Advertising (This ad goes away for registered users. You can Login or Register)

Small Update on Vita Kernel Exploit from Yifan_Lu

Open discussions on programming specifically for the PS Vita.
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Locked
udo4ever
Posts: 53
Joined: Mon Nov 05, 2012 2:18 am

Small Update on Vita Kernel Exploit from Yifan_Lu

Post by udo4ever » Sun Aug 18, 2013 5:12 am

Not sure if this has already been pointed out but if you are wondering about the progress Yifan_Lu is making on the vita kernal exploit than I have some news. While reading a thread in reagards to the inner working of Gateway, the first official 3ds flashcard that runs 3ds roms, (turns out we now have access to a kernal level exploit on 3DS!!!) over on gbatemp.net I stumbled onto this juicy bit from Yifan_Lu. Read-it and weep my friends... :cry:

Ericthegreat: "Wrong place I know, but the vita scene is just dead? Other then psp mode stuff I mean."

Yifan-Lu: "The Vita scene lack skilled hackers like neimod; people who aren't afraid of hardware. I've done as much as I can; to get kernel mode, it's going to take a lot more (the vita has more security than 3DS and it is impossible to dump the RAM with hardware)."

yifan_lu, Tuesday at 7:54 AM Top #83

I am extremely curious to find out why exactly it is impossible to dump the RAM with hardware. I wish Yifan_lu could elaborate more on this... as for advanced hackers in regards to the psvita scene, I can only shrug my shoulders rather than complain since my skills are very limited in this regard.

You can read Yifan-Lu's original reply here (scroll down to post #83): http://gbatemp.net/threads/heres-what-w ... 812/page-5

For an intersting read on the inner workings of the Gateway, I would encourage you to read his first post on the thread here: http://gbatemp.net/threads/heres-what-w ... ks.352812/

Sorry if this has been mentioned before. If it has then please let me know and I will delete this promptly ;-)
Advertising

ViRGE
Posts: 81
Joined: Mon Oct 08, 2012 8:31 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by ViRGE » Sun Aug 18, 2013 1:47 pm

udo4ever wrote:I am extremely curious to find out why exactly it is impossible to dump the RAM with hardware.
It's because the Vita's RAM is located on the primary SoC itself, in a stacked "system in package" configuration. The 512MB system RAM is at the top of the stack, wire-bonded to the substrate, while the 128MB VRAM is soldered directly to the CPU using BGA ***.

http://chipworksrealchips.blogspot.com/ ... ip-3d.html

This makes it practically impossible to attach any tools to the RAM to dump it. Even if you could open the package and tap the wire bonds for the system RAM, you'd still need to tap the VRAM too, and that's simply not going to happen since it's directly attached to the CPU.
Advertising

User avatar
DarkenLX
Posts: 260
Joined: Tue May 14, 2013 5:44 pm

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by DarkenLX » Sun Aug 18, 2013 10:04 pm

ViRGE wrote:
udo4ever wrote:I am extremely curious to find out why exactly it is impossible to dump the RAM with hardware.
It's because the Vita's RAM is located on the primary SoC itself, in a stacked "system in package" configuration. The 512MB system RAM is at the top of the stack, wire-bonded to the substrate, while the 128MB VRAM is soldered directly to the CPU using BGA ***.

http://chipworksrealchips.blogspot.com/ ... ip-3d.html

This makes it practically impossible to attach any tools to the RAM to dump it. Even if you could open the package and tap the wire bonds for the system RAM, you'd still need to tap the VRAM too, and that's simply not going to happen since it's directly attached to the CPU.
true attaching tools is a no go in the sense of the way e3 works on ps3 or whatnot but soldering wires to the needed points of the cpu then attaching tools to said wires should allow the tools to be connected we have done serial connections via jtag on psp we would just be attaching stuff to the cpu via wires same idea ..
PsVita 1: OLED Model 3G [3.36] [PSN?: Y]
PsVita 2: OLED Model 3G [mOFW3.00/eCFW] [PSN? :N]

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by yifanlu » Sun Aug 18, 2013 10:18 pm

DarkenLX wrote:
ViRGE wrote:
udo4ever wrote:I am extremely curious to find out why exactly it is impossible to dump the RAM with hardware.
It's because the Vita's RAM is located on the primary SoC itself, in a stacked "system in package" configuration. The 512MB system RAM is at the top of the stack, wire-bonded to the substrate, while the 128MB VRAM is soldered directly to the CPU using BGA ***.

http://chipworksrealchips.blogspot.com/ ... ip-3d.html

This makes it practically impossible to attach any tools to the RAM to dump it. Even if you could open the package and tap the wire bonds for the system RAM, you'd still need to tap the VRAM too, and that's simply not going to happen since it's directly attached to the CPU.
true attaching tools is a no go in the sense of the way e3 works on ps3 or whatnot but soldering wires to the needed points of the cpu then attaching tools to said wires should allow the tools to be connected we have done serial connections via jtag on psp we would just be attaching stuff to the cpu via wires same idea ..
Where did you hear this? Afaik, no usable interface is exposed by the SoC, especially not the ram.

udo4ever
Posts: 53
Joined: Mon Nov 05, 2012 2:18 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by udo4ever » Sun Aug 18, 2013 11:03 pm

Yes, I am curious to know where you heard this from. If Yifan_Lu himself seems to be surprised by this, I remain skeptical despite wishing it were true.

