Posted Jun 28, 2006 at 10:20AM by Jake D. Listed in: Hacks & Exploits, Homebrew Development, News Tags: eLoader, Fanjita, hitchhikr

Kernel Mode Unlocked


This post has been updated as of Wednesday, 10:50am EST


Break out your calendars folks, because this may be a day that you want to mark as a pivotal day in the history of PSP homebrew. A developer known as hitchhikr of "hitchhikr SoftWorks" and demo scene group Neural have come out with a Proof of Concept of a 2.50/2.60 Firmware Exploit! Once implemented and fine tuned for "normal user" use, this will bring 2.50 and 2.60 Firmware up to the same homebrew capability that 1.50 PSP owners enjoy with FULL kernel mode access - although Grand Theft Auto: Liberty City Stories will still be required, just like with eLoader.

Speaking of eLoader, Fanjita is already working with hitchhikr on incorporating this new exploit into an easily executable form via eLoader. After a brief chat with Fanjita, he has told us that a generic application for developers will hopefully be released within the next 24 hours. It will take a bit longer before something usable for non-devs is released.

The exploit takes advantage of a security check that Sony added in 2.50/2.60 Firmware to sceKernelLoadExec, the function responsible for loading EBOOTs. Along with that check, Sony accidentally introduced an overflow bug; because the check does not exist in 2.0 and 2.01 Firmware, the exploit will not work on those versions.

Below you will find a download of hitchhikr's & Neural's Proof of Concept - this is not intended for the casual user. It creates dump files containing kernel memory dumps in the root of the Memory Stick (boot.bin, kmem.bin, klib.bin). It also creates writeaccess.bin, which contains just the hex bytes 12 34 56 78, to prove that kernel memory CAN be written to.

But don't start upgrading those PSPs yet until a viable means of implementation is released! Also, this breakthrough does not open up the possibility of a downgrader, due to the protection in the IPL in 2.50+ firmware. Speculation has already begun, though, that this will open the door to the decrypting of 2.70+ Firmware, allowing it to be emulated a la Devhook.

We will stay on top of this breaking news all day long and be constantly updating this news post with information as soon as we get it! Stay with QJ.NET and PSPUpdates for all the latest!

Download: [2.60 Firmware Exploit - Proof of Concept]
Read: [QJ.NET Forum Discussion Thread]



UPDATE #1: Fanjita has released the "source" of his work so far today on this newly discovered exploit. If you would like to take a look at it and continue investigating where he left off for today, have a look!
Only for v2.5 / v2.6.

Based on Proof of Concept code by Hitchhikr / Neural.

Function: Attempts to load ms0:/kernel.elf using sceLoadModule/sceStartModule when in kernel mode, after writing a NOP to 0x8801A5B4.

Diags: Writes a log of operations to ms0:/GTALOG.TXT.
If LoadModule fails, writes the error code to ms0:/failload.trc.
If StartModule fails, writes the error code to ms0:/failstart.trc.
Check out the included readme for more info! (Thanks for the tip, gangsta_psp!)

Download: [Fanjita's Exploit Source - Day 1]



Update #2: Fanjita has taken a moment to respond to some of the many questions being asked in our forums regarding the update above and his "source":

Rumour clear-up time: this was posted in the pspdev IRC, so that people who know what they're doing can play with it if they want. I don't mind it being spread around, but if you don't understand how sceKernelLoad* apply security checks, then it's probably not for you.

It's work-in-progress, it's not an eLoader beta, it's just a more convenient way of experimenting with the exploit (maybe), and also an effort to test some in-RAM hacks to remove some security checks.

It doesn't seem to work at the moment, and the main thing that needs to be done is to investigate why - presumably, there's a problem with the format of the ELFs being loaded.

Kernel.elf is just an arbitrary ELF - nothing I've tried so far has worked, feel free to try your own.

The source that's given is just the source of the function that's attempting to do stuff with the exploit - it doesn't show any of the exploit code, and is not a complete app in its own right.

He also went on to say that the main focus right now is to replicate "nokxploit functionality", making 2.50/2.60 PSPs behave the same way that 1.0 PSPs do in regards to homebrew. He says that a "kernel eLoader" would be possible but more cumbersome than a nokxploit approach.



Note: This news post will stay at the top of the page for most of the day to ensure everyone gets a chance to see this breaking story unfold. Scroll down for more up to the minute news from QJ.NET!

If you want to help spread the word about this breakthrough, CLICK HERE to Digg It!! (Note: An alternate URL has been used because QJ.NET is banned from Digg. If this outrages you as much as it does us, email Digg and tell them to take QJ.NET and PSPUpdates off the ban list!)



Digg Update: It appears Digg is still taking potshots at QJ.NET. As of this morning, Digg has "buried" this news post. This means that they have taken a Digg story with 1000+ Diggs and removed it from their index. It still exists and can be seen by clicking the direct link above, but you cannot find the story in their main listing, nor will it come up in a search. It's becoming ever more apparent that QJ.NET is being specifically targeted by Digg editors for one reason or another, and we are not being treated fairly. So much for users deciding what ends up on their site - turns out biased editors still have the final say.

