This is a bonus article in the PlayStation Piracy series which chronicles Sony’s decades-long fight against pirates. This penultimate episode tackles Sony’s first venture into portable gaming hardware and the subsequent PSP modding, hacking and cracking scene that sprang up around it.
Now that housebound consoles are out of harm’s way, we’ll focus on Sony’s other, often overlooked, piracy squabbles. Of course, it’s the PlayStation Portable’s rise/fall to fame/infamy.
Though Sony had the epic battles of the PlayStation and PlayStation 2 to keep them on their toes, the nooks and crannies of this niche history boggle the mind. Remember that the exact method of attack is always a surprise, but so is the targeted vulnerability. Both have their patterns with some degree of predictability, but the devil (and the story) is in the details.
Shaky Beginnings
On the 12th of December, 2004, Sony’s first and most successful handheld to date was released in Japan. Though it was Sony’s first attempt at handhelds, PlayStation Portable still maintains its spot as the tenth best-selling console ever. PSP sold more than the SNES, NES, Sega Genesis, Dreamcast, Xbox, GameCube, Wii, you name it. In terms of handhelds, only some Nintendo devices outsold it. And contesting with Nintendo in the handheld market is high praise in itself.
It wasn’t until September of 2005 that the rest of the world started to get their hands on PSPs. By which time a fatal flaw back in Japan had already been discovered, targeted, busted wide-open and then subsequently band-aided. Let’s wind back the clock.
Wiped Out
Shortly after the PSP’s Japan release, a modder/developer by the name of nem decided to test the system for vulnerabilities. As it turns out, one of the first PSP games to feature online content, Wipeout Pure, had a huge flaw.
The downloads section in Wipeout Pure was essentially a scaled-down web browser with a skin and a limiter. So by using a simple DNS (Domain Name System) redirect, its capabilities were unlocked and fully derestricted. This allowed for infiltration of the PSP’s UMD Drive, which gave nem all the info needed to understand PSP’s executable.
Alongside a dump of the console’s OS, nem was able to suss out and create his own program on the PSP, known as ‘HELLO WORLD’, named after the utterly prehistoric line of test script nearly as old as the home PC itself. Its purpose: to confirm the successful running of that script in any coding language. If you ran the script and you didn’t see HELLO WORLD, something was wrong. This wasn’t the case for nem, who took the title of founder for the first ever PSP exploit, all on software version 1.0.
The Handheld Switcheroo (Series So Far in-joke)
By the time the PSP launched in North America and in the rest of the world, the exploit was no longer possible as the stock software version shipping with new consoles was 1.5. Many across modding communities had known-hackable version 1.0 PSPs shipped over from Japan at this time, intending to add their brains to the hivemind. Stock and availability limited the number of homebrew developers and users on board, however, so further exploits had to be found in order for the nascent PSP modding community to be successful.
Enter the timeless Sony switcheroos. Crude in their execution, a time and again recurring glob of spit in Sony’s eye up and down their console lineup, yet dastardly, unquestionably effective. Swapping the PRO Duo memory stick for another within a small time-window as a game launched reproduced the unrestricted access nem had worked so hard for, opening up version 1.5. It was in actuality named the SwapSploit, but the disc switcheroo inspiration here is too strong to go unmentioned. Obviously, it required quick fingers and didn’t always work, much like the PlayStation and PlayStation 2 switcheroos.
Sony Tries to Make Love (Not War)
Building on the successes of those before it, the Kexploit was born shortly after, promising to allow the use of unsigned (unauthorised) code without a switcheroo or a browser exploit/DNS redirect. All that was necessary was giving two folders the same name in the console’s file storage: the first contained the metadata, the second held the console’s executable. One needed to have a ‘%’ at the end of the folder name in order for the exploit to work. This exploit was patched through software updates, but with the floodgates open for a time and the word spreading fast, many users declined updates to join in the fun. Sony had to think fast.
In what would go down as one of the most memorable cases of Sony parrying a blow from the modding community, Sony decided to make the update tempting by developing and incrementally releasing more and more features in their updates. In software version 2.0, they released customisable themes, a sleek in-built internet browser and some new video codecs for the in-built video player, amongst other things. This method was noble and original. For the most part, it worked. That is, until modders who took the leap found a way of downgrading the OS back to 1.5 after updating.
Liberty City Stories: Viva La Revolución!
After a proof of concept known as the toc2rta exploit was released on modding forums, MPH ran with the idea and created their own 2.0 to 1.5 downgrader. This was made possible via a buffer overflow attack. It targeted an error triggered by opening a .tif image file in the console’s gallery.
There was a small amount of tinkering required with the boot files, too, but things were getting simpler. This was the toc2rta concept in a nutshell, just fully realised. In layman’s terms, a buffer overflow attack forcibly exceeds or ‘overflow(s)’ the storage capacity of a memory buffer, forcing it to overwrite the data stored next to it in memory, creating an opening out of a vulnerability. As the PSP lacked the software downgrade/rollback restrictions that are imposed on most modern consoles, the downgrade could be performed as many times as a user wanted, until it was patched, of course.
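The rollback restriction the PSP lacked can be sketched as a version ratchet, shown here beside the unrestricted behaviour. This is an added example, not code from Sony or from this article: the `fw_state` layout, the function names and the `major.minor` encoding are assumptions, and signature verification of the update image is assumed to happen before this gate.

```c
#include <ctype.h>
#include <stdio.h>
/* Hypothetical update gate: every name here is illustrative, not Sony's. */
typedef enum { FW_OK, FW_MALFORMED, FW_ROLLBACK } fw_result;
typedef struct {
    int enforce_floor;   /* 0 = no rollback restriction, as on the PSP */
    unsigned floor;      /* highest version seen; fuses or a monotonic counter on real hardware */
    unsigned installed;  /* version currently running */
} fw_state;

/* Parse "major.minor" (at most 3 digits each) into major*1000+minor. */
static int parse_version(const char *s, unsigned *out)
{
    unsigned part[2] = {0, 0};
    int i = 0, digits = 0;
    if (!s) return -1;
    for (; *s; s++) {
        if (isdigit((unsigned char)*s)) {
            if (++digits > 3) return -1;          /* bound the field */
            part[i] = part[i] * 10 + (unsigned)(*s - '0');
        } else if (*s == '.' && i == 0 && digits > 0) {
            i = 1; digits = 0;                    /* switch to the minor part */
        } else {
            return -1;                            /* stray character */
        }
    }
    if (i != 1 || digits == 0) return -1;
    *out = part[0] * 1000 + part[1];
    return 0;
}

/* Assumes the image's signature was already verified by the caller. */
fw_result fw_apply_update(fw_state *st, const char *version)
{
    unsigned v;
    if (parse_version(version, &v) != 0) return FW_MALFORMED;
    if (st->enforce_floor && v < st->floor) return FW_ROLLBACK;
    st->installed = v;
    if (v > st->floor) st->floor = v;             /* ratchet only moves up */
    return FW_OK;
}

int main(void)
{
    fw_state lax = {0, 0, 0}, ratchet = {1, 0, 0};   /* constructed sample states */
    fw_apply_update(&lax, "2.0");  fw_apply_update(&ratchet, "2.0");
    printf("%d %d\n", fw_apply_update(&lax, "1.5"), fw_apply_update(&ratchet, "1.5"));
    return 0;
}
```

The gate only holds if the floor lives somewhere the running firmware cannot rewrite, which is why it is usually backed by hardware.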
It wasn’t over yet. By buffer overflow(ing) a savegame file in Liberty City Stories, modding liberty was once again restored. Sony, whose dedicated software security team was probably sweating cobs at this point, pushed updates too quickly, causing the overall secureness of their secure updates to suffer. This resulted in Sony leaving the front door open and keys in their car’s ignition on their way to shut the upstairs window.
Back-Up Appears Too Late
Even Rockstar got involved at this point, recalling all of their copies of the game on shop shelves to replace them with updated versions. To ensure the success of this plan going forward, Sony pushed a mandatory update with the game. But, if you hadn’t heard about the possibilities for hacking your PSP and weren’t advised to decline an update for it at this point, you were in the minority of users. Thankfully, for another three updates (2.5 until 2.8), the .tif buffer overflow was still wide open and going strong in the community.
Dark Alex: A Hero is Born (Then Dies)
After Liberty City liberation methods got suppressed, users stuck with the .tif exploit until that, too, was patched. An independent group in the PSP modding community, known as Team M33, paired with the up-and-coming legend: Dark Alex. Their aim was to break the wheel of downgrading and updating, as well as being stuck waiting for new exploits whenever Sony released a security update.
Their project culminated in a custom firmware release which allowed users to use Homebrew whilst continuing to update their PSPs without consequence for a time. Of course, this too was patched and Dark Alex vanished into the ether for reasons unknown. It was at this time that many custom firmwares and downgraders flooded forums, the majority of them laden with device-killing code. Many had intricate install tutorials, where one misstep meant death. Others were viruses.
The End-Game
The arrow in Sony’s heel came as late as 2007, but thankfully the community hadn’t abandoned the console yet, thanks to the other small exploits and openings throughout the years until then. Through a small rewire trick of the PSP’s battery and by changing your ProDuo memory card into a ‘magic memory stick’ by loading it with modded files, even bricks were recoverable. This meant that no matter how bad the software you were installing or how badly you followed the instructions, there was always a safety blanket.
As it was a hardware mod, it couldn’t be patched. Sony’s hopes for more counter-attacks against the PSP modding community were dashed completely.
Ever since the 1.0 software revision, the PSP modding community had the head start. Sony’s release of an insecure console cost them a great deal of extra time, money and resources to keep the key in their hands. In the end, unsurprisingly, modders won.
Thanks for reading our latest episode on PlayStation hackery. The rest of the series can be found here. Do you think the Vita was an easy target, too? Did you mod your PSP back in the noughties or is PSP modding a recent discovery for you? Let us know in the comments!