
Small Update on Vita Kernel Exploit from Yifan_Lu

Open discussions on programming specifically for the PS Vita.
Jd8531
Posts: 1753
Joined: Wed Apr 04, 2012 5:23 pm

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by Jd8531 » Mon Aug 19, 2013 10:25 pm

wololo wrote: I do not know/understand why we are not seeing the same activity on the hardware side that can be seen on other devices. Is it because the Vita is way harder to look into? Is it because hardware hackers have no interest (not enough Vita owners) ? Or are worried of legal action from Sony?
I'd say all three. I mean, Nintendo is going after sites, sellers, etc. of Gateway. They just took action against one site. However, I don't see Sony going after anyone, especially if it's only homebrew.

@Yifanlu, have you talked to SKFU lately? It seems he has exploits running above 1.80, as well as some other things.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by yifanlu » Tue Aug 20, 2013 12:16 am

Jd8531 wrote:
wololo wrote: I do not know/understand why we are not seeing the same activity on the hardware side that can be seen on other devices. Is it because the Vita is way harder to look into? Is it because hardware hackers have no interest (not enough Vita owners) ? Or are worried of legal action from Sony?
I'd say all three. I mean, Nintendo is going after sites, sellers, etc. of Gateway. They just took action against one site. However, I don't see Sony going after anyone, especially if it's only homebrew.

@Yifanlu, have you talked to SKFU lately? It seems he has exploits running above 1.80, as well as some other things.
His exploit is my exploit. I've seen his other stuff and it's pretty nice, but not code-execution-nice.

udo4ever
Posts: 53
Joined: Mon Nov 05, 2012 2:18 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by udo4ever » Tue Aug 20, 2013 12:41 am

While I am sure that a softmod exploit is definitely on the horizon for the 3DS, I am thinking that it would take a while longer to make it into the public, seeing as how the hacking community for that device is quite protective of its information.

What puzzles me is the lack of interest in the Vita itself. It seems to me that this hardware should be way more interesting than the 3DS due to its OLED touch screen, its raw processing power and its graphics. That, coupled with the Vita's ability to connect to a PS3 (hacked or not), seems to me to be a really good reason to get excited about the Vita's potential as a hacked device. I just don't get the snub from the hacking community. What gives???

@Yifanlu, what can we do to help out with your search for a kernel exploit? You mentioned offering a broken Vita or unused games... Are there other things? Is there anything else? I really want to help get the ball rolling here, as I really would love to see some seriously cool homebrew on the device.

PCMGR
Posts: 116
Joined: Tue Dec 25, 2012 4:02 pm

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by PCMGR » Tue Aug 20, 2013 1:22 am

udo4ever wrote: While I am sure that a softmod exploit is definitely on the horizon for the 3DS, I am thinking that it would take a while longer to make it into the public, seeing as how the hacking community for that device is quite protective of its information.
I don't quite think so.
Basically, someone will try to take "revenge" on Gateway for trying to milk the exploit (or maybe as a way to protest Nintendoh killing the card, hue) and release a user-friendlier way to do whatever you want on your 3DS (although none can really stop Gateway from profiting... unless Nintendo wants to make a fool of themselves, as the card itself doesn't seem to come bundled with illegal content/parts; if the resellers want to profit further by risking bundling ROMs... that is their fault :>). There is a legal "open" SDK released for 3DS homebrew development, so this furthers my confidence.
yifanlu wrote:
DarkenLX wrote:
yifanlu wrote: So your statement was "to hack the CPU, we need to hack the CPU"?
YES, makes sense :lol:
What do I have: Nothing to lose.

endrift
Guru
Posts: 42
Joined: Mon Feb 27, 2012 10:43 pm
Location: California

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by endrift » Tue Aug 20, 2013 4:39 pm

Disclaimer: I've never looked into the internals of the Vita, if only because A) I've never really communicated with people who have been able to break into the Vita even a little bit and B) I have neither the skill nor the experience to do so myself, so there are quite likely things that are wrong in this post simply because there are things I don't know about the Vita.

Barring the ability to dump RAM from the device, it seems like what needs to be done is to dump the firmware so that a disassembly-level investigation can be run. However, there are likely several things that are preventing us from doing this really at all, currently. If I had to guess, I'd say that the firmware itself is inaccessible from userland and would need to be dumped in one of three ways: a kernel exploit (hooray catch-22s), dumping the flash chip itself, or extracting it from update blobs. However, update blobs are obviously encrypted, and the flash chip itself is likely also encrypted, and since we don't currently have a kernel exploit, we don't know the keys to use to decrypt either of these, much less the encryption algorithm used on them (although again, if I had to guess I'd say it's likely stock AES). In each case, we have the catch-22 of needing stuff that can only be gotten out via the kernel to get into the kernel, leaving us in sort of a difficult place.

A counterpoint here though is that if the flash chip is itself encrypted then there must be some sort of boot ROM that is able to decrypt it before dropping into the kernel loaded on it, so there might be hardware keys that can be recovered, possibly through decapping a ROM chip somewhere on the board.

It really makes me wonder how the first iPhone jailbreaks were able to recover enough information to actually glean how to break out of the app jail. A userland exploit in iOS is theoretically not able to see much outside of its jail. Can we recruit comex or something? :lol:

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by yifanlu » Tue Aug 20, 2013 8:20 pm

Archaemic wrote: Disclaimer: I've never looked into the internals of the Vita, if only because A) I've never really communicated with people who have been able to break into the Vita even a little bit and B) I have neither the skill nor the experience to do so myself, so there are quite likely things that are wrong in this post simply because there are things I don't know about the Vita.

Barring the ability to dump RAM from the device, it seems like what needs to be done is to dump the firmware so that a disassembly-level investigation can be run. However, there are likely several things that are preventing us from doing this really at all, currently. If I had to guess, I'd say that the firmware itself is inaccessible from userland and would need to be dumped in one of three ways: a kernel exploit (hooray catch-22s), dumping the flash chip itself, or extracting it from update blobs. However, update blobs are obviously encrypted, and the flash chip itself is likely also encrypted, and since we don't currently have a kernel exploit, we don't know the keys to use to decrypt either of these, much less the encryption algorithm used on them (although again, if I had to guess I'd say it's likely stock AES). In each case, we have the catch-22 of needing stuff that can only be gotten out via the kernel to get into the kernel, leaving us in sort of a difficult place.

A counterpoint here though is that if the flash chip is itself encrypted then there must be some sort of boot ROM that is able to decrypt it before dropping into the kernel loaded on it, so there might be hardware keys that can be recovered, possibly through decapping a ROM chip somewhere on the board.

It really makes me wonder how the first iPhone jailbreaks were able to recover enough information to actually glean how to break out of the app jail. A userland exploit in iOS is theoretically not able to see much outside of its jail. Can we recruit comex or something? :lol:
You're right about all that. In addition, the kernel is the only thing we know exists. It is perfectly possible for there to exist security beyond the kernel, like lv1/lv0. Also, I'm only guessing, but I wouldn't be surprised if the boot ROM is embedded in the CPU or they have some other way to make it hard to get. After all, for every device, the beginning of the chain of trust has the most hardware protection.

I would also add that even if we dump the kernel (and I've been trying for more than a year), it'll take months to find an exploit that can be used and perhaps a year before one that a user can use.
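Endrift's post above says the update blobs and the flash image are encrypted with an algorithm nobody has identified, and yifanlu's reply adds that the kernel may not even be the top of the chain of trust; both describe a blob you can only inspect from the outside. As an added example (not code from this thread, from any Vita tool, or from Sony's formats), here is the first triage a practitioner runs on such a blob: a windowed Shannon-entropy scan that separates plaintext headers from ciphertext or compressed payload, plus a duplicate-block count that tells ECB-mode ciphertext from CBC/CTR output. The sample blob, its three-region layout, the seeds, the 4096-byte window and the entropy thresholds are all constructed assumptions for the demo; nothing about a real Vita package is modelled.

```python
"""Windowed entropy triage of an opaque firmware/update blob.

Added example, not code from this thread or from any Vita tool. All data
below is constructed inline; no real Vita package format is modelled.
"""
import hashlib
import math
from collections import Counter

WINDOW = 4096        # window size in bytes; large enough that random data scores ~7.95 bits/byte
ENCRYPTED_MIN = 7.8  # heuristic: at or above this, treat the window as ciphertext or compressed data
CODE_MIN = 5.0       # heuristic: native code and mixed binary data usually fall between 5 and 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Map a window's entropy to a coarse label using the heuristic thresholds above."""
    if entropy >= ENCRYPTED_MIN:
        return "encrypted/compressed"
    if entropy >= CODE_MIN:
        return "code/mixed"
    return "low-entropy"


def entropy_segments(blob: bytes, window: int = WINDOW) -> list:
    """Scan the blob window by window and merge neighbours that share a label.

    Returns [(start, end, label), ...] with end exclusive: the region map you
    would use to decide where a plaintext header stops and an encrypted
    payload begins.
    """
    segments = []
    for off in range(0, len(blob), window):
        end = min(off + window, len(blob))
        label = classify(shannon_entropy(blob[off:end]))
        if segments and segments[-1][2] == label:
            segments[-1] = (segments[-1][0], end, label)
        else:
            segments.append((off, end, label))
    return segments


def duplicate_block_ratio(data: bytes, block_size: int = 16) -> float:
    """Fraction of aligned block_size blocks that occur more than once in data.

    High entropy alone does not say how something was encrypted. ECB mode keeps
    plaintext repetition visible as repeated ciphertext blocks; CBC or CTR with
    a fresh IV should score close to 0.0. Run this on the high-entropy regions
    found by entropy_segments().
    """
    blocks = [data[i:i + block_size] for i in range(0, len(data) - block_size + 1, block_size)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(c for c in counts.values() if c > 1) / len(blocks)


def keystream(length: int, seed: bytes = b"constructed-demo-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_blob() -> bytes:
    """Constructed stand-in for an update package: zero-padded plaintext header,
    a code-like region, then an encrypted body (assumed layout, not a real format)."""
    header = b"DEMO-UPDATE 1.00\x00version=1.00\x00".ljust(WINDOW, b"\x00")
    code_like = bytes(range(128)) * (WINDOW // 128)   # exactly 7.0 bits/byte by construction
    body = keystream(4 * WINDOW)
    return header + code_like + body


def ecb_demo_blob() -> bytes:
    """Constructed 'ECB ciphertext': one repeated plaintext block encrypts to the
    same 16-byte ciphertext block every time, followed by 64 distinct blocks."""
    repeated = keystream(16, seed=b"repeated-plaintext-block") * 64
    return repeated + keystream(16 * 64, seed=b"distinct-blocks")


if __name__ == "__main__":
    blob = build_sample_blob()
    for start, end, label in entropy_segments(blob):
        print(f"{start:#08x}-{end:#08x}  {label}")
    body = blob[2 * WINDOW:]
    print("duplicate 16-byte blocks in body:", duplicate_block_ratio(body))
    print("duplicate 16-byte blocks in ECB demo:", duplicate_block_ratio(ecb_demo_blob()))
```

Run as a script it prints the region map for the constructed blob (one low-entropy window, one code-like window, four merged ciphertext-like windows) and the two duplicate-block ratios. Two caveats matter in practice: entropy cannot distinguish encryption from compression, so a high-entropy region still needs a magic-byte or trial-decompression check before concluding that a key is required; and a duplicate-block ratio near zero only rules out ECB, it says nothing about which cipher or key was used.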

ViRGE
Posts: 81
Joined: Mon Oct 08, 2012 8:31 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by ViRGE » Wed Aug 21, 2013 12:32 am

Archaemic wrote:It really makes me wonder how the first iPhone jailbreaks were able to recover enough information to actually glean how to break out of the app jail. A userland exploit in iOS is theoretically not able to see much outside of its jail. Can we recruit comex or something? :lol:
The initial iPhone was god-awful about security. Apple didn't put much thought into it (they weren't actively trying to keep people from loading homebrew like Sony is), so there were mounds of exploits. Virtually every version of iOS 1.x had a new exploit, a far cry from today, where it's one or two exploits per major version. Plus there were numerous hardware vulnerabilities in both the ARM11- and Cortex-A8-based SoCs that ultimately made it impossible to fully secure the platform.

If anything, it was comparable to the launch PSP-1000. There just wasn't any real security to speak of; it was added after the fact to both the software and hardware in tandem.

Wizardinblack
Posts: 38
Joined: Wed Sep 26, 2012 7:08 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by Wizardinblack » Wed Aug 21, 2013 6:39 pm

wololo wrote:I've called out the need for hardware hackers on the vita more than a year ago: http://wololo.net/2012/04/09/where-are- ... ita-hacks/
I do not know/understand why we are not seeing the same activity on the hardware side that can be seen on other devices. Is it because the Vita is way harder to look into? Is it because hardware hackers have no interest (not enough Vita owners) ? Or are worried of legal action from Sony?
Hey wololo! For the past four years I've been taking electrical engineering classes at an extracurricular program that sponsors high schools in my district, and I'm starting college this fall as a major in computer engineering. I've been very interested in being involved with the scene since I found out about this site over a year ago. I know all the basics of circuit design, as well as more complicated concepts, so with a little explanation of the system hardware, I would gladly take a look and see if there is any contribution for me to be made. As for right now, I may not be able to help much, but with the right resources I could learn anything. You can contact me at my email: [email protected]

I am not worried about legal action from Sony, and I'm very passionate about technology.
Lenovo ideapad Y510p (Steam: DemonLung0x1a4)
- 2x GeForce GT755m (SLI)

(PSN: WizardinBlack71)
PS Vita 3g
PS4
PS3

hackinformer
Posts: 45
Joined: Thu Mar 14, 2013 7:27 am
Location: Everywhere

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by hackinformer » Wed Aug 21, 2013 6:51 pm

I wish I had the time and tools... I found a way in with the runtime package for PSM, but it's sandboxed in and useless. I've been trying to get in any other way, but I have had no real luck with it. I wish I could help more. :( The PS Vita is really locked up very tight, and a cartridge emulator is not the way to go.
http://www.hackinformer.com
Hacked systems, psv: private 3.15fw TN-V & Ark PSP: 6.20fw pro b-9 ver.2000, Xbox360: C4eve lite-on LT+, PS3:CFW 3.55, Wii: wiikey and softmod, XBOX: mechwarrior softmod and xecutor 1.1 etc..

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Small Update on Vita Kernel Exploit from Yifan_Lu

Post by yifanlu » Wed Aug 21, 2013 7:51 pm

Wizardinblack wrote:
wololo wrote:I've called out the need for hardware hackers on the vita more than a year ago: http://wololo.net/2012/04/09/where-are- ... ita-hacks/
I do not know/understand why we are not seeing the same activity on the hardware side that can be seen on other devices. Is it because the Vita is way harder to look into? Is it because hardware hackers have no interest (not enough Vita owners) ? Or are worried of legal action from Sony?
Hey wololo! For the past four years I've been taking electrical engineering classes at an extracurricular program that sponsors high schools in my district, and I'm starting college this fall as a major in computer engineering. I've been very interested in being involved with the scene since I found out about this site over a year ago. I know all the basics of circuit design, as well as more complicated concepts, so with a little explanation of the system hardware, I would gladly take a look and see if there is any contribution for me to be made. As for right now, I may not be able to help much, but with the right resources I could learn anything. You can contact me at my email: [email protected]

I am not worried about legal action from Sony, and I'm very passionate about technology.
It's nice that you have interest. Unfortunately, circuits and electromagnetism and other high-school-level electrical engineering classes are not even close to enough to get knowledge of this stuff. At the very least, you have to know logic gate identification from transistors, IC design, and VLSI design and techniques, not to mention the use and operation of logic analysers, oscilloscopes, and ELMs. Most of this stuff you won't even get to until you're a master's student in electrical engineering, and hopefully the Vita will be hacked before then.
