
Finding the memory layout of the vita?

Open discussions on programming specifically for the PS Vita.
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Finding the memory layout of the vita?

Post by yifanlu » Sun Mar 11, 2012 6:49 am

I've always wondered how hackers on a new platform make use of stack overflows when they don't know the memory layout. Is it required that they do a hardware RAM dump? But what if the RAM is encrypted? It seems like a chicken-and-egg problem to me. It feels like the top priority for the Vita community is to get a memory dump. (Or is there another way to hack a device without knowing the memory layout?)

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Finding the memory layout of the vita?

Post by wololo » Mon Mar 12, 2012 1:12 pm

I am not sure either. In the case of the psp, I think the first hello world simply "worked" as a basic mips elf file, and that led to lots of discoveries. We won't have that luxury on the Vita...
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Finding the memory layout of the vita?

Post by m0skit0 » Mon Mar 12, 2012 1:19 pm

Hardware hacking. Get the RAM, input to some microchip and test all addresses.
I wanna lots of mov al,0xb
"just not into this RA stuffz"

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Finding the memory layout of the vita?

Post by wololo » Mon Mar 12, 2012 1:29 pm

On that subject, the book "Hacking the XBox" is a very interesting reading.

But Yifanlu is right, isn't it possible that the ram is encrypted?

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Finding the memory layout of the vita?

Post by m0skit0 » Mon Mar 12, 2012 3:13 pm

RAM encrypted? I don't think so, and never heard of such a thing. How would a processor execute encrypted instructions? Encrypted instructions are not valid instructions. There has to be a RAM with full decrypted instructions at least. I'm pretty sure there's no encrypted RAM as that would slow the whole system A LOT.

rafael707
Posts: 1271
Joined: Thu Sep 30, 2010 6:10 pm
Location: VITA/PS4 section

Re: Finding the memory layout of the vita?

Post by rafael707 » Mon Mar 12, 2012 4:35 pm

So we need some type of "progskeet board" like for the PS3, and find the layout pins for the RAM in order to dump it??

Sounds a lot like what happened to the PS3 xD
Add me, I got a ps4 ;)

IRC
#pspcommunity
#vitadev

PS4/PS VITA IGN: raff_da_don

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Finding the memory layout of the vita?

Post by m0skit0 » Mon Mar 12, 2012 4:59 pm

Well, you don't need any specific board. But yes, that's it... Assuming the RAM is easily accessible...

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

Re: Finding the memory layout of the vita?

Post by JJS » Mon Mar 12, 2012 5:42 pm

Isn't at least the user memory encrypted in an Xbox 360? I thought I would have read something like that before and a quick googling reveals this http://www.securityfocus.com/archive/1/461489 , which supports the theory.

I would say encrypted RAM should be no big deal if you have large on-die caches. There is no way to read them because you cannot sniff any bus and they might very well be able to hold all relevant code in an already decrypted form. But I guess this is going off-topic.

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Finding the memory layout of the vita?

Post by m0skit0 » Mon Mar 12, 2012 6:38 pm

JJS wrote: Isn't at least the user memory encrypted in an Xbox 360? I thought I would have read something like that before and a quick googling reveals this http://www.securityfocus.com/archive/1/461489 , which supports the theory.
Nice link, thanks JJS, didn't know that.
JJS wrote: I would say encrypted RAM should be no big deal if you have large on-die caches.
You still need to decrypt the stuff before handing it to the cache, and that's one additional step, which makes the machine slower. And also that means you can sniff the data being sent to the cache. Another scenario would be having the code decrypted at the cache level.

Anyway, even if encrypted, that's not an impediment to figure out the memory map layout.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Finding the memory layout of the vita?

Post by yifanlu » Tue Mar 13, 2012 2:39 am

I hope that the RAM isn't encrypted; logically, it wouldn't be, as that would use precious battery and CPU cycles, which wouldn't be an issue on a console. But then again, it is freedom-fearing Sony.

Let's assume it isn't encrypted. That means someone needs to do a hardware RAM dump in the worst case. I don't want to sound like I have any authority, but I think our top priority should be doing this, as most exploits will be untestable and unusable without knowing where the stack is and how to get to the framebuffer, etc.

Now another option is somehow getting unsigned code to run that is not a buffer overflow exploit. (I would think this is harder, as you have to somehow get the device to load a binary willingly. Is it too much to wish for a hidden debug mode? Maybe someone can get their hands on an official devkit and use debugging features to find the memory layout?)

Another option might be to look for JTAG (or similar) debug ports. The Vita uses a proprietary SoC but uses the Cortex-A9 CPU. IMO, this might be just as hard as dumping the memory.

Now people with more knowledge should correct me if I'm wrong, but most if not all of the "first" console hacks required a hardware hack of some sort, right? Because only after extracting system software and/or hardware information can the developers work on "user level" exploits.

Oh, and I guess I'm asking this because there is a chance I found a buffer overflow in Vita code. However, before you get your hopes up, some other explanations for the system freeze that I found could be bad error handling, an intended protection mechanism, or just an unexploitable bug. The only reason I even suspect a stack overflow is because it involved large inputs.
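
The thread asks how a raw RAM dump, once someone has pulled it off the hardware, is turned into a memory map (where the code is, where the stack is). The following is an added example and is not code from this thread or from any Vita tool: a coarse heuristic scan of a 32-bit little-endian ARM dump (the Vita's Cortex-A9 runs ARMv7 with Thumb-2) that flags windows dense with Thumb/ARM `push {..., lr}` prologues as code, windows dense with pointers back into the dump as stack/heap candidates, and mostly-printable windows as string tables. The dump it scans is constructed inline in `build_sample_dump()`; the base address 0x81000000, the 256-byte analysis window, the classification thresholds and the function names in the string page are all assumptions for illustration, not Vita facts.

```c
/* Heuristic memory-layout scan of a raw RAM dump from a 32-bit little-endian
 * ARM target.  Added example, not Vita code: the dump is constructed below and
 * the base address, window size and thresholds are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE 256u                 /* analysis granularity, not a hardware page size */
#define SAMPLE_BASE 0x81000000u   /* assumed address the sample dump was taken at */
#define SAMPLE_LEN  (4 * PAGE)

enum page_kind { PG_ZERO, PG_CODE, PG_POINTERS, PG_STRINGS, PG_DATA };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t w) {
    p[0] = (uint8_t)w; p[1] = (uint8_t)(w >> 8); p[2] = (uint8_t)(w >> 16); p[3] = (uint8_t)(w >> 24);
}

/* Function-prologue signatures: Thumb "push {..., lr}" encodes as 0xB5xx,
 * ARM "push {..., lr}" (stmdb sp!, {..., lr}) as 0xE92D4xxx.  Only checked at
 * word alignment, so this is a density heuristic, not a disassembler. */
static int is_prologue(const uint8_t *p) {
    return (rd16(p) & 0xFF00) == 0xB500 || (rd32(p) & 0xFFFF4000u) == 0xE92D4000u;
}

/* Classify one PAGE-sized window at byte offset off.  base is the address the
 * dump starts at, so an "in-range pointer" is a word pointing back into it. */
enum page_kind classify_page(const uint8_t *dump, size_t len, uint32_t base, size_t off) {
    size_t n = (len - off < PAGE) ? len - off : PAGE;
    size_t words = n / 4, zero = 0, ptrs = 0, pro = 0, printable = 0;
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t w = rd32(dump + off + i);
        if (w == 0) zero++;
        else if (w - base < len) ptrs++;   /* unsigned wrap: w < base is never in range */
        if (is_prologue(dump + off + i)) pro++;
    }
    for (size_t i = 0; i < n; i++)
        if (dump[off + i] >= 0x20 && dump[off + i] < 0x7f) printable++;
    if (zero == words)          return PG_ZERO;
    if (pro * 8 >= words)       return PG_CODE;      /* a prologue every 8 words or denser */
    if (ptrs * 2 >= words)      return PG_POINTERS;  /* half the words point into the dump */
    if (printable * 4 >= n * 3) return PG_STRINGS;   /* three quarters printable ASCII */
    return PG_DATA;
}

/* Address of the first window of the given kind, or 0 if there is none. */
uint32_t find_first(const uint8_t *dump, size_t len, uint32_t base, enum page_kind kind) {
    for (size_t off = 0; off < len; off += PAGE)
        if (classify_page(dump, len, base, off) == kind) return base + (uint32_t)off;
    return 0;
}

/* Constructed sample dump: page 0 = Thumb code, page 1 = a stack of saved
 * lr/r4 pairs returning into page 0, page 2 = a string table, page 3 = unused. */
void build_sample_dump(uint8_t buf[SAMPLE_LEN]) {
    static const uint16_t fn[4] = { 0xB510, 0x2000, 0xBD10, 0xBF00 }; /* push {r4,lr}; movs r0,#0; pop {r4,pc}; nop */
    static const char names[] = "sceKernelLoadModule\0sceDisplaySetFrameBuf\0"; /* assumed names */
    memset(buf, 0, SAMPLE_LEN);
    for (size_t i = 0; i < PAGE / 2; i++) {           /* page 0: 32 tiny functions */
        buf[2 * i] = (uint8_t)fn[i % 4]; buf[2 * i + 1] = (uint8_t)(fn[i % 4] >> 8);
    }
    for (size_t i = 0; i < PAGE / 4; i++)             /* page 1: return address (Thumb bit set), saved r4 */
        wr32(buf + PAGE + 4 * i, (i % 2 == 0) ? (uint32_t)(SAMPLE_BASE + 8 * (i / 2) + 5) : 0x00000007u);
    for (size_t i = 0; i < PAGE; i++)                 /* page 2: NUL-separated names */
        buf[2 * PAGE + i] = (uint8_t)names[i % sizeof names];
}

/* Classification of window idx of the sample dump, and first address of a kind. */
enum page_kind sample_page_kind(size_t idx) {
    static uint8_t dump[SAMPLE_LEN];
    build_sample_dump(dump);
    return classify_page(dump, SAMPLE_LEN, SAMPLE_BASE, idx * PAGE);
}
uint32_t sample_first(enum page_kind kind) {
    static uint8_t dump[SAMPLE_LEN];
    build_sample_dump(dump);
    return find_first(dump, SAMPLE_LEN, SAMPLE_BASE, kind);
}

int main(void) {
    static const char *kind[] = { "zero", "code", "pointers", "strings", "data" };
    for (size_t idx = 0; idx < SAMPLE_LEN / PAGE; idx++)
        printf("%08x  %s\n", SAMPLE_BASE + (unsigned)(idx * PAGE), kind[sample_page_kind(idx)]);
    return 0;
}
```

On a real dump you would replace `build_sample_dump()` with a file read and feed the true load address as `base`; the pointer-dense window whose words have the Thumb bit set and land just past call sites in a code window is the stack at the moment of the dump, which answers both "where is the stack" and "where is the code it returns into" from one scan.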

