Kernel mode under firmware 2.6 * The proof of concept *
Re: Kernel mode under firmware 2.6 * The proof of concept *
@hitchhikr
If you had made a deal with Undiluted Platinum (not to publish it),
you could have earned a nice sum of money.
Kojima wrote: Will it require any other software besides the PSP to run it?
You still need GTA, just like on every firmware above 2.0.
Also, newer GTAs are patched, so find a used one...
http://www.dtek.chalmers.se/~tronic/PSPTexTool.zip Free texture converter for PSP with source. More to come.
1.5s are quite readily available via eBay, generally at a small premium (say 25%) above the regular PSP price.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
2.60 IPL keys
I wonder, does this exploit now allow for the 2.60 IPL key(s) to be recovered or is it too late because GTA:LCS has to be loaded in memory?
Kojima wrote: (I can't find a 1.50 one anywhere)
Then you're probably not looking hard enough. I bought a second PSP 2 weeks ago from BestBuy that had 1.51 on it. They still had 4 left with that version and 3 with 2.0. I also saw 5 PSP 2.0s at the local FutureShop. So go around to a couple of your local large electronics stores and check the version codes on the side of the box - you might get lucky.
back to topic
Fanjita responded via pspupdates forum
It's work-in-progress, it's not an eLoader beta, it's just a more convenient way of experimenting with the exploit (maybe), and also an effort to test some in-RAM hacks to remove some security checks.
It doesn't seem to work at the moment, and the main thing that needs to be done is to investigate why - presumably, there's a problem with the format of the ELFs being loaded.
Kernel.elf is just an arbitrary ELF - nothing I've tried so far has worked, feel free to try your own.
The source that's given is just the source of the function that's attempting to do stuff with the exploit - it doesn't show any of the exploit code, and is not a complete app in its own right.
crowba wrote: back to topic
Fanjita responded via pspupdates forum
It's work-in-progress, it's not an eLoader beta, it's just a more convenient way of experimenting with the exploit (maybe), and also an effort to test some in-RAM hacks to remove some security checks.
It doesn't seem to work at the moment, and the main thing that needs to be done is to investigate why - presumably, there's a problem with the format of the ELFs being loaded.
Kernel.elf is just an arbitrary ELF - nothing I've tried so far has worked, feel free to try your own.
The source that's given is just the source of the function that's attempting to do stuff with the exploit - it doesn't show any of the exploit code, and is not a complete app in its own right.
That was about the source Fanjita released last night before he went to sleep, which got spammed over at PSPU, making them wonder what it does and whether they can already turn it into an eLoader or get something out of it, though it didn't have any code that would make that possible. So this statement was clearly aimed at the PSPU community and has nothing to do with us here directly :)
Thanks for the 2.6 exploit and to everyone involved.
> ...Kernel mode on 2.6. The keys will be with us soon :)
> ...does this exploit now allow for the 2.60 IPL key(s) to be recovered or is it too late
Yes all the PRX decoding is in the kernel memory dumps. Time to dust off my PSP tools and update PsarDump...
Not specific to IPL decryption (there are separate IPL issues)
New keys and intentionally obscure header mangling are there for disassembling.
BTW: they added a few tricks back for 2.0->2.5 to intentionally obscure the algorithm. They added a lot more for 2.6 & 2.7
And I expect they will change it again for 2.8 (or maybe 2.9)
---
I echo Fanjita's and others' comments that the 1.5-era PSPs are still relatively plentiful. Second only to the original 1.0 firmware for homebrew development!
IMHO: Finding exploits in the newer releases can be fun because of the challenge, but if you want to do hardcore homebrew, find a 1.0 or 1.5 (or 1.5-downgradable) PSP.
And now?
First of all, congratulations to hitchhikr for the exploit. So now we have an exploitable buffer overflow; I think the next step would be to dump and disassemble the memory to get more info. I've never tried it; what is the way to do it?
Hack your mind
Occupy your mind.
Great work
Thank you ^o^
Now I can access NAND flash on FW 2.60
PSP hardware hack
http://0okm.blogspot.com/