

Messages - teakhanirons

PS 2 / Injecting ELFs via Disc Swapping
« on: February 03, 2020, 04:28:25 AM »
Silica suggested that we could use the same technique used with the 007: Agent Under Fire method of PS2 hacking with other games.

It's simple: you find a game that loads other ELFs, then you swap the DVD (without the system knowing) for a copy of the game with the ELF the game calls swapped out (preferably for uLaunchELF or wLaunchELF due to their small sizes, since you have to keep the Table Of Contents the same; more on that later).

This is the earliest record of this technique being public knowledge we could find (aside from 007: Agent Under Fire): https://www.1emulation.com/forums/topic/28441-turn-any-ps2-game-into-a-swap-disc/
Then we found a forum post from 2009 about this being used with 007: Nightfire; they use the same engine after all: https://forums.afterdawn.com/threads/turn-007-nightfire-into-a-boot-disk.660416/
There's also this: http://web.archive.org/web/20160306121528/http://bootleg.sksapps.com/tutorials/fmcb/swap.php
There were even reports of demos like Jak 2 working!

Some things to keep in mind:
You need the disc manipulation software Apache Version 1.1 (newer versions are reported not to work).
You need to swap the disc when the system is not reading anything; menus should work.
You can't mess with the Table Of Contents of the disc, more on this later.
You can't load an ELF that's larger than the ELF you want to replace, that'd mess with the TOC.
Games released after 2001 may have checks in place, so this is not guaranteed to work.

Here's how it'd go:
Open Apache and load the backup you made.
Highlight the ELF you want to replace.
While it is highlighted, click "ISO TOOLS", then "Change TOC For Selected File".
Now DO NOT CHANGE THE LBA!!! Change the SIZE to the EXACT size in bytes of the ELF file you wish to inject (for example, uLE 4.21 is 877420).
Rename the ELF you want to inject to the name of the ELF you want to replace.
Highlight the ELF you want to replace, click "ISO TOOLS" and click "Update Selected File".
Close Apache and burn with either DVD Decrypter, ImgBurn or any other software that's capable of raw writes.
Swap the disc when the system is not loading anything and make the game load that ELF (for example, you enter a driving stage in 007 games or run the network configuration on netplay games).

Some games with multiple ELFs:
007: Agent Under Fire (duh)
007: Nightfire (second link)
007: From Russia with Love
Jak 2 demo was reported to work
Demo Disc 066 [NTSC-U] [SCUS-97241]
Metal Gear Solid 2: Substance (the one with the skate minigame)
Metal Gear Solid 3: Subsistence Disc 2 has a main.elf, depending on when it's loaded, it may be exploitable.
I think some Splinter Cell games have multiple ELFs too but not too sure.
Silica says any game that has netplay may also be exploitable since they have the network configuration ELF.

Since some demos are reported to work, as well as multiple very common games, this means potential free entry points for lots of users.

If you're fast enough to swap the disc right before the system loads the ELF but right after the disc checks are complete, theoretically, any game is exploitable.

PS Vita / Re: Vita Babe Of The Week
« on: January 25, 2020, 12:01:19 AM »
Makise Kurisu from Steins;Gate

PS Vita / Re: Performing a PS Vita UART Mod
« on: January 19, 2020, 11:39:22 PM »
Based. I'd leave the Arduino part out and just mount a serial connector though.  Other than that, really really based. So based it makes me want to do it too.

PS Vita / [Release] LolicopocalypseVita
« on: January 13, 2020, 01:38:04 AM »
A Vita Port of Lolicopocalypse, a game by quasist for Ludum Dare 24.

dots-tb did most of the work including finding the game, getting it to compile, controls and handling sound. I only did the image scaling and the live area.

Here's what the game looks like:


Download
Join our Discord server if you're interested in our work.

PS Vita / Persona 4 Golden PS2 Opening Movie Mod
« on: December 21, 2019, 08:55:28 PM »
Can't believe no one made this mod before.
The PS2 opening movie exists in the game files under the name "P4CTOP1.MP4" and you can just decrypt that and use rePatch to direct to it when the game calls for the actual file. Of course, this will have the side effect of the P4G opening movie playing in the TV guide thingy. I've Googled it and found a /vg/ post about it though so I'm not the first person to come up with this.


Don't mind the no audio, I'm too lazy to record a new video.

Installation
If you don't have rePatch for some reason, install it.
Drop PCSE00120 for US release/PCSB00245 for EU release in your rePatch folder.

I haven't tested the EU release, I don't have that release, but it'll 99% work since they didn't rename the files.
The JP counterpart is missing, since that release uses USM files instead of MP4 and I'm too lazy to download that release.
Oh, and no Mod Compendium install thingy since the movie file is not in the CPK.

Downloads
catbox.moe mirror
MEGA mirror

PS Vita / Re: [RELEASE] LOLITA500
« on: November 10, 2019, 09:29:02 PM »
Here's a 444MHz fork.

PS Vita / [RELEASE] LOLITA500 / LOLITA444
« on: November 10, 2019, 02:23:32 AM »
What's this?
Being subjected to LOLIcon's glitchy and flickery menu, incompatibility crashes with Adrenaline and having to deal with profiles for over a year was getting pretty annoying, so I tried looking for a "just OC no bullshit" plugin. I couldn't find any. I can't believe no one made one before. How could people put up with it for a year? So here I present to you:
"LOLITA500", stands for "LOLIcon Offended Little Idiots - TOTAL ACCELERATION to 500".
Sets all clocks to max (including 500MHz for the CPU) at all times and disables power limits like high brightness and Wi-Fi not working in intensive games!
No dealing with menus, profiles, settings, error messages anymore!
No over complicated hooks, just 5 hooks (4 to clocking, 1 to disable power limits). It's literally smaller than 3KB.
I dealt with it so you don't have to!
 
Features
  • The clocks are maxed out system wide, so every application, including the shell, system apps such as the web browser, and of course games, will have maxed clocks.
  • Not as complex as other actual overclock plugins like LOLIcon, so it works with Adrenaline.
  • It does not have a menu system, so no more messing around with menus to set a profile. Useful for PSTV users that want to use their systems at max clock at all times.
  • Power limits are disabled; this means brightness and Wi-Fi settings are no longer disabled in games that attempt to do so.
  • Each clock is hooked, so even if a game dynamically sets the clock, it will still stay maxed out.

Will this kill my Vita?
Overclocking should always be done with caution, however I did an hour long stress test live:


 
Installation
Put "lolita500.skprx" in the 'tai' folder in 'ur0' or 'ux0' and add the following:
Code:
*KERNEL
ur0:tai/lolita500.skprx

Where do I get it from?
https://github.com/teakhanirons/lolita500/releases/tag/1.0
Also join the Discord server if you're into these stuff: discord.cbps.xyz I-it's not like I want you in or anything, b-baka!
 
Credits
by teakhanirons, dots-tb, marburg, CelesteBlue, SilicaAndPina and CBPS allies.

PS Vita / [release] DerInClocKS - OSD clocks display
« on: November 08, 2019, 09:58:40 PM »
What is this?
Just a clocks OSD display for Vita. I don't think anyone made one (that uses the kernel functions at least, looking at you VitaIdent) so I made one.

Download?
Here you go mate: https://github.com/teakhanirons/DerInClocKS/releases/latest

Reverse Engineering / An (incomplete) list of statically compiled games
« on: August 27, 2019, 07:59:44 AM »
Ran my library of 265 games through https://github.com/teakhanirons/batchpsvpfsparser and https://github.com/teakhanirons/BatchHexValueChecker/releases (sorry, I lost the source and binaries to this one, but it simply checked one byte and logged to a file, easily reproducible in your language of choice) to find which ones were potentially exploitable according to the criteria stated in https://forum.devchroma.nl/index.php/topic,13.0.html.
I only have a US library; other region releases of the games listed here are probably exploitable too if the US release is.
This is not a list of exploitable games, this is a list of potentially exploitable games that should be investigated more, now that bitter smile entry point is patched in 3.72.
It would be very appreciated if others could help look for these as well. (https://forum.devchroma.nl/index.php/topic,13.msg16.html#msg16)
Code:
PCSA00010
PCSA00011
PCSA00029
PCSA00068
PCSA00080
PCSA00086
PCSA00088
PCSA00096
PCSA00097
PCSA00098
PCSA00107
PCSA00113
PCSA00114
PCSA00133
PCSA00135
PCSA00142
PCSA00144
PCSB00428
PCSE00010
PCSE00016
PCSE00017
PCSE00020
PCSE00051
PCSE00052
PCSE00053
PCSE00057
PCSE00088
PCSE00120
PCSE00249
PCSE00258
PCSE00268
PCSE00277
PCSE00283
PCSE00288
PCSE00293
PCSE00302
PCSF00006
PCSG00007
PCSG00122
PCSG00129
PCSG00146
PCSG00206
PCSG00215
PCSG00250

Reverse Engineering / Finding save data exploits
« on: August 27, 2019, 02:34:51 AM »
Originally written by TheFlow, deleted for some reason. archive.org had a copy (https://web.archive.org/web/20180706194624/https://gist.github.com/TheOfficialFloW/81466e70d7ea57facb5897568dd28f12) and here is the text with a new link to the CrashDump Enabler for preservation purposes:

--------

How to find savedata exploits
Since the release of h-encore you might be wondering how such a user entry point is even possible.
It is possible because games that were developed with an SDK around 3.00 and lower were compiled as a statically linked executable, thus its loading address is always the same and it cannot be relocated to another region, which means that if we have an exploit in such a game, we can happily do ROP and don't need to deal with ASLR.
They also don't have stack protection enabled by default, so stack smashing is the easiest way to trigger user ROP execution.
Savedata exploits are more powerful than WebKit exploits in terms of available syscalls.
The reason for that is after firmware 3.30 or so, Sony introduced sceKernelInhibitLoadingModule in their browser, which prevented us from loading additional modules.
This limitation is crucial, since this was the only way to get syscalls, as they are randomized at boot.

Note that the following guide is written for people with little knowledge about exploitation.

How do we know that a game is a statically linked executable? They have got the value 0xFE00 for the e_type field in their ELF header. This is how you can see what type the executable has:

Choose any game you want to attempt exploiting.
Open the game in VitaShell using Open decrypted.
Click on the file eboot.bin, press triangle and select Open hex editor.
See what value is at offset 0xB0:
If it is 00 FE, it is statically linked, hence it may be exploitable.
If it is 04 FE, it is dynamically linked, hence is not exploitable due to ASLR.

If it is indeed a statically linked executable, you can now begin with fuzzing the savedata:
Download any hex editor.
Download and install CrashDump Enabler. (https://github.com/CelesteBlue-dev/CrashDumpEnabler)
Start your game and play it a little bit until you are sure that it has created a savedata.
Either use vita-savemgr or VitaShell to export the savedata. If you use VitaShell, simply navigate to ux0:user/00/savedata and use Open decrypted on your game, then copy the savedata file out of the folder.
Connect your PS Vita to your computer and begin writing crap into the savedata file using your hex editor. Simply write a lot of a's at some points.
Copy the savedata back (again with Open decrypted if using VitaShell) and play the game.
Repeat this procedure until you get a crash. If the game complains that the savedata is invalid or so, then it is because there's a crc/hash check. In that case, you should give up, unless you know how to reverse engineer.
In case you get a crash, the crashdump will be written to ux0:data. You can open these dumps using VitaShell and then see whether there are any 0x61 or other repetitive values in the registers (assuming you've only written a's into your savedata):

If the register pc contains the value 0x61616161 or something similar, then congratulations, you've found a new user entry point!
If BadVaddr is 0x61616161 or something similar, then it may also be exploitable (depends on whether it was a load or a store that crashed).
If it doesn't contain anything special, then continue with fuzzing.
Be careful that in case you find something useful, you should NOT show a screenshot of the crashdump that contains any titleid/strings of the game (otherwise Sony might see and patch it).

--------

EDIT: Silica says title IDs are given in order by reserve order so when going by title ID order, if executables start to be consistently dynamic (though not instantly, since SDKs may not get updated nearing completion/throughout development.), the rest should be dynamic as well unless a title had extremely long development with no SDK updates or something.
Also, here's a batch 0xB0 checker to determine statically compiled EBOOTs: https://github.com/teakhanirons/BatchHexValueChecker/releases (source and binaries lost to the batch check script, easily reproducible in your language of choice)
And here's a batch game decryptor to be used with the value checker: https://github.com/teakhanirons/batchpsvpfsparser
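The "batch 0xB0 checker" mentioned above is described as lost but "easily reproducible", so here is one rebuilt as an added example. It is not TheFlow's or teakhanirons's code. It assumes only what the post states: the ELF header either starts at file offset 0 (a plain ELF) or sits behind a vendor header, in which case it is found by searching for the ELF magic in the first 0x200 bytes; the 16-bit e_type field then lies 0x10 bytes after the magic, which is how the post's offset 0xB0 arises. The 0xFE00/0xFE04 meanings come from the post; the standard ET_EXEC/ET_DYN values are added so the same check also works on ordinary ELF files, where the question is the same one: does the image load at a fixed address, so ASLR does not protect it? The `make_sample` input is constructed for the example, not a real eboot.bin.

```python
"""Batch e_type checker for ELF and header-prefixed eboot.bin files (added example)."""
import struct
from typing import Dict, Iterable, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
E_TYPE_OFFSET = 0x10   # e_type follows the 16-byte e_ident in every ELF header
EI_DATA = 5            # byte-order flag inside e_ident: 1 = little-endian, 2 = big-endian

# 0xFE00 / 0xFE04 are the values given in the post; 0x0002 / 0x0003 are standard ELF.
E_TYPE_NAMES: Dict[int, str] = {
    0x0002: "ET_EXEC: fixed load address, no ASLR",
    0x0003: "ET_DYN: relocatable, ASLR applies",
    0xFE00: "static executable (bytes 00 FE): fixed load address, no ASLR",
    0xFE04: "relocatable executable (bytes 04 FE): ASLR applies",
}
FIXED_ADDRESS_TYPES = {0x0002, 0xFE00}


def find_elf_header(data: bytes, search_limit: int = 0x200) -> int:
    """Offset of the ELF magic within the first search_limit bytes, or -1 if absent."""
    return data.find(ELF_MAGIC, 0, search_limit + len(ELF_MAGIC))


def read_e_type(data: bytes) -> Optional[int]:
    """Return the 16-bit e_type field, honouring the byte order the header declares."""
    start = find_elf_header(data)
    if start < 0 or len(data) < start + E_TYPE_OFFSET + 2:
        return None
    fmt = ">H" if data[start + EI_DATA] == 2 else "<H"
    return struct.unpack_from(fmt, data, start + E_TYPE_OFFSET)[0]


def classify(data: bytes) -> Tuple[str, Optional[bool]]:
    """Return (description, loads_at_fixed_address); the flag is None if no header is found."""
    e_type = read_e_type(data)
    if e_type is None:
        return ("no ELF header found", None)
    name = E_TYPE_NAMES.get(e_type, f"unknown e_type 0x{e_type:04X}")
    return (name, e_type in FIXED_ADDRESS_TYPES)


def scan_files(paths: Iterable[str]) -> Dict[str, Tuple[str, Optional[bool]]]:
    """Classify every file in paths; only the first 0x400 bytes of each are read."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = classify(fh.read(0x400))
    return results


def make_sample(prefix_len: int, e_type: int) -> bytes:
    """Constructed test input (not a real eboot.bin): prefix_len zero bytes standing in
    for a vendor header, then a little-endian ELF32 header carrying the given e_type.
    A 0xA0-byte prefix puts e_type at offset 0xB0, where the post says to look."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, version 1
    header = e_ident + struct.pack("<H", e_type)
    header += b"\x00" * (52 - len(header))                    # remainder of Elf32_Ehdr
    return b"\x00" * prefix_len + header


if __name__ == "__main__":
    for label, sample in [("static eboot", make_sample(0xA0, 0xFE00)),
                          ("relocatable eboot", make_sample(0xA0, 0xFE04)),
                          ("plain ET_DYN", make_sample(0, 0x0003))]:
        print(f"{label}: {classify(sample)}")
```

Pointing `scan_files` at a directory of decrypted files and filtering on the boolean gives the same one-byte triage the lost tool did, with the difference that the result is read from the header the file actually declares rather than a hard-coded offset, so a file without a vendor prefix is handled too.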

Reverse Engineering / Megaman Legends and .TMI
« on: August 24, 2019, 07:16:53 PM »
fate6, probably most known for his moderator days back when AuroZett's /talk was still relevant, has asked for CBPS help on converting images to TMI format to help with a project of his.
I quite honestly don't care enough about TMI and its specifications to make a converter, but my impostor syndrome made me think I could make an injector based on Benjamin Collins's work on mml.dashgl.com. This decision made me remember why I hate JavaScript, but eh, it's not like I have anything better to do. The specifications are easy enough to understand looking at "main.js", so I will not be bloating this thread with them.
My work so far is on github.com/teakhanirons/MegaManLegendsTextureInjector and I plan to convert this thread to a release thread when it's done.
