I was able to load arbitrary code (NOPs followed by a JMP loop, essentially a 'halt') by editing a Wipeout Pure "ghost" save file. I believe this exploit may be extensible to the Wipeout Pure game save files. If so, this may be a good entry point for a bootloader.
Unfortunately, while executing NOPs is an interesting start ... I'll need to bone up on the instruction set of the PSP CPU before anything useful can be done with this.
The entry point to edit and insert an overflow of NOP instructions is at offset 0xA14 in any ghost save file.
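As an added example (not code from the thread or from any of the posters), here is a small Python checker that reads a ghost save file and reports whether the words at offset 0xA14 are a run of MIPS NOPs ending in a branch-to-self, i.e. the "NOPs then a loop" pattern described above. It assumes the PSP's Allegrex core uses standard little-endian MIPS encodings (nop = 0x00000000, "b ." = 0x1000FFFF); the sample save it builds is constructed filler, not a real ghost file.

```python
import struct

ENTRY_OFFSET = 0xA14        # offset named in the thread
MIPS_NOP = 0x00000000       # assumption: MIPS 'nop' (sll $zero,$zero,0)
BRANCH_SELF = 0x1000FFFF    # assumption: 'b .' = beq $zero,$zero,-1, a one-instruction infinite loop


def scan_nop_sled(data: bytes, offset: int = ENTRY_OFFSET):
    """Walk 32-bit little-endian words from `offset` and return
    (number_of_consecutive_nops, next_word_is_branch_to_self)."""
    pos = offset
    nops = 0
    while pos + 4 <= len(data):
        (word,) = struct.unpack_from("<I", data, pos)
        if word != MIPS_NOP:
            break
        nops += 1
        pos += 4
    ends_in_loop = False
    if pos + 4 <= len(data):
        (word,) = struct.unpack_from("<I", data, pos)
        ends_in_loop = word == BRANCH_SELF
    return nops, ends_in_loop


def looks_like_halt_payload(data: bytes, offset: int = ENTRY_OFFSET, min_nops: int = 4) -> bool:
    """True only for a NOP run of at least `min_nops` words followed by 'b .'.
    Zero padding alone is common in save data, so the trailing self-branch
    is what distinguishes a planted halt from ordinary zeroed bytes."""
    nops, loop = scan_nop_sled(data, offset)
    return nops >= min_nops and loop


def make_sample_save(nop_count: int, with_loop: bool) -> bytes:
    """Constructed test fixture: 0xAA filler up to ENTRY_OFFSET, then the
    requested NOP run, an optional 'b .', and a little trailing filler."""
    buf = bytearray(b"\xAA" * ENTRY_OFFSET)
    buf += struct.pack("<I", MIPS_NOP) * nop_count
    if with_loop:
        buf += struct.pack("<I", BRANCH_SELF)
    buf += b"\xAA" * 16
    return bytes(buf)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else make_sample_save(8, True)
    nops, loop = scan_nop_sled(blob)
    print(f"{nops} NOP word(s) at 0x{ENTRY_OFFSET:X}, branch-to-self follows: {loop}")
    print("halt-style payload:", looks_like_halt_payload(blob))
```

Run it with a ghost file path to inspect a real save, or with no arguments to see it classify its own constructed sample. Because a real save can legitimately contain long zero runs, the checker only reports a hit when the run is terminated by the self-branch; a file that merely has zeros at 0xA14 is reported as not matching.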
All I'm seeing is that the game freezes when he hex edits in some 0x0s, and the operating system doesn't close the game for some reason. Until it's shown that other instructions besides NOPing into oblivion work, there's no reason to think that this is anything more than that.
...
Anyone know some instructions to test that would show if this is valid or not?
He did more than NOPs. He did some NOPs, and then an infinite loop, which is what would have caused the freeze. It's possible that it's actually running because he had to remove the battery to turn it off. Usually when something goes wrong the PSP just shuts off, but the battery doesn't have to be removed (see How To Crash The PSP).
A crash or mishandled exception in the kernel results in shutdown; game code is allowed to hang indefinitely if wished. In other words, the Wipeout save handler could get stuck in an infinite loop saying stuff is just not right to itself - and consequently not *executing those NOPs & loop*.