First Homebrew Code on 2.00 PSP
#1
Taken from PSP updates:
We have received an email from someone named foo bar with a file, made by an unknown author, which allows a buffer overflow to be run via the photos in 2.0. Although it is not currently possible to run homebrew code with this exploit, the door is open. Here is what the readme says:
Files are on PSP updates for your own testing. I've run the hack without any problems on an old JAP system (December 04 model)
Craig.
First Homebrew Code on 2.00
1. Set the wallpaper to frame_buffer.png (without overflow.tif present in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory, and open it in the photo viewer. Custom code to paint the screen! Or to write a homebrew app! Not to run illegal games.
How It Works
1. The PNG contains a small amount of code in a known, fixed place (the VRAM). If you look closely at the wallpaper, you can see small coloured pixels in the bottom right. The pixels are Allegrex opcodes, with the highest byte all zero for the ALPHA. These pixels do:
syscall 0x20C7 ; sceKernelDcacheWritebackInvalidateAll
slt a0, zero, sp ; put 1 into a0
sll a0, a0, 6 ; put 64 into a0
addiu a0, sp, a0 ; get screen painter address over SP
jr a0 ; jump to the screen painter
nop ; branch delay slot
2. The TIFF also contains some code and a buffer to trigger the known BitsPerSample overflow in libtiff in the photo viewer. The buffer makes a jump to the VRAM, which holds the PNG colours, by overwriting the saved ra (return address) on the stack. The VRAM code uses SP to calculate the address of the buffer and jumps there to run it. The screen is yellow as the colour was 0x12345678 in hex.
Last edited by RB5-Black; 23 September 2005 at 09:36 PM.
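The BitsPerSample overflow the readme mentions lives in the viewer's TIFF parser, so a defender can screen files before any viewer touches them. As an added example (not part of the original post or of any PSP tooling), here is a small Python scanner that walks a TIFF's first IFD and flags a BitsPerSample entry whose count is implausibly large or whose values lie outside the file; MAX_SAMPLES is an assumed policy limit, and build_tiff constructs the sample inputs.

```python
import struct

# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TAG_BITS_PER_SAMPLE = 258
MAX_SAMPLES = 8  # assumed policy: more BitsPerSample values than this is suspicious


def scan_tiff(data: bytes) -> list[str]:
    """Walk the first IFD and return a list of findings (empty means nothing odd)."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF header"]
    end = "<" if data[:2] == b"II" else ">"  # II = little-endian, MM = big-endian
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        return ["bad TIFF magic"]
    if ifd_off + 2 > len(data):
        return ["IFD offset outside file"]
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    pos = ifd_off + 2
    for _ in range(n_entries):
        if pos + 12 > len(data):
            findings.append("IFD entry runs past end of file")
            break
        tag, typ, count, value = struct.unpack(end + "HHII", data[pos:pos + 12])
        pos += 12
        size = TYPE_SIZES.get(typ)
        if size is None:
            findings.append(f"tag {tag}: unknown field type {typ}")
            continue
        total = count * size
        # Values longer than 4 bytes are stored at an offset; that range must fit in the file
        if total > 4 and value + total > len(data):
            findings.append(f"tag {tag}: {count} values at offset {value:#x} exceed file size")
        if tag == TAG_BITS_PER_SAMPLE and count > MAX_SAMPLES:
            findings.append(f"BitsPerSample count {count} exceeds {MAX_SAMPLES}")
    return findings


def build_tiff(bps_count: int, bps_values: bytes) -> bytes:
    """Constructed sample: little-endian TIFF with one IFD entry (BitsPerSample, SHORT)."""
    header = b"II" + struct.pack("<HI", 42, 8)
    values_off = 8 + 2 + 12 + 4  # values follow the IFD's next-IFD pointer
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 258, 3, bps_count, values_off)
    return header + ifd + struct.pack("<I", 0) + bps_values
```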