QuickJump QuickGuide Issue #6: The GripShift Exploit
The PSP homebrew community found a ray of hope for the PSP-3000 at the start of the new year when MaTiAz found a critical exploit in the old PSP title by Sidhe Interactive, GripShift. This paved the way for users to run homebrew on the unhacked PSP model despite the lack of custom firmware. Here’s QuickJump QuickGuide Issue #6 – say hello to the Gripshift exploit.
The PSP homebrew community found a ray of hope for the PSP-3000 at the start of the new year when MaTiAz found a critical exploit in the old PSP title by Sidhe Interactive, GripShift. This paved the way for users to run homebrew on the unhacked PSP model despite the lack of custom firmware. Here’s QuickJump QuickGuide Issue #6 – your quick guide to the Gripshift exploit.
A New Hope (insert Star Wars theme)
The new year kicked off with a bang when MaTiAz revealed that he found an exploit in GripShift, allowing him to create the first raw form of the exploit. Soon after, FreePlay teamed up with MaTiAz, and he was able to encrypt the second version of the hack. As it turned out, GripShift has a buffer flow vulnerability when loading savegames. The savegame contains a profile name, which can easily be used to overwrite $ra. At 25KB, there’s plenty of room to put your code in.Soon after, The Noobz Team confirmed that they will be joining MaTiAz and FreePlay to further develop the exploit. Although the exploit already includes an SDK that allows homebrew porting, their initial focus was to adapt eloader into it, to make it easier to run standard homebrew.
GripShift greets: Hello World
It wasn’t long after the team got together when MaTiAz and Freeplay released the Hello World version of the exploit, complete with a binary loader and an SDK that devs can use to brew using the exploit. Armed with a handy SDK, devs race to create their own homebrew games for the PSP-3000.It was dragula96 who got there first, releasing GripShift Pong v1.0, the first homebrew game for the PSP-3000, saying that it does “feel wrong when a hello world is not followed by Pong.” Soon after, Team P86 also joined in on the action, releasing Bombernan GripShift v1.
Although the exploit worked on the North American, European, and Japanese versions of GripShift, the binary loader did not. After a few days of updating the SDK, the problem of the Euro version was solved. In another corner of the development scene, Bubbletune and Miriam also found a solution for the European version – an appended SDK.
Controversy erupts
Miriam was implementing a private HEN and was in touch with DaX for advice. Despite the advice received from DaX, Miriam was still unable to get it to work. It was through the help of another friend that Miriam managed to get his HEN working, up to 95% functionality at least. – all based on Miriam’s code.
Dark-AleX handed the C+D kernel exploit to Miriam, telling him to keep quiet about it, seeing as it was joek who made it for personal use, decrypting 3k modules, and definitely not for public release. With insistent pressure, Miriam allowed MaGiXieN to make a video out of it, just to prove it’s possible, but not to disclose any details.
DaX reacted, saying that credit for GripShift HEN was stolen. “This is about how I trusted someone called “miriam” and I gave him a kernel exploit of C+D, which was found by joek (the ONLY ONE that deserves credit of that), just to play for HIMSELF, as it is being used to decrypt 3k modules, but the first thing he did was to show to others to get a bit of fame,” he said.
Miriam immediately makes a statement in response to the homebrew hero. “…under the pressure of several people I allowed MaGiXieN to make a video of the HEN in action, but not disclose any details. Which is exactly what happened. Nobody else but MaGiXieN and me have access to this homebrew-enabler, and I’m the only one who knows how the internals work,” he wrote. At the end of his statement, Miriam bids goodbye to the eDrama and the homebrew community.
It was all one big misunderstanding, and the homebrew scene lost a developer.
Now what?
Thanks to the work accomplished by everyone involved, working the exploit is now as easy as 1-2-3. First, you’ll need the GripShift UMD, US, Euro, or Japanese versions. Simple as that sounds, good luck getting one, and you’d better be ready to cough up. Simply load the savefiles below to be able to run homebrew.
Loading the savefile will cause a buffer overflow, allowing you to execute user-mode homebrew. This buffer overflow is sort of a “controlled crash” of the PSP. After that, you’re good to go.
As far as homebrew games are concerned, these are the ones we’ve got:
Download: GripShift Pong v1
Download: Bombermen GripShift v1
Download: GripShift Rtype v0.2
So that’s it for QuickJump QuickGuide #6, and hopefully, it helped you get a good grasp of the whole deal with the GripShift exploit. Check back with us next week as we dig into the persona of AhMan, the dev who brought us the iR Shell. Until then, stick around for more gaming news right here on QJ.