PlayStation Portable homebrew
PlayStation Portable homebrew refers to the process of executing unsigned code on the PlayStation Portable.
General information
Origins
In May 2005, it was discovered that PSPs using the 1.00 version of the firmware could execute unsigned code. In practice this meant that these PSPs could run homebrew software, as the mechanism for checking that software had been approved by Sony had not yet been activated. A proof-of-concept "Hello World" program was released to demonstrate this. This resulted in a number of pieces of homebrew software, such as emulators, various small games, and a number of simple applications such as a calendar and a calculator. All of these were built with the GNU GCC and GNU Binutils, modified to produce code for the PS2 and PSP (MIPS processor devices).
In addition, the Universal Media Discs (UMDs) that games and movies are pressed on were dumped using a homebrew technique that allowed the discs to be read to files over USB. These dumped UMD images can be written to a Memory Stick and executed, performing in exactly the same way as if they were being read from a UMD. Execution of such images still requires a firmware of 1.5 or 1.0. UMD images of PSP games are as widely available on the internet as any other. The image of Burnout Legends was leaked before its sell date, allowing people to play it (illegally) over a week before its release.
While the version 1.00 firmware had been ripped (by de-soldering the firmware flash chip and reading it), there is currently no way to revert to this firmware after updating, save for de-soldering the equivalent flash chip, reprogramming it, and re-soldering it.
1.50
It was discovered in June 2005 that homebrew could be run on firmware version 1.5. This discovery allowed the US to join in the development of PSP homebrew, because the previous version (1.0) was sold in Japan only. This quickly led to homebrew on the PSP becoming mainstream; for example, Wired Magazine ran an article in September 2005 on how to play NES on the PSP.
The first way was a trick which involved swapping memory sticks; however, an exploit dubbed 'KXploit' was released shortly after. This exploited a bug in the sprintf function of the PSP by having another folder named exactly the same with a percentage sign on the end. The original folder contained no data aside from images and a PARAM.SFO. The problem with this exploit was that corrupted data would show on the memory stick (as well as the normal data). However, this was shortly overcome by using two tricks. One would exploit the FAT16 system of the memory stick, and the other involved putting __SCE__ before the name of the corrupted folder and %__SCE__ before the name of the normal folder (with the percentage sign at the end removed). Both tricks would remove the corrupted data and still allow the EBOOT to be run.
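The two folder layouts described above can be recognised from a directory listing alone. The following is an added example, not code from the original article or from any of the tools it names: it inventories one directory for NAME / NAME% pairs and for __SCE__NAME / %__SCE__NAME pairs. The function names, the layout labels "visible" and "hidden", and the sample folder names are constructed, and it assumes the paired folders sit side by side in one directory of a mounted Memory Stick.

```python
import os
import tempfile

SCE = "__SCE__"  # marker string quoted in the article


def classify_folders(names):
    """Group folder names into paired layouts and unpaired marker folders.

    Returns (pairs, orphans). Each pair is (layout, folder, percent_folder):
    "visible" pairs NAME with NAME%, "hidden" pairs __SCE__NAME with
    %__SCE__NAME. Orphans carry a marker but have no partner.
    """
    # FAT file names are case-insensitive, so match on upper-cased names.
    by_upper = {n.upper(): n for n in names}
    pairs, orphans = [], []
    for upper, name in by_upper.items():
        if upper.startswith("%" + SCE):
            partner = by_upper.get(upper[1:])    # %__SCE__NAME -> __SCE__NAME
            if partner:
                pairs.append(("hidden", partner, name))
            else:
                orphans.append(name)
        elif upper.startswith(SCE):
            # A paired __SCE__ folder is reported through its % partner.
            if "%" + upper not in by_upper:
                orphans.append(name)
        elif upper.endswith("%") and len(upper) > 1:
            partner = by_upper.get(upper[:-1])   # NAME% -> NAME
            if partner:
                pairs.append(("visible", partner, name))
            else:
                orphans.append(name)
    return sorted(pairs), sorted(orphans)


def scan_game_dir(path):
    """Classify the sub-directories of one directory on a mounted stick."""
    with os.scandir(path) as entries:
        names = [e.name for e in entries if e.is_dir()]
    return classify_folders(names)


def build_sample_tree(root):
    """Create a constructed directory layout for the demonstration."""
    sample = ["Doom", "DOOM%", "__SCE__PONG", "%__SCE__PONG", "CALC", "LONELY%"]
    for name in sample:
        os.makedirs(os.path.join(root, name))
    return sample


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        pairs, orphans = scan_game_dir(root)
        for layout, folder, percent_folder in pairs:
            print(f"{layout:8} {folder!r} + {percent_folder!r}")
        for name in orphans:
            print(f"unpaired {name!r}")
```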
1.51 and 1.52
It was found that firmware version 1.51 could execute unsigned code. The EBOOT.PBP can have a DATA.PSAR file added onto itself to tell the PSP it is an update. The PARAM.SFO is edited to add a key stating that the firmware update is version 3.00. This cannot be done on version 2.00 because of the security barrier that applications in the UPDATE folder (and several other combinations) must go through. However, firmware version 1.52 does not have any support for homebrew.
Fake Downgrader
Two European hacking groups, PSP-DEV and WAB (known for KXploit and the Universal Loader), were rumored to be making a downgrader that would re-flash the firmware to version 1.50 from versions 1.51, 1.52, and 2.00. Both of their websites claimed that they were indeed creating the downgrader. A few videos were released showing footage of claimed progress; it is now known that the videos faked the progress the groups had claimed, as evidenced by the 2.00 to 1.50 downgrader which eventually surfaced (which relied on a buffer overflow whose utility was unknown to the groups at the time).
On the 16th of September, 2005, the groups announced that the development of the downgrader was halted. However, it is a common belief throughout the homebrew community that no development existed. The groups made the following statement:
We want to announce that the collaboration between the two groups has been completely finished without success. We also want to announce that WAB has been dissolved. The relationship between the two groups were vanishing days ago (some of our members were banned from their server) and there is no progress with the collaboration. In addition, the downgrader project (never finished) is immediately cancelled (it is not an excuse, we can’t explain our reasons, but are enough to do this).
On the 18th of September, 2005, PSPCrazy.com posted an article with a link to download a Beta downgrader. Since Yoshihiro, the co-leader of WAB, had cancelled the project, they decided to give it out to other people so they could continue working on it. However, this downgrader did not work in either of the two methods he had stated. Several groups tinkered with combinations of the EBOOT.PBP files encoded to run the downgrader.
A user named CBMaster stated in PSP hacking forums:
In versions 1.5X-2.00, Sony has not added a security barrier that tells to double-check the UPDATER_VER in PARAM.SFO to see if they are both correct. When WAB released the beta, the 1.50 firmware does launch successfully when swapping memory sticks because of the fact that the latest PSP firmware still does not cover the security. Future updates may enable Sony to add a type of security layer like that. The only reason why 1.50 launched successfully, but still cannot Start, is because the MEM STICK 1 HAS A UPGRADE_VER NUMBER OF 3.00, WHILE THE MEM STICK 2 HAS A UPGRADER_VER NUMBER OF 1.50.
TIFF Exploit
In the 2.0 version of the firmware, an exploit was found in the PSP's image viewing software that could use a buffer overflow to run small pieces of code, including PONG. This exploit was used to create a downgrader, so that version 2.0 PSPs could return to 1.50 state and run homebrew software, with more than 80% of homebrew working on 2.0. Some say that 2.0 is the 'optimum' firmware, because it allows the running of games such as Grand Theft Auto: Liberty City Stories, includes a web browser, and also allows the majority of homebrew to be run. Any form of this exploit is now picked up by many virus scanners, regardless of it being dangerous or not.
GTA Exploit
An exploit was found in Grand Theft Auto: Liberty City Stories that allowed unsigned code to be run through a savegame on versions 2.00 to 2.60. The author made a CheatDevice which executes when users load the game. Fanjita released a Tetris game and a homebrew development kit through the GTA: Liberty City Stories savegame exploit. A week or so later, Fanjita released eLoader, a modded savegame that allowed users to run a fair amount of homebrew.
The leaked firmware
In January 2005, a firmware update was leaked from Sony. However, this update is a "dummy" file, and will "brick" a user's PSP if they use it. How it renders the PSP useless is unknown: when it is launched with a homebrew tool called "MPH Firmware Launcher", which launches other firmware from the memory stick, the firmware runs fine, but none of the updates it said it would add are there. In firmware 1.5 and up the "update" registers as corrupt data, and cannot be started. When run on a 1.0 PSP, this "update" would say, before updating, that it would add:
- RSS Feed Reader
- Portable Calculator
- Email software
- Spreadsheet software
- Small word processor
- Web Browser
- Scheduler
- Bug Fixes
Currently, the RSS Feed feature has been added, but only to play sound, not read RSS news or view videos. Also, the web browser has been added, and lastly, bug fixes have been added.
Firmware/homebrew compatibility
The PSP homebrew capability currently relies on firmware version 1.00 by opening it in the GAME folder, 1.50 through a sprintf bug dubbed "KXploit", or 2.00 through a buffer overflow in libtiff. There is also an exploit in the "GTA: Liberty City Stories" save data that allows unsigned code to be run on firmwares 2.00 to 2.60, though homebrew support is limited due to the mode in which a UMD is run.
In order to force users to update to the latest firmware, Sony has increasingly made games firmware-specific, such as GTA: Liberty City Stories, which only ran on versions 2.00 - 2.60. No way of bypassing this requirement was known until the 22nd of February 2006, when MPH released the first game-specific loader for GTA:LCS, which then created some controversy within the homebrew community due to its legal implications. Other games may request a higher firmware as well, but because they do not actually contain elements that require the said firmware, they can, with help from simpler exploits, be played on any system.
ISO image loader
Using the ISO image dumped from a UMD, a homebrew application called fastloader can act as the boot loader for the ISO image, which lets the PSP execute almost any dumped UMD game or video.
Another ISO image loader, called UMD Emulator, was made by the makers of Fastloader. Instead of running the ISO, this loader emulates the ISO as a UMD in the drive, so that users can run the game via the XMB.
There are many other ISO loaders, such as Devhook. The loaders are mainly concerned with piracy, and thus mentioning them in some forums is not tolerated. After the MPH Downgrader was released and more and more PSP owners gained access to ISO loaders, there was speculation that in the near future UMD game sales would go down and sales of larger Memory Stick Duo/PRO Duos would increase.
There are also Booters/Loaders which only run one certain game. Some run an ISO, whereas some others run the psp_game directory (found in the UMD) from the boot of the Memory Stick. Most Loaders require a disc to be put in the drive. Any disc would do, including the Sample Disc. Most of the psp_game runners require the folder to be renamed (in the case of Coded Arms, coa_game).
Many PSP games can be found on BitTorrent servers, and torrents can be found off sites such as torrentreactor.net. When the torrents are downloaded, they can be run with torrent programs such as BitComet, and the file would be downloaded. Most torrents download a RAR Archive, similar to ZIP, ACE and 7z files, and require WinRAR or WinAce to extract. The ISO or the psp_game would then be found in the archive.
ISO image loaders did not work with newer games such as GTA: Liberty City Stories (which works now with the new MPH-Gameloader) and Me and My Katamari, as these games were coded to run only on firmware version 2.XX and force users to upgrade. As of 22nd February 2006, another exploit has been located by the PSP hacking group MPH which allows 1.5 firmware users to run GTA: Liberty City Stories and other games that required 2.0 and above to run.
Version changer
As some newly released PSP games require an updated PSP firmware version, the firmware has to be upgraded in order to play them. Usually, the firmware is included on the UMD disc. To tackle this issue, Yoshihiro of the homebrew team SonyXTeam (a former W.A.B member) released a utility called "SXT Version Changer", which changes the version number that the PSP reads without actually changing the firmware revision.
The Version Changer 2.0 for 2.0 PSPs is used to launch the MPH Downgrader, since it changes the version to 1.00, therefore launching the 1.50 firmware update.
There is a program called "No Update UMD Starter" which is considered by some to be better than a version changer: it looks for UMD0:/PSP_GAME/SYSDIR/BOOT.BIN and skips the update in UMD0:/PSP_GAME/SYSDIR/UPDATE/BOOT.BIN to allow the game to load.
The 2.0 update
Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, had to release an update with something that would give people an incentive to update. This feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20. The Japanese version of the update was released a week later, on June 27. In addition to a web browser, it also has support for higher-quality MPEG-4 AVC video, the ability to change the wallpaper for the system, and many other features. When the update arrived, many people, not wanting to wait for an official US release, updated their US PSPs with the Japanese upgrade, despite Sony’s warning about upgrading a non-Japanese PSP with the Japanese version. A few days later, Sony announced that 2.0 would be released in the US on August 12, at which point Sony announced the upgrade would be delayed to August 15. In fact, it wasn’t until August 24 that the US 2.0 was released, almost two weeks after it was due. However, users who updated to the Japanese update could not overwrite it with the US version. The US 2.0 was delayed because Sony found more security holes in the Japanese version of 2.0 and had to delay the US version to patch the holes. The Japanese version was also re-released.
2.0 homebrew
When version 2.0 was released, the door was shut for homebrew. However, since 2.0 had a web browser, many people started work on games and applications that run through this browser. Some examples include:
- WinPSPortal - A collection of many games, links, and applications.
- IE2PSP - An application that converts Internet Explorer bookmarks to PSP bookmarks.
- E-Book Reader Hack - Allows users to view text files through the browser.
On the 23rd of September 2005, a buffer overrun in the image rendering was discovered by toc2rta, allowing an unsigned binary file to be executed. The method involved the user setting a PNG image as their background and a TIFF file in their photo directory. When the Photo menu was accessed, the binary file (h.bin) was loaded.
Two days later, the first "Hello World" program was released. The size of the binary was limited to 64kb, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before any kind of homebrew software could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".
On the 28th of September, 2005, a successful downgrade method was released by a modding group known as MPH. This would change the system's version to 1.00, tricking the PSP into allowing a 1.5 update, thus downgrading it and allowing for execution of unsigned code.
Moving quickly to fix this exploit, on October 3rd 2005 Sony released the version 2.01 firmware. This update offers nothing new in the way of features and only fixes the exploit in the previous firmware.
Trojan.PSPBrick
On October 2, 2005, an individual under the name "PSP Team" released a homebrew that was believed to be another version of the downgrader. As it turned out, the program was actually a trojan that, if run, would destroy the Firmware and BIOS. In turn, the PSP would become un-bootable and turn into a "Brick". This was officially reported by Symantec as Trojan.PSPBrick. After the release, many PSP homebrew sites were brought to a standstill making sure that every homebrew was safe to use.
Any files that are based on the toc2rta TIFF exploit (including the EBOOT Loader and the MPH Downgrader) are seen as a trojan, even if they are perfectly safe.
2.01 - 2.60 Homebrew
Using an exploit from GTA: Liberty City Stories, a fair amount of homebrew can be run on firmware versions 2.01 to 2.60. The exploit started in the form of a cheat device. Homebrew that has been custom made for this exploit cannot be played on previous firmwares. However, the EBOOT loader relies on EBOOTs which are in the same format as those used on version 1.00.
History
On the 28th of November, 2005, EdisonCarter released a homebrew that was executed by loading a saved game file, and ran behind Liberty City Stories allowing for various modifications to the game, such as infinite health and the ability to "spawn" any of the vehicles in the game.
A developer known as Fanjita created a "Hello World" on the 13th of December. A day later, PSP3D created the first playable homebrew for version 2.01, titled "Tetris for Firmware 2.01".
Two days later, EdisonCarter had found support for his Liberty City Stories exploit for the 2.60 firmware, leading to Fanjita (and Ditlew) creating Tetris for version 2.50 (on the 6th of January) and 2.60 (on the 11th of January). A developers kit was released on the 14th of January.
On the 22nd of January, Fanjita (and Ditlew) came to a major breakthrough in creating an EBOOT Loader for 2.01+, in which he succeeded in removing all traces of Liberty City Stories from the RAM. This was released on the 26th. On the 29th, a new version of the eLoader was released which supported version 2.60, marking homebrew for all PSP users.
WiFi connectivity was added on the 2nd of April, 2006, after system calls were found which allow it to be initialized without kernel mode.
On the 25th of April 2006, Sony released Firmware Version 2.70. There is currently no homebrew support for this version, although it is being worked on by many.
Dead ends
A claimed "overflow" by PSP3D is just a crash. It is not an exploit as claimed, and cannot be further exploited. Several crashes have been created by various people, and none of them lead to an exploit. A similar "overflow" was made by viewing savegames (the PSP3D "exploit" had the crash caused by viewing an "update" in the GAMES section).
A vulnerability was found in libungif versions below 4.1.4 and was fixed on 2005-10-19 08:54, which was after the 2.01 firmware update was released. It has been tested on some PSPs and causes crashes. It is currently unknown whether this can be turned into an exploit that can load unsigned code.
Firmware Loaders
It is possible to run games specifically for Firmware versions 2.00 and above (such as GTA: Liberty City Stories) on previous Firmware versions. This is done by using a Firmware Loader. To explain how they work, the PSP has four drives:
- ms0:\ - Memory Stick
- flash0:\ - BIOS
- flash1:\ - Flash Memory
- disc0:\ - UMD Drive
Files from the BIOS and Flash Memory (on a different version) are copied to separate folders on the Memory Stick. The Firmware Loader proceeds to load these files. Currently the Firmware Loaders aren't stable enough to give a perfect load, as many games and features are unsupported.
Emulation
Emulators for the PSP include:
- Amiga 500
- Atari ST
- Commodore 64
- Game Boy Color
- Game Boy Advance
- Sega Genesis
- Mac OS 7 and Mac OS 8
- MAME
- MSX
- NeoGeo
- NES
- Nintendo 64
- PC Engine
- PC-9801
- PlayStation
- Sega Master System
- Super NES
- x86 (Windows, Linux)
- WonderSwan
- ZX Spectrum
Notable homebrew programs
The following programs have been dubbed the Jewels of Homebrew.
- Flashmod - A Flash Modification Program which edits different aspects of your PSP.
- File Assistant - a file management program in which users can transfer files to and from the assistant, run, play files and other related tasks.
- Peldet - a TELNET and IRC client
- Portable VNC - a VNC client for the PSP
- PSP-httpd - a simple implementation of a web server on the PSP. Users can browse through stored files using any computer on the network, as if they are surfing a website.
- PSP Millionaire - the Who Wants to Be a Millionaire? game on the PSP
- PSP-OSS - an Open-Source Operating System/Shell/GUI.
- PSPRadio - a client for streaming (Shoutcast) Internet radio
- PSP Quake - Quake port for the PSP.
- Sudoku - A Sudoku game for the PSP.
- pspChess
- SuperMiniMario - Mario clone, more info: pspsmm
PMP Video Format
PMP is a video format specifically for the PSP created by a developer named Johnny. The features of this format include MPEG-4 ASP, up to 480x272 resolution, up to 38 fps and up to 320 kbps MP3 audio.
Recently, "dickydick1969" began work on a modified version of PMP, which was given the name "PiMPStreamer". It allows streaming of AVI/WMV/MPEG from PC to PSP using a Windows-based streaming server.
PSP Shells
Due to the limitations of the PSP's firmware, homebrew shells were sought after. The first of its kind was MbShell, which included audio and graphical capabilities. This led to many other shells being released, including PSP-OSS, which was open source. Most shells are implemented as combinations of other homebrew features.
PSP hacking/homebrew teams
- Beta.pesepe
- DST - Team DST claimed to have created a PSP modchip that allows Homebrew on all Firmwares. They stated that they would release and sell the first batch in November 2005 on eBay. There was no release, and the claim is most likely fake.
- ESPAL-PSP - The best page of downloads for PSP of Spain and the world. In Spanish!
- Fanjita - Developer of the eLoader for v2.01, 2.50 and 2.60. Also the developer of EBOOT Loader for v2.0 homebrew. He is claimed to be the most active supporter in PSP homebrew history.
- MPH - active creators of the MPH Downgrader, MPH Firmware Loader, and MPH Game loader.
- Orbis PSP Development - A single person team which has released Flashmod, J-Mania, Deflect and many other PSP applications/games.
- PSP3D - After several failures in the homebrew scene, they started to bring out some quality hacking achievements, and also ported the first game to 2.01 firmware PSPs, and work closely with Fanjita to bring out many nice releases. Have also faked news in the past.
- PSP-DEV - attempted the downgrader along with WAB. Created the Lumines Launcher. Also made KXploit for 1.5 PSPs (allowing homebrew on them).
- PSP Team - creators of the so-called PSP Team Downgrader, which is really Trojan.PSPBrick.
- Team Emergency Exit - Created PSPSet and the Quake 2 port; they are currently attempting a Dual-BIOS Dual-Load PSP Motherboard. Currently working on bugs in Quake 2 for the PSP. Consists of McZonk and Placa.
- TeamXHack - an up-and-coming team, with rumors surfacing of a WIP Downgrader using JavaScript. This project has been cancelled and the project disbanded due to a failure in the advanced file write system.
- toc2rta - creators of the toc2rta TIFF Exploit. Main site is a Wiki.
- WAB - creators of the WAB Launcher and WAB Version Changer. Attempted (unsuccessfully) a downgrader. Consists of Alonetrio and (fmr.) Yoshihiro. Currently the WAB website is being sold, meaning WAB is no longer active.
- PSPSMM's coding team - Led by Mongatard, creator of the SkiFree clone. The team has also made Sharko's Frogger game and is now making the first racing homebrew, codenamed Sharko's racer.
External links
Utilities
- PSPBrew.com – Everything Homebrew. Has a Custom Brew Pack Generator which creates a custom pack with the homebrew the user wants, ready for their PSP. Only a simple file extraction is required.
- iPSP – Converts and installs movies, music, and images onto a Memory Stick for use in a PSP; includes backup and restore for Game Saves.
- PSPware – Converts and installs movies, music, and images for use on a PSP; includes synchronization functionality (currently has Mac and Windows versions)
- PSP Video 9 – Free video conversion and management (Windows)
- PSP Media Studio - Fast DVD-to-PSP conversion software. Also supports AVI, MPEG and Quicktime source movies.
- PocketMac – Sync Entourage or Address Book contacts, music & photos from users' Macs to their PSP using iSync
- PSP Multimedia Extender – Convert video files (avi, mpeg, divx, etc.) into MPEG4, images (bmp, png, gif) and txt/HTML files to JPEG, and CD Audio to MP3 to be viewed on PSP. And mass file copying to the PSP while maintaining the directory and naming structures (Windows)
- XBConnect – provides free online multiplayer for the PSP in addition to the Xbox.
- XLink Kai – also provides free online multiplayer for PSP and other systems.
- psphacking101.com – Teaches all you need to know about homebrew and PSPs.
Homebrew news
- PSPSMM – Great forum which offers help and SuperMiniMario downloads. Also has a strong coding and designing team. There are rumours of a magazine too.
- PSPUpdates – The biggest and most updated site for PSP News and Homebrew software.
- PSP3D – One of the biggest PSP sites. A general PSP discussion site, mostly about homebrew. Co-operates with Kaotix design in making the X5 portal. Also the source of many fake news.
- PSPupdates Forums – Awesome PSP Website. Great forum support, and homebrew downloads. Homepage at pspupdates.qj.net
- PSPCrazy – Great PSP Website. Has many downloads and a great community.
- PSPHacks.net – Another great PSP Website. One of the largest communities in the PSP scene, also very friendly.
- PSP-Hacks – Site for PSP hacking programs/Emulators and such. Also the latest hacking reports on the PSP.
- PSP Files – News about PSP hacks and exploits.
- PSP Wire – Information about games and homebrew. Accompanied by a growing archive of homebrew software and applications.
- PSP-Spot – An up-and-coming PSP scene website that has information and news about the latest games, homebrew and news related to the PSP. Awarded number one website in the third issue of PSP E-Mag.
- PD Roms – Covers homebrew news for many systems, also PSP. Updated daily and frequently.
- PSP News – Reports on homebrew news and commercial releases, such as games and accessories. Also has a database of nearly every PSP application ever released.
- Team X Hack Various information
- PSPLUA PSP Lua is run by a dedicated group of PSPLUA Developers.
- PSPNEWS PSPNEWS Sony Psp homebrew News Downloads and a lot more.
- PSPSQUAD Information on new PSP games
- PspFull Scene& + Psp
Homebrew resources
- PSP Programming Tutorials – Homebrew development tutorials that walk a novice all the way through creating his or her own apps in C or Lua
- PS2Dev – Developer resource site, creators of the PSP Toolchain and PSP Devkit; their forums are widely regarded as the center of PSP Homebrew Development
- Font Exploit Wikipedia
- TeamOverload's Blog