Binary Loader v0.2 for PSP Firmware 2.0
TheShi 24.09.2005 - 11:30 1051 3
TheShi (Big d00d):
I found the following news item on http://www.pspupdates.qj.net/ but have no idea what it all means. Can someone briefly tell me in plain language what it means? http://pspupdates.qj.net/DSC02262_thumb.jpg

The creator(s) of the 2.0 Buffer Overflow have spoken with me and have created a way to allow the execution of a binary file from the root directory of the memory stick. I was told that it will load binary files up to 64k from the memory stick, but won't load un-encrypted elf files yet. The file named 'h.bin' must be placed in the root directory of ms0: for it to run. Here's what was said in the readme:

“Pure binary loader.
* it's loaded at 0x08810000
* it's max 64 kb
* it's pure binary MIPS code
* you have to use syscalls and not NIDs
* it runs in user space!
* it's called h.bin (paint screen blue yay!) in the root of the MemoryStick

Set the frame_buffer.png as background like before and place the new overflow.tif in the photos dir and the h.bin on the memory stick. It loads ms0:/h.bin”

Before that, there was this news: We have received an email from someone named 'foo bar' with a file made by unknown, which allows a buffer overflow to be run via the photos menu in Sony PSP firmware v2.0. Although it is not currently possible to run homebrew code with this exploit, the door is wide open for the future. Here is what the readme says:
First Homebrew Code on 2.00
1. Set wallpaper to frame_buffer.png (without overflow.tif present in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory, and open into the photo viewer.

Custom code to paint the screen! Or to write a homebrew app! Not to run illegal games.
How It Works?
1. The PNG contains a small amount of code in a known, fixed place (the VRAM). If you look closely at the wallpaper, you can see small coloured pixels at the bottom right. The pixels are Allegrex opcodes, with the highest byte all zero for the ALPHA. These pixels do:

    syscall 0x20C7      ; sceKernelDcacheWritebackInvalidateAll
    slt   a0, zero, sp  ; put 1 into a0
    sll   a0, a0, 6     ; put 64 into a0
    addu  a0, sp, a0    ; get screen painter address over SP (the readme wrote addiu, which takes an immediate, not a register)
    jr    a0            ; jump to the screen painter
    nop                 ; branch delay slot

2. The TIFF also contains some code and a buffer to trigger the known BitsPerSample overflow in libtiff in the photo viewer. The buffer makes a jump to the VRAM, which holds the PNG colours, by overwriting the saved ra (return address) on the stack. The VRAM code uses SP and calculates the address of the buffer, then runs it. Then it jumps there. The screen is yellow as the colour was 0x12345678 in hex.

Does anyone know about this? What does it all mean? In the PSP scene it's being celebrated as a huge success...
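The readme quoted above relies on a BitsPerSample entry in the TIFF directory whose length libtiff did not bound-check. As an added illustration (not code from this thread or from the exploit's authors), here is a small Python check that parses the first IFD of a classic TIFF and flags a BitsPerSample array longer than SamplesPerPixel allows; build_tiff is an assumed helper that constructs minimal header-only sample files (constructed data, no pixel data) so the check can be exercised offline.

```python
import struct

BITS_PER_SAMPLE = 258
SAMPLES_PER_PIXEL = 277

def parse_first_ifd(data):
    """Return (byte-order prefix, {tag: (type, count, raw 4-byte value field)}) for the first IFD."""
    if data[:2] == b"II":
        e = "<"
    elif data[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    n = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])[0]
    entries, pos = {}, ifd_off + 2
    for _ in range(n):
        tag, typ, count = struct.unpack(e + "HHI", data[pos:pos + 8])
        entries[tag] = (typ, count, data[pos + 8:pos + 12])
        pos += 12
    return e, entries

def inline_short(e, raw):
    # a SHORT with count 1 sits in the first two bytes of the value field in both byte orders
    return struct.unpack(e + "H", raw[:2])[0]

def check_bits_per_sample(data, max_samples=4):
    """Flag a BitsPerSample count that SamplesPerPixel (default 1) or a sane channel limit cannot explain."""
    e, tags = parse_first_ifd(data)
    spp = inline_short(e, tags[SAMPLES_PER_PIXEL][2]) if SAMPLES_PER_PIXEL in tags else 1
    if BITS_PER_SAMPLE not in tags:
        return "ok"
    _, count, _ = tags[BITS_PER_SAMPLE]
    if count > spp or count > max_samples:
        return f"suspicious: BitsPerSample count {count}, SamplesPerPixel {spp}"
    return "ok"

def build_tiff(bps_count, spp=1, e="<"):
    """Constructed minimal TIFF: header plus one IFD, no pixel data (only the IFD is inspected)."""
    order = b"II" if e == "<" else b"MM"
    entries = [(256, 3, 1, 1), (257, 3, 1, 1),          # ImageWidth, ImageLength
               (258, 3, bps_count, 8), (277, 3, 1, spp)]  # BitsPerSample, SamplesPerPixel
    ifd = struct.pack(e + "H", len(entries))
    for tag, typ, count, val in entries:
        ifd += struct.pack(e + "HHIHH", tag, typ, count, val, 0)
    ifd += struct.pack(e + "I", 0)  # next IFD offset: none
    return order + struct.pack(e + "HI", 42, 8) + ifd
```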
LTD (frecher fratz):
I already posted the news ... anyway, it just says they were able to run their own code (colouring the background) by using an exploit (a programming error or something). Strictly speaking, this could be the breakthrough to finally be able to run your own applications on firmware 2.0. In a few days we'll see whether it works or not.
retro (computer says no):
A security hole was found in the 2.0 firmware that will probably at some point allow "3rd" party software to be run.
TheShi (Big d00d):
Sorry for the double post.. So, really the breakthrough? Homebrew on the 2.0 PSP would be awesome...