Flash0 dump, then what?
A few weeks ago, our forum member The Z tweeted about a “leak” of a full dump of the Flash0 of the PSP emu on the PS Vita. Unless you’ve been in the homebrew scene for a while, this probably doesn’t mean anything to you. Worse, you’ve been getting mixed signals from various people or websites, some of them going as far as claiming this cracks the Vita open, etc.
So what does this really mean for the end user? Well, in the short term, absolutely nothing, but read on for more details.
A bit of background
Flash0, PSP Emulator, PS Vita, Kernel hack… unless you’ve been in the “scene” for a while, these terms might be a bit confusing, so let me give a quick explanation of the security implemented on Sony’s devices. If you know about this already, feel free to skip to the next section.
Basically, the PSP has two levels of permissions: user and kernel. If you use a shared computer at school or work, “kernel” is roughly equivalent to the “admin” rights on that computer. User mode has limited access to the PSP’s features, basically everything that games need in order to run properly. Kernel mode, on the other hand, has access to everything, including the ability to verify/decrypt games protected by DRM, or the ability to update the firmware of the PSP, among other things.
From a hacking perspective, this means that a PSP user-level hack gives us limited capabilities, while a kernel-level hack gives us access to everything on the device, such as the ability to rewrite the firmware (which is necessary, for example, for custom firmwares).
Similarly, a program running on the PSP in user mode does not have access to all files on the PSP, or to all regions of memory. In particular, the “modules” used by the firmware are stored in a portion of flash memory (Flash0) that can only be accessed in kernel mode.
In addition to all that, on the PlayStation Vita, the PSP emulator runs in a “sandbox”, which means that it does not have direct access to all the features of the PS Vita. In other words, a “kernel exploit in the PSP emulator” does not give you full access to the Vita; at best it gives you full access to the PSP emulator, which in itself is fairly limited.
Current (AFAIK) situation
Based on the explanation above, and on what is publicly known, here’s what I can tell you: the only publicly available hack for now on the Vita is VHBL, which runs in user mode, inside the emulator sandbox. Davee has access to a kernel exploit that gives him access to more features of the PSP emulator, and apparently another hacker does too, since this person was able to access the PSP emulator firmware files on the Vita.
Just for reference, the diagram below roughly summarizes the permission levels (things in gray are unknown/hypotheses). And for reference, I included “where” we would need to be if we wanted a PS Vita ISO loader, just so that people stop asking. It is worth mentioning yet again that I personally do not have any PSP kernel exploit, and therefore it is also useless to ask me if I plan to release a PSP ISO loader for the Vita.
So what about that flash0 dump?
My awesome diagram shows that the Flash0 dump is at the kernel level, so I already see people saying this thing could give us access to the PSP kernel inside the Vita… well… no, because I suck at diagrams. Yes, kernel access was required to get that information, but no, it doesn’t magically give us access to the kernel. If your admin takes a screenshot of his desktop and sends it to you by email, that doesn’t give you any admin rights, but it does let you have a look at what the admin has on his desktop.
And this is, in essence, what this “leak” is about. We do not get PSP kernel access with this, but we get access to a few files we couldn’t get otherwise. So what will this lead to? Well, first of all, it means Davee is no longer the only one who can investigate Kermit, the library that handles communication between the PSP emulator and the Vita. Secondly, it will allow (motivated) devs to investigate the differences between an actual PSP’s firmware and the one in the emulator. We already know Kermit is one such difference, but maybe there’s more.
More unlikely (but we’re allowed to dream), the PSP emulator could reveal some more interesting secrets… some universal DRM encryption key, maybe? This is extremely unlikely, but after all, at some point the PS3 helped us hack the PSP, so who knows whether the PSP emulator has a flaw that would lead to a Vita hack?
Nevertheless, from the end user’s point of view, this brings absolutely nothing. This can’t lead to PSP kernel access, or at least not in a way that would be any easier than finding kernel exploits in the actual PSP (and reusing them in the emulator). After all, if Davee (Proxima/some1) got access to such an exploit, it was (obviously) one that already existed in the PSP firmware, which anybody with a PSP and enough free time can investigate whenever they want. There’s also no telling that enough developers will be interested in looking into these files and reverse-engineering them… but who knows, it only takes one guy.
Don’t get me wrong, this is still very interesting, because it gives us access to files not everyone could access before, and it tells us there are at least two groups of people with access to the PSP kernel on the Vita. This is still, of course, very far from giving us full control of the PS Vita, but it is exciting nonetheless 🙂
What do you guys think of this? Feel free to discuss here, or in the dedicated /talk thread