As for Yifan_Lu: thanks for all your hard work. I think we can all agree that more support is needed to get things going on the hardware front and you can only do so much. Just a quick question, has anyone made any progress on the SDK for homebrew? Assuming of course that someone else in the community has had access to your kernel exploit ;-). I dream of the day were I could tap into Vita's raw power and see just how far can we push Daedulus and other emulators. :D :D

ViRGE
Posts: 81
Joined: Mon Oct 08, 2012 8:31 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by ViRGE » Mon Aug 19, 2013 12:12 am

yifanlu wrote:
DarkenLX wrote:
ViRGE wrote:It's because the Vita's RAM is located on the primary SoC itself, in a stacked "system in package" configuration. The 512MB system RAM is at the top of the stack, wire-bonded to the substrate, while the 128MB VRAM is soldered directly to the CPU using BGA ***.

http://chipworksrealchips.blogspot.com/ ... ip-3d.html

This makes it practically impossible to attach any tools to the RAM to dump it. Even if you could open the package and tap the wire bonds for the system RAM, you'd still need to tap the VRAM too, and that's simply not going to happen since it's directly attached to the CPU.
true attaching tools is a no go in the sense of the way e3 works on ps3 or whatnot but soldering wires to the needed points of the cpu then attaching tools to said wires should allow the tools to be connected we have done serial connections via jtag on psp we would just be attaching stuff to the cpu via wires same idea ..
Where did you hear this? Afaik, no usable interface is exposed by the SoC, especially not the ram.
Indeed. I'm not even sure how that would work. The SoC is BGA mounted to PCB, there aren't any exposed contacts to tap on either side. You'd have to desolder the SoC to attach anything, at which point good luck getting it back on correctly. Nor for that matter has anyone identified any JTAG points elsewhere on the board, not that we'd expect Sony to leave them exposed.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by yifanlu » Mon Aug 19, 2013 12:32 am

udo4ever wrote:Yes, I am curious to know where you heard this from. If Yifan_Lu himself seems to be surprised by this, I remain skeptical despite wishing it were true.

As for Yifan_Lu: thanks for all your hard work. I think we can all agree that more support is needed to get things going on the hardware front and you can only do so much. Just a quick question, has anyone made any progress on the SDK for homebrew? Assuming of course that someone else in the community has had access to your kernel exploit ;-). I dream of the day were I could tap into Vita's raw power and see just how far can we push Daedulus and other emulators. :D :D
For the record, I don't have an kernel exploit, that's what I'm trying to find and what I need hardware reverse engineers for. And an sdk at this point is pointless because on 1.80+, it is impossible to run UVLoader or any user land based homebrew loader, only a kernel-based homebrew loader would work.

udo4ever
Posts: 53
Joined: Mon Nov 05, 2012 2:18 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by udo4ever » Mon Aug 19, 2013 1:33 am

yifanlu wrote:
udo4ever wrote:Yes, I am curious to know where you heard this from. If Yifan_Lu himself seems to be surprised by this, I remain skeptical despite wishing it were true.

As for Yifan_Lu: thanks for all your hard work. I think we can all agree that more support is needed to get things going on the hardware front and you can only do so much. Just a quick question, has anyone made any progress on the SDK for homebrew? Assuming of course that someone else in the community has had access to your kernel exploit ;-). I dream of the day were I could tap into Vita's raw power and see just how far can we push Daedulus and other emulators. :D :D
For the record, I don't have an kernel exploit, that's what I'm trying to find and what I need hardware reverse engineers for. And an sdk at this point is pointless because on 1.80+, it is impossible to run UVLoader or any user land based homebrew loader, only a kernel-based homebrew loader would work.

Thanks for your reply. My mistake, now that you mentioned it, you did specifically say that you had a userland exploit in Vita and that a kernel exploit is out of reach in a previous post on these very boards! For some reason I forgot that little bit of info, sorry about that. Again, sorry if this sounds like a newb question but what exactly did the 1.80+ updates do to make it impossible for UVloader to work? I ask only because I am very interested in the inner workings of the Vita. This stuff facinates me as much as the inner workings of the 3DS and the latest development (which is a lot!!!) Obviously, feel free to not responds if this is sensitive info.

One last thing, in terms of hardware engineers, have any of the 3ds community expressed interest (Neimod and Yellow8 among others comes to mind) in the Vita? I'm sure asking them has probably crossed your mind.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by yifanlu » Mon Aug 19, 2013 4:13 am

I've spoke to many of the 3ds people causally and have either not gotten responses or was politely declined.

Various security measures in the Vita prevent user land based applications from running. The most obvious is the ASLR, but there's also function import/export obfuscation (no way to easily dynamically link without doing a search of the entire memory or some other time consuming method), XN in writable memory regions, needing to reset states of libraries like libgxm and etc. All of these can be mitigated, but any update Sony does would automically break it and may require all homebrew to be recompiled with the non-existent sdk. It's just a lot of hassle and time is better spent trying to find a kernel exploit than to keep trying to get user land exploits to load homebrew.

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by wololo » Mon Aug 19, 2013 6:59 am

I've called out the need for hardware hackers on the vita more than a year ago: http://wololo.net/2012/04/09/where-are- ... ita-hacks/
I do not know/understand why we are not seeing the same activity on the hardware side that can be seen on other devices. Is it because the Vita is way harder to look into? Is it because hardware hackers have no interest (not enough Vita owners) ? Or are worried of legal action from Sony?
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

Locked

Return to “Programming and Security”