  • 1892 views
  • 3 replies

[Repost] PSP 2.6 firmware exploit vulnerability announced! (series of reposts)

Rank: Elf King
Registered:
2003-01-27
Time online:
1 hour
Posts:
3947
pspupdates reports: a developer known as Hitchhikr Softworks has discovered a new kernel vulnerability in the PSP 2.5/2.6 firmware that allows ordinary third-party users to obtain full read access to the 2.6 firmware kernel.

In other words, the current mainstream PSP firmware version will be cracked in the near future by developers making use of this vulnerability.

Hitchhikr has already published the source code for this PSP firmware exploit and has invited all interested programmers to take part in the cracking work.

Click here for the source download page
http://dl.qj.net/2.60-Firmware-Exploit-Fanjita-Source-PSP-Development/pg/12/fid/8488/catid/203
----------------------------------------------------------------
Reposted from http://pspupdates.qj.net/

Original text:
Break out your calendars folks, because this may be a day that you want to mark as a pivotal day in the history of PSP homebrew. A developer known as hitchhikr of "hitchhikr SoftWorks" and coder companion Neural have come out with a Proof of Concept of a 2.50/2.60 Firmware Exploit! Once implemented and fine tuned for "normal user" use, this will bring 2.50 and 2.60 Firmware up to the same homebrew capability that 1.50 PSP owners enjoy with FULL kernel mode access - although Grand Theft Auto: Liberty City Stories will still be required, just like with eLoader.

Speaking of eLoader, Fanjita is already working with hitchhikr on incorporating this new exploit into an easily executable means via eLoader. After a brief chat with Fanjita, he's told us that you can expect some generic application for developers to hopefully be released in the next 24 hours. It will take a bit longer before something usable for non-devs will be released.

The exploit takes advantage of an added security check in 2.50/2.60 Firmware for sceKernelLoadExec, which is responsible for loading EBOOTs, but Sony also accidentally added an overflow bug, which means this exploit will not work with 2.0 and 2.01 Firmware.

Below you will find a download of hitchhikr's & Neural's Proof of Concept - this is not intended for the casual user. It creates dump files containing kernel memory dumps in the root of the memstick (boot.bin, kmem.bin, klib.bin). It also creates writeaccess.bin which contains just the hex (12 34 56 78) to prove that kmem CAN be written to.

But don't start upgrading those PSPs yet until a viable means of implementation is released! Also, this breakthrough does not open up the possibility of a downgrader due to the protection in the IPL in 2.50+ firmware. Although speculation has already begun that this will open the door to the decrypting of 2.70+ Firmware, allowing it to be emulated a la Devhook.


UPDATE #1: Fanjita has released the "source" of his work so far today on this newly discovered exploit. If you would like to take a look at it and continue investigating where he left off for today, have a look!

Only for v2.5 / v2.6.

Based on Proof of Concept code by Hitchhikr / Neural.

Function : Attempts to load ms0:/kernel.elf using sceLoadModule/sceStartModule when in kernel mode, after writing a NOP to 0x8801A5B4.

Diags: Writes a log of operations to ms0:/GTALOG.TXT.
If LoadModule fails, writes the error code to ms0:/failload.trc.
If StartModule fails, writes the error code to ms0:/failstart.trc.

ISOs, homebrew, and downgraders should soon be usable on 2.6 FW!
----------------------------------------------------------------------
Breaking News: 2.60 Firmware Exploit Found - Kernel Access!

Break out your calendars folks, because this may be a day that you want to mark as a pivotal day in the history of PSP homebrew. A developer known as hitchhikr of "hitchhikr SoftWorks" and coder companion Neural have come out with a Proof of Concept of a 2.50/2.60 Firmware Exploit! Once implemented and fine tuned for "normal user" use, this will bring 2.50 and 2.60 Firmware up to the same homebrew capability that 1.50 PSP owners enjoy with FULL kernel mode access - although Grand Theft Auto: Liberty City Stories will still be required, just like with eLoader.

Speaking of eLoader, Fanjita is already working with hitchhikr on incorporating this new exploit into an easily executable means via eLoader. After a brief chat with Fanjita, he's told us that you can expect some generic application for developers to hopefully be released in the next 24 hours. It will take a bit longer before something usable for non-devs will be released.

The exploit takes advantage of an added security check in 2.50/2.60 Firmware for sceKernelLoadExec, which is responsible for loading EBOOTs, but Sony also accidentally added an overflow bug, which means this exploit will not work with 2.0 and 2.01 Firmware.

Below you will find a download of hitchhikr's & Neural's Proof of Concept - this is not intended for the casual user. It creates dump files containing kernel memory dumps in the root of the memstick (boot.bin, kmem.bin, klib.bin). It also creates writeaccess.bin which contains just the hex (12 34 56 78) to prove that kmem CAN be written to.

But don't start upgrading those PSPs yet until a viable means of implementation is released! Also, this breakthrough is not on a path to a downgrader, at least that does not seem like an option at this moment. Although speculation has already begun that this will open the door to the decrypting of 2.70+ Firmware, allowing it to be emulated a la Devhook.

We will stay on top of this breaking news all day long and be constantly updating this news post with information as soon as we get it! Stay with QJ.NET and PSPUpdates for all the latest!

Original article: http://pspupdates.qj.net/Breakin ... ss-/pg/49/aid/57216

Rough translation of the original:
"hitchhikr" and "Neural" have confirmed a vulnerability in the 2.50/2.60 firmware. Carefully exploited, it can give "normal users" on 2.50 and 2.60 firmware PSPs the same homebrew capability as 1.50 firmware PSPs, with full kernel access mode, but, just like eLoader, it still requires GTA.

Full kernel mode means that a downgrader usable on 2.50/2.60 firmware may become possible!
This vulnerability also opens the door to decrypting 2.70+ firmware, allowing Devhook to emulate 2.70+ firmware!
This is just awesome!!!!!!!!
-------------------------------------------------------


The above are several related reposts. What Fanjita posts is pretty reliable.

Oh~ hehehe~ I can't contain my excitement~ let's all look forward to it together~

Rank: Little Kid
Registered:
2004-05-24
Time online:
176 hours
Posts:
69346
#1 Posted: 2006-06-28
Mine is 2.6

Rank: Elf King
Registered:
2003-01-27
Time online:
1 hour
Posts:
3947
#2 Posted: 2006-06-28
Quote:
Originally posted by ljoxfor
Mine is 2.6

Let's all cheer gloriously together :o

Rank: Working Group
Registered:
2005-04-23
Time online:
0 hours
Posts:
4259
#3 Posted: 2006-06-28
Didn't they say last time that 2.7 was easier to crack than 2.6.....

Lux Aeterna

The past keeps passing, the future keeps coming...