Due to a bug in the 1.0 firmware, it will load and run any valid PBP file, signed or not. Nothing needs to be done to run code on 1.0 PSPs.

Firmware 1.5 is slightly more complex, requiring the “KXploit” method, which is primarily a trivial filename hack. A side effect of the kxploit method is a “Corrupted Data” folder for every game folder on the psp. There is yet another filename hack that can be performed to remove these entries from the list (but they remain on the memory stick).

It is possible to hide these corrupt data icons. The VSH will not display a folder with a name that starts with __SCE__. Therefore, the folder with the executable should be prefixed with __SCE__ to make it disappear, and the folder with the empty eboot with %__SCE__ so that it will still redirect to the actual folder, but also be displayed. For example, mygame/ and mygame%/ should be changed to __SCE__mygame/ and %__SCE__mygame/ respectively. The SDK can do this for you automatically using 'make SCEkxploit'.

There is currently no known way to execute all EBOOT files under these firmware revisions without having them signed by Sony. However, it is possible to execute code using an exploit in libtiff. This exploit has been used to write downgraders which bring the firmware revision back down to 1.5, permitting the running of homebrew code.

For user mode EBOOT files you can use Fanjita's EBOOT loader, which executes EBOOT files on firmware 2.00. A special version of Lua Player, without USB support, is included in the loader.

2.01 was released soon after the libtiff exploit was discovered. It fixed the buffer overflow, making downgrading through the current method impossible. The only known way to run EBOOT files on these firmwares is to use a savegame exploit found in the Grand Theft Auto Liberty City Stories game. A version of the EBOOT loader is also available to make use of this exploit: Fanjita and Ditlew's eLoader.