UVL’s current status and some speculation on the Vita by YifanLu.

(Note from Wololo: this was posted a while ago, but we wanted to contact YifanLu to make sure he was ok with us copying the article, and sadly we dropped the ball, with Christmas and everything… but we finally got through! ) A few days back YifanLu posted an entry to his blog explaining where UVL is now, and also speculating on some of the Vita's software and system security. For those of you wondering about the current state of this project, or why hacking a console takes such a long time, it's most certainly worth reading. It's rather a long read, but well worth it for those of you with the patience to do so.

Note that I have left all the original links in, so that if you choose to do some further reading then the option is there.

The following was entirely written by Yifan Lu (thanks for letting us reproduce this entry!) and the original article can be found on his blog: Source


PlayStation Vita: the progress and the plan

Sorry that it’s been a while since I’ve said anything about the Vita. I was caught by surprise the last time of all the media attention from just a simple call for help. While I still don’t want to say too much right now, I do want to answer some common questions I’ve been getting and also go over what needs to be done.

If this is news to you, please read this interview I did a while ago about it.

Did you hack the Vita? That’s a very vague question. What I have done, is run native code on the Vita with the same permissions as the game being exploited. This means I can load homebrews written and optimized for the Vita’s CPU and take full advantage of the CPU speed and RAM (unlike the PSP emulator or PSM, both impose artificial limits on resources and system functions). What has NOT been done (yet) is unlocking the system completely for tasks like USB interfacing, custom themes/system mods/plugins, and (fortunately) pirating games.

What’s UVLoader and how far along is it? The last time I spoke, I was beginning work on UVL and asked for any help I could get. Even though I did not really get help, I did find people who were interested in what I was doing and we exchanged information. I also want to brag that I finished the main functionalities of UVL in a couple of weeks, and it has been “done” for about three months now. (Quotes around “done” because I decided to not worry about some features yet). That means I can basically load most (most being the few that I manually built without an open SDK) compiled homebrews. You can run your standard hello worlds and spinning cubes and such, but in theory, it should load any homebrew built.

When’s the release? What’s taking so long? So as I’ve said, the loader was done three months ago. I have a couple of reasons for not releasing yet. The main reason is that currently, there is no open SDK for compiling and linking Vita homebrew like pspsdk did for the PSP. That means, even with the loader, it would be useless for users because there are no homebrew games, emulators, etc to run, and it would be useless for developers because they can’t build homebrews either. So what’s the progress on the open SDK? Zero, as I’m typing this right now. I have an idea of what it should look like and I spoke to a couple of people who are interested in helping, but so far, no code is written. Why is that? Because for me, I am very busy with lots of other unrelated things, and unfortunately, only I and a handful of other people know enough about the device, the executable format, etc to make the open SDK, and none of us have the time currently.

The second reason is that having a Vita exploit at this stage (when it is really hard to find exploits) is very rare if not a once in a lifetime thing. Me and others I’ve talked to agree that right now it’s more important to use this exploit to gather more information about the system in order to find more exploits and such than it is to run homebrews right now. We have PSM for homebrew games and PSP emulator for homebrew emulators, so there really isn’t a huge demand for native PSVita homebrews yet. As I’ll expand on below, we’ve only scratched the surface of Vita hacking and there’s so much more to see.

Are you looking for testers/can I test UVLoader? There’s no need to “test” UVLoader right now because, as I’ve stated before, there isn’t any compiled homebrew and nothing to compile them with anyways. Yes, UVL works with some of the custom stuff I’ve built manually, but it is unwise to write complex stuff without a working SDK.

Can I help? Depends who you are. If you’re an established reverse engineer, you know how to contact me. If you just want to “beta test,” read above. If you know any other way of helping me, don’t ask, just do it™, since UVL is open source. Even though I don’t accept monetary donations before I release anything, one of the things I and others involved don’t have access to is funds for materials to test some of the more… risky ideas. If you have access to broken Vitas, memory cards, games, etc, or any unused hardware reversing tools like logic analyzers, anything you wouldn’t mind parting with, and you could help in that respect, just use the contact link at the top of the page to get in touch with me.

What needs to be done to “hack” the Vita? Again, that term is very vague, but I know what you mean. This is the perfect time to describe (as far as I know) the Vita’s security structure and what needs to be done at each level.

