PSP 2.0 Exploit Discovered
PSP 2.0 Exploited
Lots of people want to know when 2.0 will be hacked. It may be sooner than first thought. It appears that a vulnerability in the way the PSP decodes images has allowed some code to be executed. All that's happened is a screen colouring, but it may be the start of lots more.
Here is the email that was sent to PSP-Hacks.com:
First Homebrew Code on 2.00
1. Set wallpaper to frame_buffer.png (without overflow.tif present in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory, and open it in the photo viewer. Custom code to paint the screen! Or to write a homebrew app! Not to run illegal games.
How It Works?
1. The PNG contains a small amount of code in a known, fixed place (the VRAM). If you look closely at the wallpaper, you see small coloured pixels in the bottom right. The pixels are Allegrex opcodes, with the highest byte all zero for the ALPHA. These pixels do:
syscall 0x20C7    ; sceKernelDcacheWritebackInvalidateAll
slt a0, zero, sp  ; put 1 into a0
sll a0, a0, 6     ; put 64 into a0
addiu a0, sp, a0  ; get screen painter address over SP
jr a0             ; jump to the screen painter
nop               ; branch delay slot
2. The TIFF also contains some code and a buffer to trigger the known BitsPerSample overflow in libtiff in the photo viewer. The buffer makes a jump to the VRAM which has the PNG colours by overwriting the saved ra (return address) on the stack. The VRAM code uses SP and calculates the address of the buffer, then runs it. Then it jumps there. The screen is yellow as the colour was 0x12345678 in hex.
PSP Users:
We didn't do this so you could steal from Sony and game companies. We believe in OSS. There are plenty of amazing programs that have been written for the PSP. Use this as a gift and not as an excuse to steal.
Sony:
If you wanted to find us I know you could. This release wasn't intended as a way to run pirated software on the PSP. We believe that everyone should be able to compile their own code and run it. Nothing is kept secret forever and I'm sure you know this. In the end, if it wasn't us, it would be someone else. Fighting it would be like skating up a hill. You did create the PSP and did an amazing job.
Toc2rta:
To the people of the Toc2rta development network. You're our phone-a-friend. Without your friendship this would never have happened. I hope this brings you as much happiness as it brings us. Join us on irc.toc2rta.com, #pspchat
Most importantly... Have fun!
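As an added, defensive example that is not part of the original email or its author's code: a small Python checker that parses the first IFD of a TIFF file and flags a BitsPerSample entry whose count disagrees with SamplesPerPixel or exceeds a sane bound, which is the kind of malformed tag the libtiff overflow described above depends on. Tag numbers and layout follow the TIFF 6.0 specification; the sample files and the bound of 64 samples are constructed assumptions.

```python
import struct

# Tag numbers from the TIFF 6.0 specification
TAG_BITS_PER_SAMPLE = 258
TAG_SAMPLES_PER_PIXEL = 277
MAX_SANE_SAMPLES = 64  # assumption: no legitimate image needs more samples


def parse_ifd0(data):
    """Return {tag: (type, count, value_or_offset)} for the first IFD."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        end = "<"  # little-endian
    elif data[:2] == b"MM":
        end = ">"  # big-endian
    else:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset outside file")
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries = {}
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, typ, count, val = struct.unpack(end + "HHII", data[off:off + 12])
        entries[tag] = (typ, count, val)
    return entries


def check_bits_per_sample(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    entries = parse_ifd0(data)
    spp = entries.get(TAG_SAMPLES_PER_PIXEL, (3, 1, 1))[2]  # spec default is 1
    bps = entries.get(TAG_BITS_PER_SAMPLE)
    if bps is None:
        return []
    findings = []
    count = bps[1]
    if count != spp:
        findings.append(f"BitsPerSample count {count} != SamplesPerPixel {spp}")
    if count > MAX_SANE_SAMPLES:
        findings.append(f"BitsPerSample count {count} exceeds bound {MAX_SANE_SAMPLES}")
    return findings


def build_tiff(bps_count, spp=1):
    """Constructed sample: header plus one IFD holding only the two tags above."""
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", TAG_BITS_PER_SAMPLE, 3, bps_count, 8)
    ifd += struct.pack("<HHII", TAG_SAMPLES_PER_PIXEL, 3, 1, spp)
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd
```

Running `check_bits_per_sample(build_tiff(1))` returns no findings, while an IFD whose BitsPerSample count is far larger than SamplesPerPixel produces two.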
You can download the required files HERE and see for yourself. We personally echo the sentiments of the creator, and we hope everyone uses this vulnerability for useful rather than illegal reasons. Discuss this in our FORUMS!
http://www.PSPHome.com/index.php?do=viewarticle&id=397