Homebrew on 2.0+ through GTA savedata


jimparis
Posts: 1145
Joined: Fri Jun 10, 2005 4:21 am
Location: Boston

Homebrew on 2.0+ through GTA savedata

Post by jimparis »

As you may know, EdisonCarter has made a trainer for GTA that uses a straightforward exploit in the game to execute arbitrary code. He chose not to reveal his techniques, but with the new savedata encryption and decryption routines at http://forums.ps2dev.org/viewtopic.php?t=4335, now anyone can run homebrew on 2.0, 2.01, 2.50, and probably 2.60:
  1. Decrypt the GTA cheat device using the savedata/decrypt sample
  2. Find and modify the code (look at offset 0xc4 for the offset of the start of MIPS code)
  3. Reencrypt the save using the savedata/encrypt sample
Note that the syscalls may be changed from the 2.0 VSH mode, since a different set of modules is loaded. Hopefully it shouldn't take long before someone clever like Fanjita can make a decent loader for us.
NeoSkeith666
Posts: 15
Joined: Thu Oct 06, 2005 7:09 am

Post by NeoSkeith666 »

Awesome. Fanjita will be happy about this :)


There should be savegame data for other games like Wipeout Pure, because I don't have GTA
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

NeoSkeith666 wrote:Awesome. Fanjita will be happy about this :)


There should be savegame data for other games like Wipeout Pure, because I don't have GTA
Fanjita is over the moon... :)
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
peenee
Posts: 5
Joined: Sun Dec 11, 2005 10:46 am

Post by peenee »

Is there any way of running kernel mode apps with this? Since it is a game that has taken over the ENTIRE PSP?
NeoSkeith666
Posts: 15
Joined: Thu Oct 06, 2005 7:09 am

Post by NeoSkeith666 »

I can't say for sure, but I'm pretty sure this will be kernel.
NeoSkeith666
Posts: 15
Joined: Thu Oct 06, 2005 7:09 am

Post by NeoSkeith666 »

By the way, does the cheat device work for 2.6???
peenee
Posts: 5
Joined: Sun Dec 11, 2005 10:46 am

Post by peenee »

NeoSkeith666 wrote:I can't say for sure, but I'm pretty sure this will be kernel.
SWEEEEEEEEEEEEEEEEEEEET!!!! Once we get a hello world app running, LET THE HOMEBREWING BEGIN!!! (All over again! :p)
I am the peenee from PSP Updates
peenee
Posts: 5
Joined: Sun Dec 11, 2005 10:46 am

Post by peenee »

NeoSkeith666 wrote:By the way, does the cheat device work for 2.6???
Not to my knowledge, unfortunately =(
I am the peenee from PSP Updates
NeoSkeith666
Posts: 15
Joined: Thu Oct 06, 2005 7:09 am

Post by NeoSkeith666 »

Damn, damn, damn, but Fanjita can probably make it work. I mean, at first the cheat device only worked for 2.0, then he got it to work on 2.5. I mean, why WOULDN'T it work on 2.6+?? I don't wanna be stuck on the anti-homebrew boat any longer!! I want my IS--I mean, um..homebrew!!!
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

Please, less of the speculation on this site - take that elsewhere, this thread should be for the discussion of the technical side of what Jim and psp123 have achieved.

Obviously I'm trying to get an EBOOT loader working using this technique as soon as possible, and that will be announced elsewhere when it is ready.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
peenee
Posts: 5
Joined: Sun Dec 11, 2005 10:46 am

Post by peenee »

NeoSkeith666 wrote:Damn, damn, damn, but Fanjita can probably make it work. I mean, at first the cheat device only worked for 2.0, then he got it to work on 2.5. I mean, why WOULDN'T it work on 2.6+?? I don't wanna be stuck on the anti-homebrew boat any longer!! I want my IS--I mean, um..homebrew!!!
It seems like Sony patched up many, many bugs in 2.60 that were in 2.50 >=(

Okay, Fan
I am the peenee from PSP Updates
Zenurb
Posts: 106
Joined: Fri Sep 30, 2005 8:33 am
Location: United Kingdom

Post by Zenurb »

NeoSkeith666 wrote:I want my IS--I mean, um..homebrew!!!
You know, pirating games is illegal and also a fucking bad idea to discuss on this board. Fuck off if you're visiting this site and that's your only interest. Get the hell out.
Proud Dvorak User
US 1.5 PSP (Original)
peenee
Posts: 5
Joined: Sun Dec 11, 2005 10:46 am

Post by peenee »

Zenurb, please don't flame peeps in an area where everybody will read it!
I am the peenee from PSP Updates
NeoSkeith666
Posts: 15
Joined: Thu Oct 06, 2005 7:09 am

Post by NeoSkeith666 »

Zenurb wrote:
NeoSkeith666 wrote:I want my IS--I mean, um..homebrew!!!
You know, pirating games is illegal and also a fucking bad idea to discuss on this board. Fuck off if you're visiting this site and that's your only interest. Get the hell out.
Chill, I was joking
Zenurb
Posts: 106
Joined: Fri Sep 30, 2005 8:33 am
Location: United Kingdom

Post by Zenurb »

peenee wrote:Zenurb, please don't flame peeps in an area where everybody will read it!
That's kind of the point of flames.
NeoSkeith666 wrote:Chill, I was joking
No you weren't. This is what drives me nuts. If you're interested in piracy of any kind, your place is not on this site. People who pirate are those who are stopping legitimate homebrew authors.
Proud Dvorak User
US 1.5 PSP (Original)
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Ok, Zenurb, you've made your point. The noise level is a bit too high in this thread, so please stay on topic.

Back on topic...

From what I understand, the only thing that prevents this exploit from fully working on 2.60 is that the list of syscalls hasn't been mapped for 2.60 yet. Developers should still be able to get something on screen to confirm that the exploit does work on 2.60, but figuring out the syscalls will take a bit longer.

BTW, what are the conditions for code running via this exploit? This is what has been gathered so far:
  1. Offset 0xC4 in the save has the offset of the MIPS payload (0x0000fe74).
  2. The first thing the MIPS payload does is copy itself to 0x09fb5000 (after checking to make sure it isn't already loaded). It is passed the address of itself in register a1.
  3. After copying itself, it jumps to address 0x09fb5080.
I used the following to disassemble the exploit from the raw save file:

psp-objdump -D -b binary -m mips:allegrex --start-address=0xfe74 DATA.BIN
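Jim's step 2 and the three conditions mrbrown lists above (pointer at 0xC4, payload at 0xfe74, copy to 0x09fb5000, jump to 0x09fb5080) can be checked mechanically once a save has been run through the decrypt sample. The Python below is an added example, not code from this thread or from Jim, psp123 or Fanjita: it reads the 0xC4 pointer, applies the bounds check a save loader should perform before trusting an offset embedded in user data, and decodes MIPS direct jumps so the stated entry address can be confirmed from a dump instead of by eye. The DATA.BIN layout beyond the 0xC4 pointer, the sample payload (a `j 0x09fb5080` stub) and the file size are constructed assumptions for the example.

```python
import struct

# Facts taken from the thread: a little-endian u32 at offset 0xC4 of the
# decrypted DATA.BIN holds the file offset of the MIPS payload (0x0000fe74 in
# the save discussed); the payload copies itself to 0x09fb5000 and then jumps
# to 0x09fb5080.  File size and payload contents below are constructed.
PAYLOAD_PTR_OFFSET = 0xC4
COPY_DEST = 0x09FB5000
ENTRY = 0x09FB5080


def read_payload_offset(save: bytes) -> int:
    """Return the payload offset stored at 0xC4 (little-endian u32)."""
    if len(save) < PAYLOAD_PTR_OFFSET + 4:
        raise ValueError("save too short to contain the 0xC4 pointer")
    return struct.unpack_from("<I", save, PAYLOAD_PTR_OFFSET)[0]


def validate_payload_offset(save: bytes) -> int:
    """The check a defensive loader makes before using an embedded offset:
    it must be word aligned and point inside the buffer it came from."""
    off = read_payload_offset(save)
    if off % 4:
        raise ValueError(f"payload offset {off:#x} is not word aligned")
    if off + 4 > len(save):
        raise ValueError(f"payload offset {off:#x} lies outside a {len(save):#x}-byte file")
    return off


def extract_payload(save: bytes) -> bytes:
    """Bytes from the validated payload offset to end of file (the region
    --start-address=0xfe74 hands to psp-objdump)."""
    return save[validate_payload_offset(save):]


def decode_jump(word: int, pc: int):
    """Decode a MIPS J-type instruction (j = opcode 2, jal = opcode 3).
    The 26-bit index is shifted left by 2 and combined with the top 4 bits
    of the delay-slot PC.  Returns (mnemonic, target) or None."""
    opcode = word >> 26
    if opcode not in (2, 3):
        return None
    target = ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
    return ("j" if opcode == 2 else "jal", target)


def find_direct_jumps(payload: bytes, base: int):
    """Scan a payload assumed to execute at `base` for direct jumps, so the
    'jumps to 0x09fb5080' claim can be confirmed from the bytes."""
    hits = []
    for i in range(0, len(payload) - 3, 4):
        word = struct.unpack_from("<I", payload, i)[0]
        decoded = decode_jump(word, base + i)
        if decoded:
            hits.append((base + i, decoded[0], decoded[1]))
    return hits


def encode_j(target: int) -> int:
    """Encode `j target` (only used to build the constructed sample)."""
    return (2 << 26) | ((target >> 2) & 0x03FFFFFF)


def make_sample_payload() -> bytes:
    """Constructed stand-in for the real stub: `j 0x09fb5080` plus a nop."""
    return struct.pack("<II", encode_j(ENTRY), 0)


def build_sample_save(payload: bytes, payload_offset: int = 0xFE74) -> bytes:
    """Constructed sample save (not a real GTA save): zero-filled, with the
    pointer at 0xC4 and the payload placed at that offset."""
    buf = bytearray(payload_offset + len(payload))
    struct.pack_into("<I", buf, PAYLOAD_PTR_OFFSET, payload_offset)
    buf[payload_offset:payload_offset + len(payload)] = payload
    return bytes(buf)


def with_pointer(save: bytes, value: int) -> bytes:
    """Copy of `save` with the 0xC4 pointer overwritten, to exercise the check."""
    buf = bytearray(save)
    struct.pack_into("<I", buf, PAYLOAD_PTR_OFFSET, value)
    return bytes(buf)


if __name__ == "__main__":
    save = build_sample_save(make_sample_payload())
    print(f"payload at {validate_payload_offset(save):#010x}")
    for addr, mnemonic, target in find_direct_jumps(extract_payload(save), COPY_DEST):
        print(f"{addr:#010x}: {mnemonic} {target:#010x}")
```

Run it against a real decrypted DATA.BIN by replacing the constructed sample with `open("DATA.BIN", "rb").read()`; `find_direct_jumps` only reports j/jal, so a stub that reaches its entry through `jr` after `lui`/`ori` will show no hits and needs the full psp-objdump listing instead.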
ericthebum180
Posts: 2
Joined: Sun Dec 11, 2005 1:58 pm

I came up with this

Post by ericthebum180 »

I came up with this also, dude, we think alike :)!

Don't believe me? Think I'm just a copycat? Well look, I even came up with it b4 him! http://forums.qj.net/showthread.php?t=28263
ericthebum180
Posts: 2
Joined: Sun Dec 11, 2005 1:58 pm

Post by ericthebum180 »

Also, I told Fanjita and he's made posts a while ago :)!
Mellow
Posts: 1
Joined: Sun Dec 11, 2005 9:30 pm

Post by Mellow »

mrbrown wrote:Ok, Zenurb, you've made your point. The noise level is a bit too high in this thread, so please stay on topic.

Back on topic...

From what I understand, the only thing that prevents this exploit from fully working on 2.60 is that the list of syscalls hasn't been mapped for 2.60 yet. Developers should still be able to get something on screen to confirm that the exploit does work on 2.60, but figuring out the syscalls will take a bit longer.

BTW, what are the conditions for code running via this exploit? This is what has been gathered so far:
  1. Offset 0xC4 in the save has the offset of the MIPS payload (0x0000fe74).
  2. The first thing the MIPS payload does is copy itself to 0x09fb5000 (after checking to make sure it isn't already loaded). It is passed the address of itself in register a1.
  3. After copying itself, it jumps to address 0x09fb5080.
I used the following to disassemble the exploit from the raw save file:

psp-objdump -D -b binary -m mips:allegrex --start-address=0xfe74 DATA.BIN
I am not good at coding of any kind. Don't know shit, if I should be honest :)
Well, why would we want homebrew on 2.6 really? OK, it's the newest firmware with all the new functions, but the 2.5 -> 2.6 functions (the ones added) aren't really good :P
Otherwise it would be great if we got it to work, but I think the concentration should be on getting ALL homebrew to work on 2.0, 2.01, 2.5 if that's the easiest. Now if I have understood everything wrong, I'm sorry, because as I said I suck at coding :P.
And don't take it as I want you to change things to work, I just said my opinion :)
Hope no one has hard feelings.
Hope Fanjita or mrbrown or anyone continues on this, great work!
27Bstroke6
Posts: 23
Joined: Thu Jul 07, 2005 3:56 pm

Post by 27Bstroke6 »

On a closely related topic, has there been any progress in generalizing the ability of the EBOOT loader for 2.0 to allow for homebrew access to the WiFi or serial port functions? Thanks.
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

27Bstroke6 wrote:On a closely related topic, has there been any progress in generalizing the ability of the EBOOT loader for 2.0 to allow for homebrew access to the WiFi or serial port functions? Thanks.
Wifi - yes. The in-development 0.9 version supports a few wifi apps, via the technique from the wifi demo that I released a couple of weeks ago. It should also be able to support

Once support for loading the loader under GTA is complete, I'll probably start looking at whether it's possible to improve that support, and allow simplified loading of the wifi libs, and possibly also the serial driver, via the loader. It seems likely that it can be done, at least for wifi - I haven't checked whether the serial driver is signed or not.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
27Bstroke6
Posts: 23
Joined: Thu Jul 07, 2005 3:56 pm

Post by 27Bstroke6 »

Oops, looks like something was cut off in your previous message, but I got your drift. Fantastic. It would be ironic if the serial port was actually harder to access than the WiFi!

I'm glad to see that there's hope for the folks beyond 2.0, though personally I have no interest in GTA and if the functions of interest are available via 2.0 that should serve very nicely, especially since WiFi routines mean streaming, RSS, etc. are doable without relying on post-2.0 firmware.

The 2.0 browser is a necessity -- I've found it to be far more useful than I had expected, especially since it supports SSL and privately-signed certs (though with a few extra steps to accept the latter on each page...)

Thanks again for your great work.
nosduh92
Posts: 2
Joined: Fri Dec 23, 2005 3:51 pm
Location: ohio

other games

Post by nosduh92 »

Can an exploit/cheat device like this work with other games? I'm thinking Wipeout Pure.
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

It's certainly possible that exploits exist in other games' savegame functions.

But you won't be able to use this exact same exploit on other games, since it's specific to GTA.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
nosduh92
Posts: 2
Joined: Fri Dec 23, 2005 3:51 pm
Location: ohio

Post by nosduh92 »

Yeah, we couldn't just put the GTA code in another savegame file, but when Hot Coffee came out for PS2 everyone tried to hack AR, GS, ARMAX, CB codes for games other than GTA and were successful. BTW, all of that code in the decryption routines... how do you use it? Do I need a decryption program?
skr3dii
Posts: 1
Joined: Tue Dec 27, 2005 7:21 am

Any other homebrew software than tetris runs on 2.01+ ?

Post by skr3dii »

Any other homebrew software than tetris runs on 2.01+ ?
Simple question. Or we have to wait for EBOOT loader from Fanjita for 2.01+?
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Re: Any other homebrew software than tetris runs on 2.01+ ?

Post by Fanjita »

skr3dii wrote:Any other homebrew software than tetris runs on 2.01+ ?
Simple question. Or we have to wait for EBOOT loader from Fanjita for 2.01+?
Simplest way is to wait for the EBOOT loader. So far it's running Nem's Hello World, but there are some strange thread creation problems that are blocking further progress at the moment.

If you want to try to write code to run directly in the GTA exploit environment, you can try downloading the GTA Hello World (search PSPUpdates file section), which can be used to load code compiled to .BIN files.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
niemand0815
Posts: 10
Joined: Tue Dec 27, 2005 9:41 am

Post by niemand0815 »

My personal problem is:
how do I convert the savegames from the UK (=EU) version to the German version?
Obviously there are some differences, for example the name of the directory where the saves are in.
Energy
Posts: 133
Joined: Sat Mar 26, 2005 4:13 pm
Location: uk/beds/flitwick

Post by Energy »

niemand0815 wrote:My personal problem is:
how do I convert the savegames from the UK (=EU) version to the German version?
Obviously there are some differences, for example the name of the directory where the saves are in.
Well, that's what you change.... the directory. :)
niemand0815
Posts: 10
Joined: Tue Dec 27, 2005 9:41 am

Post by niemand0815 »

Energy wrote:
niemand0815 wrote:My personal problem is:
how do I convert the savegames from the UK (=EU) version to the German version?
Obviously there are some differences, for example the name of the directory where the saves are in.
Well, that's what you change.... the directory. :)
You should try before posting such things *g*
Changing the directory does not work with the censored = 16+ German version. The 18+ "German" version is the EU version, so no problem there.