"Christmas - the time to fix the computers of your loved ones" « Lord Wyrm

Binary Loader v0.2 for PSP Firmware 2.0

TheShi 24.09.2005 - 11:30 996 3
Posts

TheShi

Big d00d
Avatar
Registered: May 2004
Location: Graz
Posts: 235
Ich habe folgenede Meldung von http://www.pspupdates.qj.net/ gefunden, hab aber keine Ahnung, was dass ganze jetzt bedeutet?
Kann mir wer kurz in Umgangssprache sagen, was es bedeutet?

Zitat
http://pspupdates.qj.net/DSC02262_thumb.jpg
The creator(s) of the 2.0 Buffer Overflow have spoken with me and have created a way to allow the execution of a binary file from the root directory of the memory stick. I was told that it will load binary files up to 64k from the memory stick, but won’t load un-encrypted elf files yet. The file named ‘h.bin’ must be placed in the root directory of ms0: for it to run. Here’s what was said in the readme: “

Pure binary loader.

* it's loaded at 0x08810000
* it's max 64 kb
* it's pure binary MIPS code
* you have to use syscalls and not NIDs
* it runs in user space!
* it's called h.bin (paint screen blue yay!) in the root of the MemoryStick

Set the frame_buffer.png as background like before and Place the new overflow.tif in the photos dir and the h.bin on the memory stick. It loads ms0:/h.bin

Zuvor kam die Meldung:

Zitat
We have received an email from someone named 'foo bar' with a file made by unknown, which allows a buffer overflow to be run via the photos menu in Sony PSP firmware v2.0. Although it is not currently possible to run homebrew code with this exploit, the door is wide open for the future. Here is what the readme says:

First Homebrew Code on 2.00

1. Set wallpaper to frame_buffer.png (without overflow.tif present
in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory, and open into the photo
viewer. Custom code to paint the screen! Or to write a homebrew
app! Not to run illegal games.

How It Works?

1. The PNG contains a small amount of code in a known, fixed place
(the VRAM). If to look closely at the wallpaper, sees small
coloured pixels in the right down. The pixels are Allegrex
opcodes, with the highest byte all zero for the ALPHA. These
pixels do:

syscall 0x20C7 ; sceKernelDcacheWritebackInvalidateAll
slt a0, zero, sp ; put 1 into a0
sll a0, a0, 6 ; put 64 into a0
addiu a0, sp, a0 ; get screen painter address over SP
jr a0 ; jump to the screen painter
nop ; branch delay slot

2. The TIFF contains also some code and a buffer to trigger the
known BitsPerSample overflow in libtiff in the photo viewer.
The buffer makes a jump to the VRAM which has the PNG colours
by overwriting the safed ra (return address) on the stack.
The VRAM code uses SP and calculates the address of the buffer
then runs it. Then it jumps there. The screen is yellow as
the colour was 0x12345678 in Hex.

Kennt sich wer damit aus?
Was sagt das ganze im aus?
In der PSP Scene wird es als riesen Erfolg gefeiert... :confused: :confused: :confused:

LTD

frecher fratz
Avatar
Registered: Feb 2001
Location: is where it is
Posts: 6333
die news hab i schon gepostet ... egal

sagt nur das sie eigenen code ausführen konnten (einfärben des hintergrunds) indem sie einen exploit (programmierfehler oda so) ausnutzen.

genaugenommen könnte das der durchbruch sein um auf firmware 2.0 endlich eigene anwendungen laufen lassen zu können. in ein paar tagen wird man sehen obs klappt oder nicht :)

retro

computer says no
Avatar
Registered: Jul 2002
Location: XXII
Posts: 3260
eine sicherheistlücke wurde in der 2.0 firm gefunden die es warscheinlich irgendwann mal zulässt "3rd" party software auszuführen

TheShi

Big d00d
Avatar
Registered: May 2004
Location: Graz
Posts: 235
Sorry für Doublepost.. :o

Also wirklich der Durchbruch?
Homebrew auf der 2.0 PSP wäre der Hammer...:cool: :cool: :cool:
Kontakt | Unser Forum | Über overclockers.at | Impressum | Datenschutz