It's truly heartbreaking that this gem wasn't available for purchase back when you desperately needed a low-cost gift for that special gamer in your life, but considering how lame the chocolate box you got him / her was, there's still reason to snap this up and slap a belated label on it. Brando's ingenious 7-in-1 USB Charging Cable provides power for PSP, DS, DS Lite, DSi and Game Boy Advance handhelds, and all that is required is a powered USB port and $7. Oh, and the bravery to allow a cable made by Brando (or some random backwoods company in China that Brando is in cahoots with) charge hundreds of dollars worth of your gadgetry.
Now then, the details: MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
There are two versions of the exploit. The first is the raw form from MaTiAz; the other (v2) is a version encrypted by FreePlay. It's also been confirmed that it works all the way up to the recent Custom Firmware 5.02 GEN-A.
Download & extract DCGEN, then copy the PSP folder and 500.PBP to the root of the memory stick, then exit.
Note: this will overwrite your existing DC8 (Custom Firmware 5.00 m33-4).
In the XMB, run DC8 (you need to use the DC8 included in this patch).
Then run 5.02GEN-A for DC8 (it's in French); just press O to start patching.
Now you have patched your DC8 to load Custom Firmware 5.02 GEN-A.
Enjoy!
Screenshot:
WARNING:
I've tested this myself and I haven't encountered any problems (so far) hehe :)
USE AT YOUR OWN RISK!!! THIS COULD BRICK YOUR BELOVED PSP!!!
Credits:
Miriam/PSPGen for Custom Firmware 5.02 GEN-A
Dark_Alex/M33 for the original DC8
Alpha_PCT for the DC8 Patch
Spidey (PinoyPSP/PSP4NOOBZ) for this simple tutorial
GEN developers want no reason for you to say No to their new firmware.
Here is their info for bypassing the firmware check of IRShell to run on their new firmware.
From my quick testing, there is no 'NO UMD' patch support :( *Run the .prx and it says wrong firmware, so that magic bit needs to be found and the psbtn files compared for differences before it edits, because it could make for a bad time.* So keep a game in the drive if you want to launch the games in that fashion.
All else is the same. If you would rather hex-edit your own changes rather than download all the files, here's the info:
In the folder MS0:/IRSHELL/BIN/:
# irshell500s.prx : Change 00 to 02 at address 0x28F5
# irspops_500.prx : Change 00 to 02 at address 0x0BB9
# nethostfs_500m.prx : Change 00 to 02 at address 0x1E75
# nethostfs_500sm.prx : Change 00 to 02 at address 0x1E75
Drop the .exe into your theme folder and run it. It will automagically change the magic bit at 0x00000010 from 00 to 02.
Your other option is to use the cxmb that matchung modified to keep the .ctf the same; the only problem is that if any themes are released for 5.02 using Miriam's plugin, then you will have to change the bit to use matchung's prx, or use Miriam's prx :(
Things are a bit sticky right now in this time of migration, but there are options :) Let's hope for some Theme Extra soon! ;)
*EDITED WARNING*
If a theme has a modified satelite.prx, your PSP WILL SHUT DOWN when you go to exit the VSH menu. If you are using the in-XMB recovery screen this is not an issue.
*Vegetano's themes and my frosstyboxxy I know for sure have them*
Maybe one of the good programming fellows can make a program that looks in the file for "vsh/module/SATELITE.PRX" and changes it to "vsh/module/SATELITE.PRY"; then that file won't load and there will be no crashes :)
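Added example, not code from the original post nor from PSPGen, IRShell or matchung's cxmb: a small Python helper covering both the offset edits listed for the IRSHELL/BIN files and the SATELITE.PRX rename suggested in the theme warning. It applies a single-byte change only after confirming the byte at that offset actually holds the value the post says it should (00), and it writes a .bak copy first, so an already-patched file, a different build, or a mistyped offset is refused instead of silently corrupted. The offsets are the ones quoted in the post; the module path inside a .ctf is assumed to be stored exactly as the string "vsh/module/SATELITE.PRX" (an assumption, real themes may differ in case); every file body in the block is constructed sample data, not a real .prx or .ctf.

```python
# Added example (not from the original post): verify-then-patch helper for
# the IRShell offset edits and the SATELITE.PRX -> SATELITE.PRY rename.
# Assumptions: offsets and the 00 -> 02 change come from the post; the .ctf
# path string is assumed to appear exactly as b"vsh/module/SATELITE.PRX";
# all file contents below are constructed sample data.
import shutil
import tempfile
from pathlib import Path
from typing import Tuple

# Offsets quoted in the post for the 5.02 GEN-A firmware-check edit.
IRSHELL_OFFSETS = {
    "irshell500s.prx": 0x28F5,
    "irspops_500.prx": 0x0BB9,
    "nethostfs_500m.prx": 0x1E75,
    "nethostfs_500sm.prx": 0x1E75,
}


def is_patchable(data: bytes, offset: int, expected: int) -> bool:
    """True only if offset is inside the file and holds the expected byte.
    An already-patched file, a different build, or a wrong offset all fail
    this check, which is the condition for refusing to write."""
    return offset < len(data) and data[offset] == expected


def patch_byte(data: bytes, offset: int, expected: int, new: int) -> bytes:
    """Return a copy of data with the byte at offset changed from expected to new."""
    if not is_patchable(data, offset, expected):
        found = f"0x{data[offset]:02X}" if offset < len(data) else "past end of file"
        raise ValueError(
            f"byte at 0x{offset:X} is {found}, expected 0x{expected:02X}; not patching"
        )
    buf = bytearray(data)
    buf[offset] = new
    return bytes(buf)


def replace_same_length(data: bytes, old: bytes, new: bytes) -> Tuple[bytes, int]:
    """Replace every occurrence of old with new, requiring equal length so no
    other offset in the file moves. Returns (patched data, occurrences)."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    return data.replace(old, new), data.count(old)


def patch_file(path: Path, offset: int, expected: int = 0x00, new: int = 0x02) -> Path:
    """Verify, copy the original to <name>.bak, then write the patched bytes
    in place. Returns the backup path so the change can be undone."""
    patched = patch_byte(path.read_bytes(), offset, expected, new)
    backup = path.with_name(path.name + ".bak")
    shutil.copyfile(path, backup)
    path.write_bytes(patched)
    return backup


def demo() -> dict:
    """Run the helpers on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for irshell500s.prx: filler with 0x00 at the quoted offset.
        name = "irshell500s.prx"
        prx = Path(tmp) / name
        body = bytearray(b"\xAA" * 0x3000)
        body[IRSHELL_OFFSETS[name]] = 0x00
        prx.write_bytes(bytes(body))
        backup = patch_file(prx, IRSHELL_OFFSETS[name])
        after = prx.read_bytes()[IRSHELL_OFFSETS[name]]
        # A second run is refused because the byte is now 0x02, not 0x00.
        second_run_allowed = is_patchable(prx.read_bytes(), IRSHELL_OFFSETS[name], 0x00)

        # Constructed stand-in for a theme .ctf containing the module path twice.
        ctf = (b"\x00header\x00vsh/module/SATELITE.PRX\x00data\x00"
               b"vsh/module/SATELITE.PRX\x00")
        renamed, hits = replace_same_length(
            ctf, b"vsh/module/SATELITE.PRX", b"vsh/module/SATELITE.PRY"
        )
        return {
            "patched_byte": after,
            "backup_exists": backup.exists(),
            "second_run_allowed": second_run_allowed,
            "ctf_hits": hits,
            "ctf_unchanged_length": len(renamed) == len(ctf),
        }


if __name__ == "__main__":
    print(demo())
```

The check-before-write is the point: the post's "change 00 to 02" only makes sense if the byte really is 00, and the same-length replacement keeps every other offset in the theme file where it was, which is why the rename must not change the string's length.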