We apologize for distracting everyone and stealing focus from this groundbreaking exploit, but enough is enough. (If any Digg staff are reading this, please Contact Us - as we've tried to do with you dozens of times already)



694 Comments
   by Fr0sTy - 2006-06-27
 » kernel access...

uh oh.... here come more pirates!!!!... upgrades??

   by w00t (Unregistered) - 2006-06-27
 » w00t

I've been waiting an hour for this to showup on the homepage! *hoping for an ISO loader, obviously*

   by XxMxVxPxX (Unregistered) - 2006-06-27
 » yeah

YESSSSS i have 1.5 though

   by elad_thc (Unregistered) - 2006-06-27
 » .

awesome i can't wait

   by FLai - 2006-06-27
 » .

oh jesus. oh jesus god! YES!!!!!!!

   by word (Unregistered) - 2006-06-27
 » sux

thats killer, i just upgraded to 2.71, maybe ill trade it in at eb games for a 2.5/6 >

   by Nick (Unregistered) - 2006-06-27
 » cool

I have two psp's so there is no use of this for me, but it is still good news.

   by shin-baka (Unregistered) - 2006-06-27
 » *_*

I don't care about iso-loaders. But using snes9xTYL with kernel-access on my 2.5 firmware... wheeeee~ *^__^*

Go for it, hitchhikr and Fanjita!

   by Jordan Black - 2006-06-27
 » OMG

Im so glad i upgraded from 2.01 to 2.6

   by nikeskatekr3w (Unregistered) - 2006-06-27
 » OFMG YES!!!!!!!

THIS IS AWESOME IVE BEEN WAITING FOR THIS........does this mean 2.6 can use the ir remote control that would we SICK

   by Kite - 2006-06-27
 » :v

holyc rap

   by Muhu (Unregistered) - 2006-06-27
 » fanjita is on the case

A kernel eloader is in the works now. Great job!

   by schenksmll (Unregistered) - 2006-06-27
 » good deal

faster progs and hopefully an iso loader down the road for my lazy ass

   by Predator04 (Unregistered) - 2006-06-27
 » Sweet!

Great news! that's amazing! i knew it would come someday.. just didn't know when! good work!

   by yvrogne59 (Unregistered) - 2006-06-27
 » wow

is a great day for the psp 2.00+

   by ZFB8 (Unregistered) - 2006-06-27
 » Holy *****.

Oh my dear God. I just came to PSPU to see if any news had come up, and I see this. This is un-mother-*****ing-believable. I almost screamed when I saw this

   by Zettablade - 2006-06-27
 » old

This is old, but at least you gave a full story. and by old, I mean a couple hours. anyways, who knows, this could lead to a downgrader. We'll just have to wait and see. hopefully though it'll keep people off those awful mod chips.

   by icemasta (Unregistered) - 2006-06-27
 » Nice

this is really great and all but now it ruins the fun of having a 1.5 which i have.

   by Mang (Unregistered) - 2006-06-27
 » *****in

yea this means you can use Ir remote control... it also means iso loaders... better emulators and being able to run the shells, such as psp-oss.

   by alatnet1 - 2006-06-27
 » Two Words:

HELL YEA!!!

   by Jordan Black - 2006-06-27
 » 1.5 usrs

U said that 2.6 is the worst firmware. Oh guess what we have kernel access and mayb a downgrader to ur beloved 1.5. Hahaha 1.5 users spent loads for their ebay psp's and the price of them will totally Drop unless they're geniuses

   by Pherk (Unregistered) - 2006-06-27
 » Very nice...

This means homebrew for everyone (except 2.7 lol)! Finally my friends can play isos too.

   by SMD, xsorifc28 (Unregistered) - 2006-06-27
 » jump it jump it.

this if freawwkking awesome.
does this mean the homebrew community has over powered sony and their encryption?

   by Wanker (Unregistered) - 2006-06-27
 » A day to remember

Death to UP? guess time will tell.

   by Racer_X (Unregistered) - 2006-06-27
 » F*CK

Daamnn... Finally :D Looks like I'm gonna be upgrading my 2.00 soon. Although I don't see anything good enough in 2.60 to upgrade but hey, it will be just like having a 1.5 with a nice web browser, some other pretty useless options and FULL KERNEL ACCESS.

Oh yeah :D

   by .p0p5ux. - 2006-06-27
 » HELL!

yeahh!!!!! yeah!!!!!!
thank you god!!!
ill be good now!

   by Djhg2000 (Unregistered) - 2006-06-27
 » There's no word to describe my frustration!!!

About a month ago I accidentally upgraded to 2.70!
#¤%&@£$€!!!
If a downgrader comes out I'm bricking my PSP and returning it for a 2.60.
GAAAAAAAAAAAAAAAAAAAAWH!!!

   by DG??? (Unregistered) - 2006-06-27
 » CAN THIS LEAD TO A DOWNGRADER???

CAN IT???

   by ROFL (Unregistered) - 2006-06-27
 » ROFL

HAHAHAHAHA I actually laughed for a long time
SONY MADE THE SAME MISTAKE AS ROCKSTAR.
That is hilarious. Absolutely hilarious. Both had overflow bugs allowing homebrew. Funny Stuff. *wipes tear*

   by core tactic (Unregistered) - 2006-06-27
 » Besides

This was in 2.6, and no one discovered it until now. So that means they probably overlooked it and this exploit exists in 2.7 and 2.71 too!
