Finding the memory layout of the vita?
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Finding the memory layout of the vita?
I've always wondered how hackers on a new platform make use of stack overflows when they don't know the memory layout. Is it required that they do a hardware RAM dump? But what if the RAM is encrypted? It seems like a chicken-and-egg problem to me. It feels like the top priority for the Vita community is to get a memory dump. (Or is there another way to hack a device without knowing the memory layout?)
Re: Finding the memory layout of the vita?
I am not sure either. In the case of the psp, I think the first hello world simply "worked" as a basic mips elf file, and that led to lots of discoveries. We won't have that luxury on the Vita...
Looking for guest bloggers and news hunters here at wololo.net, PM me!
Re: Finding the memory layout of the vita?
Hardware hacking. Get the RAM, input to some microchip and test all addresses.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: Finding the memory layout of the vita?
On that subject, the book "Hacking the XBox" is a very interesting reading.
But Yifanlu is right, isn't it possible that the ram is encrypted?
Looking for guest bloggers and news hunters here at wololo.net, PM me!
Re: Finding the memory layout of the vita?
RAM encrypted? I don't think so, and never heard of such a thing. How would a processor execute encrypted instructions? Encrypted instructions are not valid instructions. There has to be a RAM with full decrypted instructions at least. I'm pretty sure there's no encrypted RAM as that would slow the whole system A LOT.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: Finding the memory layout of the vita?
So we need some type of "progskeet board" like for the PS3, and find the layout pins for the RAM in order to dump it??
Sounds a lot like what happened to the PS3 xD
Add me, I got a ps4
IRC
#pspcommunity
#vitadev
PS4/PS VITA IGN: raff_da_don
Re: Finding the memory layout of the vita?
Well, you don't need any specific board. But yes, that's it... Assuming the RAM is easily accessible...
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: Finding the memory layout of the vita?
Isn't at least the user memory encrypted in an Xbox 360? I thought I would have read something like that before and a quick googling reveals this http://www.securityfocus.com/archive/1/461489 , which supports the theory.
I would say encrypted RAM should be no big deal if you have large on-die caches. There is no way to read them because you cannot sniff any bus and they might very well be able to hold all relevant code in an already decrypted form. But I guess this is going off-topic.
Re: Finding the memory layout of the vita?
JJS wrote: Isn't at least the user memory encrypted in an Xbox 360? I thought I would have read something like that before and a quick googling reveals this http://www.securityfocus.com/archive/1/461489 , which supports the theory.
Nice link, thanks JJS, didn't know that.
JJS wrote: I would say encrypted RAM should be no big deal if you have large on-die caches.
You still need to decrypt the stuff before handing it to the cache, and that's one additional step, which makes the machine slower. And also that means you can sniff the data being sent to the cache. Another scenario would be having the code decrypted at the cache level.
Anyway, even if encrypted, that's not an impediment to figure out the memory map layout.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: Finding the memory layout of the vita?
I hope that the RAM isn't encrypted; logically it wouldn't be, as that would use precious battery and CPU cycles, which wouldn't be an issue on a console. But then again, it is freedom-fearing Sony.
Let's assume it isn't encrypted. That means someone needs to do a hardware RAM dump in the worst case. I don't want to sound like I have any authority, but I think our top priority should be doing this, as most exploits will be untestable and unusable without knowing where the stack is and how to get to the framebuffer, etc.
Now another option is somehow getting unsigned code to run that is not a buffer overflow exploit (I would think this is harder, as you have to somehow get the device to load a binary willingly. Is it too much to wish for a hidden debug mode? Maybe someone can get their hands on an official devkit and use debugging features to find the memory layout?).
Another option might be to look for JTAG (or similar) debug ports. The Vita uses a proprietary SoC but uses the Cortex-A9 CPU. IMO, this might be just as hard as dumping the memory.
Now people with more knowledge should correct me if I'm wrong, but most if not all of the "first" console hacks required a hardware hack of some sort, right? Because only after extracting system software and/or hardware information can the developers work on "user level" exploits.
Oh, and I guess I'm asking this because there is a chance I found a buffer overflow in Vita code. However, before you get your hopes up, some other explanations for the system freeze that I found could be bad error handling, an intended protection mechanism, or just an unexploitable bug. The only reason I even suspect a stack overflow is because it involved large inputs.
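The thread keeps returning to what a RAM dump actually buys you: knowing where code, data and the stack live. As an added example (not from this thread, not a Vita tool, and using a made-up base address), the Python script below applies a common memory-forensics heuristic to a constructed 64 KiB image: it treats aligned little-endian 32-bit words that land inside the dumped range as pointers and labels each 4 KiB page by its pointer density, by how many of those pointers point back into the same page, and by how often other pages point at it. SAMPLE_BASE, the page labels and the thresholds are assumptions for illustration, not properties of the Vita's real memory map.

```python
"""Coarse memory-layout estimation from a raw RAM dump (memory-forensics heuristic).

On a 32-bit little-endian machine (an ARM Cortex-A9 is one), aligned words
whose value lands inside the dumped address range are most likely pointers.
Where those pointers point, and which pages contain them, sketches the
layout without any documentation: code is referenced often but holds few
pointers, a stack is dense with pointers back into itself, and data/heap
pages are dense with pointers to other places.

Everything here is an added illustration; SAMPLE_BASE and the sample image
are constructed and say nothing about the Vita's actual memory map.
"""
import struct
from collections import Counter

WORD = 4                   # 32-bit little-endian words
BUCKET = 0x1000            # classify the dump in 4 KiB pages
SAMPLE_BASE = 0x81000000   # hypothetical physical base of the constructed dump


def pointer_targets(dump: bytes, base: int) -> Counter:
    """Histogram of the pages that pointer-like words in the dump point to."""
    lo, hi = base, base + len(dump)
    targets = Counter()
    for off in range(0, len(dump) - WORD + 1, WORD):
        (val,) = struct.unpack_from("<I", dump, off)
        if lo <= val < hi:                      # value lies inside the dump: treat as pointer
            targets[val & ~(BUCKET - 1)] += 1
    return targets


def classify_buckets(dump: bytes, base: int) -> dict:
    """Label every page as 'empty', 'code-like', 'stack-like' or 'data-like'.

    Per page we count non-zero words, pointer-like words, pointer-like words
    that point back into the same page, and how often the page is the target
    of pointers from anywhere in the dump.  The thresholds are illustrative
    starting points, not calibrated constants."""
    lo, hi = base, base + len(dump)
    targets = pointer_targets(dump, base)
    words_per_page = BUCKET // WORD
    labels = {}
    for start in range(0, len(dump), BUCKET):
        page = base + start
        nonzero = inside = self_ref = 0
        for off in range(start, min(start + BUCKET, len(dump)) - WORD + 1, WORD):
            (val,) = struct.unpack_from("<I", dump, off)
            nonzero += val != 0
            if lo <= val < hi:
                inside += 1
                self_ref += (val & ~(BUCKET - 1)) == page
        if nonzero == 0:
            label = "empty"
        elif inside > words_per_page // 8 and self_ref >= inside // 4:
            label = "stack-like"      # many pointers, a good share of them into this page
        elif inside < words_per_page // 10 and targets[page] > words_per_page // 4:
            label = "code-like"       # few pointers inside, but referenced a lot
        else:
            label = "data-like"
        labels[page] = label
    return labels


def merge_runs(labels: dict) -> list:
    """Collapse adjacent pages with the same label into (start, end, label) runs."""
    runs = []
    for addr in sorted(labels):
        label = labels[addr]
        if runs and runs[-1][2] == label and runs[-1][1] == addr:
            runs[-1][1] = addr + BUCKET
        else:
            runs.append([addr, addr + BUCKET, label])
    return [tuple(r) for r in runs]


def build_sample_dump() -> bytes:
    """Constructed 64 KiB image standing in for a dump based at SAMPLE_BASE:
    code (ARM NOPs), data full of pointers into code, an empty gap, and a
    stack-like area full of pointers into its own page."""
    img = bytearray(0x10000)
    for off in range(0x0000, 0x4000, WORD):
        struct.pack_into("<I", img, off, 0xE1A00000)                  # mov r0, r0 (ARM NOP)
    for off in range(0x4000, 0x8000, WORD):
        struct.pack_into("<I", img, off, SAMPLE_BASE + (off % 0x4000))  # pointer into code
    for off in range(0xC000, 0x10000, WORD):
        page_off = off & ~(BUCKET - 1)
        struct.pack_into("<I", img, off, SAMPLE_BASE + page_off + ((off * 8) % BUCKET))  # pointer into own page
    return bytes(img)


if __name__ == "__main__":
    for start, end, label in merge_runs(classify_buckets(build_sample_dump(), SAMPLE_BASE)):
        print(f"{start:#010x}-{end:#010x}  {label}")
```

On a real dump the thresholds need tuning and the base address must be known or guessed from the dumping method, but the shape of the answer is the same: a few contiguous runs of "referenced but pointer-poor" pages (code), "pointer-rich and self-referential" pages (stacks) and "pointer-rich pointing elsewhere" pages (heap and globals), which is the first map anyone draws before looking at individual values.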