-
Notifications
You must be signed in to change notification settings - Fork 16
Full Homebrew History 2008
Soon after the PSP was released hackers began to discover exploits in the PSP that could be used to run unsigned code on the device. Sony released version 1.51 of the PSP firmware in May 2005 to plug the holes that hackers were using to gain access to the device.[1] On June 15 2005 the hackers distributed the cracked code of the PSP on the internet. Hackers refused to apply updates which would render their hacks unusable so Sony attempted to convince users that there was a benefit to upgrading by including new features in the firmware updates, such as a web browser, and not just security patches to plug the vulnerabilities. BusinessWeek dubbed this the "carrot-and-stick" approach.[2]
In August 2005 Sony released version 2.0 of the firmware which included the web browser, file compatibility updates and other features.[3] Hackers and other homebrew enthusiasts then encountered the first trojan for the PSP. Symantec called this trojan "Trojan.PSPBrick". Users attempting to downgrade their PSP using this software instead found that is was rendered inoperable as this software deleted important system files.[4] Over the course of 2005 Sony released six different versions of the firmware and hackers typically responded to it by downgrading to avoid the new security updates.[2]
In Mid-2006, after several months of problems in defeating the PSP's firmware a file was posted online which allowed new PSPs running firmware version 2.6 to downgrade to 1.5 so they could then be hacked using older methods. This reportedly caused more buzz in the community than any recent official offerings for the device.[5]
One of the drawbacks of downgrading the PSP is that new legitimate media may require the presence of a new firmware edition. A hacker by the name of Dark Alex had released a custom firmware called "Dark Alex's Open Edition firmware" which opens the firmware but allows users to use the existing feature set of the current edition. Sony quickly patched the firmware again, continuing the carrot-and-stick game with the hackers and users.[6] In 2006 Sony released six editions of the firmware and in 2007 they released another six editions.
On April 17th, 2005, a DNS redirection trick was discovered in the content-downloading feature of the game Wipeout Pure that allowed regular HTML web pages to be displayed in place of the official website. Using this trick, and with a bit of guesswork, hackers spotted that navigating to addresses such as file:///disc0:/ would allow files from the UMD to be viewed. Further exploration of a UMD disc using this method led to the discovery of the format of the executables that the PSP uses. Using a dumped PSP system ROM image, and the knowledge discovered from the Wipeout disc, the layout of the executable format was successfully reverse-engineered by a hacker named "NEM" and the "Saturn Expedition Committee" group.
In May of the same year, PSPs using the 1.00 version of the firmware were able to execute unsigned code packed in the same format as the EBOOT.BIN executable from Wipeout Pure, but from the /PSP/GAME folder on a Memory Stick. This meant that PSPs could be used to run homebrew software, as there was no mechanism to check if the code had been digitally signed by Sony in this firmware revision. This is similar to the PlayStation and PlayStation 2 consoles, which were missing many security features in their first revisions. A proof-of-concept "Hello World" was released to demonstrate this flaw. This lead to the development of a number of homebrew software programs, which were all built with a customized version of the GNU GCC and GNU Binutils modified to produce code for the PS2 and PSP (MIPS processor devices).
In addition, it became possible to dump Universal Media Discs (UMDs) using a homebrew technique. These dumped UMD images could be written to a Memory Stick Duo and executed, performing in almost exactly the same way as if they were being read from a UMD disc.
Version 1.50 of the PSP firmware, the original version shipped with non-Japanese PSPs, introduced new security measures that attempted to block the execution of homebrew software. However, in June of 2005, hackers discovered a method to run unsigned code on version 1.50. The discovery allowed early PSP adopters to run homebrew, which quickly led to articles on PSP homebrew appearing in mainstream media outlets.[1]
Two ways were developed to run unsigned code; first, through the use of an exploit known as "Swaploit", and later, via the safer 'KXPloit' method.
Swaploit was released on June 15, 2005. It was created by a Spanish team and involved swapping two Memory Sticks after attempting to launch a homebrew program, before the firmware had a chance to detect the missing Memory Stick and thus return to the XMB with an error. On one Memory Stick was an EBOOT.PBP file containing metadata such as the program title and logo; on the second Memory Stick, in the same path as the first EBOOT.PBP, there was a second EBOOT.PBP containing only the program code. There were reports of failing memory sticks using this method, but none have been verified.[citation]
KXploit was released on June 22, 2005. Developed by the Spanish Killer-X, KXploit exploited a misuse of the sprintf function of the PSP by having another folder named exactly the same with a percentage sign after the file name - for example, 'game' and 'game%'. The folder with the percent sign in its name contained the same sort of EBOOT as the first Memory Stick in the Swaploit exploit, while the folder without the percent sign contained the same sort of EBOOT as the second Memory Stick in said exploit. The problem with this exploit was that, when displayed in the XMB's Game menu, the folder without the percent sign would appear as a corrupted data icon alongside the icon for the program. This is because the EBOOT in the folder without a percent sign contained no metadata, only program code, and therefore could not be interpreted as a proper EBOOT by the XMB. However, this was shortly overcome by using two tricks. One exploited the FAT16 system of the memory stick by using folders with long names, and the other involved putting before the name of the folder containing the program code and % before the name of the folder containing the metadata (with the percentage sign at the end removed). Both tricks caused the corrupted data to disappear from the Game menu, while still allowing the EBOOT to be executed. Tools such as PSP Brew and Sei PSP Tool were later created that allowed the user to automatically hide the corrupted data and organize installed homebrew programs.
Some homebrew users complained about the need for two folders and the corrupted data icons. While there were ways to hide the icons, they could be a nuisance to new PSP homebrew users. On April 10, 2006, the No-KXploit patch was released, which patched the PSP's firmware in memory to allow non-KXploited homebrew to be executed directly. The No-KXploit patch itself required the use of KXploit for its execution. After being installed once, the patch would remain resident as long as the PSP did not lose power or undergo a full reboot.
The patch originally did not modify the firmware of the PSP or write to the flash. However, a new version was eventually released which modified the PSP's system files permanently so that the program only had to be run once.
Seeing that not many people were updating their PSPs to 1.51 or 1.52 (which were mainly security patches designed to defeat Swaploit and KXploit), Sony released an update with features that would give people an incentive to update. The main feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20, 2005. The Japanese version of the update was released a week later, on June 27, 2005. In addition to a web browser, it also had support for high-quality MPEG-4 AVC video and the ability to change the wallpaper. As version 2.00 contained a web browser, it became possible to write web-based programs that would take advantage of the PSP's HTML rendering ability, and its new found ability to connect to a server on a wireless network.
On September 23, 2005, a buffer overrun was discovered in the image rendering libraries of version 2.00 which allowed the execution of an unsigned binary file. The method involved the user opening a specially-crafted TIFF file from the Photo menu of the XMB. When the image was accessed, the exploit was triggered and program file was loaded.
Two days later, the first "Hello World" program was released. The size of the binary that could be loaded was limited to 64kb, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before the more popular homebrew applications could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".
Various developers used this exploit to create downgraders, which allowed version 2.00 users to run the version 1.50 update program and reinstall the older, less secure firmware. A PSP developer by the name of Fanjita created a program called eLoader using the same exploit, which allowed the user to run unsigned user mode homebrew launched from a menu. This was an alternative to downgrading the PSP to version 1.50 using the popular MPH Downgrader.
On October 2, 2005, an alternative downgrader was released. The "downgrader" was actually a trojan that, if run on PSP, destroys the firmware and BIOS, resulting in the PSP becoming un-bootable. This was officially reported by Symantec as Trojan.PSPBrick. After the release, many PSP homebrew sites came to a screeching halt to check every bit of homebrew for the trojan, to ensure safety for their users. Normal operation resumed shortly thereafter.
Any files that are based on the toc2rta TIFF exploit (including the EBOOT Loader and the MPH Downgrader) are now seen as trojans by anti-virus programs, even if they are perfectly legitimate.
Despite this, the PSP's browser cannot be used by a third party to install viruses onto a PSP system. All viruses that currently exist for the PSP have to be installed by the user.
A PSP bricker called Trojan.PSPBrick.B, known as 'SDL test' was circulating for a while. Its effects are the same as above, but is not detected by anti-virus programs. It is now of no threat.
Moving quickly to fix this exploit, Sony released firmware version 2.01 on October 3, 2005. This was only a security update and offered no new features.
On September 28, 2005, Cheat Device was released for Grand Theft Auto: Liberty City Stories which used a buffer overflow available during the loading of saved game data. It ran in the background of Grand Theft Auto: Liberty City Stories, allowing for various cheats to be used in the game, such as infinite health and the ability to "spawn" any of the vehicles in the game. Based on the proof-of-concept provided by the Cheat Device, a "Hello World" was created in December of 2005. A day later, the first playable homebrew for version 2.01 was released, titled "Tetris for Firmware 2.01".
