br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expected contents of inbuf and outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses per-console key fuse-based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? 
(if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) 
(key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | 
KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0x0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, ie the devkit's Bootrom. It supposedly can only be run at a very early stage. The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check it's non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt body using AES slotted key 0<br /> <br /> == Commands 0x1, 0x2, 0x3 &amp; 0xA: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These three functions take very similar inputs, as they all do signature verification and decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 0xA takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. 
Bytes 0x10..0x60 depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> |0x00<br /> |0x10<br /> |Decryption key, encrypted with another key depending on the command<br /> |-<br /> |0x10<br /> |0x50<br /> |Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same as the key used for the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. 
Kirk then checks that the data size &amp; offset (at 0x70 and 0x74) didn't change from what was previously read (possibly to avoid data being overwritten while being processed). The computed CMAC is then compared with the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies that the values at 0x70 and 0x74 didn't change. It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 0xA ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> <br /> - Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> <br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and keyseed is in the 0x20..0x2f or 0x6c, 0x7b range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2f or 0x73..0x7b range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except it uses per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above, but differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 0xB: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 0xC: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 0xD: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 0xE: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 0xF: Seed RNG buffer ==<br /> This function seeds the Kirk 32-byte RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> It takes as an input and output data of size 0x1c:<br /> <br /> * 0x00 - 64-bit counter - increased by 1 in the output<br /> * 0x08 - seed data (0x14 bytes long) - used for seeding as an input, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increment the input counter<br /> # Set the first 0x14 bytes of the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize the 32-byte RNG buffer to two empty words, and two words taken from the input data at offsets 0x00 and 0x04<br /> # Do a reseeding (see below)<br /> # Output the bytes contained in the first 0x14 bytes of the PRNG seed after the reseeding<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt RNG buffer with AES per-console key with seed 6<br /> # Set the last half of the PRNG seed (0x14 bytes) to the contents RNG buffer<br /> # Regenerate data with the PRNG<br /> The functions requiring random data then use some parts of the PRNG state (&quot;seed&quot; (first 0x28 bytes of the PRNG state) or &quot;result&quot; (last 0x14 bytes of the PRNG state)) as random data to be used.<br /> <br /> == Command 0x10: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. 
It is used to verify IdStorage IDPS certificates.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 0x11: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature. It is used to verify IdStorage IDPS certificates.<br /> <br /> It takes no output, and takes as an input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 0x12: verify certificate ==<br /> <br /> This command verifies an AES-CBC-MAC (OMAC1) signature. It is used to verify [[IDStorage#IDStorage_certified_sections|ID Storage certificates]]. 
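The 0x90-byte metadata header shared by commands 1, 2, 3 and 0xA, together with the mode and body-size checks listed for those commands above, as an added Python parser. This is example code written for this page, not code from the wiki or from any Kirk implementation: the field names, the KirkHeader class and the build_sample_header helper are mine, and the "body fits in the buffer" check is an extra host-side sanity check that the page does not attribute to Kirk.

```python
# Added example: parse the Kirk command 1/2/3/0xA metadata header (0x90 bytes) and
# run the structural checks the page lists before any signature or cipher work.
import struct
from dataclasses import dataclass

HEADER_LEN = 0x90
KIRK_CMD_DECRYPT_PRIVATE = 1
KIRK_CMD_DNAS_ENCRYPT = 2
KIRK_CMD_DNAS_DECRYPT = 3
KIRK_CMD_PRIV_SIGVRY = 0xA
SIG_AES_CMAC = 0
SIG_ECDSA = 1


@dataclass
class KirkHeader:
    enc_key: bytes          # 0x00: decryption key, encrypted with a command-dependent key
    sig_info: bytes         # 0x10: 0x50 bytes whose layout depends on sig_mode
    mode: int               # 0x60: 1, 2 or 3
    sig_mode: int           # 0x64 bit 0: SIG_AES_CMAC or SIG_ECDSA
    out_ecdsa: bool         # 0x64 bit 1: command 2 only, ECDSA-sign the Kirk 3 output
    wipe_on_failure: bool   # 0x68 bit 0: wipe the whole input if the body check fails
    devkit: bool            # 0x6C: 0xFFFFFFFF on dev units, 0 on retail
    data_len: int           # 0x70: length of the decrypted data
    data_offset: int        # 0x74: padding between the header and the body

    def cmac_fields(self):
        """AES CMAC mode: (encrypted CMAC key, header CMAC, data CMAC)."""
        s = self.sig_info
        return s[0x00:0x10], s[0x10:0x20], s[0x20:0x30]

    def ecdsa_fields(self):
        """ECDSA mode: ((header r, header s), (data r, data s)), 0x14 bytes each."""
        s = self.sig_info
        return (s[0x00:0x14], s[0x14:0x28]), (s[0x28:0x3C], s[0x3C:0x50])


def parse_header(buf: bytes) -> KirkHeader:
    """Split the 0x90-byte header into fields; raises ValueError on a short buffer."""
    if len(buf) < HEADER_LEN:
        raise ValueError("input shorter than the 0x90-byte header")
    mode, f64, f68, dev, data_len, data_offset = struct.unpack_from("<6I", buf, 0x60)
    return KirkHeader(buf[0x00:0x10], buf[0x10:0x60], mode, f64 & 1, bool(f64 & 2),
                      bool(f68 & 1), dev == 0xFFFFFFFF, data_len, data_offset)


def header_problem(buf: bytes, command: int) -> str:
    """Return "" if the header passes the pre-crypto checks for `command`, else the reason.

    Commands 1, 2 and 3 require the mode word to equal the command; command 0xA
    accepts any of 1, 2, 3.  All of them reject an empty body.
    """
    try:
        hdr = parse_header(buf)
    except ValueError as e:
        return str(e)
    if command == KIRK_CMD_PRIV_SIGVRY:
        if hdr.mode not in (1, 2, 3):
            return "mode %d is not a command 1/2/3 block" % hdr.mode
    elif hdr.mode != command:
        return "mode %d does not match command %d" % (hdr.mode, command)
    if hdr.data_len == 0:
        return "body size is zero"
    # Extra host-side sanity check (assumption, not a documented Kirk check): the body
    # announced by 0x70/0x74 must actually fit behind the header.
    if HEADER_LEN + hdr.data_offset + hdr.data_len > len(buf):
        return "body does not fit in the input buffer"
    return ""


def build_sample_header(mode, sig_mode, data_len, data_offset=0, wipe=False) -> bytes:
    """Constructed test header: zeroed keys and signatures, only the control words set."""
    return (bytes(0x60)
            + struct.pack("<6I", mode, sig_mode & 1, int(wipe), 0, data_len, data_offset)
            + bytes(0x18))


if __name__ == "__main__":
    sample = build_sample_header(3, SIG_ECDSA, 0x20, 0x10, wipe=True) + bytes(0x30)
    print(parse_header(sample))
    print("command 3:", header_problem(sample, KIRK_CMD_DNAS_DECRYPT) or "ok")
    print("command 1:", header_problem(sample, KIRK_CMD_DECRYPT_PRIVATE) or "ok")
```

The value of doing these checks on the host before handing a buffer to Kirk is that the mode word, the wipe flag and the size/offset pair decide what the engine will do with the input, including whether a failed body check erases it, so a tool that builds or inspects Kirk 1/2/3 blocks should reject an inconsistent header rather than learn about it from an error code.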
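The 4-byte hash that closes the ScePspIndividualKeyMeshCert, whose decompiled form appears in the PSP Individual Key Mesh Certificate section above, as an added Python reimplementation. This is example code written for this page, not code from the wiki or from any PSP firmware or homebrew project; it keeps the constants the decompilation uses (reduction polynomial 0x11d and the multipliers 1, 0x0f, 0x36, 0x78, 0x40), while the function names, the seal/verify helpers and the sample certificate bytes are my own.

```python
# Added example: Python version of the decompiled gen_psp_individual_key_mesh_certificate_hash.
# The loops mirror the decompilation step by step; see the notes in each function.
import hmac

CERT_SIZE = 0x40        # sizeof(ScePspIndividualKeyMeshCert)
HASHED_LEN = 0x3C       # key_mesh (0x30) + fuse_id (8) + reserved (4)
GF_POLY = 0x11D         # reduction polynomial of the decompiled inner loop
# Multiples of the current byte folded into itself and the four following bytes.
MULTIPLIERS = (0x01, 0x0F, 0x36, 0x78, 0x40)


def gf_mul(a: int, b: int) -> int:
    """GF(2^8) product modulo x^8+x^4+x^3+x^2+1 (0x11d), as the shift-and-xor loop
    in the decompilation computes it: `a` is doubled each round, `b` is scanned."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= GF_POLY
    return acc & 0xFF


def key_mesh_cert_hash(cert: bytes) -> bytes:
    """Return the 4-byte hash over cert[0:0x3c].

    The decompiled routine copies the first 0x3c bytes into a work buffer, zeroes the
    four hash bytes behind them and walks the buffer left to right.  For each byte b it
    xors b*1 into the byte itself (clearing it) and b*0x0f, b*0x36, b*0x78, b*0x40 into
    the next four bytes.  Whatever remains at 0x3c..0x3f is the hash.
    """
    if len(cert) < HASHED_LEN:
        raise ValueError("certificate too short")
    work = bytearray(cert[:HASHED_LEN]) + bytearray(4)
    for off in range(HASHED_LEN):
        b = work[off]
        if b == 0:                  # every product is zero, nothing to fold
            continue
        for i, m in enumerate(MULTIPLIERS):
            work[off + i] ^= gf_mul(b, m)
    return bytes(work[HASHED_LEN:CERT_SIZE])


def seal_cert(cert: bytes) -> bytes:
    """Return the 0x40-byte certificate with the hash written at 0x3c, as the
    decompiled gen_psp_individual_key_mesh_certificate does after filling the fields."""
    return bytes(cert[:HASHED_LEN]) + key_mesh_cert_hash(cert)


def verify_cert(cert: bytes) -> bool:
    """Recompute the hash of a 0x40-byte certificate and compare it with the stored one."""
    if len(cert) != CERT_SIZE:
        return False
    return hmac.compare_digest(cert[HASHED_LEN:CERT_SIZE], key_mesh_cert_hash(cert))


if __name__ == "__main__":
    # Constructed sample: a fake key mesh, fuse ID and reserved field (not real console data).
    sample = seal_cert(bytes(range(HASHED_LEN)) + bytes(4))
    print(sample.hex())
    print("verify:", verify_cert(sample))
```

Structurally this is a Reed-Solomon-style remainder: eliminating each byte with the relation x^4 = 0x0f x^3 + 0x36 x^2 + 0x78 x + 0x40 leaves the message polynomial reduced modulo a degree-4 polynomial over GF(2^8). Because every operation is an XOR or a multiplication by a constant, the hash is linear over GF(2), which makes it a good check for a corrupted flashData.prx copy and nothing more: it is keyless, so it is not an authenticator and detects only accidental damage.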
<br /> <br /> This command has no output.<br /> <br /> It takes as input an [[IDStorage#IDStorage_certified_sections|ID Storage certificate]] read from [[IDStorage]].<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct kirk_command_0x12_input {<br /> ids_cert_psp certificate;<br /> } kirk_command_0x12_input;<br /> &lt;/source&gt;<br /> <br /> It uses the per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. 
(See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=IDStorage&diff=12423 IDStorage 2024-01-18T22:34:19Z <p>CelesteBlue: /* IDStorage certified sections */</p> <hr /> <div>= Location =<br /> <br /> == PSP ==<br /> <br /> The IDStorage area is located after the IPL on the NAND at offset 0xC0000.<br /> <br /> = Description =<br /> <br /> It is used to store low-level information, such as the serial, [[MAC address]], [[UMD]], WLAN and region. <br /> <br /> The IDStorage area is an associative array and information is stored using key/value pairs (index/leaf). The IDStorage seems a little coupled to the physical storage as each leaf is mapped to a 512-byte area, which is equal to the page size of the PSP standard NAND flash, and it seems 512-byte page operations are intended.<br /> <br /> = Structure =<br /> <br /> IDStorage leaves are all 512 bytes. Most IDStorage leaves have a pair, although some do not.<br /> <br /> IDStorage leaf indexes are 16-bit integers and are stored in an index table of two NAND pages of 512 bytes.<br /> <br /> * The index is identified by byte 6 of the spare area (0x73).<br /> * Byte 7 is the IDStorage version.<br /> * Byte 8 is either 1 or 0 depending on whether the IDStorage has been formatted or not, and finally byte 9 indicates if the IDStorage is read-only or not.<br /> <br /> For example, an index appearing at position 27 (byte 54) in the index table would find its associated data at the NAND offset: 0xC0000 + (27 * 512) = 0xC3600.<br /> <br /> = Importance in OS =<br /> <br /> As major functions such as UMD decryption, Ad Hoc and DNAS Authentication rely on IDStorage leaves, the loss or corruption of leaves can be crippling to the usability of the PSP. 
Users are strongly recommended to take a [[NAND Backup]], giving them the opportunity to restore their IDStorage using a tool such as [[NandTool]].<br /> <br /> The firmware provides a driver to facilitate manipulations. In PSP: idstorage.prx. In PSVita: idstorage.skprx.<br /> <br /> = Generation =<br /> <br /> Most of the idstorage generation process is detailed in Despertar Del Cementerio (sources available here: https://github.com/mathieulh/Despertar-Del-Cementerio).<br /> <br /> * some PSP JigKick files contain information on how to (re)generate idstorage leaves<br /> * DespertarDelCementerio v7 also contains information about idstorage (re)generation.<br /> * the most significant module used by DCv7 used to do this is idsregeneration.prx&lt;br /&gt;<br /> (see DCv7 src code https://github.com/mathieulh/Despertar-Del-Cementerio/tree/master/idsregeneration).<br /> * you can see a plethora of &quot;templates&quot; which are used for the generation of the idstorage sections.<br /> * the idstorage regeneration requires 2, probably more parameters -&gt; Region, MAC Address, and likely a timestamp of sorts.<br /> * on ps3 the generation method wasn't found on the JigKick firmware files (and selfs). however, it seems that factory still does this, but by accessing a server, so the information cannot be deduced anymore unless there's access to the server.<br /> * together with the idps (called PSID on PSP), the openPSID is also generated on PSP (written to IdStorage).<br /> * there are 12 sections on PSP, unlike the 11 ones on PS3 EID0.<br /> <br /> = IDStorage certified sections =<br /> <br /> IDStorage certified sections are a security measure for critical information. For example PSID and OpenPSID are certified (leaves 0x100, 0x101, 0x120, 0x121). For PSPemu on PS3 and PS Vita, the same sort of certificates are contained in PS3 eEID and PS Vita ID Storage, and Kirk commands are implemented to handle them. 
Moreover, PS3 eEID certificates use almost the same structure and algorithms, whilst PS Vita extends block sizes from 128 to 192 and 256 bits.<br /> <br /> Kirk command 0x12 is used to verify IDStorage certificates.<br /> <br /> == Structure ==<br /> <br /> {|class=&quot;wikitable&quot;<br /> |-<br /> ! Name !! Size !! Description<br /> |-<br /> | Data || 0x10 || contains the actual data (either PSID or OpenPSID)<br /> |-<br /> | plaintext public key || 0x28 || contains the certificate's public key (without padding)<br /> |-<br /> | R || 0x14 || part of the ECDSA signature pair (R, S)<br /> |-<br /> | S || 0x14 || part of the ECDSA signature pair (R, S)<br /> |-<br /> | public key || 0x28 || ECDSA public key (unknown what this is doing here)<br /> |-<br /> | encrypted private key || 0x20 || encrypted blob that contains the certificate's private key (with padding)<br /> |-<br /> | omac/cmac1 || 0x10 || hash of the previous information in CMAC1/OMAC mode<br /> |}<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ECDSA160_signature { // size is 0x28<br /> unsigned char r[0x14];<br /> unsigned char s[0x14];<br /> } ECDSA160_signature;<br /> <br /> typedef struct ids_cert_main_psp { // size is 0xA8<br /> char data[0x10];<br /> char pub_key[0x28]; // ?generated using Kirk command 0xC? 
sent to Kirk command 0x11 for verification<br /> ECDSA160_signature signature;<br /> char constant_pub_key[0x28]; // hardcoded constant, same in all PSP consoles but depends on the certificate index in ID Storage<br /> char enc_priv_key[0x20]; // decrypted and verified by Kirk command 0x10<br /> } ids_cert_main_psp;<br /> <br /> typedef struct ids_cert_psp { // size is 0xB8<br /> ids_cert_main_psp cert_data; // data input for generating enc_aes_cmac_hash<br /> char aes_cmac[0x10]; // verified by Kirk command 0x12<br /> } ids_cert_psp;<br /> &lt;/source&gt;<br /> <br /> = Content =<br /> <br /> * Leaves 0x100-0x11F are identical to their backup leaves 0x120-0x13F<br /> * Old PSP revision haven't leaves 0x046, 0x047<br /> * Very old PSP revisions haven't leaf 0x140<br /> * Leaf 0x50 is maybe Serial Number<br /> <br /> = Uses =<br /> <br /> == IPL ==<br /> <br /> The Stage 2 [[IPL]] (main.bin) reads 3 leaves, 0x004, 0x005 and 0x006. These leaves play a significant part in the PSP as they are related to power. In TA-082 and TA-086 PSP's, these leaves are at different locations, causing a brick with the 1.50 IPL.<br /> <br /> 0x004<br /> 0000000000 6E 79 72 42 01 00 00 00-10 00 00 00 BB 01 AB 1F nyrB............<br /> 0000000016 D8 00 24 00 14 31 14 00-94 01 48 00 D8 00 00 00 ..$..1....H.....<br /> <br /> 0x005<br /> 0000000000 67 68 6C 43 01 00 00 00-01 00 00 00 CA D9 E3 9B ghlC............<br /> 0000000016 0A 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br /> <br /> 0x006<br /> 0000000000 72 64 44 4D 01 00 00 00-07 00 00 00 85 BD 2C 75 rdDM..........,u<br /> 0000000016 00 00 00 85 83 81 80 00-00 00 00 00 00 00 00 00 ................<br /> <br /> == Chkreg.prx ==<br /> <br /> === sceChkregGetPsCode ===<br /> <br /> Chkreg (chkreg.prx) reads 2 leaves, 0x100 and 0x102 or 0x120 and 0x122. 
<br /> <br /> It gets the PSID from the IdStorage and converts it to a PsCode.<br /> <br /> Example of PSP PsCode: 00 00 00 01 00 03 00 01<br /> <br /> The return from sceChkregGetPsCode is determined to be valid or invalid via KIRK command 0x12, just like other functions using leaves 0x100, 0x120.<br /> <br /> == openpsid.prx ==<br /> <br /> === sceOpenPSIDGetPSID ===<br /> <br /> sceOpenPSIDGetPSID first reads leaf 0x100 or 0x120 into a buffer using sceIdStorageLookup with the following args:<br /> <br /> sceIdStorageLookup(0x120, 0x38, buf, 0xB8); // ???offset to check???<br /> <br /> The buffer is then sent to KIRK using sceUtilsBufferCopyWithRange with the following args:<br /> <br /> sceUtilsBufferCopyWithRange(0, 0, buf, 0xB8, 0x12);<br /> <br /> It sends data to 2 modules: OpenPSID and memab. Once the scrambled buffer has been sent, &quot;some check&quot; is performed.<br /> <br /> If sceUtilsBufferCopyWithRange is successful, this part of sceChkregGetPsCode returns 0, else it returns 0x80000108.<br /> <br /> === sceOpenPSIDGetOpenPSID ===<br /> <br /> OpenPSID (openpsid.prx) reads 2 leaves, both relating to the region: 0x101 or 0x121 and 0x102 or 0x122. The OpenPSID is calculated via the above leaves and sceUtilsBufferCopyWithRange.<br /> <br /> It first reads 0x101 or 0x121 into a buffer. If this fails it returns 0xC0520001 and reads 0x102 or 0x122 into the buffer. If it fails again, it returns 0xC0520002.<br /> <br /> The buffer is then passed to sceUtilsBufferCopyWithRange with the following args:<br /> <br /> sceUtilsBufferCopyWithRange(0, 0, buf, 0xB8, 0x12);<br /> <br /> If sceUtilsBufferCopyWithRange returns 1, OpenPSID returns 0xC0520001, else it returns 0.<br /> <br /> == Memab ==<br /> <br /> Memab (memab.prx) reads 1 leaf, 0x100 or 0x120.<br /> <br /> Mgr (mgr.prx) reads 2 leaves, 0x040 and another unknown leaf.<br /> <br /> 0x040<br /> 00000001E0 03 86 00 20 F8 47 90 88-58 99 2E 88 F8 47 90 88 ... 
.G..X....G..<br /> 00000001F0 25 00 00 00 64 99 2E 88-01 00 00 00 D0 99 2E 88 %...d...........<br /> <br /> Another unknown leaf.<br /> <br /> == Power ==<br /> <br /> Power (power.prx) reads 1 leaf, 0x0004. This leaf is related to power and is also read by the IPL.<br /> <br /> == Umdman ==<br /> <br /> Umdman (umdman.prx) reads 1 leaf, 0x102. This leaf is related to the region, and is probably used to determine what UMD video's can be read on the PSP.<br /> <br /> == USB ==<br /> <br /> === usb.prx ===<br /> <br /> USB (usb.prx) reads 1 leaf, 0x041. This leaf has information on the USB types.<br /> <br /> 0x041<br /> 0000000000 4C 05 00 00 0A 03 53 00-6F 00 6E 00 79 00 00 00 L.....S.o.n.y...<br /> 0000000064 00 00 00 00 05 00 00 00-C8 01 00 00 16 03 50 00 ..............P.<br /> 0000000080 53 00 50 00 20 00 54 00-79 00 70 00 65 00 20 00 S.P. .T.y.p.e. .<br /> 0000000096 41 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 A...............<br /> 0000000128 00 00 00 00 00 00 00 00-00 00 00 00 C9 01 00 00 ................<br /> 0000000144 16 03 50 00 53 00 50 00-20 00 54 00 79 00 70 00 ..P.S.P. .T.y.p.<br /> 0000000160 65 00 20 00 42 00 00 00-00 00 00 00 00 00 00 00 e. .B...........<br /> 0000000208 CA 01 00 00 16 03 50 00-53 00 50 00 20 00 54 00 ......P.S.P. .T.<br /> 0000000224 79 00 70 00 65 00 20 00-43 00 00 00 00 00 00 00 y.p.e. .C.......<br /> 0000000272 00 00 00 00 CB 01 00 00-16 03 50 00 53 00 50 00 ..........P.S.P.<br /> 0000000288 20 00 54 00 79 00 70 00-65 00 20 00 44 00 00 00 .T.y.p.e. .D...<br /> 0000000336 00 00 00 00 00 00 00 00-CC 01 00 00 16 03 50 00 ..............P.<br /> 0000000352 53 00 50 00 20 00 54 00-79 00 70 00 65 00 20 00 S.P. .T.y.p.e. .<br /> 0000000368 45 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 E...............<br /> <br /> Offset Description Data<br /> 0x0000 idVendor 0x4C 0x05 <br /> 0x0002 ??? 0x00 0x00 <br /> 0x0004 bLength 0x0A <br /> 0x0005 ??? 
0x03 <br /> 0x0006 iManufacturer String 0x53 0x00 0x6F 0x00 0x6E 0x00 0x79 <br /> 0x0044 ? bNum 0x05 <br /> 0x0045 ??? 0x00 0x00 0x00 <br /> 0x0048 idProduct 0xC8 0x01 <br /> 0x004A ??? 0x00 0x00 <br /> 0x004C bLength 0x16 <br /> 0x004D ? bDescriptorType 0x03 <br /> 0x004E iProduct String 0x50 0x00 0x53 0x00 0x50 0x00 0x20 <br /> 0x00 0x54 0x00 0x79 0x00 0x70 0x00 <br /> 0x65 0x00 0x20 0x00 0x41 <br /> 0x008C idProduct 0xC9 0x01 <br /> 0x008E ??? 0x00 0x00 <br /> 0x0090 bLength 0x16 <br /> 0x0091 ? bDescriptorType 0x03 <br /> 0x0092 iProduct String 0x50 0x00 0x53 0x00 0x50 0x00 0x20 <br /> 0x00 0x54 0x00 0x79 0x00 0x70 0x00 <br /> 0x65 0x00 0x20 0x00 0x42 <br /> 0x00D0 idProduct 0xCA 0x01 <br /> 0x00D2 ??? 0x00 0x00 <br /> 0x00D4 bLength 0x16 <br /> 0x00D5 ? bDescriptorType 0x03 <br /> 0x00D6 iProduct String 0x50 0x00 0x53 0x00 0x50 0x00 0x20 <br /> 0x00 0x54 0x00 0x79 0x00 0x70 0x00 <br /> 0x65 0x00 0x20 0x00 0x43 <br /> 0x0114 idProduct 0xCB 0x01 <br /> 0x0116 ??? 0x00 0x00 <br /> 0x0118 bLength 0x16 <br /> 0x0119 ? bDescriptorType 0x03 <br /> 0x011A iProduct String 0x50 0x00 0x53 0x00 0x50 0x00 0x20 <br /> 0x00 0x54 0x00 0x79 0x00 0x70 0x00 <br /> 0x65 0x00 0x20 0x00 0x44 <br /> 0x0158 idProduct 0xCC 0x01 <br /> 0x015A ??? 0x00 0x00 <br /> 0x015C bLength 0x16 <br /> 0x015D ? bDescriptorType 0x03 <br /> 0x015E iProduct String 0x50 0x00 0x53 0x00 0x50 0x00 0x20 <br /> 0x00 0x54 0x00 0x79 0x00 0x70 0x00 <br /> 0x65 0x00 0x20 0x00 0x45<br /> <br /> === usbstor.prx ===<br /> <br /> USBstor (usbstor.prx) reads 1 leaf, ?0x040 or 0x043?.<br /> <br /> ?0x040 or 0x043?<br /> 0000000000 55 73 74 72 53 6F 6E 79-20 20 20 20 50 53 50 20 UstrSony PSP <br /> 0000000016 20 20 20 20 20 20 20 20-20 20 20 20 31 2E 30 30 1.00<br /> 0000000032 50 00 53 00 50 00 00 00-00 00 00 00 00 00 00 00 P.S.P........... 
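The leaf 0x041 layout from the offset table above, as an added Python example that is not code from the wiki: a parser that validates each USB string descriptor (bLength, bDescriptorType) before decoding it, plus a sample leaf constructed from the hexdump. The names parse_leaf_0x041, build_sample_leaf, PRODUCT_STRIDE and DUMP_SIZE are this example's own, not PSP firmware symbols.

```python
# Added example (not code from the wiki page): parser for IDStorage leaf 0x041
# as laid out in the offset table above. The sample leaf is constructed here
# from the hexdump; it was not read from a PSP.
import struct

DUMP_SIZE = 0x180           # the range shown in the dump above (0x000..0x17F)
MANUFACTURER_DESC = 0x04    # bLength, bDescriptorType, then UTF-16LE "Sony"
PRODUCT_COUNT = 0x44        # number of product entries (5 in the dump)
PRODUCT_TABLE = 0x48        # first product entry: idProduct, pad, descriptor
PRODUCT_STRIDE = 0x44       # entries at 0x48, 0x8C, 0xD0, 0x114, 0x158
USB_DT_STRING = 0x03        # USB bDescriptorType value for a string descriptor


def parse_string_descriptor(data, off):
    """Decode one USB string descriptor, rejecting malformed length/type fields
    so that a corrupted or hand-edited leaf cannot drive reads past the buffer."""
    if off + 2 > len(data):
        raise ValueError("descriptor header at 0x%X runs past the leaf" % off)
    blen, btype = data[off], data[off + 1]
    if btype != USB_DT_STRING:
        raise ValueError("bDescriptorType 0x%02X at 0x%X is not a string" % (btype, off))
    if blen < 2 or blen % 2 or off + blen > len(data):
        raise ValueError("bad bLength 0x%02X at 0x%X" % (blen, off))
    return data[off + 2:off + blen].decode("utf-16-le")


def parse_leaf_0x041(data):
    """Return idVendor, the manufacturer string and the (idProduct, name) list."""
    if len(data) < PRODUCT_TABLE:
        raise ValueError("leaf too short")
    id_vendor = struct.unpack_from("<H", data, 0x00)[0]
    manufacturer = parse_string_descriptor(data, MANUFACTURER_DESC)
    products = []
    for i in range(data[PRODUCT_COUNT]):
        base = PRODUCT_TABLE + i * PRODUCT_STRIDE
        if base + 6 > len(data):
            raise ValueError("product entry %d runs past the leaf" % i)
        id_product = struct.unpack_from("<H", data, base)[0]
        products.append((id_product, parse_string_descriptor(data, base + 4)))
    return {"idVendor": id_vendor, "manufacturer": manufacturer, "products": products}


def build_sample_leaf():
    """Constructed sample matching the dump: vendor 0x054C "Sony" and five
    product entries 0x01C8..0x01CC named "PSP Type A".."PSP Type E"."""
    leaf = bytearray(DUMP_SIZE)
    struct.pack_into("<H", leaf, 0x00, 0x054C)
    sony = "Sony".encode("utf-16-le")
    leaf[MANUFACTURER_DESC] = 2 + len(sony)          # bLength 0x0A
    leaf[MANUFACTURER_DESC + 1] = USB_DT_STRING
    leaf[MANUFACTURER_DESC + 2:MANUFACTURER_DESC + 2 + len(sony)] = sony
    names = ["PSP Type %s" % c for c in "ABCDE"]
    leaf[PRODUCT_COUNT] = len(names)
    for i, name in enumerate(names):
        base = PRODUCT_TABLE + i * PRODUCT_STRIDE
        struct.pack_into("<H", leaf, base, 0x01C8 + i)
        enc = name.encode("utf-16-le")
        leaf[base + 4] = 2 + len(enc)                  # bLength 0x16
        leaf[base + 5] = USB_DT_STRING
        leaf[base + 6:base + 6 + len(enc)] = enc
    return bytes(leaf)


if __name__ == "__main__":
    info = parse_leaf_0x041(build_sample_leaf())
    print("idVendor=0x%04X manufacturer=%s" % (info["idVendor"], info["manufacturer"]))
    for pid, name in info["products"]:
        print("  idProduct=0x%04X %s" % (pid, name))
```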
<br /> <br /> == WLAN ==<br /> <br /> WLAN (wlan.prx) reads 2 leaves, 0x044 and 0x045.<br /> <br /> 0x044<br /> 0000000000 00 16 FE 86 FA 28 .....( <br /> <br /> 0x045<br /> 0000000000 03 00 01 ... <br /> <br /> These leaves contain the MAC address of the PSP. This can be changed, but does not affect the hardware, only the address displayed under System Information.<br /> <br /> == Sysconf_plugin ==<br /> <br /> Sysconf_plugin (sysconf_plugin.prx) reads 1 leaf, 0x044. This is probably why the VSH displays a different MAC address when leaves 0x044/0x045 are changed.<br /> <br /> == Vshmain ==<br /> <br /> Vshmain (vshmain.prx) reads 1 leaf, 0x046.<br /> <br /> 0x046<br /> Empty, however vshmain uses the first byte of this leaf to set a param for vshImposeSetParam. <br /> <br /> = Legality of distribution =<br /> <br /> It is an open question whether [[Sony]] is able to take legal action against those found to be distributing IDStorage leaves among the community, for research, repair, or otherwise. The worry is that the leaves are proprietary data (particularly UMD decryption leaves).<br /> <br /> = Useful links =<br /> <br /> * [https://github.com/esxgx/uofw/blob/master/src/lowio/nand.c]<br /> * [https://gigawiz.github.io/yapspd/html_chapters_split/chap19.html#sec19.2.4]<br /> * [https://xero1.wordpress.com/2007/01/06/hello-world/]<br /> * [https://www.elotrolado.net/hilo_referencia-sobre-el-idstorage_839995]</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12422 Kirk 2024-01-18T22:28:14Z <p>CelesteBlue: /* Command 0x12: verify certificate */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory-mapped registers at base address 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). 
It is capable of performing AES encryption and decryption, SHA-1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and AES-CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands are invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are fast and need much smaller keys than other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the short Weierstrass form y² = x³ + ax + b. They share the same field prime p and differ in b, G and the order n of G.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/0xA ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 0xA.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands allow operations with any public key. 
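As an added example (not code from the wiki or from any PSP tool), the following pure-Python check confirms that each generator lies on its curve, that n really is the order of G, and that the command 1 public key equals the leaked private scalar times G. It assumes, as the ecpy sample on this page does, that both curves share the field prime 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF; the function names (on_curve, add, mul, check_curve, check_kirk1_keypair) are this example's own.

```python
# Added example (not code from the wiki page): sanity checks on the two 160-bit
# Kirk curves using only the parameters and keys quoted on this page.
# Assumption: both curves share the field prime P below (the field/order
# pairing used by the ecpy sample on this page).

P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF   # field prime, both curves
A = P - 3                                        # a = -3 mod P

# Curve used by Kirk commands 1, 2, 3 and 0xA
CURVE_CMD1 = {
    "b": 0x65D1488C0359E234ADC95BD3908014BD91A525F9,
    "n": 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,
    "G": (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA,
          0x604358456D0A1CB2908DE90F27D75C82BEC108C0),
}
# Curve used by Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11
CURVE_CMD17 = {
    "b": 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,
    "n": 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,
    "G": (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
          0x5958557EB1DB001260425524DBC379D5AC5F4ADF),
}
# Hardcoded command 1 public key and the private scalar, both as given on the page
KIRK1_PUB = (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9,
             0x049DF1A075C0E04FB344858B61B79B69A63D2C39)
KIRK1_PRIV = 0xF392E26490B80FD889F2D9722C1F34D7274F983D

INF = None  # point at infinity


def on_curve(pt, b):
    """True if pt satisfies y^2 = x^3 + a*x + b over GF(P)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P == 0


def add(p1, p2):
    """Affine point addition; only a (shared by both curves) enters the formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2 (covers y == 0 as well)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant-time; for checks only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def check_curve(curve):
    """G must lie on the curve and n*G must be the point at infinity (cofactor 1)."""
    G, n, b = curve["G"], curve["n"], curve["b"]
    return on_curve(G, b) and mul(n, G) is INF


def check_kirk1_keypair():
    """The command 1 public key must be on its curve and equal KIRK1_PRIV * G."""
    pub_on_curve = on_curve(KIRK1_PUB, CURVE_CMD1["b"])
    return pub_on_curve and mul(KIRK1_PRIV, CURVE_CMD1["G"]) == KIRK1_PUB


if __name__ == "__main__":
    print("cmd1 curve consistent:", check_curve(CURVE_CMD1))
    print("cmd17 curve consistent:", check_curve(CURVE_CMD17))
    print("cmd1 key pair matches:", check_kirk1_keypair())
```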
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ECPy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> # Point() checks that the coordinates lie on the given curve<br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key: priv * G must give the hardcoded public key<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (for both coordinates), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30-byte buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk commands 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk commands 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk commands 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> extern const u8 ids_master_key[0x10]; // static AES key, see the Keys page<br /> <br /> void gen_psp_key_mesh(ScePspKeyMesh *mesh) { <br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp;0xFF;<br /> fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuseid[3] = g_fuse94 &amp;0xFF;<br /> fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times to obtain the three 0x10-byte parts of the key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)mesh + i * 0x10, subkey_2, 0x10); // aes128cbc_key_1, then aes128cbc_key_2, then derivation_key<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> <br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> == ScePspIndividualSeed ==<br /> <br /> There is a 0x40-byte buffer, named here &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;, used in both PSP flashData.prx and in PS Vita cmep keyrings 0x601 and 0x602 (in endian-swapped fashion). It differs slightly from the key mesh described above: it holds the values from before the derivation_key is applied.<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. 
The base per-console seed is the Fuse ID (6 bytes), which is transformed into &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 derivation_seed_0[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_seed_1[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_key[0x10]; // key used to derive final keys from seed_0 and seed_1<br /> SceUInt8 fuse_id[8]; // endianness to precise<br /> SceUInt8 reserved[4]; // could be arbitrary but in practice always zeroed<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate ScePspIndividualSeed, execute the following code.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_seed_hash(ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> uint uVar2;<br /> int iVar3;<br /> byte *pbVar4;<br /> uint uVar5;<br /> uint uVar6;<br /> byte *pbVar7;<br /> uint uVar8;<br /> byte bVar9;<br /> int idx;<br /> int offset;<br /> byte *pbVar11;<br /> byte local_60 [80];<br /> byte m [16];<br /> uint uVar10;<br /> <br /> pbVar11 = local_60;<br /> m[0] = 1;<br /> m[1] = 0xf;<br /> m[2] = 0x36;<br /> m[3] = 0x78;<br /> m[4] = 0x40;<br /> <br /> offset = 0;<br /> do {<br /> pbVar4 = individual_seed + offset;<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar4;<br /> } while (offset &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do {<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> offset = 0;<br /> do {<br /> bVar1 = *pbVar11;<br /> <br /> idx = 0;<br /> do {<br /> uVar8 = (uint)m[idx];<br /> iVar3 = idx + 0x40;<br /> uVar10 = 0;<br /> bVar9 = 0;<br /> uVar2 = (uint)bVar1;<br /> while (uVar8 != 0) {<br /> uVar6 = uVar2 
&lt;&lt; 1;<br /> uVar5 = uVar8 &amp; 1;<br /> uVar8 = (int)uVar8 &gt;&gt; 1;<br /> if (uVar5 != 0) {<br /> uVar10 = uVar10 ^ uVar2;<br /> }<br /> bVar9 = (byte)uVar10;<br /> uVar2 = uVar6;<br /> if ((uVar6 &amp; 0x100) != 0)<br /> uVar2 = uVar6 ^ 0x11d;<br /> }<br /> idx = idx + 1;<br /> local_60[iVar3] = bVar9;<br /> } while (idx &lt; 5);<br /> <br /> idx = 0;<br /> do {<br /> pbVar7 = pbVar11 + idx;<br /> iVar3 = idx + 0x40;<br /> idx = idx + 1;<br /> *pbVar7 = *pbVar7 ^ local_60[iVar3];<br /> } while (idx &lt; 5);<br /> <br /> idx = offset + 1;<br /> pbVar11 = local_60 + offset + 1;<br /> offset = idx;<br /> } while (idx &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do {<br /> pbVar11 = local_60 + offset;<br /> pbVar7 = individual_seed + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar11;<br /> *pbVar11 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> return;<br /> }<br /> <br /> typedef struct {<br /> unsigned char buf1[8]; // 0<br /> unsigned char buf2[8]; // 8<br /> unsigned char buf3[8]; // 0x10<br /> } SomeStructure;<br /> <br /> uint gen_psp_individual_seed(SomeStructure *ss, byte *data_for_0x38, ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> byte *dst;<br /> int idx;<br /> int j;<br /> byte *src;<br /> byte subkey_2[16];<br /> byte subkey_1[16];<br /> uint ctx[64];<br /> uint ctx2[64];<br /> <br /> AES_set_encrypt_key_2(g_ids_master_key, 128, ctx); // set g_ids_master_key as AES key<br /> AES_set_decrypt_key_2(g_ids_master_key, 128, ctx2); // set g_ids_master_key as AES key<br /> <br /> idx = 0; // initialize the subkeys using the Fuse ID<br /> do {<br /> bVar1 = ss[idx + ((int)(idx + ((uint)(idx &gt;&gt; 0x1f) &gt;&gt; 0x1d)) &gt;&gt; 3) * -8];<br /> src = subkey_2 + idx;<br /> dst = subkey_1 + idx;<br /> idx = idx + 1;<br /> *src = bVar1;<br /> *dst = bVar1;<br /> } while (idx &lt; 0x10);<br /> <br /> idx = 2; // encrypt first subkey three times, and decrypt second subkey three times<br /> do {<br /> 
AES_encrypt_2(subkey_1, subkey_1, ctx);<br /> idx = idx - 1;<br /> AES_decrypt_2(subkey_2, subkey_2, ctx2);<br /> } while (-1 &lt; idx);<br /> <br /> AES_set_encrypt_key_2(subkey_1, 128, ctx); // set subkey_1 as AES key<br /> <br /> idx = 0; // encrypt three times each one of the three first blocks<br /> do {<br /> j = 2;<br /> do {<br /> j = j - 1;<br /> AES_encrypt_2(subkey_2, subkey_2, ctx);<br /> } while (-1 &lt; j);<br /> dst = individual_seed + idx * 0x10;<br /> j = 0;<br /> do {<br /> src = subkey_2 + j;<br /> j = j + 1;<br /> *dst = *src;<br /> dst = dst + 1;<br /> } while (j &lt; 0x10);<br /> idx = idx + 1;<br /> } while (idx &lt; 3);<br /> <br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> individual_seed.fuse_id[idx] = ss[idx];<br /> idx = j;<br /> } while (j &lt; 8);<br /> <br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> individual_seed.reserved[idx] = data_for_0x38[idx];<br /> idx = j;<br /> } while (j &lt; 4);<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> <br /> return 0;<br /> }<br /> <br /> typedef struct U64 {<br /> unsigned int low;<br /> unsigned int high;<br /> } U64;<br /> <br /> int CreateSomeStructure(SomeStructure *ss) {<br /> U64 fuse_id;<br /> int i;<br /> <br /> memcpy(&amp;fuse_id, &amp;g_fuse_id, 8);<br /> <br /> memset(ss-&gt;buf1, 0, 8);<br /> memset(ss-&gt;buf2, 0xFF, 8);<br /> <br /> memcpy(ss-&gt;buf3, &amp;fuse_id.high, 4);<br /> memcpy(ss-&gt;buf3+4, &amp;fuse_id.low, 4);<br /> <br /> for (i = 0; i &lt; 4; i++) {<br /> ss-&gt;buf1[3-i] = ss-&gt;buf3[i];<br /> ss-&gt;buf1[7-i] = ss-&gt;buf3[4+i];<br /> }<br /> <br /> return 0;<br /> }<br /> <br /> uint gen_psp_individual_seed_helper(ScePspIndividualSeed *individual_seed) {<br /> SomeStructure ss;<br /> CreateSomeStructure(&amp;ss);<br /> int data_for_0x38 = 0;<br /> ScePspIndividualSeed individual_seed;<br /> gen_psp_individual_seed(&amp;ss, &amp;data_for_0x38, individual_seed)<br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> Or the following 
simplified reimplementation.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> extern const u8 g_ids_master_key[0x10]; // static AES key, see the Keys page<br /> <br /> // data_for_0x38: the 4 bytes stored in the reserved field (in practice always zeroed)<br /> void gen_psp_individual_seed(ScePspIndividualSeed *individual_seed, const u8 data_for_0x38[4]) { <br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuse_id[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuse_id[7] = g_fuse90 &amp;0xFF;<br /> fuse_id[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuse_id[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuse_id[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuse_id[3] = g_fuse94 &amp;0xFF;<br /> fuse_id[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuse_id[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuse_id[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, g_ids_master_key, 128); // set g_ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuse_id[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt three times each one of the three first blocks (derivation_seed_0, derivation_seed_1, derivation_key)<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)individual_seed + i * 0x10, subkey_2, 0x10);<br /> }<br /> <br /> for (int idx = 0; idx &lt; 8; idx++) // byte-reversed Fuse ID, as in the decompiled version's ss buffer<br /> individual_seed-&gt;fuse_id[idx] = fuse_id[idx];<br /> <br /> for (int idx = 0; idx &lt; 4; idx++)<br /> individual_seed-&gt;reserved[idx] = data_for_0x38[idx];<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. 
On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? (if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> 
|-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | 
{{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0x0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, ie the devkit's Bootrom. It supposedly can only be run at a very early stage. 
The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check it's non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt body using AES slotted key 0<br /> <br /> == Commands 0x1, 0x2, 0x3 &amp; 0xA: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These commands take very similar inputs, as they all do signature verification and decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 0xA takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. Bytes 0x10..0x60 depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 0x10 || Decryption key, encrypted with another key depending on the command<br /> |-<br /> | 0x10 || 0x50 || Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same key used for the decryption key at 0x00 (see below). It is decrypted using AES-CBC, with the 16 bytes at offset 0x00 used as the IV.<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. Kirk then checks that the data size &amp; offset (at 0x70 and 0x74) didn't change from what was previously read (possibly to avoid the header being overwritten while it is being processed). The value is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. 
Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies that the values at 0x70 and 0x74 didn't change. It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 0xA ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> <br /> - Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> <br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and the keyseed is in the 0x20..0x2f or 0x6c..0x7b range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2f or 0x73..0x7b range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except that they use the per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above; the commands differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 0xB: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 0xC: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 0xD: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 0xE: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 0xF: Seed RNG buffer ==<br /> This function seeds the Kirk 32-byte RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> Its input and output are both 0x1c bytes long:<br /> <br /> * 0x00 - 64-bit counter - increased by 1 in the output<br /> * 0x08 - seed data (0x14 bytes long) - used for seeding as an input, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increment the input counter<br /> # Set the first 0x14 bytes of the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize the 32-byte RNG buffer to two empty words, and two words taken from the input data at offsets 0x00 and 0x04<br /> # Do a reseeding (see below)<br /> # Output the bytes contained in the first 0x14 bytes of the PRNG seed after the reseeding<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt the RNG buffer with the AES per-console key with seed 6<br /> # Set the last half of the PRNG seed (0x14 bytes) to the contents of the RNG buffer<br /> # Regenerate data with the PRNG<br /> The functions requiring random data then use some parts of the PRNG state (&quot;seed&quot; (first 0x28 bytes of the PRNG state) or &quot;result&quot; (last 0x14 bytes of the PRNG state)) as the random data to be used.<br /> <br /> == Command 0x10: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. 
It is used to verify IdStorage IDPS certificates.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), signs the hash with it and outputs the resulting signature.<br /> <br /> == Command 0x11: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature. It is used to verify IdStorage IDPS certificates.<br /> <br /> It produces no output and takes as input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 0x12: verify certificate ==<br /> <br /> This command verifies an AES-CBC-MAC (OMAC1) signature. It is used to verify [[IDStorage#IDStorage_certified_sections|ID Storage certificates]]. 
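As an added illustration of commands 0xD, 0x10 and 0x11 (example code written for this page, not the Kirk ROM's code and not the ecpy sample from the Elliptic curves section): a plain-Python model of the curve arithmetic and of the checks those commands perform, exercised on a small textbook curve (y^2 = x^3 + 2x + 2 over GF(17), generator (5, 1), order 19) where every value can be followed by hand. The same code also reads the constants the page lists for the second curve: the page's &lt;pre&gt; block and its ecpy sample disagree on which 160-bit constant is the field prime p and which is the order n, and resolve_field_prime() settles that by checking which assignment puts G on the curve. Assumptions, also marked in the code: textbook affine Weierstrass formulas, a random nonce in kir_sign-style signing (the page says nothing about how Kirk picks it), and every function and constant name is this example's own.

```python
"""Added example (not from the psdevwiki page nor from the Kirk ROM): a plain-Python
model of the elliptic-curve work behind Kirk commands 0xD, 0x10 and 0x11, plus a
consistency check on the curve constants the page lists for those commands."""
import secrets

# Return codes as listed in the page's "Error codes" section.
KIRK_OK = 0x00
KIRK_ECDSA_DATA_INVALID = 0x05


class Curve:
    """y^2 = x^3 + a*x + b over GF(p); g generates a subgroup of prime order n."""

    def __init__(self, p, a, b, g, n):
        self.p, self.a, self.b, self.g, self.n = p, a % p, b % p, g, n

    def is_on_curve(self, pt):
        x, y = pt
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Affine point addition; None stands for the point at infinity."""
        if P is None:
            return Q
        if Q is None:
            return P
        p, (x1, y1), (x2, y2) = self.p, P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                     # Q == -P
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k, P):
        """Double-and-add scalar multiplication: the kP that command 0xD returns."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def private_key_ok(curve, d):
    """Command 0x10's check on the decrypted scalar: non-zero and below the order."""
    return 0 < d < curve.n


def kirk_sign(curve, d, digest, k=None):
    """Model of command 0x10 on an already decrypted private key d; returns r || s.

    The nonce k is drawn at random when not given: the page does not say how Kirk
    derives it, so that part is an assumption of this example."""
    if not private_key_ok(curve, d):
        raise ValueError("private key must be in 1..n-1")
    n, e = curve.n, int.from_bytes(digest, "big")
    while True:
        nonce = k if k is not None else secrets.randbelow(n - 1) + 1
        r = curve.mul(nonce, curve.g)[0] % n
        s = pow(nonce, -1, n) * (e + r * d) % n
        if r and s:
            return r.to_bytes(20, "big") + s.to_bytes(20, "big")
        k = None                                            # degenerate nonce: redraw


def kirk_verify(curve, pub, digest, sig):
    """Model of command 0x11: KIRK_OK or KIRK_ECDSA_DATA_INVALID."""
    n = curve.n
    r, s = int.from_bytes(sig[:20], "big"), int.from_bytes(sig[20:40], "big")
    if not (0 < r < n and 0 < s < n and curve.is_on_curve(pub)):
        return KIRK_ECDSA_DATA_INVALID
    e, w = int.from_bytes(digest, "big"), pow(s, -1, n)
    R = curve.add(curve.mul(e * w % n, curve.g), curve.mul(r * w % n, pub))
    return KIRK_OK if R is not None and R[0] % n == r else KIRK_ECDSA_DATA_INVALID


def kirk_cmd11(curve, buf):
    """Unpack the 0x64-byte command 0x11 input laid out on the page and verify it."""
    if len(buf) != 0x64:
        return KIRK_ECDSA_DATA_INVALID
    pub = (int.from_bytes(buf[0x00:0x14], "big"), int.from_bytes(buf[0x14:0x28], "big"))
    return kirk_verify(curve, pub, buf[0x28:0x3C], buf[0x3C:0x64])


# Constants the page lists for the curve of commands 0xC/0xD/0xE/0x10/0x11. Its
# <pre> block and its ecpy sample disagree on which of the two 160-bit constants
# below is the field prime p and which is the order n; the curve equation decides.
PSP_G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
         0x5958557EB1DB001260425524DBC379D5AC5F4ADF)
PSP_B = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B
PSP_CANDIDATES = (0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,
                  0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF)


def resolve_field_prime():
    """Return the candidate p under which G satisfies y^2 = x^3 - 3x + b, or None."""
    hits = [c for c in PSP_CANDIDATES if Curve(c, -3, PSP_B, PSP_G, 1).is_on_curve(PSP_G)]
    return hits[0] if len(hits) == 1 else None
```

Calling resolve_field_prime() tells which of the two listed constants the generator actually lies under; anyone copying the page's constants into their own tooling should run that check before trusting either listing, since a swapped p and n gives code that silently verifies nothing.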
<br /> <br /> This command has no output.<br /> <br /> It takes as input an [[IDStorage#IDStorage_certified_sections|ID Storage certificate]] read from [[IDStorage]].<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct kirk_command_0x12_input{<br /> ids_cert_psp certificate;<br /> } kirk_command_0x12_input;<br /> &lt;/source&gt;<br /> <br /> It uses the per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. 
(See above for details.)<br /> * Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12421 Kirk 2024-01-18T22:24:15Z <p>CelesteBlue: /* Command 0x12: verify certificate */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base address 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). It is capable of performing AES encryption, decryption, SHA1 Hash, pseudo random number generation, and signature generation and verification (ECDSA) and CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, contrary to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/0xA ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 0xA.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands allow operations with any public key. 
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert(crv1.mul_point(crv1.generator, 
0xF392E26490B80FD889F2D9722C1F34D7274F983D) == pt1)<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (one per coordinate), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30-byte buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> void gen_psp_individual_seed(ScePspKeyMesh *seed) { // writes the 0x30-byte key mesh into *seed<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp;0xFF;<br /> fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuseid[3] = g_fuse94 &amp;0xFF;<br /> fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times to obtain the three 0x10-byte parts of the key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed: (seed / 2) + 2 times in total<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> == ScePspIndividualSeed ==<br /> <br /> There is a 0x40-byte buffer, named here &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;, used in both PSP flashData.prx and in PS Vita cmep keyrings 0x601 and 0x602 (in endian swapped fashion). It is slightly different from the mesh buffer described above: it is the state before the derivation_key is applied.<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. 
The base per-console seed is the Fuse ID (6 bytes), which is transformed into &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 derivation_seed_0[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_seed_1[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_key[0x10]; // key used to derive final keys from seed_0 and seed_1<br /> SceUInt8 fuse_id[8]; // endianness still to be determined<br /> SceUInt8 reserved[4]; // could be arbitrary but in practice always zeroed<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate ScePspIndividualSeed, execute the following code.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_seed_hash(ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> uint uVar2;<br /> int iVar3;<br /> byte *pbVar4;<br /> uint uVar5;<br /> uint uVar6;<br /> byte *pbVar7;<br /> uint uVar8;<br /> byte bVar9;<br /> int idx;<br /> int offset;<br /> byte *pbVar11;<br /> byte local_60 [80];<br /> byte m [16];<br /> uint uVar10;<br /> <br /> pbVar11 = local_60;<br /> m[0] = 1; // GF(2^8) multipliers applied to each input byte (only m[0..4] are used)<br /> m[1] = 0xf;<br /> m[2] = 0x36;<br /> m[3] = 0x78;<br /> m[4] = 0x40;<br /> <br /> offset = 0; // copy the first 0x3c bytes of the structure into the work buffer<br /> do {<br /> pbVar4 = (byte *)individual_seed + offset;<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar4;<br /> } while (offset &lt; 0x3c);<br /> <br /> offset = 0x3c; // the 4 hash bytes start out zeroed<br /> do {<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> offset = 0;<br /> do {<br /> bVar1 = *pbVar11;<br /> <br /> idx = 0;<br /> do {<br /> uVar8 = (uint)m[idx];<br /> iVar3 = idx + 0x40;<br /> uVar10 = 0;<br /> bVar9 = 0;<br /> uVar2 = (uint)bVar1;<br /> while (uVar8 != 0) { // multiply bVar1 by m[idx] in GF(2^8), reduction polynomial 0x11d<br /> uVar6 = uVar2 
&lt;&lt; 1;<br /> uVar5 = uVar8 &amp; 1;<br /> uVar8 = (int)uVar8 &gt;&gt; 1;<br /> if (uVar5 != 0) {<br /> uVar10 = uVar10 ^ uVar2;<br /> }<br /> bVar9 = (byte)uVar10;<br /> uVar2 = uVar6;<br /> if ((uVar6 &amp; 0x100) != 0)<br /> uVar2 = uVar6 ^ 0x11d;<br /> }<br /> idx = idx + 1;<br /> local_60[iVar3] = bVar9;<br /> } while (idx &lt; 5);<br /> <br /> idx = 0; // XOR the 5 products into the current byte and the 4 following ones<br /> do {<br /> pbVar7 = pbVar11 + idx;<br /> iVar3 = idx + 0x40;<br /> idx = idx + 1;<br /> *pbVar7 = *pbVar7 ^ local_60[iVar3];<br /> } while (idx &lt; 5);<br /> <br /> idx = offset + 1;<br /> pbVar11 = local_60 + offset + 1;<br /> offset = idx;<br /> } while (idx &lt; 0x3c);<br /> <br /> offset = 0x3c; // write back the 4 resulting hash bytes<br /> do {<br /> pbVar11 = local_60 + offset;<br /> pbVar7 = (byte *)individual_seed + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar11;<br /> *pbVar11 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> return;<br /> }<br /> <br /> typedef struct {<br /> unsigned char buf1[8]; // 0<br /> unsigned char buf2[8]; // 8<br /> unsigned char buf3[8]; // 0x10<br /> } SomeStructure;<br /> <br /> uint gen_psp_individual_seed(SomeStructure *ss, byte *data_for_0x38, ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> byte *dst;<br /> int idx;<br /> int j;<br /> byte *src;<br /> byte subkey_2[16];<br /> byte subkey_1[16];<br /> uint ctx[64];<br /> uint ctx2[64];<br /> <br /> AES_set_encrypt_key_2(g_ids_master_key, 128, ctx); // set g_ids_master_key as AES key<br /> AES_set_decrypt_key_2(g_ids_master_key, 128, ctx2); // set g_ids_master_key as AES key<br /> <br /> idx = 0; // initialize the subkeys using the Fuse ID (ss-&gt;buf1, repeated twice)<br /> do {<br /> bVar1 = ((byte *)ss)[idx % 8]; // the decompiled index expression computes idx - 8 * (idx / 8)<br /> src = subkey_2 + idx;<br /> dst = subkey_1 + idx;<br /> idx = idx + 1;<br /> *src = bVar1;<br /> *dst = bVar1;<br /> } while (idx &lt; 0x10);<br /> <br /> idx = 2; // encrypt first subkey three times, and decrypt second subkey three times<br /> do {<br /> 
AES_encrypt_2(subkey_1, subkey_1, ctx);<br /> idx = idx - 1;<br /> AES_decrypt_2(subkey_2, subkey_2, ctx2);<br /> } while (-1 &lt; idx);<br /> <br /> AES_set_encrypt_key_2(subkey_1, 128, ctx); // set subkey_1 as AES key<br /> <br /> idx = 0; // encrypt three times each one of the three first blocks<br /> do {<br /> j = 2;<br /> do {<br /> j = j - 1;<br /> AES_encrypt_2(subkey_2, subkey_2, ctx);<br /> } while (-1 &lt; j);<br /> dst = (byte *)individual_seed + idx * 0x10;<br /> j = 0;<br /> do {<br /> src = subkey_2 + j;<br /> j = j + 1;<br /> *dst = *src;<br /> dst = dst + 1;<br /> } while (j &lt; 0x10);<br /> idx = idx + 1;<br /> } while (idx &lt; 3);<br /> <br /> idx = 0; // copy the (byte-reversed) Fuse ID at offset 0x30<br /> do {<br /> j = idx + 1;<br /> individual_seed-&gt;fuse_id[idx] = ((byte *)ss)[idx];<br /> idx = j;<br /> } while (j &lt; 8);<br /> <br /> idx = 0; // reserved bytes at offset 0x38<br /> do {<br /> j = idx + 1;<br /> individual_seed-&gt;reserved[idx] = data_for_0x38[idx];<br /> idx = j;<br /> } while (j &lt; 4);<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> <br /> return 0;<br /> }<br /> <br /> typedef struct U64 {<br /> unsigned int low;<br /> unsigned int high;<br /> } U64;<br /> <br /> int CreateSomeStructure(SomeStructure *ss) {<br /> U64 fuse_id;<br /> int i;<br /> <br /> memcpy(&amp;fuse_id, &amp;g_fuse_id, 8);<br /> <br /> memset(ss-&gt;buf1, 0, 8);<br /> memset(ss-&gt;buf2, 0xFF, 8);<br /> <br /> memcpy(ss-&gt;buf3, &amp;fuse_id.high, 4);<br /> memcpy(ss-&gt;buf3+4, &amp;fuse_id.low, 4);<br /> <br /> for (i = 0; i &lt; 4; i++) { // buf1 is buf3 with each 4-byte half byte-reversed<br /> ss-&gt;buf1[3-i] = ss-&gt;buf3[i];<br /> ss-&gt;buf1[7-i] = ss-&gt;buf3[4+i];<br /> }<br /> <br /> return 0;<br /> }<br /> <br /> uint gen_psp_individual_seed_helper(ScePspIndividualSeed *individual_seed) {<br /> SomeStructure ss;<br /> byte data_for_0x38[4] = {0, 0, 0, 0}; // reserved bytes are zero in practice<br /> CreateSomeStructure(&amp;ss);<br /> gen_psp_individual_seed(&amp;ss, data_for_0x38, individual_seed);<br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> Or the following 
simplified reimplementation.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_seed(ScePspIndividualSeed *individual_seed) { <br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuse_id[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuse_id[7] = g_fuse90 &amp;0xFF;<br /> fuse_id[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuse_id[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuse_id[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuse_id[3] = g_fuse94 &amp;0xFF;<br /> fuse_id[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuse_id[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuse_id[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, g_ids_master_key, 128); // set g_ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuse_id[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt three times each one of the three first blocks<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)individual_seed + i * 0x10, subkey_2, 0x10);<br /> }<br /> <br /> for (int idx = 0; idx &lt; 8; idx++) // same byte-reversed Fuse ID as above, at offset 0x30<br /> individual_seed-&gt;fuse_id[idx] = fuse_id[idx];<br /> <br /> for (int idx = 0; idx &lt; 4; idx++) // reserved bytes at offset 0x38 are zero in practice<br /> individual_seed-&gt;reserved[idx] = 0;<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. 
On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? (if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> 
|-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | 
{{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0x0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, ie the devkit's Bootrom. It supposedly can only be run at a very early stage. 
The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check it's non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt body using AES slotted key 0<br /> <br /> == Commands 0x1, 0x2, 0x3 &amp; 0xA: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These commands take very similar inputs, as they all do signature verification and, except for command 0xA, decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 0xA takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The bytes at 0x10..0x60 depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> |0x00<br /> |0x10<br /> |Decryption key, encrypted with another key depending on the command<br /> |-<br /> |0x10<br /> |0x50<br /> |Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same as the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. Kirk then checks the data size &amp; offset (at 0x70 and 0x74) didn't change from what was previously read (possibly to avoid data being overwritten while being processed). The value is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. 
Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies values at 0x70 and 0x74 didn't change. It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 0xA ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> <br /> - Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> <br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and keyseed is in the 0x20..0x2f or 0x6c..0x7b range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2f or 0x73..0x7b range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except that they use the per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above; they differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 0xB: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 0xC: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 0xD: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 0xE: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 0xF: Seed RNG buffer ==<br /> This function seeds the Kirk 32-byte RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> It takes as an input and output data of size 0x1c:<br /> <br /> * 0x00 - 64-bit counter - increased by 1 in the output<br /> * 0x08 - seed data (0x14 bytes long) - used for seeding as an input, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increment the input counter<br /> # Set the first 0x14 bytes of the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize the 32-byte RNG buffer to two empty words, and two words taken from the input data at offsets 0x00 and 0x04<br /> # Do a reseeding (see below)<br /> # Output the bytes contained in the first 0x14 bytes of the PRNG seed after the reseeding<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt RNG buffer with AES per-console key with seed 6<br /> # Set the last half of the PRNG seed (0x14 bytes) to the contents of the RNG buffer<br /> # Regenerate data with the PRNG<br /> The functions requiring random data then use some parts of the PRNG state (&quot;seed&quot; (first 0x28 bytes of the PRNG state) or &quot;result&quot; (last 0x14 bytes of the PRNG state)) as random data to be used.<br /> <br /> == Command 0x10: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. 
It is used to verify IdStorage IDPS certificates.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 0x11: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature. It is used to verify IdStorage IDPS certificates.<br /> <br /> It takes no output, and takes as an input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 0x12: verify certificate ==<br /> <br /> This command verifies an AES-CBC-MAC (OMAC1) signature. It is used to verify IdStorage IDPS certificates. <br /> <br /> This command has no output.<br /> <br /> It takes as input a &lt;code&gt;ids_cert_psp&lt;/code&gt; certificate read from [[IDStorage]].<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ECDSA160_signature { // size is 0x28<br /> unsigned char r[0x14];<br /> unsigned char s[0x14];<br /> } ECDSA160_signature;<br /> <br /> typedef struct ids_cert_main_psp { // size is 0xA8<br /> char data[0x10];<br /> char pub_key[0x28]; // ?generated using Kirk command 0xC? 
sent to Kirk command 0x11 for verification<br /> ECDSA160_signature signature;<br /> char constant_pub_key[0x28]; // hardcoded constant, same in all PSP consoles but depends on the certificate index in ID Storage<br /> char enc_priv_key[0x20]; // decrypted and verified by Kirk command 0x10<br /> } ids_cert_main_psp;<br /> <br /> typedef struct ids_cert_psp { // size is 0xB8<br /> ids_cert_main_psp cert_data; // data input for generating enc_aes_cmac_hash<br /> char aes_cmac[0x10]; // verified by Kirk command 0x12<br /> } ids_cert_psp;<br /> <br /> typedef struct kirk_command_0x12_input {<br /> ids_cert_psp certificate;<br /> } kirk_command_0x12_input;<br /> &lt;/source&gt;<br /> <br /> It uses per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. 
(See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12420 Kirk 2024-01-18T22:11:13Z <p>CelesteBlue: /* Command 0x11: ECDSA signature verification */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base of 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). It is capable of performing AES encryption, decryption, SHA1 Hash, pseudo random number generation, and signature generation and verifications (ECDSA) and CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be used using the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, contrary to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form over the same 160-bit prime field p; they differ in b and in the group order n.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/0xA ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 0xA.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands allow operations with any public key. 
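The following Python is an added example (not from the wiki and not Kirk's own code) that needs no ecpy: it checks that each generator and hardcoded public key given in this section lies on its curve and that n is the order of G, then models commands 0x10 and 0x11 from the Commands section above over the second curve. It assumes p is the field prime shared by both curves and n the per-curve order (as in the ecpy sample in the Code sample subsection); the private key, nonce and message are constructed, and Kirk's wrapping of the private key with the per-console key (seed 3) is not modelled.

```python
"""ECDSA on the PSP Kirk curves, modelling commands 0xC, 0xD, 0x10 and 0x11.
Added example, not from the wiki or Kirk's ROM. p is the shared field prime,
n the per-curve order (as in the ecpy sample); key and message are constructed.
"""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF  # field prime, common to both curves
A = P - 3                                       # a = -3 mod p
KIRK_ECDSA_DATA_INVALID = 0x05                  # from the error code list

# (b, n, G, hardcoded public key) with the values listed on this page
CURVE_CMD1 = (0x65D1488C0359E234ADC95BD3908014BD91A525F9,
              0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,
              (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),
              (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39))
CURVE_OTHER = (0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,
               0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,
               (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),
               (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87))


def on_curve(pt, b):
    """True if pt (None = point at infinity) satisfies y^2 = x^3 + a*x + b mod p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; the formulas do not depend on b."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                         # P + (-P) = point at infinity
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (what command 0xD computes)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def check_curve(curve):
    """G and the hardcoded public key lie on the curve, and n*G is infinity."""
    b, n, g, pub = curve
    return on_curve(g, b) and on_curve(pub, b) and ec_mul(n, g) is None


def kirk_0x10_sign(priv, digest, curve=CURVE_OTHER, nonce=None):
    """Sign a 0x14-byte hash, returning r||s (0x28 bytes) like command 0x10.
    Kirk draws the nonce from its PRNG; here secrets supplies it unless given."""
    _, n, g, _ = curve
    if not 0 < priv < n:                        # the scalar check command 0x10 performs
        raise ValueError("private scalar must be non-zero and below the curve order")
    e = int.from_bytes(digest, "big") % n
    while True:
        k = nonce or (secrets.randbelow(n - 1) + 1)
        r = ec_mul(k, g)[0] % n
        s = pow(k, -1, n) * (e + r * priv) % n
        if r and s:
            return r.to_bytes(0x14, "big") + s.to_bytes(0x14, "big")
        nonce = None                            # degenerate nonce: draw a fresh one


def kirk_0x11_verify(inbuf, curve=CURVE_OTHER):
    """Verify the 0x64-byte command 0x11 input: pubkey(0x28)|hash(0x14)|r(0x14)|s(0x14).
    Returns 0 on success and KIRK_ECDSA_DATA_INVALID otherwise, like the command."""
    b, n, g, _ = curve
    if len(inbuf) != 0x64:
        return KIRK_ECDSA_DATA_INVALID
    def field(lo, hi): return int.from_bytes(inbuf[lo:hi], "big")
    pub = (field(0x00, 0x14), field(0x14, 0x28))
    e, r, s = field(0x28, 0x3C) % n, field(0x3C, 0x50), field(0x50, 0x64)
    if not (0 < r < n and 0 < s < n and on_curve(pub, b)):
        return KIRK_ECDSA_DATA_INVALID
    w = pow(s, -1, n)
    pt = ec_add(ec_mul(e * w % n, g), ec_mul(r * w % n, pub))
    return 0 if pt is not None and pt[0] % n == r else KIRK_ECDSA_DATA_INVALID


def demo():
    """Constructed key pair (as command 0xC would output) round-tripped through 0x10/0x11."""
    g = CURVE_OTHER[2]
    priv = 0x1234567890ABCDEF1234567890ABCDEF12345678    # constructed, not a real key
    pub = ec_mul(priv, g)
    pubkey = pub[0].to_bytes(0x14, "big") + pub[1].to_bytes(0x14, "big")
    digest = hashlib.sha1(b"constructed IDStorage certificate body").digest()
    sig = kirk_0x10_sign(priv, digest)
    tampered = bytes([digest[0] ^ 0x01]) + digest[1:]   # one bit of the hash flipped
    return kirk_0x11_verify(pubkey + digest + sig), kirk_0x11_verify(pubkey + tampered + sig)
```

Running `demo()` returns `(0, 5)`: the genuine buffer verifies and the tampered one yields KIRK_ECDSA_DATA_INVALID.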
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xb
c660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key (ecpy's mul_point takes the scalar first, then the point)<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert(crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1)<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (for both coordinates), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30-byte buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> // ids_master_key is the 16-byte AES master key (not defined here)<br /> void gen_psp_individual_seed(ScePspKeyMesh *seed) { // fills the key mesh pointed to by seed<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp; 0xFF;<br /> fuseid[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuseid[3] = g_fuse94 &amp; 0xFF;<br /> fuseid[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times to obtain the three 0x10-byte blocks of the key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10); // byte offset into the struct, not a struct index<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> <br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> == ScePspIndividualSeed ==<br /> <br /> There is a 0x40-byte buffer, named here &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;, used in both PSP flashData.prx and in PS Vita cmep keyrings 0x601 and 0x602 (in endian swapped fashion). It differs slightly from the key mesh described above: it is the state before the derivation_key is applied.<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. 
The base per-console seed is the Fuse ID (6 bytes), which is transformed into &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 derivation_seed_0[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_seed_1[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_key[0x10]; // key used to derive final keys from seed_0 and seed_1<br /> SceUInt8 fuse_id[8]; // endianness to be specified<br /> SceUInt8 reserved[4]; // could be arbitrary but in practice always zeroed<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate ScePspIndividualSeed, execute the following code.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_seed_hash(ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> uint uVar2;<br /> int iVar3;<br /> byte *pbVar4;<br /> uint uVar5;<br /> uint uVar6;<br /> byte *pbVar7;<br /> uint uVar8;<br /> byte bVar9;<br /> int idx;<br /> int offset;<br /> byte *pbVar11;<br /> byte local_60 [80];<br /> byte m [16];<br /> uint uVar10;<br /> <br /> pbVar11 = local_60;<br /> m[0] = 1;<br /> m[1] = 0xf;<br /> m[2] = 0x36;<br /> m[3] = 0x78;<br /> m[4] = 0x40;<br /> <br /> offset = 0;<br /> do { // copy the first 0x3c bytes of the seed into the work buffer<br /> pbVar4 = (byte *)individual_seed + offset;<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar4;<br /> } while (offset &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do {<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> offset = 0;<br /> do {<br /> bVar1 = *pbVar11;<br /> <br /> idx = 0;<br /> do { // GF(2^8) multiplication of the current byte by m[idx], reduction polynomial 0x11d<br /> uVar8 = (uint)m[idx];<br /> iVar3 = idx + 0x40;<br /> uVar10 = 0;<br /> bVar9 = 0;<br /> uVar2 = (uint)bVar1;<br /> while (uVar8 != 0) {<br /> uVar6 = uVar2 
&lt;&lt; 1;<br /> uVar5 = uVar8 &amp; 1;<br /> uVar8 = (int)uVar8 &gt;&gt; 1;<br /> if (uVar5 != 0) {<br /> uVar10 = uVar10 ^ uVar2;<br /> }<br /> bVar9 = (byte)uVar10;<br /> uVar2 = uVar6;<br /> if ((uVar6 &amp; 0x100) != 0)<br /> uVar2 = uVar6 ^ 0x11d;<br /> }<br /> idx = idx + 1;<br /> local_60[iVar3] = bVar9;<br /> } while (idx &lt; 5);<br /> <br /> idx = 0;<br /> do {<br /> pbVar7 = pbVar11 + idx;<br /> iVar3 = idx + 0x40;<br /> idx = idx + 1;<br /> *pbVar7 = *pbVar7 ^ local_60[iVar3];<br /> } while (idx &lt; 5);<br /> <br /> idx = offset + 1;<br /> pbVar11 = local_60 + offset + 1;<br /> offset = idx;<br /> } while (idx &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do {<br /> pbVar11 = local_60 + offset;<br /> pbVar7 = individual_seed + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar11;<br /> *pbVar11 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> return;<br /> }<br /> <br /> typedef struct {<br /> unsigned char buf1[8]; // 0<br /> unsigned char buf2[8]; // 8<br /> unsigned char buf3[8]; // 0x10<br /> } SomeStructure;<br /> <br /> uint gen_psp_individual_seed(SomeStructure *ss, byte *data_for_0x38, ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> byte *dst;<br /> int idx;<br /> int j;<br /> byte *src;<br /> byte subkey_2[16];<br /> byte subkey_1[16];<br /> uint ctx[64];<br /> uint ctx2[64];<br /> <br /> AES_set_encrypt_key_2(g_ids_master_key, 128, ctx); // set g_ids_master_key as AES key<br /> AES_set_decrypt_key_2(g_ids_master_key, 128, ctx2); // set g_ids_master_key as AES key<br /> <br /> idx = 0; // initialize the subkeys using the Fuse ID<br /> do {<br /> bVar1 = ss[idx + ((int)(idx + ((uint)(idx &gt;&gt; 0x1f) &gt;&gt; 0x1d)) &gt;&gt; 3) * -8];<br /> src = subkey_2 + idx;<br /> dst = subkey_1 + idx;<br /> idx = idx + 1;<br /> *src = bVar1;<br /> *dst = bVar1;<br /> } while (idx &lt; 0x10);<br /> <br /> idx = 2; // encrypt first subkey three times, and decrypt second subkey three times<br /> do {<br /> 
AES_encrypt_2(subkey_1, subkey_1, ctx);<br /> idx = idx - 1;<br /> AES_decrypt_2(subkey_2, subkey_2, ctx2);<br /> } while (-1 &lt; idx);<br /> <br /> AES_set_encrypt_key_2(subkey_1, 128, ctx); // set subkey_1 as AES key<br /> <br /> idx = 0; // encrypt three times each one of the three first blocks<br /> do {<br /> j = 2;<br /> do {<br /> j = j - 1;<br /> AES_encrypt_2(subkey_2, subkey_2, ctx);<br /> } while (-1 &lt; j);<br /> dst = individual_seed + idx * 0x10;<br /> j = 0;<br /> do {<br /> src = subkey_2 + j;<br /> j = j + 1;<br /> *dst = *src;<br /> dst = dst + 1;<br /> } while (j &lt; 0x10);<br /> idx = idx + 1;<br /> } while (idx &lt; 3);<br /> <br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> individual_seed.fuse_id[idx] = ss[idx];<br /> idx = j;<br /> } while (j &lt; 8);<br /> <br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> individual_seed.reserved[idx] = data_for_0x38[idx];<br /> idx = j;<br /> } while (j &lt; 4);<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> <br /> return 0;<br /> }<br /> <br /> typedef struct U64 {<br /> unsigned int low;<br /> unsigned int high;<br /> } U64;<br /> <br /> int CreateSomeStructure(SomeStructure *ss) {<br /> U64 fuse_id;<br /> int i;<br /> <br /> memcpy(&amp;fuse_id, &amp;g_fuse_id, 8);<br /> <br /> memset(ss-&gt;buf1, 0, 8);<br /> memset(ss-&gt;buf2, 0xFF, 8);<br /> <br /> memcpy(ss-&gt;buf3, &amp;fuse_id.high, 4);<br /> memcpy(ss-&gt;buf3+4, &amp;fuse_id.low, 4);<br /> <br /> for (i = 0; i &lt; 4; i++) {<br /> ss-&gt;buf1[3-i] = ss-&gt;buf3[i];<br /> ss-&gt;buf1[7-i] = ss-&gt;buf3[4+i];<br /> }<br /> <br /> return 0;<br /> }<br /> <br /> uint gen_psp_individual_seed_helper(ScePspIndividualSeed *individual_seed) {<br /> SomeStructure ss;<br /> CreateSomeStructure(&amp;ss);<br /> int data_for_0x38 = 0;<br /> ScePspIndividualSeed individual_seed;<br /> gen_psp_individual_seed(&amp;ss, &amp;data_for_0x38, individual_seed)<br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> Or the following 
simplified reimplementation.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_seed(ScePspIndividualSeed *individual_seed) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuse_id[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuse_id[7] = g_fuse90 &amp; 0xFF;<br /> fuse_id[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuse_id[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuse_id[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuse_id[3] = g_fuse94 &amp; 0xFF;<br /> fuse_id[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuse_id[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuse_id[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, g_ids_master_key, 128); // set g_ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuse_id[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 three more times for each of the three first 0x10-byte blocks<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)individual_seed + i * 0x10, subkey_2, 0x10); // derivation_seed_0, derivation_seed_1, derivation_key<br /> }<br /> <br /> for (i = 0; i &lt; 8; i++) // byte-reversed Fuse ID (buf1 of SomeStructure in the decompiled version)<br /> individual_seed-&gt;fuse_id[i] = fuse_id[i];<br /> <br /> for (i = 0; i &lt; 4; i++) // data_for_0x38 in the decompiled version, zero in practice<br /> individual_seed-&gt;reserved[i] = 0;<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. 
On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? (if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> 
|-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | 
{{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0x0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, ie the devkit's Bootrom. It supposedly can only be run at a very early stage. 
The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check it's non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt body using AES slotted key 0<br /> <br /> == Commands 0x1, 0x2, 0x3 &amp; 0xA: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These three functions take very similar inputs, as they all do signature verification and decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 0xA takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The 0x10..0x60 bytes depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> |0x00<br /> |0x10<br /> |Decryption key, encrypted with another key depending on the command<br /> |-<br /> |0x10<br /> |0x50<br /> |Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if the block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same as the one used for the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. Kirk then checks that the data size &amp; offset (at 0x70 and 0x74) didn't change from what was previously read (possibly to avoid data being overwritten while being processed). The value is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. 
Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies that the values at 0x70 and 0x74 didn't change. It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 0xA ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> <br /> - Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> <br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt it<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and keyseed is in the 0x20..0x2f or 0x6c, 0x7b range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2f or 0x73..0x7b range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except it uses per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above, but differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 0xB: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 0xC: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 0xD: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 0xE: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 0xF: Seed RNG buffer ==<br /> This function seeds the Kirk 32-byte RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> It takes input and output data of size 0x1C:<br /> <br /> * 0x00 - 64-bit counter - increased by 1 in the output<br /> * 0x08 - seed data (0x14 bytes long) - used for seeding as an input, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increment the input counter<br /> # Set the first 0x14 bytes of the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize the 32-byte RNG buffer to two empty words, and two words taken from the input data at offsets 0x00 and 0x04<br /> # Do a reseeding (see below)<br /> # Output the bytes contained in the first 0x14 bytes of the PRNG seed after the reseeding<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt the RNG buffer with the AES per-console key with seed 6<br /> # Set the last half of the PRNG seed (0x14 bytes) to the contents of the RNG buffer<br /> # Regenerate data with the PRNG<br /> The functions requiring random data then use some parts of the PRNG state (&quot;seed&quot; (first 0x28 bytes of the PRNG state) or &quot;result&quot; (last 0x14 bytes of the PRNG state)) as random data to be used.<br /> <br /> == Command 0x10: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. 
It is used to verify IdStorage IDPS certificates.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 0x11: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature. It is used to verify IdStorage IDPS certificates.<br /> <br /> It takes no output, and takes as an input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 0x12: verify certificate ==<br /> <br /> This command has no output.<br /> <br /> It takes as an input a 0xB8-long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. 
(unused here)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> It verifies the AES CMAC of the header using the per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. (See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12410 Kirk 2024-01-18T00:15:21Z <p>CelesteBlue: /* 0x40-byte buffer */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base address 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). 
It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo-random number generation, signature generation and verification (ECDSA), and CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, contrary to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form. Both curves share the same prime field p and differ in their generator, order and b parameter (the listings below match the 'field' and 'order' values of the code sample further down).<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/0xA ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 0xA.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands can be used with any public key. 
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> # hardcoded public keys (Point() checks that they lie on the curve)<br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key: mul_point(k, P) returns k*P<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (one per coordinate), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30-byte buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code. It uses the rijndael AES primitives of libkirk; ids_master_key is the Kirk IDS master key, whose value is not given here.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> #include &lt;string.h&gt;<br /> <br /> extern const u8 ids_master_key[0x10]; // Kirk IDS master key<br /> <br /> void gen_psp_key_mesh(ScePspKeyMesh *mesh) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(volatile u32 *)0xBC100090;<br /> u32 g_fuse94 = *(volatile u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp; 0xFF;<br /> fuseid[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuseid[3] = g_fuse94 &amp; 0xFF;<br /> fuseid[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times to obtain the three 0x10-byte fields of the key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)mesh + i * 0x10, subkey_2, 0x10);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed, using the derivation key<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> == ScePspIndividualSeed ==<br /> <br /> There is a 0x40-byte buffer, named here &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;, used in both PSP flashData.prx and in PS Vita cmep keyrings 0x601 and 0x602 (in endian swapped fashion). It is slightly different from the key mesh buffer described above: it is the state before the derivation_key is applied.<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. 
The base per-console seed is the Fuse ID (6 bytes), which is transformed into &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 derivation_seed_0[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_seed_1[0x10]; // a seed used to derive final keys with derivation_key<br /> SceUInt8 derivation_key[0x10]; // key used to derive final keys from seed_0 and seed_1<br /> SceUInt8 fuse_id[8]; // endianness still to be determined<br /> SceUInt8 reserved[4]; // could be arbitrary but in practice always zeroed<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate ScePspIndividualSeed, execute the following (decompiled) code. The structure is addressed as a flat byte buffer, and the prototypes of the AES_*_2 helpers are inferred from the way they are called.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> #include &lt;string.h&gt;<br /> <br /> typedef unsigned char byte;<br /> typedef unsigned int uint;<br /> <br /> extern const byte g_ids_master_key[0x10]; // Kirk IDS master key (value not given here)<br /> extern const byte g_fuse_id[8]; // Fuse ID as read from the 0xBC100090 / 0xBC100094 registers<br /> <br /> // AES helpers as named by the decompiler (prototypes inferred from the calls below)<br /> void AES_set_encrypt_key_2(const byte *key, int bits, uint *ctx);<br /> void AES_set_decrypt_key_2(const byte *key, int bits, uint *ctx);<br /> void AES_encrypt_2(const byte *in, byte *out, const uint *ctx);<br /> void AES_decrypt_2(const byte *in, byte *out, const uint *ctx);<br /> <br /> void gen_psp_individual_seed_hash(ScePspIndividualSeed *individual_seed) {<br /> byte *base = (byte *)individual_seed; // the structure is processed as a flat 0x40-byte buffer<br /> byte bVar1;<br /> uint uVar2;<br /> int iVar3;<br /> byte *pbVar4;<br /> uint uVar5;<br /> uint uVar6;<br /> byte *pbVar7;<br /> uint uVar8;<br /> byte bVar9;<br /> int idx;<br /> int offset;<br /> byte *pbVar11;<br /> byte local_60 [80];<br /> byte m [16];<br /> uint uVar10;<br /> <br /> pbVar11 = local_60;<br /> m[0] = 1;<br /> m[1] = 0xf;<br /> m[2] = 0x36;<br /> m[3] = 0x78;<br /> m[4] = 0x40;<br /> <br /> offset = 0;<br /> do { // copy the first 0x3c bytes (everything but the hash field)<br /> pbVar4 = base + offset;<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar4;<br /> } while (offset &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do { // start from a zeroed hash<br /> pbVar7 = local_60 + offset;<br /> offset = offset + 1;<br /> *pbVar7 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> offset = 0;<br /> do {<br /> bVar1 = *pbVar11;<br /> <br /> idx = 0;<br /> do { // multiply the current byte by m[idx] in GF(2^8), reduction polynomial 0x11d<br /> uVar8 = (uint)m[idx];<br /> iVar3 = idx + 0x40;<br /> uVar10 = 0;<br /> bVar9 = 0;<br /> uVar2 = (uint)bVar1;<br /> while (uVar8 != 0) {<br /> uVar6 = uVar2 &lt;&lt; 1;<br /> uVar5 = uVar8 &amp; 1;<br /> uVar8 = (int)uVar8 &gt;&gt; 1;<br /> if (uVar5 != 0) {<br /> uVar10 = uVar10 ^ uVar2;<br /> }<br /> bVar9 = (byte)uVar10;<br /> uVar2 = uVar6;<br /> if ((uVar6 &amp; 0x100) != 0)<br /> uVar2 = uVar6 ^ 0x11d;<br /> }<br /> idx = idx + 1;<br /> local_60[iVar3] = bVar9;<br /> } while (idx &lt; 5);<br /> <br /> idx = 0;<br /> do { // XOR the five products into the current byte and the four following ones<br /> pbVar7 = pbVar11 + idx;<br /> iVar3 = idx + 0x40;<br /> idx = idx + 1;<br /> *pbVar7 = *pbVar7 ^ local_60[iVar3];<br /> } while (idx &lt; 5);<br /> <br /> idx = offset + 1;<br /> pbVar11 = local_60 + offset + 1;<br /> offset = idx;<br /> } while (idx &lt; 0x3c);<br /> <br /> offset = 0x3c;<br /> do { // write the resulting 4-byte hash into the structure<br /> pbVar11 = local_60 + offset;<br /> pbVar7 = base + offset;<br /> offset = offset + 1;<br /> *pbVar7 = *pbVar11;<br /> *pbVar11 = 0;<br /> } while (offset &lt; 0x40);<br /> <br /> return;<br /> }<br /> <br /> typedef struct {<br /> unsigned char buf1[8]; // 0<br /> unsigned char buf2[8]; // 8<br /> unsigned char buf3[8]; // 0x10<br /> } SomeStructure;<br /> <br /> uint gen_psp_individual_seed(SomeStructure *ss, byte *data_for_0x38, ScePspIndividualSeed *individual_seed) {<br /> byte bVar1;<br /> byte *dst;<br /> int idx;<br /> int j;<br /> byte *src;<br /> byte subkey_2[16];<br /> byte subkey_1[16];<br /> uint ctx[64];<br /> uint ctx2[64];<br /> byte *ss_bytes = (byte *)ss; // buf1, the byte-reversed Fuse ID, is the first 8 bytes<br /> byte *out = (byte *)individual_seed;<br /> <br /> AES_set_encrypt_key_2(g_ids_master_key, 128, ctx); // set g_ids_master_key as AES key<br /> AES_set_decrypt_key_2(g_ids_master_key, 128, ctx2); // set g_ids_master_key as AES key<br /> <br /> idx = 0; // initialize the subkeys using the Fuse ID<br /> do {<br /> bVar1 = ss_bytes[idx + ((int)(idx + ((uint)(idx &gt;&gt; 0x1f) &gt;&gt; 0x1d)) &gt;&gt; 3) * -8]; // ss_bytes[idx % 8]<br /> src = subkey_2 + idx;<br /> dst = subkey_1 + idx;<br /> idx = idx + 1;<br /> *src = bVar1;<br /> *dst = bVar1;<br /> } while (idx &lt; 0x10);<br /> <br /> idx = 2; // encrypt first subkey three times, and decrypt second subkey three times<br /> do {<br /> AES_encrypt_2(subkey_1, subkey_1, ctx);<br /> idx = idx - 1;<br /> AES_decrypt_2(subkey_2, subkey_2, ctx2);<br /> } while (-1 &lt; idx);<br /> <br /> AES_set_encrypt_key_2(subkey_1, 128, ctx); // set subkey_1 as AES key<br /> <br /> idx = 0; // encrypt three times each one of the three first blocks<br /> do {<br /> j = 2;<br /> do {<br /> j = j - 1;<br /> AES_encrypt_2(subkey_2, subkey_2, ctx);<br /> } while (-1 &lt; j);<br /> dst = out + idx * 0x10;<br /> j = 0;<br /> do {<br /> src = subkey_2 + j;<br /> j = j + 1;<br /> *dst = *src;<br /> dst = dst + 1;<br /> } while (j &lt; 0x10);<br /> idx = idx + 1;<br /> } while (idx &lt; 3);<br /> <br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> individual_seed-&gt;fuse_id[idx] = ss_bytes[idx];<br /> idx = j;<br /> } while (j &lt; 8);<br /> <br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> individual_seed-&gt;reserved[idx] = data_for_0x38[idx];<br /> idx = j;<br /> } while (j &lt; 4);<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> <br /> return 0;<br /> }<br /> <br /> typedef struct U64 {<br /> unsigned int low;<br /> unsigned int high;<br /> } U64;<br /> <br /> int CreateSomeStructure(SomeStructure *ss) {<br /> U64 fuse_id;<br /> int i;<br /> <br /> memcpy(&amp;fuse_id, g_fuse_id, 8);<br /> <br /> memset(ss-&gt;buf1, 0, 8);<br /> memset(ss-&gt;buf2, 0xFF, 8);<br /> <br /> memcpy(ss-&gt;buf3, &amp;fuse_id.high, 4);<br /> memcpy(ss-&gt;buf3+4, &amp;fuse_id.low, 4);<br /> <br /> for (i = 0; i &lt; 4; i++) { // buf1 = Fuse ID with each 32-bit half byte-reversed<br /> ss-&gt;buf1[3-i] = ss-&gt;buf3[i];<br /> ss-&gt;buf1[7-i] = ss-&gt;buf3[4+i];<br /> }<br /> <br /> return 0;<br /> }<br /> <br /> uint gen_psp_individual_seed_helper(ScePspIndividualSeed *individual_seed) {<br /> SomeStructure ss;<br /> byte data_for_0x38[4] = {0, 0, 0, 0}; // reserved bytes, zeroed in practice<br /> CreateSomeStructure(&amp;ss);<br /> gen_psp_individual_seed(&amp;ss, data_for_0x38, individual_seed);<br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> Or the following simplified reimplementation.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> int gen_psp_individual_seed(ScePspIndividualSeed *individual_seed) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuse_id[8];<br /> u8 *out = (u8 *)individual_seed; // the three 0x10-byte fields are filled as a flat buffer<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(volatile u32 *)0xBC100090;<br /> u32 g_fuse94 = *(volatile u32 *)0xBC100094;<br /> fuse_id[7] = g_fuse90 &amp; 0xFF;<br /> fuse_id[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuse_id[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuse_id[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuse_id[3] = g_fuse94 &amp; 0xFF;<br /> fuse_id[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuse_id[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuse_id[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, g_ids_master_key, 128); // set g_ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuse_id[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt three times each one of the three first blocks<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy(out + i * 0x10, subkey_2, 0x10);<br /> }<br /> <br /> memcpy(individual_seed-&gt;fuse_id, fuse_id, 8); // the byte-reversed Fuse ID built above<br /> memset(individual_seed-&gt;reserved, 0, 4); // zeroed in practice<br /> <br /> gen_psp_individual_seed_hash(individual_seed);<br /> <br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. 
On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? (if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> 
|-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | 
{{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0x0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, ie the devkit's Bootrom. It supposedly can only be run at a very early stage. 
The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check it's non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt the body using AES slotted key 0<br /> <br /> == Commands 0x1, 0x2, 0x3 &amp; 0xA: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These commands take very similar inputs, as they all do signature verification and (except for command 0xA) decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 0xA takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. Bytes 0x10..0x60 depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> |0x00<br /> |0x10<br /> |Decryption key, encrypted with another key depending on the command<br /> |-<br /> |0x10<br /> |0x50<br /> |Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command, the same key that encrypts the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. Kirk then checks the data size &amp; offset (at 0x70 and 0x74) didn't change from what was previously read (possibly to avoid data being overwritten while being processed). The value is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. 
Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies that the values at 0x70 and 0x74 didn't change. It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
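As an added example (not code from this wiki), the following Python parses the 0x90-byte metadata header described above, reports the signature mode and the key sources the text gives for commands 1, 2 and 3, applies the two early checks (mode, non-zero body size) with the error codes from the table at the end of this page, and performs the header rewrite that command 2 does before re-signing for command 3. It assumes the 32-bit fields are little-endian and that the ECDSA r/s values are big-endian 20-byte integers; the sample header it builds is constructed, not captured from a console.

```python
import struct

HEADER_LEN = 0x90
# Return codes, as listed in the error code table on this page
KIRK_INVALID_MODE = 0x02
KIRK_DATA_SIZE_ZERO = 0x10

# Where the keys come from for each command mode (from the "Commands 1 & 3" and "Command 2" sections)
KEY_SOURCES = {
    1: {"aes": "static key, AES slot 2", "ecdsa": "ECDSA slots 0/1"},
    2: {"aes": "AES slot 3", "ecdsa": "ECDSA slots 2/3"},
    3: {"aes": "per-console key, seed 0", "ecdsa": "ECDSA slots 5/6"},
}


def parse_cmd1_header(buf):
    """Decode the metadata header of a command 1/2/3/0xA input buffer.

    Returns a dict describing the header, or {"error": code} for the two
    checks the text describes before any signature work (mode, body size).
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("need at least 0x90 bytes")
    # 0x60 command, 0x64 signature flags, 0x68 wipe flags, 0x6C dev flag,
    # 0x70 data length, 0x74 padding length (assumed little-endian)
    command, sig_flags, wipe_flags, dev_flag, data_len, pad_len = \
        struct.unpack_from("<6I", buf, 0x60)
    if command not in KEY_SOURCES:
        return {"error": KIRK_INVALID_MODE}
    if data_len == 0:
        return {"error": KIRK_DATA_SIZE_ZERO}
    ecdsa = bool(sig_flags & 1)
    hdr = {
        "command": command,
        "signature_mode": "ECDSA" if ecdsa else "CMAC",
        "cmd2_output_ecdsa": bool(sig_flags & 2),
        "wipe_on_body_failure": bool(wipe_flags & 1),
        "devkit": dev_flag == 0xFFFFFFFF,
        "data_len": data_len,
        "pad_len": pad_len,
        "body_offset": HEADER_LEN + pad_len,
        "expected_input_len": HEADER_LEN + pad_len + data_len,
        "enc_key": buf[0x00:0x10],        # decryption key, still encrypted
        "signed_region": buf[0x60:0x90],  # the 0x30 bytes the header CMAC / ECDSA signature covers
        "keys": KEY_SOURCES[command],
    }
    if ecdsa:
        hdr["header_sig"] = (int.from_bytes(buf[0x10:0x24], "big"),
                             int.from_bytes(buf[0x24:0x38], "big"))
        hdr["data_sig"] = (int.from_bytes(buf[0x38:0x4C], "big"),
                           int.from_bytes(buf[0x4C:0x60], "big"))
    else:
        hdr["enc_cmac_key"] = buf[0x10:0x20]
        hdr["header_cmac"] = buf[0x20:0x30]
        hdr["data_cmac"] = buf[0x30:0x40]
    return hdr


def cmd2_output_header(in_buf):
    """Header part of what command 2 hands to command 3 (steps 2-4 of the
    Command 2 section): copy header + padding, set the mode to 3 and take the
    output signature mode from bit 1 of the input flags. Key and signature
    fields are left untouched here; Kirk regenerates them afterwards."""
    hdr = parse_cmd1_header(in_buf)
    if "error" in hdr:
        return None
    out = bytearray(in_buf[:hdr["body_offset"]])
    struct.pack_into("<II", out, 0x60, 3, 1 if hdr["cmd2_output_ecdsa"] else 0)
    return bytes(out)


def build_sample_header(command=1, sig_flags=1, wipe=1, data_len=0x200, pad_len=0x10):
    """Constructed header for the functions above; key and signature bytes are placeholders."""
    buf = bytearray(HEADER_LEN)
    buf[0x00:0x10] = bytes(range(0x10))
    buf[0x10:0x60] = bytes([0xAA]) * 0x50
    struct.pack_into("<6I", buf, 0x60, command, sig_flags, wipe, 0, data_len, pad_len)
    return bytes(buf)


if __name__ == "__main__":
    h = parse_cmd1_header(build_sample_header())
    print(h["command"], h["signature_mode"], hex(h["body_offset"]), h["keys"])
    print(parse_cmd1_header(build_sample_header(command=7)))
```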
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 0xA ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> * Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> * Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> * Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and the keyseed is in the 0x20..0x2F or 0x6C..0x7B range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2F or 0x73..0x7B range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except that they use a per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above, but the commands differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 0xB: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 0xC: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 0xD: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 0xE: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 0xF: Seed RNG buffer ==<br /> This function seeds the Kirk 32-byte RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> Its input and output buffers both have size 0x1c:<br /> <br /> * 0x00 - 64-bit counter - increased by 1 in the output<br /> * 0x08 - seed data (0x14 bytes long) - used for seeding as an input, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increment the input counter<br /> # Set the first 0x14 bytes of the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize the 32-byte RNG buffer to two empty words, and two words taken from the input data at offsets 0x00 and 0x04<br /> # Do a reseeding (see below)<br /> # Output the bytes contained in the first 0x14 bytes of the PRNG seed after the reseeding<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt the RNG buffer with the AES per-console key with seed 6<br /> # Set the last half of the PRNG seed (0x14 bytes) to the contents of the RNG buffer<br /> # Regenerate data with the PRNG<br /> <br /> The functions requiring random data then use some parts of the PRNG state (&quot;seed&quot; (first 0x28 bytes of the PRNG state) or &quot;result&quot; (last 0x14 bytes of the PRNG state)) as random data to be used.<br /> <br /> == Command 0x10: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14-byte buffer) using an encrypted private key. 
It is used to verify IdStorage IDPS certificates.<br /> <br /> The input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, each 0x14 bytes long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 0x11: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature.<br /> <br /> It produces no output and takes as input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 0x12: verify certificate ==<br /> <br /> This command has no output.<br /> <br /> It takes as input a 0xB8-byte long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. 
(unused here)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> It verifies the AES CMAC of the header using the per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. (See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12388 Kirk 2024-01-16T00:07:24Z <p>CelesteBlue: /* 0x40-byte buffer */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory-mapped registers at base address 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). 
It is capable of AES encryption and decryption, SHA1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and AES-CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All Kirk commands are invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are fast and require only small keys compared to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/0xA ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 0xA.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0xE, 0x10 and 0x11.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands allow operations with any public key. 
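As an added example (not code from this wiki or from Sony), the following pure-Python model checks that the hardcoded command 1 public key lies on its curve and reproduces the command 0x10 / command 0x11 sign-and-verify round trip on the 0x64-byte command 0x11 input layout described later on this page. It takes 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF as the field prime shared by both curves and the two remaining 160-bit values as the group orders, as the ecpy sample below does; the key pair, nonce and message in the usage block are constructed.

```python
import hashlib
from collections import namedtuple

Curve = namedtuple("Curve", "p a b n gx gy")

# Field prime shared by both curves (a = -3), as in the ecpy sample on this
# page; the two remaining 160-bit values are the group orders.
P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF

# Curve of Kirk commands 1/2/3/0xA
CMD1_CURVE = Curve(P, P - 3, 0x65D1488C0359E234ADC95BD3908014BD91A525F9,
                   0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,
                   0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA,
                   0x604358456D0A1CB2908DE90F27D75C82BEC108C0)
# Curve of Kirk commands 0xC/0xD/0xE/0x10/0x11
CMD17_CURVE = Curve(P, P - 3, 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,
                    0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,
                    0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
                    0x5958557EB1DB001260425524DBC379D5AC5F4ADF)
# Public key hardcoded for Kirk command 1 (quoted on this page)
CMD1_PUBKEY = (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9,
               0x049DF1A075C0E04FB344858B61B79B69A63D2C39)

KIRK_OK = 0
KIRK_ECDSA_DATA_INVALID = 5   # "Invalid ECDSA data" in the error code table

def on_curve(cv, pt):
    """y^2 == x^3 + a*x + b (mod p) for an affine point (x, y)."""
    x, y = pt
    return (y * y - (x * x * x + cv.a * x + cv.b)) % cv.p == 0

def ec_add(cv, p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % cv.p == 0:
            return None
        lam = (3 * x1 * x1 + cv.a) * pow(2 * y1, -1, cv.p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, cv.p)
    lam %= cv.p
    x3 = (lam * lam - x1 - x2) % cv.p
    return (x3, (lam * (x1 - x3) - y1) % cv.p)

def ec_mul(cv, k, pt):
    """Double-and-add scalar multiplication (not constant-time; a model only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(cv, acc, pt)
        pt = ec_add(cv, pt, pt)
        k >>= 1
    return acc

def kirk_cmd16(priv, msg_hash, k):
    """Model of command 0x10 with an explicit nonce k (Kirk draws it from its
    PRNG; a reused or predictable k leaks priv, so never fix k outside a test)."""
    cv = CMD17_CURVE
    if not 0 < priv < cv.n:   # Kirk rejects a zero scalar or one >= the order
        raise ValueError("invalid private scalar")
    e = int.from_bytes(msg_hash, "big")
    r = ec_mul(cv, k, (cv.gx, cv.gy))[0] % cv.n
    s = (e + r * priv) * pow(k, -1, cv.n) % cv.n
    return r.to_bytes(0x14, "big") + s.to_bytes(0x14, "big")

def kirk_cmd17(inbuf):
    """Model of command 0x11 on its 0x64-byte input: public key x||y at 0x00,
    SHA1 at 0x28, r at 0x3C, s at 0x50. Returns a Kirk error code."""
    cv = CMD17_CURVE
    if len(inbuf) != 0x64:
        return KIRK_ECDSA_DATA_INVALID
    word = lambda off: int.from_bytes(inbuf[off:off + 0x14], "big")
    q, e, r, s = (word(0x00), word(0x14)), word(0x28), word(0x3C), word(0x50)
    if not (on_curve(cv, q) and 0 < r < cv.n and 0 < s < cv.n):
        return KIRK_ECDSA_DATA_INVALID
    sinv = pow(s, -1, cv.n)
    pt = ec_add(cv, ec_mul(cv, e * sinv % cv.n, (cv.gx, cv.gy)),
                ec_mul(cv, r * sinv % cv.n, q))
    if pt is None or pt[0] % cv.n != r:
        return KIRK_ECDSA_DATA_INVALID
    return KIRK_OK

def build_cmd17_input(pub, msg_hash, sig):
    """Pack a command 0x11 input buffer from its parts."""
    return pub[0].to_bytes(0x14, "big") + pub[1].to_bytes(0x14, "big") + msg_hash + sig

if __name__ == "__main__":
    # Constructed key pair, nonce and message; not values from any console.
    priv = 0x1F2E3D4C5B6A79880123456789ABCDEF01234567
    pub = ec_mul(CMD17_CURVE, priv, (CMD17_CURVE.gx, CMD17_CURVE.gy))
    digest = hashlib.sha1(b"constructed IdStorage certificate body").digest()
    sig = kirk_cmd16(priv, digest, 0x0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D)
    print(kirk_cmd17(build_cmd17_input(pub, digest, sig)))   # 0
```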
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> # the two hardcoded public keys, each on its own curve<br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key: private scalar times the generator must give the hardcoded public key<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1  # mul_point(scalar, point)<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (for both coordinates), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30-byte buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> #include &lt;string.h&gt;<br /> <br /> extern const u8 ids_master_key[0x10]; // static AES key, see the Keys page<br /> <br /> // Fills *seed with the 0x30-byte key mesh derived from this console's Fuse ID<br /> void gen_psp_individual_seed(ScePspKeyMesh *seed) { <br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(volatile u32 *)0xBC100090;<br /> u32 g_fuse94 = *(volatile u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp;0xFF;<br /> fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuseid[3] = g_fuse94 &amp;0xFF;<br /> fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times to obtain the three blocks of the final key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10); // block i of the structure<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> // Odd seeds start from the second key, even seeds from the first one<br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> == 0x40-byte buffer ==<br /> <br /> There is a 0x40-byte buffer, named here &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;, used in both PSP flashData.prx and (to be checked) in PS Vita cmep keyrings 0x601 and 0x602. It might be slightly different from the mesh buffer described above, so we keep it for now. Indeed, it is unclear whether this 0x40-byte buffer on PS Vita holds the final AES keys or the values before the derivation_key is applied.<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. 
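As an added example (not code from this wiki, from flashData.prx or from Sony), here is a readable Python model of the gen_hash_at_0x3C routine quoted at the end of this section: it computes the 4-byte field at 0x3C as the remainder of the first 0x3C bytes, read as a polynomial over GF(2^8) with reduction polynomial 0x11D, modulo the generator (1, 0x0F, 0x36, 0x78, 0x40), and adds a check that recomputes it. That reading of the decompiled loops is mine; the sample buffer is constructed.

```python
# Generator coefficients m[0..4] of the decompiled routine; m[0] = 1 makes the
# generator monic, so the loop in _remainder() is plain polynomial division.
GEN = (0x01, 0x0F, 0x36, 0x78, 0x40)
REDUCE_POLY = 0x11D   # GF(2^8) reduction polynomial used by the inner loop

def gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo 0x11D (the decompiled inner while)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= REDUCE_POLY
    return r

def _remainder(work):
    """Reduce the 0x40-byte polynomial in `work` (highest degree first) modulo
    GEN, in place: for j = 0..0x3B the leading byte work[j] is cancelled and its
    products with GEN[1..4] folded into the next four bytes, exactly like the
    decompiled j/i loops. The 4-byte remainder ends up in work[0x3C:0x40]."""
    for j in range(0x3C):
        lead = work[j]
        for i, g in enumerate(GEN):
            work[j + i] ^= gf_mul(lead, g)
    return bytes(work[0x3C:0x40])

def ids_hash(buf):
    """Hash of the first 0x3C bytes: remainder of buf[:0x3C] * y^4 modulo GEN."""
    work = bytearray(buf[:0x3C]) + bytearray(4)
    return _remainder(work)

def gen_hash_at_0x3c(buf):
    """Same effect as the decompiled gen_hash_at_0x3C: store the hash at 0x3C
    of a 0x40-byte bytearray."""
    buf[0x3C:0x40] = ids_hash(buf)

def check_hash_at_0x3c(buf):
    """Integrity check: with the hash in place the whole 0x40 bytes reduce to 0,
    and any single changed byte breaks that."""
    return _remainder(bytearray(buf[:0x40])) == bytes(4)

if __name__ == "__main__":
    # Constructed ScePspIndividualSeed contents, not values from any console.
    seed = bytearray(range(0x3C)) + bytearray(4)
    gen_hash_at_0x3c(seed)
    print(seed[0x3C:].hex(), check_hash_at_0x3c(seed))
```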
The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x40-byte buffer. The first 0x10 bytes of the buffer are the AES CBC MAC key used by Kirk command 18, whilst the second 0x10 bytes are the AES CBC key used by Kirk command 16.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 aes128cbc_mac_key[0x10]; // used by Kirk command 18<br /> SceUInt8 aes128cbc_key[0x10]; // used by Kirk command 16<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys of the structure<br /> SceUInt8 fuse_id[8]; // endianness to be determined<br /> SceUInt32 padding; // usually set to zero<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate (without the hash, and untested) ScePspIndividualSeed, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> #include &lt;string.h&gt;<br /> <br /> extern const u8 ids_master_key[0x10]; // static AES key, see the Keys page<br /> <br /> // Fills the three key fields of *seed; the fuse_id, padding and hash fields are not written here<br /> void gen_psp_individual_seed(ScePspIndividualSeed *seed) { <br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(volatile u32 *)0xBC100090;<br /> u32 g_fuse94 = *(volatile u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp;0xFF;<br /> fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuseid[3] = g_fuse94 &amp;0xFF;<br /> fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt three times each one of the three first blocks<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10); // block i of the structure<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, seed-&gt;derivation_key, 128); // set the derivation key as AES key<br /> <br /> for (i = 0; i &lt; 2; i++) { // encrypt twice the seeds to get the final keys<br /> rijndael_encrypt(&amp;aes_ctx, seed-&gt;aes128cbc_mac_key, seed-&gt;aes128cbc_mac_key);<br /> rijndael_encrypt(&amp;aes_ctx, seed-&gt;aes128cbc_key, seed-&gt;aes128cbc_key);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The following code (decompiler output) is the official way to build the 0x40-byte buffer:<br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_hash_at_0x3C(byte *buf) {<br /> byte bVar1;<br /> uint uVar2;<br /> int iVar3;<br /> byte *pbVar4;<br /> uint uVar5;<br /> uint uVar6;<br /> byte *pbVar7;<br /> uint uVar8;<br /> byte bVar9;<br /> int i;<br /> int j;<br /> byte *pbVar11;<br /> byte local_60 [80];<br /> byte m [16];<br /> uint uVar10;<br /> <br /> pbVar11 = local_60;<br /> m[0] = 1;<br /> m[1] = 0xf;<br /> m[2] = 0x36;<br /> m[3] = 0x78;<br /> m[4] = 0x40;<br /> j = 0;<br /> do {<br /> pbVar4 = buf + j;<br /> pbVar7 = local_60 + j;<br /> j = j + 1;<br /> *pbVar7 = *pbVar4;<br /> } while (j &lt; 0x3c);<br /> j = 0x3c;<br /> do {<br /> pbVar7 = local_60 + j;<br /> j = j + 1;<br /> *pbVar7 = 0;<br /> } while (j &lt; 0x40);<br /> j = 0;<br /> do {<br /> bVar1 = *pbVar11;<br /> i = 0;<br /> do {<br /> uVar8 = (uint)m[i];<br /> iVar3 = i + 0x40;<br /> uVar10 = 0;<br /> bVar9 = 0;<br /> uVar2 = (uint)bVar1;<br /> while (uVar8 != 0) {<br /> uVar6 = uVar2 
&lt;&lt; 1;<br /> uVar5 = uVar8 &amp; 1;<br /> uVar8 = (int)uVar8 &gt;&gt; 1;<br /> if (uVar5 != 0) {<br /> uVar10 = uVar10 ^ uVar2;<br /> }<br /> bVar9 = (byte)uVar10;<br /> uVar2 = uVar6;<br /> if ((uVar6 &amp; 0x100) != 0) {<br /> uVar2 = uVar6 ^ 0x11d;<br /> }<br /> }<br /> i = i + 1;<br /> local_60[iVar3] = bVar9;<br /> } while (i &lt; 5);<br /> i = 0;<br /> do {<br /> pbVar7 = pbVar11 + i;<br /> iVar3 = i + 0x40;<br /> i = i + 1;<br /> *pbVar7 = *pbVar7 ^ local_60[iVar3];<br /> } while (i &lt; 5);<br /> i = j + 1;<br /> pbVar11 = local_60 + j + 1;<br /> j = i;<br /> } while (i &lt; 0x3c);<br /> j = 0x3c;<br /> do {<br /> pbVar11 = local_60 + j;<br /> pbVar7 = buf + j;<br /> j = j + 1;<br /> *pbVar7 = *pbVar11;<br /> *pbVar11 = 0;<br /> } while (j &lt; 0x40);<br /> return;<br /> }<br /> <br /> uint generate_ids_seed_value(byte *ss,byte *data_for_0x38,byte *fuse_keys) {<br /> byte bVar1;<br /> byte *dst;<br /> int idx;<br /> int j;<br /> byte *src;<br /> byte buf2 [16];<br /> byte buf1 [16];<br /> uint ctx [64];<br /> uint ctx2 [64];<br /> <br /> AES_set_encrypt_key_2(g_ids_master_key,0x80,ctx);<br /> AES_set_decrypt_key_2(g_ids_master_key,0x80,ctx2);<br /> idx = 0;<br /> do {<br /> bVar1 = ss[idx + ((int)(idx + ((uint)(idx &gt;&gt; 0x1f) &gt;&gt; 0x1d)) &gt;&gt; 3) * -8];<br /> src = buf2 + idx;<br /> dst = buf1 + idx;<br /> idx = idx + 1;<br /> *src = bVar1;<br /> *dst = bVar1;<br /> } while (idx &lt; 0x10);<br /> idx = 2;<br /> do {<br /> AES_encrypt_2(buf1,buf1,ctx);<br /> idx = idx + -1;<br /> AES_decrypt_2(buf2,buf2,ctx2);<br /> } while (-1 &lt; idx);<br /> AES_set_encrypt_key_2(buf1,0x80,ctx);<br /> idx = 0;<br /> do {<br /> j = 2;<br /> do {<br /> j = j + -1;<br /> AES_encrypt_2(buf2,buf2,ctx);<br /> } while (-1 &lt; j);<br /> dst = fuse_keys + idx * 0x10;<br /> j = 0;<br /> do {<br /> src = buf2 + j;<br /> j = j + 1;<br /> *dst = *src;<br /> dst = dst + 1;<br /> } while (j &lt; 0x10);<br /> idx = idx + 1;<br /> } while (idx &lt; 3);<br /> idx = 0;<br 
/> do {<br /> j = idx + 1;<br /> fuse_keys[idx + 0x30] = ss[idx];<br /> idx = j;<br /> } while (j &lt; 8);<br /> idx = 0;<br /> do {<br /> j = idx + 1;<br /> fuse_keys[idx + 0x38] = data_for_0x38[idx];<br /> idx = j;<br /> } while (j &lt; 4);<br /> gen_hash_at_0x3C(fuse_keys);<br /> return 0;<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? 
(if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) 
(key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | 
KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0x0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, i.e. the devkit's Bootrom. It supposedly can only be run at a very early stage. The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check that it is non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt body using AES slotted key 0<br /> <br /> == Commands 0x1, 0x2, 0x3 &amp; 0xA: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These three functions take very similar inputs, as they all do signature verification and decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 0xA takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. 
The 0x10..0x60 bytes depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> |0x00<br /> |0x10<br /> |Decryption key, encrypted with another key depending on the command<br /> |-<br /> |0x10<br /> |0x50<br /> |Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same as the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. 
Kirk then checks the data size &amp; offset (at 0x70 and 0x74) didn't change from what was previously read (possibly to avoid data being overwritten while being processed). The computed value is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies that the values at 0x70 and 0x74 didn't change. It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 0xA ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> * Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> * Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> * Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> | 0x0D || 1 || Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> | 0x0E || 2 || Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> | 0x14 || 16 || Only for commands 6/9: additional key<br /> |-<br /> | 0x24 || 16 || Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify that the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the MSB of the key mesh's derivation key is 1 and the keyseed is in the 0x20..0x2F or 0x6C..0x7B range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2F or 0x73..0x7B range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except that they use the per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above; the commands differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 0xB: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 0xC: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 0xD: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 0xE: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 0xF: Seed RNG buffer ==<br /> This function seeds the Kirk 32-byte RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> Its input and output buffers both have size 0x1C:<br /> <br /> * 0x00 - 64-bit counter - increased by 1 in the output<br /> * 0x08 - seed data (0x14 bytes long) - used for seeding as an input, and contains fresh reseeded data in the output<br /> <br /> Seeding works this way:<br /> <br /> # Increment the input counter<br /> # Set the first 0x14 bytes of the PRNG seed to the input seed data, XORed with a SHA1 of data coming from a true random number generator<br /> # Initialize the 32-byte RNG buffer to two empty words, and two words taken from the input data at offsets 0x00 and 0x04<br /> # Do a reseeding (see below)<br /> # Output the bytes contained in the first 0x14 bytes of the PRNG seed after the reseeding<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt the RNG buffer with the AES per-console key with seed 6<br /> # Set the last half of the PRNG seed (0x14 bytes) to the contents of the RNG buffer<br /> # Regenerate data with the PRNG<br /> The functions requiring random data then use part of the PRNG state (&quot;seed&quot; (first 0x28 bytes of the PRNG state) or &quot;result&quot; (last 0x14 bytes of the PRNG state)) as their random data.<br /> <br /> == Command 0x10: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. 
It is used to verify IdStorage IDPS certificates.<br /> <br /> The input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 0x11: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature.<br /> <br /> It produces no output, and takes as input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 0x12: verify certificate ==<br /> <br /> This command has no output.<br /> <br /> It takes as input a 0xB8-byte long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. 
(unused here)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> It verifies the AES CMAC of the header using the per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the public key of the latest Bootrom version is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. (See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12372 Kirk 2024-01-14T23:04:13Z <p>CelesteBlue: /* Per-console keys */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base address 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). 
It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo random number generation, and signature generation and verification (ECDSA and CMAC).<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, compared with other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/10 ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 10.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 12, 13, 14, 16 and 17.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> These commands allow operations with any public key. 
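The curve arithmetic behind the two sections above, and the signature verification of command 0x11, as an added Go example written for this page (it is not code from the wiki, from ecpy or from any Kirk implementation). It uses the command 1/2/3/10 parameters as the ecpy sample below lists them (0x...00000001... as the field prime and 0x...B5C6... as the order), checks that G and the hardcoded command 1 public key lie on the curve, checks that the private key quoted in the ecpy sample times G gives that public key, and then signs and verifies a SHA1 digest in the 0x64-byte input layout of command 0x11 (public key x and y at 0x00, hash at 0x28, r at 0x3C, s at 0x50). Assumptions of the example: each value is a 0x14-byte big-endian integer, the nonce is supplied by the caller (Kirk draws it from its PRNG), and the names verifyKirk11 and buildKirk11 are this example's own.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math/big"
)

// Parameters of the Kirk command 1/2/3/10 curve as the ecpy sample on this page lists them:
// field prime p, group order n, generator G and coefficient b (a = -3).
var (
	p = hex("FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF")
	n = hex("FFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F")
	b = hex("65D1488C0359E234ADC95BD3908014BD91A525F9")
	G = point{hex("2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA"), hex("604358456D0A1CB2908DE90F27D75C82BEC108C0")}
	// Command 1 public key hardcoded in Kirk, and the private key quoted in the ecpy sample.
	kirk1Pub  = point{hex("ED9CE58234E61A53C685D64D51D0236BC3B5D4B9"), hex("049DF1A075C0E04FB344858B61B79B69A63D2C39")}
	kirk1Priv = hex("F392E26490B80FD889F2D9722C1F34D7274F983D")
)

type point struct{ x, y *big.Int } // x == nil encodes the point at infinity

func hex(s string) *big.Int { v, _ := new(big.Int).SetString(s, 16); return v }
func mod(v *big.Int) *big.Int { return v.Mod(v, p) }

// onCurve checks y^2 == x^3 - 3x + b (mod p), the sanity check for any point fed to command 0xD or 0x11.
func onCurve(P point) bool {
	l := new(big.Int).Mul(P.y, P.y)
	r := new(big.Int).Exp(P.x, big.NewInt(3), p)
	r.Sub(r, new(big.Int).Mul(big.NewInt(3), P.x)).Add(r, b)
	return mod(l).Cmp(mod(r)) == 0
}

// add is affine Weierstrass point addition, with doubling for P == Q (a = -3).
func add(P, Q point) point {
	if P.x == nil { return Q }
	if Q.x == nil { return P }
	num, den := new(big.Int), new(big.Int)
	if P.x.Cmp(Q.x) == 0 {
		if mod(new(big.Int).Add(P.y, Q.y)).Sign() == 0 { return point{} } // Q == -P
		num.Mul(P.x, P.x).Mul(num, big.NewInt(3)).Sub(num, big.NewInt(3)) // 3x^2 + a
		den.Lsh(P.y, 1)                                                    // 2y
	} else {
		num.Sub(Q.y, P.y)
		den.Sub(Q.x, P.x)
	}
	lam := mod(num.Mul(num, new(big.Int).ModInverse(mod(den), p)))
	x := new(big.Int).Mul(lam, lam)
	mod(x.Sub(x, P.x).Sub(x, Q.x))
	y := new(big.Int).Sub(P.x, x)
	mod(y.Mul(y, lam).Sub(y, P.y))
	return point{x, y}
}

// mul is left-to-right double-and-add scalar multiplication (what command 0xD computes).
func mul(k *big.Int, P point) point {
	R := point{}
	for i := k.BitLen() - 1; i >= 0; i-- {
		R = add(R, R)
		if k.Bit(i) == 1 { R = add(R, P) }
	}
	return R
}

// sign computes (r, s) over hash h with private key d and nonce k; command 0x10 takes k from the Kirk PRNG.
func sign(h, d, k *big.Int) (r, s *big.Int) {
	r = new(big.Int).Mod(mul(k, G).x, n)
	s = new(big.Int).Mul(d, r)
	s.Add(s, h).Mul(s, new(big.Int).ModInverse(k, n)).Mod(s, n)
	return r, s
}

// verify checks (r, s) over h against pub, as command 0x11 does.
func verify(pub point, h, r, s *big.Int) bool {
	if !onCurve(pub) || r.Sign() <= 0 || r.Cmp(n) >= 0 || s.Sign() <= 0 || s.Cmp(n) >= 0 { return false }
	w := new(big.Int).ModInverse(s, n)
	u1 := new(big.Int).Mul(h, w)
	u2 := new(big.Int).Mul(r, w)
	R := add(mul(u1.Mod(u1, n), G), mul(u2.Mod(u2, n), pub))
	return R.x != nil && new(big.Int).Mod(R.x, n).Cmp(r) == 0
}

// verifyKirk11 parses the 0x64-byte command 0x11 input: pubkey x|y at 0x00, hash at 0x28, r at 0x3C, s at 0x50.
func verifyKirk11(in []byte) bool {
	if len(in) != 0x64 { return false }
	f := func(off int) *big.Int { return new(big.Int).SetBytes(in[off : off+0x14]) }
	return verify(point{f(0x00), f(0x14)}, f(0x28), f(0x3C), f(0x50))
}

// buildKirk11 packs the same layout, each value as a 0x14-byte big-endian integer (assumed encoding).
func buildKirk11(pub point, h, r, s *big.Int) []byte {
	out := make([]byte, 0x64)
	for i, v := range []*big.Int{pub.x, pub.y, h, r, s} { v.FillBytes(out[i*0x14 : (i+1)*0x14]) }
	return out
}

func main() {
	sum := sha1.Sum([]byte("constructed message")) // Kirk signs a SHA1 digest (command 0xB output)
	h := new(big.Int).SetBytes(sum[:])
	k := hex("0123456789ABCDEF0123456789ABCDEF01234567") // constructed nonce
	r, s := sign(h, kirk1Priv, k)
	fmt.Println("d*G == pub:", mul(kirk1Priv, G).x.Cmp(kirk1Pub.x) == 0, "cmd 0x11 verify:", verifyKirk11(buildKirk11(kirk1Pub, h, r, s)))
}
```

The on-curve check in verify is the part worth keeping in mind for command 0xD and 0x11 style interfaces: a caller-supplied point that is not on the curve turns scalar multiplication into arithmetic on a different, possibly weak, group, so rejecting such inputs before doing any arithmetic is the cheap defence.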
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key: d*G must equal the hardcoded public key<br /> # (ecpy's mul_point takes the scalar first, then the point)<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1<br /> &lt;/pre&gt;<br /> <br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~0x83<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (one per coordinate), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30 bytes buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> <br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> #include &lt;string.h&gt;<br /> #include &lt;psptypes.h&gt; // u8, u32, SceUInt8 (PSP SDK)<br /> #include &quot;rijndael.h&quot; // rijndael_ctx and rijndael_set_key/encrypt/decrypt, the AES primitives this snippet assumes<br /> <br /> extern u8 ids_master_key[0x10]; // static key, see the [[Keys]] page<br /> <br /> // Fills *seed with the 0x30-byte key mesh of this console<br /> void gen_psp_individual_seed(ScePspKeyMesh *seed) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp; 0xFF;<br /> fuseid[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuseid[3] = g_fuse94 &amp; 0xFF;<br /> fuseid[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt 3, 6 and 9 times the subkey_2 to obtain the final keymesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10); // key_1, key_2, then derivation_key<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> == 0x40-byte buffer ==<br /> <br /> There is a 0x40-byte buffer, named here &lt;code&gt;ScePspIndividualSeed&lt;/code&gt;, used in both PSP flashData.prx and (to be checked) in PS Vita cmep keyrings 0x601 and 0x602. It might be slightly different from the mesh buffer described above, so we keep it for now. It is unclear whether this 0x40-byte buffer on PS Vita holds the final AES keys or the values before the derivation_key is applied.<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. 
The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x40 bytes buffer. The first 0x10 bytes of the buffer are the AES CBC MAC key used by Kirk command 18 whilst the second 0x10 bytes are the AES CBC key used by Kirk command 16.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 aes128cbc_mac_key[0x10]; // used by Kirk command 18<br /> SceUInt8 aes128cbc_key[0x10]; // used by Kirk command 16<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys of the structure<br /> SceUInt8 fuse_id[8]; // endianness to be determined<br /> SceUInt32 padding; // usually set to zero<br /> SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate ScePspIndividualSeed, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> #include &lt;string.h&gt;<br /> #include &lt;psptypes.h&gt; // u8, u32, SceUInt8, SceUInt32 (PSP SDK)<br /> #include &quot;rijndael.h&quot; // rijndael_ctx and rijndael_set_key/encrypt/decrypt, the AES primitives this snippet assumes<br /> <br /> extern u8 ids_master_key[0x10]; // static key, see the [[Keys]] page<br /> <br /> // Fills the three keys of *seed; fuse_id, padding and hash are not filled in here<br /> void gen_psp_individual_seed(ScePspIndividualSeed *seed) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp; 0xFF;<br /> fuseid[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuseid[3] = g_fuse94 &amp; 0xFF;<br /> fuseid[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt three times each one of the three first blocks<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10); // mac_key, key, then derivation_key<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, seed-&gt;derivation_key, 128); // set the derivation key as AES key<br /> <br /> for (i = 0; i &lt; 2; i++) { // encrypt the two keys twice to get the final keys<br /> rijndael_encrypt(&amp;aes_ctx, seed-&gt;aes128cbc_mac_key, seed-&gt;aes128cbc_mac_key);<br /> rijndael_encrypt(&amp;aes_ctx, seed-&gt;aes128cbc_key, seed-&gt;aes128cbc_key);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations on inbuf and outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses per-console key (fuse-based algorithm)?<br /> ! scope=&quot;col&quot;| Uses slot key? 
(if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) 
(key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_SEED<br /> | Seed the Kirk internal RNG buffer<br /> | 0x1C<br /> | 0x1C<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | 
KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, i.e. the devkit's Pre-IPL. It supposedly can only be run at a very early stage. The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify that the command is run at an early stage<br /> # Read the body size and check that it is non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify that the body size did not change<br /> # Decrypt the body using AES slotted key 0<br /> <br /> == Commands 1, 2, 3 &amp; 10: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These commands take very similar inputs, as they all do signature verification, and all but command 10 also do decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 10 takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. 
Bytes 0x10..0x60 depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x00 || 0x10 || Decryption key, encrypted with another key depending on the command<br /> |-<br /> | 0x10 || 0x50 || Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if the block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates that all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same key used for the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. 
Kirk then checks that the data size &amp; offset (at 0x70 and 0x74) did not change from what was previously read (possibly to avoid data being overwritten while being processed). The computed CMAC is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to the CMAC version, it then verifies that the values at 0x70 and 0x74 did not change. It then acts similarly to the CMAC version for the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. 
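The CMAC-mode verification process described above, followed by the decryption steps of commands 1 and 3, as an added Go example written for this page (not code from the wiki or from any Kirk implementation). It builds a command 1 style buffer with a constructed stand-in for the slot 2 AES key, then runs the checks in the order the text gives them: decrypt the CMAC key at 0x10 with AES-CBC using offset 0x00 as the IV, compare the CMAC of 0x60..0x90 with 0x20, re-read the size and offset fields, compare the CMAC of 0x60 to the end of the body with 0x30, wipe the whole input if bit 0 of 0x68 is set and that check fails, and finally decrypt the body with a null IV. Assumptions of the example: 32-bit header fields are little-endian, the body length is a multiple of 16, and the return codes use the numbering of the error code table on this page (0x03 header signature, 0x04 data signature, 0x10 data size); buildCmd1 and verifyCmd1 are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Return codes numbered as in the error code table on this page.
const kirkOK, kirkHeaderSigInvalid, kirkDataSigInvalid, kirkDataSizeInvalid = 0x00, 0x03, 0x04, 0x10

// Constructed stand-in for the static AES key in slot 2 (the real command 1 key is on the Keys page).
var slotKey = bytes.Repeat([]byte{0x5A}, 16)
var nullIV = make([]byte, 16)

// aesCBC runs AES-128-CBC over whole blocks; enc selects encryption or decryption.
func aesCBC(key, iv, data []byte, enc bool) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	if enc {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, data)
	}
	return out
}

func xorInto(dst, src []byte) { for i := range dst { dst[i] ^= src[i] } }

// cmac is AES-CMAC (RFC 4493) built directly on the block cipher.
func cmac(key, msg []byte) []byte {
	blk, _ := aes.NewCipher(key)
	dbl := func(in []byte) []byte { // multiply by x in GF(2^128) for the subkeys K1/K2
		out, carry := make([]byte, 16), byte(0)
		for i := 15; i >= 0; i-- { out[i], carry = in[i]<<1|carry, in[i]>>7 }
		if carry != 0 { out[15] ^= 0x87 }
		return out
	}
	l := make([]byte, 16)
	blk.Encrypt(l, l) // L = AES_K(0)
	k1, k2 := dbl(l), dbl(dbl(l))
	nblk := (len(msg) + 15) / 16
	if nblk == 0 { nblk = 1 }
	last := make([]byte, 16)
	copy(last, msg[(nblk-1)*16:])
	if len(msg) > 0 && len(msg)%16 == 0 { // complete final block
		xorInto(last, k1)
	} else { // partial or empty final block: 10..0 padding
		last[len(msg)-(nblk-1)*16] = 0x80
		xorInto(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < nblk-1; i++ { xorInto(x, msg[i*16:]); blk.Encrypt(x, x) }
	xorInto(x, last)
	blk.Encrypt(x, x)
	return x
}

// buildCmd1 packs a command 1 input in CMAC mode: 0x90-byte header, pad bytes, encrypted body.
func buildCmd1(decKey, cmacKey, body []byte, pad int, wipe bool) []byte {
	buf := make([]byte, 0x90+pad+len(body))
	copy(buf[0x00:], aesCBC(slotKey, nullIV, decKey, true))          // decryption key, null IV
	copy(buf[0x10:], aesCBC(slotKey, buf[0x00:0x10], cmacKey, true)) // CMAC key, chained on the block at 0x00
	le := binary.LittleEndian                                        // assumption: header fields are little-endian
	le.PutUint32(buf[0x60:], 1)                                      // command mode 1
	le.PutUint32(buf[0x64:], 0)                                      // bit 0 = 0: AES CMAC-signed
	if wipe { le.PutUint32(buf[0x68:], 1) }                          // bit 0: wipe the input if the data check fails
	le.PutUint32(buf[0x70:], uint32(len(body)))
	le.PutUint32(buf[0x74:], uint32(pad))
	copy(buf[0x90+pad:], aesCBC(decKey, nullIV, body, true))
	copy(buf[0x20:], cmac(cmacKey, buf[0x60:0x90])) // header CMAC: 0x30 bytes from 0x60
	copy(buf[0x30:], cmac(cmacKey, buf[0x60:]))     // data CMAC: 0x60 to the end of the body
	return buf
}

// verifyCmd1 runs the CMAC-mode checks of command 1 and returns (code, decrypted body).
func verifyCmd1(buf []byte) (int, []byte) {
	le := binary.LittleEndian
	size, pad := int(le.Uint32(buf[0x70:])), int(le.Uint32(buf[0x74:]))
	end := 0x90 + pad + size
	if size == 0 || end > len(buf) { return kirkDataSizeInvalid, nil }
	cmacKey := aesCBC(slotKey, buf[0x00:0x10], buf[0x10:0x20], false) // offset 0x00 is the IV
	hdrOK := bytes.Equal(cmac(cmacKey, buf[0x60:0x90]), buf[0x20:0x30])
	// size and offset are re-read after hashing and must match what was read before
	if !hdrOK || int(le.Uint32(buf[0x70:])) != size || int(le.Uint32(buf[0x74:])) != pad {
		return kirkHeaderSigInvalid, nil
	}
	if !bytes.Equal(cmac(cmacKey, buf[0x60:end]), buf[0x30:0x40]) {
		if buf[0x68]&1 == 1 { for i := range buf { buf[i] = 0 } } // wipe the whole input
		return kirkDataSigInvalid, nil
	}
	decKey := aesCBC(slotKey, nullIV, buf[0x00:0x10], false)
	return kirkOK, aesCBC(decKey, nullIV, buf[0x90+pad:end], false)
}

func main() {
	body := bytes.Repeat([]byte("KIRK"), 8) // constructed 32-byte body
	buf := buildCmd1(bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16), body, 0x10, true)
	code, out := verifyCmd1(buf)
	fmt.Printf("code=%#x body=%q\n", code, out)
}
```

Two details of the layout matter for anyone reimplementing or auditing this: the CMAC covers only the fields from 0x60 onwards, so the encrypted keys at 0x00 and 0x10 are authenticated only indirectly (a wrong slot key yields a wrong CMAC key and the header check fails), and the size and offset fields are read twice, which is what protects the engine against the buffer changing underneath it between the length check and the hash.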
Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 10 ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. 
(If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> <br /> - Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> <br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from a random key and data stored at 0x14, the random key being encrypted with a per-console key so that command 9 can decrypt<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !!
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and the keyseed is in the 0x20..0x2f or 0x6c..0x7b range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2f or 0x73..0x7b range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except that it uses a per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above; the remaining steps differ.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 11: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 12: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 13: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 14: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 15: Seed RNG buffer ==<br /> This function seeds the Kirk RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> Its input and output are both 0x1c bytes long:<br /> <br /> * 0x00 - unknown - modified by an unknown opcode<br /> * 0x04 - counter - increased by 1 in the output<br /> * 0x08 - seed data - used for seeding, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increase the input counter and do the unknown operation on offset 0x00<br /> # Set the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize the RNG buffer to two empty words, and then the output data at offsets 0x00 and 0x04<br /> # Do a reseeding<br /> # Output the resulting buffer.<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt the RNG buffer with the AES per-console key with seed 6<br /> # Reseed the PRNG with the RNG buffer<br /> # Regenerate data with the PRNG<br /> <br /> == Command 16: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. It is used to verify IdStorage IDPS certificates.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3.
The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 17: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature.<br /> <br /> It produces no output and takes as input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 18: verify certificate ==<br /> <br /> This command has no output.<br /> <br /> It takes as input a 0xB8-byte long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. (unused here)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> It verifies the AES CMAC of the header using the per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest
version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. (See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12367 Kirk 2024-01-14T22:39:55Z <p>CelesteBlue: Fix my 0x10 vs 10 confusion. Add a few precisions.</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and CMAC.<br /> <br /> Most of the static keys used by the engine (plus the private key for Kirk command 1, which is not present on the chip) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, compared with other public-key cryptography algorithms.
They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form over the same prime field p; they differ in b, G and the group order n.<br /> <br /> == Elliptic curve for Kirk commands 1/2/3/10 ==<br /> <br /> This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 10.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 12, 13, 14, 16 and 17.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> The public key is variable.
For the latest Pre-IPL version, which adds an additional ECDSA verification of the XOR of the block hashes, the public key is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> # hardcoded public key of Kirk command 1 and the public key of the latest Pre-IPL<br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key: priv * G must give the hardcoded public key<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(crv1_g, 0xF392E26490B80FD889F2D9722C1F34D7274F983D) == pt1<br /> &lt;/pre&gt;<br />
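The arithmetic behind the ecpy sample, written out as an added Go example (not code from the wiki or from ecpy): affine point addition and scalar multiplication on the two PSP curves with the parameters listed above, the sanity checks to run on a vendor-defined curve before trusting it (prime p and n, G on the curve, n*G = infinity), and a command 12 style key pair generation. Names such as Curve, Cmd1Curve, ValidateCurve and hexInt are the example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Curve is y^2 = x^3 + a*x + b over GF(p) with generator G of prime order n.
// Points are affine big.Int pairs; a nil x stands for the point at infinity.
type Curve struct{ P, A, B, N, Gx, Gy *big.Int }

func hexInt(s string) *big.Int { v, _ := new(big.Int).SetString(s, 16); return v }

// Parameters as in the ecpy sample above ('field' is p, 'order' is n). Both PSP curves
// share one field prime; only b, G and n differ.
var pspP = hexInt("FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF")
var Cmd1Curve = &Curve{pspP, big.NewInt(-3), hexInt("65D1488C0359E234ADC95BD3908014BD91A525F9"),
	hexInt("FFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F"),
	hexInt("2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA"), hexInt("604358456D0A1CB2908DE90F27D75C82BEC108C0")}
var Cmd17Curve = &Curve{pspP, big.NewInt(-3), hexInt("A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B"),
	hexInt("FFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127"),
	hexInt("128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C"), hexInt("5958557EB1DB001260425524DBC379D5AC5F4ADF")}

// Hardcoded public key that Kirk commands 1/2/3/10 verify against (pt1 in the ecpy sample).
var Cmd1PubX = hexInt("ED9CE58234E61A53C685D64D51D0236BC3B5D4B9")
var Cmd1PubY = hexInt("049DF1A075C0E04FB344858B61B79B69A63D2C39")

// IsOnCurve checks the curve equation for an affine point.
func (c *Curve) IsOnCurve(x, y *big.Int) bool {
	lhs := new(big.Int).Mul(y, y)
	rhs := new(big.Int).Exp(x, big.NewInt(3), c.P)
	rhs.Add(rhs, new(big.Int).Mul(c.A, x)).Add(rhs, c.B)
	return lhs.Mod(lhs, c.P).Cmp(rhs.Mod(rhs, c.P)) == 0
}

// Add is the affine group law; it handles infinity, doubling and P + (-P).
func (c *Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
	if x1 == nil {
		return x2, y2
	} else if x2 == nil {
		return x1, y1
	}
	num, den := new(big.Int), new(big.Int)
	if x1.Cmp(x2) != 0 { // chord slope (y2-y1)/(x2-x1)
		num.Sub(y2, y1)
		den.Sub(x2, x1)
	} else if num.Add(y1, y2).Mod(num, c.P).Sign() == 0 {
		return nil, nil // P + (-P) is the point at infinity
	} else { // tangent slope (3x^2+a)/(2y)
		num.Mul(x1, x1).Mul(num, big.NewInt(3)).Add(num, c.A)
		den.Lsh(y1, 1)
	}
	lambda := num.Mul(num, den.ModInverse(den.Mod(den, c.P), c.P)).Mod(num, c.P)
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, x1).Sub(x3, x2).Mod(x3, c.P)
	y3 := new(big.Int).Sub(x1, x3)
	y3.Mul(y3, lambda).Sub(y3, y1).Mod(y3, c.P)
	return x3, y3
}

// ScalarMult computes k*P by double-and-add; this is the operation Kirk command 13 exposes.
func (c *Curve) ScalarMult(x, y, k *big.Int) (rx, ry *big.Int) {
	for i := k.BitLen() - 1; i >= 0; i-- {
		rx, ry = c.Add(rx, ry, rx, ry)
		if k.Bit(i) == 1 {
			rx, ry = c.Add(rx, ry, x, y)
		}
	}
	return rx, ry
}

// ValidateCurve runs the checks to apply to a vendor-defined curve before trusting it:
// p and n are prime, G lies on the curve and n*G is the point at infinity (G has order n).
func (c *Curve) ValidateCurve() bool {
	x, _ := c.ScalarMult(c.Gx, c.Gy, c.N)
	return c.P.ProbablyPrime(20) && c.N.ProbablyPrime(20) && c.IsOnCurve(c.Gx, c.Gy) && x == nil
}

// GenerateKey does what command 12 does: a random scalar in [1, n) and its public point d*G.
func (c *Curve) GenerateKey() (d, qx, qy *big.Int) {
	for d == nil || d.Sign() == 0 {
		d, _ = rand.Int(rand.Reader, c.N) // uniform in [0, n); a zero draw is rejected
	}
	qx, qy = c.ScalarMult(c.Gx, c.Gy, d)
	return d, qx, qy
}

func main() {
	fmt.Println("cmd1 curve sane:", Cmd1Curve.ValidateCurve(), "cmd17 curve sane:", Cmd17Curve.ValidateCurve())
	fmt.Println("cmd1 public key on its curve:", Cmd1Curve.IsOnCurve(Cmd1PubX, Cmd1PubY))
	d, qx, qy := Cmd17Curve.GenerateKey() // layout of the command 12 output: d, then Q.x, then Q.y
	fmt.Printf("private %X\npublic (%X, %X)\n", d, qx, qy)
}
```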
<br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |No<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |No<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |Yes<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |No<br /> |-<br /> |4~131<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |Yes<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (for both coordinates), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> !Do we have it?<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |Yes (including the private key!)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |No<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |No<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |No<br /> |}<br /> <br /> = Per-console keys =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30 bytes buffer (&quot;key mesh&quot;). 
This buffer is used to generate different keys depending on a seed.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Seed<br /> !Usage<br /> |-<br /> |0<br /> |Kirk commands 2 (encryption) &amp; 3 (decryption) (the real encryption &amp; CMAC keys are random, but this per-console key is used to encrypt them)<br /> |-<br /> |1<br /> |Kirk command 5 (encryption) &amp; 8 (decryption)<br /> |-<br /> |2<br /> |Kirk command 6 (encryption) &amp; 9 (decryption)<br /> |-<br /> |3<br /> |Kirk command 16<br /> |-<br /> |4<br /> |Kirk command 18<br /> |-<br /> |5<br /> |Unused<br /> |-<br /> |6<br /> |RNG buffer reseeding<br /> |}<br /> &lt;source lang=&quot;c&quot;&gt;<br /> typedef struct ScePspKeyMesh { // size is 0x30<br /> SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 &amp; 8 and 16<br /> SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 &amp; 3, 6 &amp; 9 and 18<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> } ScePspKeyMesh;<br /> &lt;/source&gt;<br /> <br /> To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code.<br /> <br /> &lt;source lang=&quot;c&quot;&gt;<br /> // Fills *seed with the 0x30-byte key mesh. ids_master_key is the static AES key listed on the Keys page.<br /> void gen_psp_individual_seed(ScePspKeyMesh *seed) {<br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID<br /> u32 g_fuse90 = *(u32 *)0xBC100090;<br /> u32 g_fuse94 = *(u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp; 0xFF;<br /> fuseid[6] = (g_fuse90 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[5] = (g_fuse90 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[4] = (g_fuse90 &gt;&gt; 24) &amp; 0xFF;<br /> fuseid[3] = g_fuse94 &amp; 0xFF;<br /> fuseid[2] = (g_fuse94 &gt;&gt; 8) &amp; 0xFF;<br /> fuseid[1] = (g_fuse94 &gt;&gt; 16) &amp; 0xFF;<br /> fuseid[0] = (g_fuse94 &gt;&gt; 24) &amp; 0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt subkey_2 3, 6 and 9 times to obtain the three 0x10-byte keys of the key mesh<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> The key mesh can then be used along with a seed to generate a key using the following algorithm:<br /> <br /> &lt;syntaxhighlight lang=&quot;c&quot;&gt;<br /> void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh)<br /> {<br /> rijndael_ctx aes_ctx;<br /> // Odd seeds start from the second key, even seeds from the first one<br /> if (seed &amp; 1) {<br /> memcpy(output, keymesh.aes128cbc_key_2, 16);<br /> } else {<br /> memcpy(output, keymesh.aes128cbc_key_1, 16);<br /> }<br /> // Encrypt the result several times depending on the seed, with the derivation key as AES key<br /> rijndael_set_key(&amp;aes_ctx, keymesh.derivation_key, 128);<br /> seed = (seed / 2) + 1;<br /> while ((seed--) &gt;= 0) {<br /> rijndael_encrypt(&amp;aes_ctx, output, output);<br /> }<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)).
Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? (if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size+0x12<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | 
Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE signature)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_INIT_FUSE_SEEDS<br /> | Kirk Fuse Seeds Initialization<br /> | 0x1C<br /> | 0x1C<br /> 
| IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid (used for IDStorage Certificates ECDSA)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | ECDSA Signature Verification<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid (checks for generated signatures, used for IDStorage Certificates ECDSA)<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg (used for IDStorage Certificates AES-CMAC)<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 0: decrypt kbooti ==<br /> This command is only used by devkits to decrypt the kbooti, i.e. the devkit's Pre-IPL. It supposedly can only be run at a very early stage. The very short header is as follows.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Address<br /> !Size<br /> !Description<br /> |-<br /> |0x0<br /> |16<br /> |CMAC of the body, computed using AES slotted key 1<br /> |-<br /> |0x10<br /> |2<br /> |Size of the body<br /> |-<br /> |0x12<br /> |...<br /> |Body, encrypted using AES slotted key 0<br /> |}<br /> The command is very simple and acts as follows:<br /> <br /> # Verify the command is run at an early stage<br /> # Read the body size and check that it is non-zero<br /> # Verify the CMAC of the body using AES slotted key 1<br /> # While computing the CMAC, verify the body size didn't change<br /> # Decrypt body using AES slotted key 0<br /> <br /> == Commands 1, 2, 3 &amp; 10: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> These commands take very similar inputs, as they all do signature verification and decryption.<br /> <br /> * Command 1 is used to decrypt the IPL blocks.<br /> * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a)
per-console key to generate data to pass to command 3.<br /> * Command 3 decrypts data encrypted by command 2.<br /> * Command 10 takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption).<br /> <br /> There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The 0x10..0x60 bytes depend on the signature mode.<br /> <br /> '''Metadata Header Structure (Length 0x90)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> |0x00<br /> |0x10<br /> |Decryption key, encrypted with another key depending on the command<br /> |-<br /> |0x10<br /> |0x50<br /> |Signature information, depends on the signature mode (see below)<br /> |-<br /> | 0x60 || 4 || Set to 1, 2 or 3 depending on the command<br /> |-<br /> | 0x64 || 4 || Bit 0 is 0 if block is AES CMAC-signed, 1 if it is ECDSA-signed<br /> Bit 1 is used by command 2 to determine if the resulting Kirk 3 block should be AES CMAC-signed (0) or ECDSA-signed (1)<br /> |-<br /> | 0x68 || 4 || Bit 0 indicates all input data (including the full header) should be wiped if the body signature check fails<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 24 || Unused<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Signature Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the same key as the decryption key (at 0x00)<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The CMAC key at 0x10 is decrypted using a key which depends on the command and is the same key used to decrypt the decryption key at 0x00 (see below). It is decrypted using AES-CBC (so offset 0x00 is used as the IV).<br /> <br /> The CMAC of the header from offset 0x60 and size 0x30 is computed. Kirk then checks that the data size &amp; offset (at 0x70 and 0x74) did not change from what was previously read (possibly to avoid data being overwritten while being processed). The value is then checked against the value at 0x20.<br /> <br /> If this fails, the command returns KIRK_HEADER_SIG_INVALID. Otherwise, except for command 10, it proceeds with the full data CMAC, computed from header offset 0x60 to the end of the body contents. The value is checked against the value at 0x30.<br /> <br /> If this second check fails, and the LSB of 0x68 is set to 1, all the input data is wiped (set to zeros). In both cases, if the check fails, it then returns KIRK_HEADER_SIG_INVALID.<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Verification process ====<br /> <br /> The ECDSA version is slightly different. The header from offset 0x60 with size 0x30 is hashed and the header signature is verified. Similarly to CMAC, it then verifies that the values at 0x70 and 0x74 did not change.
It then acts similarly to the CMAC version with the data signature, including the possible data wiping.<br /> <br /> === Commands 1 &amp; 3 ===<br /> Commands 1 and 3 work exactly the same. The only difference is that the ECDSA public key comes from slots 0/1 for command 1, and 5/6 for command 3. Also, the AES key, used for decrypting the decryption &amp; CMAC keys, is a static key in keyslot 2 for command 1, and a per-console key with seed 0 for command 3.<br /> <br /> # Verify that the command mode at 0x60 matches the current command<br /> # Read the body size and data offset and verify that the body size is non-zero<br /> # Get or compute the AES key<br /> # Check the signature mode at 0x64, and check the header &amp; the data signature as specified above depending on the signature mode<br /> # Decrypt the decryption key at 0x00 using the key from step 3.<br /> # Decrypt the data using AES-CBC with a null IV.<br /> <br /> === Command 2 ===<br /> Command 2 is a bit more complicated as it re-encrypts data for command 3.<br /> <br /> # Follow steps 1-5 from above, using key slots 2/3 for the ECDSA key and key slot 3 for the AES key<br /> # Copy the input header (including padding) to the output<br /> # Change offset 0x60 (command) to command 3<br /> # Change offset 0x64 to 0 or 1 depending on the second bit of the input value at 0x64 (which determines if the output of command 2 should be ECDSA or CMAC-signed)<br /> # Decrypt the body of the data similarly to commands 1 &amp; 3<br /> # Generate a random key and encrypt it with per-console key (seed = 0), and store the result at 0x00<br /> # If in CMAC mode for the output, do the same for the CMAC key at 0x10 (encrypt using CBC mode and data at 0x00 as the IV)<br /> # Encrypt the body in CBC mode with a null IV<br /> # Generate a valid CMAC or ECDSA signature for the output. 
For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3).<br /> <br /> === Command 10 ===<br /> Its behavior is very simple:<br /> <br /> # Determine if the input is data for command 1, 2 or 3 depending on the command mode. (If it is another value, return an error.)<br /> # Get or compute AES and ECDSA public keys depending on the command<br /> # Check the signature similarly to the other commands.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0. The encryption commands take a header as an input along with the raw data, and generate encrypted data along with a header corresponding to the matching decryption command. Decryption commands output the raw decrypted data.<br /> <br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, index being given by the keyseed field (which must be between 0x00 and 0x7F), with console-specific modifications for some keyseeds<br /> <br /> - Commands 5 (encryption) and 8 (decryption) use a per-console key derived from the key mesh<br /> <br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from the keyseed using an unknown key derivation function<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header (except for commands 6 and 9 where it is longer).<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption (commands 4/5/6), 5 for decryption (commands 7/8/9)<br /> |-<br /> | 0x04 || 8 || Unused<br /> |-<br /> | 0x0C || 1 || Only used by commands 4/7: keyseed<br /> |-<br /> |0x0D<br /> |1<br /> |Submode: the 3 LSBs are 0 for commands 4/7, 1 for commands 5/8 and 2 for commands 6/9<br /> |-<br /> |0x0E<br /> |2<br /> |Unused<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |-<br /> |0x14<br /> |16<br /> |Only for commands 6/9: additional key<br /> |-<br /> |0x24<br /> |16<br /> |Only for command 9: reencrypted encryption key<br /> |}<br /> <br /> === Commands 4/7 ===<br /> The behavior of these commands is:<br /> <br /> # Read the header<br /> # Verify the mode and submode match the current command<br /> # Read the body size and check that it is non-zero<br /> # Get the AES key at key slot 4 + &lt;keyseed&gt;. Command 4 can only encrypt with keyseeds 0..0x3F while command 7 can decrypt with keyseeds 0..0x7F.<br /> # Derive the key for some keyseeds using per-console parameters:<br /> ## If the key mesh's derivation key MSB is 1 and keyseed is in the 0x20..0x2f or 0x6c, 0x7b range, invert the bits of the last word (4 bytes) of the key<br /> ## If the keyseed is in the 0x27..0x2f or 0x73..0x7b range, XOR the first word of the key with the key mesh derivation key<br /> # For command 4, copy the input header to the output, just replacing mode 4 with 5, and encrypt the body from offset 0x14 using AES-CBC with a null IV and the key determined at step 5.<br /> # For command 7, decrypt the data and output it without a header<br /> <br /> === Commands 5/8 ===<br /> The behavior of these commands is identical to commands 4/7, except it uses per-console key computed from the key mesh with seed 1.<br /> <br /> === Commands 6/9 ===<br /> For both commands, steps 1-3 are the same as above, but differ afterwards.<br /> <br /> Command 6 works like this:<br /> <br /> # Copy the 0x24-byte long header to 
the output, just replacing the mode from 4 to 5<br /> # Generate a random buffer and encrypt it using per-console key with seed 2. Write the result of the operation at 0x24.<br /> # Encrypt the random buffer using the key at 0x14<br /> # Use the result of step 3 to encrypt the data, then output it<br /> <br /> Command 9 is the logical counterpart:<br /> <br /> # Decrypt data at 0x24 with the per-console key with seed 2<br /> # Reencrypt the data of the previous step with the key located at offset 0x14<br /> # Decrypt the data using the result of step 2 as a key<br /> <br /> == Command 11: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 12: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 13: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 14: PRNG ==<br /> <br /> This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. 
(This is basically getting random data, but within the range given by the order of the curve.)<br /> <br /> == Command 15: Seed RNG buffer ==<br /> This function seeds the Kirk RNG buffer used to generate all the random data coming from Kirk.<br /> <br /> It takes as an input and output data of size 0x1c:<br /> <br /> * 0x00 - unknown - modified by an unknown opcode<br /> * 0x04 - counter - increased by 1 in the output<br /> * 0x08 - seed data - used for seeding, and contains fresh reseeded data for the output<br /> <br /> Seeding works this way:<br /> <br /> # Increase input counter and do unknown operation on offset 0x00<br /> # Set the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator<br /> # Initialize RNG buffer to two empty words, and then output data at offsets 0x00 and 0x04<br /> # Do a reseeding<br /> # Output resulting buffer.<br /> <br /> Reseeding is then done by all operations requiring random data and works this way:<br /> <br /> # Encrypt RNG buffer with AES per-console key with seed 6<br /> # Reseed the PRNG with the RNG buffer<br /> # Regenerate data with the PRNG<br /> <br /> == Command 16: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. It is used to verify IdStorage IDPS certificates.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with the per-console key with seed 3. 
The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature.<br /> <br /> == Command 17: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature.<br /> <br /> It takes no output, and takes as an input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature).<br /> <br /> == Command 18: verify certificate ==<br /> <br /> This command has no output.<br /> <br /> It takes as an input a 0xB8-long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. (unused here)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> It verifies the AES CMAC of the header using per-console key with seed 4.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header signature<br /> 0x04: Invalid data signature<br /> 0x05: Invalid ECDSA data<br /> 0x0C: Kirk not seeded<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid encryption keyseed<br /> 0x0F: Invalid decryption keyseed<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest 
version Bootrom public key is unknown.<br /> * Keys related to Kirk commands 0, 2 and 3 are unknown. (See above for details.)<br /> * The Kirk's internal PRNG is deterministic but its function is unknown.<br /> * Elliptic curves have additional parameters specified in the code, which are unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12292 Kirk 2024-01-11T00:57:37Z <p>CelesteBlue: /* Commands */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base of 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and CMAC computation.<br /> <br /> All (or almost all) the static keys used by the engine (plus the private key for Kirk command 1) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and requiring only small keys compared to other public-key cryptography algorithms. 
They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk command 1 ==<br /> <br /> This curve is used for the ECDSA verification of Kirk command 1.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0x10, 0x11, and likely 0x12.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> The public key is variable. 
For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> # public keys: Kirk command 1 (hardcoded) and the latest Pre-IPL key on the second curve<br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key: private scalar * G must equal the public point<br /> # (ecpy's Curve.mul_point takes the scalar first, then the point)<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1<br /> &lt;/pre&gt;<br /> 
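The model below is an added example and is not code from the wiki, from ecpy or from any PSP tool: it implements in pure Python (no ecpy dependency) the elliptic-curve arithmetic behind the commands documented on this page, namely key pair generation (command 12, 0x3C-byte output), point multiplication (command 13, 0x3C-byte input and 0x28-byte output), signature generation over a SHA1 hash (command 16, with the "non-zero and below the curve order" scalar check) and signature verification (command 17, 0x64-byte input returning 0 or KIRK_ECDSA_DATA_INVALID). It uses the second curve with the prime and order as the ecpy sample above assigns them to 'field' and 'order'; note that the two &lt;pre&gt; blocks above list the same two numbers with the labels p and n swapped, and the block's own sanity check that N times G is the point at infinity holds for the ecpy assignment. The private key, nonce and message are constructed test values; on the hardware the private key arrives AES-encrypted and the nonce comes from the Kirk PRNG, so this is a model of the arithmetic, not a replacement for the engine.

```python
# Pure-Python model of the ECDSA side of Kirk commands 12, 13, 16 and 17 (added example).
import hashlib

# Curve for Kirk commands 0xC, 0xD, 0x10, 0x11; prime/order as the ecpy sample assigns them.
P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
A = P - 3
B = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B
G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
     0x5958557EB1DB001260425524DBC379D5AC5F4ADF)
N = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127

KIRK_ECDSA_DATA_INVALID = 5  # command 17 failure code from the error code list
FIELD_BYTES = 0x14           # every scalar/coordinate in the Kirk buffers is 0x14 bytes


def on_curve(pt):
    """True for the point at infinity (None) or any (x, y) with y^2 = x^3 + ax + b mod p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition/doubling on the short Weierstrass curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P) is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication, the operation command 13 exposes."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def i2b(v): return v.to_bytes(FIELD_BYTES, "big")
def b2i(b): return int.from_bytes(b, "big")


def sha1_hash(data):
    """What command 11 returns for the data (here computed with hashlib)."""
    return hashlib.sha1(data).digest()


def cmd12_keypair(priv):
    """Command 12 output layout (0x3C bytes): private key || pub.x || pub.y."""
    pub = ec_mul(priv, G)
    return i2b(priv) + i2b(pub[0]) + i2b(pub[1])


def cmd13_mul(buf):
    """Command 13: input k || P.x || P.y (0x3C bytes) -> output (kP).x || (kP).y (0x28 bytes)."""
    k, px, py = b2i(buf[0:0x14]), b2i(buf[0x14:0x28]), b2i(buf[0x28:0x3C])
    q = ec_mul(k, (px, py))
    return i2b(q[0]) + i2b(q[1])


def cmd16_sign(priv, msg_hash, k):
    """Command 16 semantics: reject an invalid scalar, then output r || s (0x28 bytes).
    On hardware the key arrives AES-encrypted and k comes from the Kirk PRNG; here both
    are passed in the clear, so this is a model of the arithmetic, not a secure signer."""
    if not 0 < priv < N:
        raise ValueError("private scalar must be non-zero and below the curve order")
    e = b2i(msg_hash) % N
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return i2b(r) + i2b(s)


def cmd17_verify(buf):
    """Command 17: pubkey at 0x00, hash at 0x28, r at 0x3C, s at 0x50; returns 0 or 5."""
    if len(buf) != 0x64:
        return KIRK_ECDSA_DATA_INVALID
    pub = (b2i(buf[0x00:0x14]), b2i(buf[0x14:0x28]))
    e = b2i(buf[0x28:0x3C]) % N
    r, s = b2i(buf[0x3C:0x50]), b2i(buf[0x50:0x64])
    if not on_curve(pub) or not (0 < r < N and 0 < s < N):
        return KIRK_ECDSA_DATA_INVALID
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, pub))
    return 0 if pt is not None and pt[0] % N == r else KIRK_ECDSA_DATA_INVALID


def demo():
    """Round trip with a constructed private key and nonce (test values only)."""
    priv, k = 0x1234567890ABCDEF1234567890ABCDEF12345678, 0x0FEDCBA987654321
    keypair = cmd12_keypair(priv)
    h = sha1_hash(b"constructed message")
    sig = cmd16_sign(priv, h, k)
    return cmd17_verify(keypair[0x14:0x3C] + h + sig)
```

demo() returns 0, the success code; feeding cmd17_verify a buffer whose hash or signature bytes were altered returns 5. The public-key-on-curve check in cmd17_verify is the caveat a verifier should not skip: a point off the curve makes the scalar multiplication meaningless, so it is rejected before any signature arithmetic runs.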
<br /> = Slotted Keys =<br /> The KIRK ROM can access different keys which are slotted in what might be some kind of secure enclave. There are slots for both AES and ECDSA keys.<br /> <br /> == AES slotted keys ==<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> |-<br /> |0<br /> |KIRK command 0 (Kbooti from Devkit) decryption key<br /> |-<br /> |1<br /> |KIRK command 0 (Kbooti from Devkit) CMAC key<br /> |-<br /> |2<br /> |KIRK command 1 (IPL) decryption key<br /> |-<br /> |3<br /> |KIRK command 2 (DRM) decryption key<br /> |-<br /> |4~131<br /> |KIRK commands 4/7 decryption keys (128 possible ones)<br /> |}<br /> <br /> == ECDSA slotted keys ==<br /> Note: public keys take two slots (for both coordinates), and private keys take only one.<br /> {| class=&quot;wikitable&quot;<br /> |+<br /> !Id<br /> !Content<br /> |-<br /> |0/1<br /> |KIRK command 1 (IPL) public key (used to verify valid IPLs)<br /> |-<br /> |2/3<br /> |KIRK command 2 (DRM) public key (used to verify data passed to KIRK command 2)<br /> |-<br /> |4<br /> |KIRK command 3 (DRM) private key (used by command 2 to sign data for command 3)<br /> |-<br /> |5/6<br /> |KIRK command 3 (DRM) public key (used by command 3 to verify data coming from command 2)<br /> |}<br /> <br /> = Individual Seed =<br /> <br /> Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x40 bytes buffer. 
The first 0x10 bytes of the buffer are the AES CBC MAC key used by Kirk command 18 whilst the second 0x10 bytes are the AES CBC key used by Kirk command 16.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> typedef struct ScePspIndividualSeed { // size is 0x40<br /> SceUInt8 aes128cbc_mac_key[0x10]; // used by Kirk command 18<br /> SceUInt8 aes128cbc_key[0x10]; // used by Kirk command 16<br /> SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys<br /> SceUInt8 fuse_id[8]; // endianness to be specified<br /> SceUInt32 padding; // usually set to zero<br /> SceUInt32 hash; // the hash algorithm is in flashData.prx<br /> } ScePspIndividualSeed;<br /> &lt;/source&gt;<br /> <br /> To generate the individual seed of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code. It fills the caller's ScePspIndividualSeed structure; ids_master_key is the static 16-byte AES key declared elsewhere, and the rijndael_* functions are the AES primitives of the surrounding code base.<br /> <br /> &lt;source lang=&quot;C&quot;&gt;<br /> void gen_psp_individual_seed(ScePspIndividualSeed *seed) { <br /> int i, k;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> u8 fuseid[8];<br /> <br /> // Byte-reverse the Fuse ID (volatile: these are hardware registers)<br /> u32 g_fuse90 = *(volatile u32 *)0xBC100090;<br /> u32 g_fuse94 = *(volatile u32 *)0xBC100094;<br /> fuseid[7] = g_fuse90 &amp;0xFF;<br /> fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> fuseid[3] = g_fuse94 &amp;0xFF;<br /> fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> rijndael_set_key(&amp;aes_ctx, ids_master_key, 128); // set ids_master_key as AES key<br /> <br /> for (i = 0; i &lt; 0x10; i++) // initialize the subkeys using the Fuse ID<br /> subkey_2[i] = subkey_1[i] = fuseid[i % 8];<br /> <br /> for (i = 0; i &lt; 3; i++) { // AES encrypt, then decrypt, then encrypt, then decrypt, each subkey<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128); // set subkey_1 as AES key<br /> <br /> for (i = 0; i &lt; 3; i++) { // encrypt three times each one of the three first blocks<br /> for (k = 0; k &lt; 3; k++)<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> memcpy((u8 *)seed + i * 0x10, subkey_2, 0x10); // fills the MAC key, the CBC key, then the derivation key<br /> }<br /> <br /> rijndael_set_key(&amp;aes_ctx, seed-&gt;derivation_key, 128); // set the derivation key as AES key<br /> <br /> for (i = 0; i &lt; 2; i++) { // encrypt twice the seeds to get the final keys<br /> rijndael_encrypt(&amp;aes_ctx, seed-&gt;aes128cbc_mac_key, seed-&gt;aes128cbc_mac_key);<br /> rijndael_encrypt(&amp;aes_ctx, seed-&gt;aes128cbc_key, seed-&gt;aes128cbc_key);<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? 
(if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti size<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | {{Slot0_AES_1_CMAC}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led, bootrom<br /> | {{no}}<br /> | {{Slot2_AES_CMAC}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{Slot3_AES}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | mesg_led<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab, openpsid<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | openpsid, chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | buf_size+0x24<br /> | buf_size+0x34<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab, openpsid, bootrom<br /> | {{no}}<br /> | {{Slot4_AES}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) 
(key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | buf_size+0x34 (header + key)<br /> | buf_size<br /> | power, inside a kl4e blob, IPL (stage 2)<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE sig)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab, chkreg, openpsid, bootrom<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | memab, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_INIT_FUSE_SEEDS<br /> | Initializes Kirk Fuse Seeds. 
<br /> | 0<br /> | 0<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab, openpsid<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | Signature Verification (checks for generated signatures)<br /> | 0x64<br /> | 0<br /> | memab, memlmd, mesg_led, openpsid<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification (IDStorage Certificates CMAC)<br /> | 0xB8<br /> | 0<br /> | openpsid, memab, chkreg<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 1: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> This function is used to both decrypt and verify the signature of the IPL blocks.<br /> <br /> There are two versions of this service: AES CMAC Verification, and ECDSA Verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The first 0x60 bytes depend on the version. The last 0x30 bytes are the same in both cases:<br /> <br /> '''Metadata Header Structure (Length 0x30)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x60 || 4 || Set to 1<br /> |-<br /> | 0x64 || 4 || 0 indicates AES CMAC version, 1 indicates ECDSA version<br /> |-<br /> | 0x68 || 4 || 0<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 8 || 0<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 16 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The first 0x20 bytes of the Key Header are decrypted with the Kirk command 1 Stored AES Key. This was allegedly discovered by Datel by decapping the chip and reverse engineering the algorithms and keys. This was also recovered through the failure in PS3 cryptography by decrypting the isolated module in the PSP emulator on the PS3.<br /> <br /> The first block is the AES Key used for decrypting the main data. The second block is used to decrypt the next two blocks (0x20 bytes at offset 0x20). These represent the Metadata Header CMAC and the Data CMAC. They are checked against the AES CMAC of the metadata header section and the AES CMAC of the whole data, from the metadata header section to the end of the data (including padding in-between).<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x00 || 0x10 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The ECDSA version is slightly different. Only the first block (0x10 bytes) is decrypted with the Kirk command 1 AES Key. It is used to decrypt the main data section just as in the AES CMAC version. 
Rather than a CMAC, the Metadata header is checked by SHA1 hashing its 0x30 bytes and checking the signature components through an ECDSA Verify call. The encrypted Data section is also checked via SHA1 of the entire data through an ECDSA Verify call.<br /> <br /> The ECDSA curve parameters are indicated above.<br /> <br /> == Commands 2 &amp; 3: DRM encrypt &amp; decrypt ==<br /> <br /> These commands are mostly unknown. The header is the same as Kirk command 1, with the mode set to 2 or 3.<br /> <br /> In command 2, the input data passed to Kirk is first checked (presumably CMAC), then decrypted, and re-encrypted with the console unique private key.<br /> Having that common key would allow legit creation of DRM BB install packages.<br /> <br /> Command 3 is the decryption counterpart of command 2.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0.<br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, index being given by the keyseed field (which must be between 0x00 and 0x7F)<br /> - Commands 5 (encryption) and 8 (decryption) use an unknown per-console key (it is unknown if it is derived from other data, or just stored as-is on the chip)<br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from the keyseed using an unknown key derivation function<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header:<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption, 5 for decryption<br /> |-<br /> | 0x04 || 8 || Unknown (0?)<br /> |-<br /> | 0x0C || 4 || Keyseed<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |}<br /> <br /> == Command 10: AES CMAC verification ==<br /> <br /> Used to verify IdStorage IDPS certificates.<br /> <br /> This seems to be the AES CMAC verification of Kirk command 1, and takes the same header as Command 1, the only difference is that no decryption is performed.<br /> <br /> See command 1 information for details.<br /> <br /> It could also possibly verify CMACs for commands 2 and 3, but that is unknown.<br /> <br /> == Command 11: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 12: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 13: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. 
See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 14: PRNG ==<br /> <br /> This function takes no input and generates random data of the given size (depending on the specified size of the output buffer).<br /> <br /> == Command 15: Init Fuse Seeds ==<br /> <br /> This function takes no input and no output.<br /> <br /> Kirk initialization of Fuse Seeds.<br /> <br /> == Command 16: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with a device-specific encryption using the FuseID.<br /> <br /> Here is the code of the decryption, thanks to Davee &amp; Proxima. 
g_fuse90 and g_fuse94 are the two words composing the FuseID (present at the 0xBC100090 and 0xBC100094 hardware registers).<br /> <br /> Output is 0x20-byte long, but the last 0xC bytes are ignored (and possibly always equal to zero) for the private key.<br /> <br /> &lt;pre&gt;<br /> void decrypt_kirk16_private(u8 *dA_out, u8 *dA_enc)<br /> { <br /> int i, k;<br /> kirk16_data keydata;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> <br /> keydata.fuseid[7] = g_fuse90 &amp;0xFF;<br /> keydata.fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> keydata.fuseid[3] = g_fuse94 &amp;0xFF;<br /> keydata.fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> /* set encryption key */<br /> rijndael_set_key(&amp;aes_ctx, kirk16_key, 128);<br /> <br /> /* set the subkeys */<br /> for (i = 0; i &lt; 0x10; i++)<br /> {<br /> /* set to the fuseid */<br /> subkey_2[i] = subkey_1[i] = keydata.fuseid[i % 8];<br /> } <br /> <br /> /* do aes crypto */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* encrypt + decrypt */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* set new key */<br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128);<br /> <br /> /* now lets make the key mesh */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* do encryption in group of 3 */<br /> for (k = 0; k &lt; 3; k++)<br /> {<br /> /* crypto */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* copy to out block */<br /> memcpy(&amp;keydata.mesh[i * 0x10], subkey_2, 0x10);<br /> }<br /> <br /> /* set the key to the mesh */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x20], 128);<br /> <br /> /* do the encryption routines for 
the aes key */<br /> for (i = 0; i &lt; 2; i++)<br /> {<br /> /* encrypt the data */<br /> rijndael_encrypt(&amp;aes_ctx, &amp;keydata.mesh[0x10], &amp;keydata.mesh[0x10]);<br /> }<br /> <br /> /* set the key to that mesh shit */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x10], 128);<br /> <br /> /* cbc decrypt the dA */<br /> AES_cbc_decrypt((AES_ctx *)&amp;aes_ctx, dA_enc, dA_out, 0x20);<br /> }<br /> &lt;/pre&gt;<br /> <br /> == Command 17: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature using the ECDSA curve described above.<br /> <br /> It produces no output and takes as input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, 5 on failure to verify the signature).<br /> <br /> == Command 18: verify certificate ==<br /> <br /> This command most likely has no output header.<br /> <br /> It takes as input a 0xB8-byte long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID)<br /> *0x10: certificate public key (x and y)<br /> *0x38: ECDSA signature (r and s)<br /> *0x60: ECDSA public key used for the signature<br /> *0x88: certificate encrypted private key (padded)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> <br /> Details are on the PS Vita wiki. See also the source code of the DespertarDelCementerio and CEX2DEX programs.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header digest<br /> 0x04: Invalid data digest<br /> 0x05: Invalid signature<br /> 0x0C: isInCriticalSection violation<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid seed/code (cipher operations)<br /> 0x0F: Invalid ?header size? 
(cipher operations)<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the public key of the latest PRE-IPL version is unknown.<br /> * Commands 2, 3, 5, 6, 8, and 9 are mostly unknown and need testing/documentation.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12240 Kirk 2024-01-08T19:12:52Z <p>CelesteBlue: /* Error codes */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory-mapped registers at base address 0xBDE00000 (the [[SPOCK Crypto Engine]], on the other hand, is mapped at 0xBDF00000).
It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and CMAC.<br /> <br /> All (or almost all) the static keys used by the engine (plus the private key for Kirk command 1) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, contrary to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console.
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk command 1 ==<br /> <br /> This curve is used for the ECDSA verification of Kirk command 1.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0x10, 0x11, and likely 0x12.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> The public key is variable.
For the latest Pre-IPL version, which adds an additional ECDSA verification of the XOR of the block hashes, the public key is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert(crv1.mul_point(crv1.generator, 0xF392E26490B80FD889F2D9722C1F34D7274F983D) == pt1)<br /> &lt;/pre&gt;<br /> 
<br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> ! scope=&quot;col&quot;| Uses slot key? (if yes, specify)<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti bootrom size<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> | slot 0 (AES) and 1 (CMAC)<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led<br /> | {{no}}<br /> | slot 2 (AES and CMAC)<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | <br /> | {{yes}}<br /> | slot 3 (AES)<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, 
memab<br /> | {{no}}<br /> | slot 4 (AES)<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | ?<br /> | ?<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab<br /> | {{no}}<br /> | slot 4 (AES)<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | ?<br /> | ?<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE sig)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | <br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm<br /> | 
{{no}}<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_INIT<br /> | Initializes Kirk. As long as Kirk is uninitialized only commands 0 and 15 can be used.<br /> | 0<br /> | 0<br /> | IPL<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab<br /> | {{yes}}<br /> | {{no}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | Signature Verification (checks for generated signatures)<br /> | 0x64<br /> | 0<br /> | memab<br /> | {{no}}<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification (IDStorage Certificates CMAC)<br /> | 0xB8<br /> | 0<br /> | openpsid, memab<br /> | {{yes}}<br /> | {{no}}<br /> |}<br /> <br /> == Command 1: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> This function is used to both decrypt and verify the signature of the IPL blocks.<br /> <br /> There are two versions of this service: AES CMAC Verification, and ECDSA Verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The first 0x60 bytes depend on the version. The last 0x30 bytes are the same in both cases:<br /> <br /> '''Metadata Header Structure (Length 0x30)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x60 || 4 || Set to 1<br /> |-<br /> | 0x64 || 4 || 0 indicates AES CMAC version, 1 indicates ECDSA version<br /> |-<br /> | 0x68 || 4 || 0<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 8 || 0<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! 
Address !! Size !! Description<br /> |-<br /> | 0x00 || 16 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The first 0x20 bytes of the Key Header are decrypted with the Kirk command 1 Stored AES Key. This was allegedly discovered by Datel by decapping the chip and reverse engineering the algorithms and keys. This was also recovered through the failure in PS3 cryptography by decrypting the isolated module in the PSP emulator on the PS3.<br /> <br /> The first block is the AES Key used for decrypting the main data. The second block is used to decrypt the next two blocks (0x20 bytes at offset 0x20). These represent the Metadata Header CMAC and the Data CMAC. They are checked against the AES CMAC of the metadata header section and the AES CMAC of the whole data, from the metadata header section to the end of the data (including padding in-between).<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x00 || 0x10 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The ECDSA version is slightly different. Only the first block (0x10 bytes) is decrypted with the Kirk command 1 AES Key. It is used to decrypt the main data section just as in the AES CMAC version.
Rather than a CMAC, the Metadata header is checked by SHA1 hashing its 0x30 bytes and checking the signature components through an ECDSA Verify call. The encrypted Data section is also checked via SHA1 of the entire data through an ECDSA Verify call.<br /> <br /> The ECDSA curve parameters are indicated above.<br /> <br /> == Commands 2 &amp; 3: DRM encrypt &amp; decrypt ==<br /> <br /> These commands are mostly unknown. The header is the same as Kirk command 1, with the mode set to 2 or 3.<br /> <br /> In command 2, the input data passed to Kirk is first checked (presumably CMAC), then decrypted, and re-encrypted with the console-unique private key.<br /> Having that common key would allow legit creation of DRM BB install packages.<br /> <br /> Command 3 is the decryption counterpart of command 2.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0.<br /> - Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F)<br /> - Commands 5 (encryption) and 8 (decryption) use an unknown per-console key (it is unknown whether it is derived from other data or just stored as-is on the chip)<br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from the keyseed using an unknown key derivation function<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header:<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption, 5 for decryption<br /> |-<br /> | 0x04 || 8 || Unknown (0?)<br /> |-<br /> | 0x0C || 4 || Keyseed<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |}<br /> <br /> == Command 10: AES CMAC verification ==<br /> <br /> Used to verify IdStorage IDPS certificates.<br /> <br /> This seems to be the AES CMAC verification of Kirk command 1, and takes the same header as Command 1; the only difference is that no decryption is performed.<br /> <br /> See the command 1 section for details.<br /> <br /> It could also possibly verify CMACs for commands 2 and 3, but that is unknown.<br /> <br /> == Command 11: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14 bytes long.<br /> <br /> == Command 12: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 13: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar.
See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3C):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 14: PRNG ==<br /> <br /> This function takes no input and generates random data of the given size (depending on the specified size of the output buffer).<br /> <br /> == Command 15: Init ==<br /> <br /> This function takes no input and no output.<br /> <br /> Kirk initialization.<br /> <br /> == Command 16: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with a device-specific encryption using the FuseID.<br /> <br /> Here is the code of the decryption, thanks to Davee &amp; Proxima.
g_fuse90 and g_fuse94 are the two words composing the FuseID (present at the 0xBC100090 and 0xBC100094 hardware registers).<br /> <br /> Output is 0x20-byte long, but the last 0xC bytes are ignored (and possibly always equal to zero) for the private key.<br /> <br /> &lt;pre&gt;<br /> void decrypt_kirk16_private(u8 *dA_out, u8 *dA_enc)<br /> { <br /> int i, k;<br /> kirk16_data keydata;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> <br /> keydata.fuseid[7] = g_fuse90 &amp;0xFF;<br /> keydata.fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> keydata.fuseid[3] = g_fuse94 &amp;0xFF;<br /> keydata.fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> /* set encryption key */<br /> rijndael_set_key(&amp;aes_ctx, kirk16_key, 128);<br /> <br /> /* set the subkeys */<br /> for (i = 0; i &lt; 0x10; i++)<br /> {<br /> /* set to the fuseid */<br /> subkey_2[i] = subkey_1[i] = keydata.fuseid[i % 8];<br /> } <br /> <br /> /* do aes crypto */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* encrypt + decrypt */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* set new key */<br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128);<br /> <br /> /* now lets make the key mesh */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* do encryption in group of 3 */<br /> for (k = 0; k &lt; 3; k++)<br /> {<br /> /* crypto */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* copy to out block */<br /> memcpy(&amp;keydata.mesh[i * 0x10], subkey_2, 0x10);<br /> }<br /> <br /> /* set the key to the mesh */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x20], 128);<br /> <br /> /* do the encryption routines for 
the aes key */<br /> for (i = 0; i &lt; 2; i++)<br /> {<br /> /* encrypt the data */<br /> rijndael_encrypt(&amp;aes_ctx, &amp;keydata.mesh[0x10], &amp;keydata.mesh[0x10]);<br /> }<br /> <br /> /* set the key to that mesh shit */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x10], 128);<br /> <br /> /* cbc decrypt the dA */<br /> AES_cbc_decrypt((AES_ctx *)&amp;aes_ctx, dA_enc, dA_out, 0x20);<br /> }<br /> &lt;/pre&gt;<br /> <br /> == Command 17: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature using the ECDSA curve described above.<br /> <br /> It produces no output and takes as input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, 5 on failure to verify the signature).<br /> <br /> == Command 18: verify certificate ==<br /> <br /> This command most likely has no output header.<br /> <br /> It takes as input a 0xB8-byte long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID)<br /> *0x10: certificate public key (x and y)<br /> *0x38: ECDSA signature (r and s)<br /> *0x60: ECDSA public key used for the signature<br /> *0x88: certificate encrypted private key (padded)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> <br /> Details are on the PS Vita wiki. See also the source code of the DespertarDelCementerio and CEX2DEX programs.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header digest<br /> 0x04: Invalid data digest<br /> 0x05: Invalid signature<br /> 0x0C: isInCriticalSection violation<br /> 0x0D: Invalid operation (out of 1-18 range)<br /> 0x0E: Invalid seed/code (cipher operations)<br /> 0x0F: Invalid ?header size? 
(cipher operations)<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the public key of the latest PRE-IPL version is unknown.<br /> * Commands 2, 3, 5, 6, 8, and 9 are mostly unknown and need testing/documentation.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12234 Kirk 2024-01-08T18:26:06Z <p>CelesteBlue: /* Code Samples */</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory-mapped registers at base address 0xBDE00000 (the [[SPOCK Crypto Engine]], on the other hand, is mapped at 0xBDF00000).
It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and CMAC.<br /> <br /> All (or almost all) the static keys used by the engine (plus the private key for Kirk command 1) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, contrary to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console.
They are not vulnerable to any known attack.<br /> <br /> Both use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk command 1 ==<br /> <br /> This curve is used for the ECDSA verification of Kirk command 1.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0x10, 0x11, and likely 0x12.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> The public key is variable.
For the latest Pre-IPL version, which adds an additional ECDSA verification of the XOR of the block hashes, the public key is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy Python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> <br /> # verify the Kirk command 1 ECDSA private key<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert(crv1.mul_point(crv1.generator, 0xF392E26490B80FD889F2D9722C1F34D7274F983D) == pt1)<br /> &lt;/pre&gt;<br /> 
<br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> ! scope=&quot;col&quot;| Uses perconsole key fuse based algo?<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti bootrom size<br /> | decrypted kbooti bootrom size<br /> | tachsm.o<br /> | {{no}}<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led<br /> | {{no}}<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | <br /> | {{no}}<br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | <br /> | {{no}}<br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab<br /> | {{no}}<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | 
buf_size+0x14<br /> | chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> | {{yes}}<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> | Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | ?<br /> | ?<br /> | <br /> | {{yes}}<br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab<br /> | {{no}}<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, psheet since PSP FW 2.81 for PGD<br /> | {{yes}}<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | ?<br /> | ?<br /> | <br /> | {{yes}}<br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE sig)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> | {{yes}}<br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab<br /> | {{no}}<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab<br /> | {{no}}<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | <br /> | {{no}}<br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm<br /> | {{no}}<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_INIT<br /> | Initializes Kirk. 
As long as Kirk is uninitialized only commands 0 and 15 can be used.<br /> | 0<br /> | 0<br /> | IPL<br /> | {{yes}}<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab<br /> | {{yes}}<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | Signature Verification (checks for generated signatures)<br /> | 0x64<br /> | 0<br /> | memab<br /> | {{no}}<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification (IDStorage Certificates CMAC)<br /> | 0xB8<br /> | 0<br /> | openpsid, memab<br /> | {{yes}}<br /> |}<br /> <br /> == Command 1: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> This function is used to both decrypt and verify the signature of the IPL blocks.<br /> <br /> There are two versions of this service: AES CMAC Verification, and ECDSA Verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The first 0x60 bytes depend on the version. The last 0x30 bytes are the same in both cases:<br /> <br /> '''Metadata Header Structure (Length 0x30)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x60 || 4 || Set to 1<br /> |-<br /> | 0x64 || 4 || 0 indicates AES CMAC version, 1 indicates ECDSA version<br /> |-<br /> | 0x68 || 4 || 0<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 8 || 0<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 16 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The first 0x20 bytes of the Key Header are decrypted with the Kirk command 1 Stored AES Key. This was allegedly discovered by Datel by decapping the chip and reverse engineering the algorithms and keys. This was also recovered through the failure in PS3 cryptography by decrypting the isolated module in the PSP emulator on the PS3.<br /> <br /> The first block is the AES Key used for decrypting the main data. The second block is used to decrypt the next two blocks (0x20 bytes at offset 0x20). These represent the Metadata Header CMAC and the Data CMAC. They are checked against the AES CMAC of the metadata header section and the AES CMAC of the whole data, from the metadata header section to the end of the data (including padding in-between).<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x00 || 0x10 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The ECDSA version is slightly different. Only the first block (0x10 bytes) is decrypted with the Kirk command 1 AES Key. It is used to decrypt the main data section just as in the AES CMAC version. 
Rather than a CMAC, the Metadata header is checked by SHA1 hashing its 0x30 bytes and checking the signature components through an ECDSA Verify call. The encrypted Data section is also checked via SHA1 of the entire data through an ECDSA Verify call.<br /> <br /> The ECDSA curve parameters are indicated above.<br /> <br /> == Commands 2 &amp; 3: DRM encrypt &amp; decrypt ==<br /> <br /> These commands are mostly unknown. The header is the same as Kirk command 1, with the mode set to 2 or 3.<br /> <br /> In command 2, the input data passed to Kirk is first checked (presumably CMAC), then decrypted, and re-encrypted with the console-unique private key.<br /> Having that common key would allow legit creation of DRM BB install packages.<br /> <br /> Command 3 is the decryption counterpart of command 2.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0.<br /> * Commands 4 (encryption) and 7 (decryption) use one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, the index being given by the keyseed field (which must be between 0x00 and 0x7F)<br /> * Commands 5 (encryption) and 8 (decryption) use an unknown per-console key (it is unknown if it is derived from other data, or just stored as-is on the chip)<br /> * Commands 6 (encryption) and 9 (decryption) use a key derived from the keyseed using an unknown key derivation function<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header:<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption, 5 for decryption<br /> |-<br /> | 0x04 || 8 || Unknown (0?)<br /> |-<br /> | 0x0C || 4 || Keyseed<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |}<br /> <br /> == Command 10: AES CMAC verification ==<br /> <br /> Used to verify IdStorage IDPS certificates.<br /> <br /> This seems to be the AES CMAC verification of Kirk command 1, and takes the same header as command 1; the only difference is that no decryption is performed.<br /> <br /> See command 1 information for details.<br /> <br /> It could also possibly verify CMACs for commands 2 and 3, but that is unknown.<br /> <br /> == Command 11: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. The output is 0x14 bytes long.<br /> <br /> == Command 12: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 13: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. 
See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point (x and y are each 0x14 bytes long).<br /> <br /> == Command 14: PRNG ==<br /> <br /> This function takes no input and generates random data of the given size (depending on the specified size of the output buffer).<br /> <br /> == Command 15: Init ==<br /> <br /> This function takes no input and no output.<br /> <br /> Kirk initialization.<br /> <br /> == Command 16: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with a device-specific encryption using the FuseID.<br /> <br /> Here is the code of the decryption, thanks to Davee &amp; Proxima. 
g_fuse90 and g_fuse94 are the two words composing the FuseID (present at the 0xBC100090 and 0xBC100094 hardware registers).<br /> <br /> Output is 0x20-byte long, but the last 0xC bytes are ignored (and possibly always equal to zero) for the private key.<br /> <br /> &lt;pre&gt;<br /> void decrypt_kirk16_private(u8 *dA_out, u8 *dA_enc)<br /> { <br /> int i, k;<br /> kirk16_data keydata;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> <br /> keydata.fuseid[7] = g_fuse90 &amp;0xFF;<br /> keydata.fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> keydata.fuseid[3] = g_fuse94 &amp;0xFF;<br /> keydata.fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> /* set encryption key */<br /> rijndael_set_key(&amp;aes_ctx, kirk16_key, 128);<br /> <br /> /* set the subkeys */<br /> for (i = 0; i &lt; 0x10; i++)<br /> {<br /> /* set to the fuseid */<br /> subkey_2[i] = subkey_1[i] = keydata.fuseid[i % 8];<br /> } <br /> <br /> /* do aes crypto */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* encrypt + decrypt */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* set new key */<br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128);<br /> <br /> /* now lets make the key mesh */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* do encryption in group of 3 */<br /> for (k = 0; k &lt; 3; k++)<br /> {<br /> /* crypto */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* copy to out block */<br /> memcpy(&amp;keydata.mesh[i * 0x10], subkey_2, 0x10);<br /> }<br /> <br /> /* set the key to the mesh */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x20], 128);<br /> <br /> /* do the encryption routines for 
the aes key */<br /> for (i = 0; i &lt; 2; i++)<br /> {<br /> /* encrypt the data */<br /> rijndael_encrypt(&amp;aes_ctx, &amp;keydata.mesh[0x10], &amp;keydata.mesh[0x10]);<br /> }<br /> <br /> /* set the key to that mesh shit */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x10], 128);<br /> <br /> /* cbc decrypt the dA */<br /> AES_cbc_decrypt((AES_ctx *)&amp;aes_ctx, dA_enc, dA_out, 0x20);<br /> }<br /> &lt;/pre&gt;<br /> <br /> == Command 17: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature using the ECDSA curve described above.<br /> <br /> It takes no output, and takes as an input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, 5 on failure to verify the signature).<br /> <br /> == Command 18: verify certificate ==<br /> <br /> This command has most likely no output header.<br /> <br /> It takes as an input a 0xB8-long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID)<br /> *0x10: certificate public key (x and y)<br /> *0x38: ECDSA signature (r and s)<br /> *0x60: ECDSA public key used for the signature<br /> *0x88: certificate encrypted private key (padded)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> <br /> Details are on the PS Vita wiki. See also the source code of the DespertarDelCementerio and CEX2DEX programs.<br /> <br /> = Error codes =<br /> <br /> &lt;pre&gt;<br /> 0x00: Success<br /> 0x01: Kirk not enabled<br /> 0x02: Invalid mode<br /> 0x03: Invalid header digest<br /> 0x04: Invalid data digest<br /> 0x05: Invalid signature<br /> 0x06:<br /> 0x07:<br /> 0x08:<br /> 0x09:<br /> 0x0A:<br /> 0x0B:<br /> 0x0C: isInCriticalSection violation<br /> 0x0D: Invalid operation (1-18)<br /> 0x0E: Invalid seed/code (cipher operations)<br /> 0x0F: Invalid ?header size? 
(cipher operations)<br /> 0x10: Invalid data size (equals 0) (sign/cipher operations)<br /> &lt;/pre&gt;<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version PRE-IPL public key is unknown.<br /> * Commands 2, 3, 5, 6, 8, and 9 are mostly unknown and need testing/documentation.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Kirk&diff=12230 Kirk 2024-01-06T21:47:02Z <p>CelesteBlue: Improve consistence and add precisions.</p> <hr /> <div>The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is interfaced via memory mapped registers at base address 0xBDE00000 ([[SPOCK Crypto Engine]] on the other hand is mapped to 0xBDF00000). 
It is capable of performing AES encryption and decryption, SHA1 hashing, pseudo-random number generation, ECDSA signature generation and verification, and AES-CMAC.<br /> <br /> All (or almost all) the static keys used by the engine (plus the private key for Kirk command 1) have been found through the PS3 hacks or glitching and can be found on the [[Keys]] page.<br /> <br /> = Invocation =<br /> <br /> All of the Kirk commands can be invoked through the function sceUtilsBufferCopyWithRange, which takes five arguments:<br /> *the output buffer (if there is one, NULL otherwise)<br /> *the output buffer size (if there is one, 0 otherwise)<br /> *the input buffer (if there is one, NULL otherwise)<br /> *the input buffer size (if there is one, 0 otherwise)<br /> *the index of the command (as detailed below).<br /> <br /> = Elliptic curves =<br /> <br /> The PSP uses ECDSA for public-key cryptography. Elliptic curves are known for being fast and only requiring small keys, contrary to other public-key cryptography algorithms. They are still considered to be very secure, even for the 160-bit curves used by the PSP, unless a mistake is made when using them.<br /> <br /> These curves have been designed by Sony only for the console. 
They are not vulnerable to any known attack.<br /> <br /> Both curves use the usual Weierstrass form.<br /> <br /> == Elliptic curve for Kirk command 1 ==<br /> <br /> This curve is used for the ECDSA verification of Kirk command 1.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F<br /> G = (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0x65D1488C0359E234ADC95BD3908014BD91A525F9<br /> &lt;/pre&gt;<br /> <br /> The public key is hardcoded, and is equal to: (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39).<br /> <br /> == Elliptic curve for the other commands ==<br /> <br /> This curve is used for Kirk commands 0xC, 0xD, 0x10, 0x11, and likely 0x12.<br /> <br /> &lt;pre&gt;<br /> p = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127<br /> G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF)<br /> n = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF<br /> a = -3<br /> b = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B<br /> &lt;/pre&gt;<br /> <br /> The public key is variable. 
For the latest Pre-IPL version, which adds an additional ECDSA verification of the XOR of the block hashes, the public key is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87).<br /> <br /> == Code sample ==<br /> <br /> Below is an example of how to manipulate these curves using the ecpy python library.<br /> <br /> &lt;pre&gt;<br /> import ecpy.curves<br /> <br /> psp_curve_cmd1 = {<br /> 'name': &quot;psp_curve_cmd1&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0),<br /> 'order': 0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0x65D1488C0359E234ADC95BD3908014BD91A525F9,<br /> }<br /> <br /> psp_curve_cmd17 = {<br /> 'name': &quot;psp_curve_cmd17&quot;,<br /> 'type': &quot;weierstrass&quot;,<br /> 'size': 160,<br /> 'field': 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF,<br /> 'generator': (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, 0x5958557EB1DB001260425524DBC379D5AC5F4ADF),<br /> 'order': 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,<br /> 'cofactor': 1,<br /> 'a': -3,<br /> 'b': 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,<br /> }<br /> <br /> crv1 = ecpy.curves.WeierstrassCurve(psp_curve_cmd1)<br /> crv17 = ecpy.curves.WeierstrassCurve(psp_curve_cmd17)<br /> <br /> # Kirk command 1 public key and latest Pre-IPL public key<br /> pt1 = ecpy.curves.Point(0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9, 0x049DF1A075C0E04FB344858B61B79B69A63D2C39, crv1)<br /> pt17 = ecpy.curves.Point(0xbc660611a70bd7f2d140a48215c096d11d2d4112, 0xf0e9379ac4e0d387c542d091349dd15169dd5a87, crv17)<br /> assert crv1.is_on_curve(pt1) and crv17.is_on_curve(pt17)<br /> <br /> # verify that the Kirk command 1 ECDSA private key matches the public key<br /> # (ecpy's mul_point takes the scalar first, then the point)<br /> crv1_g = ecpy.curves.Point(0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA, 0x604358456D0A1CB2908DE90F27D75C82BEC108C0, crv1)<br /> assert crv1.mul_point(0xF392E26490B80FD889F2D9722C1F34D7274F983D, crv1_g) == pt1<br /> &lt;/pre&gt;<br /> 
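The same curves without ecpy, as an added example that is not code from the wiki, from Kirk or from ecpy: a standard-library-only model of the arithmetic behind Kirk commands 12, 13 and 17 (buffer layouts as in the Commands section) and of the metadata-header signature check of command 1 in its ECDSA version, using the parameters listed on this page (field prime and group order taken from the ecpy sample's 'field' and 'order' entries). The function names, the zeroing of the unlisted header bytes 0x80..0x8F and the use of an unwrapped private key (the FuseID unwrapping of command 16 is not modelled) are assumptions of this example.

```python
"""Pure-Python model of the Kirk ECDSA commands on the PSP curves (added example)."""
import hashlib
import secrets
import struct

P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF  # field prime ('field'), both curves
A = P - 3                                        # a = -3
INF = None                                       # point at infinity
# (n, b, G) for the command 1 curve and for the curve used by the other commands
CURVE_CMD1 = (0xFFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F,
              0x65D1488C0359E234ADC95BD3908014BD91A525F9,
              (0x2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA,
               0x604358456D0A1CB2908DE90F27D75C82BEC108C0))
CURVE_OTHER = (0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127,
               0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B,
               (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
                0x5958557EB1DB001260425524DBC379D5AC5F4ADF))
CMD1_PUBKEY = (0xED9CE58234E61A53C685D64D51D0236BC3B5D4B9,
               0x049DF1A075C0E04FB344858B61B79B69A63D2C39)
CMD1_PRIVKEY = 0xF392E26490B80FD889F2D9722C1F34D7274F983D  # as in the ecpy sample

def is_on_curve(pt, b):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + b)) % P == 0

def point_add(p1, p2):
    """Affine add/double on y^2 = x^3 + Ax + b over GF(P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:           # P + (-P) = O
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt):
    """Right-to-left double-and-add: what command 13 computes (kP)."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(curve, d, digest, k=None):
    """Plain ECDSA over a SHA1 digest; a caller-supplied k is for tests only."""
    n, _, g = curve
    z = int.from_bytes(digest, "big")
    while True:
        k = k or secrets.randbelow(n - 1) + 1
        r = scalar_mul(k, g)[0] % n
        s = pow(k, -1, n) * (z + r * d) % n
        if r and s:
            return r, s
        k = None

def ecdsa_verify(curve, q, digest, r, s):
    n, b, g = curve
    if not (0 < r < n and 0 < s < n and is_on_curve(q, b)):
        return False
    z, w = int.from_bytes(digest, "big"), pow(s, -1, n)
    pt = point_add(scalar_mul(z * w % n, g), scalar_mul(r * w % n, q))
    return pt is not INF and pt[0] % n == r

# Kirk passes every scalar and coordinate as a 0x14-byte big-endian field.
def enc20(v): return v.to_bytes(0x14, "big")
def dec20(buf, off): return int.from_bytes(buf[off:off + 0x14], "big")

def kirk_cmd12():
    """Command 12: no input; output d | Q.x | Q.y (0x3C) on the 'other' curve."""
    n, _, g = CURVE_OTHER
    d = secrets.randbelow(n - 1) + 1
    return enc20(d) + b"".join(map(enc20, scalar_mul(d, g)))

def kirk_cmd13(inbuf):
    """Command 13: input k | P.x | P.y (0x3C); output (kP).x | (kP).y (0x28)."""
    kp = scalar_mul(dec20(inbuf, 0), (dec20(inbuf, 0x14), dec20(inbuf, 0x28)))
    return b"".join(map(enc20, kp))

def kirk_cmd17(inbuf):
    """Command 17: input Q (0x28) | hash (0x14) | r | s; returns 0 (OK) or 5 (Invalid signature)."""
    q = (dec20(inbuf, 0), dec20(inbuf, 0x14))
    ok = ecdsa_verify(CURVE_OTHER, q, inbuf[0x28:0x3C], dec20(inbuf, 0x3C), dec20(inbuf, 0x50))
    return 0 if ok else 5

def sign_cmd1_header(data_len, pad_len, d=CMD1_PRIVKEY):
    """Constructed 0x90-byte command 1 header, ECDSA version (0x64 = 1, retail 0x6C = 0):
    the 0x30-byte metadata at 0x60 is SHA1-hashed and signed on the command 1 curve.
    The encrypted data key (0x00), data signature (0x38) and bytes 0x80..0x8F are zeroed (assumption)."""
    meta = struct.pack("<6I24x", 1, 1, 0, 0, data_len, pad_len)
    r, s = ecdsa_sign(CURVE_CMD1, d, hashlib.sha1(meta).digest())
    return bytes(0x10) + enc20(r) + enc20(s) + bytes(0x28) + meta

def cmd1_header_sig_ok(header, pubkey=CMD1_PUBKEY):
    """The metadata-header check Kirk command 1 performs in its ECDSA version."""
    digest = hashlib.sha1(header[0x60:0x90]).digest()
    return ecdsa_verify(CURVE_CMD1, pubkey, digest, dec20(header, 0x10), dec20(header, 0x24))
```

Any single-byte change to the signed metadata (for instance the data length at 0x70) makes `cmd1_header_sig_ok` return False, which is the check that stops a modified IPL block from passing command 1.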
<br /> = Commands =<br /> <br /> On PSP there are 19 Kirk commands. On PSVita, there are these 19 commands plus some new commands to support bigger keys (192 bits for example). See [https://wiki.henkaku.xyz/vita/F00D_Commands#gcauthmgr_sm.self F00D commands].<br /> <br /> Kirk commands are called with the same 5 arguments (outbuf, outbuf_size, inbuf, inbuf_size, service_number (which is the command ID)). Depending on the service number used, the expectations of the inbuf or outbuf vary and are detailed below.<br /> <br /> == Table ==<br /> <br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! scope=&quot;col&quot;| Command ID<br /> ! scope=&quot;col&quot;| Name<br /> ! scope=&quot;col&quot;| Short description<br /> ! scope=&quot;col&quot;| Input size<br /> ! scope=&quot;col&quot;| Output size<br /> ! scope=&quot;col&quot;| Used in<br /> |-<br /> | 0<br /> | KIRK_CMD_DECRYPT_BOOTROM<br /> | Decryption of the psp devkit kbooti bootrom (no inverse)<br /> | encrypted kbooti bootrom<br /> | decrypted kbooti bootrom<br /> | tachsm.o<br /> |-<br /> | 1<br /> | KIRK_CMD_DECRYPT_PRIVATE<br /> | Super-Duper decryption (no inverse)<br /> | buf_size+0x90<br /> | buf_size<br /> | memlmd, mesg_led<br /> |-<br /> | 2<br /> | KIRK_CMD_DNAS_ENCRYPT<br /> | Encrypt Operation for DNAS (inverse of command 3)<br /> | buf_size+0x90<br /> | buf_size<br /> | <br /> |-<br /> | 3<br /> | KIRK_CMD_DNAS_DECRYPT<br /> | Decrypt Operation for DNAS (inverse of command 2)<br /> | buf_size+0x90<br /> | buf_size<br /> | <br /> |-<br /> | 4<br /> | KIRK_CMD_ENCRYPT_STATIC<br /> | Encrypt Operation (inverse of command 7) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, memab<br /> |-<br /> | 5<br /> | KIRK_CMD_ENCRYPT_PERCONSOLE<br /> | Encrypt Operation (inverse of command 8) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, psheet since PSP FW 2.81 for PGD, ?openpsid for IDPS Certificates?<br /> |-<br /> | 6<br /> | KIRK_CMD_ENCRYPT_USER<br /> 
| Encrypt Operation (inverse of command 9) (key=user-defined)<br /> | ?<br /> | ?<br /> | <br /> |-<br /> | 7<br /> | KIRK_CMD_DECRYPT_STATIC<br /> | Decrypt Operation (inverse of command 4) (key=static)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | memlmd, mesg_led,chnnlsv, memab<br /> |-<br /> | 8<br /> | KIRK_CMD_DECRYPT_PERCONSOLE<br /> | Decrypt Operation (inverse of command 5) (key=per-console)<br /> | buf_size+0x14<br /> | buf_size+0x14<br /> | chnnlsv, psheet since PSP FW 2.81 for PGD<br /> |-<br /> | 9<br /> | KIRK_CMD_DECRYPT_USER<br /> | Decrypt Operation (inverse of command 6) (key=user-defined)<br /> | ?<br /> | ?<br /> | <br /> |-<br /> | 10 (0xA)<br /> | KIRK_CMD_PRIV_SIGVRY<br /> | Private Signature Verify (checks for private SCE sig)<br /> | buf_size+0x90<br /> | 0<br /> | <br /> |-<br /> | 11 (0xB)<br /> | KIRK_CMD_HASH<br /> | SHA1 Hash<br /> | buf_size &gt;= 0x14<br /> | 0x14<br /> | memlmd, mesg_led, memab<br /> |-<br /> | 12 (0xC)<br /> | KIRK_CMD_ECDSA_GENKEY<br /> | ECDSA Generate Private/Public Key Pair<br /> | 0<br /> | 0x3C<br /> | memab<br /> |-<br /> | 13 (0xD)<br /> | KIRK_CMD_ECDSA_MUL<br /> | ECDSA Multiply Point<br /> | 0x3C<br /> | 0x3C<br /> | <br /> |-<br /> | 14 (0xE)<br /> | KIRK_CMD_PRNGEN<br /> | Pseudo Random Number Generation<br /> | 0<br /> | 0x14<br /> | mesg_led, chnnlsv, memab, semawm<br /> |-<br /> | 15 (0xF)<br /> | KIRK_CMD_INIT<br /> | Initializes Kirk. 
As long as Kirk is uninitialized only commands 0 and 15 can be used.<br /> | 0<br /> | 0<br /> | IPL<br /> |-<br /> | 16 (0x10)<br /> | KIRK_CMD_SIGGEN<br /> | ECDSA Signature Generation<br /> | 0x34<br /> | 0x28<br /> | memab<br /> |-<br /> | 17 (0x11)<br /> | KIRK_CMD_SIGVRY<br /> | Signature Verification (checks for generated signatures)<br /> | 0x64<br /> | 0<br /> | memab<br /> |-<br /> | 18 (0x12)<br /> | KIRK_CMD_CERTVRY<br /> | Certificate Verification (IDStorage Certificates CMAC)<br /> | 0xB8<br /> | 0<br /> | openpsid, memab<br /> |}<br /> <br /> == Command 1: decryption and authentication ==<br /> <br /> === Overview ===<br /> <br /> This function is used to both decrypt and verify the signature of the IPL blocks.<br /> <br /> There are two versions of this service: AES CMAC Verification, and ECDSA Verification. They use the header section of the input buffer slightly differently.<br /> <br /> In both cases, the total header length is 0x90. The first 0x60 bytes depend on the version. The last 0x30 bytes are the same in both cases:<br /> <br /> '''Metadata Header Structure (Length 0x30)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x60 || 4 || Set to 1<br /> |-<br /> | 0x64 || 4 || 0 indicates AES CMAC version, 1 indicates ECDSA version<br /> |-<br /> | 0x68 || 4 || 0<br /> |-<br /> | 0x6C || 4 || 0 for retail version and 0xFFFFFFFF for dev versions<br /> |-<br /> | 0x70 || 4 || Length of decrypted data<br /> |-<br /> | 0x74 || 4 || Length of the padding after the header and before the real data<br /> |-<br /> | 0x78 || 8 || 0<br /> |}<br /> <br /> === AES CMAC Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 16 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 16 || CMAC key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x20 || 16 || Header hash (CMAC)<br /> |-<br /> | 0x30 || 16 || Data hash (CMAC)<br /> |-<br /> | 0x40 || 32 || 0<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The first 0x20 bytes of the Key Header are decrypted with the Kirk command 1 Stored AES Key. This was allegedly discovered by Datel by decapping the chip and reversing engineering the algorithms and keys. This was also recovered through the failure in PS3 cryptography by decrypting the isolated module in the PSP emulator on the PS3.<br /> <br /> The first block is the AES Key used for decrypting the main data. The second block is used to decrypt the next two blocks (0x20 bytes at offset 0x20). These represent the Metadata Header CMAC and the Data CMAC. They are checked against the AES CMAC of the metadata header section and the AES CMAC of the whole data, from the metadata header section to the end of the data (including padding in-between).<br /> <br /> === ECDSA Version ===<br /> <br /> '''Key Header Structure (Length 0x60)''':<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! Description<br /> |-<br /> | 0x00 || 0x10 || Decryption key, encrypted with the Kirk command 1 AES master key<br /> |-<br /> | 0x10 || 0x14 || Header ECDSA signature r<br /> |-<br /> | 0x24 || 0x14 || Header ECDSA signature s<br /> |-<br /> | 0x38 || 0x14 || Data ECDSA signature r<br /> |-<br /> | 0x4C || 0x14 || Data ECDSA signature s<br /> |}<br /> <br /> ==== Decryption process ====<br /> <br /> The ECDSA version is slightly different. Only the first block (0x10 bytes) is decrypted with the Kirk command 1 AES Key. It is used to decrypt the main data section just as in the AES CMAC version. 
Rather than a CMAC, the Metadata header is checked by SHA1 hashing its 0x30 bytes and checking the signature components through a ECDSA Verify call. The encrypted Data section is also checked via SHA1 of the entire data through a ECDSA Verify call.<br /> <br /> The ECDSA curve parameters are indicated above.<br /> <br /> == Commands 2 &amp; 3: DRM encrypt &amp; decrypt ==<br /> <br /> These commands are mostly unknown. The header is the same as Kirk command 1, with the mode set to 2 or 3.<br /> <br /> In command 2, the input data passed to Kirk is first checked (presumably CMAC), then decrypted, and re-encrypted with the console unique private key.<br /> Having that common key would allow legit creation of DRM BB install packages.<br /> <br /> Command 3 is the decryption counterpart of command 2.<br /> <br /> == Commands 4~9: AES encrypt &amp; decrypt ==<br /> <br /> All these commands do AES128-CBC encryption/decryption with an IV equal to 0.<br /> - Commands 4 (encryption) and 7 (decryption) use a one of the 128 keys stored in the Kirk chip and available on the [[Keys]] page, index being given by the keyseed field (which must be between 0x00 and 0x7F)<br /> - Commands 5 (encryption) and 8 (decryption) use an unknown per-console key (it is unknown if it is derived from other data, or just stored as-is on the chip)<br /> - Commands 6 (encryption) and 9 (decryption) use a key derived from the keyseed using an unknown key derivation function<br /> <br /> In all cases, data is prefixed with a 0x14-byte long header:<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Address !! Size !! 
Description<br /> |-<br /> | 0x00 || 4 || Mode: must be 4 for encryption, 5 for decryption<br /> |-<br /> | 0x04 || 8 || Unknown (0?)<br /> |-<br /> | 0x0C || 4 || Keyseed<br /> |-<br /> | 0x10 || 4 || Size of the following data<br /> |}<br /> <br /> == Command 10: AES CMAC verification ==<br /> <br /> Used to verify IdStorage IDPS certificates.<br /> <br /> This seems to be the AES CMAC verification of Kirk command 1, and takes the same header as Command 1, the only difference is that no decryption is performed.<br /> <br /> See command 1 information for details.<br /> <br /> It could also possibly verify CMACs for commands 2 and 3, but that is unknown.<br /> <br /> == Command 11: SHA1 ==<br /> <br /> This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long.<br /> <br /> == Command 12: ECDSA key pair generation ==<br /> <br /> This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve.<br /> <br /> This returns the following into the keypair buffer, of size 0x3C (each value is 0x14 bytes long):<br /> *0x00 - randomly generated private key<br /> *0x14 - Public Key point x value<br /> *0x28 - Public Key point y value<br /> <br /> == Command 13: ECDSA point multiplication ==<br /> <br /> This command multiplies an elliptic curve point by a scalar. 
See above for the parameters of the elliptic curve.<br /> <br /> Input (size 0x3c):<br /> *0x00 - scalar k<br /> *0x14 - point x value P.x<br /> *0x28 - point y value P.y<br /> <br /> Output (size 0x28):<br /> *0x00 - point x value (kP).x<br /> *0x14 - point y value (kP).y<br /> <br /> The result is a new point(x and y are each 0x14 bytes long).<br /> <br /> == Command 14: PRNG ==<br /> <br /> This function takes no input and generates random data of the given size (depending on the specified size of the output buffer).<br /> <br /> == Command 15: Init ==<br /> <br /> This function takes no input and no output.<br /> <br /> Kirk initialization.<br /> <br /> == Command 16: ECDSA signature generation ==<br /> <br /> This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key.<br /> <br /> Input is:<br /> *0x00: 0x20-byte long encrypted buffer containing the private key<br /> *0x20: the message hash.<br /> <br /> The output is a 0x28-byte long signature (r and s, both 0x14-byte long).<br /> <br /> The private key buffer is encrypted with a device-specific encryption using the FuseID.<br /> <br /> Here is the code of the decryption, thanks to Davee &amp; Proxima. 
g_fuse90 and g_fuse94 are the two words composing the FuseID (present at the 0xBC100090 and 0xBC100094 hardware registers).<br /> <br /> Output is 0x20-byte long, but the last 0xC bytes are ignored (and possibly always equal to zero) for the private key.<br /> <br /> &lt;pre&gt;<br /> void decrypt_kirk16_private(u8 *dA_out, u8 *dA_enc)<br /> { <br /> int i, k;<br /> kirk16_data keydata;<br /> u8 subkey_1[0x10], subkey_2[0x10];<br /> rijndael_ctx aes_ctx;<br /> <br /> keydata.fuseid[7] = g_fuse90 &amp;0xFF;<br /> keydata.fuseid[6] = (g_fuse90&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[5] = (g_fuse90&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[4] = (g_fuse90&gt;&gt;24) &amp;0xFF;<br /> keydata.fuseid[3] = g_fuse94 &amp;0xFF;<br /> keydata.fuseid[2] = (g_fuse94&gt;&gt;8) &amp;0xFF;<br /> keydata.fuseid[1] = (g_fuse94&gt;&gt;16) &amp;0xFF;<br /> keydata.fuseid[0] = (g_fuse94&gt;&gt;24) &amp;0xFF;<br /> <br /> /* set encryption key */<br /> rijndael_set_key(&amp;aes_ctx, kirk16_key, 128);<br /> <br /> /* set the subkeys */<br /> for (i = 0; i &lt; 0x10; i++)<br /> {<br /> /* set to the fuseid */<br /> subkey_2[i] = subkey_1[i] = keydata.fuseid[i % 8];<br /> } <br /> <br /> /* do aes crypto */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* encrypt + decrypt */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_1, subkey_1);<br /> rijndael_decrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* set new key */<br /> rijndael_set_key(&amp;aes_ctx, subkey_1, 128);<br /> <br /> /* now lets make the key mesh */<br /> for (i = 0; i &lt; 3; i++)<br /> {<br /> /* do encryption in group of 3 */<br /> for (k = 0; k &lt; 3; k++)<br /> {<br /> /* crypto */<br /> rijndael_encrypt(&amp;aes_ctx, subkey_2, subkey_2);<br /> }<br /> <br /> /* copy to out block */<br /> memcpy(&amp;keydata.mesh[i * 0x10], subkey_2, 0x10);<br /> }<br /> <br /> /* set the key to the mesh */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x20], 128);<br /> <br /> /* do the encryption routines for 
the aes key */<br /> for (i = 0; i &lt; 2; i++)<br /> {<br /> /* encrypt the data */<br /> rijndael_encrypt(&amp;aes_ctx, &amp;keydata.mesh[0x10], &amp;keydata.mesh[0x10]);<br /> }<br /> <br /> /* set the key to that mesh shit */<br /> rijndael_set_key(&amp;aes_ctx, &amp;keydata.mesh[0x10], 128);<br /> <br /> /* cbc decrypt the dA */<br /> AES_cbc_decrypt((AES_ctx *)&amp;aes_ctx, dA_enc, dA_out, 0x20);<br /> }<br /> &lt;/pre&gt;<br /> <br /> == Command 17: ECDSA signature verification ==<br /> <br /> This command verifies an ECDSA signature using the ECDSA curve described above.<br /> <br /> It takes no output, and takes as an input:<br /> * 0x00: public key<br /> * 0x28: signed message hash<br /> * 0x3C: signature r<br /> * 0x50: signature s<br /> <br /> The result of the operation is given by the return value (0 on success, 5 on failure to verify the signature).<br /> <br /> == Command 18: verify certificate ==<br /> <br /> This command has most likely no output header.<br /> <br /> It takes as an input a 0xB8-long buffer:<br /> *0x00: certificate data (either ConsoleID or OpenPSID)<br /> *0x10: certificate public key (x and y)<br /> *0x38: ECDSA signature (r and s)<br /> *0x60: ECDSA public key used for the signature<br /> *0x88: certificate encrypted private key (padded)<br /> *0xA8: AES-CMAC hash of the rest of the header.<br /> <br /> Details are on PS Vita wiki. 
See also the source code of the DespertarDelCementerio and CEX2DEX programs.<br /> <br /> = Code Samples =<br /> <br /> * [https://github.com/DaveeFTW/iplsdk/tree/master/src/kirk]<br /> <br /> * [https://github.com/TheHellcat/psp-hb/blob/master/KirkCrypt/intercom/silvercode.c]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/2007/10/ipl-decrypt-sample-direct-hw-access/index.html]<br /> <br /> * [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/kirk-crypto-engine/index.html]<br /> <br /> = Open problems =<br /> <br /> * The private key corresponding to the latest version PRE-IPL public key is unknown.<br /> * Commands 2, 3, 5, 6, 8, and 9 are mostly unknown and need testing/documentation.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12127 Vulnerabilities 2023-10-15T20:23:08Z <p>CelesteBlue: /* qwikTrick (or Perfect Syscalls) by qwikrazor87: PSP/PS Vita any version */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. 
Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. 
Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? ====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. 
Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. 
Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. 
Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. 
Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== 
Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later jumps to with &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain text and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the .vmc file header would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. 
Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader from 2.00 to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> [https://web.archive.org/web/20060130220231/http://sunkone.cja.net/psp/loader2/README.txt] -&gt; cjb<br /> <br /> https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed: PSP any version ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. 
Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === Fixed syscall numbers: PSP &lt;= ?6.50? ===<br /> <br /> On PSP System Software versions below 6.60, you could guess the syscall number for any kernel export, allowing you to call any syscall without having the resolved stub readily available.<br /> <br /> Fixed on PSP System Software version 6.60 or just before. On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore.<br /> <br /> === qwikTrick (or Perfect Syscalls) by qwikrazor87: PSP/PS Vita any version ===<br /> <br /> Discovered by qwikrazor87 around 2013 but independently discovered by others before, probably in 2011. Released by Acid_snake on 2023-10-15.<br /> <br /> On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore. Therefore hackers became restricted to the functions imported by the application they exploited. This led to limited kernel function access (fewer chances of triggering a kernel bug) and it also drastically reduced V/HBL compatibility.<br /> <br /> If you load a utility module, which loads a prx in user space, you can have a background thread that changes the PRX's stubs table to whichever imports you want. 
It relies on a race condition so you have to run the code a few times until it works. Eventually you can resolve any kernel export, even if the original game did not import it.<br /> <br /> This exploit was very useful since most Minis games (the main attack vector back then) had limited imports. Team OILIX never released it because they wanted to keep it in case they came across a kernel exploit on some obscure function that not a lot of games import. Also, by then VHBL was already abandoned and everyone wanted eCFW (ARK, TN) instead, so making VHBL have perfect syscalls for better compatibility was a waste for this hack. In hindsight it was a bad decision since Team OILIX never actually used the function, because soon after it was figured out how to craft a PBOOT.PBP for PS Vita with any desired imports.<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/add6c946b4bab17ed7488114ccda3357ea42e0f2/common/utils/imports.c#L91<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in the kernel and make it point to some function in usermode instead. 
Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR'ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you'd have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary writes to kernel memory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a string that is too long is passed as argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that plenty of such vulnerabilities remained, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60, the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in the PSP nor in PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first dump of the PS Vita's PSPemu kernel.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in the PSP nor in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> https://github.com/DaveeFTW/ChickHEN/blob/main/Launcher/main.c<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so it is necessary to read kernel memory before exploiting and to restore the other 12 bytes afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is stored on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. 
It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (+ an extra ':' char to let the loop end) containing an address to an arbitrary position in memory (pointing to a function of ours for example) located from the 44th to the 47th chars in the filename will allow us to run any code we want in the context of the executing routine (kernel mode), as when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the memory stick after loading a valid ELF with one that contained an unsigned one, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, which thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader will not control the block size. 
This allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design implementation.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, which results in the cache being synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader versions fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12126 Vulnerabilities 2023-10-15T20:19:13Z <p>CelesteBlue: /* System */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red circle 18 logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and it is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4 PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later jumps to with &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plaintext and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always present at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header of a .vmc file would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. 
Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader from 2.00 to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> [https://web.archive.org/web/20060130220231/http://sunkone.cja.net/psp/loader2/README.txt] -&gt; cjb<br /> <br /> https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed: PSP any version ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. 
Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The Infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === Fixed syscall numbers: PSP &lt;= ?6.50? ===<br /> <br /> On PSP System Software versions below 6.60, you could guess the syscall number for any kernel export, allowing you to call any syscall without having the resolved stub readily available.<br /> <br /> Fixed on PSP System Software version 6.60 or just before. On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore.<br /> <br /> === qwikTrick (or Perfect Syscalls) by qwikrazor87: PSP/PS Vita any version ===<br /> <br /> Discovered by qwikrazor87 around 2013, but it had been discovered by others before, probably in 2011. Released by Acid_snake on 2023-10-15.<br /> <br /> On PSP System Software version 6.60, SCE developers randomized syscall numbers so you could not guess them anymore. Therefore hackers became restricted to the functions imported by the application they exploited. This led to limited kernel function access (fewer chances of triggering a kernel bug) and it also drastically reduced V/HBL compatibility.<br /> <br /> If you load a utility module, which loads a PRX in user space, you can have a background thread that changes the PRX's stub table to whichever imports you want. 
It relies on a race condition, so you have to run the code a few times until it works. Eventually you can resolve any kernel export even if the original game did not import it.<br /> <br /> This exploit was very useful since most Minis games (the main attack vector at the time) had limited imports. Team OILIX never released it because they wanted to keep it in case they came across a kernel exploit on some obscure function that not a lot of games import. Also because by then VHBL was already abandoned and everyone wanted eCFW (ARK, TN) instead, so making VHBL have perfect syscalls for better compatibility was a waste for this hack. In hindsight it was a bad decision, since Team OILIX never actually used the function because soon after it was figured out how to craft a PBOOT.PBP for PS Vita with any desired imports.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in kernel and make it point to some function in usermode instead. 
Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR’ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you’d have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary writes to kernel memory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so whoever patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of missing k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> https://github.com/DaveeFTW/ChickHEN/blob/main/Launcher/main.c<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. 
It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end), containing an address to an arbitrary position in memory (pointing to a function of ours, for example) located from the 44th to the 47th chars of the filename, will allow us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
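As an added illustration (not code from loadexec.prx, from hitchhikr's exploit or from any PSP project), the check that later loadexec versions apply, written as portable C so it compiles and runs on a host: the drive part of a path is measured up to the first ':' and rejected when the ':' is missing, the name is empty, or the name is longer than 0x1F bytes; only then is it copied into the caller's buffer. The 0x1F limit and the 48-byte stack frame come from the text above; the function names, the error value and the sample paths are assumptions made for this example.

```c
/* Added example, not loadexec's own code: the drive-name length check that
 * later loadexec versions perform, on a host. The original routine scanned up
 * to ':' with no length check, so a long drive name ran past the 48-byte stack
 * frame. Function names, ERR_BAD_DRIVE and sample paths are assumptions. */
#include <stddef.h>
#include <string.h>

#define DRIVE_NAME_MAX 0x1F   /* limit enforced by later loadexec versions (from the text) */
#define ERR_BAD_DRIVE  (-1)   /* hypothetical error code for this example */

/* Length of the drive part of a path: the characters before the first ':'.
 * Returns -1 when there is no ':' at all. This mirrors the original scan,
 * which only stopped at ':' and never considered a maximum length. */
static int drive_name_len(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* Hardened copy: refuse drive names that are unterminated (no ':'), empty,
 * longer than DRIVE_NAME_MAX, or that would not fit the destination. Only then
 * copy, so the caller's stack buffer cannot be overrun whatever the path says.
 * Returns the drive-name length on success (e.g. 3 for "ms0:/..."). */
int copy_drive_name_checked(char *dst, size_t dstsz, const char *path)
{
    int len = drive_name_len(path);
    if (len <= 0 || len > DRIVE_NAME_MAX)
        return ERR_BAD_DRIVE;          /* no ':' found, empty, or the 0x1F limit exceeded */
    if ((size_t)len + 1 > dstsz)
        return ERR_BAD_DRIVE;          /* would not fit, terminator included */
    memcpy(dst, path, (size_t)len);
    dst[len] = '\0';
    return len;
}

/* Exercise both paths on constructed inputs: a normal path, and the shape of
 * the original overflow input (48 chars followed by ':'). Returns 1 if the
 * check behaves as intended. */
int demo_drive_check(void)
{
    char buf[48];                      /* same size as the vulnerable stack frame */
    char overlong[64];
    memset(overlong, 'A', 48);
    overlong[48] = ':';
    overlong[49] = '\0';

    int ok   = copy_drive_name_checked(buf, sizeof buf, "ms0:/PSP/GAME/EBOOT.PBP");
    int bad  = copy_drive_name_checked(buf, sizeof buf, overlong);
    int none = copy_drive_name_checked(buf, sizeof buf, "no-colon-here");
    return ok == 3 && bad == ERR_BAD_DRIVE && none == ERR_BAD_DRIVE;
}
```

The check rejects at exactly the boundary the text describes: a 31-byte drive name (0x1F) is still accepted, a 32-byte one is refused before any byte is copied.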
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
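To make the disagreement concrete, here is an added example (not loadcore's code) modelling the two skip rules the text describes, plus the consistency check a loader would want before trusting either: the metadata probe and the decrypt/load paths must compute the same offset for the start of the ELF, which holds only when sce_size is 0x40. The 64-byte header and the 32-bit field at +4 are from the text; the "~SCE" magic bytes, the function names and the sample headers are assumptions made for this example.

```c
/* Added example, not loadcore's code. Models the inconsistent handling of the
 * optional ~SCE header described above and a check that rejects headers on
 * which the probe and the load path would disagree. The "~SCE" magic, the
 * function names and the constructed sample headers are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SCE_HEADER_SIZE 0x40u   /* 64-byte header, per the text */

static uint32_t rd32le(const uint8_t *p)   /* PSP is little-endian MIPS */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HEADER_SIZE && memcmp(buf, "~SCE", 4) == 0;  /* magic assumed */
}

/* sceKernelCheckExecFile / sceKernelLoadExecutableObject rule per the text:
 * when sce_size (at +4) is positive, skip a fixed 64 bytes. */
size_t skip_fixed(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    int32_t sce_size = (int32_t)rd32le(buf + 4);
    return sce_size > 0 ? SCE_HEADER_SIZE : 0;
}

/* sceKernelProbeExecutableObject rule per the text: skip sce_size bytes. */
size_t skip_by_field(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    int32_t sce_size = (int32_t)rd32le(buf + 4);
    return sce_size > 0 ? (size_t)sce_size : 0;
}

/* Consistency check: both rules must yield the same ELF offset, and it must
 * lie inside the buffer. Otherwise the probe inspects different bytes from
 * the ones that end up being loaded. Returns 1 when consistent, 0 when not.
 * Plain ELFs without a ~SCE header are trivially consistent (offset 0). */
int sce_header_consistent(const uint8_t *buf, size_t len)
{
    size_t a = skip_fixed(buf, len);
    size_t b = skip_by_field(buf, len);
    return a == b && b <= len;
}

/* Constructed samples: a well-formed header (sce_size == 0x40) and a
 * "giraffe" header whose sce_size points elsewhere (0x60). */
int demo_sce_consistency(void)
{
    uint8_t good[0x80] = {0}, giraffe[0x80] = {0};
    memcpy(good, "~SCE", 4);    good[4] = 0x40;     /* sce_size = 0x40 */
    memcpy(giraffe, "~SCE", 4); giraffe[4] = 0x60;  /* sce_size = 0x60 */
    return sce_header_consistent(good, sizeof good) == 1 &&
           sce_header_consistent(giraffe, sizeof giraffe) == 0;
}
```

A loader that applies sce_header_consistent() before any of the three paths runs cannot be made to probe one set of bytes and load another, whichever of the two skip rules the rest of the code happens to use.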
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, features an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, which allowed a &quot;valid&quot; block to be crafted in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design choice.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows the key to be retrieved from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced only once the key is already gone. 
This allows the key to be retrieved easily using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash together as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel out the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12103 Vulnerabilities 2023-10-12T23:09:28Z <p>CelesteBlue: /* sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, otherwise it is 2006 and patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability, as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not that of the PS1 itself, nor the PS1emu memory card managers of the PS2, PS3 or PS4.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control part of a register. This register contains a pointer that the system later &lt;code&gt;jalr&lt;/code&gt;s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plaintext and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header of a .vmc file would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader from 2.00 to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> [https://web.archive.org/web/20060130220231/http://sunkone.cja.net/psp/loader2/README.txt] -&gt; cjb<br /> <br /> https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. 
Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign their own usermode applications. A HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of the 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. 
Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into the kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in the kernel and make it point to some function in usermode instead. 
Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR'ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you'd have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode, _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing a string that is too long as argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that plenty of such vulnerabilities remained, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita kermit_wlan.prx module, not PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> https://github.com/DaveeFTW/ChickHEN/blob/main/Launcher/main.c<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so it is necessary to read kernel memory before exploiting and to restore the other 12 bytes afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. 
It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it overwrites the rest of the stack-based values, such as the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end), containing at chars 44 to 47 an address pointing to an arbitrary position in memory (a function of ours, for example), lets us run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
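The unchecked drive-name copy and the later length check, as an added example in C that is not code from loadexec.prx or from this page. The 48-byte stack frame is modelled as a struct with the saved return address in its last four bytes so the clobbering can be observed without the demo corrupting its own stack; the function names, error code and sample paths are assumptions.

```c
/* Added example: model of the loadexec drive-name check in its unchecked
 * (2.60) and length-checked (later firmware) forms. Names, frame layout
 * and the error code are assumptions for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DRIVE_BUF_SIZE 44   /* frame bytes 0..43: drive name scratch area */
#define FRAME_SIZE     48   /* 48 bytes allocated, saved $ra at bytes 44..47 */
#define DRIVE_NAME_MAX 0x1F /* limit enforced by later loadexec versions */
#define ERR_BAD_DRIVE  (-1) /* assumed error code for the checked version */

/* Model of the routine's 48-byte stack frame (assumption: layout as the
 * page describes, with the saved return address in the last four bytes). */
typedef struct {
    unsigned char drive[DRIVE_BUF_SIZE];
    unsigned char saved_ra[4];
} stack_frame_t;

/* Constructed sample: a 48-character drive name whose bytes 44..47 would
 * land exactly on the saved return address, followed by the ':' that ends
 * the copy loop. */
const char OVERLONG_DRIVE_PATH[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAA"
    "\x11\x22\x33\x44"
    ":/PSP/GAME/EBOOT.PBP";

/* Length of the drive part of a path (characters before the first ':'),
 * or -1 when the path has no ':' at all. */
int drive_name_len(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* 2.60-style behaviour: copy the drive name up to ':' with no bound check,
 * so a name of 44 bytes or more runs into saved_ra. The copy is clamped to
 * the frame only to keep this model memory safe; the real routine kept
 * writing past the frame. Returns the number of bytes copied. */
int copy_drive_name_unchecked(const char *path, stack_frame_t *frame)
{
    int len = drive_name_len(path);
    if (len <= 0)
        return 0;                 /* empty or missing drive name: nothing copied */
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;         /* model-only clamp, see comment above */
    memcpy(frame, path, (size_t)len);
    return len;
}

/* Later-firmware behaviour: reject drive names longer than 0x1F bytes before
 * copying, so the copy can never reach the saved return address. On success
 * returns 0 with the NUL-terminated drive name in out (DRIVE_NAME_MAX + 1
 * bytes), otherwise ERR_BAD_DRIVE. */
int copy_drive_name_checked(const char *path, char *out)
{
    int len = drive_name_len(path);
    if (len < 0 || len > DRIVE_NAME_MAX)
        return ERR_BAD_DRIVE;
    memcpy(out, path, (size_t)len);
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if the checked routine accepts the path. */
int checked_accepts(const char *path)
{
    char out[DRIVE_NAME_MAX + 1];
    return copy_drive_name_checked(path, out) == 0;
}

/* Run the unchecked copy on a fresh frame whose saved_ra holds the sentinel
 * DE AD BE EF, then return saved_ra as a little-endian word (the PSP's MIPS
 * core is little-endian). A benign path leaves 0xEFBEADDE; the overlong
 * sample replaces it with the bytes 44..47 of the drive name, 0x44332211. */
uint32_t unchecked_saved_ra_le(const char *path)
{
    static const unsigned char sentinel[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    stack_frame_t frame;
    memset(&frame, 0, sizeof frame);
    memcpy(frame.saved_ra, sentinel, sizeof sentinel);
    copy_drive_name_unchecked(path, &frame);
    return (uint32_t)frame.saved_ra[0]
         | ((uint32_t)frame.saved_ra[1] << 8)
         | ((uint32_t)frame.saved_ra[2] << 16)
         | ((uint32_t)frame.saved_ra[3] << 24);
}

int main(void)
{
    const char *benign = "ms0:/PSP/GAME/EBOOT.PBP";
    char out[DRIVE_NAME_MAX + 1];
    int rc;

    printf("unchecked, benign path:   saved $ra = 0x%08x\n",
           (unsigned)unchecked_saved_ra_le(benign));
    printf("unchecked, 48-char drive: saved $ra = 0x%08x\n",
           (unsigned)unchecked_saved_ra_le(OVERLONG_DRIVE_PATH));
    rc = copy_drive_name_checked(benign, out);
    printf("checked, benign path:     rc=%d drive=\"%s\"\n", rc, out);
    rc = copy_drive_name_checked(OVERLONG_DRIVE_PATH, out);
    printf("checked, 48-char drive:   rc=%d (rejected)\n", rc);
    return 0;
}
```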
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the memory stick, after loading a valid ELF, with one that contained an unsigned one, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9<br /> <br /> If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload at arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) pass.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key only after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier; however, this results in the cache being synced once the key is already gone. 
This makes it easy to retrieve the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block's hash into a running value as the blocks are loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks into the chain cancels their contribution to the XOR, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12100 Vulnerabilities 2023-10-11T20:46:05Z <p>CelesteBlue: /* libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
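The XOR-accumulated hash check described in the Tachyon "Faulty ECDSA Hash Comparison" section above, as an added example (not code from the wiki, the bootrom or Lib-PSP iplloader): it shows why a signature over the XOR of per-block hashes is blind to a duplicated pair of blocks and to block order, and how folding each block into a chained digest instead makes the check sensitive to insertion and ordering. SHA-1 as the per-block hash and the block contents are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Added example, not PSP or iplloader code. The per-block hash is assumed to be
# SHA-1 (the page names SHA-1 for Kirk cmd 0x6C, not for this particular check).
DIGEST_LEN = 20


def block_hash(block: bytes) -> bytes:
    """Per-block hash; the primitive is an assumption (see above)."""
    return hashlib.sha1(block).digest()


def xor_accumulate(blocks) -> bytes:
    """The flawed construction the text describes for Tachyon 0x00600000 onwards:
    every block's hash is XORed into one running value, and only that final value
    is what the signature covers. XOR is commutative and self-inverse, so block
    order is invisible and any block present an even number of times contributes
    nothing to the result."""
    acc = bytes(DIGEST_LEN)
    for b in blocks:
        acc = bytes(x ^ y for x, y in zip(acc, block_hash(b)))
    return acc


def chain_accumulate(blocks) -> bytes:
    """Hardened alternative: fold each block hash into the running digest with a
    further hash call. The result then depends on count, content and order, so an
    inserted pair of identical blocks no longer cancels out."""
    acc = bytes(DIGEST_LEN)
    for b in blocks:
        acc = hashlib.sha1(acc + block_hash(b)).digest()
    return acc


def chain_unchanged(accumulate, original, modified) -> bool:
    """True when 'accumulate' yields the same value for both chains, i.e. a
    signature computed over the original chain would still verify the modified
    one. Constant-time comparison, as a verifier should use."""
    return hmac.compare_digest(accumulate(original), accumulate(modified))


# Constructed stand-in for an IPL block chain (not real IPL data).
ORIGINAL_CHAIN = [
    b"block0: loader stub",
    b"block1: decrypt stage",
    b"block2: jump to kernel",
]
EXTRA_BLOCK = b"blockX: extra block"


def demo() -> dict:
    """Insert the same extra block twice, back to back, and compare both checks."""
    modified = ORIGINAL_CHAIN[:1] + [EXTRA_BLOCK, EXTRA_BLOCK] + ORIGINAL_CHAIN[1:]
    return {
        # XOR check still passes: H(x) ^ H(x) == 0 regardless of x.
        "xor_passes": chain_unchanged(xor_accumulate, ORIGINAL_CHAIN, modified),
        # Chained digest detects the insertion.
        "chain_passes": chain_unchanged(chain_accumulate, ORIGINAL_CHAIN, modified),
        # XOR is also blind to reordering the blocks.
        "xor_order_blind": xor_accumulate(ORIGINAL_CHAIN) == xor_accumulate(ORIGINAL_CHAIN[::-1]),
    }


if __name__ == "__main__":
    print(demo())  # {'xor_passes': True, 'chain_passes': False, 'xor_order_blind': True}
```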
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later does a &lt;code&gt;jalr&lt;/code&gt; to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are stored in plain form and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita it is also always present at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the .vmc header would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin, Skylark and Toc2rta.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like MPH downgrader from 2.00 to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> [https://web.archive.org/web/20060130220231/http://sunkone.cja.net/psp/loader2/README.txt] -&gt; cjb<br /> <br /> https://repo.zenk-security.com/Magazine%20E-book/EN-Hacking%20PSP.pdf<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. 
Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. 
Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially on the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in the kernel and make it point to some function in usermode instead. 
Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. Instead, they added a few mitigations like XOR’ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you’d have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode, _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as argument, the overflowing content can be crafted to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most of the new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that the library was full of such vulnerabilities, so whoever patched it must have been someone else who did not believe such a failure was possible. 
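What a k1 check actually does, as an added host-side example (this is not code from kermit_wlan.prx, from the PSP kernel or from any CFW): on syscall entry the PSP kernel leaves 0x100000 in k1 for a user-mode caller and 0 for a kernel-mode caller, and kernel code shifts that value left by 11 so the resulting mask 0x80000000 collides with every kernel address, the convention behind uOFW's pspShiftK1/pspK1PtrOk/pspK1StaBufOk helpers. The ether-address setter modelled below, its fake MAC, the two 16-byte memory windows and the user-mode/kernel-mode k1 values passed as a parameter are all constructed for the illustration; the error code 0x800200D3 is SCE_KERNEL_ERROR_ILLEGAL_ADDR.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added host-side illustration, not code from kermit_wlan.prx or from any CFW.
 * PSP kernel convention: on syscall entry k1 is 0x100000 when the caller was in
 * user mode and 0 when it was already kernel code. Kernel functions shift it
 * left by 11, turning the user-mode value into 0x80000000, a bit that is set in
 * every kernel address (0x88xxxxxx, 0xBCxxxxxx, ...) and clear in every user RAM
 * address (0x08800000-0x097FFFFF). */
#define K1_USERMODE   0x100000u
#define K1_KERNELMODE 0x0u

static uint32_t shift_k1(uint32_t k1) { return k1 << 11; }

/* Single pointer check: acceptable when no bit flagged by the shifted k1 is set.
 * For a kernel-mode caller the mask is 0 and every address passes. */
static int k1_ptr_ok(uint32_t k1s, uint32_t ptr) {
    return (ptr & k1s) == 0;
}

/* Buffer check: start, length and end all have to be clear, otherwise a user
 * pointer just below 0x80000000 plus a large size would spill into kernel space. */
static int k1_buf_ok(uint32_t k1s, uint32_t ptr, uint32_t size) {
    return ((ptr | size | (ptr + size)) & k1s) == 0;
}

/* Two 16-byte windows stand in for kernel RAM at 0x88000000 and user RAM at
 * 0x08900000 (constructed for this example); writes anywhere else are dropped. */
#define KMEM_BASE 0x88000000u
#define UMEM_BASE 0x08900000u
static uint8_t sim_kernel[16];
static uint8_t sim_user[16];

static void sim_write(uint32_t addr, const uint8_t *src, uint32_t n) {
    if (addr >= KMEM_BASE && addr + n <= KMEM_BASE + sizeof sim_kernel)
        memcpy(sim_kernel + (addr - KMEM_BASE), src, n);
    else if (addr >= UMEM_BASE && addr + n <= UMEM_BASE + sizeof sim_user)
        memcpy(sim_user + (addr - UMEM_BASE), src, n);
}

/* Constructed MAC address standing in for the one the driver reads from the chip. */
static const uint8_t g_mac[6] = {0x00, 0x1D, 0xD9, 0x12, 0x34, 0x56};

/* Vulnerable shape, as the page describes the PS Vita port: the six bytes land
 * wherever the caller points, k1 is never consulted. */
static int vuln_get_ether_addr(uint32_t dest) {
    sim_write(dest, g_mac, sizeof g_mac);
    return 0;
}

/* Fixed shape: refuse any destination the caller's k1 flags before touching it.
 * 0x800200D3 is SCE_KERNEL_ERROR_ILLEGAL_ADDR, the PSP kernel's usual return
 * value for a rejected pointer. */
static int fixed_get_ether_addr(uint32_t k1, uint32_t dest) {
    uint32_t k1s = shift_k1(k1);
    if (!k1_buf_ok(k1s, dest, sizeof g_mac))
        return (int)0x800200D3;
    sim_write(dest, g_mac, sizeof g_mac);
    return 0;
}

int main(void) {
    vuln_get_ether_addr(KMEM_BASE);
    printf("vulnerable, user caller, kernel dest: kernel[1] = 0x%02X\n", sim_kernel[1]);
    printf("fixed, user caller, kernel dest:   0x%08X\n",
           (unsigned)fixed_get_ether_addr(K1_USERMODE, KMEM_BASE + 8));
    printf("fixed, user caller, user dest:     %d\n",
           fixed_get_ether_addr(K1_USERMODE, UMEM_BASE));
    printf("fixed, kernel caller, kernel dest: %d\n",
           fixed_get_ether_addr(K1_KERNELMODE, KMEM_BASE + 8));
    printf("k1_ptr_ok(0x7FFFFFF0) = %d, k1_buf_ok(0x7FFFFFF0, 0x20) = %d\n",
           k1_ptr_ok(shift_k1(K1_USERMODE), 0x7FFFFFF0u),
           k1_buf_ok(shift_k1(K1_USERMODE), 0x7FFFFFF0u, 0x20u));
    return 0;
}
```

The buffer variant matters as much as the pointer variant: a single-pointer check would let 0x7FFFFFF0 through, and a write of 0x20 bytes from there ends in kernel space, which is exactly the case the fixed function rejects.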
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw (a word), 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw (a word), 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48, memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter: writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were exploited together with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in the PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the lacking k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that what the exploit writes depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first dump of the PS Vita PSPemu kernel.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
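Both bruteforces, the three-way 64-bit one through sceRtcCompareTick and the two-way signed 32-bit one through sceNetMCopyback, are the same binary search driven by a comparison oracle. The following is an added example written for a host compiler, not Davee's or ARK-4's code: the two oracles are stand-ins for the kernel functions (a real exploit passes a kernel address as the syscall argument and lets the kernel dereference it), the "kernel words" are constructed constants, and a call counter checks the 64- and 32-comparison budgets the text states. The signed case is the part worth studying: flipping the sign bit maps signed order onto unsigned order so the same bit-by-bit search works, and "value >= candidate" has to be rephrased as "value > candidate - 1" because the oracle only answers a0 <= a1 versus a0 > a1.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Davee's or ARK-4's code. The two oracles are host-side
 * stand-ins for the kernel functions: a real exploit passes a kernel address as
 * the syscall's first argument and lets the kernel dereference it; here the
 * "kernel word" is a constructed constant. g_oracle_calls counts comparisons. */
static int g_oracle_calls;

/* sceRtcCompareTick-shaped oracle: <0, 0, >0 for *a < *b, *a == *b, *a > *b. */
static int oracle_cmp64(const uint64_t *a, const uint64_t *b) {
    g_oracle_calls++;
    if (*a < *b) return -1;
    if (*a > *b) return 1;
    return 0;
}

/* sceNetMCopyback-shaped oracle as the page describes it: a signed 32-bit
 * comparison that only tells a0 <= a1 apart from a0 > a1. */
static int oracle_gt_s32(const int32_t *a0, int32_t a1) {
    g_oracle_calls++;
    return *a0 > a1;
}

/* 64-bit recovery, most significant bit first: tentatively set the bit and ask
 * whether the kernel word is still >= the candidate; if so the bit is 1.
 * Exactly one comparison per bit, 64 in total. */
static uint64_t recover_u64(const uint64_t *kaddr) {
    uint64_t acc = 0;
    g_oracle_calls = 0;
    for (int bit = 63; bit >= 0; bit--) {
        uint64_t cand = acc | (1ULL << bit);
        if (oracle_cmp64(kaddr, &cand) >= 0)
            acc = cand;
    }
    return acc;
}

/* Signed 32-bit recovery with a two-way oracle. Flipping the sign bit maps
 * signed order onto unsigned order, so the search runs in that mapped space.
 * "word >= cand" is asked as "word > cand - 1"; cand is never INT32_MIN
 * because it always carries the tentative bit, so cand - 1 cannot overflow.
 * 32 comparisons. */
static int32_t recover_s32(const int32_t *kaddr) {
    uint32_t acc = 0;
    g_oracle_calls = 0;
    for (int bit = 31; bit >= 0; bit--) {
        uint32_t cand_mapped = acc | (1u << bit);
        int32_t cand = (int32_t)(cand_mapped ^ 0x80000000u);
        if (oracle_gt_s32(kaddr, cand - 1))
            acc = cand_mapped;
    }
    return (int32_t)(acc ^ 0x80000000u);
}

/* Constructed "kernel words": a 64-bit tick-like value and two 32-bit words,
 * one with the sign bit set (a kernel address) and one without. */
static const uint64_t kSecret64 = 0x880FF000A5A5C3C3ULL;
static const int32_t  kSecretNeg = (int32_t)0x8801F5A4u;
static const int32_t  kSecretPos = 0x08804000;

int main(void) {
    uint64_t v64 = recover_u64(&kSecret64);
    printf("64-bit: 0x%016llX in %d comparisons\n", (unsigned long long)v64, g_oracle_calls);
    int32_t v32 = recover_s32(&kSecretNeg);
    printf("32-bit: 0x%08X in %d comparisons\n", (uint32_t)v32, g_oracle_calls);
    v32 = recover_s32(&kSecretPos);
    printf("32-bit: 0x%08X in %d comparisons\n", (uint32_t)v32, g_oracle_calls);
    return 0;
}
```

On real hardware each comparison is one syscall, so a 32-bit word costs 32 syscalls and a kernel module of a few hundred KiB costs millions; that is why these two primitives were used to dump kernels rather than as a general-purpose read.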
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of missing k1 checks, sceDRMInstallGetFileInfo allows a memset to any address in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the affected kernel memory has to be read before exploiting so that the 12 bytes beyond the targeted 4 can be restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is stored on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, a long enough drive name overwrites the rest of the stack-based values, the return address for example. Hence a drive name of 48 chars (+ an extra ':' char to let the loop end), with an arbitrary address (pointing to a function of ours, for example) placed at chars 44 to 47 of the filename, allows us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
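The routine and its fix, side by side, as an added host-side example (this is not hitchhikr's code nor the loadexec.prx routine): the 48-byte frame is modelled as a byte array so the overwrite of the saved return address at bytes 44 to 47 can be observed without crashing, and the crafted path follows the recipe above, 44 filler bytes, a little-endian address, then the ':' that stops the loop. The sentinel return address, the 0x08904141 target, the function names and the negative error values are constructed for this illustration; the 0x1F limit is the one the text describes for later firmware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the routine described above, not the loadexec.prx code.
 * The 48-byte stack frame is modelled as a byte array so the overflow into the
 * saved return address can be observed without crashing the host. Allegrex is
 * little-endian, so the address is stored and read back byte by byte. */
#define FRAME_SIZE  48
#define RET_OFFSET  44            /* saved return address: bytes 44..47 */
#define DRIVE_MAX   0x1F          /* limit enforced by later firmware */
#define SENTINEL_RA 0x88001234u   /* constructed "legitimate" return address */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: copy the drive name up to ':' with no length check.
 * Returns the return address the routine would jump to when it finishes. */
static uint32_t vuln_check_drive(const char *path) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_le32(frame + RET_OFFSET, SENTINEL_RA);
    if (path[0] == '\0' || path[0] == ':')   /* empty drive name: nothing copied */
        return SENTINEL_RA;
    for (size_t i = 0; path[i] != '\0' && path[i] != ':'; i++) {
        /* The bound exists only to keep this host simulation memory-safe;
         * the real routine kept writing past its frame. */
        if (i < sizeof frame)
            frame[i] = (uint8_t)path[i];
    }
    return get_le32(frame + RET_OFFSET);
}

/* Fixed shape (what the page describes for 6.60 loadexec): measure the drive
 * name first, refuse anything longer than 0x1F bytes, copy only afterwards.
 * The negative error values are placeholders for this example. */
static int fixed_check_drive(const char *path, char out[DRIVE_MAX + 1]) {
    const char *colon = strchr(path, ':');
    if (colon == NULL) return -1;            /* no drive separator at all */
    size_t len = (size_t)(colon - path);
    if (len > DRIVE_MAX) return -2;          /* drive name too long */
    memcpy(out, path, len);
    out[len] = '\0';
    return 0;
}

/* Build the trigger the text describes: 44 filler bytes, the little-endian
 * target address in bytes 44..47, then the ':' that ends the copy loop. The
 * four address bytes must avoid 0x00 and ':' (0x3A) or the copy stops early. */
static char *craft_path(char out[64], uint32_t target) {
    memset(out, 'A', RET_OFFSET);
    put_le32((uint8_t *)out + RET_OFFSET, target);
    out[FRAME_SIZE] = ':';
    out[FRAME_SIZE + 1] = '\0';
    return out;
}

static char g_path[64];
static char g_drive[DRIVE_MAX + 1];

int main(void) {
    const char *normal = "ms0:/PSP/GAME/HOMEBREW/EBOOT.PBP";
    printf("normal path:  returns to 0x%08X\n", vuln_check_drive(normal));
    craft_path(g_path, 0x08904141u);   /* constructed user-RAM address */
    printf("crafted path: returns to 0x%08X\n", vuln_check_drive(g_path));
    printf("fixed, normal:  %d (drive \"%s\")\n", fixed_check_drive(normal, g_drive), g_drive);
    printf("fixed, crafted: %d\n", fixed_check_drive(g_path, g_drive));
    return 0;
}
```

Note the constraint the crafted address has to satisfy: because the copy stops on NUL and on ':', an address containing a 0x00 or 0x3A byte cannot be written this way, which limits the usable targets to addresses whose four bytes are all "string-safe".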
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the word at 0xBC100000) is not zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is zero, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, which allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not control the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block using a previous-block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately skips the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key only after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows easily retrieving the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel out in the XOR and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12099 Vulnerabilities 2023-10-11T20:40:47Z <p>CelesteBlue: /* sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: a 2005 date means unpatched, a 2006 date means patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer which the system later &lt;code&gt;jalr&lt;/code&gt;s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain text and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header file for .vmc would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in kernel and make it point to some function in usermode instead. Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. 
Instead, they added a few mitigations like XOR’ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you’d have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing a too long string as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure could exist. 
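For reference, here is what such a k1 check looks like, as an added example in C (my own code, not from this page nor from any of the projects it links; it also illustrates the sceWlanGetEtherAddr entry further down): the caller-mode marker the PSP kernel derives from $k1, a pointer and buffer check built on it, and a simulated "write the ethernet address to dest" routine shown without and with the check. The helper names, the error code and the two 256-byte simulated user/kernel windows are constructed for the example; the $k1 = 0x100000 / shift-by-11 convention is the PSP kernel's as I understand it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* On the PSP the syscall entry leaves $k1 = 0x100000 for a user-mode caller
 * and 0 for a kernel-mode caller; kernel code shifts it left by 11 so that
 * bit 31 is set exactly when the caller came from user mode. The helper
 * names, error code and simulated address space below are this example's
 * own, not the SCE kernel's. */
#define K1_USER_RAW      0x00100000u
#define K1_KERNEL_RAW    0x00000000u
#define K1_SHIFT         11
#define ERR_ILLEGAL_ADDR (-1)          /* constructed error value */

/* What the kernel does on entry: the shifted k1 drives every check below. */
uint32_t shift_k1(uint32_t raw_k1) { return raw_k1 << K1_SHIFT; }

/* A pointer passes when, for a user caller (k1 = 0x80000000), bit 31 is
 * clear, i.e. it is not a kseg0/kseg1 kernel address. For a kernel caller
 * (k1 = 0) everything passes, as the real check trusts kernel callers. */
int k1_ptr_ok(uint32_t k1, uint32_t addr) { return (addr & k1) == 0; }

/* A buffer passes when both its first and last byte pass; the end check
 * catches a user buffer that starts low but runs up into kernel space. */
int k1_buf_ok(uint32_t k1, uint32_t addr, uint32_t size) {
    uint32_t end;
    if (size == 0) return k1_ptr_ok(k1, addr);
    end = addr + size - 1;
    if (end < addr) return 0;                  /* wrapped around: reject */
    return k1_ptr_ok(k1, addr) && k1_ptr_ok(k1, end);
}

/* Simulated address space (constructed): two 256-byte windows stand in for
 * user RAM (0x08800000) and kernel RAM (0x88000000, cached kseg0 view) so
 * the example runs on a PC; real kernel code dereferences `dest` directly. */
#define SIM_USER_BASE   0x08800000u
#define SIM_KERNEL_BASE 0x88000000u
#define SIM_WIN         256u
uint8_t sim_user[SIM_WIN];
uint8_t sim_kernel[SIM_WIN];

uint8_t *sim_resolve(uint32_t addr, uint32_t size) {
    if (size > SIM_WIN) return NULL;
    if (addr >= SIM_USER_BASE && addr - SIM_USER_BASE <= SIM_WIN - size)
        return sim_user + (addr - SIM_USER_BASE);
    if (addr >= SIM_KERNEL_BASE && addr - SIM_KERNEL_BASE <= SIM_WIN - size)
        return sim_kernel + (addr - SIM_KERNEL_BASE);
    return NULL;
}

/* Constructed MAC address that the simulated driver reports. */
const uint8_t SIM_ETHER_ADDR[6] = { 0x02, 0x00, 0x5e, 0x00, 0x00, 0x01 };

/* Vulnerable shape: writes the 6-byte address wherever `dest` points, so a
 * user caller can aim it at kernel memory. This is the sceWlanGetEtherAddr
 * (PS Vita <= 1.80) and sceWlanDrv_lib "kwrite" situation. 0 on success. */
int get_ether_addr_unchecked(uint32_t dest) {
    uint8_t *p = sim_resolve(dest, 6);
    if (!p) return ERR_ILLEGAL_ADDR;           /* outside the simulation */
    memcpy(p, SIM_ETHER_ADDR, 6);
    return 0;
}

/* Hardened shape: the same routine behind the k1 check SCE added. */
int get_ether_addr_checked(uint32_t k1, uint32_t dest) {
    if (!k1_buf_ok(k1, dest, 6)) return ERR_ILLEGAL_ADDR;
    return get_ether_addr_unchecked(dest);
}

int main(void) {
    uint32_t user_k1 = shift_k1(K1_USER_RAW);
    printf("user caller, kernel dest: %d (expect %d)\n",
           get_ether_addr_checked(user_k1, 0x88000020u), ERR_ILLEGAL_ADDR);
    printf("user caller, user dest:   %d (expect 0)\n",
           get_ether_addr_checked(user_k1, SIM_USER_BASE));
    return 0;
}
```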
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in the PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so it is necessary to read kernel memory before exploiting and to restore the other 12 bytes afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (+ an extra ':' char to let the loop end), containing an address to an arbitrary position in memory (pointing to a function of ours, for example) located from the 44th to 47th chars of the filename, will allow us to run any code we want in the context of the executing routine (kernel mode), as when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
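As an added example (my own C, not hitchhikr's code nor Sony's loadexec), here is the drive-name extraction done the way the later firmware does it: measure the length up to ':' first, refuse anything longer than 0x1F bytes or larger than the destination, and only then copy. The 48-byte buffer size and the 0x1F limit come from the text above; the function names, error codes and the treatment of an empty drive name as an error are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants of this example. The 2.60 routine reserved 48 bytes of stack with
 * the return address in the last four; later firmware rejects drive names
 * longer than 0x1F bytes. Function names and error codes are constructed. */
#define DRIVE_BUF_SIZE 48
#define DRIVE_NAME_MAX 0x1F
#define ERR_BAD_DRIVE  (-1)   /* longer than 0x1F or than the buffer */
#define ERR_NO_DRIVE   (-2)   /* no ':' or empty drive name (assumption) */

/* Length of the drive part of `path` (characters before the first ':'),
 * or -1 when the path has no ':' at all. Measures, never copies. */
long drive_name_length(const char *path) {
    const char *colon = strchr(path, ':');
    return colon ? (long)(colon - path) : -1;
}

/* Bounded drive-name copy. The 2.01-2.60 routine copied until ':' with no
 * length check, so a 48-character drive name reached the saved return
 * address; here the length is measured first and the copy is refused unless
 * it fits both the 0x1F limit and the caller's buffer (with room for the
 * terminator). Returns the drive-name length, or a negative error. */
long extract_drive_name(const char *path, char *out, size_t out_size) {
    long len = drive_name_length(path);
    if (len <= 0) return ERR_NO_DRIVE;
    if (len > DRIVE_NAME_MAX || (size_t)len >= out_size) return ERR_BAD_DRIVE;
    memcpy(out, path, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Does `path` carry exactly the drive name `expected`? */
int drive_name_is(const char *path, const char *expected) {
    char buf[DRIVE_BUF_SIZE];
    return extract_drive_name(path, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}

/* Status for a constructed path whose drive name is `n` copies of 'A'
 * followed by ":/x" (n <= 120); lets a caller probe the limit directly. */
long status_for_drive_len(size_t n) {
    char path[128];
    char buf[DRIVE_BUF_SIZE];
    if (n > 120) return ERR_BAD_DRIVE;
    memset(path, 'A', n);
    strcpy(path + n, ":/x");
    return extract_drive_name(path, buf, sizeof buf);
}

int main(void) {
    printf("ms0:/PSP/GAME/EBOOT.PBP -> %s\n",
           drive_name_is("ms0:/PSP/GAME/EBOOT.PBP", "ms0") ? "ms0" : "rejected");
    printf("31-char drive -> %ld, 32-char -> %ld, 48-char -> %ld\n",
           status_for_drive_len(31), status_for_drive_len(32),
           status_for_drive_len(DRIVE_BUF_SIZE));
    return 0;
}
```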
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/GTA%20stub/loader.c<br /> <br /> https://github.com/mathieulh/3.90-M33/blob/master/experiments/iplreboot/experiments/experiments/kernel/dump_reboot_v2.6/copy.c<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, with one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
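<br /> <br /> The two views of the ~SCE header, as an added example in C (not loadcore's code; the "~SCE" magic and the stand-in "~PSP" and ELF bytes placed in the constructed image are assumptions, while the 64-byte header, the sce_size field at +4 and the two skip rules come from the text). It shows the loader and the probe disagreeing on where the object starts as soon as sce_size is not 64, and the consistency check that closes the gap:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCE_HDR_LEN 64u          /* the ~SCE header is 64 bytes (from the text) */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* "~SCE" magic at +0 (assumed) and a positive sce_size at +4, the test the text describes. */
static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HDR_LEN && memcmp(buf, "~SCE", 4) == 0 && (int32_t)rd32le(buf + 4) > 0;
}

/* Decrypt/load side (sceKernelCheckExecFile, sceKernelLoadExecutableObject):
 * skip the fixed 64 bytes. */
static size_t load_offset(const uint8_t *buf, size_t len)
{
    return has_sce_header(buf, len) ? SCE_HDR_LEN : 0;
}

/* Probe side (sceKernelProbeExecutableObject): skip sce_size bytes instead. */
static size_t probe_offset(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len))
        return 0;
    uint32_t sce_size = rd32le(buf + 4);
    return sce_size + 4 <= len ? sce_size : 0;
}

/* Consistent rule: either no ~SCE header, or sce_size equal to the fixed skip, so the
 * metadata the probe reports describes the bytes the loader actually consumes. */
static int sce_header_consistent(const uint8_t *buf, size_t len)
{
    return !has_sce_header(buf, len) || rd32le(buf + 4) == SCE_HDR_LEN;
}

/* What starts at off: 1 = plain ELF, 2 = "~PSP" (encrypted PRX header), 0 = other. */
static int magic_at(const uint8_t *buf, size_t len, size_t off)
{
    if (off + 4 > len) return 0;
    if (memcmp(buf + off, "\x7f" "ELF", 4) == 0) return 1;
    if (memcmp(buf + off, "~PSP", 4) == 0) return 2;
    return 0;
}

/* Constructed image (stand-in bytes, not a real PRX): ~SCE header with the given
 * sce_size, a plain ELF magic at +64 and a "~PSP" magic at +0x80. */
static uint8_t image[0x100];

static size_t build_image(uint32_t sce_size)
{
    memset(image, 0, sizeof image);
    memcpy(image, "~SCE", 4);
    wr32le(image + 4, sce_size);
    memcpy(image + SCE_HDR_LEN, "\x7f" "ELF", 4);
    memcpy(image + 0x80, "~PSP", 4);
    return sizeof image;
}

int main(void)
{
    size_t len = build_image(0x80);
    printf("loader reads from +0x%zx (kind %d), probe reads from +0x%zx (kind %d), consistent=%d\n",
           load_offset(image, len), magic_at(image, len, load_offset(image, len)),
           probe_offset(image, len), magic_at(image, len, probe_offset(image, len)),
           sce_header_consistent(image, len));
    return 0;
}
```

With sce_size = 0x80 the probe describes the "~PSP" object at +0x80 while the loader consumes the plain ELF at +64; with sce_size = 64 both agree and the consistency check passes.<br /> <br />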
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the word at address 0xBC100000 and of coprocessor register $9 to make the bootrom jump to an arbitrary location taken from that register.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address held in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad range (0xA0010000 uncached; 0x80010000 cached) is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows the key to be retrieved from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier; this results in the cache being synced once the key is already gone. 
This allows the key to be retrieved easily using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hashes of the IPL blocks as they are loaded, and then verifies the signature against this final XOR value.<br /> <br /> This means that inserting two identical blocks into the chain cancels out their contribution to the XOR, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12097 Vulnerabilities 2023-10-11T09:43:41Z <p>CelesteBlue: /* _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
*/</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
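<br /> <br /> The .size handling described above, as an added example in C (not the game's code nor the pspsdk savedata sample; the struct layout, the "LCS1" magic and the 64-byte struct size are placeholders, and the images are constructed, already decrypted DATA.BIN stand-ins, with only the .size field at offset 0x0004 coming from the text). The trusting copy is shown beside a loader that bounds .size by both the bytes actually present and the destination:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decrypted DATA.BIN layout; only ".size at offset 0x0004" comes from the
 * text. The struct size (64) is arbitrary and stands for sizeof(savestruct) in the game. */
struct savestruct {
    uint8_t  magic[4];
    uint32_t size;      /* total size, offset 0x0004 */
    uint8_t  body[56];
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The pattern the text describes: the copy length comes from the file, the destination
 * is a fixed stack buffer, nothing is compared. Well defined only while
 * .size <= sizeof(struct savestruct); on a crafted save this is the stack overflow. */
static uint32_t lcs_load_vulnerable(const uint8_t *data, size_t len)
{
    struct savestruct s;
    uint32_t size = rd32le(data + 4);
    (void)len;                          /* the file length is never consulted */
    memcpy(&s, data, size);             /* overflows s when size > sizeof s */
    return size;
}

enum { LCS_OK = 0, LCS_ERR_SHORT = -1, LCS_ERR_SIZE = -2 };

/* Hardened loader: bound .size by the bytes present and by the destination. */
static int lcs_load_fixed(const uint8_t *data, size_t len, struct savestruct *out)
{
    if (len < 8)
        return LCS_ERR_SHORT;
    uint32_t size = rd32le(data + 4);
    if (size > len)
        return LCS_ERR_SHORT;           /* claims more than the file holds */
    if (size > sizeof *out)
        return LCS_ERR_SIZE;            /* would overflow the destination */
    memset(out, 0, sizeof *out);
    memcpy(out, data, size);
    return LCS_OK;
}

static int lcs_check(const uint8_t *data, size_t len)
{
    struct savestruct s;
    return lcs_load_fixed(data, len, &s);
}

/* Constructed (already decrypted) images: a benign save and one whose .size was
 * raised to the file size, which is the edit the exploit makes. */
static uint8_t benign[sizeof(struct savestruct)];
static uint8_t crafted[256];

static int build_saves(void)
{
    memset(benign, 0, sizeof benign);
    memcpy(benign, "LCS1", 4);
    wr32le(benign + 4, (uint32_t)sizeof benign);
    memset(crafted, 'A', sizeof crafted);
    memcpy(crafted, "LCS1", 4);
    wr32le(crafted + 4, (uint32_t)sizeof crafted);   /* 256 > 64 */
    return 2;
}

int main(void)
{
    build_saves();
    printf("benign  : vulnerable copies %u bytes, fixed -> %d\n",
           (unsigned)lcs_load_vulnerable(benign, sizeof benign), lcs_check(benign, sizeof benign));
    printf("crafted : fixed -> %d (vulnerable loader not called: it would smash the stack)\n",
           lcs_check(crafted, sizeof crafted));
    return 0;
}
```

Both bounds matter: checking .size only against the file length still lets a save that is simply larger than the struct overflow the stack, and checking only against the struct lets a truncated file read past its end.<br /> <br />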
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not PS1, PS2, PS3 or PS4' PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later &lt;code&gt;jalr&lt;/code&gt; to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, that is loaded as a whole into RAM. VMC are plain text and there is no integrity check done to it at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) are interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address for the Memory Card you saved are stored in 0x09FFE550 which is in that range (0x09C00000 to 0x0A000000) and in 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there in some other address so no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header file for .vmc would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in the PS3, even on the latest System Software version. It allows the WebKit version to be downgraded in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in kernel and make it point to some function in usermode instead. Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. 
Instead, they added a few mitigations like XOR’ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you would have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as it was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a string that is too long is passed as the argument, the overflowing content can be crafted to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand the PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in the PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the lack of k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user controlled address. The exploitation path is to modify the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end) containing an address to an arbitrary position in memory (pointing to a function of ours, for example) located from the 44th to the 47th char in the filename will allow us to run any code we want in the context of the executing routine (kernel mode), as when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
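The check described above, as an added C example that is not loadexec.prx code: the drive part is measured up to ':' and rejected if longer than 0x1F bytes before any copy into the fixed buffer takes place, and a second function computes how far the original unchecked copy would have reached into the 48-byte frame. Function, constant and return-code names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not loadexec.prx code. Models the drive-name check the page
 * describes: the original routine copied everything before ':' into a 48-byte
 * stack frame with no length check; later firmware rejects names longer than
 * 0x1F bytes. Function, constant and return-code names are assumptions. */

#define DRIVE_NAME_MAX    0x1F   /* limit the page attributes to later loadexec */
#define FRAME_RETADDR_OFF 44     /* return address sits at bytes 44..47 of the frame */

enum drive_status {
    DRIVE_OK       =  0,
    DRIVE_EMPTY    = -1,   /* empty path, or path beginning with ':' */
    DRIVE_NO_COLON = -2,   /* no ':' at all, so there is no drive part */
    DRIVE_TOO_LONG = -3,   /* drive part longer than DRIVE_NAME_MAX */
    DRIVE_BAD_ARGS = -4    /* NULL pointer or undersized output buffer */
};

/* Length of the drive part as the unchecked routine would have copied it:
 * every byte up to the first ':' (this model stops at NUL, where the original
 * loop would keep going). Used only to reason about the frame, never to copy. */
size_t original_copy_length(const char *path) {
    const char *colon = strchr(path, ':');
    return colon ? (size_t)(colon - path) : strlen(path);
}

/* Would an unchecked copy of this drive name reach the saved return address? */
int reaches_return_address(const char *path) {
    return original_copy_length(path) > FRAME_RETADDR_OFF;
}

/* Bounded version: verify the length first, then copy. `out` must hold at
 * least DRIVE_NAME_MAX + 1 bytes; on success it is NUL-terminated. */
int extract_drive_name(const char *path, char *out, size_t outsz) {
    if (path == NULL || out == NULL || outsz < DRIVE_NAME_MAX + 1)
        return DRIVE_BAD_ARGS;
    const char *colon = strchr(path, ':');
    if (colon == NULL)
        return DRIVE_NO_COLON;
    size_t len = (size_t)(colon - path);
    if (len == 0)
        return DRIVE_EMPTY;      /* the "empty drive name" early exit */
    if (len > DRIVE_NAME_MAX)
        return DRIVE_TOO_LONG;   /* the check added in later firmware */
    memcpy(out, path, len);
    out[len] = '\0';
    return DRIVE_OK;
}

/* Convenience wrappers so results can be checked without a caller buffer. */
int drive_name_status(const char *path) {
    char buf[DRIVE_NAME_MAX + 1];
    return extract_drive_name(path, buf, sizeof buf);
}

int drive_name_equals(const char *path, const char *expected) {
    char buf[DRIVE_NAME_MAX + 1];
    return extract_drive_name(path, buf, sizeof buf) == DRIVE_OK
        && strcmp(buf, expected) == 0;
}

/* Constructed sample inputs: a normal Memory Stick path and a 48-byte drive
 * name of the shape the description above gives (6 x 8 'A's, then ':'). */
#define SAMPLE_PATH     "ms0:/PSP/GAME/EBOOT.PBP"
#define LONG_DRIVE_PATH "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" \
                        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" ":/EBOOT.PBP"

int main(void) {
    const char *paths[] = { SAMPLE_PATH, LONG_DRIVE_PATH, ":/x", "no-drive" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char buf[DRIVE_NAME_MAX + 1];
        int rc = extract_drive_name(paths[i], buf, sizeof buf);
        printf("%-60s copy=%zu retaddr=%d status=%d%s%s\n", paths[i],
               original_copy_length(paths[i]), reaches_return_address(paths[i]),
               rc, rc == DRIVE_OK ? " drive=" : "", rc == DRIVE_OK ? buf : "");
    }
    return 0;
}
```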
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows a payload to be written to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows a small IPL block, favorable for the time attack, to be crafted.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor implementation choice. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows the key to be retrieved from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows the key to be easily retrieved using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hash of each IPL block as it is loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12096 Vulnerabilities 2023-10-11T09:41:59Z <p>CelesteBlue: /* _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, otherwise it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability, as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that would normally let you control $ra is translated to native PSP code that lets you control part of a register. This register holds a pointer that the system later jumps to with &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to the memory address translations done by the dynarec), we can only address a fixed 4 MB of RAM. Within these 4 MB of RAM you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain text and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS branch with a positive (forward) offset, and the delay slot is effectively a NOP. This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, the address of the memory card you saved to is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on the PS Vita. On the PS Vita it is also always present at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
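<br /> <br /> Whether a file header is usable as the first instruction of a payload can be settled by decoding its first word as MIPS. The following decoder is an added example, not TN-X's code: it classifies a little-endian 32-bit word as one of the MIPS I-type branches and computes where the branch lands relative to the word itself. The sample input is the 00 50 4D 56 (&quot;\0PMV&quot;) magic of a PSP .VMP virtual memory card file; that POPS's VMC files begin with this header is an assumption of the example, not a statement taken from the page.<br /> <br />

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample: the assumed first four bytes of a PSP .VMP file. */
static const uint8_t vmp_magic[4] = { 0x00, 0x50, 0x4D, 0x56 };

typedef struct {
    int         is_branch;     /* 1 if the word is a PC-relative branch              */
    uint8_t     opcode;        /* bits 31..26                                         */
    uint8_t     rs, rt;        /* register fields (meaning depends on the opcode)     */
    int32_t     offset_words;  /* sign-extended 16-bit immediate, in instructions     */
    int32_t     target_bytes;  /* branch target relative to the branch word itself    */
    const char *name;          /* mnemonic, or NULL if not a branch                   */
} mips_branch_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify a little-endian word as a MIPS I-type branch. Covers the
 * opcode-field branches (beq/bne/blez/bgtz and their "likely" forms, opcodes
 * 4..7 and 20..23) and the REGIMM family (opcode 1) selected by rt. */
mips_branch_t decode_mips_branch(const uint8_t *bytes)
{
    static const char *main_names[]   = { "beq", "bne", "blez", "bgtz" };
    static const char *likely_names[] = { "beql", "bnel", "blezl", "bgtzl" };
    static const char *regimm_names[] = {            /* index = rt */
        "bltz", "bgez", "bltzl", "bgezl",
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        "bltzal", "bgezal", "bltzall", "bgezall" };
    uint32_t w = read_le32(bytes);
    mips_branch_t b = {0};
    b.opcode       = (uint8_t)(w >> 26);
    b.rs           = (w >> 21) & 0x1F;
    b.rt           = (w >> 16) & 0x1F;
    b.offset_words = (int16_t)(w & 0xFFFF);
    /* The target is taken relative to the delay slot: branch + 4 + (offset << 2). */
    b.target_bytes = 4 + b.offset_words * 4;

    if (b.opcode >= 4 && b.opcode <= 7)
        b.name = main_names[b.opcode - 4];
    else if (b.opcode >= 20 && b.opcode <= 23)
        b.name = likely_names[b.opcode - 20];
    else if (b.opcode == 1 && b.rt < 20)
        b.name = regimm_names[b.rt];
    b.is_branch = b.name != 0;
    return b;
}

/* Byte offset inside the VMC at which a payload would be reached when the
 * header word executes, or -1 if the header is not a forward branch. */
int vmc_header_branch_target(const uint8_t *vmc_first_word)
{
    mips_branch_t b = decode_mips_branch(vmc_first_word);
    if (!b.is_branch || b.offset_words <= 0)
        return -1;
    return b.target_bytes;
}
```

For the sample bytes the word is 0x564D5000, opcode 0x15: a bnel $s2, $t5 with a +0x5000-instruction offset, so the branch (taken whenever the two registers differ) lands 0x14004 bytes into the file, which is where a payload would have to be placed. Run the same decoder over the following word to confirm the delay slot is harmless before relying on it.<br /> <br />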
One would normally guess that the header of the .vmc file would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC, where there is absolutely nothing, and we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves a wallpaper and a TIFF image file containing a buffer overflow. Since the wallpaper data sits at a known location (VRAM), the TIFF overflow can be used to jump to that VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys was released, anyone could sign their own usermode applications. A HEN/CFW loads much faster through a signed application than through a game exploit. One can sign a custom vshmain and replace a step in the bootchain with it.<br /> <br /> kgsws first demonstrated this bootchain injection in 2011, which led to the creation of 6.20 permanent custom firmware. Sony patched it in later firmware by requiring an ECDSA signature on the PRX files in the bootchain, which cannot be forged.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files: the version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50/2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here: the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The Infinity installer actually excludes some features (Location Free TV) so that everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is at least partially present on the PS3, even on the latest System Software version: it allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into kernel memory.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, this primitive lets you overwrite a function pointer in the kernel and make it point to a function in usermode instead. Then you can invoke it and run your code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) in order to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. 
Instead, they added a few mitigations like XOR’ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you’d have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? 
===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked too.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to trigger the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex race condition kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a string that is too long is passed as the argument, the overflowing content can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit layer evidently did not know the PSP kernel security model well, because most new and rewritten functions did not perform any k1 check. Oddly, on PS V ita 1.81 SCE developers went as far as fixing sceWlanGetEtherAddr without realising that many similar vulnerabilities remained, so whoever applied that patch was probably someone else who did not believe such a mistake could exist. 
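<br /> <br /> What a k1 check looks like and what its absence allows, as an added example that is neither SCE's code nor ARK's: a model of sceWlanGetEtherAddr with and without the check, run against two small simulated memory windows standing in for the user partition at 0x08800000 and kernel memory at 0x88000000. The k1 convention it models (bit 20 of $k1 set on entry from user mode, shifted left by 11 so that it lines up with bit 31 of the address, zero when called from kernel code) is the PSP kernel's; the window sizes, the MAC bytes, the error values and the function names are this example's assumptions.<br /> <br />

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define K1_FROM_USER     0x00100000u  /* $k1 on a syscall entered from user mode   */
#define K1_FROM_KERNEL   0x00000000u  /* $k1 when the function is called by kernel */
#define ERR_ILLEGAL_ADDR (-1)         /* stands in for the kernel's error code      */
#define ERR_UNMAPPED     (-2)         /* the simulation has no memory there         */

/* Two constructed memory windows standing in for the real address space. */
#define USER_BASE   0x08800000u
#define KERNEL_BASE 0x88000000u
#define SIM_WINDOW  0x100u
static uint8_t sim_user_mem[SIM_WINDOW];
static uint8_t sim_kernel_mem[SIM_WINDOW];
static const uint8_t sim_mac[6] = { 0x00, 0x1D, 0xD8, 0x11, 0x22, 0x33 };  /* made up */

/* Kernel entry convention: bit 20 of $k1 becomes bit 31 after the shift, i.e.
 * 0x80000000 for a user caller and 0 for a kernel caller. */
static uint32_t shift_k1(uint32_t k1_on_entry) { return k1_on_entry << 11; }

/* Pointer check: a kernel address (bit 31 set) from a user caller is refused;
 * a kernel caller, whose k1 is zero, is never refused. */
static int k1_ptr_ok(uint32_t k1, uint32_t addr)
{
    return (addr & k1) == 0;
}

/* Buffer check: start, length and end are all tested, so a user address whose
 * length reaches into 0x8xxxxxxx is refused as well. */
static int k1_buf_ok(uint32_t k1, uint32_t addr, uint32_t len)
{
    return ((addr | len | (addr + len)) & k1) == 0;
}

static uint8_t *sim_translate(uint32_t addr, uint32_t len)
{
    if (addr >= USER_BASE && addr + len <= USER_BASE + SIM_WINDOW)
        return sim_user_mem + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr + len <= KERNEL_BASE + SIM_WINDOW)
        return sim_kernel_mem + (addr - KERNEL_BASE);
    return NULL;
}

void sim_reset(void)
{
    memset(sim_user_mem, 0, sizeof sim_user_mem);
    memset(sim_kernel_mem, 0, sizeof sim_kernel_mem);
}

/* Model of sceWlanGetEtherAddr(dest). with_k1_check == 0 is the PS Vita
 * <= 1.80 PSPemu shape: the six MAC bytes land wherever dest points, kernel
 * memory included. with_k1_check == 1 is the PSP 6.60 (fixed) shape. */
int sim_wlan_get_ether_addr(uint32_t k1_on_entry, uint32_t dest, int with_k1_check)
{
    uint32_t k1 = shift_k1(k1_on_entry);
    if (with_k1_check && !k1_buf_ok(k1, dest, sizeof sim_mac))
        return ERR_ILLEGAL_ADDR;
    uint8_t *p = sim_translate(dest, sizeof sim_mac);
    if (p == NULL)
        return ERR_UNMAPPED;
    memcpy(p, sim_mac, sizeof sim_mac);
    return 0;
}

/* Did the MAC end up in the simulated kernel window at dest? */
int sim_kernel_mem_is_mac(uint32_t dest)
{
    uint8_t *p = dest >= KERNEL_BASE ? sim_translate(dest, sizeof sim_mac) : NULL;
    return p != NULL && memcmp(p, sim_mac, sizeof sim_mac) == 0;
}
```

With the check in place a user caller cannot name a kernel address as the destination, and the buffer form also refuses a user address whose length reaches into kernel space; called from kernel code, k1 is zero and every address passes, which is why the check must sit in every exported function and not only in the ones someone happened to look at.<br /> <br />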
To patch the vulnerabilities, SCE devs simply added k1 checks wherever they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These kexploits were deployed together with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the Ethernet (MAC) address to any location, even kernel memory. The bytes written are therefore your MAC address, so the exploit depends on it. This exploit only exists in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As neither the PSP nor PSPemu has a DACR-style hardware check on pointer arguments, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on PSP nor on PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset to anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable subroutine is located in loadexec.prx, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (from the 44th to the 47th byte). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer, stopping only when it encounters a ':' char. Since it does not check any string length during the copy, a user-supplied drive name that is long enough overwrites the rest of the stack-based values, the return address included. Hence a drive name of 48 chars (plus an extra ':' char so that the loop terminates), carrying the address of an arbitrary position in memory (a function of the attacker's choosing, for example) at the 44th to 47th chars of the filename, allows running any code in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps directly to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
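As an added illustration (not code from loadexec.prx or from any project), the C below models the routine described above: the original loop copies the drive name into a fixed 48-byte stack frame until it meets ':', and the hardened variant applies the later firmware's rule of rejecting any drive name longer than 0x1F bytes before anything is copied. The function names, the flat frame layout and the return codes are assumptions of the model.

```c
#include <stddef.h>
#include <string.h>

#define FRAME_SIZE      48     /* stack frame size described in the text */
#define DRIVE_NAME_MAX  0x1F   /* limit enforced by later loadexec versions */

/* Model of the vulnerable routine (hypothetical name): copies the drive
 * part of the path into the frame until ':' with no length check, so a
 * drive name of 48 characters plus ':' writes over the last four bytes
 * of the frame, where the saved return address lives. Shown only for
 * comparison with the checked variant below; never called here. */
void copy_drive_name_unchecked(const char *path)
{
    char frame[FRAME_SIZE];            /* drive name and saved $ra share it */
    size_t i = 0;
    if (path[0] == '\0')               /* empty drive name: nothing to copy */
        return;
    while (path[i] != ':') {           /* the bug: no bound on i */
        frame[i] = path[i];
        i++;
    }
    frame[i] = ':';
    (void)frame;
}

/* Length of the drive part (characters before ':'), or -1 when the path
 * contains no ':' at all. */
int drive_name_length(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* Hardened variant mirroring the later firmware check: reject any drive
 * name longer than DRIVE_NAME_MAX bytes before copying. out receives the
 * drive name, its ':' and a terminator, so it must hold DRIVE_NAME_MAX + 2
 * bytes. Returns 0 on success, -1 for a missing ':', -2 for an over-long
 * drive name and -3 for a too-small out buffer. */
int copy_drive_name_checked(const char *path, char *out, size_t out_len)
{
    int len = drive_name_length(path);
    if (len < 0)
        return -1;
    if (len > DRIVE_NAME_MAX)          /* would have run past the old frame */
        return -2;
    if (out_len < (size_t)len + 2)
        return -3;
    memcpy(out, path, (size_t)len + 1); /* copy the drive name and the ':' */
    out[len + 1] = '\0';
    return 0;
}

/* Convenience wrapper: validates a path against a correctly sized local
 * buffer and returns the status code of the checked copy. */
int drive_name_status(const char *path)
{
    char out[DRIVE_NAME_MAX + 2];
    return copy_drive_name_checked(path, out, sizeof out);
}
```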
See sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF-loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
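As an added illustration (not loadcore's code), this C models the three code paths described above against a byte buffer: two of them skip a fixed 64 bytes past a ~SCE header, the third skips sce_size bytes, and a consistency check rejects any header on which the paths would disagree about where the ELF starts. The little-endian field layout, the "~SCE" magic string, the sample construction and the function names are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCE_HEADER_SIZE 64            /* the ~SCE header is 64 bytes long */
#define SAMPLE_LEN      (SCE_HEADER_SIZE + 4)

/* The PSP CPU is little-endian; read a 32-bit field. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HEADER_SIZE && memcmp(buf, "~SCE", 4) == 0;
}

/* sce_size: the 32-bit size/offset field at +4 in the ~SCE header. */
static int32_t sce_size_of(const uint8_t *buf)
{
    return (int32_t)read_le32(buf + 4);
}

/* Model of sceKernelCheckExecFile and sceKernelLoadExecutableObject:
 * when sce_size is positive, skip a fixed 64 bytes. */
size_t elf_offset_fixed(const uint8_t *buf, size_t len)
{
    if (has_sce_header(buf, len) && sce_size_of(buf) > 0)
        return SCE_HEADER_SIZE;
    return 0;
}

/* Model of sceKernelProbeExecutableObject: skip sce_size bytes instead. */
size_t elf_offset_probe(const uint8_t *buf, size_t len)
{
    if (has_sce_header(buf, len) && sce_size_of(buf) > 0)
        return (size_t)sce_size_of(buf);
    return 0;
}

/* Consistency check a loader can apply before trusting the header: 1 when
 * both paths would start parsing the ELF at the same offset and that
 * offset lies inside the buffer, 0 otherwise (reject the header). */
int sce_header_consistent(const uint8_t *buf, size_t len)
{
    size_t fixed = elf_offset_fixed(buf, len);
    size_t probe = elf_offset_probe(buf, len);
    return fixed == probe && fixed < len;
}

/* Constructed sample (not a real PRX): a ~SCE header carrying the given
 * sce_size, followed by 4 bytes standing in for the ELF. */
static void build_sample(uint8_t *buf, uint32_t sce_size)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "~SCE", 4);
    buf[4] = (uint8_t)sce_size;
    buf[5] = (uint8_t)(sce_size >> 8);
    buf[6] = (uint8_t)(sce_size >> 16);
    buf[7] = (uint8_t)(sce_size >> 24);
    memcpy(buf + SCE_HEADER_SIZE, "\x7f" "ELF", 4);
}

size_t sample_offset_fixed(uint32_t sce_size)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, sce_size);
    return elf_offset_fixed(buf, SAMPLE_LEN);
}

size_t sample_offset_probe(uint32_t sce_size)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, sce_size);
    return elf_offset_probe(buf, SAMPLE_LEN);
}

int sample_header_consistent(uint32_t sce_size)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, sce_size);
    return sce_header_consistent(buf, SAMPLE_LEN);
}
```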
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not validate the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with a custom payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design implementation.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows easily retrieving the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While Tachyon 0x00600000 and later Lib-PSP iplloader versions may fix this issue, it is irrelevant, because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as it is loaded, and then uses the final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12095 Vulnerabilities 2023-10-10T22:56:32Z <p>CelesteBlue: /* Kernel */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later &lt;code&gt;jalr&lt;/code&gt;s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain (unencrypted) files and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the .vmc file header would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys was released, it became possible to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of the 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature, which we cannot forge, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The Infinity installer actually excludes some features (location free TV) so that everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, on the PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == UID planting Type Confusion kexploits by qwikrazor87 and TheFloW ==<br /> <br /> Exploiting this bug is straightforward:<br /> 1) Plant a fake UID object into the kernel.<br /> 2) Encode this UID object.<br /> 3) Delete the UID object.<br /> <br /> Basically, what you can do with this primitive is overwrite a function pointer in the kernel and make it point to some function in usermode instead. Then, we can invoke it and run our code in kernel mode.<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> === sceKernelAllocPartitionMemory UID plant kexploit by TheFloW (Trinity, ARK-4): PS Vita &lt;= 3.74 ===<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> === sceKernelDeleteThread UID plant kexploit by qwikrazor87: PS Vita &lt;= 3.50 ===<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> After qwikrazor87 released this exploit, Sony of course could not just change their whole design. 
Instead, they added a few mitigations like XOR’ing uid-&gt;uid with a random seed, or detecting that the UID object was within the heap region. These mitigations were quite effective, as you’d have to plant 2^32 different UID objects to successfully guess the random seed. Furthermore, planting data within this heap region was not quite obvious, as that was only used by kernel internals.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> === Stack Pointer UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-29 by qwikrazor87.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> === sceKernelFreePartitionMemory UID plant kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2014-01-03 by qwikrazor87.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> === sceKernelClearEventFlag UID plant (project OILIX) kexploit by qwikrazor87: PS Vita &lt;= ?3.50? ===<br /> <br /> Discovered around 2013-10-15 by qwikrazor87.<br /> <br /> == Kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == _sceKernelFreeMemoryBlock kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too long string is passed as argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that plenty of such vulnerabilities were still there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory needs to be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerability is located in a subroutine of the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end), containing from the 44th to the 47th char an address to an arbitrary position in memory (pointing to a function of ours for example), will allow us to run any code we want in the context of the executing routine (kernel mode), as when it ends it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, with one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier; however, the cache is synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12094 Vulnerabilities 2023-10-10T22:34:27Z <p>CelesteBlue: /* PS1 Game Savedata */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Wipeout (NPEE00004, NPUI94301, NPJI00035) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-08 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4 PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later &lt;code&gt;jalr&lt;/code&gt;s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plaintext and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header of a .vmc file would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than through loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The Infinity installer actually excludes some features (LocationFree TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially on PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free that UID using sceKernelFreePartitionMemory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to trigger the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check/time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check/time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing bytes can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> Whoever ported PSP's sceWlanDrv to the PS Vita's kermit layer did not understand PSP kernel security well: most new and rewritten functions did not perform any k1 check. Oddly, on PS Vita 1.81 SCE developers went as far as fixing sceWlanGetEtherAddr without realising that the same kind of vulnerability was present all over the module, so the person who applied that patch was presumably someone else, who did not believe such a failure could exist. 
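<br /> <br /> What a k1 check does, as an added C model (this is not code from the wiki, from SCE's modules or from any of the linked exploits): the PSP syscall handler leaves $k1 at 0x00100000 for a user-mode caller and at 0 for a kernel-mode caller, and an exported kernel function shifts it left by 11 so that a kernel pointer ANDed with it comes out negative. The names wlan_get_ether_addr_unchecked and wlan_get_ether_addr_checked, the toy memory map, the sample MAC address and the error value are assumptions made for the model; the unchecked variant has the shape of the exports listed in this section, the checked one the shape of the fix.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the PSP k1 convention; not SCE code.  The syscall handler leaves
 * $k1 = 0x00100000 for a user-mode caller and 0 for a kernel-mode caller.  An exported
 * kernel function shifts it left by 11, giving 0x80000000 for a user caller: ANDing a
 * kernel pointer (bit 31 set) with that is negative, ANDing any user pointer gives 0. */
#define K1_USER_RAW   0x00100000u
#define K1_KERNEL_RAW 0x00000000u
#define SCE_KERNEL_ERROR_ILLEGAL_ADDR ((int)0x800200D3)   /* assumed error code value */

static uint32_t shift_k1(uint32_t k1_raw) { return k1_raw << 11; }

/* The standard buffer check: ptr, size and ptr + size must all stay below 0x80000000 for
 * a user caller.  Including ptr + size catches a user pointer that wraps into kernel space.
 * For a kernel caller k1 == 0 and everything passes. */
static int k1_buf_ok(uint32_t k1, uint32_t ptr, uint32_t size) {
    return (int32_t)((ptr | size | (ptr + size)) & k1) >= 0;
}

/* Toy address space: a 256-byte user window at 0x08800000 and a 256-byte kernel window
 * at 0x88000000, standing in for PSP RAM (assumption for the model). */
#define WIN 0x100u
#define USER_BASE   0x08800000u
#define KERNEL_BASE 0x88000000u
static uint8_t g_user_ram[WIN];
static uint8_t g_kernel_ram[WIN];

static uint8_t *sim_ptr(uint32_t addr, uint32_t len) {
    if (addr >= USER_BASE && addr + len <= USER_BASE + WIN) return g_user_ram + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr + len <= KERNEL_BASE + WIN) return g_kernel_ram + (addr - KERNEL_BASE);
    return NULL;   /* outside the toy map; this is not a security check */
}

static void sim_reset(void) {
    memset(g_user_ram, 0, sizeof g_user_ram);
    memset(g_kernel_ram, 0, sizeof g_kernel_ram);
}

/* Constructed sample MAC address, not a real device's. */
static const uint8_t g_mac[6] = { 0x00, 0x1D, 0xD9, 0x11, 0x22, 0x33 };

/* Shape of the bug: the caller's mode is never consulted, so a user-mode caller can have
 * the 6 MAC bytes written over kernel memory. */
static int wlan_get_ether_addr_unchecked(uint32_t k1_raw, uint32_t dest) {
    (void)k1_raw;
    uint8_t *p = sim_ptr(dest, sizeof g_mac);
    if (p == NULL) return -1;
    memcpy(p, g_mac, sizeof g_mac);
    return 0;
}

/* Shape of the fix: shift k1 on entry and refuse a destination a user caller may not touch. */
static int wlan_get_ether_addr_checked(uint32_t k1_raw, uint32_t dest) {
    uint32_t k1 = shift_k1(k1_raw);
    if (!k1_buf_ok(k1, dest, sizeof g_mac)) return SCE_KERNEL_ERROR_ILLEGAL_ADDR;
    uint8_t *p = sim_ptr(dest, sizeof g_mac);
    if (p == NULL) return -1;
    memcpy(p, g_mac, sizeof g_mac);
    return 0;
}

int main(void) {
    sim_reset();
    printf("unchecked, user caller, kernel dest: %d (kernel byte now 0x%02X)\n",
           wlan_get_ether_addr_unchecked(K1_USER_RAW, KERNEL_BASE + 0x10), g_kernel_ram[0x11]);
    printf("checked,   user caller, kernel dest: 0x%08X\n",
           (unsigned)wlan_get_ether_addr_checked(K1_USER_RAW, KERNEL_BASE + 0x20));
    printf("checked,   user caller, user dest:   %d\n",
           wlan_get_ether_addr_checked(K1_USER_RAW, USER_BASE + 0x40));
    return 0;
}
```

The check covers ptr, size and ptr + size together, so a user pointer near the top of user space cannot wrap into kernel memory; for a kernel caller k1 is 0 and the check is a no-op, which is why the same export can serve both kinds of caller.<br /> <br /> 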
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // setter: writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // setter: writes to 0x00017A48 : memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // setter: writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were chained with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in the PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because it lacks k1 checks, sceWlanGetEtherAddr can write the Ethernet (MAC) address to any location, including kernel memory. This means that what the exploit can write depends on the console's MAC address. This exploit only exists in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed to it. As there is no DACR on PSP or in PSPemu, kernel pointers can be passed. 
As it performs a 64-bit comparison and returns different values for a0 &lt; a1, a0 == a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address: it lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) with one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed to it. As there is no DACR on PSP or in PSPemu, kernel pointers can be passed. As it performs a signed 32-bit comparison and returns different values for a0 &lt;= a1 and a0 &gt; a1, this function can also be used to bruteforce the value at a kernel address: it lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
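<br /> <br /> Both bit-recovery loops, the 64-bit one for sceRtcCompareTick and the 32-bit one for sceNetMCopyback, as an added C model (this is not code from the wiki, from davee or from ARK-4): the 3-way 64-bit comparison recovers a value in 64 calls, the 2-way signed 32-bit comparison in 32. The two oracle functions, their return conventions (negative/zero/positive for the 64-bit one, non-zero when a0 &lt;= a1 for the 32-bit one), the helper names and the &quot;kernel&quot; values are assumptions; the real attack hands a kernel address to the unchecked syscall, whereas here the pointer simply targets a variable in the same process.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>

/* Added model (not SCE code) of the two comparison oracles.  In the real attack the first
 * pointer is a kernel address handed to an unchecked syscall; here it is just a pointer
 * into this process.  Return conventions are assumptions: the 64-bit oracle returns
 * <0 / 0 / >0, the 32-bit one returns non-zero when a0 <= a1 as signed integers. */
static unsigned g_oracle_calls;   /* counts oracle invocations so the 64 / 32 figures can be checked */

static int rtc_compare_tick_model(const uint64_t *a, const uint64_t *b) {
    g_oracle_calls++;
    return (*a < *b) ? -1 : (*a > *b) ? 1 : 0;
}

static int netm_copyback_le_model(const int32_t *a, const int32_t *b) {
    g_oracle_calls++;
    return *a <= *b;
}

/* 64 comparisons, most significant bit first.  Invariant: acc holds the target's bits
 * above the current one with all lower bits clear, so target >= (acc | bit) exactly when
 * the target has that bit set. */
static uint64_t leak_u64(int (*cmp)(const uint64_t *, const uint64_t *), const uint64_t *kaddr) {
    uint64_t acc = 0;
    for (int bit = 63; bit >= 0; bit--) {
        uint64_t probe = acc | ((uint64_t)1 << bit);
        if (cmp(kaddr, &probe) >= 0) acc = probe;
    }
    return acc;
}

/* 32 comparisons against a signed "<=" oracle.  The sign bit is settled first (every
 * negative value is <= -1); after that both operands share a sign, so signed order equals
 * unsigned order on the remaining bits.  For each lower bit the probe is acc with that bit
 * clear and every bit below it set: target <= probe exactly when the bit is 0. */
static int32_t leak_s32(int (*le)(const int32_t *, const int32_t *), const int32_t *kaddr) {
    uint32_t acc = 0;
    int32_t probe = -1;
    if (le(kaddr, &probe)) acc = 0x80000000u;
    for (int bit = 30; bit >= 0; bit--) {
        probe = (int32_t)(acc | (((uint32_t)1 << bit) - 1u));
        if (!le(kaddr, &probe)) acc |= (uint32_t)1 << bit;
    }
    return (int32_t)acc;
}

/* Constructed "kernel" values for the demonstration. */
static uint64_t g_kernel_u64 = 0x8801F0C0A5A5A5A5ull;
static int32_t  g_kernel_s32 = (int32_t)0x8800F00Du;

int main(void) {
    g_oracle_calls = 0;
    uint64_t v = leak_u64(rtc_compare_tick_model, &g_kernel_u64);
    printf("sceRtcCompareTick-style leak: 0x%016llX in %u calls\n", (unsigned long long)v, g_oracle_calls);
    g_oracle_calls = 0;
    int32_t w = leak_s32(netm_copyback_le_model, &g_kernel_s32);
    printf("sceNetMCopyback-style leak:   0x%08X in %u calls\n", (unsigned)w, g_oracle_calls);
    return 0;
}
```

The sign bit needs its own step only for the signed oracle; the unsigned 64-bit comparison is a plain most-significant-bit-first search, and a 3-way result is no advantage over a 2-way one here, since one probe per bit is already the minimum.<br /> <br /> 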
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of missing k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the original kernel memory has to be read before exploiting so that the other 12 bytes can be restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is to modify the 0xBC000000 memory permission settings so as to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable code is a subroutine in loadexec.prx, located at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (at offsets 44 to 47). It starts by checking the first char of the string to see whether the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer, stopping only when it encounters a ':' char. Since it does not check the string length during the copy, a long enough user-supplied drive name overwrites the rest of the stack frame, including the return address. Hence a drive name of 48 chars (plus an extra ':' char to end the loop) whose bytes 44 to 47 hold an arbitrary address (pointing to a function of ours, for example) lets us run any code we want in the context of the executing routine (kernel mode): when the routine returns, it reloads the return address from the stack and jumps straight to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
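<br /> <br /> The routine described above and its later hardened form, as an added C model (this is not SCE's loadexec code and not hitchhikr's exploit): the frame layout follows the text (48 bytes, return address at offsets 44 to 47), the 0x1F limit is the one the later firmware applies, and the function names, return values and the placeholder target address 0x08912345 are assumptions. The vulnerable copy is bounded to the model's own 48-byte frame only to keep the demonstration free of undefined behaviour; the real routine keeps writing into the caller's frame.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model (not SCE code or hitchhikr's exploit) of the drive-name routine: a 48-byte
 * stack frame whose last 4 bytes hold the saved return address.  Return values are
 * assumptions for the model. */
#define FRAME_SIZE 48
#define RA_OFFSET  44
#define DRIVE_MAX  0x1F           /* limit enforced by later firmware */
#define ERROR_ILLEGAL_DRIVE (-1)
#define ERROR_MODEL_LIMIT   (-2)  /* model-only: the real routine keeps writing */

struct frame {
    uint8_t drive[RA_OFFSET];     /* the drive-name copy lands here ... */
    uint8_t saved_ra[4];          /* ... and the return address sits right after it (little-endian) */
};

static uint32_t frame_ra(const struct frame *f) {
    return (uint32_t)f->saved_ra[0] | (uint32_t)f->saved_ra[1] << 8 |
           (uint32_t)f->saved_ra[2] << 16 | (uint32_t)f->saved_ra[3] << 24;
}

static void frame_set_ra(struct frame *f, uint32_t ra) {
    f->saved_ra[0] = (uint8_t)ra;         f->saved_ra[1] = (uint8_t)(ra >> 8);
    f->saved_ra[2] = (uint8_t)(ra >> 16); f->saved_ra[3] = (uint8_t)(ra >> 24);
}

/* Vulnerable form: copy until ':' with no length check.  To stay free of undefined
 * behaviour the model stops at the end of its own 48-byte frame, which is exactly where
 * the real code would start overwriting the caller's frame as well. */
static int copy_drive_vulnerable(struct frame *f, const uint8_t *path, size_t path_len) {
    uint8_t *stack = (uint8_t *)f;
    size_t i;
    if (path_len == 0 || path[0] == ':') return 0;          /* empty drive name */
    for (i = 0; i < path_len && path[i] != ':'; i++) {
        if (i >= FRAME_SIZE) return ERROR_MODEL_LIMIT;
        stack[i] = path[i];                                 /* bytes 44..47 overwrite saved_ra */
    }
    return (int)i;
}

/* Hardened form: measure the drive name first and reject anything over 0x1F bytes. */
static int copy_drive_hardened(struct frame *f, const uint8_t *path, size_t path_len) {
    const uint8_t *colon = memchr(path, ':', path_len);
    size_t len = colon ? (size_t)(colon - path) : path_len;
    if (len > DRIVE_MAX) return ERROR_ILLEGAL_DRIVE;
    memcpy(f->drive, path, len);
    f->drive[len] = 0;                                      /* len <= 0x1F < 44: in bounds */
    return (int)len;
}

/* Builds the path shape the text describes: 44 filler bytes, a little-endian address in
 * positions 44..47, then the ':' that ends the copy loop.  The target is a placeholder. */
static size_t build_evil_path(uint8_t *out, size_t cap, uint32_t target) {
    if (cap < FRAME_SIZE + 1) return 0;
    memset(out, 'A', RA_OFFSET);
    out[44] = (uint8_t)target;         out[45] = (uint8_t)(target >> 8);
    out[46] = (uint8_t)(target >> 16); out[47] = (uint8_t)(target >> 24);
    out[48] = ':';
    return FRAME_SIZE + 1;
}

int main(void) {
    struct frame f;
    uint8_t path[64];
    size_t n = build_evil_path(path, sizeof path, 0x08912345u);
    memset(&f, 0, sizeof f);
    frame_set_ra(&f, 0x88064D00u);                          /* pretend legitimate return address */
    copy_drive_vulnerable(&f, path, n);
    printf("vulnerable: saved return address is now 0x%08X\n", frame_ra(&f));
    frame_set_ra(&f, 0x88064D00u);
    printf("hardened:   result %d, saved return address 0x%08X\n",
           copy_drive_hardened(&f, path, n), frame_ra(&f));
    return 0;
}
```

The hardened variant measures before it copies, which is the only order that works: a check placed after the copy loop would run with the return address already overwritten.<br /> <br /> 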
See sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, apart from a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
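<br /> <br /> The inconsistency described above, as an added C model (this is not loadcore code and not Infinity's): one function computes the body offset the way sceKernelCheckExecFile and sceKernelLoadExecutableObject are described as doing (a fixed 64 bytes when sce_size is positive), another the way sceKernelProbeExecutableObject is described as doing (sce_size bytes), and a constructed file shows them classifying different bytes. The magic values are the real ~SCE, ~PSP and ELF ones; the file layout Infinity actually uses is not given on this page, so the sample layout, the helper names and the body_kind enum are assumptions.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model (not loadcore code) of the ~SCE header handling.  The sample body layout is
 * constructed for the demonstration and is not the layout Infinity uses. */
#define SCE_HDR_LEN 64u
static const uint8_t SCE_MAGIC[4] = { '~', 'S', 'C', 'E' };
static const uint8_t PSP_MAGIC[4] = { '~', 'P', 'S', 'P' };     /* encrypted PRX header */
static const uint8_t ELF_MAGIC[4] = { 0x7F, 'E', 'L', 'F' };     /* plaintext ELF */

/* sce_size: the 32-bit little-endian field at +4 of a ~SCE header (0 if no such header). */
static int32_t sce_size_of(const uint8_t *buf, size_t len) {
    if (len < SCE_HDR_LEN || memcmp(buf, SCE_MAGIC, 4) != 0) return 0;
    return (int32_t)((uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                     (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24);
}

/* sceKernelCheckExecFile / sceKernelLoadExecutableObject, per the text: skip a fixed
 * 64 bytes whenever sce_size is positive. */
static size_t loader_body_offset(const uint8_t *buf, size_t len) {
    return sce_size_of(buf, len) > 0 ? SCE_HDR_LEN : 0;
}

/* sceKernelProbeExecutableObject, per the text: skip sce_size bytes instead. */
static size_t probe_body_offset(const uint8_t *buf, size_t len) {
    int32_t s = sce_size_of(buf, len);
    return s > 0 ? (size_t)s : 0;
}

enum body_kind { BODY_UNKNOWN, BODY_ENCRYPTED_PSP, BODY_PLAIN_ELF };

static enum body_kind classify(const uint8_t *buf, size_t len, size_t off) {
    if (off > len || len - off < 4) return BODY_UNKNOWN;
    if (memcmp(buf + off, PSP_MAGIC, 4) == 0) return BODY_ENCRYPTED_PSP;
    if (memcmp(buf + off, ELF_MAGIC, 4) == 0) return BODY_PLAIN_ELF;
    return BODY_UNKNOWN;
}

/* The property a consistent loader must have: every consumer of the file agrees on where
 * the body starts.  Any file for which this returns 0 is one where the probe judges bytes
 * the loader never uses, and vice versa. */
static int views_agree(const uint8_t *buf, size_t len) {
    return loader_body_offset(buf, len) == probe_body_offset(buf, len);
}

/* Constructed sample: ~SCE header with the given sce_size, a ~PSP magic at +0x40 and an
 * ELF magic at +0x80, so the two offsets can be told apart. */
static size_t build_sample(uint8_t *out, size_t cap, uint32_t sce_size) {
    const size_t total = 0x90;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, SCE_MAGIC, 4);
    out[4] = (uint8_t)sce_size;         out[5] = (uint8_t)(sce_size >> 8);
    out[6] = (uint8_t)(sce_size >> 16); out[7] = (uint8_t)(sce_size >> 24);
    memcpy(out + 0x40, PSP_MAGIC, 4);
    memcpy(out + 0x80, ELF_MAGIC, 4);
    return total;
}

int main(void) {
    uint8_t buf[0x90];
    size_t len = build_sample(buf, sizeof buf, 0x80);
    printf("sce_size=0x80: loader at +0x%zx (kind %d), probe at +0x%zx (kind %d), agree=%d\n",
           loader_body_offset(buf, len), (int)classify(buf, len, loader_body_offset(buf, len)),
           probe_body_offset(buf, len), (int)classify(buf, len, probe_body_offset(buf, len)),
           views_agree(buf, len));
    return 0;
}
```

With sce_size equal to the header length the two views coincide; with any other positive value the probe and the loader reason about different bytes, and a check performed on one view says nothing about what the other will load. The views_agree check is the invariant a fixed loader has to enforce, by deriving the offset in one place and sharing it.<br /> <br /> 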
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, features an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, within the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address held in that register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # read coprocessor register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as the load address, which makes the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad range (0xA0010000 uncached; 0x80010000 cached) is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it loads/copies the block. It will happily perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, provided the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. In the Pandora hack this was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100, which made it possible to craft a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not validate the block size. 
This allows crafting a small IPL block, which is favourable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous-block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without prior knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is presumably also done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows an attacker able to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, provided all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) pass.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This makes it possible to retrieve the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier, which results in the cache being synced only once the key is already gone. 
This makes it easy to retrieve the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it is possible that Tachyon 0x00600000 and later Lib-PSP iplloader revisions fix this issue, that is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hashes of the IPL blocks as they are loaded, and then verifies the signature against this final XOR value.<br /> <br /> This means that inserting two identical blocks into the chain cancels out their contribution to the XOR, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12093 Vulnerabilities 2023-10-10T22:31:07Z <p>CelesteBlue: /* Kernel */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later &lt;code&gt;jalr&lt;/code&gt;s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain text and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the memory card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on the PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
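<br /> <br /> The claim that the card's first word decodes as a forward branch can be checked with a MIPS control-transfer decoder. The following is an added example, not code from TN-X, cef_psx or the page's authors. It assumes the image that POPS maps into RAM begins with the PSP .VMP container magic &quot;\0PMV&quot; (bytes 00 50 4D 56); the raw PS1 card signature &quot;MC&quot; is decoded alongside for contrast, and the base address 0x09C00000 is only a placeholder inside the 4MB window mentioned above.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: decode the first word of a memory-card image as a MIPS
 * instruction and report where execution continues if it is a branch/jump.
 * Assumption: the in-RAM image starts with the .VMP magic "\0PMV". */

enum mips_kind { MIPS_OTHER = 0, MIPS_BRANCH = 1, MIPS_JUMP = 2 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify a MIPS I/II control-transfer instruction located at pc.
 * On MIPS_BRANCH / MIPS_JUMP, *target receives the destination address. */
enum mips_kind mips_decode_ctl(uint32_t insn, uint32_t pc, uint32_t *target)
{
    uint32_t op = insn >> 26;
    uint32_t rt = (insn >> 16) & 0x1F;
    int32_t  off = (int16_t)(insn & 0xFFFF);          /* signed 16-bit word offset */
    uint32_t branch_target = pc + 4 + ((uint32_t)off << 2);

    switch (op) {
    case 0x02: case 0x03:                             /* J, JAL: 26-bit region jump */
        *target = ((pc + 4) & 0xF0000000u) | ((insn & 0x03FFFFFFu) << 2);
        return MIPS_JUMP;
    case 0x01:                                        /* REGIMM: BLTZ/BGEZ(L)(AL) family */
        if (rt <= 0x03 || (rt >= 0x10 && rt <= 0x13)) { *target = branch_target; return MIPS_BRANCH; }
        return MIPS_OTHER;
    case 0x04: case 0x05: case 0x06: case 0x07:       /* BEQ, BNE, BLEZ, BGTZ */
    case 0x14: case 0x15: case 0x16: case 0x17:       /* BEQL, BNEL, BLEZL, BGTZL */
        *target = branch_target;
        return MIPS_BRANCH;
    default:
        return MIPS_OTHER;
    }
}

/* Treat the first 4 bytes of an image loaded at base as the entry instruction.
 * On a branch/jump, *file_off is the image offset where execution resumes. */
enum mips_kind card_entry_branch(const uint8_t *image, uint32_t base, uint32_t *file_off)
{
    uint32_t target;
    enum mips_kind k = mips_decode_ctl(le32(image), base, &target);
    if (k != MIPS_OTHER)
        *file_off = target - base;
    return k;
}

/* Constructed sample headers (not dumped from a console). */
static const uint8_t g_vmp_head[4]      = { 0x00, 0x50, 0x4D, 0x56 };  /* "\0PMV" (.VMP container) */
static const uint8_t g_raw_card_head[4] = { 'M',  'C',  0x00, 0x00 };  /* raw PS1 card "MC" */

/* Image offset reached through the "\0PMV" word, or 0 if it is not a branch. */
uint32_t vmp_entry_offset(void)
{
    uint32_t off = 0;
    if (card_entry_branch(g_vmp_head, 0x09C00000u, &off) == MIPS_OTHER) return 0;
    return off;
}

int raw_card_entry_is_branch(void)
{
    uint32_t off = 0;
    return card_entry_branch(g_raw_card_head, 0x09C00000u, &off) != MIPS_OTHER;
}

/* Convenience for single instructions: destination, or 0 if not a control transfer. */
uint32_t ctl_target_or_zero(uint32_t insn, uint32_t pc)
{
    uint32_t t = 0;
    return mips_decode_ctl(insn, pc, &t) == MIPS_OTHER ? 0 : t;
}

int main(void)
{
    printf("\"\\0PMV\" as MIPS: execution resumes at image offset 0x%X\n", vmp_entry_offset());
    printf("\"MC\" as MIPS: %s\n", raw_card_entry_is_branch() ? "branch" : "not a branch");
    return 0;
}
```

The word 0x564D5000 (&quot;\0PMV&quot; read little-endian) has opcode 0x15, a BNEL with a positive 16-bit offset of 0x5000, so the decoder lands 0x14004 bytes into the image, inside the 128KB card body. The raw &quot;MC&quot; signature decodes to a SPECIAL-class word instead, which is why the container header matters for this trick.<br /> <br />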
One would normally guess that the header of the .vmc file would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, on the PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM to plant a fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked as well.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly whose purpose is not documented here.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-10-21 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a string that is too long is passed as argument, the overflowing content can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
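<br /> <br /> The check these exports were missing is the PSP kernel's $k1 test on caller-supplied pointers, the same one whose absence in PSPemu's sceWlanGetEtherAddr is described further down. The following is an added example, not ARK's, SCE's or the page's code: a model of an export that writes a 6-byte address wherever the caller points, with and without the check. It assumes $k1 is 0x00100000 on entry from a user-mode syscall and 0 when called from kernel mode (so k1 &lt;&lt; 11 is 0x80000000, the kernel-address bit), takes SCE_KERNEL_ERROR_ILLEGAL_ADDR from the PSP SDK's pspkerror.h, and simulates kernel and user RAM with two small arrays at 0x88000000 and 0x08800000.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the PSP $k1 pointer check modelled beside an export that
 * lacks it. Assumptions: $k1 = 0x00100000 for user-mode callers, 0 for
 * kernel callers; two 64-byte arrays stand in for kernel and user RAM. */

#define K1_USER    0x00100000u
#define K1_KERNEL  0x00000000u
#define SCE_KERNEL_ERROR_ILLEGAL_ADDR 0x800200D3u   /* from pspkerror.h */

#define KMEM_BASE  0x88000000u
#define UMEM_BASE  0x08800000u
#define SIM_SIZE   64u
static uint8_t g_kmem[SIM_SIZE];                    /* simulated kernel RAM */
static uint8_t g_umem[SIM_SIZE];                    /* simulated user RAM */

static const uint8_t g_mac[6] = { 0x00, 0x1D, 0xD8, 0x11, 0x22, 0x33 };  /* constructed */

/* Map a PSP-style address onto one of the simulated regions, or NULL. */
static uint8_t *sim_ptr(uint32_t addr, uint32_t len)
{
    if (addr >= KMEM_BASE && addr + len <= KMEM_BASE + SIM_SIZE) return g_kmem + (addr - KMEM_BASE);
    if (addr >= UMEM_BASE && addr + len <= UMEM_BASE + SIM_SIZE) return g_umem + (addr - UMEM_BASE);
    return NULL;
}

/* The k1 idiom: from user mode (k1 << 11 == 0x80000000) any pointer with bit 31
 * set, or a buffer whose end or length reaches into that range, is rejected.
 * From kernel mode the mask is 0 and every address is allowed. */
static int k1_buf_ok(uint32_t k1, uint32_t addr, uint32_t len)
{
    uint32_t mask = k1 << 11;
    return ((addr | (addr + len) | len) & mask) == 0;
}

/* Unchecked export: writes the address wherever dest points, k1 unused. */
int wlan_get_ether_addr_unchecked(uint32_t k1, uint32_t dest)
{
    uint8_t *p = sim_ptr(dest, 6);
    (void)k1;
    if (!p) return -1;                              /* unmapped in this simulation */
    memcpy(p, g_mac, 6);
    return 0;
}

/* Checked export, as the patched firmware does it. */
int wlan_get_ether_addr_checked(uint32_t k1, uint32_t dest)
{
    uint8_t *p;
    if (!k1_buf_ok(k1, dest, 6)) return (int)SCE_KERNEL_ERROR_ILLEGAL_ADDR;
    p = sim_ptr(dest, 6);
    if (!p) return -1;
    memcpy(p, g_mac, 6);
    return 0;
}

/* A user-mode caller aims dest at kernel RAM. Returns 1 if the unchecked
 * export wrote there and the checked one refused without touching it. */
int demo_user_write_into_kernel(void)
{
    uint32_t target = KMEM_BASE + 16;
    int hit, blocked;
    memset(g_kmem, 0, sizeof g_kmem);
    hit = (wlan_get_ether_addr_unchecked(K1_USER, target) == 0 &&
           memcmp(g_kmem + 16, g_mac, 6) == 0);
    memset(g_kmem, 0, sizeof g_kmem);
    blocked = (wlan_get_ether_addr_checked(K1_USER, target) == (int)SCE_KERNEL_ERROR_ILLEGAL_ADDR &&
               g_kmem[16] == 0);
    return hit && blocked;
}

int main(void)
{
    printf("user -> kernel write: unchecked allows, checked blocks: %s\n",
           demo_user_write_into_kernel() ? "yes" : "no");
    return 0;
}
```

The OR of address, end address and length in k1_buf_ok is what makes the check cheap on MIPS: a single AND against the shifted $k1 catches a kernel pointer, a buffer that wraps past 0x80000000, and an absurd length at once, and costs nothing for kernel callers because their mask is zero.<br /> <br />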
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the value written depends on your ethernet (MAC) address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by davee to dump the kernel of any PSP and to produce the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
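<br /> <br /> The bit-by-bit recovery described for sceRtcCompareTick (64-bit, three-way result) and for sceNetMCopyback (signed 32-bit, two-way result) can be written out once for both shapes of oracle. The following is an added example, neither CelesteBlue's pending implementation nor ARK-4's rodumper: the two oracle_* functions only mimic the comparison semantics the text describes and read ordinary host memory, and g_kword64/g_kword32 hold constructed values standing in for kernel words.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: leak a kernel word through a comparison oracle, one bit per
 * call, most significant bit first. The oracles are stand-ins for the PSP
 * exports; the g_kword* globals play the part of kernel memory. */

static uint64_t g_kword64 = 0x8801C0DE12345678ULL;   /* constructed */
static int32_t  g_kword32 = -123456789;              /* constructed */
static unsigned g_oracle_calls;

/* sceRtcCompareTick stand-in: <0, 0, >0 for *a <, ==, > *b (unsigned 64-bit). */
static int oracle_compare_tick(const uint64_t *a, const uint64_t *b)
{
    g_oracle_calls++;
    return (*a < *b) ? -1 : (*a > *b) ? 1 : 0;
}

/* sceNetMCopyback stand-in: 1 if *a <= *b in signed 32-bit order, else 0. */
static int oracle_le_signed(const int32_t *a, const int32_t *b)
{
    g_oracle_calls++;
    return *a <= *b;
}

/* With the bits above `bit` already recovered in `known` and the bits below it
 * zero in `guess`, the target is >= guess exactly when its current bit is 1.
 * 64 oracle calls, regardless of the value. */
uint64_t leak_u64(const uint64_t *kaddr)
{
    uint64_t known = 0;
    g_oracle_calls = 0;
    for (int bit = 63; bit >= 0; bit--) {
        uint64_t guess = known | (1ULL << bit);
        if (oracle_compare_tick(kaddr, &guess) >= 0)
            known = guess;
    }
    return known;
}

/* Signed two-way oracle: flipping the sign bit turns signed order into
 * unsigned order, so recover the flipped image and ask "target <= guess - 1"
 * (answered 0 means target >= guess, i.e. the bit is set). 32 oracle calls. */
int32_t leak_s32(const int32_t *kaddr)
{
    uint32_t known = 0;                     /* image of the target with bit 31 flipped */
    int32_t probe, result;
    g_oracle_calls = 0;
    for (int bit = 31; bit >= 0; bit--) {
        uint32_t guess = known | (1u << bit);
        uint32_t probe_u = (guess - 1) ^ 0x80000000u;
        memcpy(&probe, &probe_u, 4);        /* reinterpret without UB */
        if (!oracle_le_signed(kaddr, &probe))
            known = guess;
    }
    known ^= 0x80000000u;
    memcpy(&result, &known, 4);
    return result;
}

unsigned oracle_calls(void) { return g_oracle_calls; }

/* Values a sign-bit or off-by-one slip would get wrong. Returns 1 if all recovered. */
int selftest_edges(void)
{
    const uint64_t u[3] = { 0, UINT64_MAX, 1ULL << 63 };
    const int32_t  s[4] = { INT32_MIN, -1, 0, INT32_MAX };
    for (int i = 0; i < 3; i++) if (leak_u64(&u[i]) != u[i]) return 0;
    for (int i = 0; i < 4; i++) if (leak_s32(&s[i]) != s[i]) return 0;
    return 1;
}

int main(void)
{
    printf("64-bit word: 0x%016llX after %u compares\n",
           (unsigned long long)leak_u64(&g_kword64), oracle_calls());
    printf("32-bit word: %d after %u compares\n", (int)leak_s32(&g_kword32), oracle_calls());
    return 0;
}
```

On a real target the same loop runs with kaddr set to a kernel address and the oracle replaced by the actual export; the cost is fixed at one call per bit, so a full 8MB kernel dump is 2^21 words times 32 or 64 calls, which is why such oracles are used to pull specific structures rather than everything.<br /> <br />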
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the memory protection settings at 0xBC000000 to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable routine is located in a subroutine in the loadexec.prx file, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack frame, stopping only when it encounters a ':' char. Since it does not check any string length during the copy, a sufficiently long user-supplied drive name overwrites the rest of the stack-based values, including the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end) that carries an address to an arbitrary position in memory (pointing to a function of ours, for example) in chars 44 to 47 allows running any code in the context of the executing routine (kernel mode), because when the routine ends it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
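As an added example, not loadexec.prx code, here is the drive-name extraction written in C with the length check that later firmware added. The function names, the error codes and the output-buffer argument are this example's own assumptions; the ':' terminator, the 48-byte frame and the 0x1F limit come from the description above.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not loadexec.prx code): a bounded version of the drive-name
 * extraction described above.  The original routine copied characters into a
 * fixed 48-byte stack frame until it met ':' without any length check; later
 * firmware rejects drive names longer than 0x1F bytes.  The names, the error
 * codes and the DRIVE_ERR_OUT_SMALL case are this example's own assumptions. */

#define DRIVE_NAME_MAX 0x1F   /* limit applied by later loadexec versions */
#define DRIVE_BUF_SIZE 48     /* size of the original stack buffer */

enum {
    DRIVE_OK            =  0,
    DRIVE_ERR_NO_COLON  = -1,  /* no ':' found: not a device path */
    DRIVE_ERR_EMPTY     = -2,  /* empty path or empty drive name */
    DRIVE_ERR_TOO_LONG  = -3,  /* drive part exceeds DRIVE_NAME_MAX */
    DRIVE_ERR_OUT_SMALL = -4   /* caller's buffer cannot hold name + NUL */
};

/* Copies the drive part of `path` (everything before the first ':') into
 * `out` as a NUL-terminated string.  Every length check happens before a
 * single byte is written, so an oversized name can never reach the stack
 * buffer, let alone the saved return address stored behind it. */
int extract_drive_name(const char *path, char *out, size_t outsz)
{
    if (path == NULL || out == NULL)
        return DRIVE_ERR_EMPTY;
    if (path[0] == '\0' || path[0] == ':')   /* the "empty drive name" case */
        return DRIVE_ERR_EMPTY;

    const char *colon = strchr(path, ':');
    if (colon == NULL)
        return DRIVE_ERR_NO_COLON;

    size_t len = (size_t)(colon - path);
    if (len > DRIVE_NAME_MAX)          /* the check later firmware added */
        return DRIVE_ERR_TOO_LONG;
    if (len + 1 > outsz)               /* defensive: do not trust outsz either */
        return DRIVE_ERR_OUT_SMALL;

    memcpy(out, path, len);
    out[len] = '\0';
    return DRIVE_OK;
}
```

The check runs before any byte is copied, so a path whose drive part is 48 characters long, the case described above, is refused with DRIVE_ERR_TOO_LONG instead of being copied into the frame; a 31-character (0x1F) name is still accepted.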
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
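Here is an added C model of that disagreement together with the consistency check a loader could apply. It is not loadcore's code: the "~SCE" and "~PSP"/ELF magic values, the function names and the image layout are assumptions of this example, while the fixed 64-byte skip, the sce_size field at +4 and the three consumer behaviours come from the description above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not loadcore code.  It models the disagreement described
 * above: of three loadcore consumers of the optional ~SCE header, two skip
 * a fixed 64 bytes whenever sce_size is positive while the third skips
 * sce_size bytes.  The "~SCE" magic, the "~PSP"/ELF payload magics and all
 * function names are assumptions of this example. */

#define SCE_HDR_LEN 64u
#define SCE_MAGIC   0x4543537Eu   /* "~SCE" read as a little-endian u32 */
#define PSP_MAGIC   0x5053507Eu   /* "~PSP": encrypted module */
#define ELF_MAGIC   0x464C457Fu   /* "\x7FELF": plain ELF */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Behaviour attributed above to sceKernelCheckExecFile and
 * sceKernelLoadExecutableObject: skip the fixed 64-byte header when
 * sce_size (at +4) is positive. */
size_t skip_fixed(const uint8_t *buf, size_t len)
{
    if (len < SCE_HDR_LEN || rd32(buf) != SCE_MAGIC)
        return 0;
    return (int32_t)rd32(buf + 4) > 0 ? SCE_HDR_LEN : 0;
}

/* Behaviour attributed above to sceKernelProbeExecutableObject: skip
 * sce_size bytes, so the header author rather than the header length
 * decides where this consumer starts reading. */
size_t skip_sce_size(const uint8_t *buf, size_t len)
{
    if (len < SCE_HDR_LEN || rd32(buf) != SCE_MAGIC)
        return 0;
    int32_t sce_size = (int32_t)rd32(buf + 4);
    if (sce_size <= 0 || (size_t)sce_size > len)
        return 0;
    return (size_t)sce_size;
}

/* The rule a loader should enforce: every consumer must agree on where the
 * payload starts, and that payload must carry a known magic.  Returns the
 * agreed offset, or -1 when the two skip rules disagree, the image is
 * truncated, or the payload magic is unknown. */
long consistent_payload_offset(const uint8_t *buf, size_t len)
{
    size_t a = skip_fixed(buf, len);
    size_t b = skip_sce_size(buf, len);
    if (a != b)
        return -1;                      /* the inconsistency described above */
    if (len < a + 4)
        return -1;
    uint32_t magic = rd32(buf + a);
    if (magic != PSP_MAGIC && magic != ELF_MAGIC)
        return -1;
    return (long)a;
}
```

An image whose sce_size equals the 64-byte header length passes unchanged; one whose sce_size points elsewhere is refused before any consumer acts on it, because the fixed-skip and sce_size-skip readers no longer agree on the payload offset.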
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (word at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader-time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows a payload to be written to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design choice.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows the key to be retrieved from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows the key to be retrieved easily using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader versions fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block's hash into a running value as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change, so the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12092 Vulnerabilities 2023-10-10T22:25:22Z <p>CelesteBlue: /* PS1 Game Savedata */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 and vonjack ===<br /> <br /> Discovered around 2014-04-19 by qwikrazor87 and vonjack.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87, Acid_snake and vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability, as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4 PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later jumps to with &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card (VMC), which is loaded as a whole into RAM. VMCs are plaintext and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always present at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the .vmc file header would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC, where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than through the loading of a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good hijacked function is _sceG729EncodeTermResource, but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-12-12 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing a too long string as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand the PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a fail could be. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita kermit_wlan.prx module, not PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. GEN 5.50 source code is not public so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the kernel memory has to be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, then it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (+ an extra ':' char to let the loop end) containing an address to an arbitrary position in memory (pointing to a function of ours for example) located from the 44th to 47th chars in the filename will allow us to run any code we want in the context of the executing routine (kernel mode), as when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
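The copy-until-':' routine and the length bound that later firmware added, written out as an added C example (this is not code from loadexec.prx nor from hitchhikr's release). The 48-byte frame, the stop-at-':' behaviour and the 0x1F limit come from the description above; the function names, the NUL stop in the unchecked loop and the 64-byte output buffer are assumptions made for the sample:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from loadexec.prx. Models the drive-name
 * extraction the page describes: the drive part of a path is everything
 * before the first ':'. The 0x1F limit is the check later firmware added;
 * function names and buffer sizes are assumptions. */

#define DRIVE_NAME_LIMIT 0x1F   /* later loadexec rejects longer drive names */
#define STACK_BUF_SIZE   48     /* size of the stack frame the page describes */

/* Bug pattern from the page: copy characters until ':' with no length
 * check at all. The destination is a fixed-size buffer, so a drive name
 * longer than it overruns whatever follows it on the stack. The NUL stop
 * is added here only so the sample cannot run off the end of a string.
 * Kept only to contrast with the checked version below; call it with
 * trusted, short input only. Returns the number of characters copied. */
int drive_name_unchecked(const char *path, char *dst)
{
    int i = 0;
    while (path[i] != ':' && path[i] != '\0') {   /* no bound on i */
        dst[i] = path[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Hardened version: measure first, reject missing or over-long drive
 * names, then copy with the destination size respected.
 * Returns the drive-name length on success, -1 on rejection. */
int drive_name_checked(const char *path, char *dst, size_t dst_size)
{
    const char *colon = strchr(path, ':');
    if (colon == NULL) return -1;               /* no drive part at all */
    size_t len = (size_t)(colon - path);
    if (len == 0) return -1;                    /* empty drive name */
    if (len > DRIVE_NAME_LIMIT) return -1;      /* the later-firmware check */
    if (len + 1 > dst_size) return -1;          /* never overrun dst */
    memcpy(dst, path, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[STACK_BUF_SIZE];
    /* "ms0" is 3 characters; a 48-character drive name is refused. */
    return drive_name_checked("ms0:/PSP/GAME/DEMO/EBOOT.PBP", buf, sizeof buf) == 3 ? 0 : 1;
}
```

The hardened routine makes two independent decisions: the policy limit (0x1F, the check later firmware added) and the mechanical bound (the destination size), so a caller that passes a smaller buffer is still protected even if the policy limit is raised later.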
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after loading a valid ELF, with one that contained an unsigned one, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32 bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
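The header-offset disagreement just described, modelled as an added C example (this is not loadcore's code): two routines compute the payload offset the way the text says the check/load path and the probe path do, and a third applies one consistent rule, refusing any ~SCE header whose sce_size does not equal the fixed 64-byte length, so that every consumer sees the same bytes. The 64-byte header and the sce_size field at +4 come from the text; the "~SCE" magic bytes, the little-endian field layout (as on the PSP's MIPS core) and the function names are assumptions:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not loadcore's code. Models the two readings of the
 * optional ~SCE header the page describes: a 64-byte header with a 32-bit
 * size field (sce_size) at offset +4. The "~SCE" magic, the little-endian
 * layout and the function names are assumptions. */

#define SCE_HEADER_SIZE 64

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Assumed magic; the page does not state how the header is recognised. */
static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HEADER_SIZE && memcmp(buf, "~SCE", 4) == 0;
}

/* Check/load path as the page describes it: skip a fixed 64 bytes
 * whenever sce_size is positive. */
long payload_offset_fixed(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    return (int32_t)read_le32(buf + 4) > 0 ? SCE_HEADER_SIZE : 0;
}

/* Probe path as the page describes it: skip sce_size bytes. */
long payload_offset_variable(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    int32_t s = (int32_t)read_le32(buf + 4);
    return s > 0 ? s : 0;
}

/* Consistent rule: a header whose sce_size is not exactly the fixed header
 * length is refused outright, so the probe and load views can never
 * diverge. Returns the payload offset, or -1 when the file must not load. */
long payload_offset_consistent(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    int32_t s = (int32_t)read_le32(buf + 4);
    if (s != SCE_HEADER_SIZE) return -1;
    return s;
}

/* Do the two loadcore views agree on where the payload starts? */
int views_agree(const uint8_t *buf, size_t len)
{
    return payload_offset_fixed(buf, len) == payload_offset_variable(buf, len);
}

/* Constructed sample file: a ~SCE header carrying the given sce_size,
 * followed by zero padding. Returns bytes written (0 if cap is too small). */
size_t build_sample(uint8_t *out, size_t cap, uint32_t sce_size)
{
    const size_t total = 0x100;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "~SCE", 4);
    write_le32(out + 4, sce_size);
    return total;
}

int main(void)
{
    uint8_t file[0x100];
    build_sample(file, sizeof file, 0x80);   /* sce_size disagrees with the 64-byte header */
    return views_agree(file, sizeof file) ? 1 : 0;   /* exit 0 = divergence detected */
}
```

The lesson is the usual one for multi-stage loaders: when one parser decides what to verify and another decides what to execute, the two must derive the payload boundary from the same rule, or the verified bytes and the executed bytes can differ.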
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # store 0xBC100000 to $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # store coprocessor $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 $ # if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not control the block size. 
This allows crafting a small IPL block, favorable for a time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design implementation.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, thus removing the need to know the XOR key to gain execution at IPL time, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier, resulting however in the cache being synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12091 Vulnerabilities 2023-10-10T22:18:43Z <p>CelesteBlue: /* Kernel */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but is absent from the spine of the patched 2.60 UMD.<br /> <br /> Another indication is the copyright date: if it is 2005 the disc is unpatched; if it is 2006 it is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Discovered around 2014-10-03 by vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1emu memory card managers of the PS1, PS2, PS3 or PS4.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later jumps to via &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are unencrypted and there is no integrity check on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always present at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header of a .vmc file would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, and we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The Infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, on PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) so that it works with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked as well.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-12-12 by qwikrazor87 and Acid_snake. Implemented in TN-V4 by Total_Noob around 2013-12-12. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by qwikrazor87 and Acid_snake (ARK, TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by qwikrazor87 and Acid_snake. Implemented in TN-V by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48; memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter: writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP or PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1 and a0 &gt; a1, this function can be used as a comparison oracle to bruteforce the value at a kernel address: it compares the 64-bit value at any kernel address with whatever value you pass as the other operand. Because the value is 64 bits wide, 64 comparisons are enough: going from the most significant bit down, each comparison of the kernel value against the bits recovered so far plus the candidate bit reveals whether that bit is set.<br /> <br /> This vulnerability was used privately by davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on the PSP nor in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can also be used as a comparison oracle to bruteforce the value at a kernel address. The value is 32 bits wide, so 32 comparisons recover it; since the comparison is signed, the sign bit has to be accounted for (flipping bit 31 of the test values, i.e. working in offset-binary form, makes the bit-by-bit recovery identical to the unsigned case). 
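Worked example (added here; this is not code from the page, from davee, or from ARK-4): a C model of the bit-by-bit recovery described for sceRtcCompareTick and sceNetMCopyback. The two syscalls are replaced by in-process stand-ins that compare against a constructed "kernel" value. The values, the call counter, the helper names and the assumption that sceRtcCompareTick orders ticks as unsigned 64-bit integers are all part of the example, not of the page; on a real PSP the stand-ins would be the syscalls themselves, called with the kernel pointer as the first argument and a user buffer holding the test value as the second.<br /> <br />

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for kernel RAM. On the device these would be kernel
 * addresses that usermode cannot read directly but can pass as pointers to
 * the unchecked syscalls. */
static uint64_t fake_kernel_qword = 0x8804F0C0DEADBEEFULL;
static int32_t  fake_kernel_word  = (int32_t)0x8804A55Au; /* negative as signed */

static unsigned oracle_calls; /* how many comparisons were spent */

/* Model of sceRtcCompareTick(u64 *a, u64 *b): returns <0, 0 or >0.
 * Assumption of the example: ticks are compared as unsigned 64-bit values. */
static int oracle_cmp64(const uint64_t *a, const uint64_t *b)
{
    oracle_calls++;
    if (*a < *b) return -1;
    if (*a > *b) return 1;
    return 0;
}

/* Model of the sceNetMCopyback comparison: nonzero iff *a <= b, signed 32-bit. */
static int oracle_le32(const int32_t *a, int32_t b)
{
    oracle_calls++;
    return *a <= b;
}

unsigned kread_oracle_calls(void) { return oracle_calls; }

/* Recover *kptr with 64 comparisons, most significant bit first.
 * Invariant: acc holds the bits already recovered, all lower bits are 0.
 * Testing acc | (1 << bit) tells whether the real bit is set: if the kernel
 * value is below the test value the bit is 0, otherwise it is 1. */
uint64_t kread64(const uint64_t *kptr)
{
    uint64_t acc = 0;
    for (int bit = 63; bit >= 0; bit--) {
        uint64_t test = acc | (1ULL << bit);
        if (oracle_cmp64(kptr, &test) >= 0)
            acc = test;
    }
    return acc;
}

/* Same search against a signed oracle. Flipping bit 31 (offset binary) maps
 * the signed order onto the unsigned order, so the MSB-first search is the
 * same; "v >= t" is asked as "!(v <= t - 1)", and t - 1 cannot underflow
 * because test_u always has at least one bit set. */
uint32_t kread32(const int32_t *kptr)
{
    uint32_t acc = 0; /* accumulates the offset-binary image of *kptr */
    for (int bit = 31; bit >= 0; bit--) {
        uint32_t test_u = acc | (1u << bit);
        int32_t  test_s = (int32_t)(test_u ^ 0x80000000u);
        if (!oracle_le32(kptr, test_s - 1))
            acc = test_u;
    }
    return acc ^ 0x80000000u;
}

int main(void)
{
    printf("64-bit: 0x%016llx\n", (unsigned long long)kread64(&fake_kernel_qword));
    printf("32-bit: 0x%08x (%u comparisons in total)\n",
           (unsigned)kread32(&fake_kernel_word), kread_oracle_calls());
    return 0;
}
```

Reading a whole kernel dump this way costs one syscall per bit, which is why the page calls it a bruteforce; the signed variant matters because a naive unsigned search against sceNetMCopyback would get bit 31 wrong for every negative word.<br /> <br />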
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting in order to restore the other 12 bytes afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable subroutine is located in the loadexec.prx file, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (bytes 44 to 47). It starts by checking the first character of the string to see whether the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer, stopping only when it encounters a ':' character. Since it does not check any string length during the copy, a sufficiently long user-supplied drive name overwrites the rest of the stack-based values, including the return address. Hence a drive name of 48 characters (plus an extra ':' character to let the loop end) that carries the address of an arbitrary memory position (for example a function of ours) in characters 44 to 47 allows us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps directly to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
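Worked example (added here; not hitchhikr's exploit code nor Sony's routine): a C model of the drive-name check, with the 2.60-era unbounded copy next to the later 0x1F length check. The 48-byte frame is modelled as a struct so the overwrite stays well-defined C; the caller address 0x88064D00, the target address 0x08A1B2C4, the helper names and the assumption that the path reaches the routine as a NUL-terminated C string (so none of the four address bytes can be zero) are assumptions of the example, not statements of the page.<br /> <br />

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the 48-byte stack frame described above: a 44-byte drive-name
 * buffer followed by the saved return address at bytes 44..47. */
struct drive_frame {
    char     drive[44];
    uint32_t saved_ra;
};

#define CALLER_RA     0x88064D00u /* hypothetical return address into the caller */
#define MAX_DRIVE_LEN 0x1F        /* limit enforced by later loadexec versions */

/* Vulnerable routine (2.01-2.60 behaviour): copies up to ':' with no length
 * check. Returns the return address the routine would jump to on exit. */
uint32_t vulnerable_check_drive(const char *path)
{
    struct drive_frame f;
    memset(f.drive, 0, sizeof f.drive);
    f.saved_ra = CALLER_RA;
    if (path[0] == '\0' || path[0] == ':')
        return f.saved_ra;                        /* empty drive name */
    unsigned char *dst = (unsigned char *)&f;     /* copy may run past drive[] */
    for (size_t i = 0; path[i] != ':' && path[i] != '\0'; i++) {
        if (i >= sizeof f) break;                 /* only so the model stays defined */
        dst[i] = (unsigned char)path[i];
    }
    return f.saved_ra;
}

/* Hardened routine (later versions, per the page): measure first, refuse
 * anything longer than 0x1F bytes, and only then copy. 0 = ok, -1 = rejected. */
int hardened_check_drive(const char *path)
{
    const char *colon = strchr(path, ':');
    if (colon == NULL) return -1;                 /* no drive separator at all */
    size_t len = (size_t)(colon - path);
    if (len > MAX_DRIVE_LEN) return -1;           /* would not fit: reject */
    struct drive_frame f;
    memset(f.drive, 0, sizeof f.drive);
    f.saved_ra = CALLER_RA;
    memcpy(f.drive, path, len);                   /* len <= 0x1F < sizeof f.drive */
    return f.saved_ra == CALLER_RA ? 0 : -1;
}

/* Build the 48-byte drive name: 44 filler bytes, the target address
 * little-endian at bytes 44..47 (PSP is little-endian MIPS), then ':'.
 * Rejects targets containing a 0x00 byte, which a C string cannot carry. */
int build_exploit_path(uint32_t target, char *out, size_t outlen)
{
    if (outlen < 50) return -1;
    for (int i = 0; i < 4; i++)
        if (((target >> (8 * i)) & 0xFFu) == 0) return -1;
    memset(out, 'A', 44);
    for (int i = 0; i < 4; i++)
        out[44 + i] = (char)((target >> (8 * i)) & 0xFFu);
    out[48] = ':';
    out[49] = '\0';
    return 0;
}

/* Convenience wrappers: return address seen by the vulnerable routine for a
 * crafted path (0 if the path cannot be built), and the hardened verdict. */
uint32_t demo_overwritten_ra(uint32_t target)
{
    char path[64];
    if (build_exploit_path(target, path, sizeof path) != 0) return 0;
    return vulnerable_check_drive(path);
}

int demo_hardened_verdict(uint32_t target)
{
    char path[64];
    if (build_exploit_path(target, path, sizeof path) != 0) return -1;
    return hardened_check_drive(path);
}

int main(void)
{
    printf("vulnerable returns to 0x%08x (caller was 0x%08x)\n",
           (unsigned)demo_overwritten_ra(0x08A1B2C4u), (unsigned)CALLER_RA);
    printf("hardened verdict: %d\n", demo_hardened_verdict(0x08A1B2C4u));
    return 0;
}
```

The zero-byte restriction is the practical caveat: many kernel addresses (0x88000000-range) contain 0x00 bytes and cannot be placed directly in the path, so the jump target has to be chosen, or reached through an intermediate, accordingly.<br /> <br />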
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let us call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF-loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary address defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> The 3.5.0 Lib-PSP iplloader clears the XOR key only after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier, which results in the cache being synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that the Tachyon 0x00600000 and later Lib-PSP iplloader fixes this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks into the chain cancels their contribution to the running value (h XOR h = 0), so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12090 Vulnerabilities 2023-10-10T22:09:27Z <p>CelesteBlue: /* Kernel */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red circle 18 logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then the UMD is unpatched, else it is 2006 and the UMD is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Discovered around 2014-10-03 by vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability, as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4 PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation done by POPS, any buffer overflow in a PS1 game that would normally let you control $ra is translated into native PSP code that lets you control part of a register. This register holds a pointer to which the system later does a &lt;code&gt;jalr&lt;/code&gt;. Because the entire register is not under control (due to the memory address translation done by the dynarec), only a fixed 4MB window of RAM can be addressed. Within these 4MB of RAM lies the pointer to the virtual memory card (VMC), which is loaded as a whole into RAM. VMCs are stored unencrypted and no integrity check is done on them at all. So one can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (the word was never more apt) comes from the fact that the VMC's magic number (its first 4 bytes) decodes as a MIPS branch instruction with a positive offset, and the word following it (the delay slot) is effectively a NOP. This makes the PSP (or PSPemu) execute code well into the middle of the VMC, which is where the PSP usermode payload is placed.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved to is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
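<br /> <br /> To make the "magic number is a branch" claim above concrete, here is an added example that is not code from this page, from TN-X or from cef_psx: a small MIPS decoder applied to the first two words of a POPS virtual memory card. It assumes the SCEVMC*.VMP header layout (magic "\0PMV" followed by the 32-bit header size 0x80); those eight bytes are constructed below and are an assumption, not something the page states.<br /> <br />

```c
/* Added example: decode the first two 32-bit words of a POPS .VMP virtual
 * memory card as MIPS instructions.  The header bytes are constructed here
 * (assumed layout: magic "\0PMV", then the 32-bit header size 0x80); they
 * are not taken from the page.  This is not code from TN-X or cef_psx. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint32_t raw;
    unsigned opcode;          /* bits 31..26 */
    unsigned rs, rt, rd;      /* register fields */
    unsigned shamt, funct;    /* R-type fields */
    int      is_branch;       /* I-type conditional branch (BEQ..BGTZL) */
    int32_t  branch_offset;   /* byte offset of the target from this instruction */
    int      is_nop_like;     /* SPECIAL/SLL into $zero: writes nothing */
} mips_insn;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

mips_insn mips_decode(uint32_t w)
{
    mips_insn d = {0};
    d.raw = w;
    d.opcode = w >> 26;
    d.rs = (w >> 21) & 0x1F;
    d.rt = (w >> 16) & 0x1F;
    d.rd = (w >> 11) & 0x1F;
    d.shamt = (w >> 6) & 0x1F;
    d.funct = w & 0x3F;
    switch (d.opcode) {
    /* BEQ=4 BNE=5 BLEZ=6 BGTZ=7 BEQL=20 BNEL=21 BLEZL=22 BGTZL=23 */
    case 4: case 5: case 6: case 7: case 20: case 21: case 22: case 23:
        d.is_branch = 1;
        /* target = address of the delay slot + (sign-extended imm16 * 4) */
        d.branch_offset = 4 + ((int32_t)(int16_t)(w & 0xFFFF)) * 4;
        break;
    default:
        break;
    }
    /* opcode 0 / funct 0 is SLL; with rd == $zero the result is discarded */
    d.is_nop_like = (d.opcode == 0 && d.funct == 0 && d.rd == 0);
    return d;
}

/* Constructed VMP header start (assumption): "\0PMV" magic, header size 0x80. */
static const uint8_t vmp_header[8] = { 0x00, 'P', 'M', 'V', 0x80, 0x00, 0x00, 0x00 };

/* Decode word `index` (0 or 1) of the constructed header. */
mips_insn decode_vmc_word(size_t index)
{
    return mips_decode(le32(vmp_header + 4 * index));
}
```

With that header, word 0 decodes to opcode 21 (BNEL) with a forward offset of 0x14004 bytes and word 1 to sll $zero, $zero, 2, which is why the writeup can treat the delay slot as a nop and why the branch lands deep inside the card image rather than in its header.<br /> <br />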
One would normally guess that the header file for .vmc would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC, where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. A HEN/CFW can be loaded much faster through a signed application than by loading a game. One can thus sign a custom vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of the 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature, which cannot be forged, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, on the PS3 even on the latest System Software version; it allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It relies on AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM to plant a fake thread UID) so that it can be combined with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked as well.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt;, where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly (its purpose is not documented here).<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= 3.36 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to trigger the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2013-12-13 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. 
When an over-long string is passed as argument, the overflowing content can be crafted to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit evidently did not understand PSP kernel security well, because most new and rewritten functions did not perform any k1 check. Oddly, back on PS Vita 1.81 SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so whoever applied that patch must have been someone else who did not believe such a failure was possible. To patch the vulnerabilities, SCE developers simply added k1 checks wherever they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> 
sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were used together with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the Ethernet (MAC) address to any location, even kernel memory. This means that the bytes the exploit can write depend on your Ethernet address. 
This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP's wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. Since it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1 and a0 &gt; a1, the function can be used to bruteforce the value at a kernel address: it lets you compare the value at any kernel address with whatever value you pass in. There are 64 bits of data, so you iterate 64 times; on each iteration you determine the value of the current bit (0 or 1), working from the most significant bit down, with a single comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. 
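<br /> <br /> The bit-by-bit bruteforce described for sceRtcCompareTick above, and the signed 32-bit variant for sceNetMCopyback, as an added example that is not code from this page, from davee or from ARK-4. "Kernel memory" is a constructed buffer and the two oracle functions are stand-ins with the comparison behaviour the page describes, not the real PSP imports; the search itself is the part worth reading.<br /> <br />

```c
/* Added example, not code from the page or from ARK-4: bit-by-bit recovery of
 * a kernel word through a comparison oracle, as described above for
 * sceRtcCompareTick (64-bit three-way compare) and sceNetMCopyback (signed
 * 32-bit "<=" compare).  "Kernel memory" is a constructed buffer and the two
 * oracles are stand-ins with the comparison behaviour the page describes;
 * they are not the real PSP imports. */
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for kernel memory (little-endian, like the PSP). */
static const uint8_t fake_kernel[16] = {
    0x78, 0x56, 0x34, 0x12, 0xEF, 0xBE, 0xAD, 0xDE, /* u64 0xDEADBEEF12345678 */
    0xFE, 0xFF, 0xFF, 0xFF,                         /* int32 -2             */
    0x00, 0x00, 0x00, 0x00,
};

static int oracle_calls;            /* how many "syscalls" the last leak needed */
int oracle_calls_made(void) { return oracle_calls; }

/* Stand-in for sceRtcCompareTick: unsigned 64-bit compare of *a and *b,
 * returning -1 / 0 / 1.  Neither pointer is validated, which is the bug. */
static int rtc_compare_tick_oracle(const void *a, const void *b)
{
    uint64_t x, y;
    memcpy(&x, a, 8);
    memcpy(&y, b, 8);
    oracle_calls++;
    return (x < y) ? -1 : (x > y) ? 1 : 0;
}

/* Stand-in for the sceNetMCopyback comparison: 1 when the signed 32-bit value
 * at a is <= the one at b, 0 otherwise.  Again no pointer check. */
static int netm_le_oracle(const void *a, const void *b)
{
    int32_t x, y;
    memcpy(&x, a, 4);
    memcpy(&y, b, 4);
    oracle_calls++;
    return x <= y;
}

/* Recover the 64-bit word at kaddr, MSB first, one oracle call per bit.
 * acc holds the bits already known; all lower bits of guess are zero, so
 * kval >= guess holds exactly when the current bit of kval is set. */
uint64_t leak_u64_via_rtc(const void *kaddr)
{
    uint64_t acc = 0;
    oracle_calls = 0;
    for (int bit = 63; bit >= 0; bit--) {
        uint64_t guess = acc | ((uint64_t)1 << bit);
        if (rtc_compare_tick_oracle(kaddr, &guess) >= 0)
            acc = guess;
    }
    return acc;
}

/* Same search with a signed "<=" oracle.  Flipping the sign bit turns signed
 * order into unsigned order, so the search runs on u = kval ^ 0x80000000 and
 * asks "!(u <= guess - 1)", i.e. u >= guess, with the probe translated back
 * into the signed domain the oracle compares in. */
int32_t leak_s32_via_netm(const void *kaddr)
{
    uint32_t acc = 0;
    oracle_calls = 0;
    for (int bit = 31; bit >= 0; bit--) {
        uint32_t guess = acc | ((uint32_t)1 << bit);
        int32_t probe = (int32_t)((guess - 1) ^ 0x80000000u);
        if (!netm_le_oracle(kaddr, &probe))
            acc = guess;
    }
    return (int32_t)(acc ^ 0x80000000u);
}
```

Both loops make exactly one oracle call per bit (64 and 32 respectively), which is the cost per kernel word a dumper built on these functions has to pay; the sign-bit flip is what a real sceNetMCopyback-based reader has to get right, since a naive unsigned search would mis-order negative values.<br /> <br />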
sceNetMCopyback performs a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, so it can likewise be used to bruteforce the value at a kernel address: it lets you compare the value at any kernel address with whatever value you pass in. There are 32 bits of data, so you iterate 32 times; on each iteration you determine the value of the current bit (0 or 1) with a single comparison (keeping in mind that the comparison is signed when choosing the probe values).<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1, then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> 
https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation would be required to find this exploit again.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of the missing k1 check, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory has to be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. 
The exploitation path is to modify the memory permission for 0xBC000000 so as to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable code is located in a subroutine of loadexec.prx, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (bytes 44 to 47). It starts by checking the first character of the string to see whether the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the stack buffer, stopping only when it encounters a ':' character. Since no string length is checked during the copy, a sufficiently long user-supplied drive name overwrites the rest of the stack frame, including the return address. 
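<br /> <br /> The unchecked copy and the later length check, as an added example that is not code from loadexec.prx or from hitchhikr's exploit: a memory-safe model of the 48-byte frame described above (return address at bytes 44..47), with the vulnerable copy beside the version that rejects drive names longer than 0x1F. The frame layout and the 0x1F limit come from this page; the target address used in the demo is hypothetical.<br /> <br />

```c
/* Added example, not code from loadexec.prx or from hitchhikr's exploit: a
 * memory-safe model of the drive-name copy described above, beside the later
 * length-checked version.  The 48-byte frame with the return address at bytes
 * 44..47 and the 0x1F limit follow the description on this page; the sample
 * target address is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_SIZE 48     /* stack allocated by the 2.60 routine */
#define RA_OFFSET  44     /* saved return address lives at bytes 44..47 */
#define MAX_DRIVE  0x1F   /* limit enforced by later loadexec versions */

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

static uint32_t frame_ra(const frame_t *f)
{
    uint32_t ra;
    memcpy(&ra, f->bytes + RA_OFFSET, 4);   /* little-endian host assumed, like the PSP */
    return ra;
}

/* Vulnerable model: copy the drive part of path (everything before ':') with no
 * length check.  The real routine keeps writing past its frame; this model
 * stops at the frame end to stay memory-safe, which is enough to show the
 * saved return address being overwritten.  Returns bytes copied, -1 if no ':'. */
int vulnerable_drive_copy(frame_t *f, uint32_t saved_ra, const char *path)
{
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + RA_OFFSET, &saved_ra, 4);   /* prologue saves $ra */
    const char *colon = strchr(path, ':');
    if (colon == NULL)
        return -1;
    size_t n = (size_t)(colon - path);
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;                             /* model-only clamp */
    memcpy(f->bytes, path, n);                      /* the unchecked strncpy */
    return (int)n;
}

/* Hardened model (the check later loadexec versions add): reject drive names
 * longer than 0x1F before copying.  Returns 0 on success, -1 on error. */
int hardened_drive_copy(char out[MAX_DRIVE + 1], const char *path)
{
    const char *colon = strchr(path, ':');
    if (colon == NULL)
        return -1;
    size_t n = (size_t)(colon - path);
    if (n > MAX_DRIVE)
        return -1;                                  /* the added length check */
    memcpy(out, path, n);
    out[n] = '\0';
    return 0;
}

/* Build the 48-char drive name from the page: filler, the 4-byte target at
 * chars 44..47, then ':' to end the copy loop.  target must contain no 0x00
 * or ':' byte, or the C string / colon search would end early. */
void build_evil_path(char out[80], uint32_t target)
{
    memset(out, 'A', RA_OFFSET);
    memcpy(out + RA_OFFSET, &target, 4);
    out[FRAME_SIZE] = ':';
    strcpy(out + FRAME_SIZE + 1, "/PSP/GAME/X/EBOOT.PBP");
}

/* Return address left in the vulnerable frame after the evil path. */
uint32_t demo_vulnerable_ra(uint32_t target)
{
    frame_t f;
    char path[80];
    build_evil_path(path, target);
    vulnerable_drive_copy(&f, 0x88001234u, path);   /* 0x88001234: arbitrary original $ra */
    return frame_ra(&f);
}

/* Return address after a benign path: the saved $ra survives. */
uint32_t demo_benign_ra(void)
{
    frame_t f;
    vulnerable_drive_copy(&f, 0x88001234u, "ms0:/PSP/GAME/X/EBOOT.PBP");
    return frame_ra(&f);
}

/* 1 when the hardened version rejects the evil path. */
int demo_hardened_rejects(uint32_t target)
{
    char path[80], out[MAX_DRIVE + 1];
    build_evil_path(path, target);
    return hardened_drive_copy(out, path) == -1;
}

/* 1 when the hardened version accepts "ms0:" and yields "ms0". */
int demo_hardened_accepts_benign(void)
{
    char out[MAX_DRIVE + 1];
    return hardened_drive_copy(out, "ms0:/PSP/GAME/X/EBOOT.PBP") == 0 && strcmp(out, "ms0") == 0;
}
```

The check in the hardened version happens before any byte is copied, which is what matters: bounding the copy itself would still let a 0x1F-byte name through, but would stop the write before it reaches the saved return address.<br /> <br />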
A drive name of 48 characters (plus an extra ':' character to end the copy loop), with an arbitrary memory address (pointing to a function of ours, for example) placed at characters 44 to 47 of the filename, therefore allows running any code in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps straight to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes and, if it is, returns an error. Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
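<br /> <br /> The two skipping rules just described, as an added example that is not code from loadcore or from Infinity: both rules are applied to a constructed file image whose ~SCE header has sce_size pointing past a plaintext ELF stub to a second, "~PSP"-tagged header, and the model reports where each rule ends up looking. The ~SCE magic, the 64-byte header length and the sce_size field at +4 are as stated above; the "~PSP" and ELF magics and the whole file layout are constructed for this example and are not an exploit recipe.<br /> <br />

```c
/* Added example, not loadcore code: model of the two ways loadcore skips the
 * optional ~SCE header, applied to a constructed file image. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCE_HDR_LEN 64            /* the ~SCE header is 64 bytes long */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HDR_LEN && memcmp(buf, "~SCE", 4) == 0;
}

/* Rule used by sceKernelCheckExecFile / sceKernelLoadExecutableObject:
 * when sce_size (at +4) is positive, skip the fixed 64 bytes. */
size_t skip_fixed64(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    int32_t sce_size = (int32_t)rd32(buf + 4);
    return sce_size > 0 ? SCE_HDR_LEN : 0;
}

/* Rule used by sceKernelProbeExecutableObject: skip sce_size bytes. */
size_t skip_sce_size(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len)) return 0;
    int32_t sce_size = (int32_t)rd32(buf + 4);
    if (sce_size <= 0 || (size_t)sce_size > len) return 0;
    return (size_t)sce_size;
}

/* Copy the 4-byte magic that a given rule would see into out (NUL-terminated). */
void magic_seen(size_t (*rule)(const uint8_t *, size_t), const uint8_t *buf, size_t len, char out[5])
{
    size_t off = rule(buf, len);
    memset(out, 0, 5);
    if (off + 4 <= len) memcpy(out, buf + off, 4);
}

/* Constructed image: ~SCE header with sce_size = 64 + 16, a 16-byte plaintext
 * ELF stub at +64, then a "~PSP" header at +80 (the only part the probe rule sees). */
enum { ELF_STUB_LEN = 16, IMAGE_LEN = SCE_HDR_LEN + ELF_STUB_LEN + 16 };

size_t build_image(uint8_t img[IMAGE_LEN])
{
    memset(img, 0, IMAGE_LEN);
    memcpy(img, "~SCE", 4);
    uint32_t sce_size = SCE_HDR_LEN + ELF_STUB_LEN;
    img[4] = (uint8_t)sce_size;         img[5] = (uint8_t)(sce_size >> 8);
    img[6] = (uint8_t)(sce_size >> 16); img[7] = (uint8_t)(sce_size >> 24);
    memcpy(img + SCE_HDR_LEN, "\x7F" "ELF", 4);
    memcpy(img + SCE_HDR_LEN + ELF_STUB_LEN, "~PSP", 4);
    return IMAGE_LEN;
}

/* Offset a rule picks on the constructed image. */
size_t demo_offset(size_t (*rule)(const uint8_t *, size_t))
{
    uint8_t img[IMAGE_LEN];
    size_t len = build_image(img);
    return rule(img, len);
}

/* 1 when the magic a rule sees on the constructed image equals expect. */
int demo_magic_is(size_t (*rule)(const uint8_t *, size_t), const char *expect)
{
    uint8_t img[IMAGE_LEN];
    char seen[5];
    size_t len = build_image(img);
    magic_seen(rule, img, len, seen);
    return strcmp(seen, expect) == 0;
}

/* Without a ~SCE header both rules agree on offset 0. */
int rules_agree_without_sce_header(void)
{
    uint8_t img[IMAGE_LEN];
    memset(img, 0, sizeof img);
    memcpy(img, "~PSP", 4);
    return skip_fixed64(img, sizeof img) == 0 && skip_sce_size(img, sizeof img) == 0;
}
```

On the constructed image the probe rule lands on the "~PSP" header while the check/load rule lands on the plaintext ELF, which is the disagreement the text describes; a consistent loader would derive both offsets from the same rule, or reject any ~SCE header whose sce_size differs from 64.<br /> <br />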
Because of this inconsistency, an unencrypted PRX ends up being loaded.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in their loader part, within the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set (non-zero), Lib-PSP iplloader will jump to the address held in that register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if that word is not zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is zero, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value read from coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it loads/copies the block. It will happily memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL block header, assuming that the block passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not validate the block size. 
This allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous-block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault was exploited to create a memory hole in VRAM that could be filled with a custom payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from the Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is presumably also done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker able to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced only once the key is already gone. 
This allows the key to be easily retrieved using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it is possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant, because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hashes of the IPL blocks as they are loaded, and then verifies the signature against this final XOR value.<br /> <br /> This means that inserting two identical blocks in the chain cancels their contribution to the XOR, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the checksum of the previous block.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12089 Vulnerabilities 2023-10-10T22:03:59Z <p>CelesteBlue: /* _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?2.02? 
*/</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer on the stack for this to be read into, presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element of the savedata into that stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
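<br /> <br /> The &quot;trusted length field&quot; pattern described above, as an added example in C: this is not the game's code nor Edison Carter's exploit, but a model of the bug beside its fix. The only detail taken from the page is the .size element at offset 0004 of DATA.BIN; the buffer size (0x100), the &quot;SAVE&quot; tag and the two sample images are constructed for the demo.

```c
/*
 * Added illustration of the GTA LCS savedata bug pattern (not the game's
 * code): a fixed-size stack buffer receives `size` bytes, where `size` is
 * read from the untrusted save file itself (the .size element at offset
 * 0004 in DATA.BIN, as the text above says). Field layout, buffer size and
 * the "SAVE" tag are placeholders; the real structure is not documented here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAVE_STRUCT_SIZE   0x100u  /* stand-in for sizeof(savestruct) */
#define SIZE_FIELD_OFFSET  4u      /* .size lives at offset 0004 in DATA.BIN */

/* Little-endian 32-bit read (the PSP's MIPS core is little-endian). */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The .size element of a (decrypted) DATA.BIN image; 0 if the image is too
 * short to contain the header at all. */
uint32_t save_declared_size(const uint8_t *data, size_t len)
{
    if (len < SIZE_FIELD_OFFSET + 4)
        return 0;
    return le32(data + SIZE_FIELD_OFFSET);
}

/* VULNERABLE shape, as the text describes it: the copy length comes from the
 * file, so a .size larger than the buffer smashes the frame (locals, saved
 * registers, return address). Kept for contrast; never feed it untrusted input. */
int load_save_vulnerable(const uint8_t *data, size_t len)
{
    uint8_t savestruct[SAVE_STRUCT_SIZE];
    uint32_t size = save_declared_size(data, len);
    memcpy(savestruct, data, size);          /* no bound on size */
    return savestruct[0];
}

/* HARDENED shape: the declared size must fit both the buffer and the file. */
int load_save_checked(const uint8_t *data, size_t len)
{
    uint8_t savestruct[SAVE_STRUCT_SIZE];
    uint32_t size = save_declared_size(data, len);
    if (size > sizeof savestruct || size > len)
        return -1;                           /* reject, copy nothing */
    memcpy(savestruct, data, size);
    return savestruct[0];
}

/* Triage helper: would this image overflow the game's buffer? */
int save_would_overflow(const uint8_t *data, size_t len)
{
    return save_declared_size(data, len) > SAVE_STRUCT_SIZE;
}

/* Constructed samples (not real GTA LCS saves). The benign image declares
 * exactly its own length (0x100); the forged one declares 0x1000 bytes, 16x
 * the destination buffer, which is the edit the exploit makes at offset 4. */
const uint8_t benign_save[SAVE_STRUCT_SIZE] = { 'S','A','V','E', 0x00,0x01,0x00,0x00 };
const uint8_t forged_save[SAVE_STRUCT_SIZE] = { 'S','A','V','E', 0x00,0x10,0x00,0x00 };

int main(void)
{
    printf("benign: declared=0x%x overflow=%d checked=%d\n",
           save_declared_size(benign_save, sizeof benign_save),
           save_would_overflow(benign_save, sizeof benign_save),
           load_save_checked(benign_save, sizeof benign_save));
    printf("forged: declared=0x%x overflow=%d checked=%d\n",
           save_declared_size(forged_save, sizeof forged_save),
           save_would_overflow(forged_save, sizeof forged_save),
           load_save_checked(forged_save, sizeof forged_save));
    return 0;
}
```

The check in load_save_checked bounds the copy by both the destination and the actual file length; the second condition matters because a .size that is small enough for the buffer but larger than the file would otherwise read past the input. On the real console the copy is the unchecked variant, which is why a four-byte edit at offset 4 of the decrypted DATA.BIN is enough to control the saved return address.<br /> <br /> 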
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The &quot;18&quot; logo in a red circle is present on the spine of the pre-2.60 UMD, but not on the spine of the patched 2.60 UMD.<br /> <br /> Another indication is the copyright date: if it is 2005 the disc is unpatched; if it is 2006 the disc is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Discovered around 2014-10-03 by vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability, as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later &lt;code&gt;jalr&lt;/code&gt;s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain text and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so there is no need to save the game. What we did was jump to the start of the memory card. 
One would normally guess that the header of a .vmc file would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC, where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is at a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than through the loading of a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature, which we cannot forge, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The Infinity installer actually excludes some features (Location Free TV) so that everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is at least partially present on PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) in order to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked as well.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?2.02? ==<br /> <br /> Discovered around 2014-01-19 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-01 by qwikrazor87 and Acid_snake.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2013-10-22 by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be crafted to overwrite the saved return address ($ra) and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so whoever patched it must have been someone else who did not believe such a failure was possible. 
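<br /> <br /> The k1 check these functions lacked, as an added example in C. This is neither SCE's code nor the kxploit code linked below; it is a user-space model of the convention seen in PSP kernel reverse engineering: at syscall entry $k1 records the caller's mode (bit 20 set for a user-mode caller, 0 for a kernel caller), kernel functions shift it left by 11 so that bit lands in bit 31, and any pointer ANDed with the shifted k1 is negative exactly when a user caller passed a kernel address. The function names, the two toy memory windows and the copied bytes are invented for the demo; the kernel address 0x88000000 is the one used in the Stack Pointer hijack steps above.

```c
/*
 * Added illustration of the PSP kernel "k1 check" that the text says the
 * sceWlanDrv_lib exports lacked. User-space model, not SCE's code and not the
 * kxploit code linked on this page. Convention modeled: at syscall entry $k1
 * carries the caller's mode (bit 20 set for a user-mode caller, 0 for a kernel
 * caller); kernel functions shift it left by 11 so that bit lands in bit 31.
 * A pointer ANDed with the shifted k1 is then negative exactly when a user
 * caller passed a kernel address (0x8xxxxxxx and up). Function names, buffer
 * windows and the copied data below are invented for the demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define K1_USER_CALL     0x00100000u  /* $k1 on entry from user mode */
#define K1_KERNEL_CALL   0x00000000u  /* $k1 on entry from kernel code */
#define ERR_ILLEGAL_ADDR (-1)         /* placeholder for SCE_KERNEL_ERROR_ILLEGAL_ADDR */

/* The idiom: shift once at entry, then test every user pointer against it. */
static inline uint32_t k1_shift(uint32_t k1_entry) { return k1_entry << 11; }

static inline int k1_ptr_ok(uint32_t k1, uint32_t addr)
{
    return (int32_t)(addr & k1) >= 0;
}

/* Range form: also rejects a user buffer that wraps into kernel space. */
static inline int k1_buf_ok(uint32_t k1, uint32_t addr, uint32_t size)
{
    return (int32_t)((addr | size | (addr + size)) & k1) >= 0;
}

/* Toy memory: two small windows standing in for kernel RAM (at 0x88000000,
 * the kernel address used elsewhere on this page) and user RAM (0x08800000). */
#define TOY_KERNEL_BASE 0x88000000u
#define TOY_USER_BASE   0x08800000u
static uint8_t g_kernel_ram[64];
static uint8_t g_user_ram[64];

static uint8_t *window(uint8_t *ram, uint32_t ram_size, uint32_t base,
                       uint32_t addr, uint32_t size)
{
    uint32_t off = addr - base;                 /* wraps if addr < base */
    return (off < ram_size && size <= ram_size - off) ? ram + off : NULL;
}

static uint8_t *resolve(uint32_t addr, uint32_t size)
{
    uint8_t *p = window(g_kernel_ram, sizeof g_kernel_ram, TOY_KERNEL_BASE, addr, size);
    return p ? p : window(g_user_ram, sizeof g_user_ram, TOY_USER_BASE, addr, size);
}

/* Invented stand-in for a "copy six bytes of driver state to dest" export. */
static const uint8_t g_payload[6] = { 0x00, 0x1d, 0xd9, 0x11, 0x22, 0x33 };

/* VULNERABLE: writes wherever dest points, whoever the caller is. Called from
 * user mode this is a kernel write primitive, the class the 11 functions fall into. */
int wlan_copy_unchecked(uint32_t k1_entry, uint32_t dest)
{
    (void)k1_entry;                              /* k1 never consulted */
    uint8_t *p = resolve(dest, sizeof g_payload);
    if (!p) return -2;                           /* toy: outside our windows */
    memcpy(p, g_payload, sizeof g_payload);
    return 0;
}

/* HARDENED: the k1 check SCE added. Kernel callers (k1 == 0) still pass. */
int wlan_copy_checked(uint32_t k1_entry, uint32_t dest)
{
    uint32_t k1 = k1_shift(k1_entry);
    if (!k1_buf_ok(k1, dest, sizeof g_payload))
        return ERR_ILLEGAL_ADDR;                 /* user caller named kernel memory */
    uint8_t *p = resolve(dest, sizeof g_payload);
    if (!p) return -2;
    memcpy(p, g_payload, sizeof g_payload);
    return 0;
}

/* Test hooks: did anything land in toy kernel RAM? */
int kernel_ram_touched(void)
{
    for (size_t i = 0; i < sizeof g_kernel_ram; i++)
        if (g_kernel_ram[i]) return 1;
    return 0;
}
void kernel_ram_reset(void) { memset(g_kernel_ram, 0, sizeof g_kernel_ram); }

int main(void)
{
    int r = wlan_copy_unchecked(K1_USER_CALL, TOY_KERNEL_BASE);
    printf("unchecked, user -> kernel: %d, kernel RAM touched: %d\n", r, kernel_ram_touched());
    kernel_ram_reset();
    r = wlan_copy_checked(K1_USER_CALL, TOY_KERNEL_BASE);
    printf("checked, user -> kernel: %d, kernel RAM touched: %d\n", r, kernel_ram_touched());
    printf("checked, user -> user: %d\n", wlan_copy_checked(K1_USER_CALL, TOY_USER_BASE));
    printf("checked, kernel -> kernel: %d\n", wlan_copy_checked(K1_KERNEL_CALL, TOY_KERNEL_BASE));
    return 0;
}
```

Two points the model makes visible: the check costs one AND and a sign test per pointer, so there is no performance excuse for leaving it out; and the range form matters, because a user pointer just below 0x80000000 with a large size would otherwise slide the copy into kernel space.<br /> <br /> 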
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These kernel exploits were deployed through the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the Ethernet address to any location, even kernel memory. This means that the exploit depends on the console's Ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP nor on PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on PSP nor on PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because it lacks k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the affected kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable routine is located in the loadexec.prx file, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer, stopping only when it encounters a ':' char. Since it does not check any string length during the copy, a long enough user-supplied drive name overwrites the rest of the stack-based values, including the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end), carrying in its 44th to 47th chars an address to an arbitrary position in memory (pointing to a function of ours, for example), makes the routine reload that address from the stack when it returns and jump directly to it, giving code execution in the context of the executing routine (kernel mode).<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
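As an added example (not SCE's loadexec code, nor code from any of the linked projects), a bounded version of the drive-name check with the length limit the later firmware applies. The 48-byte frame and the 0x1F limit come from the description above; the function names, enum values and the constructed inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not SCE's loadexec code: a bounded drive-name check.
 * The 2.60 routine copied every byte up to the first ':' into a 48-byte
 * stack frame without checking the length; the later fix rejects drive
 * names longer than 0x1F bytes. Names and enum values here are assumed.
 */

#define DRIVE_NAME_MAX   0x1F                  /* bound enforced by the fixed loadexec */
#define DRIVE_BUF_SIZE   (DRIVE_NAME_MAX + 2)  /* name + ':' + NUL */

enum drive_result {
    DRIVE_OK = 0,
    DRIVE_EMPTY,        /* path is empty or starts with ':' */
    DRIVE_NO_SEPARATOR, /* no ':' anywhere in the path */
    DRIVE_TOO_LONG      /* name exceeds DRIVE_NAME_MAX or the caller's buffer */
};

/* Length of the drive part before ':' (what the unchecked loop would copy),
 * or -1 when the path has no ':' at all. */
long drive_name_length(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (long)(colon - path) : -1;
}

/* Hardened extraction: copies "<name>:" into out only when the name is
 * within DRIVE_NAME_MAX and fits out_size; otherwise out is left untouched. */
enum drive_result extract_drive_checked(const char *path, char *out, size_t out_size)
{
    long len = drive_name_length(path);

    if (len < 0)
        return DRIVE_NO_SEPARATOR;
    if (len == 0)
        return DRIVE_EMPTY;
    if (len > DRIVE_NAME_MAX)              /* the check the 2.60 routine lacked */
        return DRIVE_TOO_LONG;
    if ((size_t)len + 2 > out_size)        /* room for ':' and the NUL */
        return DRIVE_TOO_LONG;

    memcpy(out, path, (size_t)len + 1);    /* name and the ':' */
    out[len + 1] = '\0';
    return DRIVE_OK;
}

int main(void)
{
    char buf[DRIVE_BUF_SIZE];
    char oversized[64];

    /* constructed input: a 48-byte drive name followed by ':' */
    memset(oversized, 'A', 48);
    oversized[48] = ':';
    oversized[49] = '\0';

    printf("ms0: -> result %d\n",
           extract_drive_checked("ms0:/PSP/GAME/EBOOT.PBP", buf, sizeof buf));
    printf("48-byte name -> result %d (DRIVE_TOO_LONG is %d)\n",
           extract_drive_checked(oversized, buf, sizeof buf), DRIVE_TOO_LONG);
    return 0;
}
```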
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # read coprocessor register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not validate the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design choice.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows easily retrieving the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While Tachyon 0x00600000 and later Lib-PSP iplloader revisions may fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash together as the blocks are loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12088 Vulnerabilities 2023-10-10T22:03:34Z <p>CelesteBlue: /* sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red-circle 18 logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, otherwise it is 2006 and patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/

==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: <= 3.00 ====

https://wololo.net/talk/viewtopic.php?f=56&t=36217

==== Cubixx: <= 3.00. Patched 3.01 ====

==== Ben 10 Alien Force: Vilgax Attacks: <= 3.01. Patched 3.10 ====

==== King Of Pool by qwikrazor87: <= 3.01. Patched 3.10 ====

This game was exploited 4 times and fixed 4 times.

==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====

Not exploited.

==== 101-in-1 Megamix by xerpi: <= 3.01. Patched 3.10 ====

==== Fifa 2011, Fifa 2012: <= 3.01. Patched 3.10 ====

==== Persona 2: Innocent Sin, Persona 2: Tsumi: <= 3.01. Patched 3.10 ====

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: <= 3.01. Patched 3.10 ====

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 3.12 ====

==== MyStylist: <= 3.15 ====

==== Skate Park City: <= 3.15. Patched 3.18 ====

==== Space Invaders Extreme: <= 3.18 ====

==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: <= 3.18 ====

https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====

Discovered around 2014-09-12 by qwikrazor87.

https://wololo.net/talk/viewtopic.php?t=39771

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/

==== Vertigo (NPUH10092) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/

==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/

==== Patapon 1: <= 3.18 ====

==== Talkman Travel: Tokyo: <= 3.18 ====

==== Go! Sudoku (UCES00152): <= 3.30 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Darts: <= 3.36 ====

==== Patapon 2 non-demo (UCES01177): <= 3.36 ====

https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/

https://github.com/TheOct0/patapon_exploit

https://github.com/wololo-learning-journey/patapon_exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://wololo.net/talk/viewtopic.php?f=53&t=41343

==== Numblast: <= 3.36 ====

==== Hot Brain: <= 3.36 ====

==== Hatsune Miku: Project DIVA extend: <= 3.36 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====

==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Puzzle Scape: <= 3.52 ====

==== World of Pool, Pool Hall Pro: <= 3.52 ====

==== Metal Gear Solid Portable OPS+ by 173210: <= 3.57 ====

https://github.com/173210/psp_exploits/

=== After PS Vita era ===

==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====

https://github.com/ChampionLeake/scrabblehax

==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====

https://github.com/ChampionLeake/SudokuSTACK

=== Remarks ===

PSP demos are usually not exploitable because they do not use the savedata feature.
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.

https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/

http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/

https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/

== PS1 Game Savedata ==

=== Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===

Discovered around 2014-04-21 by qwikrazor87.

Maybe not exploitable.

=== Noon (NPJJ00466) by qwikrazor87 ===

Discovered around 2014-10-03 by qwikrazor87.

Maybe not exploitable.

=== Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===

Discovered around 2015-09-28 by qwikrazor87.

Once you have installed the exploit file, start Harvest Moon: Back To Nature; after about 20 seconds the screen should flash white.

=== Tekken 2 by qwikrazor87 and Acid_snake ===

Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.

https://wololo.net/downloads/index.php/download/8275

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

=== Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===

Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Discovered around 2014-10-03 by vonjack.
Released on 2015-03-12 in TN-X by Total_Noob.

https://wololo.net/downloads/index.php/download/8275

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

=== Castlevania Chronicles (NPUJ01384) by ChampionLeake ===

https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities

https://github.com/socram8888/tonyhax/issues/39

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===

Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/

=== Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===

Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/

=== Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Exploitable PS1 games not available officially on PSP ===

Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].

== POPS ==

=== POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===

Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.

There is a buffer overflow vulnerability in the memory card manager of POPS (the PSP's PS1 emulator) that potentially affects any PS1 game.
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability, as they were looking for an exploit compatible with the PS Vita at the time.

This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1emu memory card managers of the PS1, PS2, PS3 or PS4.

=== POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===

Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.

Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later <code>jalr</code>s to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plain text and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.

On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on the PS Vita. But on the PS Vita it is also always present at some other address, so there is no need to save the game. What we did was jump to the start of the memory card.
One would normally guess that the header of a .vmc file would produce bad instructions, but guess again: it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.

https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/

== Unclassified usermode vulnerabilities ==

=== PsOneLoader by TheFloW ===

https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/

== System ==

=== libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 ===

Discovered on 2005-09-23 by Niacin and Skylark.

The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.

Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.

https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit

=== libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 ===

Discovered in 2006-09.

Implemented in Kriek eLoader and xLoader by Team N00bz.

https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit

=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 ===

Discovered in 2008-08. Released on 2009-03-15.

https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/

https://www.youtube.com/watch?v=RUJnXADjxsw

https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/

=== libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 ===

Discovered on 2009-03-15 by Malloxis.
Released on 2009-04-12 by Matiaz and davee.

https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World

https://wololo.net/2009/04/13/eggsplanations/

https://www.youtube.com/watch?v=wV21QqQmX_o

=== Unsigned System PRX allowed: PSP <= 6.20 ===

Discovered in 2011 by kgsws.

When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.

kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of the 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.

Fixed: since PSP System Software version 6.30.

=== Old System PRX allowed ===

Discovered around 2005.

It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.

Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.

Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here: the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware.
The infinity installer actually excludes some features (location free TV) so everything important can be installed.

Infinity 2 uses a signed usermode system PRX.

https://github.com/DaveeFTW/Infinity

https://infinity.lolhax.org/

https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/

The same vulnerability is at least partially present on the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.

Fixed: no.

= Kernel =

== kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.74 ==

https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion

https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c

It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM to hold the fake thread UID) so that it works with the sceKernelDeleteThread UID kexploit.

== kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 ==

https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition

https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c

== VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==

[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]

[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]

== Free kexploit by qwikrazor87: PS Vita <= 3.50 ==

Discovered around 2015-02-11 by qwikrazor87.
Released on 2015-04-18 by anonymous (probably qwikrazor87).

A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked.

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c

https://pastebin.com/Sdz0XPRg

== sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita <= 3.50 ==

Discovered around 2014-10-20 by qwikrazor87.

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt

== sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 ==

Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.

The following functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop, _sceVideocodecDecode and _sceVideocodecSetMemory.

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c

== _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita <= 3.20 ==

Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.
Implemented in TN-X by Total_Noob around 2014-04-22.

There is a time-of-check to time-of-use vulnerability in chnnlsv.

https://twitter.com/qwikrazor87/status/510187344893607937

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt

https://pastebin.com/SE7UvPRR

https://github.com/173210/TN-Rev/blob/master/loader/main.c

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c

== _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? ==

Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.

There is a time-of-check to time-of-use vulnerability in chnnlsv.

== _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==

Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.

Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime.

== Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==

Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.

The exploit steps are:
1) Execute assembly that saves the context.
2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.
3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.
4) Execute assembly that does something.
5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.
6) Execute assembly that restores the context.
7) Call the hijacked function _sceKernelLibcTime.

== _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita <= ?2.02? ==

Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.

In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary writes to kernel memory.

== sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==

Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.

Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.

== __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==

Discovered around 2014-01-01 by qwikrazor87 and Acid_snake.

== sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? ==

Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.

== _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita <= ?3.15? ==

Discovered around 2013-10-22 by Total_Noob.

https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c

== sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita <= ?2.11? ==

Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.

There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.

https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/

== 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita <= 2.02 ==

Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.

The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure could exist.
To patch the vulnerabilities, SCE developers simply added k1 checks everywhere they belonged.

The 11 functions require an active WiFi connection.

Kernel write access:
<pre>
sceWlanDrv_lib_354D5D6B(char *dest); // kwrite
sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite
sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite
sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);
sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite
sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite
sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite
sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite
</pre>

Kernel read access:
<pre>
sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48
sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);
sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48
</pre>

https://www.twitlonger.com/show/kr81e0

https://wololo.net/talk/viewtopic.php?f=56&t=27532&start=40#p233947

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c

https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/

== kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita <= 2.01 ==

Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.

kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.

These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.

https://twitter.com/Yosh778/status/295355524818546688

https://www.twitlonger.com/show/kr81e0

== sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==

Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.

In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software <= 1.80 PSPemu it is not.

Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita's kermit_wlan.prx module, not the PSP's wlan.prx.

sceWlanGetEtherAddr does not require an active WiFi connection.

Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.

https://wololo.net/talk/viewtopic.php?f=23&t=12760

https://pastebin.com/TNWsEfHw

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c

== sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP <= 6.61 ==

Discovered in 2009 by davee. Released on 2022-11-03 by davee.

The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed.
As it does a 64-bit comparison, returning different values for a0 < a1, a0 == a1 and a0 > a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) with one comparison.

This vulnerability was used privately by davee to dump the kernel of any PSP firmware and to make the first PS Vita PSPemu kernel dump.

TBD: implementation by CelesteBlue

== sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP <= 6.61 ==

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c

The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 <= a1 and a0 > a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times.
On each iteration, you determine the value of the current bit (0 or 1) with one comparison.

TBD: implementation by CelesteBlue

== sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP <= 6.61 ==

https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c

https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c

== sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==

Discovered by some1, then exploited by liquidzigong.

https://wololo.net/talk/viewtopic.php?t=6612

https://wololo.net/2011/05/23/6-38-downgrader-by-some1/

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/smiky/psptools/blob/master/kxploit/main.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==

https://lolhax.org/2010/12/23/arcanum/

https://wololo.net/talk/viewtopic.php?f=5&t=947

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==

https://wololo.net/talk/viewtopic.php?p=147730#p147730

https://wololo.net/talk/viewtopic.php?p=147732#p147732

== GEN/M33 contested Wlan kexploit: PSP <= 5.50 ==

Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP <= 5.03 ==

Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.

https://wololo.net/talk/viewtopic.php?p=2022

https://wololo.net/talk/viewtopic.php?p=2022#p2022

https://wololo.net/talk/viewtopic.php?f=5&t=242

http://www.kingx.de/forum/showthread.php?tid=15275

This exploit clobbers 16 bytes of kernel memory, so it is necessary to read kernel memory before exploiting and to restore the other 12 bytes afterwards.

This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.

== Registry error store: PSP <= ?2.80? ==

According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== Registry write access from usermode: PSP <= 2.60 ==

Since the registry is placed on flash1, it can be accessed from usermode.

== sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==

There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character ":" in that path and calculates the length of the drive name from that (e.g. "ms0:").
It then copies the drive name onto the stack with strncpy.

The vulnerable code is a subroutine in the loadexec.prx file, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by other functions such as "sceKernelLoadExec") is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it overwrites the rest of the stack-based values, such as the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end), containing an address to an arbitrary position in memory (pointing to a function of ours, for example) at the 44th to 47th chars of the filename, will allow us to run any code we want in the context of the executing routine (kernel mode), because when the routine ends it reloads the return address from the stack and directly jumps to it.

In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error.
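The unchecked copy beside the later, bounded form, as an added example written for this page (it is neither hitchhikr's exploit nor loadexec.prx's code): a C model of the drive-name extraction described above. The 48-byte frame, the return address at bytes 44 to 47, and the 0x1F limit of later firmware come from the page; the function names, the -1 error value, and the choice to also stop at the string terminator are this example's assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not hitchhikr's exploit nor loadexec.prx's code: a model of
 * the drive-name extraction described on the page, in its unchecked form and
 * in the form later firmware uses (a drive name longer than 0x1F bytes is an
 * error). The original loop only stopped at ':'; stopping at the terminator as
 * well is a safety choice of this model so malformed input cannot run off the
 * string. */

#define FRAME_BYTES   48u    /* stack the routine allocates */
#define RA_OFFSET     44u    /* saved return address lives at bytes 44..47 */
#define DRIVE_MAX_LEN 0x1Fu  /* limit enforced by later System Software */

/* Length of the drive part: characters before the first ':'.
 * Returns 0 for an empty drive name or when no ':' is present. */
size_t drive_part_len(const char *path)
{
    const char *p = path;
    while (*p != '\0' && *p != ':')
        p++;
    return (*p == ':') ? (size_t)(p - path) : 0;
}

/* Unchecked model: copies the drive part into a fixed 48-byte frame with no
 * length check. Instead of really smashing a stack it bounds the copy at the
 * frame and reports whether the copy would reach the saved return address.
 * Returns 1 if bytes 44..47 of the frame were written by the copy. */
int copy_drive_unchecked(const char *path, char *frame)
{
    size_t n = drive_part_len(path);
    size_t fit = n < FRAME_BYTES ? n : FRAME_BYTES;
    memcpy(frame, path, fit);
    return n > RA_OFFSET;
}

/* Checked model: validate before copying and always bound the copy by the
 * destination size. Returns the drive length, or -1 for an empty drive name,
 * a missing ':', a name longer than DRIVE_MAX_LEN, or a too-small buffer. */
int copy_drive_checked(const char *path, char *out, size_t outsz)
{
    size_t n = drive_part_len(path);
    if (n == 0 || n > DRIVE_MAX_LEN || n + 1 > outsz)
        return -1;
    memcpy(out, path, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input of the shape the page describes: 48 filler characters,
 * then ':' and an ordinary file name. Returns 0 when the unchecked model
 * reaches the return-address slot and the checked model rejects the path. */
int drive_demo(void)
{
    char path[80];
    char frame[FRAME_BYTES];
    char out[64];
    memset(path, 'A', 48);
    strcpy(path + 48, ":/PSP/GAME/X/EBOOT.PBP");
    int hit_ra = copy_drive_unchecked(path, frame);
    int rc = copy_drive_checked(path, out, sizeof out);
    return (hit_ra == 1 && rc == -1) ? 0 : 1;
}
```

The checked version rejects on length before touching the destination, which is the same ordering the page describes for later loadexec builds; checking after the copy would leave the frame already overwritten.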
Look at sub_21E0 in 6.60 loadexec_01g.prx.

https://forums.ps2dev.org/viewtopic.php?t=6091

https://www.hitchhikr.net/Exploit_2.6.zip

== reused index.dat key: PSP 2.00, 2.01 ==

== swaptrick/kxploit: PSP <= 1.50 ==

This exploit involved either swapping the memory stick, after a valid ELF was loaded, for one containing an unsigned ELF, or using the path hack.

== kernel flagged ELF: PSP <= 1.00 ==

== Remarks ==

https://www.pspx.ru/forum/showthread.php?t=97295

= IPL =

== Giraffe bug ==

Discovered in 2016 by davee.

There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function, sceKernelCheckExecFile, just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF-loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes.
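The two interpretations side by side, as an added example written for this page (it is not loadcore's code): a C model in which one stage skips the fixed 64 bytes and the other skips sce_size, a constructed file on which they land on different data, and a single consistent parser that refuses any ~SCE header the two stages would read differently. The header length, the field at +4 and the two skip rules come from the page; the "~SCE", "~PSP" and ELF magics are the usual PSP file magics; the function names, return values and the sample file are this example's constructions, and the exact chain inside loadcore from the mismatch to an unencrypted PRX being loaded is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not loadcore's code: a model of the ~SCE header handling
 * described on the page. Header length 64 and the sce_size field at +4 come
 * from the page; magics are the usual PSP ones; names and the sample file are
 * constructed for this example. */

#define SCE_HDR_LEN 64u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int has_magic(const uint8_t *p, size_t avail, const char *magic)
{
    return avail >= 4 && memcmp(p, magic, 4) == 0;
}

/* Model of sceKernelCheckExecFile / sceKernelLoadExecutableObject:
 * with a ~SCE header whose sce_size is positive, skip exactly 64 bytes. */
size_t payload_off_fixed(const uint8_t *buf, size_t len)
{
    if (has_magic(buf, len, "~SCE") && len >= SCE_HDR_LEN && (int32_t)rd32le(buf + 4) > 0)
        return SCE_HDR_LEN;
    return 0;
}

/* Model of sceKernelProbeExecutableObject: skip sce_size bytes instead. */
size_t payload_off_sce_size(const uint8_t *buf, size_t len)
{
    if (has_magic(buf, len, "~SCE") && len >= SCE_HDR_LEN) {
        int32_t s = (int32_t)rd32le(buf + 4);
        if (s > 0 && (size_t)s <= len)
            return (size_t)s;
    }
    return 0;
}

/* 1 if the probe stage and the load stages would read the payload from
 * different offsets, i.e. the file has the giraffe shape. */
int stages_disagree(const uint8_t *buf, size_t len)
{
    return payload_off_fixed(buf, len) != payload_off_sce_size(buf, len);
}

/* Consistent handling: decide the offset once and refuse any header whose
 * sce_size differs from the fixed header length, so every stage sees the same
 * bytes. Returns 0 and sets *off on success, -1 on rejection. */
int payload_off_consistent(const uint8_t *buf, size_t len, size_t *off)
{
    if (!has_magic(buf, len, "~SCE")) { *off = 0; return 0; }
    if (len < SCE_HDR_LEN) return -1;
    if (rd32le(buf + 4) != SCE_HDR_LEN) return -1;
    *off = SCE_HDR_LEN;
    return 0;
}

/* Constructed sample: ~SCE header carrying the given sce_size, an encrypted
 * "~PSP" marker at +64 (what the fixed-skip stages see) and a plain ELF marker
 * at +0x80 (what the probe stage sees when sce_size is 0x80). */
size_t build_giraffe_sample(uint8_t *out, size_t cap, uint32_t sce_size)
{
    const size_t total = 0x90;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "~SCE", 4);
    out[4] = (uint8_t)sce_size;         out[5] = (uint8_t)(sce_size >> 8);
    out[6] = (uint8_t)(sce_size >> 16); out[7] = (uint8_t)(sce_size >> 24);
    memcpy(out + SCE_HDR_LEN, "~PSP", 4);
    memcpy(out + 0x80, "\x7f" "ELF", 4);
    return total;
}

/* 1 if the model reproduces the inconsistency on the sce_size = 0x80 sample
 * and the consistent parser rejects that file. */
int giraffe_demo(void)
{
    uint8_t f[0x90];
    size_t off = 0;
    size_t n = build_giraffe_sample(f, sizeof f, 0x80);
    return n == 0x90
        && payload_off_fixed(f, n) == SCE_HDR_LEN
        && payload_off_sce_size(f, n) == 0x80
        && has_magic(f + SCE_HDR_LEN, n - SCE_HDR_LEN, "~PSP")
        && has_magic(f + 0x80, n - 0x80, "\x7f" "ELF")
        && stages_disagree(f, n) == 1
        && payload_off_consistent(f, n, &off) == -1;
}

/* The well-formed counterpart: sce_size == 64 makes every stage agree. */
int giraffe_wellformed_case(void)
{
    uint8_t f[0x90];
    size_t off = 0;
    size_t n = build_giraffe_sample(f, sizeof f, SCE_HDR_LEN);
    return stages_disagree(f, n) == 0
        && payload_off_consistent(f, n, &off) == 0 && off == SCE_HDR_LEN;
}
```

The defensive point is that header parsing must be done once, by one function, and every later stage must consume that result rather than re-deriving it; two parsers that agree on well-formed input and differ on a field nobody normally uses is exactly the shape of this bug.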
This inconsistency leads to the loading of an unencrypted PRX.

https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/

Fixed: since PSP System Software version 6.35.

= Lib-PSP iplloader =

== NMI Backdoor ==

Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Fixed: Never

Applicable to: None

Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)

The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, features an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.

This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.

If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction).
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...).
The missing load-address check allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not validate the block size.
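The IPL header checks described in the three sections above (load address, entrypoint and minimum block size), modelled in Python as an added example that is not the Lib-PSP iplloader code; the header layout and the allow-listed destination ranges are assumptions, while the scratchpad aliases, the 0x100 minimum and the 0xBC10004C register come from this page:

```python
"""Model of the IPL block header checks discussed above (load address,
entrypoint, minimum block size).

Added illustration, not the Lib-PSP iplloader code. The header layout modelled
here (a load address, a block size and an entrypoint) and the allow-listed
destination ranges are assumptions; the scratchpad aliases and size, the 0x100
minimum and the 0xBC10004C register come from this page.
"""
from typing import Optional, Tuple

ADDR_SPACE = 1 << 32
SCRATCHPAD_LEN = 0x4000                      # 16 KiB Allegrex scratchpad
SCRATCHPAD_BASES = (0x80010000, 0xA0010000)  # cached / uncached aliases
MIN_BLOCK_SIZE = 0x100                       # required since Tachyon 0x00600000
SYSREG_RESET_ENABLE_REG = 0xBC10004C         # MMIO register named in the text

# Assumption: the only legitimate copy destinations are the 8 MiB kernel RAM
# region through its cached (0x8...) and uncached (0xA...) aliases.
ALLOWED_DESTINATIONS = ((0x88000000, 0x88800000), (0xA8000000, 0xA8800000))


def span(addr: int, size: int) -> Optional[Tuple[int, int]]:
    """[addr, addr + size) as a half-open range, or None if it wraps 32 bits."""
    end = addr + size
    if addr < 0 or size <= 0 or end > ADDR_SPACE:
        return None
    return addr, end


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def policy_tachyon_0x140000(addr: int, size: int) -> bool:
    """Original behaviour as described: the header is trusted unconditionally."""
    return True


def policy_tachyon_0x600000(addr: int, size: int) -> bool:
    """Partial fix as described: a deny-list of the scratchpad aliases plus the
    0x100 minimum; every other address, MMIO included, remains allowed. The
    text does not say how a wrapping span is treated, so it is not checked."""
    if size < MIN_BLOCK_SIZE:
        return False
    copy = (addr, addr + size)
    return not any(overlaps(copy, (b, b + SCRATCHPAD_LEN)) for b in SCRATCHPAD_BASES)


def policy_allowlist(addr: int, size: int, entry: Optional[int] = None) -> bool:
    """Assumed hardening: the whole copy must fit inside one allowed range,
    and the entrypoint (when given) must point into the copied, aligned code."""
    if size < MIN_BLOCK_SIZE:
        return False
    copy = span(addr, size)
    if copy is None:
        return False
    if not any(lo <= copy[0] and copy[1] <= hi for lo, hi in ALLOWED_DESTINATIONS):
        return False
    if entry is not None:
        # MIPS instructions are 4-byte aligned; the entry must lie inside the block
        return entry % 4 == 0 and copy[0] <= entry < copy[1]
    return True


def main() -> None:
    # Constructed cases: a normal block, the scratchpad, an undersized block,
    # the MMIO register named in the text, and a span that wraps the address space.
    cases = [
        ("kernel RAM", 0x88400000, 0x1000),
        ("scratchpad", 0xA0010000, 0x200),
        ("tiny block", 0x88400000, 0x80),
        ("SYSREG_RESET_ENABLE_REG", SYSREG_RESET_ENABLE_REG, 0x200),
        ("wraps address space", 0xFFFFFF00, 0x200),
    ]
    for name, addr, size in cases:
        print(f"{name:24} {addr:#010x}+{size:#x}: "
              f"0x140000={policy_tachyon_0x140000(addr, size)} "
              f"0x600000={policy_tachyon_0x600000(addr, size)} "
              f"allowlist={policy_allowlist(addr, size)}")


if __name__ == "__main__":
    main()
```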
The missing size check allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g.
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced only once the key is already gone.
This makes it easy to retrieve the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, that is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hash of each IPL block as it is loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12087 Vulnerabilities 2023-10-10T22:03:01Z <p>CelesteBlue: </p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br 
/> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... 
Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? ====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. 
Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. 
Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature.
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Discovered around 2014-10-03 by vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Never implemented.<br /> <br /> There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. 
One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4 PS1emu memory card managers.<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered around 2014-04-03 by qwikrazor87 and Acid_snake. Implemented around 2014-04-03 in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer that the system later jumps to with &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, which is loaded as a whole into RAM. VMCs are plaintext and there is no integrity check done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> On the PSP, if you save the game, then the address of the Memory Card you saved is stored at 0x09FFE550, which is in that range (0x09C00000 to 0x0A000000), and at 0x09FFE560 on PS Vita. But on the PS Vita, it is also always there at some other address, so no need to save the game. What we did was jump to the start of the memory card.
One would normally guess that the header of the .vmc file would produce bad instructions, but guess again, it actually produces a positive branch with a delay slot that has no effect (basically a nop). So the system branches further into the VMC where there is absolutely nothing, so we happily injected a normal binloader there.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis.
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than through loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and this led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware.
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) in order to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87.
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Three functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check-to-time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check-to-time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?2.02? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-01 by qwikrazor87 and Acid_snake.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22 by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too long string is passed as argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60, the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1, then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so those bytes need to be read before exploiting and the other 12 restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable code is a subroutine in the loadexec.prx file, located at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer, stopping only when it encounters a ':' char. Since it does not check any string length during the copy, a sufficiently long user-supplied drive name overwrites the rest of the stack-based values, the return address included. Hence a drive name of 48 chars (plus an extra ':' char to end the loop) whose 44th to 47th chars hold an arbitrary memory address (pointing to a function of ours, for example) will run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps directly to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
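As an added illustration (example code written for this page, not Sony's loadexec code nor code from any homebrew project), the following C models the drive-name check just described: the unchecked variant only reports how far a copy of the drive part would run past the 48-byte stack buffer, and the hardened variant applies the 0x1F-byte limit that the later firmware enforces before copying anything. The function names, the error codes, the helper wrappers and the sample paths are assumptions made for this example; the 48-byte frame and the 0x1F limit are the values given in the text above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example model of the loadexec drive-name routine described above.
   Illustration code for this page, not Sony's code; the names and error
   codes below are invented for the example. */

#define FRAME_BUF_SIZE 48     /* stack buffer size described in the text */
#define DRIVE_NAME_MAX 0x1F   /* limit enforced by later firmware, per the text */

enum {
    DRIVE_OK           =  0,
    DRIVE_ERR_EMPTY    = -1,  /* empty path, or empty drive name (":...") */
    DRIVE_ERR_NO_COLON = -2,  /* no ':' terminator at all */
    DRIVE_ERR_TOO_LONG = -3   /* drive name longer than DRIVE_NAME_MAX */
};

/* Length of the drive part (bytes before the first ':'), or -1 if no ':' exists. */
static int drive_name_length(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* Models the 2.60 bug without reproducing it: the original copied the drive
   part into a 48-byte frame and only stopped at ':'. Returns how many bytes
   such a copy would write beyond that buffer (0 when it fits). The saved
   return address sits inside the frame, so a copy is already dangerous
   before this value becomes non-zero. */
static int unchecked_copy_overrun(const char *path)
{
    int len = drive_name_length(path);
    if (len < 0) return 0;
    return len > FRAME_BUF_SIZE ? len - FRAME_BUF_SIZE : 0;
}

/* Hardened check, modelled on the later firmware behaviour: validate the
   length before any copy, and never write more than out_size bytes. */
static int parse_drive_name(const char *path, char *out, size_t out_size)
{
    if (path == NULL || path[0] == '\0' || path[0] == ':')
        return DRIVE_ERR_EMPTY;
    const char *colon = strchr(path, ':');
    if (colon == NULL)
        return DRIVE_ERR_NO_COLON;
    size_t len = (size_t)(colon - path);
    if (len > DRIVE_NAME_MAX || len + 1 > out_size)
        return DRIVE_ERR_TOO_LONG;
    memcpy(out, path, len);
    out[len] = '\0';
    return DRIVE_OK;
}

/* Wrappers returning plain values so the behaviour can be checked directly. */
static int check_drive_name(const char *path)
{
    char buf[DRIVE_NAME_MAX + 1];
    return parse_drive_name(path, buf, sizeof buf);
}

static int drive_name_is(const char *path, const char *expected)
{
    char buf[DRIVE_NAME_MAX + 1];
    return parse_drive_name(path, buf, sizeof buf) == DRIVE_OK
        && strcmp(buf, expected) == 0;
}

/* Constructed sample: a 60-byte drive name, longer than the 48-byte frame. */
static const char LONG_DRIVE_PATH[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ":/EBOOT.PBP";

int main(void)
{
    const char *paths[] = { "ms0:/PSP/GAME/HOMEBREW/EBOOT.PBP",
                            "flash0:/kd/loadexec.prx",
                            ":/no_drive", "no_colon", LONG_DRIVE_PATH };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        printf("%-40.40s overrun=%2d hardened=%d\n", paths[i],
               unchecked_copy_overrun(paths[i]), check_drive_name(paths[i]));
    }
    return 0;
}
```

The point of the hardened variant is the order of operations: the length is derived from the position of ':' and compared against both the firmware limit and the destination size before a single byte is copied, so an over-long drive name is rejected with an error code instead of being truncated or written past the frame.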
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, within the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not control the block size. 
This allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier, which results in the cache being synced once the key is already gone. 
This allows easily retrieving the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then verifies the signature against this final XOR value.<br /> <br /> This means that inserting two identical blocks into the chain cancels their contribution to the XOR, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the checksum of the previous block.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12086 Vulnerabilities 2023-10-10T21:58:52Z <p>CelesteBlue: /* PS1 Game Savedata */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature.
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87, Acid_snake and vonjack ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Discovered around 2014-10-03 by vonjack. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered by qwikrazor87 and Acid_snake. Implemented in cef_psx and TN-X by Total_Noob. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation done by POPS, any buffer overflow in a PS1 game that would normally let you control $ra is translated to native PSP code that lets you control part of a register. This register contains a pointer that the system later jumps to with &lt;code&gt;jalr&lt;/code&gt;. Because we do not control the entire register (due to the memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM you can find the pointer to the virtual memory card (VMC), which is loaded as a whole into RAM. VMCs are stored as plain, unencrypted data and no integrity check is done on them at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (its first 4 bytes) is interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow.
Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to that known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. A HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of the 6.20 permanent custom firmware.
Sony did patch this in later firmware by applying an ECDSA signature to the PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The Infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, in the PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name.
qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM to hold the fake thread UID) in order to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87.
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good hijacked function is _sceG729EncodeTermResource but other functions can be hijacked.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Three functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?2.02? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free that UID using sceKernelFreePartitionMemory.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-01 by qwikrazor87 and Acid_snake.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15?
==<br /> <br /> Discovered around 2013-10-22 by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as argument, the overflowing content can be crafted to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure could exist.
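The check these functions are missing, as an added example (model code written for this page, not PSP firmware, kermit_wlan.prx or ARK code): a user-pointer validation of the k1 kind beside the unchecked shape of a kwrite function such as sceWlanGetEtherAddr. It assumes the usual PSP convention that $k1 holds 0x100000 for a syscall entered from user mode and 0 for a kernel caller, and that shifting it left by 11 yields the 0x80000000 bit that separates kernel from user addresses; K1_USER, k1_range_ok, get_ether_addr_checked, the two RAM windows and the 6-byte address value are hypothetical names and constructed data.

```c
/* Added example, not PSP firmware or ARK code: a model of the k1 check that the
 * unchecked sceWlanDrv_lib / sceWlanGetEtherAddr functions lack. Names are
 * hypothetical; the RAM windows and the 6-byte "Ethernet address" are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption of this model: $k1 is 0x100000 when a syscall is entered from user
 * mode and 0 when the caller is already kernel code. Shifting it left by 11
 * gives 0x80000000, the bit that separates kernel addresses (>= 0x80000000)
 * from user addresses, so a single AND decides whether a user caller may touch it. */
#define K1_USER          0x00100000u
#define K1_KERNEL        0x00000000u
#define ERR_ILLEGAL_ADDR (-1)   /* hypothetical; the firmware returns an SCE error code */

/* Two constructed 256-byte windows stand in for PSP user RAM and kernel RAM. */
#define USER_BASE   0x08800000u
#define KERNEL_BASE 0x88000000u
#define WINDOW      256u
static uint8_t user_ram[WINDOW];
static uint8_t kernel_ram[WINDOW];

/* Resolve a guest address range to one of the two windows, or NULL if outside both. */
static uint8_t *translate(uint32_t addr, uint32_t len) {
    if (addr >= USER_BASE && addr + len <= USER_BASE + WINDOW)
        return user_ram + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr + len <= KERNEL_BASE + WINDOW)
        return kernel_ram + (addr - KERNEL_BASE);
    return NULL;
}

/* The k1 check: for a user-mode caller every address in [addr, addr+len] must
 * have bit 31 clear; a kernel caller (k1 == 0) yields a zero mask and passes. */
bool k1_range_ok(uint32_t k1, uint32_t addr, uint32_t len) {
    uint32_t mask = k1 << 11;
    return ((addr | (addr + len)) & mask) == 0;
}

/* Constructed 6-byte value standing in for the Ethernet address. */
static const uint8_t ETHER_ADDR[6] = {0x02, 0x1d, 0xd8, 0x01, 0x02, 0x03};

/* Vulnerable shape: writes to whatever dest the caller passed, the way the
 * unchecked kwrite functions do. k1 is never consulted; that is the bug. */
int get_ether_addr_unchecked(uint32_t k1, uint32_t dest) {
    uint8_t *p = translate(dest, sizeof ETHER_ADDR);
    (void)k1;
    if (p == NULL) return ERR_ILLEGAL_ADDR;   /* outside the simulated windows */
    memcpy(p, ETHER_ADDR, sizeof ETHER_ADDR);
    return 0;
}

/* Hardened shape: the k1 check rejects kernel destinations from user callers
 * before a single byte is written. */
int get_ether_addr_checked(uint32_t k1, uint32_t dest) {
    if (!k1_range_ok(k1, dest, sizeof ETHER_ADDR)) return ERR_ILLEGAL_ADDR;
    return get_ether_addr_unchecked(k1, dest);
}

/* Helpers: reset both windows and peek at one kernel byte. */
void reset_ram(void) { memset(user_ram, 0, WINDOW); memset(kernel_ram, 0, WINDOW); }
uint8_t kernel_byte(uint32_t off) { return kernel_ram[off % WINDOW]; }

int main(void) {
    reset_ram();
    printf("unchecked, user caller -> kernel dest: %d, kernel byte now 0x%02x\n",
           get_ether_addr_unchecked(K1_USER, KERNEL_BASE), kernel_byte(0));
    reset_ram();
    printf("checked,   user caller -> kernel dest: %d, kernel byte still 0x%02x\n",
           get_ether_addr_checked(K1_USER, KERNEL_BASE), kernel_byte(0));
    printf("checked,   user caller -> user dest:   %d\n", get_ether_addr_checked(K1_USER, USER_BASE));
    printf("checked,   kernel caller -> kernel dest: %d\n", get_ether_addr_checked(K1_KERNEL, KERNEL_BASE));
    return 0;
}
```

The same missing check is what the sceRtcCompareTick and sceNetMCopyback read primitives listed further down rely on: a user-supplied pointer whose range is never tested against the kernel-address bit. Note that the check covers both ends of the range (addr and addr+len), so a user buffer that starts below 0x80000000 but ends above it is rejected too.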
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in the PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the Ethernet address to any location, even into kernel memory. This means that the exploit depends on your Ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed.
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times.
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;).
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable subroutine is in loadexec.prx, at address 0x88064C94 (game mode) in System Software version 2.60. Its purpose (it is used by functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (bytes 44 to 47). It first checks the first character of the string to see whether the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack frame, stopping only when it encounters a ':' character. Since no string length is checked during the copy, a long enough user-supplied drive name overwrites the rest of the stack, including the saved return address. A drive name of 48 characters (plus a trailing ':' to end the loop) whose bytes 44 to 47 hold an arbitrary address (pointing to a function of ours, for example) therefore lets us run any code we want in the context of the executing routine, that is, in kernel mode: when the routine returns, it reloads the return address from the stack and jumps to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
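The overflow described above, modelled as an added example in C (this is not code from loadexec.prx or from hitchhikr's Exploit_2.6 archive): a 48-byte frame with the saved return address at bytes 44 to 47, the copy loop that stops only at ':', the later 0x1F length check as the hardened variant, and the path layout that redirects the return. The function names, the frame layout and the two addresses used in main() are assumptions of this model; the model also stops writing at the end of the frame rather than running further down the stack, so that it stays defined behaviour on a host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not loadexec.prx code. Models the drive-name routine:
 * a 48-byte stack frame whose bytes 44..47 hold the saved return address,
 * and a copy loop that stops only at ':'. Names and layout are assumptions. */

#define FRAME_SIZE 48
#define RA_OFFSET  44      /* saved return address lives in bytes 44..47 */
#define MAX_DRIVE  0x1F    /* limit enforced by later System Software versions */

/* Simulated stack frame: the drive-name buffer sits directly below the saved
 * return address, so a copy that runs past RA_OFFSET overwrites it. */
struct frame {
    uint8_t drive[RA_OFFSET];
    uint8_t saved_ra[4];   /* little-endian, as the PSP's MIPS core stores it */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Length of the drive part of a path: everything before the first ':'.
 * Returns 0 when the path has no ':' (no drive name). */
size_t drive_name_len(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (size_t)(colon - path) : 0;
}

/* Vulnerable model: copies the drive name into the frame until ':' with no
 * length check. Returns the address the routine would return to. The caller
 * must pass a path that contains ':' (as the routine expects); the copy is
 * capped at the frame end only to keep this host model well defined. */
uint32_t vuln_copy_drive(const char *path, uint32_t real_ra)
{
    struct frame f;
    uint8_t *dst = (uint8_t *)&f;
    size_t i;

    memset(f.drive, 0, sizeof f.drive);
    put_le32(f.saved_ra, real_ra);
    if (path[0] == '\0' || path[0] == ':')
        return le32(f.saved_ra);               /* empty drive name: nothing copied */
    for (i = 0; path[i] != ':' && i < FRAME_SIZE; i++)
        dst[i] = (uint8_t)path[i];             /* bytes 44..47 land in saved_ra */
    return le32(f.saved_ra);
}

/* Hardened model mirroring the later 0x1F check: reject long drive names
 * before copying. Returns 0 on success (unmodified return address in *ra_out)
 * or -1 when the drive name is too long. */
int safe_copy_drive(const char *path, uint32_t real_ra, uint32_t *ra_out)
{
    struct frame f;
    size_t n = drive_name_len(path);

    if (n > MAX_DRIVE)
        return -1;
    memset(f.drive, 0, sizeof f.drive);
    put_le32(f.saved_ra, real_ra);
    memcpy(f.drive, path, n);                  /* n <= 0x1F < RA_OFFSET */
    *ra_out = le32(f.saved_ra);
    return 0;
}

/* Builds the malicious path from the description: 44 filler bytes, the target
 * address at bytes 44..47, and ':' at byte 48 to end the copy loop.
 * 'out' must hold at least 64 bytes. */
void build_exploit_path(char *out, uint32_t target)
{
    memset(out, 'A', RA_OFFSET);
    put_le32((uint8_t *)out + RA_OFFSET, target);
    out[FRAME_SIZE] = ':';
    strcpy(out + FRAME_SIZE + 1, "/EBOOT.PBP");   /* rest of the path is irrelevant */
}

int main(void)
{
    /* Both addresses are illustrative, not values taken from the write-up. */
    const uint32_t ra = 0x88064D00u;       /* some caller in kernel space */
    const uint32_t payload = 0x0890F0F0u;  /* our code in user RAM */
    char path[64];
    uint32_t safe_ra = 0;

    build_exploit_path(path, payload);
    printf("benign : returns to 0x%08x\n", vuln_copy_drive("ms0:/PSP/GAME/X/EBOOT.PBP", ra));
    printf("attack : returns to 0x%08x\n", vuln_copy_drive(path, ra));
    printf("fixed  : status %d\n", safe_copy_drive(path, ra, &safe_ra));
    return 0;
}
```

Run it on any host: the benign path leaves the return address untouched, the crafted path replaces it with the payload address, and the hardened variant rejects the crafted path before any copy happens.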
See sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
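The three skip behaviours just described, as an added example in C (not loadcore code): each consumer is modelled as a function returning the offset at which it starts reading, and a constructed image with sce_size = 0x100 shows the probe path looking 0x100 bytes in while the check and load paths look 64 bytes in. The header layout assumed here (magic "~SCE" at +0, little-endian sce_size at +4, 64 bytes total), the marker bytes placed in the image, and the "accept only sce_size == 64" policy at the end are assumptions of this example, not a description of Sony's actual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not loadcore code. Models the three consumers of the
 * optional ~SCE header to show that they disagree about where the payload
 * starts whenever sce_size != 64. Header layout and names are assumptions. */

#define SCE_HEADER_SIZE 64

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 and fills *sce_size when buf starts with a ~SCE header. */
int has_sce_header(const uint8_t *buf, size_t len, int32_t *sce_size)
{
    if (len < SCE_HEADER_SIZE || memcmp(buf, "~SCE", 4) != 0)
        return 0;
    *sce_size = (int32_t)rd32le(buf + 4);
    return 1;
}

/* Model of sceKernelCheckExecFile and sceKernelLoadExecutableObject:
 * when sce_size is positive, skip the fixed 64-byte header. */
size_t skip_check_and_load(const uint8_t *buf, size_t len)
{
    int32_t sz;
    if (has_sce_header(buf, len, &sz) && sz > 0)
        return SCE_HEADER_SIZE;
    return 0;
}

/* Model of sceKernelProbeExecutableObject: skip sce_size bytes instead
 * (clamped to the buffer so the model never reads out of bounds). */
size_t skip_probe(const uint8_t *buf, size_t len)
{
    int32_t sz;
    if (has_sce_header(buf, len, &sz) && sz > 0)
        return (size_t)sz <= len ? (size_t)sz : len;
    return 0;
}

/* 1 when the probe path and the check/load paths look at different offsets. */
int views_disagree(const uint8_t *buf, size_t len)
{
    return skip_probe(buf, len) != skip_check_and_load(buf, len);
}

/* One consistent policy (an assumption of this example, not Sony's fix):
 * every consumer must agree on the skip, so accept only sce_size == 64. */
int sce_header_consistent(const uint8_t *buf, size_t len)
{
    int32_t sz;
    if (!has_sce_header(buf, len, &sz))
        return 1;                     /* no header, nothing to skip */
    return sz == SCE_HEADER_SIZE;
}

/* Constructed image: a ~SCE header with the given sce_size, a "~PSP" marker
 * at +64 (what check/load see) and a plain "\x7fELF" marker at +sce_size
 * (what probe sees). The markers only label the two views. cap >= 68. */
void build_image(uint8_t *out, size_t cap, uint32_t sce_size)
{
    if (cap < SCE_HEADER_SIZE + 4)
        return;
    memset(out, 0, cap);
    memcpy(out, "~SCE", 4);
    wr32le(out + 4, sce_size);
    memcpy(out + SCE_HEADER_SIZE, "~PSP", 4);
    if ((size_t)sce_size + 4 <= cap)
        memcpy(out + sce_size, "\x7f" "ELF", 4);
}

/* Copies the 4-byte marker found at the offset a given consumer would use. */
void magic_seen(const uint8_t *buf, size_t len,
                size_t (*skip)(const uint8_t *, size_t), char out[5])
{
    size_t off = skip(buf, len);
    out[0] = '\0';
    if (off + 4 <= len) {
        memcpy(out, buf + off, 4);
        out[4] = '\0';
    }
}

int main(void)
{
    uint8_t img[512];
    char seen[5];

    build_image(img, sizeof img, 0x100);
    magic_seen(img, sizeof img, skip_check_and_load, seen);
    printf("check/load start at +%zu and see \"%s\"\n", skip_check_and_load(img, sizeof img), seen);
    magic_seen(img, sizeof img, skip_probe, seen);
    printf("probe      starts at +%zu and sees \"%s\"\n", skip_probe(img, sizeof img), seen);
    printf("views disagree: %d, consistent policy accepts: %d\n",
           views_disagree(img, sizeof img), sce_header_consistent(img, sizeof img));
    return 0;
}
```

With sce_size = 0x100 the probe path describes a different object than the one the check and load paths operate on; with sce_size = 64 all three agree and the consistency policy accepts the header.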
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader jumps to the address set in the register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the value at 0xBC100000) is not zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is zero, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as the load address, which makes the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad range (0xA0010000 uncached; 0x80010000 cached) is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it loads/copies the block. It will happily perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, provided that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader jumps to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. In the Pandora hack this was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100, which allowed crafting a &quot;valid&quot; block much more quickly.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without prior knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately skips the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows an attacker able to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution, when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key only after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced only once the key is already gone. 
This makes it easy to retrieve the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While Tachyon 0x00600000 and later Lib-PSP iplloader may fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block's hash into an accumulator as the blocks are loaded, and then uses the final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks into the chain cancels out their contribution to the XOR value, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12085 Vulnerabilities 2023-10-10T21:50:27Z <p>CelesteBlue: /* Kernel */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red-circle 18 logo is absent from the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 the disc is unpatched; if it is 2006 it is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87.<br /> <br /> Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===<br /> <br /> Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == POPS ==<br /> <br /> === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===<br /> <br /> Discovered by qwikrazor87 and Acid_snake. Implemented in cef_psx and TN-X by Total_Noob. 
Released on 2015-03-12 in TN-X by Total_Noob.<br /> <br /> Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later &lt;code&gt;jalr&lt;/code&gt; to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, that is loaded as a whole into RAM. VMC are plain text and there is no integrity check done to it at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) are interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload.<br /> <br /> https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/<br /> <br /> == Unclassified usermode vulnerabilities ==<br /> <br /> === PsOneLoader by TheFloW ===<br /> <br /> https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. 
Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, anyone could sign their own usermode applications. A HEN/CFW can be loaded much faster through a signed application than through a game exploit. We can thus sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. 
Sony patched this in later firmware by applying an ECDSA signature, which we cannot forge, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here: the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The Infinity installer actually excludes some features (Location Free TV) so that everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is at least partially present on the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. 
qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It relies on AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM to plant a fake thread UID) so that it works together with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == Free kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11 by qwikrazor87. 
Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> A good function to hijack is _sceG729EncodeTermResource, but other functions can be hijacked too.<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Three functions can be used to trigger the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita &lt;= 3.20 ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. 
Implemented in TN-X by Total_Noob around 2014-04-22.<br /> <br /> There is a time-of-check-to-time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.20? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> There is a time-of-check-to-time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> Simply call &lt;code&gt;_sceUsbGpsGetData(0x10000, sw_address);&lt;/code&gt; where &lt;code&gt;sw_address&lt;/code&gt; is the address of the function to hijack, usually _sceKernelLibcTime.<br /> <br /> == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> The exploit steps are:<br /> 1) Execute assembly that saves the context.<br /> 2) Execute assembly that writes the evil UID 0x05FEF601 and the address of the hijacked function _sceKernelLibcTime to address 0x88000000.<br /> 3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread.<br /> 4) Execute assembly that does something.<br /> 5) Free the evil UID 0x05FEF601 using sceKernelFreePartitionMemory.<br /> 6) Execute assembly that restores the context.<br /> 7) Call the hijacked function _sceKernelLibcTime.<br /> <br /> == _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita &lt;= ?2.02? ==<br /> <br /> Discovered around 2014-01-29 by qwikrazor87 and Acid_snake.<br /> <br /> In the sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows an arbitrary write to kernel memory.<br /> <br /> == sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-03 by qwikrazor87 and Acid_snake.<br /> <br /> Call sceIoOpen many times to corrupt a UID, then free the UID using sceKernelFreePartitionMemory.<br /> <br /> == __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2014-01-01 by qwikrazor87 and Acid_snake.<br /> <br /> == sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-12-31 by qwikrazor87 and Acid_snake.<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? 
==<br /> <br /> Discovered around 2013-10-22 by Total_Noob.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1: PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as argument, the overflowing data can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security well, because most of the new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so whoever patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks wherever they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48, memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter: writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These kexploits were chained with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in the PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the Ethernet (MAC) address to any location, even kernel memory. This means that the bytes written by the exploit depend on your Ethernet address. This exploit only exists in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed to it. As there is no DACR in the PSP nor in PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1 and a0 &gt; a1, this function can be used as a comparison oracle to bruteforce the value at a kernel address: it lets you compare the 64-bit value at any place in kernel memory with whatever value you pass to it. Rather than guessing the whole value, you recover it one bit at a time from the most significant bit down: with the higher bits already known and the lower bits of the guess cleared, &quot;value &gt;= guess&quot; holds exactly when the current bit is 1. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed to it. As there is no DACR in the PSP nor in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used in the same way to bruteforce the value at a kernel address: it lets you compare the value at any place in kernel memory with whatever value you pass to it, the only difference being that the comparison is signed, which changes nothing but the ordering of the sign bit. There are 32 bits of data, so you iterate 32 times. 
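The bit-by-bit walk described for sceRtcCompareTick above and for sceNetMCopyback in this section, as an added example written for this page (it is not code from the wiki, from davee, from qwikrazor87 or from ARK-4). The two syscalls are replaced by constructed stand-ins that read a small fake kernel table, so it runs on a PC; fake_kmem, FAKE_KBASE, fake_store, leak_u64_rtc, leak_u32_netm and the planted values are names and data chosen here. The signed 32-bit case is handled by flipping the sign bit, so the same unsigned walk serves both oracles.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for kernel RAM so the walk can run on a PC. On a PSP the two
 * "reads" below are the real k1-unchecked syscalls; here they read this table. */
#define FAKE_KBASE 0x88000000u      /* PSP kernel RAM starts at 0x88000000 */
#define SIGN32     0x80000000u
static uint8_t  fake_kmem[64];
static unsigned oracle_calls;       /* syscall-equivalents spent by the last leak */

static int fake_off(uint32_t kaddr, size_t width) {
    if (kaddr < FAKE_KBASE || (uint64_t)(kaddr - FAKE_KBASE) + width > sizeof fake_kmem) return -1;
    return (int)(kaddr - FAKE_KBASE);
}

void fake_store(uint32_t kaddr, const void *src, size_t width) {
    int off = fake_off(kaddr, width);
    if (off >= 0) memcpy(fake_kmem + off, src, width);
}

/* Models sceRtcCompareTick(a, b): three-way 64-bit compare of *a and *b.
 * Nothing validates 'a', so a kernel address is accepted as the first tick. */
static int fake_sceRtcCompareTick(uint32_t kaddr, const uint64_t *b) {
    uint64_t a;
    int off = fake_off(kaddr, 8);
    oracle_calls++;
    if (off < 0) return 0;
    memcpy(&a, fake_kmem + off, 8);
    return (a < *b) ? -1 : (a > *b) ? 1 : 0;
}

/* Models the sceNetMCopyback comparison: signed 32-bit, tells *a <= b from *a > b. */
static int fake_sceNetMCopyback_gt(uint32_t kaddr, int32_t b) {
    int32_t a;
    int off = fake_off(kaddr, 4);
    oracle_calls++;
    if (off < 0) return 0;
    memcpy(&a, fake_kmem + off, 4);
    return a > b;
}

/* ge(kaddr, g) returns nonzero iff the unsigned value at kaddr is >= g. Walking from
 * the MSB down, with the higher bits already known and the lower bits of the guess
 * cleared, "value >= guess" holds exactly when bit i is 1, so one oracle call
 * decides one bit: nbits calls for the whole value. */
typedef int (*ge_oracle_t)(uint32_t kaddr, uint64_t guess);

static uint64_t leak_bits(ge_oracle_t ge, uint32_t kaddr, int nbits) {
    uint64_t known = 0;
    for (int i = nbits - 1; i >= 0; i--) {
        uint64_t guess = known | ((uint64_t)1 << i);
        if (ge(kaddr, guess)) known = guess;     /* bit i is set: keep it */
    }
    return known;
}

static int ge_via_rtc(uint32_t kaddr, uint64_t guess) {
    return fake_sceRtcCompareTick(kaddr, &guess) >= 0;
}

/* Signed oracle: flipping the sign bit maps the signed order onto the unsigned order,
 * so leak u = value ^ SIGN32 and undo the flip afterwards.
 * u >= g  <=>  u > g-1  <=>  (int32)value > (int32)((g-1) ^ SIGN32).
 * g is never 0 because bit i of the guess is always set. */
static int ge_via_netm(uint32_t kaddr, uint64_t guess) {
    uint32_t x = ((uint32_t)guess - 1u) ^ SIGN32;
    int32_t sx;
    memcpy(&sx, &x, 4);
    return fake_sceNetMCopyback_gt(kaddr, sx);
}

uint64_t leak_u64_rtc(uint32_t kaddr) {
    oracle_calls = 0;
    return leak_bits(ge_via_rtc, kaddr, 64);
}

uint32_t leak_u32_netm(uint32_t kaddr) {
    oracle_calls = 0;
    return (uint32_t)leak_bits(ge_via_netm, kaddr, 32) ^ SIGN32;
}

unsigned last_oracle_calls(void) { return oracle_calls; }

/* Plant sample values (constructed, not real PSP kernel contents) and check that both
 * leaks recover them with exactly one oracle call per bit, sign-bit edge cases included. */
int self_check(void) {
    uint64_t v64 = 0xDEADBEEFCAFEBABEull;
    int32_t  v32 = -123456;
    uint32_t edge[3] = { 0u, SIGN32, 0xFFFFFFFFu };    /* 0, INT32_MIN, -1 */
    fake_store(0x88000010u, &v64, 8);
    fake_store(0x88000020u, &v32, 4);
    if (leak_u64_rtc(0x88000010u) != v64 || last_oracle_calls() != 64) return 0;
    if (leak_u32_netm(0x88000020u) != (uint32_t)v32 || last_oracle_calls() != 32) return 0;
    for (int i = 0; i < 3; i++) {
        fake_store(0x88000030u + 4u * (uint32_t)i, &edge[i], 4);
        if (leak_u32_netm(0x88000030u + 4u * (uint32_t)i) != edge[i]) return 0;
    }
    return 1;
}
```

On real hardware each oracle call is one syscall, so a full kernel dump costs 64 calls per 8 bytes with sceRtcCompareTick and 32 calls per 4 bytes with sceNetMCopyback; the walk itself never needs to read kernel memory directly, only to ask "is it at least this much?".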
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (named ifhandle 6.60) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceNetMFree race condition (named ifhandle 5.70) kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == 
GEN/M33 contested Wlan kexploit: PSP &lt;= 5.50 ==<br /> <br /> Davee does not remember much about this kexploit. The GEN 5.50 source code is not public, so decompilation is required in order to potentially find this exploit.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so those bytes must be read before exploiting, and the other 12 restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is to modify the memory permission setting at 0xBC000000 so as to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). 
It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable code is a subroutine in the loadexec.prx file, at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of that frame (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer, stopping only when it encounters a ':' char. Since it does not check any string length during the copy, a user-supplied drive name that is long enough will overwrite the rest of the stack-based values, such as the return address. Hence a drive name of 48 chars (plus an extra ':' char so that the loop ends), with an address to an arbitrary position in memory (pointing to a function of ours, for example) placed at chars 44 to 47 of the filename, lets us run any code we want in the context of the executing routine (kernel mode): when the routine returns, it reloads the return address from the stack and jumps straight to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
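The routine described above, as an added example that is neither hitchhikr's exploit code nor Sony's loadexec: the unbounded drive-name copy is modelled by functions that only compute what the copy would do (vuln_copy_len, clobbers_return_address, vuln_hijacked_ra), so the demo never actually smashes a stack, and extract_drive_hardened applies the 0x1F limit that later versions check. The 48-byte frame and the return address at bytes 44 to 47 come from the text; the target address 0x88010203 and all function names are illustrative choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame layout of the 2.60 routine as described above: 48 bytes of stack with the
 * saved return address in bytes 44..47. 0x1F is the limit later versions enforce. */
#define FRAME_SIZE 48u
#define RA_OFFSET  44u
#define DRIVE_MAX  0x1Fu

/* Bytes the unbounded loop writes: every character before the first ':'.
 * -1 when there is no ':' at all (treated as "not a drive path" in this model). */
int vuln_copy_len(const char *path) {
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* Does the copy run far enough to overwrite the saved return address? */
int clobbers_return_address(const char *path) {
    return vuln_copy_len(path) >= (int)(RA_OFFSET + 4);
}

/* Address the routine would "return" to: bytes 44..47 of the drive name, read
 * little-endian as the Allegrex does. 0 when the return address is untouched. */
uint32_t vuln_hijacked_ra(const char *path) {
    if (!clobbers_return_address(path)) return 0;
    const uint8_t *p = (const uint8_t *)path + RA_OFFSET;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build the 48-character drive name the text describes: 44 filler bytes, the target
 * address (little-endian) in bytes 44..47, then the ':' that ends the loop. A zero
 * byte in the address cannot live inside a C string, so such targets are refused. */
int make_overflow_path(uint32_t target, char *buf, size_t bufsz) {
    if (bufsz < FRAME_SIZE + 2) return -1;
    for (int i = 0; i < 4; i++)
        if (((target >> (8 * i)) & 0xFFu) == 0) return -1;
    memset(buf, 'A', RA_OFFSET);
    for (int i = 0; i < 4; i++)
        buf[RA_OFFSET + i] = (char)((target >> (8 * i)) & 0xFFu);
    buf[FRAME_SIZE] = ':';
    buf[FRAME_SIZE + 1] = '\0';
    return 0;
}

/* Hardened extraction, modelled on the later check: reject a drive part longer than
 * 0x1F bytes before copying anything, and never write past the end of 'out'. */
int extract_drive_hardened(const char *path, char *out, size_t outsz) {
    int n = vuln_copy_len(path);
    if (n < 0 || (size_t)n > DRIVE_MAX) return -1;   /* no ':' or too long */
    if ((size_t)n + 2 > outsz) return -1;             /* room for ':' and NUL */
    memcpy(out, path, (size_t)n + 1);                 /* keep the ':' */
    out[n + 1] = '\0';
    return 0;
}

/* Craft the path for an illustrative target (0x88010203, a kernel-range address picked
 * for the demo) and report where the vulnerable routine would return to. */
uint32_t demo_vuln_ra(void) {
    char buf[FRAME_SIZE + 2];
    if (make_overflow_path(0x88010203u, buf, sizeof buf) != 0) return 0;
    return vuln_hijacked_ra(buf);
}

/* Same path against the hardened check, plus a benign path that must still work. */
int demo_hardened_rejects(void) {
    char buf[FRAME_SIZE + 2], drive[8];
    if (make_overflow_path(0x88010203u, buf, sizeof buf) != 0) return 0;
    return extract_drive_hardened(buf, drive, sizeof drive) == -1
        && extract_drive_hardened("ms0:/PSP/GAME/HELLO/EBOOT.PBP", drive, sizeof drive) == 0
        && strcmp(drive, "ms0:") == 0;
}
```

The length check alone is what closes the hole: once the drive part is capped at 0x1F bytes it can never reach offset 44 of a 48-byte frame, which is why the later loadexec only needed to add the comparison rather than change the copy.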
See sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function, sceKernelCheckExecFile, just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF-loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
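The three consumers of the ~SCE header, as an added example written for this page (not loadcore's code and not Infinity's): body_offset_load_path and body_offset_probe_path reproduce the two ways of skipping the header described above, build_image constructs a toy file in which the two paths land on different magics, and consistent_header is one policy that would have closed the gap. Which bytes Infinity actually places where is not stated here; the layout, the assumption that the probe path applies the same positivity test, and all names are choices made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCE_HDR_LEN 64u     /* the ~SCE header is a fixed 64 bytes on disk */

enum body_kind { BODY_NONE, BODY_PLAIN_ELF, BODY_ENCRYPTED_PSP, BODY_UNKNOWN };

static int has_sce_header(const uint8_t *buf, size_t len) {
    return len >= SCE_HDR_LEN && memcmp(buf, "~SCE", 4) == 0;
}

/* sce_size lives at +4, little-endian as on the Allegrex; read it as signed. */
static int32_t sce_size_field(const uint8_t *buf) {
    uint32_t v = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 | (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    int32_t s;
    memcpy(&s, &v, 4);
    return s;
}

/* Decrypt/load path (sceKernelCheckExecFile, sceKernelLoadExecutableObject):
 * a positive sce_size means "skip the 64-byte header", whatever sce_size says. */
size_t body_offset_load_path(const uint8_t *buf, size_t len) {
    return (has_sce_header(buf, len) && sce_size_field(buf) > 0) ? SCE_HDR_LEN : 0;
}

/* Probe path (sceKernelProbeExecutableObject): skips sce_size bytes instead.
 * The same positivity test is assumed here; the page does not state it for probe. */
size_t body_offset_probe_path(const uint8_t *buf, size_t len) {
    if (!has_sce_header(buf, len) || sce_size_field(buf) <= 0) return 0;
    return (size_t)sce_size_field(buf);
}

static enum body_kind classify_at(const uint8_t *buf, size_t len, size_t off) {
    if (off > len || len - off < 4) return BODY_NONE;
    if (memcmp(buf + off, "\x7f" "ELF", 4) == 0) return BODY_PLAIN_ELF;
    if (memcmp(buf + off, "~PSP", 4) == 0) return BODY_ENCRYPTED_PSP;
    return BODY_UNKNOWN;
}

enum body_kind seen_by_probe(const uint8_t *buf, size_t len) {
    return classify_at(buf, len, body_offset_probe_path(buf, len));
}
enum body_kind seen_by_load(const uint8_t *buf, size_t len) {
    return classify_at(buf, len, body_offset_load_path(buf, len));
}

/* The probe path vouches for an encrypted container while the load path maps plaintext. */
int paths_disagree(const uint8_t *buf, size_t len) {
    return seen_by_probe(buf, len) == BODY_ENCRYPTED_PSP && seen_by_load(buf, len) == BODY_PLAIN_ELF;
}

/* One consistent policy: a ~SCE header is only accepted when its size field is exactly 64,
 * so every consumer skips the same number of bytes. */
int consistent_header(const uint8_t *buf, size_t len) {
    return !has_sce_header(buf, len) || sce_size_field(buf) == (int32_t)SCE_HDR_LEN;
}

/* Construct an image (illustration only, not Infinity's real file layout): a ~SCE header
 * with sce_size = probe_off, an ELF magic right after the 64-byte header and a ~PSP magic
 * at probe_off. Returns the image length, or 0 if it does not fit in buf. */
size_t build_image(uint8_t *buf, size_t bufsz, uint32_t probe_off) {
    size_t len = (size_t)probe_off + 16;
    if (probe_off < SCE_HDR_LEN || len > bufsz) return 0;
    memset(buf, 0, len);
    memcpy(buf, "~SCE", 4);
    for (int i = 0; i < 4; i++) buf[4 + i] = (uint8_t)(probe_off >> (8 * i));
    memcpy(buf + SCE_HDR_LEN, "\x7f" "ELF", 4);
    if (probe_off != SCE_HDR_LEN) memcpy(buf + probe_off, "~PSP", 4);
    return len;
}

/* Build an image for the given sce_size and report: 1 if the two paths disagree,
 * 0 if they agree, -1 if the image cannot be built. */
int demo_giraffe(uint32_t sce_size) {
    uint8_t img[1024];
    size_t len = build_image(img, sizeof img, sce_size);
    if (len == 0) return -1;
    return paths_disagree(img, len);
}

/* Same image, judged by the consistent policy: 1 accepted, 0 rejected, -1 not built. */
int demo_consistent(uint32_t sce_size) {
    uint8_t img[1024];
    size_t len = build_image(img, sizeof img, sce_size);
    if (len == 0) return -1;
    return consistent_header(img, len);
}
```

With sce_size equal to 64 the two paths agree and nothing interesting happens; with any other positive sce_size the metadata check and the bytes actually mapped come from different places in the file, which is the whole bug.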
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, features an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address held in that register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # read coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coprocessor $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coprocessor $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as the load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. It was used in conjunction with the Kirk time attack in the Pandora hack to craft a block and gain execution at address 0xBFD00100, which allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block with a previous-block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without prior knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution, when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This makes it easy to retrieve the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it is possible that Tachyon 0x00600000 and later Lib-PSP iplloader versions fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs the hash of each IPL block into a running value as the blocks are loaded, and then verifies the signature against that final XOR value.<br /> <br /> This means that inserting two identical blocks into the chain cancels out their contribution to the XOR, so the signature remains valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=POPS&diff=12082 POPS 2023-10-10T13:59:43Z <p>CelesteBlue: /* Internal Compatibility Flags */</p> <hr /> <div>==Overview==<br /> POPS is the PlayStation 1 emulator for the PSP, bundled with the PSP firmware since the 3.00 release. Currently (6.61) there are 7 different versions bundled with every firmware. This weird approach is not uncommon on the PSP, and many other modules come with 7 different versions (impose, power, loadexec, etc.). 
6.61 bundles POPS for 7 PSP generations: 01g (PSP-1000), 02g (PSP-2000), 03g/04g/07g/09g (PSP-3000), 11g (PSP-E1000, known as PSP Street), but, like master Yoda likes to say, &quot;there is another&quot;. The firmware for the PSP Go bundles POPS for the fifth generation, 05g, which is of course the PSP Go (N1000). The differences are unknown, but changes in the emulation code proper are unlikely, so compatibility should be the same. From a technical point of view there is no recompiler/interpreter per se. There is also no emitter in the form known from other emulators; instead there are predefined functions able to emit some predefined code. Does this mean PS1 code runs natively? No, not really. A code analyzer is needed to hijack execution of things that cannot be done natively. That includes cycle counting, hardware register handling, memory remapping, GTE emulation, DMA emulation, MDEC emulation and I/O accesses. Besides that, anything that happens outside of the R3000 needs to be emulated too, like the GPU, SPU, etc.<br /> <br /> ==Important Memory Addresses==<br /> Warning!<br /> *Addresses in this table refer to pops01g from the 6.61 firmware. They could be different for other versions, especially the addresses for the BIOS.<br /> *Addresses which hit 0x10000 - 0x14000 are accessing PSP Scratchpad memory. This can be confusing because disassemblers think this hits main PSP memory, where our pops code already is.<br /> *This table needs more work; for now it may not be 100% accurate.<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Info !! Address !! Size !! 
Notes<br /> |-<br /> | PS1 RAM || 0x9800000 || 0x200000 || Seems to be used only for reads/writes, never executed.<br /> |-<br /> | PS1 RAM || 0x9C00000 || 0x200000 || Seems to be used only for code execution; the code analyzer can patch and hook it if needed.<br /> |-<br /> | PS1 ROM || 0x9E00000 || 0x80000 || Seems to be used only for code execution; the code analyzer can patch and hook it if needed.<br /> |-<br /> | PS1 Scratchpad || 0x13000 || 0x400 ||<br /> |-<br /> | PS1 GTE Registers || 0x10000 || 0x100 || The FLAG register lives in the S330.s VFPU register and is flushed to memory only when needed.<br /> |-<br /> | PSISOIMG0000 header || 0x9E80000 || unk ||<br /> |-<br /> | PS1 SPU Registers || 0x9F40000 || 0x2C0 || Accessed through 0x49F40000 (uncached mode).<br /> |-<br /> | PS1 SPU RAM || 0x9F402C0 || 0x80000 || Also accessed through the 0x49F40000 mirror (uncached mode).<br /> |-<br /> | PS1 SPU Emulator || 0x00 || 0x19E0 || On SPU init, the emulator does something with a pointer to the SPU emulator as first param and 0x9FF8000 as second param, using the sceMeAudio function with NID 0xDE630CD2. I can only guess that this sends the emulator to the Media Engine and maps some kind of memory region (maybe just $sp, as the emulator never sets it on start).<br /> |-<br /> | PS1 HW Registers (from 0x1F801000) || 0x12000 || 0x1000 || There are many exceptions here for addresses that need special handling; for example the PS1 GPU registers are not there, same for MDEC.<br /> |-<br /> | PS1 BIOS || 0x53C20 || 0x80000 || As a file, copied to the PS1 ROM area.<br /> |-<br /> | PS1 BIOS Patch || 0x3DB00 || 0x16120 || The patch is applied to the PS1 BIOS starting from 0x6BC20, if the third character of the Disc ID is P (mostly JPN titles).<br /> |-<br /> |}<br /> <br /> ==Compatibility Flags Values==<br /> {| class=&quot;wikitable&quot;<br /> |-<br /> ! Command ID !! Bitfield !! 
Notes<br /> |-<br /> | 0xFFFFFFFF || Yes || Multi command<br /> bit:<br /> 0 = Used in GP0(E3-E4h) handler.<br /> 2 = Used in GP0(A0h) handler.<br /> 3 = Used in vblank related function.<br /> 4 = Used in GPU DMA related function.<br /> 5 = Used in GP0(2x-3xh) commands handler.<br /> 6 = Skip GP0(80h) / GP0(A0h) commands (if cmd != 0x80000000) or (if cmd != 0xA0000000).<br /> Probably the game accidentally sends trash data which activates a VRAM-to-VRAM copy. The real PS2 uses something similar for Final Fantasy Tactics with the 80h cmd.<br /> 7 = SPU related setting.<br /> 8 = SPU related setting.<br /> 9 = SPU DMA related setting.<br /> 10 = Cdrom related; when enabled it seems to update msf/lba more frequently.<br /> 12 = Counters/timers related setting.<br /> 13 = Cdrom related setting. When enabled, max_disc_lba_without_lead_out is used instead of second_track_lba in one function.<br /> 16 = Skip some additional checks for Pause/ReadS/ReadN/GetTN/Setmode cmds during cdrom command processing.<br /> 17 = Used in MDEC related functions.<br /> 20 = Use the second nBuf in sceCtrlPeekBufferNegative instead of the first one.<br /> 23 = Allows discs to be swapped at any time, regardless of whether the game prompts for it or not.<br /> 24 = In the GP0(02h) - Fill Rectangle in VRAM command, the Top Left Corner X position is masked with 0x3F0 (&amp; 0x3F0); without this bit it is masked with 0x3FF (&amp; 0x3FF).<br /> 25 = Used in GP0(&lt;=67h) handler.<br /> 27 = Used in the function which handles reading GPUSTAT.<br /> 29 = Used in vblank related function.<br /> |-<br /> | 0x00 || Yes || Only bits 0-1 seem to be used<br /> |-<br /> | 0x01 || No ||<br /> |-<br /> | 0x02 || Unk ||<br /> |-<br /> | 0x03 || Unk ||<br /> |-<br /> | 0x04 || Yes || This config is a multi-command for cdrom behavior. The value is a bitfield, but not the usual kind. This config's default value is 0xFFFFFFFF, so to &quot;enable&quot; bits we actually have to clear them. The Windows calculator in programmer mode (dword) should shed some light here. 
To see the enabled bits just apply the NOT operator.<br /> |-<br /> | 0x05 || No ||<br /> |-<br /> | 0x06 || No || Import memory card from an existing game installation. Used for example to unlock additional content in Arc The Lad games [https://arcthelad.fandom.com/wiki/Save_Transfers#List_of_transfer_rewards]. The value is a pointer into emulator memory whose contents hold a different DISC ID. Possibly bugged for NTSC-U Arc The Lad III because it checks for the NTSC-J Arc The Lad II save version. JPN releases should be fine.<br /> |-<br /> | 0x07 || No || When the value is not -1, run some additional code.<br /> |-<br /> | 0x08 || No || Alternative GE Dither Matrix settings. Valid values are 0 or 1; when one of them is detected the display list is patched directly before being sent to the GE. More info about the mentioned settings: [https://hitmen.c02.at/files/yapspd/psp_doc/chap11.html#sec11.5.185]<br /> Default: value = 0: value = 1: <br /> 0xE2001D0C 0xE2000F01 0xE200D9C8 <br /> 0xE300F3E2 0xE3000100 0xE300BFAE <br /> 0xE4000C1D 0xE400000F 0xE400C8D9 <br /> 0xE500E2F3 0xE500F001 0xE500AEBF <br /> |-<br /> | 0x09 || No || Mask for BGR (blue green red) from the PS1 GPU 0x6X-0x7X cmd. Warning! Do not mask the first byte, as this is the GE command (0x55 Ambient Model Color); mask only BGR. A valid mask will be 0xFFBBGGRR.<br /> |-<br /> | 0x0A || No ||<br /> |-<br /> | 0x0B || No || Value is used as a divider at some point; only the u16 is used.<br /> |-<br /> | 0x0C || No || Value is an r3000 memory address. In known configs the command is always used in conjunction with the 0x0D command using the same address.<br /> |-<br /> | 0x0D || No || Value is an r3000 memory address.<br /> |-<br /> | 0x0E || Unk ||<br /> |-<br /> | 0x0F || No || Cdrom related. The param is a disc LBA; only 2 releases of Crash 2 use it. While the JPN version uses the LBA where the file S000000C.NSF starts on the disc, the EU version's LBA seems to hit a completely different spot. 
<br /> |-<br /> | 0x10 || No || Cdrom GetlocP/GetlocL related.<br /> |-<br /> | 0x11 || No || Value is an r3000 memory address. This command performs an additional check, if ((address &amp; 1) != 0), and uses a different code path depending on the result.<br /> |-<br /> | 0x12 || No || When the value is 0 or higher, subtract 2 from it and store it at addr.<br /> |-<br /> | 0x13 || No || When the value is 0 or higher, store it at addr. Only a u8 seems to be used.<br /> |-<br /> | 0x14 || No || SPU emulation related command.<br /> |-<br /> | 0x15 || No || Cdrom related.<br /> |-<br /> | 0x16 || No || When the value is not less than 0, run some additional code related to vblank (seems to be scheduling some event).<br /> |-<br /> | 0x17 || No || GP0 0x2X-0x3X related; the value is added to another value.<br /> |-<br /> | 0x18 || No || Used during GPUREAD (read from 0x1F801810).<br /> |-<br /> | 0x19 || No || GP0 drawing commands related. Only an s16 is used (after sign extending to 32 bits).<br /> |-<br /> | 0x1A || No || Used as the shift amount for the srav opcode in the GP0(80h) - Copy Rectangle (VRAM to VRAM) command. A negative value is negated to a positive value...<br /> |-<br /> | 0x1B || No || Initialize PSX scratchpad memory to the given value + 1. A similar setting is found in ps1_netemu on PS3. Only one game seems to rely on it.<br /> |-<br /> | 0x1C || Unk || Seems to be unused.<br /> |-<br /> | 0x1D || Unk || Seems to be unused.<br /> |-<br /> | 0x1E || Unk || Seems to be unused.<br /> |-<br /> | 0x1F || Unk || Seems to be unused.<br /> |-<br /> |}<br /> <br /> == Internal Compatibility Flags ==<br /> <br /> To fix games that do not behave correctly, Sony decided to implement compatibility settings, a solution well known from other Sony platforms, yet once again implemented differently.<br /> <br /> === Commands used internally in 6.61 POPS ===<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Disc ID Hash !! Disc ID !! Name [Lang] !! Commands Count !! 
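An added decoder, written for this page and not part of POPS, that turns one disc's (cmd, val) pairs from the per-game list into the settings the Compatibility Flags Values table describes: the plain 0xFFFFFFFF bitfield, the inverted 0x04 cdrom bitfield (enabled bits are NOT value), the 0x08 dither matrix words, the 0x09 BGR mask check, and the low-bit branch of 0x11. The sample input is the FINAL FANTASY IX [E] (SLES-12965) entry copied from the table; the short bit names are abbreviations of the table's descriptions.

```python
# Added example (not POPS code): decode a POPS per-game compatibility command list
# into the settings described in the Compatibility Flags Values table.
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF

# Bit meanings of the 0xFFFFFFFF "multi command", abbreviated from the table.
MULTI_BITS: Dict[int, str] = {
    0: "GP0(E3-E4h) handler",
    2: "GP0(A0h) handler",
    3: "vblank related function",
    4: "GPU DMA related function",
    5: "GP0(2x-3xh) commands handler",
    6: "skip GP0(80h)/GP0(A0h) sent with trash data",
    7: "SPU related setting",
    8: "SPU related setting",
    9: "SPU DMA related setting",
    10: "cdrom: update msf/lba more frequently",
    12: "counters/timers related setting",
    13: "cdrom: max_disc_lba_without_lead_out instead of second_track_lba",
    16: "cdrom: skip extra checks for Pause/ReadS/ReadN/GetTN/Setmode",
    17: "MDEC related functions",
    20: "second nBuf in sceCtrlPeekBufferNegative",
    23: "allow disc swap at any time",
    24: "GP0(02h) Fill Rectangle: X & 0x3F0 instead of & 0x3FF",
    25: "GP0(<=67h) handler",
    27: "GPUSTAT read handling",
    29: "vblank related function",
}

# GE display-list words for command 0x08, copied from the table (None = default, unpatched).
DITHER_WORDS: Dict[Optional[int], Tuple[int, ...]] = {
    None: (0xE2001D0C, 0xE300F3E2, 0xE4000C1D, 0xE500E2F3),
    0: (0xE2000F01, 0xE3000100, 0xE400000F, 0xE500F001),
    1: (0xE200D9C8, 0xE300BFAE, 0xE400C8D9, 0xE500AEBF),
}


def set_bits(value: int) -> List[int]:
    """Indices of the bits set in a 32-bit value, lowest first."""
    return [b for b in range(32) if (value >> b) & 1]


def decode_multi(value: int) -> Dict[int, str]:
    """0xFFFFFFFF command: plain bitfield; bits the table does not name are flagged."""
    return {b: MULTI_BITS.get(b, "undocumented bit") for b in set_bits(value & MASK32)}


def decode_cdrom(value: int) -> List[int]:
    """0x04 command: inverted bitfield. The default is 0xFFFFFFFF, so a bit is
    'enabled' by clearing it; the enabled set is simply NOT value."""
    return set_bits(~value & MASK32)


def dither_words(value: int) -> Tuple[int, ...]:
    """0x08 command: only 0 or 1 patch the display list; anything else keeps the default."""
    return DITHER_WORDS[value] if value in (0, 1) else DITHER_WORDS[None]


def bgr_mask_ok(value: int) -> bool:
    """0x09 command: the top byte is the GE 0x55 command byte and must stay 0xFF."""
    return (value >> 24) & 0xFF == 0xFF


def decode_entry(cmds: List[Tuple[int, int]]) -> Dict[str, object]:
    """Group one disc's (cmd, val) pairs into the named settings documented above."""
    out: Dict[str, object] = {}
    for cmd, val in cmds:
        cmd, val = cmd & MASK32, val & MASK32
        if cmd == 0xFFFFFFFF:
            out["multi"] = decode_multi(val)
        elif cmd == 0x04:
            out["cdrom_enabled_bits"] = decode_cdrom(val)
        elif cmd == 0x08:
            out["dither"] = dither_words(val)
        elif cmd == 0x09:
            out["bgr_mask_ok"] = bgr_mask_ok(val)
        elif cmd == 0x11:
            # the table says the code path depends on (address & 1)
            out["addr_0x11"] = (val, bool(val & 1))
        elif cmd in (0x0C, 0x0D):
            out.setdefault("r3000_addrs", []).append((cmd, val))
        else:
            out.setdefault("other", []).append((cmd, val))
    return out


# Sample input copied from the per-game table: FINAL FANTASY IX [E], SLES-12965.
FF9_SLES_12965: List[Tuple[int, int]] = [
    (0xFFFFFFFF, 0x00001802), (0x00000000, 0x00008000), (0x00000013, 0x00000001),
    (0x00000004, 0xFFFFFFF8), (0x0000000B, 0x00010002), (0x00000008, 0x00000000),
]

if __name__ == "__main__":
    for key, setting in decode_entry(FF9_SLES_12965).items():
        print(key, setting)
```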
Data (command + value)<br /> |-<br /> | 0x4B41C042 || SCPS-18011 || UM JAMMER LAMMY [J] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000100<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE2<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x4B41F041 || SCPS-18012 || VIB RIBBON [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00080108<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> |-<br /> | 0x4B42F051 || SCPS-18002 || PARAPPA THE RAPPER [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x41DB3C36 || SLES-12965 || FINAL FANTASY IX - [ 2 DISC ] [E] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x41DBCC35 || SLES-12966 || FINAL FANTASY IX - [ 2 DISC ] [F] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x41DBDC34 || SLES-12967 || FINAL FANTASY IX - [ 2 DISC ] [G] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x41DBEC3B || SLES-12968 || FINAL FANTASY IX - [ 2 DISC ] [I] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> 
val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x41DBFC3A || SLES-12969 || FINAL FANTASY IX - [ 2 DISC ] [S] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x43C4CD3B || SCES-10868 || FINAL FANTASY VII - [ 2 DISC ] [F] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000002<br /> val: 0x00000014<br /> |-<br /> | 0x43C4DD3A || SCES-10869 || FINAL FANTASY VII - [ 2 DISC ] [G] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000002<br /> val: 0x00000014<br /> |-<br /> | 0x43C43D34 || SCES-10867 || FINAL FANTASY VII - [ 2 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000002<br /> val: 0x00000014<br /> |-<br /> | 0x43CA0D07 || SLES-10854 || G-POLICE - [ 2 DISC ] [G] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x43CA1D06 || SLES-10855 || G-POLICE - [ 2 DISC ] [I] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x43CA2D05 || SLES-10856 || G-POLICE - [ 2 DISC ] [S] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x43CA7D00 || SLES-10853 || G-POLICE - [ 2 DISC ] [F] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x43CB4D33 || SLES-10860 || COLONY WARS - [ 2 DISC ] [E] || 0x00000002 ||<br /> 
cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x43CB5D32 || SLES-10861 || COLONY WARS - [ 2 DISC ] [F] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x43CB6D31 || SLES-10862 || COLONY WARS - [ 2 DISC ] [G] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x43CB7D30 || SLES-10863 || COLONY WARS - [ 2 DISC ] [I] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x43D46C21 || SLES-10972 || RESIDENT EVIL 2 - [ 2 DISC ] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00030020<br /> cmd: 0x00000000<br /> val: 0x00000006<br /> cmd: 0x0000000A<br /> val: 0x00000018<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF9<br /> |-<br /> | 0x50C1FD7B || SCES-03828 || FINAL FANTASY VI [ 1 DISC ] [E] ||0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x80000012<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000000<br /> val: 0x00008003<br /> cmd: 0x00000011<br /> val: 0x800417F8<br /> |-<br /> | 0x50C77D13 || SCES-03840 || FINAL FANTASY ANTHOLOGY [ 1 DISC ] [E] || 0x00000002 ||<br /> cmd: 0x0000000B<br /> val: 0x000F0010<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFB<br /> |-<br /> | 0x51C41D20 || SCES-02873 || VIB RIBBON [E][F][G][I][S] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00080108<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> |-<br /> | 0x51CB6822 || SLPS-02871 || MAX SURFING 2ND [J] ||0x00000003 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF8<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x51CC7D52 || SLES-02801 || ALONE IN THE DARK - THE NEW NIGHTMARE - [ 1 DISC ] [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x51CCC854 || SLPS-02807 || URAWAZA MAHJONG - KORETTE TENHOUTTE YATSUKAI [J] || 
0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0x51CDC844 || SLPS-02817 || FIRE PRO WRESTLING G [SPIKE LIBRARY #001] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000800<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFD<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x51CE2876 || SLPS-02825 || PERSONA 2 - ETERNAL PUNISHMENT - [ 1 DISC ] [J] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> |-<br /> | 0x51D4E9DA || SLPS-02989 || YAMASA DIGI GUIDE - HYPER RUSH [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x00000016<br /> val: 0x000064EC<br /> |-<br /> | 0x51D4F9DB || SLPS-02988 || SANYO PACHINKO PARADISE 4 - SUSHIYA DA GEN-SAN!! [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x51D479D3 || SLPS-02980 || YAMASA DIGI GUIDE - NEW PULSAR R [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x00000016<br /> val: 0x000064EC<br /> |-<br /> | 0x51D82916 || SLPS-02945 || GOCHACHIRU [PANDORA MAX SERIES VOL.5] [J] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE4<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFB<br /> |-<br /> | 0x51DA3C36 || SLES-02965 || FINAL FANTASY IX - [ 1 DISC ] [E] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x51DA1931 || SLPS-02962 || BLACK MATRIX CROSS - [ 1 DISC ] [J] ||0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x51DA2936 || SLPS-02965 || KIMI NI STEADY [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 
0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x51DACC35 || SLES-02966 || FINAL FANTASY IX - [ 1 DISC ] [F] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x51DADC34 || SLES-02967 || FINAL FANTASY IX - [ 1 DISC ] [G] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x51DAEC3B || SLES-02968 || FINAL FANTASY IX - [ 1 DISC ] [I] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x51DAFC3A || SLES-02969 || FINAL FANTASY IX - [ 1 DISC ] [S] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x51DB2926 || SLPS-02975 || KOWLOON'S GATE [ARTDINK BEST CHOICE] - [ 1 DISC ] [J] || 0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x51DBC924 || SLPS-02977 || KOWLOON'S GATE [ARTDINK BEST CHOICE] - [ 3 DISC ] [J] || 
0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x51DBD925 || SLPS-02976 || KOWLOON'S GATE [ARTDINK BEST CHOICE] - [ 2 DISC ] [J] || 0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x51DBF92B || SLPS-02978 || KOWLOON'S GATE [ARTDINK BEST CHOICE] - [ 4 DISC ] [J] || 0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x51DE0970 || SLPS-02923 || SIMPLE 1500 SERIES VOL.036 - THE RENAI SIMULATION: NATSU IRO CELEBRATION [J] || 0x00000002 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x52C418D0 || SLPS-01883 || FINAL FANTASY VIII - [ 4 DISC ] [J] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x52C448D3 || SLPS-01880 || FINAL FANTASY VIII - [ 1 DISC ] [J] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x52C468D1 || SLPS-01882 || FINAL FANTASY VIII - [ 3 DISC ] [J] ||0x00000005 ||<br 
/> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x52C478D2 || SLPS-01881 || FINAL FANTASY VIII - [ 2 DISC ] [J] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x52C84813 || SLPS-01840 || REFRAIN LOVE 2 - [ 1 DISC ] [J] ||0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x52C86811 || SLPS-01842 || BLOODY ROAR 2 - BRINGER OF THE NEW AGE [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x52C87812 || SLPS-01841 || REFRAIN LOVE 2 - [ 2 DISC ] [J] ||0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x52C91800 || SLPS-01853 || CHIPPOKE RALPH NO DAIBOUKEN [THE ADVENTURE OF LITTLE RALPH] [J] ||0x00000001 ||<br /> cmd: 0x00000016<br /> val: 0x00010D20<br /> |-<br /> | 0x52CA7832 || SLPS-01861 || MORI NO OUKOKU - KINGDOM OF FOREST [J] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0x52CAC83B || SLPS-01868 || IS - INTERNAL SECTION [J] || 0x00000001 ||<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> |-<br /> | 0x52CB2825 || SLPS-01876 || OMISE DE TENSYU [J] ||0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0x52CD3D45 || SLES-01816 || DRIVER - YOU'RE THE WHEELMAN [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 
0x52CDC84B || SLPS-01818 || LANGRISSER IV &amp; V - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE4<br /> |-<br /> | 0x52CDF84A || SLPS-01819 || LANGRISSER IV &amp; V - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE4<br /> |-<br /> | 0x52CE2875 || SLPS-01826 || NIHON PRO MAHJONG RENMEI KOUNIN - TEHODOKI MAHJONG NYUUMON-HEN [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> |-<br /> | 0x52CE4873 || SLPS-01820 || PALM TOWN [J] || 0x00000001 ||<br /> cmd: 0x00000016<br /> val: 0x0000541A<br /> |-<br /> | 0x52D549C3 || SLPS-01990 || SAGA FRONTIER 2 - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x0000000C<br /> |-<br /> | 0x52D97902 || SLPS-01951 || CHOCOBO RACING [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000E7<br /> cmd: 0x00000002<br /> val: 0x00000009<br /> |-<br /> | 0x52DC0957 || SLPS-01904 || COMBAT CHORO Q [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> |-<br /> | 0x52DC1950 || SLPS-01903 || FARLAND SAGA - TOKI NO MICHISHIRUBE [J] ||0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000080<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0x52DC6951 || SLPS-01902 || GUNHO BRIGADE [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000010<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x52DE0977 || SLPS-01924 || SUPER ROBOT WARS F FINAL [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFBC<br /> |-<br /> | 0x52DE2975 || SLPS-01926 || CHIISANA KYOJIN MICROMAN [J] || 0x00000005 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFA<br /> |-<br /> | 0x52DE6971 || SLPS-01922 || DEVIL SUMMONER - SOUL HACKERS [ 2 DISC ] [J] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br 
/> cmd: 0x0000000A<br /> val: 0x00000008<br /> |-<br /> | 0x52DE7972 || SLPS-01921 || DEVIL SUMMONER - SOUL HACKERS [ 1 DISC ] [J] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> |-<br /> | 0x52DFF96A || SLPS-01939 || NURSE STORY [J] ||0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000016<br /> val: 0x0000541A<br /> |-<br /> | 0x53C5C8CA || SLPS-00899 || PANZER BANDIT [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x53C5CD3B || SCES-00868 || FINAL FANTASY VII - [ 1 DISC ] [F] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000002<br /> val: 0x00000014<br /> |-<br /> | 0x53C5D8CB || SLPS-00898 || SAGA FRONTIER [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0x53C5DD3A || SCES-00869 || FINAL FANTASY VII - [ 1 DISC ] [G] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000002<br /> val: 0x00000014<br /> |-<br /> | 0x53C53D34 || SCES-00867 || FINAL FANTASY VII - [ 1 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000002<br /> val: 0x00000014<br /> |-<br /> | 0x53C57DC1 || SLUS-00892 || FINAL FANTASY VIII - [ 1 DISC ] [E] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x53C86D10 || SLUS-00843 || REEL FISHING II [E] ||0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020002<br /> cmd: 0x00000003<br /> val: 0x00000008<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 
0x000000EF<br /> |-<br /> | 0x53C87D11 || SLUS-00842 || DRIVER - YOU ARE THE WHEELMAN [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0x53C90D07 || SLES-00854 || G-POLICE - [ 1 DISC ] [G] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x53C91D06 || SLES-00855 || G-POLICE - [ 1 DISC ] [I] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x53C92D05 || SLES-00856 || G-POLICE - [ 1 DISC ] [S] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x53C97D00 || SLES-00853 || G-POLICE - [ 1 DISC ] [F] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x00000107<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x53C528C4 || SLPS-00897 || LANGRISSER I &amp; II [J] || 0x00000003 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000003<br /> val: 0x0000000B<br /> cmd: 0x00000002<br /> val: 0x0000000B<br /> |-<br /> | 0x53C548C2 || SLPS-00891 || ZERO DIVIDE 2 [J][E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00080000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000011<br /> val: 0x8009351D<br /> |-<br /> | 0x53C91807 || SLPS-00854 || ASSAULT SUITS VALKEN 2 [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000010<br /> cmd: 0x00000002<br /> val: 0x00000009<br /> |-<br /> | 0x53CA4D33 || SLES-00860 || COLONY WARS - [ 1 DISC ] [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x53CA5D32 || SLES-00861 || COLONY WARS - [ 1 DISC ] [F] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x53CA5DC2 || SCES-00891 || DISNEY'S HERCULES - THE ACTION GAME [E] ||0x00000001 ||<br /> cmd: 0x00000002<br /> 
val: 0x0000000C<br /> |-<br /> | 0x53CA6D31 || SLES-00862 || COLONY WARS - [ 1 DISC ] [G] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x53CA7D30 || SLES-00863 || COLONY WARS - [ 1 DISC ] [I] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x53CB1D26 || SLES-00875 || BUGRIDERS - THE RACE OF KINGS [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> |-<br /> | 0x53CB2D24 || SLUS-00877 || R-TYPE DELTA [E] || 0x00000004 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> cmd: 0x00000010<br /> val: 0x00000004<br /> |-<br /> | 0x53CB0826 || SLPS-00875 || QUIZ NANAIRO DREAMS - NIJIIRO MAKI NO KISEKI [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0x53CBCD2A || SLUS-00879 || FINAL FANTASY ANTHOLOGY - [ 1 DISC ] [E] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0x53CD7841 || SLPS-00812 || FADE TO BLACK [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x53CE1877 || SLPS-00824 || NEORUDE - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0x53CE6870 || SLPS-00823 || NEORUDE - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0x53CE7871 || SLPS-00822 || FIGHTER'S IMPACT [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0x53CF1867 || SLPS-00834 || THE KING OF FIGHTERS '96 [J][E][P][S] || 0x00000001 ||<br /> cmd: 0x00000011<br /> val: 0x0801B3E0<br /> |-<br /> | 0x53D9DC0B || SLUS-00958 || SUIKODEN II [E] ||0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000009<br /> |-<br /> | 
0x53D53C34 || SCES-00967 || CRASH BANDICOOT 2- CORTEX STRIKES BACK [E][F][G][I][S] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0x53D419D7 || SLPS-00984 || WIZARD'S HARMONY 2 [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000016<br /> val: 0x00008690<br /> |-<br /> | 0x53D85913 || SLPS-00940 || SPACE INVADERS [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0x53D91907 || SLPS-00954 || SIDEWINDER II - LET'S DANCE IN THE SKY [J][E] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> |-<br /> | 0x53D96900 || SLPS-00953 || FRONT MISSION ALTERNATIVE [J] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x53DA0936 || SLPS-00965 || ...IRU! [J] ||0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x0000000F<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> |-<br /> | 0x53DB6C21 || SLES-00972 || RESIDENT EVIL 2 - [ 1 DISC ] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00030020<br /> cmd: 0x00000000<br /> val: 0x00000006<br /> cmd: 0x0000000A<br /> val: 0x00000018<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF9<br /> |-<br /> | 0x53DCCC5A || SLUS-00909 || FINAL FANTASY VIII - [ 3 DISC ] [E] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x53DCDC5B || SLUS-00908 || FINAL FANTASY VIII - [ 2 DISC ] [E] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x53DD5C43 || 
SLUS-00910 || FINAL FANTASY VIII - [ 4 DISC ] [E] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00000017<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x53DD2944 || SLPS-00917 || CLOCK TOWER - THE FIRST FEAR [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x53DDC94A || SLPS-00919 || CARNAGE HEART EZ - EASY ZAPPING [J] ||0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x53DE6C70 || SLUS-00923 || RESIDENT EVIL 3 - NEMESIS [E] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFA<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> |-<br /> | 0x53DE7C71 || SLUS-00922 || DINO CRISIS [ 1 DISC ] [E] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> |-<br /> | 0x53DF4962 || SLPS-00931 || MY HOME DREAM [J] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA0<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x61D5CC35 || SLES-32966 || FINAL FANTASY IX - [ 4 DISC ] [F] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x61D5DC34 || SLES-32967 || FINAL FANTASY IX - [ 4 DISC ] [G] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001802<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br 
/>
| 0x61D5EC3B || SLES-32968 || FINAL FANTASY IX - [ 4 DISC ] [I] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x61D5FC3A || SLES-32969 || FINAL FANTASY IX - [ 4 DISC ] [S] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x61D53C36 || SLES-32965 || FINAL FANTASY IX - [ 4 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x71D4CC35 || SLES-22966 || FINAL FANTASY IX - [ 3 DISC ] [F] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x71D4DC34 || SLES-22967 || FINAL FANTASY IX - [ 3 DISC ] [G] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x71D4EC3B || SLES-22968 || FINAL FANTASY IX - [ 3 DISC ] [I] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x71D4FC3A || SLES-22969 || FINAL FANTASY IX - [ 3 DISC ] [S] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x71D43C36 || SLES-22965 || FINAL FANTASY IX - [ 3 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000008
val: 0x00000000
|-
| 0x73CB3D34 || SCES-20867 || FINAL FANTASY VII - [ 3 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000010
val: 0x00000007
cmd: 0x00000002
val: 0x00000014
|-
| 0x73CBCD3B || SCES-20868 || FINAL FANTASY VII - [ 3 DISC ] [F] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000010
val: 0x00000007
cmd: 0x00000002
val: 0x00000014
|-
| 0x73CBDD3A || SCES-20869 || FINAL FANTASY VII - [ 3 DISC ] [G] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001802
cmd: 0x00000010
val: 0x00000007
cmd: 0x00000002
val: 0x00000014
|-
| 0x334F2054 || SIPS-60007 || TWISTED METAL [J] || 0x00000001 ||
cmd: 0x00000013
val: 0x00000004
|-
| 0x334F4052 || SIPS-60001 || DESTRUCTION DERBY [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000420
|-
| 0x334F6050 || SIPS-60003 || WIPEOUT [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000020
|-
| 0x411AE00B || SLES-12558 || PARASITE EVE 2 - [ 2 DISC ] [E] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x411AF00A || SLES-12559 || PARASITE EVE 2 - [ 2 DISC ] [F] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x411B0031 || SLES-12562 || PARASITE EVE 2 - [ 2 DISC ] [I] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x411B6033 || SLES-12560 || PARASITE EVE 2 - [ 2 DISC ] [G] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x411B7032 || SLES-12561 || PARASITE EVE 2 - [ 2 DISC ] [S] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x416A37D6 || SCES-12285 || SYPHON FILTER 2 - [ 2 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x416AC7D5 || SCES-12286 || SYPHON FILTER 2 - [ 2 DISC ] [F] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x416AD7D4 || SCES-12287 || SYPHON FILTER 2 - [ 2 DISC ] [G] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x416AE7DB || SCES-12288 || SYPHON FILTER 2 - [ 2 DISC ] [I] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x416AF7DA || SCES-12289 || SYPHON FILTER 2 - [ 2 DISC ] [S] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x421D3055 || SLES-11506 || METAL GEAR SOLID - [ 2 DISC ] [F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x421DC054 || SLES-11507 || METAL GEAR SOLID - [ 2 DISC ] [G] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x421DD05B || SLES-11508 || METAL GEAR SOLID - [ 2 DISC ] [I] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x432AD30A || SLES-10659 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 2 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x000A0008
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000B
val: 0x00010004
|-
| 0x434A20D4 || SCPS-10087 || GEKISOU TOMARUNNER [J] || 0x00000008 ||
cmd: 0xFFFFFFFF
val: 0x00000020
cmd: 0x0000000E
val: 0x00000000
cmd: 0x00000011
val: 0x80038EC8
cmd: 0x00000013
val: 0x00000003
cmd: 0x00000002
val: 0x0000000D
cmd: 0x00000001
val: 0x000000EF
cmd: 0x00000004
val: 0xFFFFFFF3
cmd: 0x00000019
val: 0xFFFF0011
|-
| 0x434A40D2 || SCPS-10081 || MEDIEVIL [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000004
val: 0xFFFFFFFD
|-
| 0x434AC0DA || SCPS-10089 || WILD ARMS - SECOND IGNITION - [ 1 DISC ] [J] || 0x00000005 ||
cmd: 0x00000002
val: 0x00000004
cmd: 0x00000003
val: 0x00000004
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000E
val: 0xFFFFFFF0
cmd: 0x00000015
val: 0x00000001
|-
| 0x434AD0DB || SCPS-10088 || BOKU NO NATSUYASUMI - SUMMER HOLIDAY 20TH CENTURY [J] || 0x00000005 ||
cmd: 0x00000013
val: 0x00000003
cmd: 0x00000002
val: 0x00000005
cmd: 0x00000001
val: 0x000000ED
cmd: 0x00000004
val: 0xFFFFFFF7
cmd: 0x0000000E
val: 0xFFFFFFFD
|-
| 0x434B1027 || SCPS-10074 || ORE NO SHIKABANE WO KOETE YUKE [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000003
|-
| 0x434B2024 || SCPS-10077 || CIRCADIA - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000002
|-
| 0x434B4022 || SCPS-10071 || I.Q. FINAL [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000010
val: 0x00000007
|-
| 0x434B6020 || SCPS-10073 || CRASH BANDICOOT 3 - BUTTOBI! SEKAI ISSHUU! [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFF7
|-
| 0x434B7021 || SCPS-10072 || WANDER TREK [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
|-
| 0x434BD02B || SCPS-10078 || CIRCADIA - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000002
|-
| 0x500E947A || SLPS-03429 || YAMASA DIGI SELECTION [J] || 0x00000003 ||
cmd: 0x00000010
val: 0x00000005
cmd: 0x00000002
val: 0x00000004
cmd: 0x0000000B
val: 0x000E0010
|-
| 0x500F6463 || SLPS-03430 || FINAL FANTASY I [J] || 0x00000004 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000001
val: 0x000000E8
cmd: 0x00000016
val: 0x00007E27
|-
| 0x500FD466 || SLPS-03435 || YAKITORI MUSUME [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000001
val: 0x000000E8
|-
| 0x500FF464 || SLPS-03437 || BAKURETSU SOCCER [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
|-
| 0x501A0531 || SLPS-03562 || JALECO COLLECTION VOL.1 [J] || 0x00000002 ||
cmd: 0x00000001
val: 0x000000E8
cmd: 0x00000002
val: 0x00000010
|-
| 0x501B2527 || SLPS-03574 || BLACK MATRIX 00 - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000004
|-
| 0x501B3520 || SLPS-03573 || BLACK MATRIX 00 - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000004
|-
| 0x501C0551 || SLPS-03502 || FINAL FANTASY II [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000003
val: 0x0000000C
cmd: 0x00000001
val: 0x000000E8
cmd: 0x0000000E
val: 0xFFFFFFF6
|-
| 0x502A83CA || SCES-03699 || SYPHON FILTER 3 [G] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000004
val: 0xFFFFFFF7
|-
| 0x502AE3C4 || SCES-03697 || SYPHON FILTER 3 [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000004
val: 0xFFFFFFF7
|-
| 0x502AF3CB || SCES-03698 || SYPHON FILTER 3 [F] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000004
val: 0xFFFFFFF7
|-
| 0x504C0051 || SLPS-03002 || BOMBERMAN LAND [J] || 0x00000001 ||
cmd: 0x00000013
val: 0x00000004
|-
| 0x504D0041 || SLPS-03012 || LITTLE PRINCESS +1 - MARU OUKOKU NO NINGYOU HIME 2 - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFF9
|-
| 0x504FE06B || SLPS-03038 || YAMASA DIGI GUIDE - M-771 [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x00000010
cmd: 0x00000016
val: 0x000064EC
|-
| 0x505A6133 || SLPS-03160 || MONSTER FARM JUMP [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000001
val: 0x000000E8
|-
| 0x505CC155 || SLPS-03106 || ONI ZERO FUKKATSU [PANDORA MAX SERIES VOL.6] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000020
cmd: 0x00000004
val: 0xFFFFFFA7
cmd: 0x0000000B
val: 0x00010004
|-
| 0x505FD166 || SLPS-03135 || MEMORIAL STAR SERIES - SUNSOFT CLASSICS VOL.1 - IKKI & SUPER ARABIAN [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000008
val: 0x00000000
|-
| 0x506AE734 || SLES-03267 || DISNEY'S THE LION KING - SIMBA'S MIGHTY ADVENTURE [E] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFFA
|-
| 0x507AC335 || SLPS-03366 || MEMORIAL STAR SERIES - SUNSOFT CLASSICS VOL.3 - MADOOLA NO TSUBASA & TOUKAIDOU GOJUUSAN TSUGI [J] || 0x00000001 ||
cmd: 0x00000008
val: 0x00000000
|-
| 0x507D0341 || SLPS-03312 || SANYO PACHINKO PARADISE DX [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000002
val: 0x00000004
|-
| 0x510AC135 || SLES-02466 || PRO PINBALL - FANTASTIC JOURNEY [E][F][G][S] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x02000000
|-
| 0x510EC474 || SLPS-02427 || TANTEI JINGUUJI SABURO - TOMISHIBI GA KIENUMANI [J] || 0x00000002 ||
cmd: 0x00000004
val: 0xFFFFFFFB
cmd: 0x00000001
val: 0x000000EC
|-
| 0x510F7463 || SLPS-02430 || CHRONO TRIGGER [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x04000000
cmd: 0x00000002
val: 0x0000000A
cmd: 0x00000004
val: 0xFFFFFFFB
|-
| 0x511A0031 || SLES-02562 || PARASITE EVE 2 - [ 1 DISC ] [I] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x511A0530 || SLPS-02563 || GENSOU NO ALTEMIS - ACTRESS SCHOOL MYSTERY ADVENTURE [J] || 0x00000003 ||
cmd: 0x00000002
val: 0x00000004
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000001
val: 0x000000EE
|-
| 0x511A6033 || SLES-02560 || PARASITE EVE 2 - [ 1 DISC ] [G] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x511A7032 || SLES-02561 || PARASITE EVE 2 - [ 1 DISC ] [S] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x511C6552 || SLPS-02501 || ROBIN LLOYD NO DAIBOUKEN - THE ADVENTURES OF ROBIN LLOYD [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFFE
|-
| 0x511E0570 || SLPS-02523 || CHOCOBO COLLECTION - HAPPY 10TH ANNIVERSARY! - [ 3 DISC ] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFFE
|-
| 0x511ED575 || SLPS-02526 || SPECTRAL BLADE [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000008
|-
| 0x512B3627 || SLPS-02674 || CHAMPIONSHIP BASS [J] || 0x00000002 ||
cmd: 0x00000010
val: 0x00000007
cmd: 0x0000000E
val: 0x00000000
|-
| 0x512E6672 || SLPS-02621 || STRIDER HIRYU 1 & 2 - [ 2 DISC ] [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000010
cmd: 0x00000010
val: 0x00000007
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x512E7673 || SLPS-02620 || STRIDER HIRYU 1 & 2 - [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0x00000001
val: 0x000000EF
cmd: 0x00000002
val: 0x00000002
|-
| 0x512F0660 || SLPS-02633 || SANYO PACHINKO PARADISE 3 [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x512FC664 || SLPS-02637 || RUBBISH BLAZON [PANDORA MAX SERIES VOL.3] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000003
val: 0x00000006
cmd: 0x00000010
val: 0x00000003
|-
| 0x513C2756 || SLPS-02705 || MABOROSHI TSUKIYO - [ 1 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x20000000
cmd: 0x0000000B
val: 0x00010016
cmd: 0x00000004
val: 0xFFFFFFFC
|-
| 0x513CD755 || SLPS-02706 || MABOROSHI TSUKIYO - [ 2 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x20000000
cmd: 0x0000000B
val: 0x00010016
cmd: 0x00000004
val: 0xFFFFFFFC
|-
| 0x513D1741 || SLPS-02712 || CATCH! KIMOCHI SENSATION [PANDORA MAX SERIES VOL.4] [J] || 0x00000001 ||
cmd: 0x00000019
val: 0xFFFF0008
|-
| 0x513ED775 || SLPS-02726 || SIMPLE 1500 SERIES VOL.028 - THE DUNGEON RPG [J] || 0x00000002 ||
cmd: 0x00000004
val: 0xFFFFFF9E
cmd: 0x00000003
val: 0x0000000A
|-
| 0x513EF77B || SLPS-02728 || BREATH OF FIRE IV [J] || 0x00000004 ||
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x00000001
val: 0x000000EF
cmd: 0x00000002
val: 0x00000001
cmd: 0x00000013
val: 0x00000004
|-
| 0x513F1260 || SLES-02733 || WALT DISNEY'S WORLD QUEST - MAGICAL RACING TOUR [E][F][G][I][Du][S][N][D][Sw] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000008
cmd: 0x00000000
val: 0x00008000
cmd: 0x0000000B
val: 0x00010002
|-
| 0x514B3027 || SLPS-02074 || ASUKA 120% - BURNING FEST FINAL [J] || 0x00000001 ||
cmd: 0x0000000B
val: 0x00010004
|-
| 0x514C0050 || SLPS-02003 || FINAL FANTASY IX - [ 4 DISC ] [J] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x514C1051 || SLPS-02002 || FINAL FANTASY IX - [ 3 DISC ] [J] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x514C6052 || SLPS-02001 || FINAL FANTASY IX - [ 2 DISC ] [J] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x514C7053 || SLPS-02000 || FINAL FANTASY IX - [ 1 DISC ] [J] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x514D2046 || SLPS-02015 || TOKYO MAJIN GAKUEN OBORO KITAN [J] || 0x00000002 ||
cmd: 0x00000004
val: 0xFFFFFFFC
cmd: 0x00000001
val: 0x000000EE
|-
| 0x514FC064 || SLPS-02037 || DRAGON MONEY [J] || 0x00000001 ||
cmd: 0x00000001
val: 0x000000EE
|-
| 0x514FF06B || SLPS-02038 || RACING LAGOON [J] || 0x0000000B ||
cmd: 0x00000011
val: 0x800AE38C
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x0000000D
val: 0x800CBE38
cmd: 0x00000000
val: 0x00000007
cmd: 0x0000000C
val: 0x800CBE38
cmd: 0x00000013
val: 0x00000002
cmd: 0x0000000A
val: 0x00000008
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000001
val: 0x000000EE
cmd: 0x00000010
val: 0x00000007
cmd: 0x00000017
val: 0x000001F4
|-
| 0x515A3137 || SLPS-02164 || SANYO PACHINKO PARADISE [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00000010
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000001
val: 0x000000EA
|-
| 0x515B7123 || SLPS-02170 || SEIKEN DENSETSU - LEGEND OF MANA [ 1 DISC ] [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x20001080
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000002
val: 0x0000000A
cmd: 0x00000004
val: 0xFFFFFFE5
|-
| 0x515C7153 || SLPS-02100 || PERSONA 2 - INNOCENT SIN [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000004
cmd: 0x00000000
val: 0x00000007
cmd: 0x0000000A
val: 0x00000010
|-
| 0x515CF15B || SLPS-02108 || TRON NI KOBUN - THE MISSADVENTURES OF TRON BONNE - [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x515D0140 || SLPS-02113 || TONDEMO CRISIS! [J] || 0x00000003 ||
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x00000002
val: 0x00000006
cmd: 0x00000010
val: 0x00000003
|-
| 0x515D7143 || SLPS-02110 || '99 KOSHIEN [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000001
|-
| 0x515E1171 || SLPS-02122 || PACAPACA PASSION [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFE6
|-
| 0x515E7173 || SLPS-02120 || SHIRITSU JUSTICE GAKUEN - NEKKETSU SEISHUN NIKKI 2 [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x516AC234 || SLPS-02267 || ZOKU MIKAGURA SHOUJO TANTEIDAN - KANKETSUHEN - [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00201000
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x516AD235 || SLPS-02266 || ZOKU MIKAGURA SHOUJO TANTEIDAN - KANKETSUHEN - [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00201000
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x516AE23A || SLPS-02269 || ZOKU MIKAGURA SHOUJO TANTEIDAN - KANKETSUHEN - [ 4 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00201000
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x516AF23B || SLPS-02268 || ZOKU MIKAGURA SHOUJO TANTEIDAN - KANKETSUHEN - [ 3 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00201000
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x516B37D6 || SCES-02285 || SYPHON FILTER 2 - [ 1 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x516B0220 || SLPS-02273 || GUILTY GEAR [RERELEASE] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000013
val: 0x00000004
cmd: 0x00000010
val: 0x00000004
|-
| 0x516B6222 || SLPS-02271 || KIMI NO KIMOCHI BOKU NO KOKORO [J] || 0x00000003 ||
cmd: 0x00000004
val: 0xFFFFFFE1
cmd: 0x00000002
val: 0x00000001
cmd: 0x00000003
val: 0x00000001
|-
| 0x516BC7D5 || SCES-02286 || SYPHON FILTER 2 - [ 1 DISC ] [F] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x516BD7D4 || SCES-02287 || SYPHON FILTER 2 - [ 1 DISC ] [G] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x516BD225 || SLPS-02276 || DIGITAL GLIDER AIRMAN [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFF0
|-
| 0x516BE7DB || SCES-02288 || SYPHON FILTER 2 - [ 1 DISC ] [I] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x516BF7DA || SCES-02289 || SYPHON FILTER 2 - [ 1 DISC ] [S] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF5
|-
| 0x516C0250 || SLPS-02203 || L NO KISETSU - A PIECE OF MEMORIES [LIMITED EDITION] [J] || 0x00000001 ||
cmd: 0x00000001
val: 0x000000EC
|-
| 0x516DE74B || SLES-02218 || SHEEP [E][F][G][I][S] || 0x00000001 ||
cmd: 0x00000001
val: 0x00000100
|-
| 0x516E0270 || SLPS-02223 || KINDAICHI SHOUNEN NO JIKENBO 3 - SHOURYUU DENSETSU SATSUJIN JIKEN - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x516E1271 || SLPS-02222 || FRONT MISSION 3 [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFD
|-
| 0x516E3277 || SLPS-02224 || KINDAICHI SHOUNEN NO JIKENBO 3 - SHOURYUU DENSETSU SATSUJIN JIKEN - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x517A2336 || SLPS-02365 || CHRONO CROSS - [ 2 DISC ] [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x00000000
val: 0x00000005
cmd: 0x0000000D
val: 0x801C5E04
cmd: 0x0000000A
val: 0x00000010
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x517A3337 || SLPS-02364 || CHRONO CROSS - [ 1 DISC ] [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x00000000
val: 0x00000005
cmd: 0x0000000D
val: 0x801C5E04
cmd: 0x0000000A
val: 0x00000010
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x517A7333 || SLPS-02360 || PRISMATICALLIZATION [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00000000
|-
| 0x517BC324 || SLPS-02377 || VAGRANT STORY [J] || 0x00000003 ||
cmd: 0x00000000
val: 0x0000000A
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000E
val: 0xFFFFFFF0
|-
| 0x517BE32A || SLPS-02379 || ROCKMAN 6 - SHIJOU SAIDAI NO TATAKAI!! [COMPLETE WORKS] [J] || 0x00000001 ||
cmd: 0x00000001
val: 0x000000EE
|-
| 0x517C7353 || SLPS-02300 || BIOHAZARD 3 - LAST ESCAPE [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000004
cmd: 0x00000004
val: 0xFFFFFFFA
|-
| 0x517DF34B || SLPS-02318 || ZEUS II - CARNAGE HEART [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000001
cmd: 0x00000003
val: 0x00000001
|-
| 0x517E7373 || SLPS-02320 || SILVER JIKEN [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
|-
| 0x517F3367 || SLPS-02334 || SILENT BOMBER [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00041000
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x520A4433 || SLPS-01460 || YUUWAKU OFFICE RENAIKA [J] || 0x00000002 ||
cmd: 0x00000004
val: 0xFFFFFFF7
cmd: 0x00000001
val: 0x000000ED
|-
| 0x520DC44B || SLPS-01418 || ATELIER MARIE PLUS [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFA7
|-
| 0x520E4173 || SLUS-01420 || SPEC OPS - COVER ASSAULT [E] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00001000
|-
| 0x520E7472 || SLPS-01421 || KAGERO - KOKUMEIKAN SHINSHOU [J] || 0x00000002 ||
cmd: 0x00000001
val: 0x000000EC
cmd: 0x00000005
val: 0x00000020
|-
| 0x520F1460 || SLPS-01433 || TOKYO MAJIN GAKUEN KEN KAZE TOBARI - [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0x00000001
val: 0x000000ED
cmd: 0x00000004
val: 0xFFFFFFFE
|-
| 0x520F3466 || SLPS-01435 || PUCHI CARAT [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000010
val: 0x00000007
|-
| 0x520F6461 || SLPS-01432 || TOKYO MAJIN GAKUEN KEN KAZE TOBARI - [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0x00000001
val: 0x000000ED
cmd: 0x00000004
val: 0xFFFFFFFE
|-
| 0x521AD534 || SLPS-01567 || CAPTAIN COMMANDO [J] || 0x00000001 ||
cmd: 0x00000001
val: 0x000000EC
|-
| 0x521B1520 || SLPS-01573 || DOKI DOKI POYATCHIO!! [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x521B3526 || SLPS-01575 || GEOMETRY DUEL [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000001
|-
| 0x521BC52B || SLPS-01578 || ALBALEA NO OTOME - URUWASHI NO SEISHIKITACHI [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001030
cmd: 0x00000013
val: 0x0000000A
cmd: 0x0000000E
val: 0xFFFFFFF8
cmd: 0x00000002
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x521C0557 || SLPS-01504 || DEZAEMON KIDS! - [ 2 DISC ] [J] || 0x00000005 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000003
val: 0x00000009
cmd: 0x00000001
val: 0x000000E8
cmd: 0x00000016
val: 0x00008690
|-
| 0x521C1550 || SLPS-01503 || DEZAEMON KIDS! - [ 1 DISC ] [J] || 0x00000005 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000003
val: 0x00000009
cmd: 0x00000001
val: 0x000000E8
cmd: 0x00000016
val: 0x00008690
|-
| 0x521C3055 || SLES-01506 || METAL GEAR SOLID - [ 1 DISC ] [F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x521CC054 || SLES-01507 || METAL GEAR SOLID - [ 1 DISC ] [G] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x521CD05B || SLES-01508 || METAL GEAR SOLID - [ 1 DISC ] [I] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x521D3546 || SLPS-01515 || NÖEL - LA NEIGE SPECIAL [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00000020
cmd: 0x00000013
val: 0x0000000A
cmd: 0x0000000E
val: 0xFFFFFFF0
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x521DC54B || SLPS-01518 || ECHO NIGHT [J] || 0x00000003 ||
cmd: 0x00000000
val: 0x00000000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000001
val: 0x000000EE
|-
| 0x521F2565 || SLPS-01536 || KAWA NO NUSHI TSURI [J] || 0x00000003 ||
cmd: 0x00000002
val: 0x00000005
cmd: 0x00000001
val: 0x000000EC
cmd: 0x00000004
val: 0xFFFFFFF9
|-
| 0x521F7562 || SLPS-01531 || KNIGHT & BABY [J] || 0x00000002 ||
cmd: 0x00000001
val: 0x000000EE
cmd: 0x0000000E
val: 0xFFFFFFF0
|-
| 0x522A2635 || SLPS-01666 || ZEUS - CARNAGE HEART SECOND [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000002
val: 0x00000001
cmd: 0x0000000E
val: 0xFFFFFFF6
|-
| 0x522B2625 || SLPS-01676 || KUON NO KIZUNA [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00000080
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000001
val: 0x000000EE
cmd: 0x00000014
val: 0x00001416
|-
| 0x522BF62A || SLPS-01679 || SAIKYOU TODAI SHOGI [J] || 0x00000003 ||
cmd: 0x0000000E
val: 0xFFFFFFF6
cmd: 0x00000001
val: 0x000000EE
cmd: 0x00000013
val: 0x00000005
|-
| 0x522C0657 || SLPS-01604 || SERIAL EXPERIMENTS LAIN - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0x00000013
val: 0x00000004
|-
| 0x522C1650 || SLPS-01603 || SERIAL EXPERIMENTS LAIN - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0x00000013
val: 0x00000004
|-
| 0x522C4653 || SLPS-01600 || PILOT NI NAROU! [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000082
cmd: 0x0000000B
val: 0x00010004
|-
| 0x522D0647 || SLPS-01614 || MIKAGURA SHOUJO TANTEIDAN - [ 4 DISC ] [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00001002
cmd: 0x00000004
val: 0xFFFFFDFD
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000010
val: 0x00000006
|-
| 0x522D1640 || SLPS-01613 || MIKAGURA SHOUJO TANTEIDAN - [ 3 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00001002
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x522D6641 || SLPS-01612 || MIKAGURA SHOUJO TANTEIDAN - [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00001002
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x522D7642 || SLPS-01611 || MIKAGURA SHOUJO TANTEIDAN - [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00001002
cmd: 0x00000004
val: 0xFFFFFDFD
|-
| 0x522E2675 || SLPS-01626 || HIMITSU SENTAI METAMOR V DELUXE [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00800000
|-
| 0x522EC67B || SLPS-01628 || SPECTRAL FORCE 2 [J] || 0x00000001 ||
cmd: 0x00000016
val: 0x0000C9D8
|-
| 0x522ED674 || SLPS-01627 || HIMITSU SENTAI METAMOR V DELUXE [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00800000
|-
| 0x522F2665 || SLPS-01636 || POP 'N' POP [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000013
val: 0x00000002
|-
| 0x523A5233 || SLES-01760 || POPULOUS - THE BEGINNING [E][F][G][I][N][S][Sw] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000002
val: 0x00000008
|-
| 0x523AC73B || SLPS-01768 || THEME AQUARIUM [J] || 0x00000001 ||
cmd: 0x00000003
val: 0x00000002
|-
| 0x523BD724 || SLPS-01777 || STREET FIGHTER ZERO 3 [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x40000000
cmd: 0x00000004
val: 0xFFFFFFE6
|-
| 0x523C2755 || SLPS-01706 || 1 ON 1 [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFD
|-
| 0x523D2745 || SLPS-01716 || WIZARD'S HARMONY R [J] || 0x00000004 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000016
val: 0x0000C9D8
cmd: 0x00000004
val: 0xFFFFFFDE
|-
| 0x523DD744 || SLPS-01717 || BOMBERMAN [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000016
val: 0x00008690
|-
| 0x523E0777 || SLPS-01724 || MOBILE SUIT GUNDAM - CHAR'S COUNTERATTACK [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00000007
|-
| 0x523E1770 || SLPS-01723 || SOUGAKU TOSHI OSAKA - [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000007
cmd: 0x00000003
val: 0x00000002
|-
| 0x523E6771 || SLPS-01722 || SOUGAKU TOSHI OSAKA - [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000007
cmd: 0x00000003
val: 0x00000002
|-
| 0x523ED774 || SLPS-01727 || SUPER ROBOT WARS F [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFBC
|-
| 0x523F1267 || SLES-01734 || METAL GEAR SOLID - [ 1 DISC ] [S] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x523FC76B || SLPS-01738 || MARBY BABY STORY [J] || 0x00000006 ||
cmd: 0x00000000
val: 0x00000009
cmd: 0x00000013
val: 0x00000000
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000003
val: 0x00000008
cmd: 0x00000001
val: 0x000000E8
cmd: 0x00000019
val: 0xFFFF0003
|-
| 0x523FD764 || SLPS-01737 || SUSUME! 
KAIZOKU - BE PIRATES! [J] || 0x00000002 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000016<br /> val: 0x0000541A<br /> |-<br /> | 0x524A3036 || SLPS-01065 || PUZZLE BOBBLE 3 DX [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x524A4033 || SLPS-01060 || FINAL FANTASY VII INTERNATIONAL - [ 4 DISC ] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000804<br /> cmd: 0x00000004<br /> val: 0xFFFFFFBF<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0x524BF02A || SLPS-01079 || SIDE POCKET 3 - 3D POLYGON BILLIARD GAME [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0x524CC05B || SLPS-01008 || EINHÄNDER [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x524D1040 || SLPS-01013 || PROJECT GAIARAY [J] ||0x00000003 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> cmd: 0x00000002<br /> val: 0x0000000D<br /> cmd: 0x00000010<br /> val: 0x00000004<br /> |-<br /> | 0x524D1540 || SLUS-01013 || LEGEND OF MANA [E] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20001080<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0x524D4043 || SLPS-01010 || KAZE NO KLONOA - DOOR TO PHANTOMILE [J] ||0x00000001 ||<br /> cmd: 0x00000011<br /> val: 0x800ABE4C<br /> |-<br /> | 0x524D7042 || SLPS-01011 || CYBERBOTS - FULL METAL MADNESS [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00080002<br /> cmd: 0x00000014<br /> val: 0x0001FFFF<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x525A1130 || SLPS-01163 || MOTO RACER [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000F0<br /> |-<br /> | 0x525A4133 || SLPS-01160 || XENOGEARS - [ 1 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001002<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000008<br /> val: 
0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x525A7132 || SLPS-01161 || XENOGEARS - [ 2 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001002<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x525AC13B || SLPS-01168 || TOUKI DENSHOU - ANGEL EYES [J] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x525AD134 || SLPS-01167 || TOUR PARTY - SOTSUGYOU RYOKOU NI IKOU [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> |-<br /> | 0x525BF12A || SLPS-01179 || SPECTRAL TOWER II [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> |-<br /> | 0x525C1150 || SLPS-01103 || GAKKOU O TSUKUROU!! - LET'S MAKE A SCHOOL!! [J] ||0x00000003 ||<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0x525E4173 || SLPS-01120 || A5 - A RESSHA DE IKOU 5 [J] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000005<br /> val: 0x00000018<br /> |-<br /> | 0x526A6231 || SLPS-01262 || OVERBLOOD 2 [ 2 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00400000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x0000001A<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0x526A7232 || SLPS-01261 || OVERBLOOD 2 [ 1 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00400000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x0000001A<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0x526AD234 || SLPS-01267 || IMAGE FIGHT &amp; X-MULTIPLY [J] || 0x00000003 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA5<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0x526B7222 || SLPS-01271 || SEIRISHOUKAN - PRINCESS OF DARKNESS [J] 
||0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> |-<br /> | 0x526C0257 || SLPS-01204 || '98 KOSHIEN [J] ||0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000008<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> |-<br /> | 0x526C3256 || SLPS-01205 || GROOVE JIGOKU V - SWEEPSTATION VERSION [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> |-<br /> | 0x526E1270 || SLPS-01223 || BIOHAZARD 2 - [ 2 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00030020<br /> cmd: 0x00000000<br /> val: 0x00000006<br /> cmd: 0x0000000A<br /> val: 0x00000018<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF9<br /> |-<br /> | 0x526E6271 || SLPS-01222 || BIOHAZARD 2 - [ 1 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00030020<br /> cmd: 0x00000000<br /> val: 0x00000006<br /> cmd: 0x0000000A<br /> val: 0x00000018<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF9<br /> |-<br /> | 0x526EC27B || SLPS-01228 || TENSHI DOUMEI [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EF<br /> cmd: 0x00000016<br /> val: 0x00004348<br /> |-<br /> | 0x526F2265 || SLPS-01236 || R-TYPES [J] ||0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000005<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> |-<br /> | 0x526F4263 || SLPS-01230 || PARASITE EVE [ 1 DISC ] [J] ||0x00000004 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000008<br /> val: 0x00000001<br /> |-<br /> | 0x526F7262 || SLPS-01231 || PARASITE EVE [ 2 DISC ] [J] ||0x00000004 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000008<br /> val: 0x00000001<br /> |-<br /> | 0x526FD264 || SLPS-01237 || BUST A MOVE [J] ||0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20100000<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 
0x527A1630 || SLUS-01363 || FINAL FANTASY CHRONICLES - [ 2 DISC ] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x04000000<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFB<br /> |-<br /> | 0x527A3336 || SLPS-01365 || KLAYMEN KLAYMEN - NERVERHOOD NO NAZO [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x527A4333 || SLPS-01360 || POCKET FIGHTER [J] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x40000000<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0x527A4633 || SLUS-01360 || FINAL FANTASY CHRONICLES - [ 1 DISC ] [E] || 0x00000002 ||<br /> cmd: 0x0000000B<br /> val: 0x000F0010<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFB<br /> |-<br /> | 0x527B0327 || SLPS-01374 || WAKUSEI KOUKITAI LITTLE CATS [J] || 0x00000002 ||<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA0<br /> |-<br /> | 0x527B0627 || SLUS-01374 || VIRTUAL POOL 3 [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x527B1320 || SLPS-01373 || GANSO FAMILY MAHJONG [J] || 0x00000001 ||<br /> cmd: 0x00000016<br /> val: 0x00004348<br /> |-<br /> | 0x527B5623 || SLES-01370 || METAL GEAR SOLID - [ 1 DISC ] [E] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000088<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000014<br /> val: 0x00001715<br /> |-<br /> | 0x527DC34B || SLPS-01318 || ADVANCED V.G. 
2 [J] ||0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000001<br /> val: 0x000000EA<br /> |-<br /> | 0x527E0677 || SLUS-01324 || BREATH OF FIRE IV [E] || 0x00000004 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000001<br /> val: 0x000000EF<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> |-<br /> | 0x527E3376 || SLPS-01325 || CLASSIC ROAD YUUSHUN 2 [J] || 0x00000001 ||<br /> cmd: 0x00000019<br /> val: 0x0000FFFF<br /> |-<br /> | 0x530A6430 || SLPS-00463 || FISH EYES [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> |-<br /> | 0x530A7131 || SLUS-00462 || MASS DESTRUCTION [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x530AC13A || SLUS-00469 || ONE [E] ||0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0x530B2424 || SLPS-00477 || WING COMMANDER III - HEART OF THE TIGER - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x530B3425 || SLPS-00476 || SPECTRAL TOWER [J] || 0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0x530BC42A || SLPS-00479 || WING COMMANDER III - HEART OF THE TIGER - [ 3 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x530BD42B || SLPS-00478 || WING COMMANDER III - HEART OF THE TIGER - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x530C1457 || SLPS-00404 || GAKKOU DEATTA KOWAI HANASHI S [J] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> |-<br /> | 0x530C3455 || SLPS-00406 || AQUANAUT NO KYUUJITSU - MEMORIES OF SUMMER '96 [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000010<br /> cmd: 0x00000000<br /> val: 0x00008008<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> 
|-<br /> | 0x530C5453 || SLPS-00400 || TOBAL Nº.1 - [ 1 DISC ] [J] ||0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> |-<br /> | 0x530C7451 || SLPS-00402 || PRO MAHJONG KIWAME PLUS [J] ||0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0x530D5143 || SLUS-00410 || COMMAND &amp; CONQUER - [ 2 DISC ] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000005<br /> val: 0x00000020<br /> cmd: 0x00000010<br /> val: 0x00000004<br /> |-<br /> | 0x530F6160 || SLUS-00433 || FIGHTING FORCE [E] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000001<br /> |-<br /> | 0x531C3054 || SLES-00507 || SOVIET STRIKE [E] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x01080208<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE0<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0x531C5553 || SLPS-00500 || MEGAMI IBUNROKU PERSONA [J] ||0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x0000000C<br /> cmd: 0x00000003<br /> val: 0x0000000C<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0x531DD04B || SLUS-00518 || NUCLEAR STRIKE [E] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x01080208<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE0<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0x531E3575 || SLPS-00526 || BLOODY BRIDE - IMODOKI NO BANPAIA [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x531F3064 || SLES-00537 || RE-LOADED [E][F][G] ||0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> |-<br /> | 0x531F4063 || SLES-00530 || COMMAND &amp; CONQUER - [ 1 DISC ] || 0x00000003 ||<br /> cmd: 
0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000005<br /> val: 0x00000020<br /> cmd: 0x00000010<br /> val: 0x00000004<br /> |-<br /> | 0x531FC56A || SLPS-00539 || STAR GLADIATOR - EPISODE 1 - FINAL CRUSADE [J] || 0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x532A0336 || SLUS-00665 || COMMAND &amp; CONQUER - RED ALERT - RETALIATION - [ 1 DISC ] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0x532A1337 || SLUS-00664 || XENOGEARS - [ 1 DISC ] [E] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001002<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x532A2334 || SLUS-00667 || COMMAND &amp; CONQUER - RED ALERT - RETALIATION - [ 2 DISC ] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0x532A7331 || SLUS-00662 || PARASITE EVE - [ 1 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000008<br /> val: 0x00000001<br /> |-<br /> | 0x532AC33A || SLUS-00669 || XENOGEARS - [ 2 DISC ] [E] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001002<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x532AD3CA || SCES-00699 || ACE COMBAT 2 [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x532AD33B || SLUS-00668 || PARASITE EVE - [ 2 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000008<br /> val: 0x00000001<br /> |-<br /> | 0x532BD62B || SLPS-00678 || RAYSTORM [J] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 
0x00000020<br /> cmd: 0x00000000<br /> val: 0x00008003<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0x532C1657 || SLPS-00604 || FIRST QUEEN IV - VARCIA SENKI [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000000<br /> |-<br /> | 0x532C2355 || SLES-00606 || PRO PINBALL - TIMESHOCK! [E][F][G][I][S] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x02000000<br /> |-<br /> | 0x532E1677 || SLPS-00624 || GAIA SEED - PROJECT SEED TRAP [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> |-<br /> | 0x532F5663 || SLPS-00630 || ROCKMAN 8 [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0x533A2734 || SLPS-00767 || TACTICS OGRE - LET US CLING TOGETHER [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x533B3225 || SLUS-00776 || METAL GEAR SOLID - [ 2 DISC ] [E] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000014<br /> val: 0x00001715<br /> |-<br /> | 0x533B5723 || SLPS-00770 || FINAL FANTASY TACTICS - [ 1 DISC ] [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x533C1757 || SLPS-00704 || HASHIRIYA - OOKAMI TACHI NO DENSETSU [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x533C2754 || SLPS-00707 || KOWLOON'S GATE - [ 2 DISC ] [J] ||0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x533C3755 || SLPS-00706 || KOWLOON'S GATE - [ 1 DISC ] [J] ||0x00000006 ||<br /> cmd: 
0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x533CC75A || SLPS-00709 || KOWLOON'S GATE - [ 4 DISC ] [J] ||0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x533CD75B || SLPS-00708 || KOWLOON'S GATE - [ 3 DISC ] [J] ||0x00000006 ||<br /> cmd: 0x00000001<br /> val: 0x000000EB<br /> cmd: 0x00000003<br /> val: 0x00000005<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000005<br /> val: 0x000000C0<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x533D2744 || SLPS-00717 || TILK - AOI UMI KARA KITA SHOUJO [J] ||0x00000005 ||<br /> cmd: 0x00000000<br /> val: 0x00000008<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000002<br /> val: 0x0000000C<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x533DC24B || SLES-00718 || TOMB RAIDER II - STARRING LARA CROFT [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFEFF<br /> |-<br /> | 0x533EC77A || SLPS-00729 || KOSHIEN FIVE BASEBALL [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> cmd: 0x0000000E<br /> val: 0x00000001<br /> cmd: 0x00000019<br /> val: 0xFFFF0005<br /> |-<br /> | 0x533F0766 || SLPS-00735 || SOVIET STRIKE [J] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x01080208<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE0<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0x533F1767 || SLPS-00734 || MAD 
STALKER - FULL METAL FORCE [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x00000017<br /> val: 0x00000200<br /> |-<br /> | 0x533F4762 || SLPS-00731 || SANGOKU MUSOU [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x08000000<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x00000019<br /> val: 0xFFFF0001<br /> |-<br /> | 0x533F7261 || SLUS-00732 || DESTREGA [E] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000008<br /> |-<br /> | 0x533FC26A || SLUS-00739 || FUTURE COP L.A.P.D. [E] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000008<br /> cmd: 0x00000000<br /> val: 0x0000000B<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x534A4532 || SLUS-00061 || SOVIET STRIKE [E] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x01080208<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE0<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0x534AC03A || SLPS-00069 || KING'S FIELD II [J] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0x00000001<br /> |-<br /> | 0x534CD05B || SLPS-00008 || METAL JACKET [J][E] ||0x00000001 ||<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> |-<br /> | 0x534D0046 || SLPS-00015 || TWINBEE TAISEN PUZZLE DAMA [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> |-<br /> | 0x534D2044 || SLPS-00017 || KING'S FIELD [J] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> |-<br /> | 0x534D2544 || SLUS-00017 || THEME PARK [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x534D5043 || SLPS-00010 || FALCATA [J] ||0x00000001 ||<br 
/> cmd: 0x00000016<br /> val: 0x00008690<br /> |-<br /> | 0x534D7041 || SLPS-00012 || SPACE GRIFFON VF-9 [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00002000<br /> |-<br /> | 0x534DC54A || SLUS-00019 || WING COMMANDER III - HEART OF THE TIGER - [ 1 DISC ] [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x534E0076 || SLPS-00025 || BATTLE ARENA TOSHINDEN [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000006<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0x534E0577 || SLES-00024 || TOMB RAIDER [E] ||0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFEFF<br /> |-<br /> | 0x534EC57A || SLUS-00029 || MAGIC CARPET [E][F][G][S][SW] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x535B4122 || SLPS-00171 || HI-OCTANE [J] || 0x00000001 ||<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> |-<br /> | 0x535C1157 || SLPS-00104 || GOUKETSUJI ICHIZOKU 2 - CHOTTODAKE SAIKYOU DENSETSU [J] ||0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFF77<br /> |-<br /> | 0x535F0466 || SLUS-00135 || WING COMMANDER III - HEART OF THE TIGER - [ 3 DISC ] [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x535F1467 || SLUS-00134 || WING COMMANDER III - HEART OF THE TIGER - [ 2 DISC ] [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x535F3465 || SLUS-00136 || WING COMMANDER III - HEART OF THE TIGER - [ 4 DISC ] [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x536A1736 || SLES-00265 || ACTUA TENNIS [E][A] ||0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> cmd: 0x00000002<br /> val: 0x0000000B<br /> |-<br /> | 0x536B4722 || SLUS-00271 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 2 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x000A0008<br /> cmd: 0x00000004<br /> val: 
0xFFFFFFE7<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x536B5723 || SLUS-00270 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 1 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x000A0008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x536B6720 || SLUS-00273 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 4 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x000A0008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x536B7721 || SLUS-00272 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 3 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x000A0008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x536C0256 || SLPS-00205 || BLOCKIDS [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00080000<br /> |-<br /> | 0x536C2254 || SLPS-00207 || RING OF SIAS [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EF<br /> |-<br /> | 0x536C6250 || SLPS-00203 || TENCHI WO KURAU II - SEKIHEKI NO TATAKAI [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000010<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFA<br /> |-<br /> | 0x536CD25B || SLPS-00208 || ADVANCED V.G. 
[J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EA<br /> cmd: 0x00000009<br /> val: 0xFFFEFEFE<br /> |-<br /> | 0x536CD75A || SLES-00209 || FADE TO BLACK [E][F][G][I][S] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x536D0246 || SLPS-00215 || POLICENAUTS - [ 1 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000090<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA0<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000014<br /> val: 0x00000017<br /> |-<br /> | 0x536D1247 || SLPS-00214 || KYUIN [J] || 0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x00000003<br /> cmd: 0x00000004<br /> val: 0xFFFFFFEF<br /> cmd: 0x00000016<br /> val: 0x00008690<br /> |-<br /> | 0x536D3245 || SLPS-00216 || POLICENAUTS - [ 2 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000090<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA0<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000014<br /> val: 0x00000017<br /> |-<br /> | 0x536D5742 || SLES-00211 || MAGIC CARPET [E][F][G][S][SW] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x536F3765 || SLUS-00236 || FADE TO BLACK [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0x536FD26B || SLPS-00238 || HONKAKU MAHJONG - TETSUMAN SPECIAL [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> |-<br /> | 0x536FD76B || SLUS-00238 || INTERNATIONAL TRACK &amp; FIELD [E] ||0x00000001 ||<br /> cmd: 0x00000009<br /> val: 0xFFFEFEFE<br /> |-<br /> | 0x537BC62A || SLUS-00379 || COMMAND &amp; CONQUER - [ 1 DISC ] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000005<br /> val: 0x00000020<br /> cmd: 0x00000010<br /> val: 0x00000004<br /> |-<br /> | 0x537C0356 || SLPS-00305 || NÖEL - NOT DIGITAL [SPECIAL EDITION] - [ 2 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20800000<br /> cmd: 0x0000000B<br /> val: 
0x00010004
cmd: 0x0000000E
val: 0xFFFFFFFD
|-
| 0x537C1357 || SLPS-00304 || NÖEL - NOT DIGITAL [SPECIAL EDITION] - [ 1 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x20800000
cmd: 0x0000000B
val: 0x00010004
cmd: 0x0000000E
val: 0xFFFFFFFD
|-
| 0x537C5353 || SLPS-00300 || TEKKEN 2 [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00002000
|-
| 0x537F1367 || SLPS-00334 || TSUUKAI!! SLOT SHOOTING [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF7
|-
| 0x537F5363 || SLPS-00330 || TAIYOU NO SHIPPO - WILD PURE SIMPLE LIFE [J] || 0x00000002 ||
cmd: 0x0000000E
val: 0xFFFFFFFD
cmd: 0x00000001
val: 0x000000EE
|-
| 0x537F7660 || SLES-00333 || INTERNATIONAL TRACK & FIELD [E] || 0x00000001 ||
cmd: 0x00000009
val: 0xFFFEFEFE
|-
| 0x574FC567 || SLES-04034 || FINAL FANTASY ORIGINS - [ 1 DISC ] || 0x00000006 ||
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000001
val: 0x000000FF
cmd: 0xFFFFFFFF
val: 0x00001008
cmd: 0x0000000E
val: 0xFFFFFFF8
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000010
val: 0x00000007
|-
| 0x732BD30A || SLES-20659 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 3 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x000A0008
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000B
val: 0x00010004
|-
| 0x4340C07A || SCPS-10029 || I.Q. - INTELLIGENT QUBE [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00000010
cmd: 0x00000002
val: 0x0000000A
cmd: 0x00000010
val: 0x00000007
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x4342C05A || SCPS-10009 || PHILOSOMA [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00001010
|-
| 0x4342D05B || SCPS-10008 || ARC THE LAD [J] || 0x00000001 ||
cmd: 0x00000013
val: 0x00000003
|-
| 0x4345D00B || SCPS-10058 || SOUTEN NO SHIROKI KAMI NO ZA - GREAT PEAK [J] || 0x00000001 ||
cmd: 0x00000001
val: 0x000000E7
|-
| 0x4350C17A || SCPS-10129 || DOCCHI MECHA! [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000002
|-
| 0x4351C14A || SCPS-10119 || THE LEGEND OF DRAGOON - [ 1 DISC ] [J] || 0x00000004 ||
cmd: 0x00000002
val: 0x00000003
cmd: 0x00000001
val: 0x000000EF
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000004
val: 0x0000FFA0
|-
| 0x4351D14B || SCPS-10118 || CRASH BANDICOOT RACING [J] || 0x00000004 ||
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000005
val: 0x00000020
|-
| 0x4748C567 || SLES-14034 || FINAL FANTASY ORIGINS - [ 2 DISC ] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001008
cmd: 0x00000002
val: 0x00000014
cmd: 0x00000001
val: 0x000000FF
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000010
val: 0x00000007
|-
| 0x5004C4D5 || SLPS-03486 || MEMORIAL STAR SERIES - SUNSOFT CLASSICS VOL.6 - BATTLE FORMULA & GIMMICK! [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000008
val: 0x00000000
|-
| 0x5044F0D4 || SLPS-03087 || BOKUJOU MONOGATARI - HARVEST MOON FOR GIRLS [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000005
cmd: 0x00000013
val: 0x0000000A
|-
| 0x5045C5C6 || SLES-03095 || DISNEY'S DONALD DUCK - QUACK ATTACK [E][F][G][I] || 0x00000001 ||
cmd: 0x0000000D
val: 0x801EB9D8
|-
| 0x5075F3C4 || SLPS-03397 || MEMORIAL STAR SERIES - SUNSOFT CLASSICS VOL.5 - RAF WORLD & HEBEREKE [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000008
val: 0x00000000
|-
| 0x5104E4DA || SLPS-02489 || BOKUJOU MONOGATARI - HARVEST MOON [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000005
cmd: 0x00000013
val: 0x0000000A
|-
| 0x5115C5C4 || SLPS-02597 || NEMU LU MAYU - SLEEPING COCOON [J] || 0x00000001 ||
cmd: 0x00000003
val: 0x00000008
|-
| 0x5119E00B || SLES-02558 || PARASITE EVE 2 - [ 1 DISC ] [E] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x5119F00A || SLES-02559 || PARASITE EVE 2 - [ 1 DISC ] [F] || 0x00000009 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023395
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000F8
|-
| 0x5134E7DA || SLPS-02789 || SLAP HAPPY RHYTHM BUSTERS [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x0000000B
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x5138E71A || SLPS-02749 || TOBAKU MOKUSHIROKU KAIJI - THE GAMBLING APOCALYPSE [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000005
|-
| 0x5159C104 || SLPS-02157 || TANTEI JINGUUJI SABURO - EARLY COLLECTION [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000002
val: 0x00000003
cmd: 0x00000001
val: 0x000000EC
cmd: 0x00000004
val: 0xFFFFFFFB
cmd: 0x0000000B
val: 0x00010004
|-
| 0x5174E3DA || SLPS-02389 || SANYO PACHINKO PARADISE 2 - UMI MONOGATARI SPECIAL [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000010
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000002
val: 0x00000004
cmd: 0x00000003
val: 0x00000004
|-
| 0x5175F3CB || SLPS-02398 || MAX SURFING 2000 [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000002
|-
| 0x5178C314 || SLPS-02347 || PRO MAHJONG KIWAME TENGENSENHEN [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000010
|-
| 0x5208E11A || SLES-01449 || FUTURE COP L.A.P.D [E][F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000008
cmd: 0x00000000
val: 0x0000000B
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010003
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x5218C51B || SLPS-01548 || BATTLE ATHLETESS - DAIUNDOUKAI GTO [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00400000
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000001
val: 0x000000E8
cmd: 0x0000000E
val: 0x00000000
|-
| 0x5224C6DB || SLPS-01688 || R-TYPE DELTA [J] || 0x00000004 ||
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000002
cmd: 0x00000004
val: 0xFFFFFFF7
cmd: 0x00000010
val: 0x00000004
|-
| 0x5249C00B || SLPS-01058 || FINAL FANTASY VII INTERNATIONAL - [ 2 DISC ] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000800
cmd: 0x00000001
val: 0x000000E6
|-
| 0x5249D004 || SLPS-01057 || FINAL FANTASY VII INTERNATIONAL - [ 1 DISC ] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000800
cmd: 0x00000001
val: 0x000000E6
|-
| 0x5249F00A || SLPS-01059 || FINAL FANTASY VII INTERNATIONAL - [ 3 DISC ] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000010
val: 0x00000007
cmd: 0x00000001
val: 0x000000E6
|-
| 0x5259D104 || SLPS-01157 || Waku Waku Derby || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFFE
|-
| 0x5265D7C4 || SLUS-01297 || FINAL FANTASY IX - [ 4 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x5265F2CA || SLPS-01299 || TAIL CONCERTO [J] || 0x00000003 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000002
|-
| 0x5274C3DB || SLPS-01388 || PRO WRESTLING SENGOKUDEN 2 [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFFE
|-
| 0x5274D3D4 || SLPS-01387 || DYNAMITE BOXING [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000082
cmd: 0x0000000B
val: 0x00010004
|-
| 0x5278C31B || SLPS-01348 || G.DARIUS [J] || 0x00000001 ||
cmd: 0x00000010
val: 0x00000007
|-
| 0x5314D5DB || SLPS-00588 || GUSSUN PARADISE [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFD
|-
| 0x5324C6DA || SLPS-00689 || YAKU TSUU - NOROI NO GAME [J] || 0x00000003 ||
cmd: 0x00000003
val: 0x00000002
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000001
val: 0x000000EC
|-
| 0x5329C30A || SLUS-00659 || BACKSTREET BILLIARDS [E] || 0x00000001 ||
cmd: 0x00000010
val: 0x00000007
|-
| 0x5329D30A || SLES-00659 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 1 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x000A0008
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000B
val: 0x00010004
|-
| 0x5338D21B || SLUS-00748 || RESIDENT EVIL 2 (DUAL SHOCK VERSION) - [ 1 DISC ] [E] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00030020
cmd: 0x00000000
val: 0x00000006
cmd: 0x0000000A
val: 0x00000018
cmd: 0x00000004
val: 0xFFFFFFF9
|-
| 0x5344C0DA || SLPS-00089 || THE ONI TAIJI - MEZASE! 2-DAIME MOMOTAROU [J] || 0x00000002 ||
cmd: 0x00000000
val: 0x00000008
cmd: 0x00000013
val: 0x00000001
|-
| 0x5345D0CB || SLPS-00098 || RAY TRACERS [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
|-
| 0x5348D51A || SLES-00049 || RAYMAN [E][F][G] || 0x00000002 ||
cmd: 0x00000010
val: 0x00000004
cmd: 0x00000002
val: 0x00000010
|-
| 0x5358C11A || SLPS-00149 || PUPPET ZOO PILOMY [E][J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000006
cmd: 0x00000001
val: 0x000000E8
|-
| 0x5358D11B || SLPS-00148 || THE FIREMEN 2 - PETE & DANNY [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000006
|-
| 0x5368C21A || SLPS-00249 || KOKUMEIKAN - TRAP SIMULATION GAME [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000013
val: 0x00000000
|-
| 0x6324D30A || SLES-30659 || WING COMMANDER IV - THE PRICE OF FREEDOM - [ 4 DISC ] [E] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x000A0008
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000B
val: 0x00010004
|-
| 0x414505D1 || SLES-12082 || FINAL FANTASY VIII - [ 2 DISC ] [G] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x414515D0 || SLES-12083 || FINAL FANTASY VIII - [ 2 DISC ] [I] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x414525D7 || SLES-12084 || FINAL FANTASY VIII - [ 2 DISC ] [S] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x414565D3 || SLES-12080 || FINAL FANTASY VIII - [ 2 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x414575D2 || SLES-12081 || FINAL FANTASY VIII - [ 2 DISC ] [F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x434565D1 || SLES-10082 || G-POLICE - [ 2 DISC ] [E] || 0x00000002 ||
cmd: 0x00000001
val: 0x00000107
cmd: 0x00000002
val: 0x00000004
|-
| 0x434900C6 || SCPS-10095 || THE BOOK OF WATERMARKS - [ 2 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00008000
cmd: 0x00000003
val: 0x0000000C
cmd: 0x00000001
val: 0x000000E0
cmd: 0x00000000
val: 0x00008008
cmd: 0x0000000E
val: 0x00000000
cmd: 0x00000013
val: 0x00000000
|-
| 0x434910C7 || SCPS-10094 || THE BOOK OF WATERMARKS - [ 1 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00008000
cmd: 0x00000003
val: 0x0000000C
cmd: 0x00000001
val: 0x000000E0
cmd: 0x00000000
val: 0x00008008
cmd: 0x0000000E
val: 0x00000000
cmd: 0x00000013
val: 0x00000000
|-
| 0x434930C5 || SCPS-10096 || PANEKIT - INFINITIVE CRAFTING CASE [J] || 0x00000004 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000004
cmd: 0x00000004
val: 0xFFFFFFFD
|-
| 0x434950C3 || SCPS-10090 || WILD ARMS - SECOND IGNITION - [ 2 DISC ] [J] || 0x00000005 ||
cmd: 0x00000002
val: 0x00000004
cmd: 0x00000003
val: 0x00000004
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000E
val: 0xFFFFFFF0
cmd: 0x00000015
val: 0x00000001
|-
| 0x434960C0 || SCPS-10093 || MINNA NO GOLF 2 [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00100000
cmd: 0x0000000E
val: 0xFFFFFFE1
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x434970C1 || SCPS-10092 || DOKO DEMO ISSYO [J] || 0x00000001 ||
cmd: 0x00000010
val: 0x00000007
|-
| 0x500424D7 || SLPS-03484 || YAMASA DIGI SELECTION 2 [J] || 0x00000003 ||
cmd: 0x00000010
val: 0x00000005
cmd: 0x00000002
val: 0x00000004
cmd: 0x0000000B
val: 0x000E0010
|-
| 0x504520C7 || SLPS-03094 || FUURAIKI [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x20000200
cmd: 0x0000000B
val: 0x0001000F
|-
| 0x505411D2 || SLPS-03181 || MEMORIAL STAR SERIES - SUNSOFT CLASSICS VOL.2 - ROUTE 16 - TURBO & ATLANTIS NO NAZO [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000008
val: 0x00000000
|-
| 0x505421D7 || SLPS-03184 || SENTIMENTAL GRAFFITI [J] || 0x00000001 ||
cmd: 0x00000013
val: 0x00000010
|-
| 0x505561C3 || SLPS-03190 || SANYO PACHINKO PARADISE 5 - UKIUKI TAIRYOUBATA [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000002
|-
| 0x507403D1 || SLPS-03382 || MEMORIAL STAR SERIES - SUNSOFT CLASSICS VOL.4 - CHOU WAKUSEI SENKI METAFIGHT & LIPPE ISLAND [J] || 0x00000002 ||
cmd: 0x00000013
val: 0x0000000A
cmd: 0x00000008
val: 0x00000000
|-
| 0x507493DA || SLPS-03389 || ZOIDS 2 - HELIC REPUBLIC VS GUYLOS EMPIRE [J] || 0x00000001 ||
cmd: 0x00000006
val: 0x000F1FF4
|-
| 0x510464D2 || SLPS-02481 || PARASITE EVE II [ 2 DISC ] [J] || 0x0000000B ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023629
cmd: 0x0000000C
val: 0x8017EC08
cmd: 0x0000000D
val: 0x8017EC08
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000E8
|-
| 0x510474D3 || SLPS-02480 || PARASITE EVE II [ 1 DISC ] [J] || 0x0000000B ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x0000000E
val: 0x00000000
cmd: 0x0000001A
val: 0x00000001
cmd: 0x00000013
val: 0x00000005
cmd: 0x00000000
val: 0x0000001B
cmd: 0x00000011
val: 0x80023629
cmd: 0x0000000C
val: 0x8017EC08
cmd: 0x0000000D
val: 0x8017EC08
cmd: 0x00000004
val: 0xFFFFFFA4
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000001
val: 0x000000E8
|-
| 0x514405D1 || SLES-02082 || FINAL FANTASY VIII - [ 1 DISC ] [G] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x514415D0 || SLES-02083 || FINAL FANTASY VIII - [ 1 DISC ] [I] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x514425D7 || SLES-02084 || FINAL FANTASY VIII - [ 1 DISC ] [S] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x514465D3 || SLES-02080 || FINAL FANTASY VIII - [ 1 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x514475D2 || SLES-02081 || FINAL FANTASY VIII - [ 1 DISC ] [F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x514560C2 || SLPS-02091 || SOUKOU KIDOUTAI L.A.P.D. [J] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000008
cmd: 0x00000000
val: 0x0000000B
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010003
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x515401D0 || SLPS-02183 || TOKYO WAKUSEI PLANETOKIO - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x515411D1 || SLPS-02182 || TOKYO WAKUSEI PLANETOKIO - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x515431D7 || SLPS-02184 || TOKYO WAKUSEI PLANETOKIO - [ 3 DISC ] [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x515471D3 || SLPS-02180 || DINO CRISIS [J] || 0x00000002 ||
cmd: 0x00000000
val: 0x00000007
cmd: 0x0000000A
val: 0x00000010
|-
| 0x515561C2 || SLPS-02191 || DRAGON VALOR - [ 2 DISC ] [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00084000
cmd: 0x00000004
val: 0xFFFFFFFC
cmd: 0x00000003
val: 0x0000000B
cmd: 0x00000001
val: 0x000000EF
|-
| 0x515571C3 || SLPS-02190 || DRAGON VALOR - [ 1 DISC ] [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00084000
cmd: 0x00000004
val: 0xFFFFFFFC
cmd: 0x00000003
val: 0x0000000B
cmd: 0x00000001
val: 0x000000EF
|-
| 0x516512C1 || SLPS-02292 || PET PET PET [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFFD
|-
| 0x517403D0 || SLPS-02383 || FISH EYES II [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00020002
cmd: 0x00000003
val: 0x00000008
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000001
val: 0x000000EF
|-
| 0x520444D3 || SLPS-01480 || U.P.P. [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFC
|-
| 0x520544C3 || SLPS-01490 || BRAVE FENCER MUSASHIDEN [ 1 DISC ] [J] || 0x00000005 ||
cmd: 0x00000004
val: 0xFFFFFFF7
cmd: 0x0000000D
val: 0x80128638
cmd: 0x00000000
val: 0x0000000F
cmd: 0x0000000A
val: 0x00000010
cmd: 0x00000013
val: 0x00000002
|-
| 0x521575C2 || SLPS-01591 || DESTREGA [J] || 0x00000002 ||
cmd: 0x00000000
val: 0x00000007
cmd: 0x0000000A
val: 0x00000008
|-
| 0x523407D7 || SLPS-01784 || LUCIFER RING [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x0000000B
val: 0x00010002
|-
| 0x523517C0 || SLPS-01793 || INITIAL D [J] || 0x00000004 ||
cmd: 0x00000000
val: 0x00000000
cmd: 0x00000013
val: 0x00000003
cmd: 0x00000008
val: 0x00000000
cmd: 0x00000016
val: 0x0000541A
|-
| 0x523547C3 || SLPS-01790 || ERETZVAJU [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x524405D7 || SLUS-01084 || CHAMPIONSHIP BASS [E] || 0x00000003 ||
cmd: 0x00000003
val: 0x00000008
cmd: 0x00000010
val: 0x00000007
cmd: 0x0000000E
val: 0x00000000
|-
| 0x524445D3 || SLUS-01080 || CHRONO CROSS - [ 2 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000030
cmd: 0x00000000
val: 0x00000005
cmd: 0x0000000D
val: 0x801C5E04
cmd: 0x0000000A
val: 0x00000010
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x524470D2 || SLPS-01081 || SEROFANS [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00001000
|-
| 0x524515C0 || SLUS-01093 || SNO CROSS CHAMPIONSHIP RACING [E] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000000
val: 0x0000000B
|-
| 0x524570C2 || SLPS-01091 || MAGICAL DATE - DOKI DOKI KOKUHAKU DAISAKUSEN [J] || 0x00000002 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000018
val: 0x00000200
|-
| 0x525541C3 || SLPS-01190 || NÖEL - LA NEIGE [SPECIAL EDITION] - [ 1 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000010
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x525561C1 || SLPS-01192 || NÖEL - LA NEIGE [SPECIAL EDITION] - [ 3 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000010
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x525571C2 || SLPS-01191 || NÖEL - LA NEIGE [SPECIAL EDITION] - [ 2 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000010
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000E
val: 0xFFFFFFF8
|-
| 0x526427D5 || SLUS-01286 || DISNEY'S THE LITTLE MERMAID II [E] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000001
cmd: 0x00000002
val: 0x00000006
|-
| 0x526527C5 || SLUS-01296 || FINAL FANTASY IX - [ 3 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x526537C6 || SLUS-01295 || FINAL FANTASY IX - [ 2 DISC ] [E] || 0x00000006 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000004
val: 0xFFFFFFFA
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000008
val: 0x00000000
|-
| 0x527463D1 || SLPS-01382 || HONOO NO RYOURININ - COOKING FIGHTER TAO [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x20001000
cmd: 0x00000013
val: 0x00000000
cmd: 0x0000000B
val: 0x00010004
cmd: 0x00000004
val: 0xFFFFFFE6
|-
| 0x527533C6 || SLPS-01395 || KITCHEN PANIC [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0x00000000
|-
| 0x530454D3 || SLPS-00480 || WING COMMANDER III - HEART OF THE TIGER - [ 4 DISC ] [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFE7
|-
| 0x530524C4 || SLPS-00497 || BUILDING CRUSH! [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000006
cmd: 0x00000004
val: 0xFFFFFFF7
|-
| 0x530544C2 || SLPS-00491 || GENEI TOUGI - SHADOW STRUGGLE [J] || 0x00000002 ||
cmd: 0x00000009
val: 0xFFFEFEFE
cmd: 0x0000000E
val: 0xFFFFFFFC
|-
| 0x531425D4 || SLPS-00587 || MAGIC CARPET [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x00000004
cmd: 0x0000000E
val: 0x00000000
|-
| 0x531475D1 || SLPS-00582 || BELTLOGGER 9 [J] || 0x00000006 ||
cmd: 0x00000000
val: 0x00000008
cmd: 0x00000013
val: 0x00000003
cmd: 0x00000005
val: 0x00000010
cmd: 0x00000004
val: 0xFFFFFFB8
cmd: 0x0000000E
val: 0x00000000
cmd: 0x00000017
val: 0x00000320
|-
| 0x531510C7 || SLUS-00594 || METAL GEAR SOLID - [ 1 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000080
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x533437D5 || SLPS-00786 || KURUMI MIRACLE [J] || 0x00000003 ||
cmd: 0x00000000
val: 0x00000008
cmd: 0x00000013
val: 0x00000001
cmd: 0x00000001
val: 0x000000EF
|-
| 0x533567C0 || SLPS-00793 || NIPPON PRO MAHJONG RENMEI KOUNIN - DOUJOU YABURI [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000002
|-
| 0x534460D0 || SLPS-00083 || ZERO DIVIDE [J][E] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFF6
|-
| 0x534465D1 || SLES-00082 || G-POLICE - [ 1 DISC ] [E] || 0x00000002 ||
cmd: 0x00000001
val: 0x00000107
cmd: 0x00000002
val: 0x00000004
|-
| 0x534520C4 || SLPS-00097 || GENSO SUIKODEN [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x535451D3 || SLPS-00180 || DERON DERO DERO [J] || 0x00000001 ||
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x535461D0 || SLPS-00183 || CHO ANIKI - KYUUKYOUKU MUTEKI GINGA SAIKYOU OTOKO [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00001000
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000001
val: 0x000000E8
|-
| 0x535511C7 || SLPS-00194 || WIZARD'S HARMONY [J] || 0x00000003 ||
cmd: 0x00000002
val: 0x00000009
cmd: 0x00000001
val: 0x000000E8
cmd: 0x00000004
val: 0xFFFFFFFD
|-
| 0x535524C4 || SLUS-00197 || STREET FIGHTER ALPHA - WARRIORS' DREAMS [E] || 0x00000001 ||
cmd: 0x00000002
val: 0x0000000A
|-
| 0x536412D7 || SLPS-00284 || PUZZLE BUBBLE 2 [J] || 0x00000003 ||
cmd: 0x00000013
val: 0x00000002
cmd: 0x0000000E
val: 0xFFFFFFF0
cmd: 0x00000001
val: 0x000000EE
|-
| 0x536577C1 || SLUS-00292 || SUIKODEN [E] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x537436D5 || SLUS-00386 || STAR WARS - REBEL ASSAULT II - [ 2 DISC ] [E] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00080000
cmd: 0x00000013
val: 0x00000000
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000001A
val: 0x00000001
|-
| 0x537446D2 || SLUS-00381 || STAR WARS - REBEL ASSAULT II - [ 1 DISC ] [E] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00080000
cmd: 0x00000013
val: 0x00000000
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000001A
val: 0x00000001
|-
| 0x537463D0 || SLPS-00383 || TIME GAL & NINJA HAYATE - [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x00000002
cmd: 0x00000001
val: 0x000000EF
|-
| 0x614705D1 || SLES-32082 || FINAL FANTASY VIII - [ 4 DISC ] [G] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x614715D0 || SLES-32083 || FINAL FANTASY VIII - [ 4 DISC ] [I] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x614725D7 || SLES-32084 || FINAL FANTASY VIII - [ 4 DISC ] [S] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x614765D3 || SLES-32080 || FINAL FANTASY VIII - [ 4 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x614775D2 || SLES-32081 || FINAL FANTASY VIII - [ 4 DISC ] [F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x714605D1 || SLES-22082 || FINAL FANTASY VIII - [ 3 DISC ] [G] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x714615D0 || SLES-22083 || FINAL FANTASY VIII - [ 3 DISC ] [I] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x714625D7 || SLES-22084 || FINAL FANTASY VIII - [ 3 DISC ] [S] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x714665D3 || SLES-22080 || FINAL FANTASY VIII - [ 3 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x714675D2 || SLES-22081 || FINAL FANTASY VIII - [ 3 DISC ] [F] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00001800
cmd: 0x00000000
val: 0x00000017
cmd: 0x0000000A
val: 0x00000008
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000004
val: 0xFFFFFFF8
|-
| 0x5156721C || MMIISSIINN || !! || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000200
|-
| 0x33417071 || SIPS-60022 || RALLY CROSS [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFC
|-
| 0x40462510 || SCES-13043 || THE LEGEND OF DRAGOON - [ 2 DISC ] [E] || 0x00000004 ||
cmd: 0x00000002
val: 0x00000008
cmd: 0x00000001
val: 0x000000F8
cmd: 0x0000000E
val: 0xFFFFFFF0
cmd: 0x00000004
val: 0x0000FFA0
|-
| 0x42381267 || SLES-11734 || METAL GEAR SOLID - [ 2 DISC ] [S] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x42745623 || SLES-11370 || METAL GEAR SOLID - [ 2 DISC ] [E] || 0x00000005 ||
cmd: 0xFFFFFFFF
val: 0x00000088
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000013
val: 0x00000003
cmd: 0x0000000B
val: 0x00010002
cmd: 0x00000014
val: 0x00001715
|-
| 0x42790610 || SLES-11343 || COMMAND & CONQUER - RED ALERT - RETALIATION - [ 2 DISC ] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
|-
| 0x43184063 || SLES-10530 || COMMAND & CONQUER - [ 2 DISC ] || 0x00000003 ||
cmd: 0x00000000
val: 0x00008000
cmd: 0x00000005
val: 0x00000020
cmd: 0x00000010
val: 0x00000004
|-
| 0x43403075 || SCPS-10026 || ARC THE LAD 2 [J] || 0x00000002 ||
cmd: 0x00000006
val: 0x000F390C
cmd: 0x00000012
val: 0x00000001
|-
| 0x43404072 || SCPS-10021 || JUMPING FLASH! 2 - ALOHA VOLUME OF BARON LARGE WEAKENING - [ 1 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00000002
cmd: 0x00000000
val: 0x0000000A
cmd: 0x00000011
val: 0x80023B88
|-
| 0x43414042 || SCPS-10011 || SENGOKU CYBER - FUJIMARU JIGOKUHEN [J] || 0x00000003 ||
cmd: 0x00000005
val: 0x00000018
cmd: 0x0000000E
val: 0x00000000
cmd: 0x00000004
val: 0xFFFFFFF6
|-
| 0x43417041 || SCPS-10012 || HERMIE HOPPERHEAD SCRAP PANIC [J] || 0x00000003 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000002
val: 0x00000006
cmd: 0x00000010
val: 0x00000005
|-
| 0x43422054 || SCPS-10007 || JUMPING FLASH! - ALOHA DANSHAKU FUNKY DAISAKUSEN NO KAN [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00000000
|-
| 0x43426050 || SCPS-10003 || CRIME CRACKERS [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000002
|-
| 0x43441037 || SCPS-10064 || KULAQUEST [J] || 0x00000002 ||
cmd: 0x00000004
val: 0xFFFFFFE7
cmd: 0x0000000E
val: 0xFFFFFFE1
|-
| 0x43445033 || SCPS-10060 || RAPID RACER [J] || 0x00000001 ||
cmd: 0x0000000E
val: 0xFFFFFFFE
|-
| 0x43446030 || SCPS-10063 || JET MOTO '98 [J] || 0x00000001 ||
cmd: 0x00000002
val: 0x00000003
|-
| 0x43451007 || SCPS-10054 || YARUDORA SERIES VOL.1 - DOUBLE CAST - [ 2 DISC ] [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00000008
|-
| 0x43455003 || SCPS-10050 || POPOROGUE [J] || 0x00000004 ||
cmd: 0xFFFFFFFF
val: 0x00000020
cmd: 0x00000001
val: 0x000000EB
cmd: 0x0000000E
val: 0x00000000
cmd: 0x00000016
val: 0x0000541A
|-
| 0x43456000 || SCPS-10053 || YARUDORA SERIES VOL.1 - DOUBLE CAST - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00000008
|-
| 0x43462014 || SCPS-10047 || CRASH BANDICOOT 2 - CORTEX NO GYAKUSHUU! [J] || 0x00000002 ||
cmd: 0x00000004
val: 0xFFFFFFFD
cmd: 0x0000000F
val: 0x00003BEB
|-
| 0x43464012 || SCPS-10041 || ARC THE LAD MONSTER GAME WITH CASINO GAME - [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0x00000007
val: 0x000F18D0
cmd: 0x00000002
val: 0x00000006
|-
| 0x43465013 || SCPS-10040 || ARC THE LAD MONSTER GAME WITH CASINO GAME - [ 1 DISC ] [J] || 0x00000004 ||
cmd: 0x00000004
val: 0xFFFFFFE0
cmd: 0x00000013
val: 0x00000004
cmd: 0x00000016
val: 0x00004348
cmd: 0x00000007
val: 0x000F18D0
|-
| 0x43470066 || SCPS-10035 || ALUNDRA [J] || 0x00000002 ||
cmd: 0x00000016
val: 0x00008690
cmd: 0x00000001
val: 0x000000EA
|-
| 0x43472064 || SCPS-10037 || CRIME CRACKERS 2 [J] || 0x00000002 ||
cmd: 0x00000002
val: 0x0000000C
cmd: 0x00000003
val: 0x0000000C
|-
| 0x43473065 || SCPS-10036 || GANBARE MORIKAWA KIME 2ND - PET IN TV [J] || 0x00000002 ||
cmd: 0x00000008
val: 0x00000000
cmd: 0x00000002
val: 0x00000002
|-
| 0x43502174 || SCPS-10127 || KONEKO MO ISSYO [J] || 0x00000001 ||
cmd: 0x00000010
val: 0x00000007
|-
| 0x43503175 || SCPS-10126 || ADDIE NO OKURIMONO - TO MOZE FROM ADDIE [J] || 0x00000001 ||
cmd: 0xFFFFFFFF
val: 0x00000002
|-
| 0x43504172 || SCPS-10121 || THE LEGEND OF DRAGOON - [ 3 DISC ] [J] || 0x00000004 ||
cmd: 0x00000002
val: 0x00000003
cmd: 0x00000001
val: 0x000000EF
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000004
val: 0x0000FFA0
|-
| 0x43505173 || SCPS-10120 || THE LEGEND OF DRAGOON - [ 2 DISC ] [J] || 0x00000004 ||
cmd: 0x00000002
val: 0x00000003
cmd: 0x00000001
val: 0x000000EF
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000004
val: 0x0000FFA0
|-
| 0x43506170 || SCPS-10123 || XI [SAI] JUMBO [J] || 0x00000002 ||
cmd: 0x00000019
val: 0xFFFF0005
cmd: 0x00000001
val: 0x000000EE
|-
| 0x43507171 || SCPS-10122 || THE LEGEND OF DRAGOON - [ 4 DISC ] [J] || 0x00000004 ||
cmd: 0x00000002
val: 0x00000003
cmd: 0x00000001
val: 0x000000EF
cmd: 0x0000000E
val: 0xFFFFFFFE
cmd: 0x00000004
val: 0x0000FFA0
|-
| 0x43510146 || SCPS-10115 || ALUNDRA 2 - MASHINKA NO NAZO [J] || 0x00000002 ||
cmd: 0x00000005
val: 0x00000007
cmd: 0x00000001
val: 0x000000EE
|-
| 0x43511147 || SCPS-10114 || POPOLOCROIS II [ 3 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x10000000
cmd: 0x00000013
val: 0x00000005
|-
| 0x43513145 || SCPS-10116 || GRAN TURISMO 2 - THE REAL DRIVING SIMULATOR - [ 1 DISC ] [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00000000
|-
| 0x43516140 || SCPS-10113 || POPOLOCROIS II [ 2 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x10000000
cmd: 0x00000013
val: 0x00000005
|-
| 0x43517141 || SCPS-10112 || POPOLOCROIS II [ 1 DISC ] [J] || 0x00000002 ||
cmd: 0xFFFFFFFF
val: 0x10000000
cmd: 0x00000013
val: 0x00000005
|-
| 0x43520156 || SCPS-10105 || BRIGHTIS [J] || 0x00000001 ||
cmd: 0x00000000
val: 0x00008000
|-
| 0x43522154 || SCPS-10107 || ARC THE LAD III - [ 2 DISC ] [J] || 0x00000004 ||
cmd: 0x00000004
val: 0xFFFFFFE4
cmd: 0xFFFFFFFF
val: 0x00008000
cmd: 0x00000002
val: 0x00000005
cmd: 0x00000006
val: 0x000F36CC
|-
| 0x43523155 || SCPS-10106 || ARC THE LAD III - [ 1 DISC ] [J] || 0x00000003 ||
cmd: 0xFFFFFFFF
val: 0x00008000
cmd: 0x00000002
val: 0x00000005
cmd: 0x00000006
val: 0x000F36CC
|-
| 0x43526150 || SCPS-10103 || ROBBIT
MON DIEU [J] ||0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020002<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x43565113 || SCPS-10140 || CRASH BANDICOOT CARNIVAL [J] || 0x00000001 ||<br /> cmd: 0x00000003<br /> val: 0x00000008<br /> |-<br /> | 0x43571167 || SCPS-10134 || GEKITOTSU TOMA L'ARC - L'ARC EN CIEL VS. TOMARUNNER [J] ||0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x00000004<br /> val: 0xFFFFFF98<br /> |-<br /> | 0x43573165 || SCPS-10136 || GUNPARADE MARCH [J] ||0x00000002 ||<br /> cmd: 0x00000003<br /> val: 0x00000008<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0x43576160 || SCPS-10133 || DIG-A-DIG PUKKA [J] ||0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> |-<br /> | 0x50330252 || SCES-03701 || SYPHON FILTER 3 [S] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x50337253 || SCES-03700 || SYPHON FILTER 3 [I] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x50472510 || SCES-03043 || THE LEGEND OF DRAGOON - [ 1 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000F8<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0x51196502 || SLPS-02551 || SHISHA NO YABU TACHI [PANDORA MAX SERIES VOL.2] [J] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x00000003<br /> val: 0x00000006<br /> cmd: 0x00000010<br /> val: 0x00000003<br /> |-<br /> | 0x51280610 || SLPS-02643 || THEME PARK WORLD [J] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000005<br /> val: 0x00000010<br /> cmd: 0x0000000E<br /> val: 
0xFFFFFFE1<br /> |-<br /> | 0x51291601 || SLPS-02652 || SEIREI HATA RAYBLADE [J] || 0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x0000000C<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x00000016<br /> val: 0x000064EC<br /> |-<br /> | 0x51380710 || SLPS-02743 || MARIONETTE COMPANY 2 CHU! [J] || 0x00000001 ||<br /> cmd: 0x0000001B<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x51487013 || SLPS-02040 || MOTO RACER 2 [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x51533456 || SCES-02105 || CRASH TEAM RACING [E][F][G][I][S] || 0x00000004 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000005<br /> val: 0x00000020<br /> |-<br /> | 0x51586112 || SLPS-02141 || AQUANAUT NO KYUUJITSU 2 [J] ||0x00000001 ||<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x51692206 || SLPS-02255 || ROCKMAN 2 - DR WILY NO NAZO [COMPLETE WORKS] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0x51780310 || SLPS-02343 || LE CONCERT PP - PIANISSIMO [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20100000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFB8<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x51783317 || SLPS-02344 || LE CONCERT FF - FORTISSIMO [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20100000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFB8<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x52015173 || SCES-01420 || CRASH BANDICOOT 3 - WARPED [E][F][G][I][S] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0x52094403 || SLPS-01450 || KUROI HITOMI NO NOIR - CIELGRIS FANTASM [J] ||0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x52187012 || SLUS-01541 || FINAL FANTASY ORIGINS || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x0000000B<br /> 
val: 0x00010004<br /> cmd: 0x00000003<br /> val: 0x0000000C<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF1<br /> |-<br /> | 0x52191500 || SLPS-01553 || THE RAPID ANGEL [J] ||0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> cmd: 0x00000016<br /> val: 0x0000C9D8<br /> |-<br /> | 0x52286611 || SLPS-01642 || LSD - DREAM EMULATOR [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFDFF<br /> |-<br /> | 0x52357231 || SCES-01762 || R-TYPE DELTA [E] || 0x00000004 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> cmd: 0x00000010<br /> val: 0x00000004<br /> |-<br /> | 0x52390707 || SLPS-01754 || MAHOU TSUKAI NI NARU HOUHOU [J] ||0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> |-<br /> | 0x52394703 || SLPS-01750 || EHRGEIZ [J] ||0x00000001 ||<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> |-<br /> | 0x52435553 || SCES-01000 || KULA WORLD [E] || 0x00000002 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x52480017 || SLPS-01044 || CRITICAL BLOW [J] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0x52486511 || SLUS-01042 || PARASITE EVE 2 - [ 1 DISC ] [E] ||0x00000009 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000030<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x0000001A<br /> val: 0x00000001<br /> cmd: 0x00000013<br /> val: 0x00000005<br /> cmd: 0x00000000<br /> val: 0x0000001B<br /> cmd: 0x00000011<br /> val: 0x8002325D<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA4<br /> cmd: 0x00000002<br /> val: 0x0000000C<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x52487511 || SLES-01042 || ACTUA GOLF 3 [E] || 0x00000001 ||<br /> 
cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> |-<br /> | 0x52487512 || SLUS-01041 || CHRONO CROSS - [ 1 DISC ] [E] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000030<br /> cmd: 0x00000000<br /> val: 0x00000005<br /> cmd: 0x0000000D<br /> val: 0x801C5E04<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0x52491000 || SLPS-01053 || SUPER ADVENTURE ROCKMAN - [ 3 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> |-<br /> | 0x52492005 || SLPS-01056 || SPECTRAL FORCE [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0x52493506 || SLUS-01055 || PARASITE EVE 2 - [ 2 DISC ] [E] ||0x00000009 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000030<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x0000001A<br /> val: 0x00000001<br /> cmd: 0x00000013<br /> val: 0x00000005<br /> cmd: 0x00000000<br /> val: 0x0000001B<br /> cmd: 0x00000011<br /> val: 0x8002325D<br /> cmd: 0x00000004<br /> val: 0xFFFFFFA4<br /> cmd: 0x00000002<br /> val: 0x0000000C<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x52496001 || SLPS-01052 || SUPER ADVENTURE ROCKMAN - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> |-<br /> | 0x52497002 || SLPS-01051 || SUPER ADVENTURE ROCKMAN - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> |-<br /> | 0x52580117 || SLPS-01144 || ORE! 
TOMBA [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0x52592105 || SLPS-01156 || MOMOTAROU DENSETSU 7 [J] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> |-<br /> | 0x52686211 || SLPS-01242 || MOTTEKE TAMAGO WITH GANABARE KAMONOHASHI [J] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x0000000F<br /> |-<br /> | 0x52690707 || SLUS-01254 || ARC THE LAD III - [ 2 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE4<br /> cmd: 0xFFFFFFFF<br /> val: 0x00008000<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000006<br /> val: 0x000F36CC<br /> |-<br /> | 0x52691700 || SLUS-01253 || ARC THE LAD III - [ 1 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00008000<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> cmd: 0x00000006<br /> val: 0x000F36CC<br /> |-<br /> | 0x52697702 || SLUS-01251 || FINAL FANTASY IX - [ 1 DISC ] [E] || 0x00000006 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFA<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x52780610 || SLES-01343 || COMMAND &amp; CONQUER - RED ALERT - RETALIATION - [ 1 DISC ] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0x52781310 || SLPS-01343 || REBUS [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0x52784313 || SLPS-01340 || KINDAICHI SHOUNEN NO JIKENBO 2 - JIGOKU YUUEN SATSUJIN JIKEN - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0x52787312 || SLPS-01341 || KINDAICHI SHOUNEN NO JIKENBO 2 - JIGOKU YUUEN SATSUJIN JIKEN - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF9<br /> 
|-<br /> | 0x52792305 || SLPS-01356 || TANTEI JINGUUJI SABURO - YUMENO OWARINI [J] ||0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> |-<br /> | 0x53085113 || SLUS-00440 || REEL FISHING [E] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> |-<br /> | 0x53087411 || SLPS-00442 || NYAN TO WONDERFUL [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> |-<br /> | 0x53181517 || SLPS-00544 || TANTEI JINGUUJI SABURO - MIKAN NO REPORT [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000010<br /> |-<br /> | 0x53186010 || SLUS-00543 || COLONY WARS - [ 1 DISC ] [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x53190506 || SLPS-00555 || SOUL EDGE [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0x53191007 || SLUS-00554 || COLONY WARS - [ 2 DISC ] [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE3<br /> |-<br /> | 0x53195503 || SLPS-00550 || SHIN SUPER ROBOT TAISEN [J] ||0x00000001 ||<br /> cmd: 0x00000019<br /> val: 0xFFFF0002<br /> |-<br /> | 0x53285613 || SLPS-00640 || REAL BOUT GAROU DENSETSU [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x53292604 || SLPS-00657 || CLOCK TOWER 2 [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001020<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0x53296300 || SLUS-00653 || POCKET FIGHTER [E] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x40000000<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> cmd: 
0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0x53393205 || SLUS-00756 || RESIDENT EVIL 2 (DUAL SHOCK VERSION) - [ 2 DISC ] [E] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00030020<br /> cmd: 0x00000000<br /> val: 0x00000006<br /> cmd: 0x0000000A<br /> val: 0x00000018<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF9<br /> |-<br /> | 0x53396200 || SLUS-00753 || R-TYPES [E] ||0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> |-<br /> | 0x53424543 || SCES-00010 || WIPEOUT [E] ||0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> |-<br /> | 0x53433554 || SCES-00007 || AIR COMBAT [E] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> |-<br /> | 0x53437550 || SCES-00003 || JUMPING FLASH! [E] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0x53484012 || SLPS-00041 || GUSSUN OYOYO [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x08000000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> cmd: 0xFFFFFFFF<br /> val: 0x00080000<br /> |-<br /> | 0x53485013 || SLPS-00040 || TEKKEN [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> |-<br /> | 0x53580116 || SLPS-00145 || J.B. HAROLD - BLUE CHICAGO BLUES - [ 2 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00088000<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x53581117 || SLPS-00144 || J.B. 
HAROLD - BLUE CHICAGO BLUES - [ 1 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00088000<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0x53597101 || SLPS-00152 || YAKU - YUUJOU DANGI [J] ||0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x53686210 || SLPS-00243 || ROAD RASH [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0x53784312 || SLPS-00341 || IREM ARCADE CLASSICS [J] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> |-<br /> | 0x60442510 || SCES-33043 || THE LEGEND OF DRAGOON - [ 4 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000F8<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0x70452510 || SCES-23043 || THE LEGEND OF DRAGOON - [ 3 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000F8<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0xC26D41D3 || SLPS-91180 || ATELIER ELIE [PLAYSTATION THE BEST] [J] ||0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFBF<br /> |-<br /> | 0xC70A3151 || SCUS-94402 || THE RAIDEN PROJECT [E] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EF<br /> |-<br /> | 0xC70D0102 || SCUS-94451 || SYPHON FILTER 2 - [ 1 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF5<br /> |-<br /> | 0xC70DC106 || SCUS-94455 || GRAN TURISMO 2 - THE REAL DRIVING SIMULATOR - [ 1 DISC ] [E] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0xC70DD107 || SCUS-94454 || TOMBA! 
2 - THE EVIL SWINE RETURNS [E] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0xC70E911B || SCUS-94448 || UM JAMMER LAMMY [E] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000100<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE2<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0xC72E1313 || SCUS-94640 || SYPHON FILTER 3 [E] ||0x00000004 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x0000000D<br /> val: 0x80151600<br /> cmd: 0x00000011<br /> val: 0x8002C0CD<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0xC72EF315 || SCUS-94646 || DISNEY'S LILO &amp; STITCH [E] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000001<br /> |-<br /> | 0xC75A945B || SCUS-94108 || JUMPING FLASH! 2 [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000011<br /> val: 0x800239D4<br /> |-<br /> | 0xC75A2450 || SCUS-94103 || JUMPING FLASH! 
[E] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0xC75C2430 || SCUS-94163 || FINAL FANTASY VII - [ 1 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E6<br /> |-<br /> | 0xC75CC436 || SCUS-94165 || FINAL FANTASY VII - [ 3 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E6<br /> |-<br /> | 0xC75CD437 || SCUS-94164 || FINAL FANTASY VII - [ 2 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001800<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E6<br /> |-<br /> | 0xC75CE434 || SCUS-94167 || JET MOTO 2 [E] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000003<br /> |-<br /> | 0xC75DD407 || SCUS-94154 || CRASH BANDICOOT 2 - CORTEX STRIKES BACK [E] ||0x00000002 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> cmd: 0x0000000F<br /> val: 0x00011EDC<br /> |-<br /> | 0xC76A1753 || SCUS-94200 || BATTLE ARENA TOSHINDEN [E] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000006<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0xC76C2730 || SCUS-94263 || BUST A GROOVE [E][S] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20100000<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0xC76E1713 || SCUS-94240 || SYPHON FILTER [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0xC76ED717 || SCUS-94244 || CRASH BANDICOOT 3 - WARPED [E] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0xC77A0652 || SCUS-94301 || WIPEOUT [E] ||0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> |-<br /> | 0xC77A865A || SCUS-94309 || JET MOTO [E] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000003<br /> |-<br /> | 0xC77A965B || SCUS-94308 || RALLY CROSS [E] ||0x00000001 ||<br /> cmd: 
0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0xC77A3651 || SCUS-94302 || DESTRUCTION DERBY [E] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000420<br /> |-<br /> | 0xC77AD657 || SCUS-94304 || TWISTED METAL [E] || 0x00000001 ||<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> |-<br /> | 0xC77DC606 || SCUS-94355 || MOTOR TOON GRAND PRIX [E] || 0x00000001 ||<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0xC246F04A || SLPS-91019 || A IV EVOLUTION GLOBAL [PLAYSTATION THE BEST] [J] || 0x00000004 ||<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> cmd: 0x00000005<br /> val: 0x00000017<br /> |-<br /> | 0xC248D074 || SCPS-91027 || MOTOR TOON GRAND PRIX USA EDITION [PLAYSTATION THE BEST] [J] || 0x00000001 ||<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0xC708D177 || SCUS-94424 || BLOODY ROAR 2 [E] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xC708F175 || SCUS-94426 || CRASH TEAM RACING [E] || 0x00000004 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000005<br /> val: 0x00000020<br /> |-<br /> | 0xC712D1D7 || SCUS-94484 || WILD ARMS 2 - [ 1 DISC ] [E] || 0x00000005 ||<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> cmd: 0x00000003<br /> val: 0x00000004<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000015<br /> val: 0x00000001<br /> |-<br /> | 0xC713F125 || SCUS-94476 || HOT SHOTS GOLF 2 [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00100000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0xC722C0D6 || SCUS-94585 || THE LEGEND OF DRAGOON - [ 3 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> cmd: 0x0000000E<br /> 
val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0xC722D0D7 || SCUS-94584 || THE LEGEND OF DRAGOON - [ 2 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0xC722F0D5 || SCUS-94586 || THE LEGEND OF DRAGOON - [ 4 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0xC768E774 || SCUS-94227 || MEDIEVIL [E] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0xC71101C2 || SCUS-94491 || THE LEGEND OF DRAGOON - [ 1 DISC ] [E] || 0x00000004 ||<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000ED<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000004<br /> val: 0x0000FFA0<br /> |-<br /> | 0xC71131C1 || SCUS-94492 || SYPHON FILTER 2 - [ 2 DISC ] [E] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF5<br /> |-<br /> | 0xC71191CB || SCUS-94498 || WILD ARMS 2 - [ 2 DISC ] [E] || 0x00000005 ||<br /> cmd: 0x00000002<br /> val: 0x00000004<br /> cmd: 0x00000003<br /> val: 0x00000004<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000015<br /> val: 0x00000001<br /> |-<br /> | 0xC76224D0 || SCUS-94183 || PARAPPA THE RAPPER [E][F][G][I][S] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF7<br /> |-<br /> | 0xC2024403 || SLPS-91450 || DOUKYUU RE-MIX - BILLIARDS MULTIPLE [PSONE BOOKS] [J] || 0x00000001 ||<br /> cmd: 0x00000010<br /> val: 0x00000003<br /> |-<br /> | 
0xC2063446 || SLPS-91415 || THE ADVENTURE OF PUPPET PRINCESS [PSONE BOOKS] [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> |-<br /> | 0xC2470077 || SLPS-91024 || SAMURAI SPIRITS - ZANKUROU MUSOUDEN [PLAYSTATION THE BEST] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0xC2520107 || SLPS-91154 || TAMAMAYU MONOGATARI [PLAYSTATION THE BEST] [J] || 0x00000001 ||<br /> cmd: 0x00000011<br /> val: 0x8003B450<br /> |-<br /> | 0xC7093141 || SCUS-94412 || BLASTO [E] || 0x00000001 ||<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> |-<br /> | 0xD5C4E848 || SLPM-86805 || MAGICAL DROP F - DAIBOUKEN MO RAKUJYANAI! [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0xD5C3283C || SLPM-86871 || SIMPLE 1500 SERIES VOL.072 - THE BEACH VOLLEY [J] || 0x00000001 ||<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> |-<br /> | 0xD5C3383D || SLPM-86870 || SIMPLE 1500 SERIES VOL.071 - THE RENAI SIMULATION 2 [J] ||0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0xD5D3C93E || SLPM-86973 || SIMPLE 1500 SERIES VOL.082 - THE SENSUIKAN [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0xD5D3E938 || SLPM-86975 || SIMPLE 1500 SERIES VOL.091 - THE GAMBLER [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0xD5D4B945 || SLPM-86908 || DX HYAKUNIN ISSYU [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> |-<br /> | 0xD5D6F969 || SLPM-86924 || SHIN MEGAMI TENSEI II [J] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> |-<br /> | 0xD5D5995B || SLPM-86916 || DRAGON QUEST IV - MICHIBIKARESHI MONOTACHI [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x10000010<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> cmd: 0x00000005<br /> val: 
0x00000080<br /> |-<br /> | 0xD5DC28CC || SLPM-86881 || TOKIMEKI MEMORIAL 2 - SUBSTORIES VOL. 3 - MEMORIES RINGING ON - [ 1 DISC ] [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00A00000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0xD5DCD8CF || SLPM-86882 || TOKIMEKI MEMORIAL 2 - SUBSTORIES VOL. 3 - MEMORIES RINGING ON - [ 2 DISC ] [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00A00000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0xD5DDA8D4 || SLPM-86899 || LOVE GAME'S - WAI WAI TENNIS PLUS [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x00000002<br /> val: 0x00000005<br /> |-<br /> | 0xD5ECD9CF || SLPM-86982 || SUPERLITE 3 IN 1 - BOARD GAME SYUU [J] || 0x00000003 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000016<br /> val: 0x00004348<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0xD47CE2C9 || SLPM-87284 || AZITO [MAJOR WAVE SERIES] [J] || 0x00000004 ||<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF2<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFD<br /> cmd: 0x00000016<br /> val: 0x00004348<br /> |-<br /> | 0xD52C25CC || SLPM-86581 || THE TETRIS [SUPERLITE 1500 SERIES] [J] || 0x00000001 ||<br /> cmd: 0x00000008<br /> val: 0x00000000<br /> |-<br /> | 0xD52CA5C4 || SLPM-86589 || ACID [MAJOR WAVE SERIES] [E] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD52CF5C9 || SLPM-86584 || TENKUU NO RESTAURANT [J] || 0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x00000003<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFD<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xD55C20CC || SLPM-86081 || FINAL FANTASY V [J] ||0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF3<br /> |-<br /> | 0xD55CB0C5 || SLPM-86088 || ASTRONOKA - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 
0x00000008<br /> |-<br /> | 0xD55DE0D8 || SLPM-86095 || THE KING OF FIGHTERS KYO [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0xD55DF0D9 || SLPM-86094 || TOKIMEKI NO HOUKAGO - NE QUIZ SIYO [J] || 0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD56DB1D5 || SLPM-86198 || FINAL FANTASY VI [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x80000010<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000000<br /> val: 0x00008003<br /> cmd: 0x00000011<br /> val: 0x80041CEC<br /> |-<br /> | 0xD56DD1DF || SLPM-86192 || SILENT HILL [J] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000009<br /> val: 0xFFFEFEFE<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD440E009 || SLPM-87044 || SIMPLE 1500 SERIES VOL.090 - THE SENSHA [J] ||0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x00000019<br /> val: 0xFFFF0003<br /> |-<br /> | 0xD451E119 || SLPM-87154 || SHIN MEGAMI TENSEI IF... 
[J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0xD460E209 || SLPM-87244 || WAI WAI KUSA YAKYUU [MAJOR WAVE SERIES] [J] ||0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000019<br /> val: 0xFFFF000B<br /> |-<br /> | 0xD461E219 || SLPM-87254 || THE FAMIRES - SHIJOU SAIKYOU NO MENU (MAJOR WAVE SERIES) [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000003<br /> |-<br /> | 0xD465F25E || SLPM-87213 || PUYO PUYO SUN - KETTEIBAN [RERELEASE] [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD466A265 || SLPM-87228 || ARCADE HITS - SHIENRYU [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0xD477D37C || SLPM-87331 || FRONT MISSION HISTORY - [ 2 DISC ] [J] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> cmd: 0x00000001<br /> val: 0x000000EA<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0xD501A414 || SLPM-86459 || SANVEIN [SUPERLITE 1500 SERIES] [J] ||0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x10000030<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x0000000A<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFE1<br /> |-<br /> | 0xD502D42F || SLPM-86462 || THE KING OF FIGHTERS '99 [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> |-<br /> | 0xD507A474 || SLPM-86439 || OMIAIKOMANDOH BAKAPPURU NI TUKKOMI WO [J] || 0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0x00000001<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0xD510A504 || SLPM-86549 || TOKIMEKI MEMORIAL 2 - SUBSTORIES VOL. 
1 - DANCING SUMMER VACATION - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00A00000<br /> |-<br /> | 0xD510B505 || SLPM-86548 || WINNING LURE [FISHING ROD SERIES] [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> |-<br /> | 0xD515C55E || SLPM-86513 || SUZUKI BAKUHATSU [J] || 0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0xD516C56E || SLPM-86523 || ZUTTO ISSHO - WITH ME EVERYTIME... [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0xD520B605 || SLPM-86648 || BLUE BREAKER BURST - EGAO NO ASUMI [MAJOR WAVE SERIES] [J] || 0x00000005 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> cmd: 0x00000003<br /> val: 0x0000000A<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xD520D60F || SLPM-86642 || FUSHIGI DEKA [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD521B615 || SLPM-86658 || CULDCEPT EXPANSION PLUS [J] ||0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0xD522C62E || SLPM-86663 || GENSO SUIKO GAIDEN VOL.2 - CRYSTAL VALLET NO KETTOU [J] ||0x00000001 ||<br /> cmd: 0x00000006<br /> val: 0x000F19A4<br /> |-<br /> | 0xD523B635 || SLPM-86678 || THE DRUG STORE - MATSUMOTO KIYOSHI DE OKAIMONO! 
[MAJOR WAVE SERIES] [J] ||0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xD524A644 || SLPM-86609 || NÖEL 3 - MISSION ON THE LINE [MAJOR WAVE SERIES] - [ 1 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0xD524D64F || SLPM-86602 || BLADE ARTS [J] || 0x00000001 ||<br /> cmd: 0x00000005<br /> val: 0x00000010<br /> |-<br /> | 0xD526C66E || SLPM-86623 || FISHING CLUB - BOUHATEI NO TSURIKEN [SUPERLITE 1500 SERIES] [J] ||0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0xD526D66F || SLPM-86622 || FISHING CLUB - BOAT NO TSURIKEN [SUPERLITE 1500 SERIES] [J] ||0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0xD526E668 || SLPM-86625 || BOUNTY SWORD - DOUBLE EDGE [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0xD526F669 || SLPM-86624 || FISHING CLUB - HAMA NO TSURIKEN [SUPERLITE 1500 SERIES] [J] ||0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000004<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> |-<br /> | 0xD532D72F || SLPM-86762 || SIMPLE 1500 SERIES VOL.056 - THE SNIPER [J] ||0x00000002 ||<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF6<br /> |-<br /> | 0xD533E738 || SLPM-86775 || TOKIMEKI MEMORIAL 2 - SUBSTORIES VOL. 
2 - LEAPING SCHOOL FESTIVAL - [ 1 DISC ] [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000002<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> |-<br /> | 0xD533F739 || SLPM-86774 || GANBARE GOEMON - OOEDO DAIKAITEN [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD535D75F || SLPM-86712 || SIMPLE 1500 SERIES VOL.078 - THE ZERO YON [J] || 0x00000002 ||<br /> cmd: 0x00000005<br /> val: 0x00000018<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0xD535E758 || SLPM-86715 || SIMPLE 1500 SERIES VOL.057 - THE MAZE [J] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFF9E<br /> |-<br /> | 0xD541C01E || SLPM-86053 || TOKIMEKI MEMORIAL - FOREVER WITH YOU [PLAYSTATION THE BEST] [J] ||0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x10000030<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000003<br /> val: 0x00000008<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD541D01F || SLPM-86052 || KONAMI ANTIQUES - MSX COLLECTION VOL.1 [J] || 0x00000002 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> |-<br /> | 0xD542C02E || SLPM-86063 || NOON - NEW TYPE ACTION GAME [J] ||0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0xD542D02F || SLPM-86062 || KONAMI ANTIQUES - MSX COLLECTION VOL.2 [J] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> |-<br /> | 0xD543D03F || SLPM-86072 || KONAMI ANTIQUES - MSX COLLECTION VOL.3 [J] || 0x00000003 ||<br /> cmd: 0x00000000<br /> val: 0x00000008<br /> cmd: 0x00000013<br /> val: 0x00000002<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> |-<br /> | 0xD545B055 || SLPM-86018 || PRO LOGIC MAHJONG HAI-SHIN [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x00000016<br /> val: 0x0000C9D8<br /> |-<br /> | 0xD546B065 || 
SLPM-86028 || FINAL FANTASY IV [J] || 0x00000002 ||<br /> cmd: 0x0000000B<br /> val: 0x000F0010<br /> cmd: 0x00000004<br /> val: 0xFFFFFFFB<br /> |-<br /> | 0xD546F069 || SLPM-86024 || JIKKYOU PAWAFURU PUROYAKYU '97 - KAIMAKUBAN [J] ||0x00000001 ||<br /> cmd: 0x0000000B<br /> val: 0x00010004<br /> |-<br /> | 0xD547A074 || SLPM-86039 || TOKIMEKI MEMORIAL DRAMA SERIES VOL.1 - NIJIIRO NO SEISHUN [J] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> cmd: 0x00000014<br /> val: 0x00000015<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0xD547C07E || SLPM-86033 || TOBAL 2 [J] ||0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000EC<br /> |-<br /> | 0xD551E118 || SLPM-86155 || GANBARE GOEMON - KURUNARAKOI! AYASHI GEIKKA NO KUROIKAGE! [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD552B125 || SLPM-86168 || GENSO SUIKODEN II [J] || 0x00000002 ||<br /> cmd: 0x00000003<br /> val: 0x00000009<br /> cmd: 0x00000006<br /> val: 0x000F1C94<br /> |-<br /> | 0xD554E148 || SLPM-86105 || STAR OCEAN - THE SECOND STORY - [ 1 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x0000000B<br /> val: 0x000F0010<br /> |-<br /> | 0xD555E158 || SLPM-86115 || METAL GEAR SOLID - [ 2 DISC ] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000014<br /> val: 0x00001715<br /> |-<br /> | 0xD555F159 || SLPM-86114 || METAL GEAR SOLID - [ 1 DISC ] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000014<br /> val: 
0x00001715<br /> |-<br /> | 0xD556C16E || SLPM-86123 || BISHI BASHI SPECIAL [J] ||0x00000003 ||<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> cmd: 0x00000013<br /> val: 0x00000001<br /> cmd: 0x00000000<br /> val: 0x00000008<br /> |-<br /> | 0xD561B215 || SLPM-86258 || MAHJONG II [SUPERLITE 1500 SERIES] [J] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> cmd: 0x00000008<br /> val: 0x00000001<br /> |-<br /> | 0xD561E218 || SLPM-86255 || AITAKUTE... YOUR SMILES IN MY HEART - [ 2 DISC ] [J] || 0x00000002 ||<br /> cmd: 0x00000005<br /> val: 0x0000001E<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD561F219 || SLPM-86254 || AITAKUTE... YOUR SMILES IN MY HEART - [ 1 DISC ] [J] || 0x00000002 ||<br /> cmd: 0x00000005<br /> val: 0x0000001E<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD562C22E || SLPM-86263 || DENSHA DE GO! [PLAYSTATION THE BEST] [J] || 0x00000001 ||<br /> cmd: 0x00000003<br /> val: 0x0000000C<br /> |-<br /> | 0xD562F229 || SLPM-86264 || PLANET LAIKA [J] || 0x00000005 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> cmd: 0x00000003<br /> val: 0x00000002<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0xD563C23E || SLPM-86273 || PSYCHIC FORCE 2 [J] ||0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001020<br /> |-<br /> | 0xD563D23F || SLPM-86272 || RAKUGAKI SHOWTIME [J] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x00000009<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFD<br /> |-<br /> | 0xD563E238 || SLPM-86275 || SUPERLITE 1500 SERIES - SHOGI II [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000010<br /> cmd: 0x00000001<br /> val: 0x000000EF<br /> |-<br /> | 0xD563F239 || SLPM-86274 || REIKOKU - KIZOKU IKEDA'S PSYCHICS LABORATORY [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xD566E268 || SLPM-86225 || TOKIMEKI MEMORIAL DRAMA SERIES VOL. 
3 - TABIDACHI NO UTA - [ 2 DISC ] [J] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> cmd: 0x00000014<br /> val: 0x00000015<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0xD566F269 || SLPM-86224 || TOKIMEKI MEMORIAL DRAMA SERIES VOL. 3 - TABIDACHI NO UTA - [ 1 DISC ] [J] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> cmd: 0x00000014<br /> val: 0x00000015<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0xD571E318 || SLPM-86355 || TOKIMEKI MEMORIAL 2 - [ 1 DISC ] || 0x00000001 ||<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0xD572B325 || SLPM-86368 || TEN MADE JACK - ODOROKI MANENOKI DAITOUBOU [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD572C32E || SLPM-86363 || CHAOS BREAK [J] ||0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000040<br /> cmd: 0x00000017<br /> val: 0x00000300<br /> |-<br /> | 0xD576B365 || SLPM-86328 || BAROQUE [LIMITED EDITION] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000003<br /> val: 0x0000000A<br /> cmd: 0x00000001<br /> val: 0x000000E6<br /> |-<br /> | 0xD576C36E || SLPM-86323 || JET DE GO! - LET'S GO BY AIRLINER [J] || 0x00000001 ||<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> |-<br /> | 0xD301441C || MMIISSIINN || !! || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0xD303243A || MMIISSIINN || !! 
|| 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFF8<br /> |-<br /> | 0xD443203D || SLPM-87070 || SIMPLE 1500 SERIES VOL.095 - THE HIKOUKI [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0xD455815B || SLPM-87116 || TALL INFINITE [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0x00000002<br /> val: 0x00000002<br /> |-<br /> | 0xD463223D || SLPM-87270 || WOLF FANG - KUUGA 2001 [MAJOR WAVE SERIES] [J] || 0x00000002 ||<br /> cmd: 0x00000003<br /> val: 0x0000000D<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE7<br /> |-<br /> | 0xD467227D || SLPM-87230 || WAI WAI KART [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000E9<br /> |-<br /> | 0xD501341D || SLPM-86450 || RAYCRISIS [J] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> cmd: 0x00000000<br /> val: 0x00008003<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> cmd: 0x00000010<br /> val: 0x00000007<br /> |-<br /> | 0xD510350D || SLPM-86540 || BAROQUE SYNDROME [J] || 0x00000002 ||<br /> cmd: 0x00000003<br /> val: 0x00000008<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0xD510950B || SLPM-86546 || RC DE GO! [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00020000<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xD511351D || SLPM-86550 || TOKIMEKI MEMORIAL 2 - SUBSTORIES VOL. 
1 - DANCING SUMMER VACATION - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00A00000<br /> |-<br /> | 0xD514254C || SLPM-86501 || DRAGON QUEST VII - EDEN NO SENSHI-TACHI - [ 2 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x10000010<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> cmd: 0x00000005<br /> val: 0x00000080<br /> |-<br /> | 0xD514354D || SLPM-86500 || DRAGON QUEST VII - EDEN NO SENSHI-TACHI - [ 1 DISC ] [J] || 0x00000004 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x10000010<br /> cmd: 0x00000000<br /> val: 0x00000007<br /> cmd: 0x0000000A<br /> val: 0x00000010<br /> cmd: 0x00000005<br /> val: 0x00000080<br /> |-<br /> | 0xD520860A || SLPM-86647 || BLUE BREAKER BURST - BISHOU O ANATA TO [MAJOR WAVE SERIES] [J] || 0x00000005 ||<br /> cmd: 0x00000000<br /> val: 0x00000000<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> cmd: 0x00000003<br /> val: 0x0000000A<br /> cmd: 0x00000001<br /> val: 0x000000EE<br /> |-<br /> | 0xD520960B || SLPM-86646 || BLUE BREAKER - EGAO NO YAKUSHOKU [MAJOR WAVE SERIES] [J] || 0x00000002 ||<br /> cmd: 0x00000002<br /> val: 0x0000000A<br /> cmd: 0x00000003<br /> val: 0x0000000A<br /> |-<br /> | 0xD521961B || SLPM-86656 || RAIDEN DX [MAJOR WAVE SERIES] [E] || 0x00000001 ||<br /> cmd: 0x00000001<br /> val: 0x000000EF<br /> |-<br /> | 0xD525265C || SLPM-86611 || NÖEL 3 - MISSION ON THE LINE [MAJOR WAVE SERIES] - [ 3 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0xD525365D || SLPM-86610 || NÖEL 3 - MISSION ON THE LINE [MAJOR WAVE SERIES] - [ 2 DISC ] [J] || 0x00000003 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00001000<br /> cmd: 0x0000000B<br /> val: 0x00010003<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE5<br /> |-<br /> | 0xD526266C || SLPM-86621 || KERO KERO KING [J] || 0x00000001 ||<br /> cmd: 
0x00000004<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD527367D || SLPM-86630 || CHIKI CHIKI CHICKEN [SUPERLITE 1500 SERIES] [J] ||0x00000002 ||<br /> cmd: 0x00000016<br /> val: 0x00004348<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0xD533973B || SLPM-86776 || TOKIMEKI MEMORIAL 2 - SUBSTORIES VOL. 2 - LEAPING SCHOOL FESTIVAL - [ 2 DISC ] [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000002<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> |-<br /> | 0xD540800A || SLPM-86047 || OTHER LIFE - AZURE DREAMS [J] || 0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0x00000000<br /> |-<br /> | 0xD541201C || SLPM-86051 || MAGICAL DROP III - YOKUBARI TOKUDAIGOU! [J] ||0x00000001 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFF0<br /> |-<br /> | 0xD543203C || SLPM-86071 || TOKIMEKI MEMORIAL DRAMA SERIES VOL. 2 - IRODORI NO LOVE SONG - [ 2 DISC ] [J] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> cmd: 0x00000014<br /> val: 0x00000015<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0xD543303D || SLPM-86070 || TOKIMEKI MEMORIAL DRAMA SERIES VOL. 
2 - IRODORI NO LOVE SONG - [ 1 DISC ] [J] || 0x00000007 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x20000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000004<br /> val: 0xFFFFFFE6<br /> cmd: 0x00000014<br /> val: 0x00000015<br /> cmd: 0x0000000B<br /> val: 0x00010016<br /> cmd: 0x00000002<br /> val: 0x00000007<br /> cmd: 0x00000001<br /> val: 0x000000E8<br /> |-<br /> | 0xD544804A || SLPM-86007 || VANDAL HEARTS - USHINAWARETA KODAI BUNMEI [J] || 0x00000001 ||<br /> cmd: 0x00000003<br /> val: 0x00000001<br /> |-<br /> | 0xD546306D || SLPM-86020 || BUSHIDO BLADE [J] || 0x00000002 ||<br /> cmd: 0x00000003<br /> val: 0x00000004<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFE<br /> |-<br /> | 0xD550810A || SLPM-86147 || MYSTIC ARK - MABOROSHI GEKIJYO [J] || 0x00000002 ||<br /> cmd: 0x0000000E<br /> val: 0xFFFFFFFC<br /> cmd: 0x00000013<br /> val: 0x00000000<br /> |-<br /> | 0xD550910B || SLPM-86146 || POP 'N' TANKS! [J] || 0x00000002 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000002<br /> cmd: 0x00000002<br /> val: 0x00000001<br /> |-<br /> | 0xD554914B || SLPM-86106 || STAR OCEAN - THE SECOND STORY - [ 2 DISC ] [J] || 0x00000001 ||<br /> cmd: 0x0000000B<br /> val: 0x000F0010<br /> |-<br /> | 0xD555915B || SLPM-86116 || METAL GEAR SOLID - [ 3 DISC ] || 0x00000005 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000080<br /> cmd: 0x00000000<br /> val: 0x00008000<br /> cmd: 0x00000013<br /> val: 0x00000003<br /> cmd: 0x0000000B<br /> val: 0x00010002<br /> cmd: 0x00000014<br /> val: 0x00001715<br /> |-<br /> | 0xD556316D || SLPM-86120 || ITADAKI STREET - GORGEOUS KING [J] || 0x00000002 ||<br /> cmd: 0x00000013<br /> val: 0x00000010<br /> cmd: 0x00000016<br /> val: 0x00004348<br /> |-<br /> | 0xD561821A || SLPM-86257 || AITAKUTE... YOUR SMILES IN MY HEART - [ 4 DISC ] [J] || 0x00000002 ||<br /> cmd: 0x00000005<br /> val: 0x0000001E<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD561921B || SLPM-86256 || AITAKUTE... 
YOUR SMILES IN MY HEART - [ 3 DISC ] [J] || 0x00000002 ||<br /> cmd: 0x00000005<br /> val: 0x0000001E<br /> cmd: 0x00000002<br /> val: 0x00000008<br /> |-<br /> | 0xD571831A || SLPM-86357 || TOKIMEKI MEMORIAL 2 - [ 3 DISC ] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> |-<br /> | 0xD571931B || SLPM-86356 || TOKIMEKI MEMORIAL 2 - [ 2 DISC ] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000020<br /> |-<br /> | 0xD4509108 || SLPM-87145 || ARCADE HITS - SUIKO ENBU - OUTLAWS OF THE LOST DYNASTY [MAJOR WAVE SERIES] [J] || 0x00000001 ||<br /> cmd: 0xFFFFFFFF<br /> val: 0x00000004<br /> |-<br /> |}<br /> <br /> === Disc ID Hash generator ===<br /> <br /> To generate the hash from a Disc ID, there is a simple algorithm. The code below expects the ID in the form SLES12345 (no underscore, no dot, etc.). The four letters are taken as a big-endian 32-bit word and XORed with the five digits, which are parsed as hexadecimal digits and then combined as y + (y &lt;&lt; 12).<br /> <br /> &lt;pre&gt;<br /> def checksum(string):<br />     # first 4 characters (e.g. &quot;SLPS&quot;) as a big-endian 32-bit word<br />     x = string[0:4].encode('ascii').hex()<br />     x = int(x, 16)<br /> <br />     # remaining 5 digits are parsed as hexadecimal, then y + (y &lt;&lt; 12)<br />     y = string[4:]<br />     y = int(y, 16)<br />     y = y + (y &lt;&lt; 12)<br /> <br />     suma = x ^ y<br />     print(hex(suma))<br />     return suma<br /> <br /> checksum(&quot;SLPS01986&quot;)<br /> &lt;/pre&gt;<br /> <br /> ==External Compatibility Flags==<br /> External compatibility flags are supplied from the PSISOIMG0000 header. The data starts at absolute file offset 0x420 for single-disc games that do not use a PSTITLEIMG section. For games that do have a PSTITLEIMG section, the absolute offset is shifted by 0x400 bytes, i.e. to offset 0x820 and so on.<br /> <br /> *Offsets 0x420 and 0x424 hold a config revision that seems to be firmware related, but this may be a wrong assumption. <br /> *For 6.61 POPS, the value at offset 0x424 must be &lt;= 0x06060000, otherwise the configuration is skipped completely.<br /> *For 6.61 POPS, the value at offset 0x420 must be &gt; 0x06060000, otherwise the configuration is skipped completely.<br /> *Offset 0x428 is the parameter for the first config command. 
That one is special and is referred to in the official table as command -1 (0xFFFFFFFF).<br /> *Offset 0x42C is the parameter for config command 0x00, 0x430 for 0x01, and so on up to command 0x1F at offset 0x4A8.<br /> *The table is then repeated, from command 0xFFFFFFFF up to 0x1F, in the following bytes (0x4AC for -1 up to 0x52C for 0x1F). This copy seems to be unused, but it is better to keep it as original EBOOTs do.<br /> *Unused configs must be set to 0xFFFFFFFF, except commands -0x01, 0x10, 0x17, 0x18, 0x1D and 0x1E (offsets 0x428, 0x46C, 0x488, 0x48C, 0x4A0, 0x4A4), which must be set to 0x00000000 when unused.<br /> *Command 6 is not really unsupported, because the parameter for this command is an emulator memory offset with hardcoded data.<br /> *There is some special handling if the TITLE ID is set to PSRM, but that just sets predefined values, so it can be ignored here.<br /> <br /> '''Empty config example:'''<br /> &lt;br&gt;All values are little endian, excluding the ID, which is big-endian ASCII.<br /> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F<br /> <br /> 00000400 5F 53 4C 45 53 5F 31 32 33 34 35 00 00 00 00 00 _SLES_12345..... ID<br /> 00000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Padding, below everything in 4 bytes units:<br /> 00000420 70 00 07 06 00 00 06 06 00 00 00 00 FF FF FF FF p...........˙˙˙˙ Revision, Revision, cfg 0xFFFFFFFF, cfg 0x00<br /> 00000430 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg 0x01, cfg 0x02, cfg 0x03, cfg 0x04<br /> 00000440 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg 0x05, cfg 0x06, cfg 0x07, cfg 0x08<br /> 00000450 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg 0x09, cfg 0x0A, cfg 0x0B, cfg 0x0C<br /> 00000460 FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 ˙˙˙˙˙˙˙˙˙˙˙˙.... cfg 0x0D, cfg 0x0E, cfg 0x0F, cfg 0x10<br /> 00000470 FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 ˙˙˙˙˙˙˙˙˙˙˙˙˙˙.. 
cfg 0x11, cfg 0x12, cfg 0x13, cfg 0x14<br /> 00000480 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ˙˙˙˙˙˙˙˙........ cfg 0x15, cfg 0x16, cfg 0x17, cfg 0x18<br /> 00000490 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg 0x19, cfg 0x1A, cfg 0x1B, cfg 0x1C<br /> 000004A0 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ........˙˙˙˙.... cfg 0x1D, cfg 0x1E, cfg 0x1F, cfg2 0xFFFFFFFF<br /> 000004B0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg2 0x00, cfg2 0x01, cfg2 0x02, cfg2 0x03<br /> 000004C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg2 0x04, cfg2 0x05, cfg2 0x06, cfg2 0x07<br /> 000004D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg2 0x08, cfg2 0x09, cfg2 0x0A, cfg2 0x0B<br /> 000004E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ cfg2 0x0C, cfg2 0x0D, cfg2 0x0E, cfg2 0x0F<br /> 000004F0 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF ....˙˙˙˙˙˙˙˙˙˙˙˙ cfg2 0x10, cfg2 0x11, cfg2 0x12, cfg2 0x13<br /> 00000500 FF FF 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 ˙˙..˙˙˙˙˙˙˙˙.... cfg2 0x14, cfg2 0x15, cfg2 0x16, cfg2 0x17<br /> 00000510 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF ....˙˙˙˙˙˙˙˙˙˙˙˙ cfg2 0x18, cfg2 0x19, cfg2 0x1A, cfg2 0x1B<br /> 00000520 FF FF FF FF 00 00 00 00 00 00 00 00 FF FF FF FF ˙˙˙˙........˙˙˙˙ cfg2 0x1C, cfg2 0x1D, cfg2 0x1E, cfg2 0x1F<br /> <br /> ==Embed PS1 BIOS==<br /> The embedded PS1 BIOS is version &quot;System ROM Version 4.5 05/25/00 J&quot; (&quot;CEX-3000/1001/1002 by K.S.&quot;). POPS does not patch the region character as the PS1 emulator on PS3 does, which suggests an internal &quot;region free&quot; patch was applied to it. POPS applies a heavy 90400-byte patch to the BIOS if the 3rd character of the TITLE ID is &quot;P&quot; (mostly JPN region games, but also PBPX demos...). 
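The two sections above, the Disc ID hash generator and the external compatibility flags, as one added, runnable Python example (this is not code from the wiki or from POPS). It reimplements the hash so that it returns a value instead of printing it, accepts the decorated spellings of an ID (SLES-12345, _SLES_12345), and builds and parses the 0x420 table described in the bullet list, checking the builder byte for byte against the empty-config dump. The function and constant names (normalize_disc_id, build_config, parse_config, KNOWN_ROWS, WIKI_EMPTY_DUMP) are this example's own; the four table rows in KNOWN_ROWS are copied from the compatibility table, and the 0x0000FFFF marker for command 0x14 is taken from the dump rather than from the bullet list, which does not mention it.

```python
import struct


def normalize_disc_id(raw):
    """Reduce 'SLES-12345', 'SLES_123.45' or the '_SLES_12345' ID field of a
    PSISOIMG header to the bare 9-character form the hash expects.
    Assumption: only '_', '-', '.' and spaces ever decorate an ID."""
    s = "".join(ch for ch in raw.upper() if ch not in "_-. ")
    if len(s) != 9 or not s[:4].isalpha() or not s[4:].isdigit():
        raise ValueError(f"not a PS1 disc id: {raw!r}")
    return s


def disc_id_hash(raw):
    """Same arithmetic as the wiki's checksum(): four letters as a big-endian
    word, XORed with the five digits read as HEX digits and smeared as
    y + (y << 12). The 32-bit mask is a no-op for decimal digits."""
    s = normalize_disc_id(raw)
    x = int.from_bytes(s[:4].encode("ascii"), "big")
    y = int(s[4:], 16)
    return x ^ ((y + (y << 12)) & 0xFFFFFFFF)


CONFIG_BASE = 0x420                  # +0x400 when the EBOOT has a PSTITLEIMG section
REVISION_LIMIT = 0x06060000          # value 6.61 POPS compares both revision words to
COMMANDS = [-1] + list(range(0x20))  # -1 (stored as 0xFFFFFFFF), then 0x00..0x1F
ZERO_WHEN_UNUSED = {-1, 0x10, 0x17, 0x18, 0x1D, 0x1E}


def empty_value(cmd):
    """Marker POPS expects for a command the title does not use."""
    if cmd in ZERO_WHEN_UNUSED:
        return 0x00000000
    if cmd == 0x14:
        # The wiki's empty-config dump has FF FF 00 00 here, not FF FF FF FF;
        # reproduced as-is (assumption: the dump is authoritative).
        return 0x0000FFFF
    return 0xFFFFFFFF


def config_enabled(rev0, rev1):
    """6.61 POPS skips the whole table unless 0x420 > limit and 0x424 <= limit."""
    return rev0 > REVISION_LIMIT and rev1 <= REVISION_LIMIT


def build_config(params, rev0=0x06070070, rev1=0x06060000):
    """0x110 bytes: two revision words, then the 33-entry table twice (the
    second copy looks unused but original EBOOTs carry it). params: cmd -> value."""
    unknown = set(params) - set(COMMANDS)
    if unknown:
        raise ValueError(f"unknown config commands: {sorted(unknown)}")
    table = b"".join(struct.pack("<I", params.get(c, empty_value(c)) & 0xFFFFFFFF)
                     for c in COMMANDS)
    return struct.pack("<II", rev0, rev1) + table + table


def build_header_region(disc_id, params):
    """Bytes 0x400..0x52F: ASCII ID zero-padded to 0x20 bytes, then the config."""
    return disc_id.encode("ascii").ljust(0x20, b"\0") + build_config(params)


def parse_config(data, base=CONFIG_BASE):
    """Read the first table back from a whole-file buffer. A value equal to the
    command's empty marker cannot be told apart from 'unused' and is dropped."""
    rev0, rev1 = struct.unpack_from("<II", data, base)
    params = {}
    for i, cmd in enumerate(COMMANDS):
        (val,) = struct.unpack_from("<I", data, base + 8 + 4 * i)
        if val != empty_value(cmd):
            params[cmd] = val
    return {"rev0": rev0, "rev1": rev1,
            "enabled": config_enabled(rev0, rev1), "params": params}


# Four rows copied from the compatibility table above, keyed by the hash column.
KNOWN_ROWS = {
    0xD55DE0D8: ("SLPM-86095", {0x04: 0xFFFFFFE5}),
    0xD55DF0D9: ("SLPM-86094", {0x0E: 0xFFFFFFF0, 0x02: 0x00000008}),
    0xD440E009: ("SLPM-87044", {0x01: 0x000000EE, 0x19: 0xFFFF0003}),
    0xD501A414: ("SLPM-86459", {-1: 0x10000030, 0x00: 0x00008000,
                                0x13: 0x0000000A, 0x0E: 0xFFFFFFE1}),
}


def config_for(disc_id):
    """Look a title up by its disc-ID hash; unknown titles get an empty table."""
    return KNOWN_ROWS.get(disc_id_hash(disc_id), (None, {}))[1]


# The wiki's "Empty config example" dump (0x400..0x52F) as bytes.
WIKI_EMPTY_DUMP = bytes.fromhex(
    "5F534C45535F3132333435" + "00" * 21           # 0x400 "_SLES_12345" + padding
    + "70000706" + "00000606" + "00" * 4 + "FF" * 4  # 0x420 rev, rev, cfg -1, cfg 0
    + "FF" * 48                                    # 0x430..0x45F
    + "FF" * 12 + "00" * 4                         # 0x460 (cfg 0x10 zero)
    + "FF" * 14 + "00" * 2                         # 0x470 (cfg 0x14 = 0x0000FFFF)
    + "FF" * 8 + "00" * 8                          # 0x480 (cfg 0x17, 0x18 zero)
    + "FF" * 16                                    # 0x490
    + "00" * 8 + "FF" * 4 + "00" * 4               # 0x4A0 (0x1D, 0x1E, cfg2 -1 zero)
    + "FF" * 64                                    # 0x4B0..0x4EF
    + "00" * 4 + "FF" * 12                         # 0x4F0
    + "FFFF0000" + "FF" * 8 + "00" * 4             # 0x500
    + "00" * 4 + "FF" * 12                         # 0x510
    + "FF" * 4 + "00" * 8 + "FF" * 4               # 0x520
)


def matches_wiki_dump():
    """True when an empty table for _SLES_12345 reproduces the dump byte for byte."""
    return build_header_region("_SLES_12345", {}) == WIKI_EMPTY_DUMP
```

parse_config takes the whole file buffer and the base offset, so a title with a PSTITLEIMG section is read with base=CONFIG_BASE + 0x400. When checking an EBOOT, compare parse_config(...)["params"] against the row for that title's hash; any command whose value equals its empty marker is silently treated as unused, which is the same ambiguity the on-disc format itself has.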
The patch is applied at raw offset 0x18000; what it does is currently unknown.</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12080 Vulnerabilities 2023-10-09T21:59:18Z <p>CelesteBlue: /* PS1 Game Savedata */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer on the stack for this to be read into, presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> German version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD but absent from the spine of the patched 2.60 UMD.<br /> <br /> Another indication is the copyright date: 2005 means unpatched, 2006 means patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/

==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: <= 1.81. Patched on 2.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/

==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: <= 1.81 ====

https://wololo.net/talk/viewtopic.php?f=56&t=36217

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: <= 1.81. Patched 2.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/

==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: <= 2.02. Patched 2.05 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/

==== Dissidia Duodecim: <= 2.05 ====

==== Apache Overkill by Tomtomdu80: <= 2.06 ====

==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: <= 2.12 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: <= 2.60. Patched 2.61 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====

==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====

==== Jewel Keepers: <= 2.61. Patched 3.00 ====

==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/

==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: <= 3.00 ====

https://wololo.net/talk/viewtopic.php?f=56&t=36217

==== Cubixx: <= 3.00. Patched 3.01 ====

==== Ben 10 Alien Force: Vilgax Attacks: <= 3.01. Patched 3.10 ====

==== King Of Pool by qwikrazor87: <= 3.01. Patched 3.10 ====

This game was exploited 4 times and fixed 4 times.

==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====

Not exploited.

==== 101-in-1 Megamix by xerpi: <= 3.01. Patched 3.10 ====

==== Fifa 2011, Fifa 2012: <= 3.01. Patched 3.10 ====

==== Persona 2: Innocent Sin, Persona 2: Tsumi: <= 3.01. Patched 3.10 ====

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: <= 3.01. Patched 3.10 ====

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 3.12 ====

==== MyStylist: <= 3.15 ====

==== Skate Park City: <= 3.15. Patched 3.18 ====

==== Space Invaders Extreme: <= 3.18 ====

==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: <= 3.18 ====

https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====

Discovered around 2014-09-12 by qwikrazor87.

https://wololo.net/talk/viewtopic.php?t=39771

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/

==== Vertigo (NPUH10092) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/

==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/

==== Patapon 1: <= 3.18 ====

==== Talkman Travel: Tokyo: <= 3.18 ====

==== Go! Sudoku (UCES00152): <= 3.30 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Darts: <= 3.36 ====

==== Patapon 2 non-demo (UCES01177): <= 3.36 ====

https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/

https://github.com/TheOct0/patapon_exploit

https://github.com/wololo-learning-journey/patapon_exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://wololo.net/talk/viewtopic.php?f=53&t=41343

==== Numblast: <= 3.36 ====

==== Hot Brain: <= 3.36 ====

==== Hatsune Miku: Project DIVA extend: <= 3.36 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====

==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Puzzle Scape: <= 3.52 ====

==== World of Pool, Pool Hall Pro: <= 3.52 ====

==== Metal Gear Solid Portable OPS+ by 173210: <= 3.57 ====

https://github.com/173210/psp_exploits/

=== After PS Vita era ===

==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====

https://github.com/ChampionLeake/scrabblehax

==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====

https://github.com/ChampionLeake/SudokuSTACK

=== Remarks ===

PSP demos are usually not exploitable because they do not use the savedata feature.
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.

https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/

http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/

https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/

== PS1 Game Savedata ==

=== Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 ===

Discovered around 2014-04-21 by qwikrazor87.

Maybe not exploitable.

=== Noon (NPJJ00466) by qwikrazor87 ===

Discovered around 2014-10-03 by qwikrazor87.

Maybe not exploitable.

=== Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 ===

Discovered around 2015-09-28 by qwikrazor87.

Once you have installed the exploit file, start Harvest Moon: Back To Nature; after about 20 seconds the screen should flash white.

=== Tekken 2 by qwikrazor87 and Acid_snake ===

Discovered around 2014-02-10 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.

https://wololo.net/downloads/index.php/download/8275

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

=== Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===

Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob.

https://wololo.net/downloads/index.php/download/8275

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

=== Castlevania Chronicles (NPUJ01384) by ChampionLeake ===

https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities

https://github.com/socram8888/tonyhax/issues/39

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Crash Bandicoot 2: Cortex Strikes Back by qwikrazor87, Acid_snake and ?alex-free? ===

Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/

=== Crash Bandicoot 3: Warped by qwikrazor87, Acid_snake and ?alex-free? ===

Discovered in 2014 by qwikrazor87 and Acid_snake. Disclosed on 2015-09-16 by Acid_snake.

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/

=== Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===

https://alex-free.github.io/tonyhax-international/save-game-exploit.html

=== Exploitable PS1 games not available officially on PSP ===

Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].

== POPS ==

=== POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) ===

Discovered by qwikrazor87 and Acid_snake. Implemented in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob.

Due to the dynamic recompilation done by POPS, any buffer overflow in a PS1 game that would normally let you control $ra is translated into native PSP code that lets you control part of a register. This register holds a pointer that the system later jumps to with <code>jalr</code>. Because the entire register is not under control (due to the memory address translation done by the dynarec), only a fixed 4MB window of RAM can be addressed. Within these 4MB of RAM lies the pointer to the virtual memory card (VMC), which is loaded as a whole into RAM. VMCs are plaintext (not encrypted) and no integrity check is done on them at all. So that pointer can be read and jumped to, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (its first 4 bytes) is interpreted as a MIPS forward branch instruction (and the delay slot is effectively a NOP). This makes the PSP (PSPemu) execute code well into the middle of the VMC, where you can inject your PSP usermode code payload.

https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/

== Unclassified usermode vulnerabilities ==

=== PsOneLoader by TheFloW ===

https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/

== System ==

=== libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 ===

Discovered on 2005-09-23 by Niacin and Skylark.

The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is at a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.

Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.

https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit

=== libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 ===

Discovered in 2006-09.

Implemented in Kriek eLoader and xLoader by Team N00bz.

https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit

=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 ===

Discovered in 2008-08. Released on 2009-03-15.

https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/

https://www.youtube.com/watch?v=RUJnXADjxsw

https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/

=== libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 ===

Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.

https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World

https://wololo.net/2009/04/13/eggsplanations/

https://www.youtube.com/watch?v=wV21QqQmX_o

=== Unsigned System PRX allowed: PSP <= 6.20 ===

Discovered in 2011 by kgsws.

When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. It became possible to sign a custom vshmain and replace a step in the bootchain.

kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of the 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which cannot be forged.

Fixed: since PSP System Software version 6.30.

=== Old System PRX allowed ===

Discovered around 2005.

It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.

Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.

Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here: the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The Infinity installer actually excludes some features (Location Free TV) so everything important can be installed.

Infinity 2 uses a signed usermode system PRX.

https://github.com/DaveeFTW/Infinity

https://infinity.lolhax.org/

https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/

The same vulnerability is present at least partially on PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.

Fixed: no.

=== POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===

There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. It can be overflowed with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability, as they were looking for an exploit compatible with PS Vita at the time.

This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4 PS1emu memory card managers.

= Kernel =

== kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.74 ==

https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion

https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c

It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) so that it works with the sceKernelDeleteThread UID kexploit.

== kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 ==

https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition

https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c

== VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==

[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]

[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]

== sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita <= 3.50 ==

Discovered around 2014-10-20 by qwikrazor87.

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt

== _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita <= 3.50 ==

Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c

https://pastebin.com/Sdz0XPRg

== sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==

Discovered around 2015-01-29.

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c

== _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==

Discovered around 2014-04-05 by qwikrazor87.

There is a time-of-check to time-of-use vulnerability in chnnlsv.

https://twitter.com/qwikrazor87/status/510187344893607937

https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt

https://pastebin.com/SE7UvPRR

https://github.com/173210/TN-Rev/blob/master/loader/main.c

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c

== _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita <= ?3.15? ==

Discovered around 2013-10-22.

https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c

== sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita <= ?2.11? ==

Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.

There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.

https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/

== 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita <= 2.02 ==

Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.

The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that plenty of such vulnerabilities remained, so the person who patched it must have been someone else who did not believe such a failure could exist. To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.

The 11 functions require an active WiFi connection.

Kernel write access:
<pre>
sceWlanDrv_lib_354D5D6B(char *dest); // kwrite
sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite
sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite
sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);
sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite
sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite
sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite
sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite
</pre>

Kernel read access:
<pre>
sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48
sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48, memcpy(*0x00017A48, src, size);
sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter: writes to 0x00017A48
</pre>

https://www.twitlonger.com/show/kr81e0

https://wololo.net/talk/viewtopic.php?f=56&t=27532&start=40#p233947

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c

https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/

== kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita <= 2.01 ==

Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.

kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.

These vulnerabilities were implemented together with the UNO game savedata usermode exploit by Frostegater.

https://twitter.com/Yosh778/status/295355524818546688

https://www.twitlonger.com/show/kr81e0

== sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==

Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.

In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software <= 1.80 PSPemu it is not.

Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.

sceWlanGetEtherAddr does not require an active WiFi connection.

Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.

https://wololo.net/talk/viewtopic.php?f=23&t=12760

https://pastebin.com/TNWsEfHw

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c

https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c

== sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP <= 6.61 ==

Discovered in 2009 by davee. Released on 2022-11-03 by davee.

The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a 64-bit comparison, returning different values for a0 < a1, a0 == a1 and a0 > a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) with one comparison.

This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita PSPemu kernel dump.

TBD: implementation by CelesteBlue

== sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP <= 6.61 ==

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c

The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 <= a1 and a0 > a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. On each iteration, you determine the value of the current bit (0 or 1) with one comparison.

TBD: implementation by CelesteBlue

== sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP <= 6.61 ==

https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c

https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c

== sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==

Discovered by some1, then exploited by liquidzigong.

https://wololo.net/talk/viewtopic.php?t=6612

https://wololo.net/2011/05/23/6-38-downgrader-by-some1/

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/smiky/psptools/blob/master/kxploit/main.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==

https://lolhax.org/2010/12/23/arcanum/

https://wololo.net/talk/viewtopic.php?f=5&t=947

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==

https://wololo.net/talk/viewtopic.php?p=147730#p147730

https://wololo.net/talk/viewtopic.php?p=147732#p147732

== GEN/M33 contested wlan exploit: PSP <= 5.50 ==

?? Ask davee.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP <= 5.03 ==

Because of the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.

https://wololo.net/talk/viewtopic.php?p=2022

https://wololo.net/talk/viewtopic.php?p=2022#p2022

https://wololo.net/talk/viewtopic.php?f=5&t=242

http://www.kingx.de/forum/showthread.php?tid=15275

This exploit clobbers 16 bytes of kernel memory, so kernel memory has to be read before exploiting and the other 12 bytes restored afterwards.

This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.

== Registry error store: PSP <= ?2.80? ==

According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== Registry write access from usermode: PSP <= 2.60 ==

Since the registry is stored on flash1, it can be accessed from usermode.

== sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==

There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character ":" in that path and calculates the length of the drive name from that (e.g. "ms0:"). It then copies the drive name onto the stack with strncpy.

The exploit is located in a subroutine in the loadexec.prx file. It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used by other functions like "sceKernelLoadExec") is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. This is why a drive name of 48 chars (plus an extra ':' char to let the loop end), containing an address to an arbitrary position in memory (pointing to a function of ours, for example) at chars 44 to 47 of the filename, will allow us to run any code we want in the context of the executing routine (kernel mode), because when the routine ends it reloads the return address from the stack and directly jumps to it.

In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error.
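As an added illustration (not code from loadexec.prx, from hitchhikr's writeup, or from any PSP firmware), the following C models the unbounded drive-name copy described above next to a bounded version that applies the 0x1F limit; the 48-byte frame with the return address at bytes 44..47 and all function names are assumptions taken from the description, and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stack layout, taken from the description above: a 48-byte frame
 * whose saved return address occupies bytes 44..47, so a copy that writes
 * at or beyond offset 44 clobbers the return address. */
#define RA_OFFSET        44
/* Bound applied by later loadexec versions (from the text): a drive name
 * longer than 0x1F bytes is rejected with an error. */
#define DRIVE_NAME_MAX   0x1F

/* Length of the drive part of `path` (the characters before the first ':').
 * Returns -1 when the name is empty or no ':' is present. */
int drive_name_len(const char *path)
{
    const char *colon;

    if (path == NULL || *path == '\0' || *path == ':')
        return -1;
    colon = strchr(path, ':');
    if (colon == NULL)
        return -1;
    return (int)(colon - path);
}

/* Models the 2.01-2.60 routine: it copies the drive name onto the stack until
 * it meets ':' with no length check, so it writes frame bytes [0, n).
 * Returns the last frame offset written, or -1 if nothing is copied. */
int unchecked_copy_last_offset(const char *path)
{
    int n = drive_name_len(path);
    return n < 0 ? -1 : n - 1;
}

/* 1 if the unchecked copy would overwrite the saved return address. */
int unchecked_copy_clobbers_ra(const char *path)
{
    return unchecked_copy_last_offset(path) >= RA_OFFSET;
}

/* Hardened extraction, in the spirit of the later firmware check: refuse
 * over-long names before copying and never write past `outsz` bytes.
 * Returns 0 on success, -1 for a malformed path, -2 for an over-long name. */
int get_drive_name_checked(const char *path, char *out, size_t outsz)
{
    int n = drive_name_len(path);

    if (n < 0)
        return -1;
    if (n > DRIVE_NAME_MAX || (size_t)n + 1 > outsz)
        return -2;
    memcpy(out, path, (size_t)n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper returning the drive name from a static buffer,
 * or NULL when the checked extraction rejects the path. */
const char *drive_name_of(const char *path)
{
    static char buf[DRIVE_NAME_MAX + 1];
    return get_drive_name_checked(path, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Builds a constructed path of `drive_len` 'A' characters followed by ':'
 * and reports whether the unchecked copy would clobber the return address. */
int synthetic_drive_clobbers_ra(int drive_len)
{
    char path[256];

    if (drive_len < 1 || drive_len > 250)
        return -1;
    memset(path, 'A', (size_t)drive_len);
    path[drive_len] = ':';
    path[drive_len + 1] = '\0';
    return unchecked_copy_clobbers_ra(path);
}

/* Same constructed path through the hardened routine; returns its status code. */
int synthetic_drive_checked_status(int drive_len)
{
    char path[256], out[DRIVE_NAME_MAX + 1];

    if (drive_len < 1 || drive_len > 250)
        return -1;
    memset(path, 'A', (size_t)drive_len);
    path[drive_len] = ':';
    path[drive_len + 1] = '\0';
    return get_drive_name_checked(path, out, sizeof out);
}

int main(void)
{
    printf("ms0:/PSP/GAME -> drive \"%s\"\n", drive_name_of("ms0:/PSP/GAME"));
    printf("48-char drive name clobbers RA (unchecked): %d\n",
           synthetic_drive_clobbers_ra(48));
    printf("48-char drive name, checked routine status: %d\n",
           synthetic_drive_checked_status(48));
    return 0;
}
```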
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping memory stick after loading a valid ELF with one that contained an unsigned one or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32 bit size/offset field (lets call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9<br /> <br /> If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # store 0xBC100000 to $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # store coprocessor $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 $ # if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to an arbitrary location.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader jumps to whatever location is specified as the last IPL block's entrypoint. This allows arbitrary execution. In the Pandora hack it was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100, which allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a very small IPL block, which is favourable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key only after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode, however, the key is cleared much earlier, so the cache is synced only once the key is already gone. 
This makes it easy to retrieve the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it is possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs the hash of each IPL block into a running accumulator as the blocks are loaded, then verifies the signature against that final accumulated value rather than over the ordered sequence of hashes.<br /> <br /> Because XOR is its own inverse (h XOR h = 0), inserting the same block twice in the chain cancels out in the accumulator and the signature remains valid.<br /> <br /> NOTE: For this to work, the checksum field of each inserted block has to be &quot;forged&quot; so that it matches the checksum of the preceding block.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12073 Vulnerabilities 2023-10-08T23:20:00Z <p>CelesteBlue: /* sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
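<br /> <br /> The overflow described above, modelled in C as an added example (this is not the game's code and not code from this page): a constructed save file whose .size element is four bytes larger than the fixed buffer lands on the saved return address of a simulated stack frame, while a hardened loader rejects the same file. The header layout, the 64-byte buffer, the magic value and the return addresses are assumptions chosen for illustration.<br /> <br />
```c
/*
 * Added example, not code from the psdevwiki page or from GTA LCS: a model of
 * a savedata loader that trusts the .size element of the file header.
 * Header layout, buffer size, magic value and return addresses are assumptions.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVE_BODY_SIZE 64u          /* assumed sizeof(savestruct) body */
#define LEGIT_RA       0x08804000u  /* assumed legitimate return address */

/* Assumed on-disk header: 4-byte magic, then the .size element at offset 4. */
struct save_header {
    uint32_t magic;
    uint32_t size;                  /* bytes the game copies into its stack buffer */
};

/*
 * Model of the game's stack frame: the fixed-size savedata buffer followed by
 * the saved return address, the first thing an overflow reaches. Keeping both
 * in one struct keeps the over-long memcpy inside a single object, so the model
 * is deterministic rather than undefined behaviour.
 */
struct frame {
    uint8_t  savebuf[SAVE_BODY_SIZE];
    uint32_t saved_ra;
};

/* Vulnerable: copies header.size bytes into a SAVE_BODY_SIZE buffer. */
uint32_t load_save_vulnerable(const uint8_t *file, size_t file_len)
{
    struct frame f;
    struct save_header hdr;
    f.saved_ra = LEGIT_RA;
    if (file_len < sizeof hdr)
        return f.saved_ra;
    memcpy(&hdr, file, sizeof hdr);
    size_t n = hdr.size;
    if (n > file_len - sizeof hdr)
        n = file_len - sizeof hdr;
    if (n > sizeof f)               /* model-only bound: stay inside the frame object */
        n = sizeof f;
    memcpy(&f, file + sizeof hdr, n);   /* bug: n may exceed SAVE_BODY_SIZE */
    return f.saved_ra;                  /* attacker data once n > SAVE_BODY_SIZE */
}

/* Hardened: the size must match the buffer exactly and must fit in the file. */
uint32_t load_save_hardened(const uint8_t *file, size_t file_len, int *accepted)
{
    struct frame f;
    struct save_header hdr;
    f.saved_ra = LEGIT_RA;
    *accepted = 0;
    if (file_len < sizeof hdr)
        return f.saved_ra;
    memcpy(&hdr, file, sizeof hdr);
    if (hdr.size != SAVE_BODY_SIZE || hdr.size > file_len - sizeof hdr)
        return f.saved_ra;
    memcpy(f.savebuf, file + sizeof hdr, hdr.size);
    *accepted = 1;
    return f.saved_ra;
}

/*
 * Constructed malicious save: .size is four bytes larger than the buffer and
 * the extra bytes carry the value that replaces the saved return address.
 */
size_t build_evil_save(uint8_t *out, size_t cap, uint32_t new_ra)
{
    struct save_header hdr = { 0x53415645u /* assumed magic */, SAVE_BODY_SIZE + 4 };
    size_t total = sizeof hdr + hdr.size;
    if (cap < total)
        return 0;
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, 'A', SAVE_BODY_SIZE);
    memcpy(out + sizeof hdr + SAVE_BODY_SIZE, &new_ra, sizeof new_ra);
    return total;
}

/* Runs the constructed save through one of the two loaders. */
uint32_t demo_ra(int hardened, int *accepted)
{
    uint8_t file[128];
    int dummy;
    size_t len = build_evil_save(file, sizeof file, 0x08900000u);
    if (!accepted)
        accepted = &dummy;
    return hardened ? load_save_hardened(file, len, accepted)
                    : load_save_vulnerable(file, len);
}

int demo_hardened_accepts(void)
{
    int accepted = 1;
    demo_ra(1, &accepted);
    return accepted;
}

int main(void)
{
    printf("vulnerable loader returns to 0x%08" PRIx32 "\n", demo_ra(0, NULL));
    printf("hardened loader returns to 0x%08" PRIx32 ", accepted=%d\n",
           demo_ra(1, NULL), demo_hardened_accepts());
    return 0;
}
```
<br /> <br /> The model clamps the copy to the frame object so it stays defined C; on the real game the copy runs on past the saved return address into whatever follows on the stack, which is what makes the .size element a reliable control-flow hijack.<br /> <br /> 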
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The Exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 Unpatched, and Patched UMDs look exactly the same... Only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine on the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 or Acid_snake.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87 or Acid_snake.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 or Acid_snake. 
Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. 
Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. 
Sony did patch this up in later firmware by applying an ECDSA signature, which we cannot forge, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here: the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially on PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. 
qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> 
Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> Discovered around 2015-01-29.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> Discovered around 2014-04-05 by qwikrazor87.<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? 
==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too long string is passed as argument, the overflowing content overwrites the saved return address ($ra) on the kernel stack, so it can be forged to trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else, who did not believe such a fail could exist. 
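<br /> <br /> The missing check, shown in C as an added example (not code from Sony, ARK or this page): a model of a sceWlanDrv_lib-style export that copies a value to a caller-supplied pointer, once without and once with the k1 test the PSP kernel applies. On the real kernel the syscall handler sets the $k1 register for user callers and exported functions shift it left by 11, so a user caller sees 0x80000000 and a kernel caller 0; here a plain variable stands in for $k1. The export name, the simulated memory ranges, the constructed ethernet address and the error value are assumptions.<br /> <br />
```c
/*
 * Added example, not code from Sony, ARK or the psdevwiki page: a model of the
 * PSP kernel k1 argument check that the ported sceWlanDrv_lib exports omitted.
 * A plain variable stands in for the shifted $k1 register. The export name,
 * the simulated memory ranges and the error code are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define K1_USER   0x80000000u   /* bit 31: kernel addresses are >= 0x80000000 */
#define K1_KERNEL 0u
#define SCE_KERNEL_ERROR_ILLEGAL_ADDR ((int)0x800200d3)  /* assumed PSP SDK value */

static uint32_t k1 = K1_USER;   /* stand-in for $k1 after the << 11 shift */

void set_caller(int user_mode)
{
    k1 = user_mode ? K1_USER : K1_KERNEL;
}

/*
 * The test the kernel applies to a caller-supplied buffer: start address,
 * length and end address must all be below the kernel boundary. Including
 * ptr + size catches a user pointer just below 0x80000000 whose length runs
 * into kernel memory. With k1 == 0 (kernel caller) everything passes.
 */
int user_buf_ok(uint32_t ptr, uint32_t size)
{
    return ((ptr | size | (ptr + size)) & k1) == 0;
}

/* Simulated RAM: 64 bytes of user memory and 64 bytes of kernel memory. */
#define UMEM_BASE 0x08800000u   /* assumed user address */
#define KMEM_BASE 0x88000000u   /* assumed kernel address */
static uint8_t umem[64];
static uint8_t kmem[64];

static uint8_t *resolve(uint32_t addr, uint32_t len)
{
    if (addr >= UMEM_BASE && addr - UMEM_BASE + len <= sizeof umem)
        return umem + (addr - UMEM_BASE);
    if (addr >= KMEM_BASE && addr - KMEM_BASE + len <= sizeof kmem)
        return kmem + (addr - KMEM_BASE);
    return NULL;
}

/* Constructed "ethernet address" the driver hands back to the caller. */
static const uint8_t ether_addr[6] = { 0x00, 0x16, 0xfe, 0x12, 0x34, 0x56 };

/*
 * Model of an export such as sceWlanGetEtherAddr(u8 *dest). With check_k1 == 0
 * it behaves like the vulnerable kermit port: a user caller can point dest at
 * kernel memory and the kernel writes there on its behalf.
 */
int wlan_get_ether_addr(uint32_t dest, int check_k1)
{
    if (check_k1 && !user_buf_ok(dest, sizeof ether_addr))
        return SCE_KERNEL_ERROR_ILLEGAL_ADDR;
    uint8_t *p = resolve(dest, sizeof ether_addr);
    if (!p)
        return -1;                       /* outside the simulated RAM */
    memcpy(p, ether_addr, sizeof ether_addr);
    return 0;
}

/* 1 if the simulated kernel memory now starts with the ethernet address. */
int kmem_was_written(void)
{
    return memcmp(kmem, ether_addr, sizeof ether_addr) == 0;
}

/* Clears both memories, sets the caller's k1 and performs one call. */
int run_scenario(int user_mode, int check_k1, uint32_t dest)
{
    memset(umem, 0, sizeof umem);
    memset(kmem, 0, sizeof kmem);
    set_caller(user_mode);
    return wlan_get_ether_addr(dest, check_k1);
}

int main(void)
{
    int r = run_scenario(1, 0, KMEM_BASE);
    printf("unchecked export, user caller, kernel dest: ret=%d kmem written=%d\n",
           r, kmem_was_written());
    r = run_scenario(1, 1, KMEM_BASE);
    printf("checked export,   user caller, kernel dest: ret=0x%08x kmem written=%d\n",
           (unsigned)r, kmem_was_written());
    return 0;
}
```
<br /> <br /> The same check also rejects the wrap-around case (a user pointer at 0x7ffffffc with a size of 8 reaches 0x80000004), which is why the kernel tests the end address and not only the start.<br /> <br /> 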
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60, the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the lack of k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP nor on PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on PSP nor on PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset to anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so it is necessary to read that kernel memory before exploiting and to restore the other 12 bytes afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is to modify the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path and calculates the length of the drive name from it (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions such as &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see whether the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, a drive name supplied by the user that is long enough will overwrite the rest of the stack-based values, such as the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end), whose chars 44 to 47 contain an address to an arbitrary position in memory (pointing to a function of ours, for example), will allow us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
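As an added illustration (not code from loadexec.prx or from hitchhikr's exploit), the following C model puts the unchecked drive-name copy described above beside the bounded variant that later firmware applies. The function names and the sample paths are constructed; the 48-byte frame, the return-address offset 44 and the 0x1F limit are the figures given in the text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the loadexec drive-name routine, not the original
 * loadexec.prx code. The page describes a 48-byte stack frame with the saved
 * return address in bytes 44..47, and a 0x1F-byte limit on the drive name in
 * later firmware; those three constants come from the text above. */
#define FRAME_SIZE    48
#define RA_OFFSET     44
#define MAX_DRIVE_LEN 0x1F

enum {
    DRIVE_ERR_EMPTY    = -1, /* empty drive name, or no ':' in the path */
    DRIVE_ERR_TOO_LONG = -2  /* drive name longer than MAX_DRIVE_LEN */
};

/* Constructed sample paths: a normal one and one with a 48-character drive
 * name, which is the length the page says overwrites the return address. */
static const char SAMPLE_SHORT_PATH[] = "ms0:/PSP/GAME/EBOOT.PBP";
static const char SAMPLE_LONG_PATH[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
    ":/PSP/GAME/EBOOT.PBP";

/* Length of the drive part, i.e. the characters before the first ':'.
 * Mirrors the routine's "stop only at ':'" loop; the only early exits are the
 * empty-name check the page mentions and a missing ':' (so the model cannot
 * run off the end of the string). */
static int drive_name_len(const char *path)
{
    size_t n = 0;
    if (path[0] == '\0' || path[0] == ':')
        return DRIVE_ERR_EMPTY;
    while (path[n] != ':') {
        if (path[n] == '\0')
            return DRIVE_ERR_EMPTY;
        n++;
    }
    return (int)n;
}

/* Unchecked variant, as the page describes the 2.60 routine: the length is
 * never compared against the frame. So that this model does not smash its
 * own stack, the caller supplies the scratch frame and its capacity; bytes
 * beyond the capacity are counted but not written. The return value is the
 * number of bytes the real routine would have written into its 48-byte frame. */
int drive_copy_unchecked(const char *path, char *frame, size_t frame_cap)
{
    int len = drive_name_len(path);
    if (len < 0)
        return len;
    memcpy(frame, path, (size_t)len < frame_cap ? (size_t)len : frame_cap);
    return len;
}

/* Bounded variant modelled on the later firmware fix the page describes:
 * reject the name before copying when it is longer than 0x1F bytes, so the
 * copy can never reach the saved return address at bytes 44..47. */
int drive_copy_checked(const char *path, char *frame, size_t frame_cap)
{
    int len = drive_name_len(path);
    if (len < 0)
        return len;
    if (len > MAX_DRIVE_LEN || (size_t)len > frame_cap)
        return DRIVE_ERR_TOO_LONG;
    memcpy(frame, path, (size_t)len);
    return len;
}

/* Would a copy of this many bytes into the 48-byte frame overwrite any of
 * the saved return address (bytes 44..47)? */
int copy_clobbers_return_address(int copied)
{
    return copied > RA_OFFSET;
}

int main(void)
{
    char frame[FRAME_SIZE];
    int n = drive_copy_unchecked(SAMPLE_LONG_PATH, frame, sizeof frame);
    printf("unchecked: %d bytes copied, return address clobbered: %s\n",
           n, copy_clobbers_return_address(n) ? "yes" : "no");
    printf("checked:   result %d (expected %d, DRIVE_ERR_TOO_LONG)\n",
           drive_copy_checked(SAMPLE_LONG_PATH, frame, sizeof frame),
           DRIVE_ERR_TOO_LONG);
    return 0;
}
```

The bounded variant rejects the input before any byte is copied, which is the property a reviewer should look for: the length check has to precede the copy, not follow it.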
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after loading a valid ELF, with one that contained an unsigned one, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad range (0xA0010000 uncached; 0x80010000 cached) is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, which thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not control the block size. 
This allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design choice. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, resulting in the cache being synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12072 Vulnerabilities 2023-10-08T23:11:08Z <p>CelesteBlue: /* PS1 Game Savedata */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * The unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The &quot;18&quot; logo in a red circle is present on the spine of the unpatched (pre-2.60) UMD, but absent from the spine of the patched 2.60 UMD.<br /> <br /> Another indication is the copyright date: 2005 means unpatched, 2006 means patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-04-21 by qwikrazor87 or Acid_snake.<br /> <br /> Maybe not exploitable.<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87 or Acid_snake.<br /> <br /> Maybe not exploitable.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 or Acid_snake. 
Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. 
Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of the 6.20 permanent custom firmware.
Sony patched this in later firmware by applying an ECDSA signature, which cannot be forged, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially on the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name.
qwikrazor87 and Acid_snake never pursued this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) so that it works with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> 
Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> Discovered around 2014-04-05 by qwikrazor87.<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1.
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be crafted to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure could exist.
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw something, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx module.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP nor on PSPemu, kernel pointers can be passed.
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the kernel memory has to be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is to modify the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file.
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack buffer. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is long enough, it will overwrite the other stack-based values, such as the return address. Hence, a drive name of 48 chars (plus an extra ':' char to end the loop), with the address of an arbitrary position in memory (pointing to a function of ours for example) located at the 44th to 47th chars of the filename, allows running any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps to it directly.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error.
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick after loading a valid ELF with one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes.
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, within the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader jumps to the address held in that register very early in the code (by the 8th instruction).
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the value read from 0xBC100000) is not zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop # branch delay slot<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...).
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not validate the block size.
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g.
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) pass.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced only once the key is already gone.
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it is possible that Tachyon 0x00600000 and later Lib-PSP iplloader versions fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash together as the blocks are loaded, and then uses the final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12071 Vulnerabilities 2023-10-08T23:08:34Z <p>CelesteBlue: /* Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
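Added example (not code from the wiki or from the game): a savedata loader that validates the size field at offset 0x0004 against the destination buffer and the file length before copying, which is the check the description above says GTA LCS lacked. The savestruct layout, the magic value and the helper names are hypothetical, and the image bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the game's savedata layout: the real structure
 * is not on the page, only that its size field sits at offset 0x0004. */
#define SAVE_HEADER_LEN 8u
#define SAVE_BODY_LEN   64u

typedef struct {
    uint32_t magic;              /* offset 0x0000 (hypothetical) */
    uint32_t size;               /* offset 0x0004: total size declared by the file */
    uint8_t  body[SAVE_BODY_LEN];
} savestruct;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loader. The original copied .size bytes from the file into a
 * sizeof(savestruct) stack buffer; the three checks below are what it lacked.
 * Returns 0 on success, -1 if the declared size cannot be honoured. */
int load_savedata(const uint8_t *file, size_t file_len, savestruct *out)
{
    if (file == NULL || out == NULL || file_len < SAVE_HEADER_LEN)
        return -1;
    uint32_t declared = rd32le(file + 4);
    if (declared < SAVE_HEADER_LEN)      /* cannot be smaller than its own header */
        return -1;
    if (declared > sizeof(savestruct))   /* would overflow the destination */
        return -1;
    if (declared > file_len)             /* would read past the end of the file */
        return -1;
    memset(out, 0, sizeof *out);
    memcpy(out, file, declared);
    return 0;
}

/* Constructed sample image (not real DATA.BIN contents): a full-size save
 * whose size field is set to whatever the caller asks for. */
static uint8_t g_image[sizeof(savestruct)];

static const uint8_t *build_image(uint32_t declared_size)
{
    memset(g_image, 0xAB, sizeof g_image);
    g_image[0] = 'S'; g_image[1] = 'A'; g_image[2] = 'V'; g_image[3] = 'E';
    g_image[4] = (uint8_t)declared_size;            /* little-endian, as on MIPS PSP */
    g_image[5] = (uint8_t)(declared_size >> 8);
    g_image[6] = (uint8_t)(declared_size >> 16);
    g_image[7] = (uint8_t)(declared_size >> 24);
    return g_image;
}

/* Exercise the loader: build an image claiming declared_size bytes, present
 * file_len bytes of it, and return the loader's verdict (0 or -1). */
int try_load(uint32_t declared_size, size_t file_len)
{
    savestruct s;
    return load_savedata(build_image(declared_size), file_len, &s);
}

int main(void)
{
    printf("honest size     -> %d\n", try_load((uint32_t)sizeof(savestruct), sizeof(savestruct)));
    printf("oversized .size -> %d\n", try_load(0x7FFFFFFFu, sizeof(savestruct)));
    printf("truncated file  -> %d\n", try_load((uint32_t)sizeof(savestruct), 40));
    return 0;
}
```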
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87 or Acid_snake.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-04-07 by qwikrazor87 or Acid_snake. Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. 
Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than through loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. 
Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances, so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. 
qwikrazor87 and Acid_snake never went with this vulnerability, as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) in order to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> 
Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> Discovered around 2014-04-05 by qwikrazor87.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks wherever they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on the PSP nor in PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on the PSP nor in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo can memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so that kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to the kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable routine is located in a subroutine of the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (+ an extra ':' char to let the loop end) containing an address to an arbitrary position in memory (pointing to a function of ours for example) located from the 44th to the 47th chars in the filename will allow us to run any code we want in the context of the executing routine (kernel mode): when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error.
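As an added example (not the page's code nor hitchhikr's), here is a hardened version of that drive-name check in C, using the 0x1F limit the later loadexec versions apply and measuring the length before anything is copied; the function, constant and error-code names are this example's own.

```c
/* Hardened drive-name extraction for PSP-style paths such as "ms0:/PSP/GAME".
 * Added example, not Sony's loadexec.prx code. The 2.60 routine described above
 * copied everything up to ':' into a 48-byte stack frame without measuring it;
 * later versions reject a drive name longer than 0x1F bytes. This version checks
 * the length before copying, so the destination can never be overrun. */
#include <stddef.h>
#include <string.h>

#define DRIVE_NAME_MAX 0x1F   /* limit applied by later loadexec versions */

/* Constructed error codes for this example (not PSP SCE_* error values). */
enum drive_check {
    DRIVE_EMPTY    = -1,   /* empty path, or path starting with ':' */
    DRIVE_NO_COLON = -2,   /* no ':' at all: the old copy loop had no terminator */
    DRIVE_TOO_LONG = -3,   /* drive part exceeds DRIVE_NAME_MAX or the caller's buffer */
};

/* Copies the drive part of `path` (the bytes before the first ':') into `out`
 * and returns its length, or a negative enum drive_check value on rejection.
 * `out` may be NULL to only validate. */
int extract_drive_name(const char *path, char *out, size_t out_size)
{
    const char *colon;
    size_t len;

    if (path == NULL || path[0] == '\0' || path[0] == ':')
        return DRIVE_EMPTY;

    colon = strchr(path, ':');
    if (colon == NULL)
        return DRIVE_NO_COLON;

    /* Length is decided here, before any byte is written. */
    len = (size_t)(colon - path);
    if (len > DRIVE_NAME_MAX)
        return DRIVE_TOO_LONG;

    if (out != NULL) {
        if (len + 1 > out_size)          /* room for the terminating NUL */
            return DRIVE_TOO_LONG;
        memcpy(out, path, len);
        out[len] = '\0';
    }
    return (int)len;
}

/* Convenience wrapper mirroring the original routine's job: is the drive
 * part of this filename valid? Returns 1 for valid, 0 for rejected. */
int drive_name_is_valid(const char *path)
{
    return extract_drive_name(path, NULL, 0) >= 0;
}
```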
The length check can be seen in sub_21E0 of 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32 bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes.
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction).
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the word at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...).
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size.
This allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g.
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier, which however results in the cache being synced once the key is already gone.
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hashes of the IPL blocks as they are loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel out the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12070 Vulnerabilities 2023-10-08T23:07:33Z <p>CelesteBlue: /* Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br />
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, otherwise it is 2006 and it is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=?
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature.
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Noon (NPJJ00466) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-10-03 by qwikrazor87 or Acid_snake.<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-07-24 by qwikrazor87 or Acid_snake. Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08.
Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than through loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of the 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size.
Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. The Infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially on PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name.
qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br />
Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> Discovered around 2014-04-05 by qwikrazor87.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. 
Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that many more such vulnerabilities were present, so whoever patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence, a drive name of 48 chars (+ an extra ':' char to let the loop end) containing an address to an arbitrary position in memory (pointing to a function of ours for example) located from the 44th to the 47th chars in the filename will allow us to run any code we want in the context of the executing routine (kernel mode), as when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
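As an added illustration (not code from loadexec.prx or from hitchhikr's exploit), the following C models the unchecked drive-name copy described above next to a length-checked extractor of the kind later loadexec versions use. The 48-byte frame, the return address at bytes 44-47 and the 0x1F limit come from the text; the function names, error codes and sample paths are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not code from loadexec.prx or from hitchhikr's exploit.
 * It models the drive-name routine described above: the original copied
 * every character up to the first ':' into a 48-byte stack frame whose
 * saved return address sits at bytes 44..47, with no length check; later
 * loadexec versions reject a drive name longer than 0x1F bytes first.
 * Function names and error codes below are assumptions for illustration. */

#define DRIVE_NAME_MAX   0x1F   /* limit enforced by later loadexec versions */
#define STACK_FRAME_SIZE 48     /* frame allocated by the vulnerable routine */
#define RET_ADDR_OFFSET  44     /* saved return address at +44..+47 */

/* Length of the drive part (up to but excluding ':'), or -1 if there is none. */
static int drive_name_len(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* Model of the original, unchecked copy: returns 1 when copying the drive
 * name into the 48-byte frame would reach the saved return address,
 * 0 otherwise.  Nothing is actually copied. */
int unchecked_copy_overflows(const char *path)
{
    int len = drive_name_len(path);
    return len > RET_ADDR_OFFSET;
}

/* Hardened extractor: validates before copying.
 * Returns the drive-name length, or a negative error code:
 *   -1 no ':' in path       -2 empty drive name
 *   -3 drive name too long  -4 output buffer too small */
int extract_drive_name(const char *path, char *out, size_t outlen)
{
    int len = drive_name_len(path);
    if (len < 0)
        return -1;
    if (len == 0)
        return -2;
    if (len > DRIVE_NAME_MAX)
        return -3;
    if ((size_t)len + 1 > outlen)
        return -4;
    memcpy(out, path, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Verdict-only wrapper using a correctly sized local buffer. */
int check_drive_name(const char *path)
{
    char buf[DRIVE_NAME_MAX + 1];
    return extract_drive_name(path, buf, sizeof buf);
}

/* Constructed test input: n repeated 'A' characters followed by ':'. */
const char *constructed_path(int n)
{
    static char buf[128];
    if (n < 0) n = 0;
    if (n > 126) n = 126;
    memset(buf, 'A', (size_t)n);
    buf[n] = ':';
    buf[n + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *samples[] = { "ms0:/PSP/GAME/HOMEBREW/EBOOT.PBP", "nocolon" };
    char drive[DRIVE_NAME_MAX + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = extract_drive_name(samples[i], drive, sizeof drive);
        printf("%-36s -> rc=%d drive=%s overflow=%d\n", samples[i], rc,
               rc >= 0 ? drive : "(none)", unchecked_copy_overflows(samples[i]));
    }
    /* A 48-character drive name plus ':' as described in the write-up. */
    const char *p = constructed_path(STACK_FRAME_SIZE);
    printf("48-char drive name: overflow=%d hardened rc=%d\n",
           unchecked_copy_overflows(p), check_drive_name(p));
    return 0;
}
```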
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick after loading a valid ELF with one that contained an unsigned one, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # store coprocessor $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design implementation. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, resulting in the cache being synced once the key is already gone. 
This allows the key to be easily retrieved using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel out the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12069 Vulnerabilities 2023-10-08T23:06:37Z <p>CelesteBlue: /* Kernel */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red circle 18 logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, otherwise it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-07-24 by qwikrazor87 or Acid_snake. Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> 
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> Discovered around 2014-04-05 by qwikrazor87.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> 
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> Discovered around 2013-10-22.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing an overly long string as an argument, the overflowing content can be forged to replace the return address register and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita kermit_wlan.prx module, not PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset to anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so the affected kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is to modify the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerable subroutine is located in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if it is an empty drive name; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, like the return address for example. Hence a drive name of 48 chars (+ an extra ':' char to let the loop end), carrying at its 44th to 47th chars an address to an arbitrary position in memory (pointing to a function of ours, for example), will allow us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
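The frame layout and the later length check described above, as an added example that is not code from loadexec.prx: the 2.60 copy loop is modelled against a 48-byte frame (44 local bytes, then the saved return address) beside a bounded variant that applies the 0x1F limit; function names, error codes and the sample paths are assumptions.

```c
/* Added example (not loadexec.prx code): a model of the 2.60 drive-name copy
 * beside a bounded version of the check later firmware added. The frame
 * layout (44 local bytes + 4-byte return address) and the 0x1F limit come
 * from the page; function names, error codes and sample paths are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DRIVE_NAME_MAX      0x1F   /* later loadexec rejects longer drive names */
#define DRIVE_ERR_NO_COLON  (-1)
#define DRIVE_ERR_TOO_LONG  (-2)

/* Model of the 48-byte stack frame: locals first, saved return address last. */
struct frame_model {
    char     name[44];
    uint32_t ret_addr;
};

/* 2.60 behaviour, modelled: copy until ':' with no length check.
 * The copy is clamped at the end of the frame model only so that this
 * illustration stays free of undefined behaviour; the real routine had no
 * such clamp. Returns the number of bytes written. */
size_t unbounded_drive_copy(struct frame_model *f, const char *path)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    while (path[i] != ':' && path[i] != '\0' && i < sizeof *f) {
        dst[i] = (unsigned char)path[i];
        i++;
    }
    return i;
}

/* Bounded variant: copy the drive part of path into out, or fail.
 * Returns the drive-name length, or a negative error; never writes more
 * than out_len bytes and NUL-terminates on success. */
int extract_drive_name(const char *path, char *out, size_t out_len)
{
    const char *colon = strchr(path, ':');
    if (colon == NULL)
        return DRIVE_ERR_NO_COLON;            /* not a "drive:" path at all */
    size_t len = (size_t)(colon - path);
    if (len > DRIVE_NAME_MAX || len >= out_len)
        return DRIVE_ERR_TOO_LONG;            /* the check 2.60 lacked */
    memcpy(out, path, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed 48-character drive name: 44 filler bytes, then the 4 bytes
 * that land on the saved return address, then the ':' that ends the loop. */
static const char OVERLONG_PATH[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAA"
    "RET!" ":/PSP/GAME/X/EBOOT.PBP";

/* Returns 1 if the modelled unbounded copy replaced the saved return address. */
int overlong_name_clobbers_return(void)
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.ret_addr = 0xDEADBEEFu;                 /* stand-in for the real return address */
    size_t n = unbounded_drive_copy(&f, OVERLONG_PATH);
    return n == 48 && memcmp(&f.ret_addr, "RET!", 4) == 0;
}

/* Returns the result of the bounded variant on the same overlong path. */
int overlong_name_is_rejected(void)
{
    char out[DRIVE_NAME_MAX + 1];
    return extract_drive_name(OVERLONG_PATH, out, sizeof out);
}

/* Returns the length the bounded variant reports for a path, e.g. 3 for "ms0:". */
int drive_name_length(const char *path)
{
    char out[DRIVE_NAME_MAX + 1];
    return extract_drive_name(path, out, sizeof out);
}
```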
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
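The two skip rules just described, modelled side by side as an added example (not loadcore's code), together with a consistency check a loader could apply so that its stages cannot disagree: the 64-byte header length and the size field at +4 are from the page; the "~SCE" magic test, the layout of the remaining fields, the function names and the sample headers are assumptions, and the consistency check is a suggestion, not Sony's actual fix.

```c
/* Added example, not loadcore code: the two ~SCE header skip rules the page
 * describes, modelled side by side, plus a consistency check a loader could
 * apply. The 64-byte header length and the size field at +4 come from the
 * page; the "~SCE" magic test, the layout of the other fields, the function
 * names and the sample headers are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCE_HDR_LEN 64u
#define SCE_MAGIC   "~SCE"          /* assumed magic at +0 */

/* sce_size lives at +4; the Allegrex is little-endian, so read it that way. */
static uint32_t sce_size_field(const uint8_t *buf)
{
    return (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
           ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
}

static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HDR_LEN && memcmp(buf, SCE_MAGIC, 4) == 0;
}

/* Rule A (sceKernelCheckExecFile / sceKernelLoadExecutableObject, as the page
 * describes them): a positive sce_size means "skip the fixed 64 bytes". */
size_t check_rule_offset(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len))
        return 0;
    uint32_t field = sce_size_field(buf);
    return (field != 0 && field < 0x80000000u) ? SCE_HDR_LEN : 0;
}

/* Rule B (sceKernelProbeExecutableObject, as the page describes it):
 * skip sce_size bytes, whatever the field says. */
size_t probe_rule_offset(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len))
        return 0;
    return sce_size_field(buf);
}

/* Defensive variant (an assumption, not Sony's actual fix): decide the offset
 * in one place and reject a header whose size field disagrees with the fixed
 * length, so no two loader stages can see different payload boundaries.
 * Returns the offset, or -1 for an inconsistent header. */
long consistent_offset(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len))
        return 0;                              /* plain PRX, nothing to skip */
    if (sce_size_field(buf) != SCE_HDR_LEN)
        return -1;
    return (long)SCE_HDR_LEN;
}

/* Constructed sample: a 64-byte ~SCE header with the given sce_size, followed
 * by 16 stand-in payload bytes. Returns the total length, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t sce_size)
{
    const size_t total = SCE_HDR_LEN + 16;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    memcpy(out, SCE_MAGIC, 4);
    out[4] = (uint8_t)sce_size;
    out[5] = (uint8_t)(sce_size >> 8);
    out[6] = (uint8_t)(sce_size >> 16);
    out[7] = (uint8_t)(sce_size >> 24);
    memset(out + SCE_HDR_LEN, 0x7F, 16);       /* constructed payload bytes */
    return total;
}

/* 1 if rule A and rule B disagree on where the payload starts for this sce_size. */
int rules_disagree(uint32_t sce_size)
{
    uint8_t buf[SCE_HDR_LEN + 16];
    size_t n = build_sample(buf, sizeof buf, sce_size);
    return check_rule_offset(buf, n) != probe_rule_offset(buf, n);
}

/* What the consistency check returns for a header with this sce_size. */
long consistent_result(uint32_t sce_size)
{
    uint8_t buf[SCE_HDR_LEN + 16];
    size_t n = build_sample(buf, sizeof buf, sce_size);
    return consistent_offset(buf, n);
}
```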
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favorable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design choice.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without needing to know the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier; however, this results in the cache being synced once the key is already gone. 
This allows easily retrieving the key using an XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel out their contribution to the XOR and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12068 Vulnerabilities 2023-10-08T23:01:32Z <p>CelesteBlue: /* _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and it is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-07-24 by qwikrazor87 or Acid_snake. Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign one's own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present at least partially in the PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> 
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> Discovered around 2014-10-03 by qwikrazor87.<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> 
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When passing an overly long string as argument, the overflowing content can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure could exist. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in the PSP nor in PSPemu, kernel pointers can be passed. 
As it performs a 64-bit comparison, returning different values for a0 < a1, a0 == a1 and a0 > a1, this function can be used to bruteforce the value at a kernel address: it lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) with one comparison.

This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.

TBD: implementation by CelesteBlue

== sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP <= 6.61 ==

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c

The PSP implementation of sceNetMCopyback does not check the pointers passed to it. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. As it performs a signed 32-bit comparison, returning different values for a0 <= a1 and a0 > a1, this function can be used to bruteforce the value at a kernel address: it lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times.
On each iteration, you determine the value of the current bit (0 or 1) with one comparison.

TBD: implementation by CelesteBlue

== sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP <= 6.61 ==

https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c

https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c

== sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==

Discovered by some1, then exploited by liquidzigong.

https://wololo.net/talk/viewtopic.php?t=6612

https://wololo.net/2011/05/23/6-38-downgrader-by-some1/

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://github.com/smiky/psptools/blob/master/kxploit/main.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==

https://lolhax.org/2010/12/23/arcanum/

https://wololo.net/talk/viewtopic.php?f=5&t=947

https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c

https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/

== ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==

https://wololo.net/talk/viewtopic.php?p=147730#p147730

https://wololo.net/talk/viewtopic.php?p=147732#p147732

== GEN/M33 contested wlan exploit: PSP <= 5.50 ==

?? Ask davee.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP <= 5.03 ==

Because of missing k1 checks, sceDRMInstallGetFileInfo can be used to memset anywhere in kernel memory.

https://wololo.net/talk/viewtopic.php?p=2022

https://wololo.net/talk/viewtopic.php?p=2022#p2022

https://wololo.net/talk/viewtopic.php?f=5&t=242

http://www.kingx.de/forum/showthread.php?tid=15275

This exploit clobbers 16 bytes of kernel memory, so the kernel memory has to be read before exploiting and the other 12 bytes restored afterwards.

This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.

== Registry error store: PSP <= ?2.80? ==

According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.

https://wololo.net/talk/viewtopic.php?p=147642#p147642

== Registry write access from usermode: PSP <= 2.60 ==

Since the registry is placed on flash1, it can be accessed from usermode.

== sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==

There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character ":" in that path and calculates the length of the drive name from that (e.g. "ms0:"). It then copies the drive name onto the stack with strncpy.

The exploit is located in a subroutine in the loadexec.prx file.
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions such as sceKernelLoadExec) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first character of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack space. It only stops when it encounters a ':' character. Since it does not check any string length during the copy, a drive name supplied by the user that is big enough will overwrite the other values stored on the stack, such as the return address. This is why a drive name of 48 characters (plus an extra ':' character to let the loop end), with the address of an arbitrary position in memory (pointing to a function of ours, for example) at characters 44 to 47 of the filename, allows us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps directly to it.

In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error.
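The bounded form of that drive-name extraction, as an added example (not loadexec's code): the scan for ':' gives up after 0x1F bytes, the limit the text above reports for later firmware, so the copy length is known to fit before anything is written to the stack. The function and error names (extract_drive_name, DRIVE_ERR_*) are hypothetical; the 48-byte frame size and the 0x1F limit come from the description above.

```c
/* Added example: a length-checked drive-name extraction in the spirit of the
 * fix the page describes for later loadexec versions. Not Sony's code;
 * function and error names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DRIVE_NAME_MAX 0x1F   /* longest drive name later loadexec accepts (from the text above) */
#define DRIVE_BUF_SIZE 48     /* the 2.60 routine's stack frame size (from the text above) */

enum {
    DRIVE_ERR_EMPTY    = -1,  /* path is empty or starts with ':' */
    DRIVE_ERR_NO_SEP   = -2,  /* no ':' within the allowed length */
    DRIVE_ERR_TOO_LONG = -3   /* drive name longer than DRIVE_NAME_MAX or than out can hold */
};

/* Copies the drive part of path (everything before the first ':') into out.
 * The scan is bounded by DRIVE_NAME_MAX before any byte is copied, so a long
 * drive name can never reach past the destination. Returns the drive name
 * length, or a negative error. */
static int extract_drive_name(const char *path, char *out, size_t out_size)
{
    size_t n;

    if (path == NULL || path[0] == '\0' || path[0] == ':')
        return DRIVE_ERR_EMPTY;

    for (n = 0; n <= DRIVE_NAME_MAX; n++) {
        if (path[n] == '\0')
            return DRIVE_ERR_NO_SEP;     /* ran out of string first */
        if (path[n] == ':')
            break;
    }
    if (n > DRIVE_NAME_MAX)
        return DRIVE_ERR_TOO_LONG;       /* ':' not found within the limit */
    if (n + 1 > out_size)
        return DRIVE_ERR_TOO_LONG;       /* destination too small for name + NUL */

    memcpy(out, path, n);
    out[n] = '\0';
    return (int)n;
}

/* Builds a constructed path whose drive name is name_len 'A' characters
 * followed by ":/" and runs it through the checked extractor against a
 * 48-byte buffer, the frame size of the vulnerable routine. */
static int check_drive_len(size_t name_len)
{
    char path[128];
    char out[DRIVE_BUF_SIZE];

    if (name_len > sizeof path - 3)
        return DRIVE_ERR_TOO_LONG;
    memset(path, 'A', name_len);
    path[name_len] = ':';
    path[name_len + 1] = '/';
    path[name_len + 2] = '\0';
    return extract_drive_name(path, out, sizeof out);
}

/* Ordinary input: "ms0:/PSP/GAME/EBOOT.PBP" yields "ms0" (length 3). */
static int demo_ms0_len(void)
{
    char out[DRIVE_BUF_SIZE];
    int len = extract_drive_name("ms0:/PSP/GAME/EBOOT.PBP", out, sizeof out);
    return (len == 3 && strcmp(out, "ms0") == 0) ? len : -100;
}

/* A path with no ':' at all must be rejected rather than scanned to its end. */
static int demo_no_separator(void)
{
    char out[DRIVE_BUF_SIZE];
    return extract_drive_name("flash0", out, sizeof out);
}

int main(void)
{
    printf("ms0 -> %d\n", demo_ms0_len());
    printf("31-char drive -> %d\n", check_drive_len(31));
    printf("32-char drive -> %d\n", check_drive_len(32));
    printf("48-char drive -> %d\n", check_drive_len(48));
    return 0;
}
```

The 48-character drive name from the description above, which on 2.60 would have reached the saved return address, is refused here before the copy starts; the destination size is checked separately so the function stays safe even if it is later called with a smaller buffer.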
Look at sub_21E0 in 6.60 loadexec_01g.prx.

https://forums.ps2dev.org/viewtopic.php?t=6091

https://www.hitchhikr.net/Exploit_2.6.zip

== reused index.dat key: PSP 2.00, 2.01 ==

== swaptrick/kxploit: PSP <= 1.50 ==

This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.

== kernel flagged ELF: PSP <= 1.00 ==

== Remarks ==

https://www.pspx.ru/forum/showthread.php?t=97295

= IPL =

== Giraffe bug ==

Discovered in 2016 by davee.

There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function, sceKernelCheckExecFile, just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes.
This inconsistency leads to the loading of an unencrypted PRX.

https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/

Fixed: since PSP System Software version 6.35.

= Lib-PSP iplloader =

== NMI Backdoor ==

Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Fixed: Never

Applicable to: None

Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)

The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, features an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.

This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.

If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction).
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset to 0.

Below are the relevant pieces of code:

<pre>
ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0
ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the value at 0xBC100000) is not equal to zero, jump to 0xBFC00064
</pre>
<pre>
ROM:BFC00064 cfc0 $v0, $9 # load coprocessor register $9 into $v0
ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078
ROM:BFC0006C nop
ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coproc $9)
</pre>

This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.

== Arbitrary IPL Load Address ==

Found by: C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Applicable to: IPL-time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will make the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.

Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.

Lib-PSP iplloader does not validate the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...).
This allows a payload to be written to arbitrary locations.

== Arbitrary IPL Entrypoint Address ==

Found by: C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Applicable to: IPL-time code execution on 01g and 02g, used in Pandora

Fixed: Lib-PSP iplloader 2.6.0

Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed a "valid" block to be crafted in a more timely fashion.

Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.

https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/

== No minimum IPL block size ==

Found by: C+D/Prometheus - Earliest discovery: 2007-04-04

Introduced: Tachyon 0x00140000 bootrom

Applicable to: Pandora hack.

Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.

Lib-PSP iplloader does not validate the block size.
This allows a small IPL block, favourable to the time attack, to be crafted.

https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/

== Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==

Found by: C+D/Prometheus - Earliest discovery: 2006 Q4

Introduced: Tachyon 0x00140000 bootrom

Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.

Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.

This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.

== Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==

Found by: Mathieulh - Earliest discovery: 2019 Q1

Introduced: Lib-PSP iplloader 3.5.0

Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.

Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool

This is not so much a vulnerability as a poor design decision.

To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g.
This is also presumably done because XOR keys may differ between Tachyon revisions.

This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.

== Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==

Found by: Proxima - Earliest discovery: 2020-01-27

Introduced: Lib-PSP iplloader 3.5.0

Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability

Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool

3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows the key to be retrieved from uncached memory at address 0xA001088C.

In Jig mode execution, the key is cleared much earlier; however, this results in the cache being synced once the key is already gone.
This allows the key to be retrieved easily using a XORed IPL block loaded at address 0xBFE01000.

While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant, because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.

== Faulty ECDSA Hash Comparison ==

Found by: Davee - Earliest discovery: 2021-02-12

Introduced: Tachyon 0x00600000 bootrom

Applicable to: IPL code execution.

Fixed: never

Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hashes of the IPL blocks as they are loaded, and then verifies the signature against this final XOR value.

This means that inserting two identical blocks in the chain cancels the XOR change, and the signature remains valid.

NOTE: For this to work, the block checksum of the inserted blocks has to be "forged" so that it matches the previous block's checksum.

= General writeups =

https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/

https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/

https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit

https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP

----
Vulnerabilities, revision diff=12067 by CelesteBlue, 2023-10-08T23:00:53Z (edit summary: /* Sports Superbike 2 / XS Moto by qwikrazor87 and Acid_snake */): http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12067

= Usermode =

== Exploits to sort ==

https://www.psdevwiki.com/psp/Homebrew_Enabler

https://en.wikibooks.org/wiki/PSP/Homebrew_History

https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table

https://www.psdevwiki.com/vita/Non-native_Exploits
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png

https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/

https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/

https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html

== PSP Game Savedata ==

=== Before PS Vita era ===

==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====

Discovered by Edison Carter.

The GTA LCS exploit is a classic stack buffer overflow in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer on the stack for this to be read into, presumably using sizeof(savestruct) or similar, but it copies the number of bytes given by the .size element of the savedata into that stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder.
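A savedata loader that does not repeat that mistake, as an added example (not GTA LCS's code and not the pspsdk savedata sample): the copy length is bounded by the size of the destination structure and by the number of bytes actually read from the file, never by the .size element alone. The 64-byte structure layout with .size at offset 4, the magic value, and the function and error names are assumptions for illustration; the input is constructed inline and stands for an already-decrypted DATA.BIN.

```c
/* Added example: a savedata loader that never trusts the file's own size
 * field. Not GTA LCS's code; structure layout and names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVE_SIZE_OFFSET 4u           /* .size sits at offset 4 (from the text above) */
#define SAVE_MAGIC       0x45564153u  /* "SAVE" little-endian, constructed for the example */

/* Stand-in for the game's savedata structure; 64 bytes. */
typedef struct {
    uint32_t magic;
    uint32_t size;       /* total byte count, as the game wrote it */
    uint8_t  payload[56];
} save_struct_t;

enum {
    SAVE_OK        =  0,
    SAVE_ERR_SHORT = -1,   /* file too short to even hold the header */
    SAVE_ERR_MAGIC = -2,
    SAVE_ERR_SIZE  = -3    /* .size claims more than the struct or the file holds */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loader. The vulnerable pattern copied .size bytes into a
 * fixed-size stack struct; here the copy length is checked against both
 * sizeof(*out) and file_len before a single byte is written. */
static int load_savedata(const uint8_t *file, size_t file_len, save_struct_t *out)
{
    uint32_t claimed;

    if (file_len < SAVE_SIZE_OFFSET + 4u)
        return SAVE_ERR_SHORT;
    if (rd32le(file) != SAVE_MAGIC)
        return SAVE_ERR_MAGIC;

    claimed = rd32le(file + SAVE_SIZE_OFFSET);
    if (claimed < SAVE_SIZE_OFFSET + 4u || claimed > sizeof *out || claimed > file_len)
        return SAVE_ERR_SIZE;

    memset(out, 0, sizeof *out);
    memcpy(out, file, claimed);       /* bounded: claimed <= sizeof *out */
    return SAVE_OK;
}

/* Builds a constructed, "decrypted" DATA.BIN image of file_len bytes whose
 * .size element claims claimed_size, then runs it through the loader. */
static int demo_load(uint32_t claimed_size, size_t file_len)
{
    uint8_t file[256];
    save_struct_t s;
    size_t i;

    if (file_len > sizeof file)
        return SAVE_ERR_SIZE;
    for (i = 0; i < sizeof file; i++)
        file[i] = (uint8_t)(0x41 + (i % 26));   /* filler payload */
    for (i = 0; i < 4; i++) {
        file[i] = (uint8_t)(SAVE_MAGIC >> (8 * i));
        file[SAVE_SIZE_OFFSET + i] = (uint8_t)(claimed_size >> (8 * i));
    }
    return load_savedata(file, file_len, &s);
}

int main(void)
{
    printf("honest 64-byte save:          %d\n", demo_load(64, 64));
    printf(".size = 0x200, 256-byte file: %d\n", demo_load(0x200, 256));
    printf(".size = 64, 32-byte file:     %d\n", demo_load(64, 32));
    return 0;
}
```

The second check (claimed > file_len) matters as much as the first: a truncated file whose header still claims the full size would otherwise make the loader read past the bytes it was given, so both the destination and the source bound the copy.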
Note that DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.

The exploit was patched in a second batch of UMD prints.

Germany version:
* ULES00182 - Unpatched - Contains 2.00 System Software update.

Europe (UK/EU) version:
* ULES00151 first batch - Unpatched - Contains 2.00 System Software update.
* ULES00151 second batch - Patched - Contains 2.60 System Software update.

North America (US) version:
* ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.
* ULUS10041 - Patched - Contains UPDL 010050 on the UMD.

* ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.

The "18" logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red-circle "18" logo is not present on the spine.

Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.

==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ====

==== Gripshift by Matiaz: PSP <= 5.02?-5.03?. Patched 5.05 ====

==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ====

==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP <=? ====

2009-07-10

https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/

https://www.brewology.com/downloads/download.php?id=9900

https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit

=== During PS Vita era ===

==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: <= 1.61 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/

==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: <= 1.61. Patched 1.65 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/

==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: <= 1.67. Patched 1.69?0?, 2014-11-10 ====

https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/

==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): <= 1.80. Patched 1.81 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/

==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: <= 1.81. Patched on 2.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/

==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: <= 1.81 ====

https://w

ololo.net/talk/viewtopic.php?f=56&t=36217

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: <= 1.81. Patched 2.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/

==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: <= 2.02. Patched 2.05 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/

==== Dissidia Duodecim: <= 2.05 ====

==== Apache Overkill by Tomtomdu80: <= 2.06 ====

==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: <= 2.12 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: <= 2.60. Patched 2.61 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ====

==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ====

==== Jewel Keepers: <= 2.61. Patched 3.00 ====

==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/

==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: <= 2.61. Patched 3.00 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/

==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: <= 3.00 ====

https://wololo.net/talk/viewtopic.php?f=56&t=36217

==== Cubixx: <= 3.00. Patched 3.01 ====

==== Ben 10 Alien Force: Vilgax Attacks: <= 3.01. Patched 3.10 ====

==== King Of Pool by qwikrazor87: <= 3.01. Patched 3.10 ====

This game was exploited 4 times and fixed 4 times.

==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====

Not exploited.

==== 101-in-1 Megamix by xerpi: <= 3.01. Patched 3.10 ====

==== Fifa 2011, Fifa 2012: <= 3.01. Patched 3.10 ====

==== Persona 2: Innocent Sin, Persona 2: Tsumi: <= 3.01. Patched 3.10 ====

==== Arcade Air Hockey & Bowling (Europe, NPUZ00103), Arcade Pool & Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: <= 3.01. Patched 3.10 ====

==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 3.12 ====

==== MyStylist: <= 3.15 ====

==== Skate Park City: <= 3.15. Patched 3.18 ====

==== Space Invaders Extreme: <= 3.18 ====

==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: <= 3.18 ====

https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ====

Discovered around 2014-09-12 by qwikrazor87.

https://wololo.net/talk/viewtopic.php?t=39771

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/

==== Vertigo (NPUH10092) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/

==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: <= 3.18 ====

https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/

==== Patapon 1: <= 3.18 ====

==== Talkman Travel: Tokyo: <= 3.18 ====

==== Go! Sudoku (UCES00152): <= 3.30 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Arcade Darts: <= 3.36 ====

==== Patapon 2 non-demo (UCES01177): <= 3.36 ====

https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/

https://github.com/TheOct0/patapon_exploit

https://github.com/wololo-learning-journey/patapon_exploit

https://code.google.com/archive/p/valentine-hbl/source/default/source

https://wololo.net/talk/viewtopic.php?f=53&t=41343

==== Numblast: <= 3.36 ====

==== Hot Brain: <= 3.36 ====

==== Hatsune Miku: Project DIVA extend: <= 3.36 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ====

==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ====

https://code.google.com/archive/p/valentine-hbl/source/default/source

==== Puzzle Scape: <= 3.52 ====

==== World of Pool, Pool Hall Pro: <= 3.52 ====

==== Metal Gear Solid Portable OPS+ by 173210: <= 3.57 ====

https://github.com/173210/psp_exploits/

=== After PS Vita era ===

==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====

https://github.com/ChampionLeake/scrabblehax

==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====

https://github.com/ChampionLeake/SudokuSTACK

=== Remarks ===

PSP demos are usually not exploitable because they do not use the savedata feature.
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Discovered around 2014-07-24 by qwikrazor87 or Acid_snake. Released on 2015-03-12 by Total_Noob.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than through loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is at least partially present on PS3, even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) to make it work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> 
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> There is a time-of-check to time-of-use vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> 
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a string that is too long is passed as the argument, the overflowing content can be crafted to replace the return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, as most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter: writes to 0x00017A48, memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter: writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
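The check that the sceWlanDrv_lib functions listed above (and kermit_inet_socket, described next) were missing, modelled as an added example. This is illustrative code, not firmware or ARK code: the raw k1 constants, the function names and the error value are assumptions chosen to mirror the convention that a usermode caller's $k1, once shifted, has bit 31 set, which is also the bit every kernel-space address on the PSP has set.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the PSP kernel's k1 pointer check, the guard that the
 * sceWlanDrv_lib functions above and kermit_inet_socket lacked.
 * Illustrative code, not firmware code: constants, names and the error
 * value are assumptions. */

#define K1_RAW_USER      0x00100000u  /* $k1 on a syscall from usermode (assumed) */
#define K1_RAW_KERNEL    0x00000000u  /* $k1 when kernel code calls directly */
#define ERR_ILLEGAL_ADDR (-1)         /* placeholder for the firmware's error code */

/* After k1 << 11 a user caller leaves 0x80000000 in k1. Everything the user
 * must not touch (0x88000000 kernel RAM, 0xBCxxxxxx registers, 0xBFC00000
 * bootrom) has bit 31 set, so ANDing an address with k1 flags it. */
static uint32_t k1_shift(uint32_t raw_k1) { return raw_k1 << 11; }

/* Nonzero when the caller is user and [addr, addr + size) reaches kernel space. */
static int k1_range_bad(uint32_t k1, uint32_t addr, uint32_t size)
{
    uint32_t end = addr + size;
    if (end < addr) return 1;                 /* wraparound is never legal */
    return ((addr | end) & k1) != 0;
}

/* A "setter"-shaped service like the ones commented "Setter" above: it copies
 * a caller-supplied buffer into kernel state.
 *   Vulnerable shape:  memcpy(kernel_table, src, size);   (no checks at all)
 *   Hardened shape:    bound the size, validate the range, then copy.
 * On the host, src stands in for the PSP address src_addr. */
static uint8_t kernel_table[32];

int model_setter(uint32_t raw_k1, uint32_t src_addr, const uint8_t *src, uint32_t size)
{
    uint32_t k1 = k1_shift(raw_k1);
    if (size > sizeof kernel_table) return ERR_ILLEGAL_ADDR;        /* bound the copy */
    if (k1_range_bad(k1, src_addr, size)) return ERR_ILLEGAL_ADDR;  /* reject kernel pointers */
    memcpy(kernel_table, src, size);
    return 0;
}

/* Range verdict alone: 0 = accepted, ERR_ILLEGAL_ADDR = rejected. */
int model_check_only(uint32_t raw_k1, uint32_t addr, uint32_t size)
{
    return k1_range_bad(k1_shift(raw_k1), addr, size) ? ERR_ILLEGAL_ADDR : 0;
}

/* Constructed sample input for the stand-alone run. */
static const uint8_t sample_bytes[8] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04 };

int main(void)
{
    printf("user -> user RAM   : %d\n", model_check_only(K1_RAW_USER,   0x08800000u, 0x100u));
    printf("user -> kernel RAM : %d\n", model_check_only(K1_RAW_USER,   0x88000000u, 0x100u));
    printf("kernel -> kernel   : %d\n", model_check_only(K1_RAW_KERNEL, 0x88000000u, 0x100u));
    printf("setter from user   : %d\n", model_setter(K1_RAW_USER, 0x08800000u, sample_bytes, 8));
    return 0;
}
```

The range test ORs the start and end addresses before masking, so a buffer that starts in user RAM but ends across the 0x80000000 boundary is rejected as well; the size bound on the copy is the second, independent check that the "kwrite" functions above also needed.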
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60, the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the lacking k1 check, sceWlanGetEtherAddr can write the Ethernet address to any location, even to kernel memory. This means that the exploit depends on your Ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to dump any PSP kernel and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user controlled address. The exploitation path is to modify the 0xBC000000 memory permission to allow usermode read/write to kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed by usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legit. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is long enough, it will overwrite the rest of the stack-based values, such as the return address. Hence a drive name of 48 chars (plus an extra ':' char to let the loop end) containing an address to an arbitrary position in memory (pointing to a function of ours, for example) located from the 44th to the 47th char of the filename will allow us to run any code we want in the context of the executing routine (kernel mode): when it ends, it reloads the return address from the stack and directly jumps to it.<br /> <br /> In later System Software versions, loadexec checks if the drive name is longer than 0x1F bytes. If it is, it returns an error. 
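The length check that later firmware added, modelled as an added example of how the drive-name extraction should be written. This is not loadexec's code: the function names and the error value are assumptions; the 0x1F limit and the 48-byte stack buffer are the figures from the text above.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the hardened loadexec drive-name routine. Not firmware
 * code: names and the error value are assumptions. */

#define DRIVE_NAME_MAX    0x1F   /* limit added in later firmware (from the text) */
#define DRIVE_BUF_SIZE    48     /* stack buffer size of the 2.60 routine (from the text) */
#define ERR_INVALID_DRIVE (-1)   /* placeholder for the real error code */

/* Length of the drive part of path, i.e. the characters before the first ':'.
 * Returns -1 when there is no ':' at all. Nothing is copied here, so the
 * length can be validated before a single byte is written to the buffer. */
int drive_name_length(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (int)(colon - path) : -1;
}

/* Validate first, copy second. The 2.60 routine copied up to ':' into a
 * 48-byte stack buffer with no length check, so a long drive name ran over
 * the saved return address in bytes 44..47. Here the copy is refused before
 * it can reach the end of out, which holds DRIVE_BUF_SIZE bytes. */
int extract_drive_name(const char *path, char out[DRIVE_BUF_SIZE])
{
    int len = drive_name_length(path);
    if (len <= 0)                 /* no ':' at all, or an empty drive name like ":/x" */
        return ERR_INVALID_DRIVE;
    if (len > DRIVE_NAME_MAX)     /* the check later firmware added */
        return ERR_INVALID_DRIVE;
    memcpy(out, path, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Constructed inputs: a 31-char drive name (exactly 0x1F, still accepted)
 * and the 48-char drive name from the text (rejected). */
static const char max_drive_path[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAA" ":/x";
static const char long_drive_path[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" ":/x";

/* Scratch buffer standing in for the routine's stack buffer. */
static char drive_buf[DRIVE_BUF_SIZE];

int main(void)
{
    printf("ms0:/PSP/GAME -> %d\n", extract_drive_name("ms0:/PSP/GAME/EBOOT.PBP", drive_buf));
    printf("31-char drive  -> %d\n", extract_drive_name(max_drive_path, drive_buf));
    printf("48-char drive  -> %d\n", extract_drive_name(long_drive_path, drive_buf));
    return 0;
}
```

The important ordering is that the length is computed from the delimiter before anything is copied; a bounded copy alone (a strncpy with a fixed count) would still let an over-long name silently truncate and be treated as valid.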
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
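The disagreement between the two ways of skipping the header, modelled as an added example. This is not loadcore's code: the function names and the hardened shape at the end are assumptions, and only the 64-byte header length and the size field at offset +4 come from the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added model of the ~SCE header handling described above. Not loadcore's
 * code: names and the hardened helper are assumptions. */

#define SCE_HDR_MAGIC 0x4543537Eu   /* "~SCE" read as a little-endian u32 */
#define SCE_HDR_SIZE  64u           /* header length from the text */
#define SAMPLE_LEN    256

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* View 1 (sceKernelCheckExecFile / sceKernelLoadExecutableObject, per the
 * text): a positive sce_size means "skip the fixed 64 bytes". */
size_t skip_fixed(const uint8_t *buf, size_t len)
{
    if (len < SCE_HDR_SIZE || rd32(buf) != SCE_HDR_MAGIC) return 0;
    int32_t sce_size = (int32_t)rd32(buf + 4);
    return sce_size > 0 ? SCE_HDR_SIZE : 0;
}

/* View 2 (sceKernelProbeExecutableObject, per the text): skip sce_size bytes. */
size_t skip_by_field(const uint8_t *buf, size_t len)
{
    if (len < SCE_HDR_SIZE || rd32(buf) != SCE_HDR_MAGIC) return 0;
    int32_t sce_size = (int32_t)rd32(buf + 4);
    if (sce_size <= 0 || (size_t)sce_size > len) return 0;
    return (size_t)sce_size;
}

/* Nonzero when the two views place the payload at different offsets. Any
 * sce_size other than 64 makes them disagree: the probe path inspects one
 * set of bytes while the check/load path works on another. */
int sce_views_disagree(const uint8_t *buf, size_t len)
{
    return skip_fixed(buf, len) != skip_by_field(buf, len);
}

/* One hardened shape (an assumption, not Sony's actual fix): a single helper
 * shared by every consumer, which also refuses a header whose size field is
 * not exactly the header length. Returns 1 and sets *payload_off when the
 * buffer is acceptable, 0 otherwise. */
int sce_header_consistent(const uint8_t *buf, size_t len, size_t *payload_off)
{
    if (len < SCE_HDR_SIZE) return 0;
    if (rd32(buf) != SCE_HDR_MAGIC) { *payload_off = 0; return 1; }  /* no ~SCE header */
    if (rd32(buf + 4) != SCE_HDR_SIZE) return 0;
    *payload_off = SCE_HDR_SIZE;
    return 1;
}

/* Constructed sample: a ~SCE header with the given size field, then filler. */
static void make_sample(uint8_t *out, size_t len, uint32_t sce_size)
{
    memset(out, 0xAA, len);
    memcpy(out, "~SCE", 4);
    for (int i = 0; i < 4; i++) out[4 + i] = (uint8_t)(sce_size >> (8 * i));
}

int sample_disagrees(uint32_t sce_size)
{
    uint8_t buf[SAMPLE_LEN];
    make_sample(buf, sizeof buf, sce_size);
    return sce_views_disagree(buf, sizeof buf);
}

int sample_accepted(uint32_t sce_size)
{
    uint8_t buf[SAMPLE_LEN];
    size_t off = 0;
    make_sample(buf, sizeof buf, sce_size);
    return sce_header_consistent(buf, sizeof buf, &off);
}

int main(void)
{
    printf("sce_size=64:  disagree=%d accepted=%d\n", sample_disagrees(64), sample_accepted(64));
    printf("sce_size=128: disagree=%d accepted=%d\n", sample_disagrees(128), sample_accepted(128));
    return 0;
}
```

The general lesson is the parser-differential one: two code paths that each look correct in isolation become a vulnerability as soon as they derive the same offset from the same field in different ways, so the defensive fix is to compute it in one place and to reject inputs on which the old paths would have differed.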
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 into $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not control the block size. 
This allows crafting a small IPL block that is favourable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL Code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design choice. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) pass.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows the key to be retrieved easily using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block's hash into a running value as the blocks are loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel out the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12066 Vulnerabilities 2023-10-08T22:55:22Z <p>CelesteBlue: /* PS1 Game Savedata */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the red circle 18 logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Harvest Moon: Back To Nature (NPEF00286, NPUJ01115) by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2015-09-28 by qwikrazor87 or Acid_snake.<br /> <br /> Once you have installed the exploit file, start Harvest Moon, then after about 20 seconds the screen should flash white.<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than through loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to the PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, in the PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never pursued this vulnerability as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) so that it works with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> 
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> There is a time-of-check to time-of-use exploit in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> 
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security much, because most new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so the person who patched it must have been someone else who did not believe such a mistake could exist. 
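What a k1 check is guarding, as an added example written for this page rather than taken from the PSP kernel or from any project linked here: a simplified model of an exported kernel function that fills a caller-supplied buffer, once with no check on the caller (the situation described above for the ported sceWlanDrv functions) and once with the check added before any memory access. The address rule is the MIPS convention that every kernel segment has bit 31 set; the two simulated memory windows, their sizes, the error codes and the 0xAA fill pattern are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not the PSP kernel's own code. Two small simulated memory
 * windows stand in for user RAM and kernel RAM; the base addresses follow the
 * MIPS layout (bit 31 set = kernel segment) but the window sizes are constructed. */
#define USER_BASE   0x08800000u
#define KERNEL_BASE 0x88000000u
static uint8_t sim_user[64];
static uint8_t sim_kernel[64];

enum caller { CALLER_KERNEL = 0, CALLER_USER = 1 };

#define ERR_ILLEGAL_ADDR (-1)   /* constructed error codes for the model */
#define ERR_UNMAPPED     (-2)

/* The "k1 check": a function entered from user mode may only touch user memory.
 * Every byte of [addr, addr + len) must be below 0x80000000, with no wrap-around. */
int user_range_ok(uint32_t addr, uint32_t len, enum caller who)
{
    if (who == CALLER_KERNEL || len == 0) return 1;   /* kernel callers are trusted */
    uint32_t last = addr + len - 1;
    if (last < addr) return 0;                        /* wraps around the address space */
    if ((addr | last) & 0x80000000u) return 0;        /* some byte lies in a kernel segment */
    return 1;
}

/* Back end shared by both exports: resolve the simulated address, then fill it. */
static uint8_t *resolve(uint32_t addr, uint32_t len)
{
    if (addr >= USER_BASE && addr - USER_BASE + len <= sizeof sim_user)
        return sim_user + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr - KERNEL_BASE + len <= sizeof sim_kernel)
        return sim_kernel + (addr - KERNEL_BASE);
    return NULL;
}

static int copy_out(uint32_t dst, uint32_t len)
{
    uint8_t *p = resolve(dst, len);
    if (p == NULL) return ERR_UNMAPPED;
    memset(p, 0xAA, len);        /* stand-in for whatever data the real export returns */
    return (int)len;
}

/* Export as the page describes the ported functions: no check on the caller at all. */
int export_unchecked(uint32_t dst, uint32_t len, enum caller who)
{
    (void)who;
    return copy_out(dst, len);
}

/* Same export with the k1 check where it belongs: before any memory access. */
int export_checked(uint32_t dst, uint32_t len, enum caller who)
{
    if (!user_range_ok(dst, len, who)) return ERR_ILLEGAL_ADDR;
    return copy_out(dst, len);
}

/* 1 if a call has modified the simulated kernel window, 0 otherwise. */
int kernel_window_tainted(void)
{
    for (size_t i = 0; i < sizeof sim_kernel; i++)
        if (sim_kernel[i] != 0) return 1;
    return 0;
}

int main(void)
{
    printf("checked, user ptr from user:     %d\n", export_checked(USER_BASE, 16, CALLER_USER));
    printf("checked, kernel ptr from user:   %d\n", export_checked(KERNEL_BASE, 16, CALLER_USER));
    printf("kernel window tainted so far:    %d\n", kernel_window_tainted());
    printf("unchecked, kernel ptr from user: %d\n", export_unchecked(KERNEL_BASE, 16, CALLER_USER));
    printf("kernel window tainted now:       %d\n", kernel_window_tainted());
    return 0;
}
```

The check is deliberately done on the whole range, not just the first byte: a user buffer that starts just below 0x80000000 but ends above it would otherwise let the last bytes of the copy land in kernel space, and a length that wraps the 32-bit address space would pass a naive start-and-end comparison.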
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60 sceWlanGetEtherAddr function is k1-checked but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of lacking k1 checks, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita kermit_wlan.prx module, not PSP wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of 1.80 PS Vita's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to make any PSP kernel dump and the first PS Vita's PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR in PSP nor PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug, but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to the kernel.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The vulnerability is located in a subroutine in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, a drive name supplied by the user that is big enough will overwrite the rest of the stack-based values, the return address for example. Hence a drive name of 48 chars (plus an extra ':' char to end the loop), whose chars 44 to 47 contain an address of an arbitrary position in memory (pointing to a function of ours for example), allows us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps directly to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
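The two unchecked-copy patterns on this page, the GTA LCS savedata .size field (PSP Game Savedata section above) and the loadexec drive-name copy just described, modelled in C beside their hardened forms. This is an added example written for this page, not code from the games, from loadexec.prx or from any linked project. The savedata layout (4 magic bytes, a little-endian .size at offset 4, then the body) and the 64-byte destination buffer are constructed for the demo; only the offset of .size, the 48-byte stack frame and the 0x1F length limit come from the text, and the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Pattern 1: a length field trusted by the copy (GTA LCS savedata) ----
 * Constructed layout, not the real DATA.BIN: 4 magic bytes, a 32-bit
 * little-endian .size at offset 4 (the offset the page gives), then the body. */
#define SAVE_BODY_MAX 64u   /* assumed size of the fixed stack buffer */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable form: copies .size bytes into a fixed stack buffer. Kept only for
 * comparison; call it solely with a blob whose .size is known to fit. */
int load_save_unchecked(const uint8_t *blob, size_t blob_len)
{
    uint8_t body[SAVE_BODY_MAX];
    if (blob_len < 8) return -1;
    uint32_t size = le32(blob + 4);
    memcpy(body, blob + 8, size);           /* overflows body when size > SAVE_BODY_MAX */
    return (int)size;
}

/* Hardened form: .size must fit both the buffer and the bytes actually present. */
int load_save_checked(const uint8_t *blob, size_t blob_len)
{
    uint8_t body[SAVE_BODY_MAX];
    if (blob_len < 8) return -1;
    uint32_t size = le32(blob + 4);
    if (size > SAVE_BODY_MAX || size > blob_len - 8) return -2;   /* reject before copying */
    memcpy(body, blob + 8, size);
    return (int)size;
}

/* ---- Pattern 2: a delimiter-terminated copy with no bound (loadexec) ---- */
#define DRIVE_STACK 48u     /* page: 48 bytes of stack, return address at bytes 44..47 */
#define DRIVE_MAX   0x1Fu   /* page: newer loadexec errors on names longer than 0x1F bytes */

/* Vulnerable form: copies until ':' and never looks at how far it has gone. */
int drive_name_unchecked(const char *path)
{
    char drive[DRIVE_STACK];
    size_t i = 0;
    if (path[0] == '\0' || path[0] == ':') return -1;
    while (path[i] != '\0' && path[i] != ':') {   /* i is never compared to DRIVE_STACK */
        drive[i] = path[i];
        i++;
    }
    drive[i] = '\0';
    return (int)i;
}

/* Hardened form: measure first, refuse before anything is copied. */
int drive_name_checked(const char *path, char *out, size_t out_len)
{
    const char *colon = strchr(path, ':');
    if (colon == NULL || colon == path) return -1;      /* no drive part */
    size_t len = (size_t)(colon - path);
    if (len > DRIVE_MAX || len >= out_len) return -2;   /* too long: error, as newer firmware does */
    memcpy(out, path, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed inputs; each check_* returns the hardened parser's verdict. */
int check_save_ok(void)
{
    uint8_t blob[8 + 16] = { 'S', 'A', 'V', 'E', 16, 0, 0, 0 };    /* .size = 16, fits */
    return load_save_checked(blob, sizeof blob);                    /* 16 */
}

int check_save_oversized(void)
{
    uint8_t blob[8 + 200] = { 'S', 'A', 'V', 'E', 200, 0, 0, 0 };  /* .size = 200 > 64 */
    return load_save_checked(blob, sizeof blob);                    /* -2 */
}

int check_drive_ok(void)
{
    char out[DRIVE_STACK];
    int len = drive_name_checked("ms0:/PSP/GAME/EBOOT.PBP", out, sizeof out);
    return (len == 3 && strcmp(out, "ms0") == 0) ? len : -99;       /* 3 */
}

int check_drive_oversized(void)
{
    char path[64], out[DRIVE_STACK];
    memset(path, 'A', 50);          /* a 50-byte "drive name", longer than the 48-byte frame */
    path[50] = ':';
    path[51] = '\0';
    return drive_name_checked(path, out, sizeof out);               /* -2 */
}

int main(void)
{
    printf("save: ok=%d oversized=%d\n", check_save_ok(), check_save_oversized());
    printf("drive: ok=%d oversized=%d\n", check_drive_ok(), check_drive_oversized());
    return 0;
}
```

Both fixes share one shape: the bound is derived from the destination, never from the input, and the decision is taken before the first byte is copied, which is also what the later loadexec length check described above does.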
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the memory stick, after a valid ELF had been loaded, with one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function sceKernelCheckExecFile just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading aspect of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX meta-data, skips past sce_size bytes. 
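To make the three readings of the header concrete, here is an added C example (mine, not loadcore's code) that computes the offset each path uses for the same constructed file, next to a single checked offset computation that refuses any header the two paths would read differently. The 64-byte header and the sce_size field at +4 come from the description above; the "~SCE" magic bytes, the little-endian field, the filler payload and all function names are my assumptions, and the hardened variant is my suggestion rather than the fix Sony shipped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the three readings of the ~SCE header, written for this page;
 * not loadcore's code. From the page: 64-byte header, 32-bit sce_size at +4;
 * the decrypt/load paths skip a fixed 64 bytes when sce_size is positive, the
 * probe path skips sce_size bytes. Assumed: "~SCE" magic, little-endian field,
 * and all function names. */

#define SCE_HEADER_LEN 64u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int has_sce_header(const uint8_t *buf, size_t len)
{
    return len >= SCE_HEADER_LEN && memcmp(buf, "~SCE", 4) == 0;
}

/* What sceKernelCheckExecFile / sceKernelLoadExecutableObject skip. */
size_t sce_skip_fixed(const uint8_t *buf, size_t len)
{
    if (!has_sce_header(buf, len))
        return 0;
    return (int32_t)rd_le32(buf + 4) > 0 ? SCE_HEADER_LEN : 0;
}

/* What sceKernelProbeExecutableObject skips: the field itself (clamped to len). */
size_t sce_skip_by_field(const uint8_t *buf, size_t len)
{
    int32_t sce_size;

    if (!has_sce_header(buf, len))
        return 0;
    sce_size = (int32_t)rd_le32(buf + 4);
    if (sce_size <= 0)
        return 0;
    return (size_t)sce_size < len ? (size_t)sce_size : len;
}

/* Hardened variant (my suggestion; the page does not describe the 6.35 fix):
 * compute the ELF offset once and refuse a header whose field does not equal
 * the fixed header length, so probe and loader can never see different ELFs.
 * Returns 0 and sets *elf_off on success, -1 when the file is rejected. */
int sce_elf_offset_checked(const uint8_t *buf, size_t len, size_t *elf_off)
{
    if (!has_sce_header(buf, len)) {
        *elf_off = 0;                         /* no optional header present */
        return 0;
    }
    if ((int32_t)rd_le32(buf + 4) != (int32_t)SCE_HEADER_LEN)
        return -1;                            /* inconsistent header: reject */
    *elf_off = SCE_HEADER_LEN;
    return 0;
}

/* Constructed sample file: a ~SCE header carrying sce_size, then 128 filler
 * bytes standing in for the ELF. Returns the sample length. */
static size_t make_sample(uint8_t *buf, size_t bufsz, int32_t sce_size)
{
    uint32_t v = (uint32_t)sce_size;

    memset(buf, 0xAA, bufsz);
    memcpy(buf, "~SCE", 4);
    buf[4] = (uint8_t)v;
    buf[5] = (uint8_t)(v >> 8);
    buf[6] = (uint8_t)(v >> 16);
    buf[7] = (uint8_t)(v >> 24);
    return bufsz;
}

/* Wrappers running one sce_size through each path; sample_checked returns the
 * accepted ELF offset or -1 when the hardened check rejects the sample. */
long sample_fixed(int32_t sce_size)
{
    uint8_t buf[SCE_HEADER_LEN + 128];
    return (long)sce_skip_fixed(buf, make_sample(buf, sizeof buf, sce_size));
}
long sample_by_field(int32_t sce_size)
{
    uint8_t buf[SCE_HEADER_LEN + 128];
    return (long)sce_skip_by_field(buf, make_sample(buf, sizeof buf, sce_size));
}
long sample_checked(int32_t sce_size)
{
    uint8_t buf[SCE_HEADER_LEN + 128];
    size_t len = make_sample(buf, sizeof buf, sce_size), off;
    return sce_elf_offset_checked(buf, len, &off) == 0 ? (long)off : -1L;
}

int main(void)
{
    int32_t sizes[] = { 64, 128, -1 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("sce_size=%4d: loader skips %ld, probe skips %ld, checked -> %ld\n",
               (int)sizes[i], sample_fixed(sizes[i]), sample_by_field(sizes[i]),
               sample_checked(sizes[i]));
    return 0;
}
```

With sce_size = 64 all three agree; with sce_size = 128 the loader still skips 64 bytes while the probe skips 128, which is exactly the split the paragraph describes, and the checked variant refuses the file instead of letting two consumers disagree about where the ELF begins.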
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Else (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (value at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # store coprocessor $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to register $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain Lib-PSP iplloader time code execution.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not control the block size. 
This allows crafting a small IPL block, which is favorable for the time-attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus to gain execution at IPL time without knowing the XOR key, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for the Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from the uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, the key is cleared much earlier; this, however, results in the cache being synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash into a running value as the blocks are loaded, and then uses this final XOR to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12065 Vulnerabilities 2023-10-08T22:49:20Z <p>CelesteBlue: /* Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> * ULUS10041 unpatched and patched UMDs look exactly the same; only the small codes are different.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but on the patched 2.60 UMD the 18 red circle logo is not present on the spine.<br /> <br /> Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> Discovered around 2014-09-12 by qwikrazor87.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, and it led to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain, which we cannot forge.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The infinity installer actually excludes some features (location free TV) so everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, in the PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time.<br /> <br /> This vulnerability only affects PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It involves AES enc/dec (using the sceChnnlsv buffer in kernel RAM for the fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> 
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> There is a time-of-check to time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> 
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When an overly long string is passed as argument, the overflowing content can be crafted to overwrite the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> Whoever ported PSP's sceWlanDrv to PS Vita's kermit did not understand PSP kernel security well, because most new and rewritten functions did not perform any k1 check. On PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that similar vulnerabilities were plentiful in the same module, so the person who patched it must have been someone else who did not believe such a mistake could exist. 
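Added host-side illustration of the k1 check these functions lacked (example code written for this page, not SCE's kermit_wlan code nor ARK's): a kwrite-shaped export that stores a kernel-held 6-byte value at a caller-supplied pointer, first without and then with the $k1 test. It assumes the public pspsdk/uofw convention that $k1 holds 0x00100000 for a user-mode caller and 0 for a kernel-mode caller, and that kernel code shifts it left by 11 and ANDs it with each pointer and size (the pspK1* buffer check); the sample ethernet address and the addresses tried are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Host-side model (constructed for this page, not SCE/ARK code) of the PSP
 * $k1 convention: the syscall handler leaves 0x00100000 in $k1 for a user-mode
 * caller and 0 for a kernel-mode caller. Kernel code shifts it left by 11,
 * giving 0x80000000 for user callers, and ANDs it with every pointer and size
 * it received: a non-zero result means "user mode handed us a kernel address". */
#define K1_USER   0x00100000u
#define K1_KERNEL 0x00000000u
#define SCE_KERNEL_ERROR_ILLEGAL_ADDR ((int)0x800200D3)  /* pspsdk's value */

/* Constructed sample MAC; on real hardware it comes from the WLAN chip. */
static const uint8_t g_ether_addr[6] = { 0x00, 0x1D, 0xD9, 0x12, 0x34, 0x56 };

/* Records what a write would have touched instead of touching real memory. */
typedef struct { uint32_t addr; uint32_t len; int performed; } kwrite_log_t;

static uint32_t shift_k1(uint32_t k1) { return k1 << 11; }

/* Buffer test in the shape of uofw's pspK1StaBufOk (name assumed): start,
 * length and end of the buffer must all lack bit 31. Including ptr+size
 * catches a user buffer that wraps into kernel space; the 32-bit addition
 * wraps on purpose. */
static int k1_buf_ok(uint32_t sk1, uint32_t ptr, uint32_t size)
{
    return ((ptr | size | (ptr + size)) & sk1) == 0;
}

/* Vulnerable shape (the PS Vita <= 1.80 port): never looks at $k1, so a user
 * caller can point dest at 0x88xxxxxx kernel RAM or at a hardware register. */
int get_ether_addr_unchecked(uint32_t k1, uint32_t dest, kwrite_log_t *log)
{
    (void)k1;
    log->addr = dest;
    log->len = sizeof g_ether_addr;
    log->performed = 1;   /* memcpy(dest, g_ether_addr, 6) would happen here */
    return 0;
}

/* Hardened shape (PSP 6.60 behaviour): refuse before any write takes place. */
int get_ether_addr_checked(uint32_t k1, uint32_t dest, kwrite_log_t *log)
{
    uint32_t sk1 = shift_k1(k1);
    if (!k1_buf_ok(sk1, dest, sizeof g_ether_addr)) {
        log->performed = 0;
        return SCE_KERNEL_ERROR_ILLEGAL_ADDR;
    }
    log->addr = dest;
    log->len = sizeof g_ether_addr;
    log->performed = 1;
    return 0;
}

int main(void)
{
    struct { const char *what; uint32_t k1; uint32_t dest; } cases[] = {
        { "user caller, user RAM",           K1_USER,   0x08900000u },
        { "user caller, kernel RAM",         K1_USER,   0x88000000u },
        { "user caller, hardware register",  K1_USER,   0xBC100000u },
        { "user caller, buffer wrapping up", K1_USER,   0x7FFFFFFEu },
        { "kernel caller, kernel RAM",       K1_KERNEL, 0x88000000u },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        kwrite_log_t a, b;
        int ra = get_ether_addr_unchecked(cases[i].k1, cases[i].dest, &a);
        int rb = get_ether_addr_checked(cases[i].k1, cases[i].dest, &b);
        printf("%-32s unchecked: %-7s checked: %s\n", cases[i].what,
               (ra == 0 && a.performed) ? "wrote" : "refused",
               (rb == 0 && b.performed) ? "wrote" : "refused");
    }
    return 0;
}
```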
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere it belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60, the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even in kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in PS Vita's kermit_wlan.prx module, not in PSP's wlan.prx.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of PS Vita 1.80's ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed in. As there is no DACR on PSP nor in PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times; on each iteration, you determine the value of the current bit (0 or 1) with a single comparison.<br /> <br /> This vulnerability was used privately by davee to dump the kernel of any PSP and to make the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed in. As there is no DACR on PSP nor in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to bruteforce the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Because of missing k1 checks, sceDRMInstallGetFileInfo allows a memset anywhere in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory has to be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is to modify the 0xBC000000 memory permission so as to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path, and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (bytes 44 to 47). It starts by checking the first char of the string to see if the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is big enough, it will overwrite the rest of the stack-based values, such as the return address. Hence a drive name of 48 chars (plus an extra ':' char to end the loop) which carries, in chars 44 to 47, an address to an arbitrary position in memory (pointing to a function of ours, for example) will allow us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps straight to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
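Added host-side model of the routine described above (example code written for this page, not hitchhikr's exploit nor SCE's loadexec.prx): the 48-byte frame is an array with the saved return address at bytes 44 to 47, and the 2.01-2.60 copy loop sits next to the 0x1F-bounded check of later firmware. The sentinel return address 0x8800A5A5, the address 0x08901234 placed in the name, the error value and the path suffix are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_SIZE    48     /* stack bytes allocated by the drive-check routine */
#define RA_OFFSET     44     /* saved return address occupies bytes 44..47 */
#define MAX_DRIVE_LEN 0x1F   /* limit added in later System Software versions */
#define ERR_BAD_DRIVE (-1)   /* constructed; the real error value is not given */

/* Host-side model (constructed for this page) of the routine's stack frame.
 * Allegrex is little-endian, so the return address is stored LSB first. */
typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

void frame_init(frame_t *f, uint32_t ra)
{
    memset(f->bytes, 0, sizeof f->bytes);
    for (int i = 0; i < 4; i++)
        f->bytes[RA_OFFSET + i] = (uint8_t)(ra >> (8 * i));
}

/* The address the routine will jump to when it returns. */
uint32_t frame_ra(const frame_t *f)
{
    uint32_t ra = 0;
    for (int i = 0; i < 4; i++)
        ra |= (uint32_t)f->bytes[RA_OFFSET + i] << (8 * i);
    return ra;
}

/* Vulnerable shape (2.01-2.60): copy the drive name into the frame up to the
 * ':' terminator with no length check. Returns the return address the frame
 * now holds, so the effect of an overlong name is visible to the caller. */
uint32_t drive_check_vulnerable(const char *path, frame_t *f)
{
    if (path[0] == '\0')            /* empty drive name: nothing is copied */
        return frame_ra(f);
    for (size_t i = 0; path[i] != ':' && path[i] != '\0'; i++) {
        /* The FRAME_SIZE and NUL stops only keep this host model memory-safe;
         * the real routine stops at ':' alone. */
        if (i < FRAME_SIZE)
            f->bytes[i] = (uint8_t)path[i];
    }
    return frame_ra(f);
}

/* Fixed shape (later firmware): measure the drive name first and refuse
 * anything longer than 0x1F bytes, so the copy can never reach offset 44. */
int drive_check_fixed(const char *path, frame_t *f)
{
    const char *colon = strchr(path, ':');
    size_t len = colon ? (size_t)(colon - path) : strlen(path);
    if (len > MAX_DRIVE_LEN)
        return ERR_BAD_DRIVE;
    memcpy(f->bytes, path, len);
    return 0;
}

/* Builds the 48-char drive name from the description: 44 filler bytes, then an
 * address little-endian in chars 44..47, then ':' and a path. Returns 0 when a
 * byte of the address is NUL, which a C string path could not carry. */
int build_overlong_drive_path(uint32_t target, char *out, size_t cap)
{
    const char *rest = "/EBOOT.PBP";
    if (cap < FRAME_SIZE + 1 + strlen(rest) + 1)
        return 0;
    memset(out, 'A', RA_OFFSET);
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(target >> (8 * i));
        if (b == 0)
            return 0;
        out[RA_OFFSET + i] = (char)b;
    }
    out[FRAME_SIZE] = ':';
    strcpy(out + FRAME_SIZE + 1, rest);
    return 1;
}

int main(void)
{
    frame_t f;
    char path[64];
    frame_init(&f, 0x8800A5A5u);
    printf("normal path, vulnerable routine: returns to 0x%08X\n",
           drive_check_vulnerable("ms0:/PSP/GAME/HELLO/EBOOT.PBP", &f));
    build_overlong_drive_path(0x08901234u, path, sizeof path);
    frame_init(&f, 0x8800A5A5u);
    printf("48-char drive, vulnerable routine: returns to 0x%08X\n",
           drive_check_vulnerable(path, &f));
    frame_init(&f, 0x8800A5A5u);
    printf("48-char drive, fixed routine: rc=%d, returns to 0x%08X\n",
           drive_check_fixed(path, &f), frame_ra(&f));
    return 0;
}
```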
See sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one that contained an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused, other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function, sceKernelCheckExecFile, just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, features an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part, at the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset back to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the word at 0xBC100000) is not equal to zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor 0 control register $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coproc $9) is equal to 0, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (value initially set in coproc $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not check the location at which it loads/copies the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows a payload to be written to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed a &quot;valid&quot; block to be crafted in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows a small IPL block, favourable for the time-attack, to be crafted.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design decision. <br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, so that knowledge of the XOR key is not required to gain execution at IPL time, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) pass.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows the key to be retrieved from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This makes it easy to retrieve the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be that Tachyon 0x00600000 and later Lib-PSP iplloader versions fix this issue, it is irrelevant, because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the IPL block hashes as the blocks are loaded, and then uses this final XOR value to verify the signature.<br /> <br /> This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block's checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue http://www.psdevwiki.com/psp/index.php?title=Vulnerabilities&diff=12064 Vulnerabilities 2023-10-08T22:47:18Z <p>CelesteBlue: /* Tekken 2 by qwikrazor87 and Acid_snake */</p> <hr /> <div>= Usermode =<br /> <br /> == Exploits to sort ==<br /> <br /> https://www.psdevwiki.com/psp/Homebrew_Enabler<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History<br /> <br /> https://en.wikibooks.org/wiki/PSP/PS_Vita_Exploit_Table<br /> <br /> https://www.psdevwiki.com/vita/Non-native_Exploits<br /> <br /> 
https://web.archive.org/web/20150902210716/http://www.zload.net/bilder/PSVita/VitaExploitChart.png<br /> <br /> https://hackinformer.com/2015/01/14/psvita-fw-3-36-its-just-another-useless-update/<br /> <br /> https://wololo.net/2014/09/14/the-day-the-vita-scene-imploded-more-than-50-psp-game-exploits-leaked/<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> == PSP Game Savedata ==<br /> <br /> === Before PS Vita era ===<br /> <br /> ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ====<br /> <br /> Discovered by Edison Carter.<br /> <br /> The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. 
Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it.<br /> <br /> The exploit was patched in a second batch of UMD prints.<br /> <br /> Germany version:<br /> * ULES00182 - Unpatched - Contains 2.00 System Software update.<br /> <br /> Europe (UK/EU) version:<br /> * ULES00151 first batch - Unpatched - Contains 2.00 System Software update.<br /> * ULES00151 second batch - Patched - Contains 2.60 System Software update.<br /> <br /> North America (US) version:<br /> * ULUS10041 - Unpatched - Contains UPDL 0048501A 5, plus IFPI L332 in very small letters on the UMD.<br /> * ULUS10041 - Patched - Contains UPDL 010050 on the UMD.<br /> <br /> Unpatched and patched ULUS10041 UMDs look exactly the same; only the small codes differ.<br /> <br /> The 18 logo in a red circle is present on the spine of the pre-2.60 UMD, but absent from the spine of the patched 2.60 UMD.<br /> <br /> Another indication is the copyright date: if it is 2005 the disc is unpatched; if it is 2006 it is patched.<br /> <br /> ==== Lumines (Illuminati exploit): PSP &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== Gripshift by Matiaz: PSP &lt;= 5.02?-5.03?. Patched 5.05 ====<br /> <br /> ==== Patapon 2 demo (USA) by Malloxis: PSP &lt;= ?6.20? ====<br /> <br /> ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP &lt;=? 
====<br /> <br /> 2009-07-10<br /> <br /> https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/<br /> <br /> https://www.brewology.com/downloads/download.php?id=9900<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit<br /> <br /> === During PS Vita era ===<br /> <br /> ==== Everybody's Tennis (UCES01420, UCUS98701, UCJS10101, UCAS40307) by wololo: &lt;= 1.61 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/tennis_hk/<br /> <br /> ==== Motorstorm: Arctic Edge (UCES01250, NPHG00023, NPJG00047, NPHG00023) by wololo: &lt;= 1.61. Patched 1.65 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/motor_hk/<br /> <br /> ==== Super Collapse 3 (ULES01027, ULUS10287, NPHH00031) by Bryan Keller and TheCobra: &lt;= 1.67. Patched 1.69?0?, 2014-11-10 ====<br /> <br /> https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/sc3_us/<br /> <br /> ==== Monster Hunter Freedom Unite (ULES01213, ULUS10391), Monster Hunter Freedom 2 (ULES00851), Monster Hunter Portable 2ndG (ULJM05500), Monster Hunter Portable 3rd (ULJM05800): &lt;= 1.80. 
Patched 1.81 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhfu_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhf2_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp2g_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mhp3_jp/<br /> <br /> ==== Mad Blocker Alpha: Revenge of the Fuzzies (NPEZ00327, NPUZ00210) by Frostegater: &lt;= 1.81. Patched on 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/mbm_us/<br /> <br /> ==== Gravity Crash Portable (NPEG00020, NPUG80321, NPJG00044, NPHG00038) by teck4 and Frostegater: &lt;= 1.81 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_jp/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/gcp_hk/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) first exploit: &lt;= 1.81. Patched 2.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/urbanix_jp/<br /> <br /> ==== UNO (NPEH00020, NPUH10027, NPJH00016) by xiaolin, zer01ne, MaxiExtreme and Frostegater: &lt;= 2.02. 
Patched 2.05 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/uno_jp/<br /> <br /> ==== Dissidia Duodecim: &lt;= 2.05 ====<br /> <br /> ==== Apache Overkill by Tomtomdu80: &lt;= 2.06 ====<br /> <br /> ==== Gamocracy One: Legend of Robot (Europe), Gamocracy One: Legend of Robot (USA) by qwikrazor87: &lt;= 2.12 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Arcade Darts (NPEZ00053, NPUZ00097), Arcade Essentials Evolution (NPUZ00258) first exploit by Acid_snake: &lt;= 2.60. Patched 2.61 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ad_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/aee_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wop/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/php/<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: &lt;= 2.61 ====<br /> <br /> ==== Pipe Madness by Frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Jewel Keepers: &lt;= 2.61. Patched 3.00 ====<br /> <br /> ==== Half Minute Hero (ULES01359, ULUS10491, ULJS00195) by Yosh and jigsaw: &lt;= 2.61. 
Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_us/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/half_min_hero_jp/<br /> <br /> ==== FieldRunners (NPEZ00098, NPUZ00014) by frostegater: &lt;= 2.61. Patched 3.00 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_eu/<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/field_us/<br /> <br /> ==== Urbanix (NPEZ00176, NPUZ00077, NPJH00082) second exploit by qwikrazor87: &lt;= 3.00 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=36217<br /> <br /> ==== Cubixx: &lt;= 3.00. Patched 3.01 ====<br /> <br /> ==== Ben 10 Alien Force: Vilgax Attacks: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== King Of Pool by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> This game was exploited 4 times and fixed 4 times.<br /> <br /> ==== Tiny Hawk (NPEZ00434) by qwikrazor87 ====<br /> <br /> Not exploited.<br /> <br /> ==== 101-in-1 Megamix by xerpi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Fifa 2011, Fifa 2012: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Persona 2: Innocent Sin, Persona 2: Tsumi: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== Arcade Air Hockey &amp; Bowling (Europe, NPUZ00103), Arcade Pool &amp; Snooker (Europe, USA), World of Pool (ULES00821), Pool Hall Pro (NPUH10091) second exploit by qwikrazor87: &lt;= 3.01. Patched 3.10 ====<br /> <br /> ==== &quot;Jikkyou Powerful Pro Yakyu 2012 Ketteiban&quot; (Japanese: 実況パワフルプロ野球 2012決定版): &lt;= 3.12 ====<br /> <br /> ==== MyStylist: &lt;= 3.15 ====<br /> <br /> ==== Skate Park City: &lt;= 3.15. 
Patched 3.18 ====<br /> <br /> ==== Space Invaders Extreme: &lt;= 3.18 ====<br /> <br /> ==== Z.H.P.: Unlosing Ranger VS Darkdeath Evilman (NPEH00099, ULUS10559, ULJS00262) by KanadeEngel and qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://wololo.net/talk/viewtopic.php?t=39771<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/glad_beg_demo_eu/<br /> <br /> ==== Vertigo (NPUH10092) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/vertigo/<br /> <br /> ==== Widget's Odyssey 2 (NPEZ00149, NPUZ00055) by qwikrazor87: &lt;= 3.18 ====<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/<br /> <br /> ==== Patapon 1: &lt;= 3.18 ====<br /> <br /> ==== Talkman Travel: Tokyo: &lt;= 3.18 ====<br /> <br /> ==== Go! 
Sudoku (UCES00152): &lt;= 3.30 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Arcade Darts: &lt;= 3.36 ====<br /> <br /> ==== Patapon 2 non-demo (UCES01177): &lt;= 3.36 ====<br /> <br /> https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/<br /> <br /> https://github.com/TheOct0/patapon_exploit<br /> <br /> https://github.com/wololo-learning-journey/patapon_exploit<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> https://wololo.net/talk/viewtopic.php?f=53&amp;t=41343<br /> <br /> ==== Numblast: &lt;= 3.36 ====<br /> <br /> ==== Hot Brain: &lt;= 3.36 ====<br /> <br /> ==== Hatsune Miku: Project DIVA extend: &lt;= 3.36 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Ape Escape: On the Loose: &lt;= 3.50. Patched 3.51 ====<br /> <br /> ==== &quot;Toukiden: Kiwami (DEMO)&quot; (討鬼伝 極 体験版) by 173210: &lt;= 3.51 ====<br /> <br /> https://code.google.com/archive/p/valentine-hbl/source/default/source<br /> <br /> ==== Puzzle Scape: &lt;= 3.52 ====<br /> <br /> ==== World of Pool, Pool Hall Pro: &lt;= 3.52 ====<br /> <br /> ==== Metal Gear Solid Portable OPS+ by 173210: &lt;= 3.57 ====<br /> <br /> https://github.com/173210/psp_exploits/<br /> <br /> === After PS Vita era ===<br /> <br /> ==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ====<br /> <br /> https://github.com/ChampionLeake/scrabblehax<br /> <br /> ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ====<br /> <br /> https://github.com/ChampionLeake/SudokuSTACK<br /> <br /> === Remarks ===<br /> <br /> PSP demos are usually not exploitable because they do not use the savedata feature. 
Patapon 2 has been an exception to this up to PS Vita System Software version 3.18/3.20, at least.<br /> <br /> https://wololo.net/2014/04/18/pspvita-how-to-find-your-own-exploits/<br /> <br /> http://wololo.net/2009/03/11/finding-gamesaves-exploits-on-the-psp/<br /> <br /> https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/<br /> <br /> == PS1 Game Savedata ==<br /> <br /> === Tekken 2 by qwikrazor87 or Acid_snake ===<br /> <br /> Discovered around 2014-02-10 by qwikrazor87 or Acid_snake.<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Sports Superbike 2 / XS Moto by qwikrazor87 and Acid_snake ===<br /> <br /> Implemented in TN-X by Total_Noob and qwikrazor87.<br /> <br /> https://wololo.net/downloads/index.php/download/8275<br /> <br /> https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html<br /> <br /> === Castlevania Chronicles (NPUJ01384) by ChampionLeake ===<br /> <br /> https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities<br /> <br /> https://github.com/socram8888/tonyhax/issues/39<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 2: Cortex Strikes Back by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Crash Bandicoot 3: Warped by ?alex-free? ===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Doki Oki (Japanese: 土器王紀) (NPJJ00560) by ?alex-free? 
===<br /> <br /> https://alex-free.github.io/tonyhax-international/save-game-exploit.html<br /> <br /> === Exploitable PS1 games not available officially on PSP ===<br /> <br /> Compare with the [https://www.psdevwiki.com/ps1/index.php?title=Vulnerabilities list of PS1 vulnerabilities on the PS1 dev wiki].<br /> <br /> == System ==<br /> <br /> === libtiff exploit #1 (TIFF Exploit 2.00): PSP &lt;= 2.00 ===<br /> <br /> Discovered on 2005-09-23 by Niacin and Skylark.<br /> <br /> The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute usermode code.<br /> <br /> Implemented in downgraders (like the MPH downgrader to 1.50) and in eLoader by Fanjita.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #2 (TIFF Exploit 2.71): PSP &lt;= 2.71 ===<br /> <br /> Discovered in 2006-09.<br /> <br /> Implemented in Kriek eLoader and xLoader by Team N00bz.<br /> <br /> https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit<br /> <br /> === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP &lt;= 4.20 ===<br /> <br /> Discovered in 2008-08. Released on 2009-03-15.<br /> <br /> https://wololo.net/2009/03/15/so-what-about-the-libtiff-vulnerability/<br /> <br /> https://www.youtube.com/watch?v=RUJnXADjxsw<br /> <br /> https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/<br /> <br /> === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP &lt;= 5.05 ===<br /> <br /> Discovered on 2009-03-15 by Malloxis. 
Released on 2009-04-12 by Matiaz and davee.<br /> <br /> https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World<br /> <br /> https://wololo.net/2009/04/13/eggsplanations/<br /> <br /> https://www.youtube.com/watch?v=wV21QqQmX_o<br /> <br /> === Unsigned System PRX allowed: PSP &lt;= 6.20 ===<br /> <br /> Discovered in 2011 by kgsws.<br /> <br /> When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed anyone to sign their own usermode applications. HEN/CFW can be loaded much faster through a signed application than by loading a game. We can now sign our own vshmain and replace a step in the bootchain.<br /> <br /> kgsws first demonstrated this bootchain injection back in 2011, which led to the creation of the 6.20 permanent custom firmware. Sony patched this in later firmware by applying an ECDSA signature, which we cannot forge, to the PRX files in the bootchain.<br /> <br /> Fixed: since PSP System Software version 6.30.<br /> <br /> === Old System PRX allowed ===<br /> <br /> Discovered around 2005.<br /> <br /> It is possible to overwrite the PSP flash memory with older System Software files. The version of these files is not checked.<br /> <br /> Back in the SE/OE firmware days, there was a 1.50 / 2.71 hybrid firmware.<br /> <br /> Infinity 1 uses a built-in 6.31 FW and reloads into 6.60/6.61 FW with patches. The catalyst for this hybrid firmware is the giraffe bug applied to systimer.prx. I chose this specific module only due to its size. Weighing in at only 3 KB compressed and 7 KB uncompressed, it is the smallest PRX before init.prx. Size is important here – the PSP NAND is nearly at capacity under normal circumstances so we have to make savings. In fact, on the original phat PSP the NAND cannot contain both 6.61 and the 6.31 subset firmware. 
The Infinity installer actually excludes some features (Location Free TV) so that everything important can be installed.<br /> <br /> Infinity 2 uses a signed usermode system PRX.<br /> <br /> https://github.com/DaveeFTW/Infinity<br /> <br /> https://infinity.lolhax.org/<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> The same vulnerability is present, at least partially, on the PS3 even on the latest System Software version. It allows downgrading the WebKit version in order to exploit it.<br /> <br /> Fixed: no.<br /> <br /> === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake ===<br /> <br /> There is a buffer overflow vulnerability in the POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability, as they were looking for an exploit compatible with the PS Vita at the time.<br /> <br /> This vulnerability only affects the PSP's PS1emu memory card manager, not the PS1, PS2, PS3 or PS4's PS1emu memory card managers.<br /> <br /> = Kernel =<br /> <br /> == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.74 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion<br /> <br /> https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> It relies on AES encryption/decryption (using the sceChnnlsv buffer in kernel RAM to hold the fake thread UID) in order to work with the sceKernelDeleteThread UID kexploit.<br /> <br /> == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita &lt;= 3.70 ==<br /> <br /> https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition<br /> <br /> 
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c<br /> <br /> == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 ==<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW]<br /> <br /> [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V]<br /> <br /> == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2014-10-20 by qwikrazor87.<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt<br /> <br /> == _sceG729EncodeTermResource (free) kexploit by qwikrazor87 or Total_Noob: PS Vita &lt;= 3.50 ==<br /> <br /> Discovered around 2015-02-11. Released on 2015-04-18 by anonymous (probably qwikrazor87).<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c<br /> <br /> https://pastebin.com/Sdz0XPRg<br /> <br /> == sceVideocodec race condition kexploit by qwikrazor87: PS Vita 3.30-3.36 ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c<br /> <br /> == _sceSdGetLastIndex kexploit by qwikrazor87 (TN-X, TN-V): PS Vita 3.18-3.20 ==<br /> <br /> There is a time-of-check-to-time-of-use (TOCTOU) vulnerability in chnnlsv.<br /> <br /> https://twitter.com/qwikrazor87/status/510187344893607937<br /> <br /> https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.18)%20sceSdGetLastIndex/explanation.txt<br /> <br /> https://pastebin.com/SE7UvPRR<br /> <br /> https://github.com/173210/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> 
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c<br /> <br /> == _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita &lt;= ?3.15? ==<br /> <br /> https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c<br /> <br /> == sceRegRemoveCategory buffer overflow kexploit by Freddy_156 and some1 (no implementation): PS Vita &lt;= ?2.11? ==<br /> <br /> Discovered in 2011 by Freddy_156 and some1. Released on 2013-06-02 by Freddy_156.<br /> <br /> There is a buffer overflow in the sceRegRemoveCategory function of the registry.prx module. When a too-long string is passed as the argument, the overflowing content can be forged to replace the saved return address and trigger kernel code execution.<br /> <br /> https://wololo.net/2013/06/02/anatomy-of-a-cool-undisclosed-kernel-exploit/<br /> <br /> == 11 sceWlanDrv_lib kexploits by yosh, TheCobra and Frostegater (ARK): PS Vita &lt;= 2.02 ==<br /> <br /> Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-27 by yosh.<br /> <br /> The person who ported the PSP's sceWlanDrv to the PS Vita's kermit did not understand PSP kernel security much, because most of the new and rewritten functions did not perform any k1 check. Somehow, back on PS Vita 1.81, SCE developers went as far as fixing sceWlanGetEtherAddr without realising that such vulnerabilities were plentiful there, so whoever patched it must have been someone else who did not believe such a failure was possible. 
To patch the vulnerabilities, SCE devs simply added k1 checks everywhere they belonged.<br /> <br /> The 11 functions require an active WiFi connection.<br /> <br /> Kernel write access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_354D5D6B(char *dest); // kwrite<br /> sceWlanDrv_lib_0308B66B(u32 unk0, char *destBuf, u32 *size, u32 *dest); // kwrite<br /> sceWlanDrv_lib_2133EAA9(u32 unk0, char *bufDest, u32 *size); // kwrite<br /> sceWlanDrv_lib_638DF9C8(u32 unk0, char *dest, u32 *unk1); // kwrite : memcpy(dest, *(*0x00017A48 + 8), **0x00017A48);<br /> sceWlanDrv_lib_A77D0E66(u32 unk0, char *dest, char *buf, u32 *size); // kwrite<br /> sceWlanDrv_lib_AE8D779A(u32 unk0, char *src0, u32 size0, u32 unk1, char *src1, u32 size1, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_B991A673(u32 unk0, void *src_size, u32 limit, u32 unk1, char *src, u32 size, u32 *dest); // sw smthg, 0(dest) : kwrite<br /> sceWlanDrv_lib_D9EE3EEC(u32 unk0, u32 unk1, u32 unk2, char *dest, u32 *dest1); // kwrite<br /> &lt;/pre&gt;<br /> <br /> Kernel read access:<br /> &lt;pre&gt;<br /> sceWlanDrv_lib_9E00AA04(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48<br /> sceWlanDrv_lib_CF1A87D8(u32 unk0, char *src, u32 size); // Setter Writes to 0x00017A48 memcpy(*0x00017A48, src, size);<br /> sceWlanDrv_lib_EAB4786D(u32 unk0, u32 unk1, u32 unk2, char *src, u32 size); // Setter Writes to 0x00017A48<br /> &lt;/pre&gt;<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> https://wololo.net/talk/viewtopic.php?f=56&amp;t=27532&amp;start=40#p233947<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c<br /> <br /> https://wololo.net/2013/05/10/release-ark-ecfw-for-all-known-exploits-and-firmwares-up-to-2-02/<br /> <br /> == kermit_inet_socket kexploit by yosh, TheCobra and Frostegater (ARK, TN-A, TN-C): PS Vita &lt;= 2.01 ==<br /> <br /> 
Discovered by yosh, Total_Noob, TheCobra and Frostegater in 2012. Released on 2013-01-12 by yosh.<br /> <br /> kermit_inet_socket (sceWlanDrv_lib_51B0BBB8) does not require an active WiFi connection.<br /> <br /> These vulnerabilities were implemented together with the UNO game savedata usermode exploit by Frostegater.<br /> <br /> https://twitter.com/Yosh778/status/295355524818546688<br /> <br /> https://www.twitlonger.com/show/kr81e0<br /> <br /> == sceWlanGetEtherAddr kexploit by yosh, TheCobra and Frostegater (VHBL, ARK): PS Vita 1.61-1.80 ==<br /> <br /> Discovered by Yosh, Total_Noob, TheCobra and Frostegater in 2012-07. Released (leaked) on 2012-11-01 by anonymous.<br /> <br /> In PSP System Software 6.60, the sceWlanGetEtherAddr function is k1-checked, but in PS Vita System Software &lt;= 1.80 PSPemu it is not.<br /> <br /> Because of the missing k1 check, sceWlanGetEtherAddr can write the ethernet address to any location, even to kernel memory. This means that the exploit depends on your ethernet address. This exploit is only available in the PS Vita kermit_wlan.prx module, not in the PSP wlan.prx module.<br /> <br /> sceWlanGetEtherAddr does not require an active WiFi connection.<br /> <br /> Using this exploit, yosh made the first decryption of the 1.80 PS Vita ePSP kernel modules on 2012-07-29.<br /> <br /> https://wololo.net/talk/viewtopic.php?f=23&amp;t=12760<br /> <br /> https://pastebin.com/TNWsEfHw<br /> <br /> https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c<br /> <br /> https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c<br /> <br /> == sceRtcCompareTick kernel arbitrary read by davee (no implementation): PSP &lt;= 6.61 ==<br /> <br /> Discovered in 2009 by davee. Released on 2022-11-03 by davee.<br /> <br /> The PSP implementation of sceRtcCompareTick does not check the pointers passed to it. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. 
As it does a 64-bit comparison, returning different values for a0 &lt; a1, a0 == a1, and a0 &gt; a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data, so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> This vulnerability was used privately by Davee to produce PSP kernel dumps and the first PS Vita PSPemu kernel dump.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c<br /> <br /> The PSP implementation of sceNetMCopyback does not check the pointers passed to it. As there is no DACR on the PSP or in PSPemu, kernel pointers can be passed. As it does a signed 32-bit comparison, returning different values for a0 &lt;= a1 and a0 &gt; a1, this function can be used to brute-force the value at a kernel address. This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data, so you iterate 32 times. 
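<br /> <br /> The following C program is an added worked model, not code from the page or from any PSP firmware or homebrew project. It serves both the sceWlanDrv_lib passage above (kernel exports that shipped with no k1 check) and the two comparison-oracle passages (sceRtcCompareTick and sceNetMCopyback): it models the unchecked compares over a small guest memory, recovers a planted 64-bit value in 64 queries and a planted signed 32-bit value in 32 queries, and shows the k1-style pointer check that refuses kernel addresses for a user caller. The base addresses, the K1_USER value, the error constant, the function names and the planted values are assumptions constructed for the model.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not code from the page or from any PSP firmware or homebrew
 * project; it serves the sceWlanDrv_lib passage (kernel exports shipped with no
 * k1 check) and the sceRtcCompareTick / sceNetMCopyback passages. An export that
 * dereferences caller-supplied pointers without validating them is a comparison
 * oracle: one comparison per bit recovers a kernel word. A small guest-memory
 * model stands in for the PSP; base addresses, the K1_USER value, the error
 * constant and the planted secrets are assumptions constructed for the model. */

#define USER_BASE 0x08800000u              /* modelled user RAM (constructed) */
#define KERN_BASE 0x88000000u              /* modelled kernel RAM (constructed) */
#define K1_USER   0x00100000u              /* assumed k1 of a user-mode caller (bit 20) */
#define SCE_KERNEL_ERROR_ILLEGAL_ADDR (-1) /* placeholder error value */

static uint8_t user_mem[16];   /* scratch the user side writes probes into */
static uint8_t kernel_mem[16]; /* words a user caller must not be able to read */

/* Map a guest address range onto the model's storage; NULL if unmapped. */
static uint8_t *resolve(uint32_t addr, size_t len) {
    if (addr >= USER_BASE && addr - USER_BASE + len <= sizeof user_mem)
        return user_mem + (addr - USER_BASE);
    if (addr >= KERN_BASE && addr - KERN_BASE + len <= sizeof kernel_mem)
        return kernel_mem + (addr - KERN_BASE);
    return NULL;
}
static void guest_write(uint32_t addr, const void *src, size_t len) {
    uint8_t *p = resolve(addr, len);
    if (p) memcpy(p, src, len);
}
static void guest_read(uint32_t addr, void *dst, size_t len) {
    uint8_t *p = resolve(addr, len);
    memset(dst, 0, len);
    if (p) memcpy(dst, p, len);
}

/* Model of sceRtcCompareTick: three-way 64-bit compare, pointers unchecked. */
static int compare_tick_unchecked(uint32_t a, uint32_t b) {
    uint64_t va, vb;
    guest_read(a, &va, 8);
    guest_read(b, &vb, 8);
    return (va < vb) ? -1 : (va > vb) ? 1 : 0;
}
/* Model of sceNetMCopyback's signed 32-bit test: 1 when *a > *b, else 0. */
static int copyback_gt_unchecked(uint32_t a, uint32_t b) {
    int32_t va, vb;
    guest_read(a, &va, 4);
    guest_read(b, &vb, 4);
    return va > vb;
}

/* The fix SCE applied to the WLAN exports, a k1 check: the callee shifts k1
 * left by 11 so a user caller's bit 20 lands on bit 31; a pointer that keeps
 * bit 31 after masking is a kernel address and is refused. Kernel callers
 * have k1 == 0 and pass everything. */
static int k1_ptr_ok(uint32_t k1, uint32_t ptr) {
    return (ptr & (k1 << 11) & 0x80000000u) == 0;
}
static int compare_tick_checked(uint32_t k1, uint32_t a, uint32_t b, int *result) {
    if (!k1_ptr_ok(k1, a) || !k1_ptr_ok(k1, b))
        return SCE_KERNEL_ERROR_ILLEGAL_ADDR;
    *result = compare_tick_unchecked(a, b);
    return 0;
}

/* What the unchecked export leaks: MSB first, one "candidate <= value" query
 * per bit, so 64 queries recover the 64-bit word at kaddr. */
static uint64_t recover_tick(uint32_t kaddr) {
    uint64_t acc = 0;
    for (int bit = 63; bit >= 0; bit--) {
        uint64_t cand = acc | ((uint64_t)1 << bit);
        guest_write(USER_BASE, &cand, 8);
        if (compare_tick_unchecked(USER_BASE, kaddr) <= 0)
            acc = cand;
    }
    return acc;
}
/* Same search against a strict ">" oracle over signed words: flipping the sign
 * bit maps signed order onto unsigned order, so 32 queries suffice. */
static int32_t recover_signed32(uint32_t kaddr) {
    uint32_t acc = 0;
    for (int bit = 31; bit >= 0; bit--) {
        uint32_t cand = acc | (1u << bit);
        int32_t probe = (int32_t)(cand ^ 0x80000000u);
        guest_write(USER_BASE, &probe, 4);
        if (!copyback_gt_unchecked(USER_BASE, kaddr)) /* probe <= value */
            acc = cand;
    }
    return (int32_t)(acc ^ 0x80000000u);
}

/* Plants constructed secrets, recovers them through the unchecked models and
 * confirms the checked variant refuses the kernel pointer; returns 1 on success. */
static int demo(void) {
    uint64_t tick = 0xDEADBEEFCAFEF00DULL;
    int32_t word = -123456;
    int r = 0;
    guest_write(KERN_BASE, &tick, 8);
    guest_write(KERN_BASE + 8, &word, 4);
    return recover_tick(KERN_BASE) == tick && recover_signed32(KERN_BASE + 8) == word
        && compare_tick_checked(K1_USER, USER_BASE, KERN_BASE, &r) == SCE_KERNEL_ERROR_ILLEGAL_ADDR
        && compare_tick_checked(0, USER_BASE, KERN_BASE, &r) == 0;
}
```

demo() returns 1 when both recoveries match the planted values and the checked variant rejects the kernel pointer for a user caller (k1 == K1_USER) while accepting it for a kernel caller (k1 == 0). The point of the last part is that every user-reachable export taking a pointer has to validate it against k1 before dereferencing, read-only comparisons included, since a comparison result is enough to leak the memory behind the pointer.<br /> <br /> 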
On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison.<br /> <br /> TBD: implementation by CelesteBlue<br /> <br /> == sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, ME, Chronoswitch, Infinity 2): PSP &lt;= 6.61 ==<br /> <br /> https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c<br /> <br /> https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c<br /> <br /> == sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1 and liquidzigong (ME, Chronoswitch): PSP 6.20-6.61 ==<br /> <br /> Discovered by some1 then exploited by liquidzigong.<br /> <br /> https://wololo.net/talk/viewtopic.php?t=6612<br /> <br /> https://wololo.net/2011/05/23/6-38-downgrader-by-some1/<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://github.com/smiky/psptools/blob/master/kxploit/main.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 ==<br /> <br /> https://lolhax.org/2010/12/23/arcanum/<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=947<br /> <br /> https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c<br /> <br /> https://wololo.net/2013/05/04/kernel-exploits-how-they-work-and-why-they-are-scarce/<br /> <br /> == ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 ==<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147730#p147730<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147732#p147732<br /> <br /> == GEN/M33 
contested wlan exploit: PSP &lt;= 5.50 ==<br /> <br /> ?? Ask davee.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == sceDRMInstallGetFileInfo memset anywhere kexploit (psheet 5.03) by davee (ChickHEN): PSP &lt;= 5.03 ==<br /> <br /> Due to the lack of k1 checks, sceDRMInstallGetFileInfo allows a memset to any address in kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022<br /> <br /> https://wololo.net/talk/viewtopic.php?p=2022#p2022<br /> <br /> https://wololo.net/talk/viewtopic.php?f=5&amp;t=242<br /> <br /> http://www.kingx.de/forum/showthread.php?tid=15275<br /> <br /> This exploit clobbers 16 bytes of kernel memory, so kernel memory must be read before exploiting and the other 12 bytes restored afterwards.<br /> <br /> This kernel exploit requires some modules that are not loaded by the Gripshift game. This is why ChickHEN works with the libtiff XMB bug but was never ported to the Gripshift exploit.<br /> <br /> == Registry error store: PSP &lt;= ?2.80? ==<br /> <br /> According to davee, this registry vulnerability is pretty cool. There is an error condition that writes 0xFFFFFFFF to a user-controlled address. The exploitation path is modifying the 0xBC000000 memory permission to allow usermode read/write access to kernel memory.<br /> <br /> https://wololo.net/talk/viewtopic.php?p=147642#p147642<br /> <br /> == Registry write access from usermode: PSP &lt;= 2.60 ==<br /> <br /> Since the registry is placed on flash1, it can be accessed from usermode.<br /> <br /> == sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 ==<br /> <br /> There is a subroutine in loadexec.prx that takes a path as an argument. It looks for the character &quot;:&quot; in that path and calculates the length of the drive name from that (e.g. &quot;ms0:&quot;). It then copies the drive name onto the stack with strncpy.<br /> <br /> The exploit is located in a subroutine in the loadexec.prx file. 
It is at address 0x88064C94 (game mode) in System Software version 2.60. The purpose of this procedure (used in other functions like &quot;sceKernelLoadExec&quot;) is to check that the drive part of a filename is valid and legitimate. It allocates 48 bytes of stack, and the return address to the calling function is stored at the end of it (from the 44th to the 47th byte). It starts by checking the first char of the string to see whether the drive name is empty; if it is not, the routine extracts the part of the filename that contains the drive name and copies it into the allocated stack area. It only stops when it encounters a ':' char. Since it does not check any string length during the copy, if the drive name supplied by the user is long enough, it will overwrite the rest of the stack-based values, such as the return address. This is why a drive name of 48 chars (plus an extra ':' char to let the loop end), containing from the 44th to the 47th char an address to an arbitrary position in memory (pointing to a function of ours, for example), will allow us to run any code we want in the context of the executing routine (kernel mode): when the routine ends, it reloads the return address from the stack and jumps directly to it.<br /> <br /> In later System Software versions, loadexec checks whether the drive name is longer than 0x1F bytes. If it is, it returns an error. 
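<br /> <br /> As an added example, not the page's or loadexec's code, here is a C model of the drive-name check just described: a length function that only reads, and the bounded copy that later loadexec versions effectively perform, rejecting any drive name longer than 0x1F bytes before anything is written to the 48-byte area. Function names, the error value, the handling of an empty drive name and the sample paths are constructed for this demonstration.

```c
#include <string.h>
#include <stdio.h>

/* Added example, not the page's or loadexec's code. It models the drive-name
 * check described above: the 2.60 routine copied everything up to ':' into a
 * 48-byte stack area with no length check, while later versions reject a drive
 * name longer than 0x1F bytes before copying. Function names, the error value,
 * the handling of an empty drive name and the sample paths are constructed for
 * this demonstration. */

#define DRIVE_BUF_SIZE 48      /* size of the stack area the page describes */
#define DRIVE_NAME_MAX 0x1F    /* limit enforced by later loadexec versions */
#define ERR_ILLEGAL_DRIVE (-1) /* placeholder error value */

/* Byte length of the drive part of path (everything before the first ':'),
 * or -1 when there is no ':'. Only reads, so it is safe on any input. */
static long drive_name_length(const char *path)
{
    const char *colon = strchr(path, ':');
    return colon ? (long)(colon - path) : -1;
}

/* Hardened check: copy the drive name into out (DRIVE_BUF_SIZE bytes) only when
 * it is present, non-empty and at most DRIVE_NAME_MAX bytes long; NUL-terminate
 * it and return its length, otherwise ERR_ILLEGAL_DRIVE. The unchecked original
 * looped until ':' and overran the 48 bytes on long names; the bound below is
 * what makes the same copy safe. Rejecting an empty name is this model's choice;
 * the page only says the original tests for it first. */
static long check_drive_name(const char *path, char out[DRIVE_BUF_SIZE])
{
    long len = drive_name_length(path);
    if (len <= 0 || len > DRIVE_NAME_MAX)
        return ERR_ILLEGAL_DRIVE;
    memcpy(out, path, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Builds a constructed path whose drive name is n bytes of 'A' followed by ':'
 * (n capped at 60), for exercising the boundary. */
static const char *drive_path_of_length(size_t n)
{
    static char buf[64];
    if (n > 60) n = 60;
    memset(buf, 'A', n);
    buf[n] = ':';
    buf[n + 1] = '\0';
    return buf;
}

int main(void)
{
    char out[DRIVE_BUF_SIZE];
    const char *samples[3] = { "ms0:/PSP/GAME/EBOOT.PBP", "no-colon-here", drive_path_of_length(48) };
    for (size_t i = 0; i < 3; i++) {
        long r = check_drive_name(samples[i], out);
        printf("%-50s -> %s\n", samples[i], r < 0 ? "ERR_ILLEGAL_DRIVE" : out);
    }
    return 0;
}
```

A 31-byte drive name is the longest accepted and a 32-byte one is refused, matching the 0x1F limit the page attributes to later firmware; the 48-byte name that the 2.60 routine would have copied over its own saved return address never reaches the copy.<br /> <br /> 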
Look at sub_21E0 in 6.60 loadexec_01g.prx.<br /> <br /> https://forums.ps2dev.org/viewtopic.php?t=6091<br /> <br /> https://www.hitchhikr.net/Exploit_2.6.zip<br /> <br /> == reused index.dat key: PSP 2.00, 2.01 ==<br /> <br /> == swaptrick/kxploit: PSP &lt;= 1.50 ==<br /> <br /> This exploit involved either swapping the Memory Stick, after a valid ELF had been loaded, for one containing an unsigned ELF, or using the path hack.<br /> <br /> == kernel flagged ELF: PSP &lt;= 1.00 ==<br /> <br /> == Remarks ==<br /> <br /> https://www.pspx.ru/forum/showthread.php?t=97295<br /> <br /> = IPL =<br /> <br /> == Giraffe bug ==<br /> <br /> Discovered in 2016 by davee.<br /> <br /> There is a bug in PRX loading. It turns out loadcore is a bit indecisive about what it does with the optional and rarely used ~SCE header. This header is 64 bytes long and mostly unused other than a 32-bit size/offset field (let's call it sce_size) at +4 in the header. The main PRX decryption function, sceKernelCheckExecFile, just skips past the 64 bytes when it detects that sce_size is positive. sceKernelLoadExecutableObject, the actual ELF-loading part of loadcore, does the same thing. However, sceKernelProbeExecutableObject, which is used to get information about the PRX metadata, skips past sce_size bytes. 
This inconsistency leads to the loading of an unencrypted PRX.<br /> <br /> https://lolhax.org/2017/09/24/6-61-infinity-an-explanation/<br /> <br /> Fixed: since PSP System Software version 6.35.<br /> <br /> = Lib-PSP iplloader =<br /> <br /> == NMI Backdoor ==<br /> <br /> Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Fixed: Never<br /> <br /> Applicable to: None<br /> <br /> Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom)<br /> <br /> The Lib-PSP iplloader bootrom (present within Tachyon's IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, feature an NMI/interrupt handler backdoor (most likely used internally for debugging purposes) in the loader part, within the very first instructions of the bootrom.<br /> <br /> This backdoor allows anyone in control of the memory location at address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9.<br /> <br /> If the value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). 
Otherwise (if the value at address 0xBC100000 is equal to 0), coprocessor register $9 is reset to 0.<br /> <br /> Below are the relevant pieces of code:<br /> <br /> &lt;pre&gt;<br /> ROM:BFC00004 lw $v0, 0xBC100000 # load the word at 0xBC100000 into $v0<br /> ROM:BFC0000C bnez $v0, loc_BFC00064 # if $v0 (the value at 0xBC100000) is not zero, jump to 0xBFC00064<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> ROM:BFC00064 cfc0 $v0, $9 # copy coprocessor register $9 to $v0<br /> ROM:BFC00068 beqz $v0, loc_BFC00078 # if $v0 (coprocessor $9) is zero, jump to 0xBFC00078<br /> ROM:BFC0006C nop<br /> ROM:BFC00070 jr $v0 # jump to the address in $v0 (the value initially set in coprocessor $9)<br /> &lt;/pre&gt;<br /> <br /> This backdoor may allow an attacker performing a hardware-based attack to set those values and gain code execution at Lib-PSP iplloader time.<br /> <br /> == Arbitrary IPL Load Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on any PSP. On Tachyon 0x00600000 and later, this implies using SYSREG_RESET_ENABLE_REG (0xBC10004C) as a load address, which will have the CPU jump to the code stored in the decrypted IPL block that is cached at 0xBFC00000.<br /> <br /> Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed.<br /> <br /> Lib-PSP iplloader does not validate the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). 
This allows writing a payload to arbitrary locations.<br /> <br /> == Arbitrary IPL Entrypoint Address ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL time code execution on 01g and 02g, used in Pandora<br /> <br /> Fixed: Lib-PSP iplloader 2.6.0<br /> <br /> Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time attack to craft a block and gain execution at address 0xBFD00100 in the Pandora hack, and thus allowed crafting a &quot;valid&quot; block in a more timely fashion.<br /> <br /> Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == No minimum IPL block size ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2007-04-04<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: Pandora hack.<br /> <br /> Fixed: Tachyon 0x00600000. The bootrom now requires a minimum IPL block size of 0x100.<br /> <br /> Lib-PSP iplloader does not check the block size. 
This allows crafting a small IPL block, which is favourable for the time attack.<br /> <br /> https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/<br /> <br /> == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block ==<br /> <br /> Found by: C+D/Prometheus - Earliest discovery: 2006 Q4<br /> <br /> Introduced: Tachyon 0x00140000 bootrom<br /> <br /> Applicable to: IPL code execution on 01g, used to dump the Tachyon bootrom for the first time.<br /> <br /> Fixed: indirectly since Tachyon 0x00600000, as no IPL that runs on Tachyon 0x00600000 and onwards has a block that uses a previous block checksum of 0 other than block #0 itself.<br /> <br /> This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.<br /> <br /> == Lib-PSP iplloader does not perform the XOR step when running in Jig/Service mode ==<br /> <br /> Found by: Mathieulh - Earliest discovery: 2019 Q1<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key.<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> This is not so much a vulnerability as a poor design implementation.<br /> <br /> To allow service centers to use a single Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non-XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. 
This is also presumably done because XOR keys may differ between Tachyon revisions.<br /> <br /> This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step, and thus not require knowledge of the XOR key to gain execution at IPL time, assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed.<br /> <br /> == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution ==<br /> <br /> Found by: Proxima - Earliest discovery: 2020-01-27<br /> <br /> Introduced: Lib-PSP iplloader 3.5.0<br /> <br /> Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability<br /> <br /> Fixed: probably never, as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool<br /> <br /> 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows retrieving the key from uncached memory at address 0xA001088C.<br /> <br /> In Jig mode execution, however, the key is cleared much earlier, so the cache is synced once the key is already gone. 
This allows easily retrieving the key using a XORed IPL block loaded at address 0xBFE01000.<br /> <br /> While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000.<br /> <br /> == Faulty ECDSA Hash Comparison ==<br /> <br /> Found by: Davee - Earliest discovery: 2021-02-12<br /> <br /> Introduced: Tachyon 0x00600000 bootrom<br /> <br /> Applicable to: IPL code execution.<br /> <br /> Fixed: never<br /> <br /> Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs together the hashes of the IPL blocks as they are loaded, and then verifies the signature against this final XOR value.<br /> <br /> This means that inserting two identical blocks into the chain will cancel the XOR change and the signature will remain valid.<br /> <br /> NOTE: For this to work, the block checksum of the inserted blocks has to be &quot;forged&quot; so that it matches the previous block checksum.<br /> <br /> = General writeups =<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/<br /> <br /> https://wololo.net/2014/01/18/10-days-of-hacking-day-5-the-psp-part-2/<br /> <br /> https://www.slideshare.net/ruyor/beginners-guide-to-psp-v50-slideshare-edit<br /> <br /> https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP</div> CelesteBlue
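The following C program is an added example for the Faulty ECDSA Hash Comparison section above; it is not code from the page or from any PSP bootrom. It shows why XOR-folding the per-block hashes before signing is unsound: a block inserted twice contributes h ^ h == 0, so the signed value does not change, whereas a hash chain that feeds the running digest into each step detects the insertion. 64-bit FNV-1a stands in for the real per-block hash (the weakness is in the combiner, not the hash), and the block contents are constructed; block checksums, which the NOTE above says must also be forged, are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the page or from any PSP bootrom. It shows why
 * the Faulty ECDSA Hash Comparison described above works: folding the
 * per-block hashes together with XOR is not collision resistant, because any
 * block inserted twice contributes h ^ h == 0 and leaves the signed value
 * unchanged. 64-bit FNV-1a stands in for the real per-block hash; the flaw is
 * in the combiner, not in the hash, so the stand-in does not change the
 * argument. Block contents are constructed; block checksums, which the NOTE
 * above says must also be forged, are not modelled. */

typedef struct { const uint8_t *data; size_t len; } block_t;

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* FNV-1a continued from state h over n bytes. */
static uint64_t fnv1a64(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= FNV_PRIME; }
    return h;
}

/* The combiner the page describes: XOR each block's hash into an accumulator
 * and verify the signature over the accumulator. */
static uint64_t xor_fold(const block_t *chain, size_t n)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc ^= fnv1a64(FNV_OFFSET, chain[i].data, chain[i].len);
    return acc;
}

/* A combiner sensitive to order and multiplicity: each step hashes the running
 * digest together with the next block, so an inserted pair cannot cancel out. */
static uint64_t hash_chain(const block_t *chain, size_t n)
{
    uint64_t acc = FNV_OFFSET;
    for (size_t i = 0; i < n; i++) {
        uint8_t prev[8];
        memcpy(prev, &acc, sizeof prev);
        acc = fnv1a64(fnv1a64(FNV_OFFSET, prev, sizeof prev), chain[i].data, chain[i].len);
    }
    return acc;
}

/* Digest of a constructed three-block chain under the given combiner.
 * variant 0: the chain as signed; 1: one extra block inserted twice after
 * block 0; 2: two different blocks inserted at the same place. */
static uint64_t sample_digest(int variant, uint64_t (*combine)(const block_t *, size_t))
{
    static const uint8_t b0[] = "block 0: loader stub (constructed)";
    static const uint8_t b1[] = "block 1: payload part 1 (constructed)";
    static const uint8_t b2[] = "block 2: payload part 2 (constructed)";
    static const uint8_t x1[] = "inserted block A (constructed)";
    static const uint8_t x2[] = "inserted block B (constructed)";
    block_t chain[5];
    size_t n = 0;
    chain[n++] = (block_t){ b0, sizeof b0 - 1 };
    if (variant == 1) {
        chain[n++] = (block_t){ x1, sizeof x1 - 1 };
        chain[n++] = (block_t){ x1, sizeof x1 - 1 };
    } else if (variant == 2) {
        chain[n++] = (block_t){ x1, sizeof x1 - 1 };
        chain[n++] = (block_t){ x2, sizeof x2 - 1 };
    }
    chain[n++] = (block_t){ b1, sizeof b1 - 1 };
    chain[n++] = (block_t){ b2, sizeof b2 - 1 };
    return combine(chain, n);
}

int main(void)
{
    printf("xor_fold   signed=%016llx with duplicated pair=%016llx\n",
           (unsigned long long)sample_digest(0, xor_fold),
           (unsigned long long)sample_digest(1, xor_fold));
    printf("hash_chain signed=%016llx with duplicated pair=%016llx\n",
           (unsigned long long)sample_digest(0, hash_chain),
           (unsigned long long)sample_digest(1, hash_chain));
    return 0;
}
```

Under xor_fold the signed chain and the chain with the duplicated pair produce the same accumulator, so a signature over it verifies for both; inserting two different blocks does change it, which is why the attack needs identical blocks. Under hash_chain any insertion changes the digest. The general rule is that a set of hashes must be combined with a construction that is itself collision resistant (a chain or a Merkle tree), never with a group operation such as XOR.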