This explination was found on the PSPDev forums explaining how the KXploit works and theories about 1.51 and 1.52.
It appears that the reason the single-card KXploit works on 1.5 is twofold:
1. Treating the filename as a format string causes the HELLO% folder name to be translated to HELLO when being passed to the bootstrap code 2. The 1.50 bootstrap executes a bare ELF if it’s been passed one
Of course, the bare ELF execution was fixed on 1.51 and 1.52, so it no longer works there, failing after boot with 80020148 (”file type unsupported”). But this would only work if the format string vulnerability were still there. Experimentation verifies this:
When danj tried using %p etc, the error changes to 80010002, which would be because HELLO%p changed to e.g. HELLO12345678, and 80010002 is ENOENT.
When Nick Fury tried %c, the error is 8001000D, which is EACCESS and could be caused by %c generating an invalid character in the filename.
When danj tried using %n, it crashes his PSP, because %n causes writes to memory. That’s the vulnerability.
I convinced a friend to upgrade 1.51 -> 1.52 and verified that this bug does still exist on 1.52. Writing an exploit is non-trivial, partially because we can’t see the result of the format string expansion, and partially because MIPS exploits could be annoying (need to flush dcache) … but it’s definitely got potential.