Two days later, the exploit was released for firmware versions 2.50 and 2.60, leading to the creation of Tetris for these versions. An SDK was later released so that other developers could write their own software using the exploit. In January of 2006, versions of Fanjita's eLoader which supported version 2.01 and later version 2.60 were released. On April 2, 2006, due to the discovery of a function that allowed eLoader to initialize the WiFi hardware without access to kernel mode code execution, WiFi connectivity was enabled.
On June 27, 2006, another exploit was discovered in firmware versions 2.50 and 2.60 that allowed for kernel mode code to be utilized. Though the exploit was in the firmware itself, Grand Theft Auto: Liberty City Stories was still required to run the initial code. The exploit took advantage of another buffer overflow bug that was added when Sony included an additional security check in the 2.50 firmware.
Furthermore, during June 2006, Rockstar started shipping a version of Grand Theft Auto: Liberty City Stories that patched the buffer overflow exploit. The patched UMD also contains a compulsory upgrade to firmware version 2.60. In the PAL regions, the new disc was easily recognizable due to a new serial number and graphical layout.
On August 21, 2006 homebrew execution became possible on versions 2.00 through 2.80 due to another TIFF image exploit, this removing the requirement of Grand Theft Auto: Liberty City Stories. Contrary to popular belief, the exploit itself did not allow code to be directly executed in kernel mode, but through an exploit present in the sceKernelLoadExec command present in versions 2.50 through 2.71. This kernel mode exploit was fixed in version 2.80.
On September 5, 2006, an EBOOT loader that used the new TIFF exploit was released for firmware versions 2.00 through 2.60. It still had the same compatibility problems as previous versions of eLoader, due to its restriction to executing only user mode code.
Multi Firmware Module was announced on April 24, 2006. Multi Firmware Module contained a different PSP firmware to the one onboard the PSP itself and can be booted from, or copied to, the PSP's original NAND flash chip, unbricking the PSP. It was planned for release upon the acquisition of a suitable manufacturer, but it seems like it will never be released.
The PSP modchip ("Undiluted Platinum") was announced on May 28, 2006. It allows the user to run two separate firmwares, one on the PSP itself, and one on the modchip. It also allows the restoration of corrupted firmware ("unbricking"). However, this chip does not work with all PSP hardware, due to the lower voltage of newer, TA-082, PSP boards. The PSP Slim is also incompatible.
Undiluted Platinum was released on June 26, 2006. However its installation required some very careful soldering, and many users did not wish to install this modchip. On July 23, 2006 the custom firmware Epsilon Bios was released, it required the Undiluted Platinum to be used.
The day after Undiluted Platinum's release, a kernel exploit for 2.50 and 2.60 was revealed, aggravating many users who purchased the modchip just to downgrade from those versions.
The Undiluted Platinum modchip has arguably been made irrelevant by the Pandora's battery, which offers similar unbricking functionality, and multi-firmware booting (through Dark_AleX's Time Machine) without the need for soldering.
A new modchip called "PSP-Devolution" was in development state. It planned to have similar features from the Undiluted Platinum chip, and it will be compatible with all motherboards (TA-079 to TA-086), also providing TA-082 recovery.
A (TA-079 to TA-081) version is now available which runs on 3.3V and on June 6, 2007 a version for TA-082+ motherboards was made available which runs on 1.8V.
PSP modchips have been made obsolete with the creation of Pandora's battery. Many modchip adopters bought their chips to unbrick or downgrade, both functions now available free.
On April 25, 2006, Sony released firmware version 2.70, which patched the exploit in Grand Theft Auto: Liberty City Stories. Version 2.70 also brought support for Macromedia Flash, leading to the creation of a number of PSP Flash games. Various Flash portals were released to allow flash games and applications to be run from a single location without adding them all as bookmarks.
Throughout September 2006, hackers released downgraders and homebrew loaders for firmware version 2.71, using the second TIFF image exploit previously mentioned.
On September 12, 2006, Tetris for firmware 2.80 was released, along with an SDK for creating homebrew that could run on version 2.80 using the second TIFF exploit. This was followed just hours later by TIFF pong, and two days later by more TIFF homebrew. Later the Noobz hacker team released version 0.995 of eLoader (also known as eLoader "Kriek"), which added support for version 2.80. New with this version was xLoader, a program which allowed homebrew EBOOTs to be executed from the Game menu on version 2.80.
