New PSP Exploit found in Gripshift makes PSP-3000 Hackable

Come Visit the New Site at

A expoit has been found inthe PSP game called Gripshift which enables you to be able to hack your PSP 3000 in the near future! This was found by a person called MaTiaZ.

Here is what MaTiaZ said about it:

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.

and here is a video made by Freeplay showing the exploit:

There are two versions of the exploit. The first which is the raw form from MaTiAz, the other one (v2), is a version encrypted by FreePlay. It’s also been confirmed that it will all the way up to the recent CFW 5.02 GEN-A.”

To download version 1: CLICK ME

To download version 2 by Freeplay: CLICK ME

To read more about it: CLICK ME


4 Responses to “New PSP Exploit found in Gripshift makes PSP-3000 Hackable”

  1. PSP 3000 First Homebrew Game Released - Pong v1.0 « AllTechRelated Says:

    […] ever homebrew game compatible with the PSP 3000 has been released. It is Pong. This game uses the GripShift exploit found recently.Here is a video of the game […]

  2. PSP 3000 Homebrew SDK - Sparta SDK « AllTechRelated Says:

    […] 3000 Homebrew SDK – Sparta SDK January 11, 2009 — psp2468 Remember the GripShift exploit I posted about a while ago. Well, here is the SDK that allows you to create homebrew for it. The […]

  3. PSP 3000 Now Running CFW 5.02GEN-a « AllTechRelated Says:

    […] Thats right, you read right. PSP GEN have managed to custom firmware on a PSP-3000 using the GripShift exploit that was found a few days […]

  4. New Game for PSP 3000 - Bomberman Gripshift « AllTechRelated Says:

    […] January 19, 2009 — psp2468 A cool new game has been released using the GripShift exploit found in the PSP 3000. This allows you to play homebrew games created with the Sparta […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: