The current state of Vita hacking
I receive an increasing number of messages asking me if the PS Vita scene is dead before it is even born. My typical answer is: there’s some stuff happening, you just don’t see everything, because some things are not worth mentioning, others are “too important” to be publicly mentioned until they’re more mature.
Today I want to make a summary of the stuff I know. Some of the things you will read below are a mix of things I know and personal guesses, but in general I tend to be right about these things.
Currently, the only public way to run unsigned content (homebrews) on the PS Vita is VHBL. The hack in itself is fairly limited (it only allows running a subset of PSP homebrews), and is also not widespread, since only a few thousand lucky people are able to grab the releases (the other 2 million Vita owners are people who are still not following this blog, how foolish of them) before Sony patches the exploits (or, rather, pulls our attack vectors from the store).
I’m not completely stupid, and I know that running fanmade homebrews is not exactly what most people expect from a console hack. So, besides VHBL, what could or could not be done currently with Vita hacking?
I’ll first describe what’s going on with the PSP emulator side, because it’s the one I know the best, and then I’ll move on to other stuff.
Attacking the PSP emulator, more than 5 teams in the race
The PSP emulator is a nice attack vector for Vita hacking, for various reasons. The most obvious one is that we know the PSP system quite well, since the scene has been studying it for years now. VHBL itself relies on user mode exploits in the PSP emulator. Those of you who have been on the PSP scene for a while know that when it comes to the PSP, the holy grail is to get access to a kernel exploit. A kernel exploit on the PSP is synonymous with the possibility to run a Custom Firmware, with all the benefits that come with it (perfect homebrew compatibility, plugins, but also the controversial ISO loaders).
Before we get any further, I want to clarify that when I am talking of a kernel exploit in this article, I am talking of a PSP kernel exploit, running inside the PSP emulator, sandboxed on the Vita. It is essential to understand that a PSP kernel exploit alone will not give us any access to the PS Vita specific content, including its RAM, its hardware, or its games. A PSP kernel exploit, at best, would give us the equivalent of a PSP CFW inside the emulator itself. It would be a sandboxed CFW (SCFW) <– hehe coining a new term here, does any of you remember who came up with the term “LCFW”?
- Related Read: Flash0 dump, then what?
Ok, now that this clarification is made, what do we have? Well, what I can tell you is that I have been personally contacted by 5 different teams or individuals who have access to PSP kernel exploits that do work on the Vita. Now, this does not necessarily mean there are 5 different kernel exploits out there (some of these teams might be using the same exploits, either through random luck, or because they are communicating with each other), and it does not necessarily mean that a release is around the corner either.
Let me develop on that last bit. The people I’ve talked to (the anonymous “Tony” is one of them) all have various goals and constraints with their hacks.
Some of them just want to use the hacks for personal experiments, and have no plans to release their work (for those of you who are shocked by this form of egoism, please remember that depending on your country, the laws against hacking on devices such as the Vita can be pretty convincing…). Others have plans to release their hacks “one day, maybe”, but not in the foreseeable future.
Others strongly believe that making those PSP kernel exploits public now would be a bad move, as a PSP kernel exploit on the Vita emulator could be one step closer to a real Vita hack. Revealing such a hack too soon would mean it would get patched by Sony, closing a possible “door” to more interesting vulnerabilities. Their point is therefore: would you like to do on your Vita what you can already do on a hacked PSP, or would you rather wait a few months, or maybe a few years (sob), in order to see a true Vita hack? Of course, there is no guarantee that a PSP kernel exploit can be a valid entry point to a Vita hack, but surely digging into the interface between the PSP emulator and the Vita (the now famous “kermit” module) could prove to be interesting.
- Related Read: Who’s Kermit?
Other people, finally, are hard at work to release “something” for the scene, but could not provide any specific date to me. Although there doesn’t seem to be any specific technical obstacle to running a PSP SCFW on the Vita, these things take time, and timing is of the essence here, as basically all the hackers I have been in contact with agree that PSP kernel exploits are quite rare and should be used wisely.
Nevertheless, the fact that so many people are working on hacking the vita with positive results is, I think, good news, and should lead to good stuff in the months to come.
Of course, none of this makes VHBL irrelevant. As a matter of fact, it actually makes VHBL, or rather, our ninja releases, more relevant than ever. A PSP kernel exploit still needs to be triggered from a user mode exploit, so it is only as useful as the user mode entry point in front of it. User mode exploits on the PSP emulator are currently found in games, and Sony can pull those games from the store fairly fast. The ninja releases tend to counterbalance that by giving people a chance to grab the games before the information goes public. Of course, as these releases get more and more popular, they also become more and more difficult to handle, so I guess the message here is: if you already have access to a user mode exploit through one of our VHBL releases, it might be wise not to give it up, assuming you are ready to stay on the same firmware for a few months. If not, fear not, there will most likely be other ninja releases to give more people the opportunity to run VHBL on the latest firmwares.
Hacking the Vita, not going through the PSP emulator
In addition to the ongoing work on the PSP emulator, some people have contacted me with “leads” on hacking the Vita through other means. If you think about it, every “interface” on which the user can control the input to some extent is a possible attack vector. With the PSP emulator, we have used savegames so far, but other entry points exist, such as the media files we copy onto the device (images, music, movies), the web browser, and some of the internet-connected apps (Facebook, YouTube, … <– although it might not be wise to attack Sony through a vulnerability in a Google or Facebook service, unless you really like to make several powerful enemies at once).
As I mentioned a while ago though, all these leads are useless without knowing anything about the RAM layout of the Vita (which is also why it is much simpler to hack into the PSP emulator, since the PSP RAM layout is well known).
- Related read: Where are the real Vita hacks?
Initial reports also show that the Vita is integrating several “anti-hack” measures. This is not a surprise, since the Vita ships for example with an ARM Cortex-A9 processor, which comes with a bunch of security features. Of course, this is Sony we’re talking about here, and they are known to mess with the stuff they use in a way that eventually backfires on them, so there are probably still ways to get into the system.
What are your expectations regarding Vita hacks? Would you be happy with “just” PSP access? Or would you rather wait for something bigger? Should Sony be worried about “just” a PSP breach on the Vita?