On December 20, 2006, a new exploit that enabled kernel mode code execution in version 2.80 was found by Team C+D and a proof of concept program was released. This eventually lead to the development of a downgrader for version 2.80.
On January 25, 2007, a user-mode exploit was discovered which affected PSP firmware versions 2.00 through 3.03. A "Hello World" application, called the Goofy Exploit, was subsequently released by the Noobz team, proving that unsigned code could be run on a PSP running version 2.81 or higher. The exploit requires a non-patched copy of the Grand Theft Auto: Liberty City Stories UMD. It was a variation of the old Grand Theft Auto: Liberty City Stories exploit, taking advantage of the fact that Sony's patch only affected the save slots numbered 0 - 7; however, the game's auto-load feature would also load saved games from slots 8 and 9, allowing the same exploit to be used if it was stored in either of these 2 slots.
On January 28, 2007, the Noobz team released the 3.03 Homebrew Enabler, or HEN, for users of firmware version 3.03 who did not wish to downgrade but wanted the benefits of homebrew on their system. This also required the use of a non-patched copy of the Grand Theft Auto: Liberty City Stories UMD.
On June 23, 2007, a new exploit that worked on all firmwares up to version 3.50 was made public. This exploit, called the "Illuminati exploit", required a copy of the game Lumines. Three days later, Noobz made a downgrader using this exploit. In Japan, some versions of Lumines have been patched and now include the 3.51 firmware update, which patched this exploit.
On August 22, 2007, Team C+D released the "Pandora's Battery" that can convert a spare Memory Stick Pro Duo and battery into a "Magic Memory Stick" and a "JigKick Battery". The Memory Stick and the JigKick battery couple is called "Pandora's Battery". The Memory Stick and battery can then be used to downgrade any PSP of any version or to recover from a brick.
To convert the Memory Stick and battery another PSP which is able to run 1.50 homebrew is needed. The Memory Stick can also be converted without using a homebrew PSP by using a Pandora's battery program, such as Pandora Easy GUI. After the downgrade/unbrick service has been completed, the Memory Stick and battery can be restored for normal usage.
A "JigKick Battery" is a battery with the first address in the EEPROM chip changed to 0xFFFFFFFF. This unlocks the service mode of the PSP and launches the IPL from the Memory Stick (instead of from the internal NAND). A "Magic Memory Stick" consists of a reverse-engineered IPL and a customized subset of an official firmware (usually version 1.50) stored on a Memory Stick Pro Duo. This downgrader can downgrade all firmware versions. The original version is incompatible with the PSP Slim & Lite due to the 1.50 IPL being incompatible with PSP Slim & Lite hardware. However, on September 28, 2007, a version that works on both the old style PSP and the Slim & Lite was released. The new debricker is called Despertar del Cementerio ("waking from the grave"), and is also known as the Universal Unbricker, which was developed by Dark_Alex. Instead of installing firmware version 1.50, it installs a custom firmware.
The "JigKick" battery can also be created by lifting the fifth pin of the EEPROM on the battery's mainboard. This is somewhat dangerous because it disables the EEPROM entirely, and may have side effects such as overheating if pin 5 is shorted to other pins while desoldering. It can also prevent the "smart" features of the PSP's battery from reporting proper information, such as remaining battery life, charge level, and temperature.
The battery that is included with the PSP Slim can also be converted into a "Pandora" battery by using the hardware modification method mentioned above.
There is now a method developed by HellCat that will enable users of custom firmware above 3.71 M33 which does not automatically have the 1.50 firmware kernel to create a Pandora battery.
Though Sony advocates against use of any homebrew, representatives have said that the Pandora's Battery will not physically harm the PSP in any manner, as this is the same method used by Sony when customers send in their bricked PSPs for repair.
Note: All non-Android projects have moved to the BASLQC Wiki.
- Introduction - A quick intro to the rationale and ideals of this guide, and smartphone modding in general.
- General Setup - Learn how to install and run the tools you need to succeed.
- Device Guides - Customized, fully decked out guides for rooting each and every device we could find.
- General OS Customizations - General customizations that work on all devices of a specific OS.
- General Guidelines - The ideals that you should uphold while working with and editing this guide.
- Device Guide Templates - Templates and general guidelines for creating customized guides for a device.
- Linux - Run a full desktop OS on your little mobile device; research is being made to make it comfortable to use in the mobile space.
- Glossary - Contains all the crazy acronyms and word soup that you'll need to wade through when using this guide.
- Android Buying Guide for Modders - While modding can fix up an outdated device, it will make your life easier to buy the right device from the start.