Old 02-03-2009, 12:53 AM
wololo
Moderator
 
Join Date: Dec 2008
Posts: 202

This is a small update to my work on this vulnerability.

Archaemic says that he has been able to get a working user-mode exploit on OFW 4.20 through this vulnerability, but is unwilling to disclose part of his work. This is sad, but it also means that something is actually possible with this vulnerability, and hope is better than nothing.
I've searched a lot and couldn't find anything, mainly because I have no clue how the PSP RAM works. If some people want to try, my files are still up. Basically this would mean people who are willing to stay on FW 4.20 wouldn't need the expensive GripShift to play homebrew.

Other than that, it's been discovered (by Archaemic) that the vulnerability hasn't been properly patched, and there is still a buffer underflow in current firmwares. An example file that should crash all known PSPs can be downloaded here (I also believe this can crash many devices and programs that use libtiff, so please be careful):
Edit : link removed, send me a PM if you're serious about helping me

The file to generate it is at
Edit : link removed, send me a PM if you're serious about helping me
To run it, you need the "wololo.tif" file, or better, the "original.tif" file available in one of my previous links.

There is very little chance that this vulnerability could lead to an exploit, as we can only inject one byte in a loop. At some point, the code tries to read its next data at an address of the form 0xXYXYXYXY, where XY can be anything between 00 and FF (set in inject2.rb).
Values that could be useful for us are 04 and 09:
0x04040404 is somewhere in the framebuffer. Values inside it could be set by a simple wallpaper; unfortunately the alpha component cycles between 00 and FF, which makes it practically unusable. For example, a black pixel will give 0xXY000000, where XY is an even value between 00 and FF. Not really random, since it cycles regularly, but meh...

0x09090909 is in user memory, but I was told it is not word aligned (obviously), and that would cause many issues (?). Even so, a way to put some interesting stuff there remains to be found.

According to Archaemic, there is a way to inject two bytes, one of them being 0, which would allow a few more addresses to be investigated.

Last edited by wololo; 02-04-2009 at 12:12 AM.
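The post reasons about which addresses a "one byte repeated in a loop" primitive can reach (0xXYXYXYXY), why 0x04040404 and 0x09090909 are the interesting ones, why 0x09090909 is unusable as a word pointer, and what Archaemic's two-byte variant would add. The C program below is an added example, not code from wololo, Archaemic or the files linked in the thread: it models the primitive as a pointer-sized slot filled by the loop, decodes the resulting little-endian word, and enumerates the candidates against a PSP memory map. The region boundaries (scratchpad, VRAM, kernel, user), the ABGR framebuffer pixel format, and the assumption that the two-byte variant alternates XY with 00 are all assumptions of this example, not statements from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED PSP memory map (commonly documented ranges, not from the post). */
typedef struct { const char *name; uint32_t lo, hi; } region_t;

static const region_t regions[] = {
    { "scratchpad", 0x00010000u, 0x00013FFFu },
    { "vram",       0x04000000u, 0x041FFFFFu },
    { "kernel",     0x08000000u, 0x087FFFFFu },
    { "user",       0x08800000u, 0x09FFFFFFu },
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* Name of the region containing addr, or "unmapped". */
const char *region_of(uint32_t addr)
{
    for (size_t i = 0; i < NREGIONS; i++)
        if (addr >= regions[i].lo && addr <= regions[i].hi)
            return regions[i].name;
    return "unmapped";
}

/* The Allegrex (MIPS) lw/sw instructions need 4-byte alignment; a
   misaligned pointer raises an address-error exception instead of reading. */
int word_aligned(uint32_t addr) { return (addr & 3u) == 0; }

/* Decode a 4-byte slot as the little-endian word the CPU would load. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Single-byte primitive: the loop stores xy over the whole pointer slot. */
uint32_t single_byte_addr(uint8_t xy)
{
    uint8_t slot[4];
    for (int i = 0; i < 4; i++) slot[i] = xy;   /* what the underflow loop does */
    return load_le32(slot);                      /* 0xXYXYXYXY */
}

/* Two-byte variant (assumed to alternate xy and 0x00); phase selects which
   of the two lands on the slot's first byte. */
uint32_t two_byte_addr(uint8_t xy, int phase)
{
    uint8_t slot[4];
    for (int i = 0; i < 4; i++) slot[i] = ((i + phase) & 1) ? 0x00 : xy;
    return load_le32(slot);   /* 0x00XY00XY (phase 0) or 0xXY00XY00 (phase 1) */
}

/* Count candidate addresses the primitive can reach inside `region`,
   optionally only word-aligned ones. two_byte=0 scans 0xXYXYXYXY,
   two_byte=1 scans both phases of the two-byte pattern. */
int count_reachable(int two_byte, const char *region, int require_aligned)
{
    int n = 0;
    for (int xy = 0; xy < 256; xy++) {
        uint32_t cand[2];
        int k = two_byte ? 2 : 1;
        if (two_byte) {
            cand[0] = two_byte_addr((uint8_t)xy, 0);
            cand[1] = two_byte_addr((uint8_t)xy, 1);
        } else {
            cand[0] = single_byte_addr((uint8_t)xy);
        }
        for (int j = 0; j < k; j++)
            if (strcmp(region_of(cand[j]), region) == 0 &&
                (!require_aligned || word_aligned(cand[j])))
                n++;
    }
    return n;
}

/* Word a wallpaper pixel leaves in VRAM, assuming 32-bit ABGR (0xAABBGGRR).
   A black pixel is 0xAA000000: only the alpha byte, which the post says
   cycles, is nonzero, so a wallpaper cannot pin that word to a value. */
uint32_t fb_word(uint8_t r, uint8_t g, uint8_t b, uint8_t a)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)g << 8 | r;
}

int main(void)
{
    puts("single-byte 0xXYXYXYXY candidates in mapped memory:");
    for (int xy = 0; xy < 256; xy++) {
        uint32_t a = single_byte_addr((uint8_t)xy);
        if (strcmp(region_of(a), "unmapped") != 0)
            printf("  XY=%02X -> 0x%08X %-10s %s\n", xy, a, region_of(a),
                   word_aligned(a) ? "aligned" : "MISALIGNED");
    }
    printf("two-byte variant: aligned user-memory candidates = %d\n",
           count_reachable(1, "user", 1));
    return 0;
}
```

Under the assumed map the single-byte scan confirms the post's reading: 0x04040404 lands in VRAM and is aligned, 0x09090909 lands in user memory but is misaligned, and no 0xXYXYXYXY value is both aligned and inside user memory (an aligned XY must be a multiple of 4, and 0x08080808 falls below the user region). The two-byte phase 0xXY00XY00 does reach an aligned user-memory address for XY=09, which is the kind of extra candidate Archaemic's variant would open up.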