From lyq4's post on Duowan.com
Based on a TIFF vulnerability! PSP3000 Hello World released!! From MaTiAz
Posted by x3sphere at April 11, 2009, 9:06 pm
Translation (Duowan - 海星云)
The day of running homebrew on the PSP3000 is getting closer and closer: homebrew developer MaTiAz has recently released a TIFF-based exploit that runs the famous "hello world", an important milestone in PSP hacking.
This system exploit runs from the PSP's photo menu, making use of a weak spot in the TIFF image library (roughly what it means). You may find this familiar, because it closely resembles the "golden age" when PSP hacking flourished and hacking software was everywhere. Also, the installation method can be found in the readme file.
After a long wait, the gates to homebrew on firmware 5.03 are finally about to open for us!
Usage
It hasn't been long since TIFF-based system exploits were released; this is already the PSP's third system exploit, so enjoy.
Just copy the files to the root directory of the memory stick, disconnect the USB connection and go to the photo menu. If the exploit doesn't work the first time, don't lose heart; it is very unstable. Even if you get it working on the first try, you may still need to try at least 20 times before it really succeeds!
This h.bin is loaded to 0x8800000, and the text address of paf.prx is passed to the binary code in $a0 (this sentence is uncertain, it's very technical); you can then trick the system into doing imports, for example sceDisplayWaitVblankStart:
sceDisplayWaitVblankStart = (void*)(paf_addr+0x15F068);
The version released now only works on the fat PSP (PSP-1000); the slim version will come out later. I won't list the credits here, I'd probably forget some important names and then I'd be dead :P. The people who took part and need to be credited know it anyway.
Have fun, everyone!
PS: In just a few more days, a big gift will arrive
-MaTiAz
The author specifically stresses that in just a few days a big gift will arrive, so keep your eyes wide open! Especially PSP-2000 and PSP-3000 players (A separate release is being prepared for Slim models, specifically the PSP-2000 and PSP-3000.)
Duowan local attachment mirror:
tiff_release.zip (79.08 KB)
Note: the attachment had a small problem earlier because of a mistake by the master; we have now updated the attachment, see this thread for details: A short note on the latest system exploit released by MaTiAz
Original text and source:
The prospect of running homebrew on PSP-3000 units is rapidly inching closer, as homebrew developer MaTiAz has released a TIFF-based exploit in the form of a “Hello World,” proof of concept application.
The exploit is run from the PSP’s photo menu, taking advantage of a vulnerability found in the TIFF image library. Should be quite a familiar process if you were around back in the heyday of the PSP scene, when software-based downgraders were all the rage. Nonetheless, installation instructions can be found in the included readme file.
According to MaTiAz, “a bit of awesomeness” is due out within the coming days, so keep your eyes peeled. After a long wait, the gates to homebrew access on firmware 5.03 have been opened up.
The days of TIFF based exploits aren't long gone, at least not yet
Here's the third TIFF exploit for the PSP, enjoy.
Just copy the files to the memory stick root, disconnect USB and go to photo menu.
Don't dismiss the exploit even if it doesn't work on the first time, it's *very* unstable.
You might get it working on the first time, but you might as well have to try it 20 times!
The h.bin is loaded to 0x08800000, and the text address of paf.prx is passed in $a0 to the
binary code. You can then trick out function imports, like for example sceDisplayWaitVblankStart:
sceDisplayWaitVblankStart = (void*)(paf_addr+0x15F068);
This release works _only_ on fat PSPs. The slim version will come out later.
I'm not gonna include a list of credits here, I'll just forget some important names and then
I'll be screwed :P The people who need to be credited will know it anyway.
Have fun!
P.S. Just wait a few days, there's a bit of awesomeness coming up.
- MaTiAz
It seems the PSP3000 hack isn't far away
Please take note of MaTiAz's PS; hope the big gift he mentions really is a big gift.
This post is reposted from the Duowan PSP3000 forum