forums.ps2dev.org

[jimparis]

As you may know, EdisonCarter has made a trainer for GTA that uses a straightforward exploit in the game to execute arbitrary code. He chose not to reveal his techniques, but with the new savedata encryption and decryption routines at http://forums.ps2dev.org/viewtopic.php?t=4335, now anyone can run homebrew on 2.0, 2.01, 2.50, and probably 2.60:

1. Decrypt the GTA cheat device using the savedata/decrypt sample
2. Find and modify the code (look at offset 0xc4 for the offset of the start of MIPS code)
3. Reencrypt the save using the savedata/encrypt sample

Note that the syscalls may be changed from the 2.0 VSH mode, since a different set of modules is loaded. Hopefully it shouldn't take long before someone clever like Fanjita can make a decent loader for us.

[NeoSkeith666]

Awesome. Fanjita will be happy about this :)


There should be semgame data for other games like Wipeout Pure, because i dont have GTA

[Fanjita]

[peenee]

Is there any way of running kernel mode apps with this? Since it is a game that has taken over the ENTIRE PSP?

[NeoSkeith666]

I can't say for sure, but i'm pretty sure this will be kernel.

[NeoSkeith666]

by the way. does the cheat device work for 2.6???

[peenee]

[peenee]

[NeoSkeith666]

damn, damn, damn, but fanjita can probably make it work. I mean at first the cheat device only worked for 2.0, then he got it to work on 2.5. I mean, why WOULDN'T it work on 2.6+ ?? I don't wanna be stuck on the anti-homebrew boat any longer!! I want my IS--i mean, um..homebrew!!!

[Fanjita]

Please, less of the speculation on this site - take that elsewhere, this thread should be for the discussion of the technical side of what Jim and psp123 have achieved.

Obviously I'm trying to get an EBOOT loader working using this technique as soon as possible, and that will be announced elsewhere when it is ready.
_________________
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!

[peenee]

[Zenurb]

[peenee]

Zenurb, please don't flame peeps in an area where everybody will read it!
_________________
I am the peenee from PSP Updates

[NeoSkeith666]

[Zenurb]

[mrbrown]

Ok, Zenurb, you've made your point. The noise level is a bit too high in this thread, so please stay on topic.

Back on topic...

From what I understand, the only thing that prevents this exploit from fully working on 2.60 is that the list of syscalls hasn't been mapped for 2.60 yet. Developers should still be able to get something on screen to confirm that the exploit does work on 2.60, but figuring out the syscalls will take a bit longer.

BTW, what are the conditions for code running via this exploit? This is what has been gathered so far:

1. Offset 0xC4 in the save has the offset of the MIPS payload (0x0000fe74).
2. The first thing the MIPS payload does is copy itself to 0x09fb5000 (after checking to make sure it isn't already loaded). It is passed the address of itself in register a1.
3. After copying itself, it jumps to address 0x09fb5080.

I used the following to disassemble the exploit from the raw save file:

[ericthebum180]

I came up with this also dude we think alike :)!

Don't belive me think i'm just a copycat well look i even came up with it b4 him! http://forums.qj.net/showthread.php?t=28263[/url]

[ericthebum180]

also i told Fanjita and he's made posts a while ago :)!

[Mellow]

[27Bstroke6]

On a closely related topic, has there been any progress in generalizing the ability of the EBOOT loader for 2.0 to allow for homebrew access to the WiFi or serial port functions? Thanks.

[Fanjita]

[27Bstroke6]

Oops, looks like something was cut off in your previous message, but I got your drift. Fantastic. It would be ironic if the serial port was actually harder to access than the WiFi!

I'm glad to see that there's hope for the folks beyond 2.0, though personally I have no interest in GTA and if the functions of interest are available via 2.0 that should serve very nicely, especially since WiFi routines mean streaming, RSS, etc. are doable without relying on post-2.0 firmware.

The 2.0 browser is a necessity -- I've found it to be far more useful than I had expected, especially since it supports SSL and privately-signed certs (though with a few extra steps to accept the latter on each page...)

Thanks again for your great work.

[nosduh92]

can an exploit/cheat device like this work with other games? im thinkin wipeout pure

[Fanjita]

It's certainly possible that exploits exist in other games' savegame functions.

But you won't be able to use this exact same exploit on other games, since it's specific to GTA.
_________________
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!

[nosduh92]

yea we couldnt just put the gta code in another savegame file but when hot coffee came out for ps2 everyone tried to hack ar,gs,armax,cb codes for games other than gta and were sucsessful. btw, all of that code in the decryption routines... how do u use it? do i need a decryption program?

[skr3dii]

Any other homebrew software than tetris runs on 2.01+ ?
Simple question. Or we have to wait for EBOOT loader from Fanjita for 2.01+?

[Fanjita]

[niemand0815]

my personal problem is:
how do i convert the savegames from the uk(=eu)-version to the german version?
obviously there are some differences, as for example the name of the directory where the saves are in.

[Energy]

[niemand0815]