PSP emulator

I’ll start with the PSP emulator just because that is what’s “hacked” right now. How much control do you have of the Vita when you use vHBL? Almost none. On the PSP itself, games are “sandboxed” (meaning some other process tells it what functions of the PSP can be used by the current game, main thing being that one game can’t load another game). Because the Vita emulates the PSP, it also emulates this structure.

PSP kernel

One level up, we have “kernel exploits” on the PSP, which means that we are no longer limited in which functions of the PSP we can use. Any PSP function that is emulated by the Vita can be used; that’s why you see ISO loading as the main thing. However, all of this, the PSP emulator, sits in the Vita game sandbox. This sandbox is just like the PSP one, in that another Vita process tells the game (in this case, the PSP emulator running some PSP game) what Vita functions can be used, in a similar fashion. For example, if a game doesn’t explicitly declare that it’s going to use the camera or Bluetooth (and Sony approves), any code that tries to use these functions will crash.

Vita userland

This is where UVLoader works; we exploited some game to run code inside its sandbox, meaning that if that game doesn’t have camera functions, no UVLoader Vita homebrew can use the camera either. This also means, of course, we can’t load pirated Vita games and so on. A fun fact here is that, in theory, if someone finds an exploit in Kermit, the system inside the PSP emulator that talks to the Vita through a virtual serial port, they can run UVLoader in the process hosting the emulator (one level higher than a PSP kernel exploit), meaning they may be able to modify the emulator to have more RAM or a faster CPU or etc. Another advantage of running UVLoader here is that because the PSP emulator has access to more Vita hardware than most games (Bluetooth, camera, etc), homebrews could have more access too.

However, it’s easier said than done. It’s hard to appreciate how hard it is to get a Vita userland exploit. Let’s work backwards: we want to somehow run native ARM code, how? Well, the classic route is some stack smash. But wait, modern ARM processors have XN (eXecute Never), which is a feature that only allows code in memory to run at specific locations (these locations are determined by the kernel and are read only). Ok, we have some other choices here: heap overflows, ROP (google if you don’t know), and so on (assuming you even know you got a working exploit, which in itself is hard to know without additional information; most “crashes” are useless), but all of these choices require that you know enough about the system to create a payload fitted for the system. That means you need either a memory sniffer or some way to dump the memory. Well, let’s rule out hardware memory sniffing since the Vita has the RAM on the same system-on-a-chip as the CPU. How do we dump the memory then? Usually, you need to run some code to dump the memory or do some kind of oracle attack on crashes or error messages or something. Option one only works if we hacked the system before, and the second one, AFAIK, won’t work because the Vita doesn’t give any information when it crashes. So how did I get the first userland exploit? I’ll leave that as an exercise to the reader…

Vita kernel (lv2?)

Vita userland is the most we have access to right now, and PSP kernel mode is the most that is public. What comes after? Remember all information at this point could be wrong and is based on the little evidence I have currently. We are in the Vita sandbox right now, which means we can run homebrew, but we can’t use functions that the game doesn’t use (camera, Bluetooth, USB, etc). We also can’t modify the system (run Linux, change the theme, add plugins, etc). For those to work, we need to go one level up: the Vita kernel, which might be called lv2. Even with complete userland access, we can’t even poke at the kernel. The kernel acts like a black box, providing functions to the system through syscalls. You pass input into these syscalls and it returns some output, without revealing how the output is created. The kernel’s memory is separate from userland obviously, and even guessing what syscalls do (there are no names in the memory, only numbers) is a challenge. In order to hack the kernel, we have a problem that is very much like the one I’ve stated above about getting Vita userland, except with even more limitations. Again, there’s the circular problem of needing a kernel RAM dump to inspect for exploits and requiring a kernel exploit to dump the RAM. Now, there are even fewer “places” to inspect (visually and programmatically). In order of likelihood, one of the following needs to happen before there’s even a CHANCE of a kernel exploit: 1) Sony does something stupid like the PS3 keys leak, 2) we get REALLY lucky and basically stumble upon an exploit by just testing one of the several hundred syscalls with one of an infinite number of different inputs, 3) some information leaks out from Sony HQ.

It’s still unknown how much control we would have if kernel mode is compromised, but I and some others think that we MAY at least be able to do something like a homebrew enabler (HEN) that patches signature checks temporarily until reboot, allowing for homebrews with no sandbox limitations (access to camera, BT, etc) and POSSIBLY system plugins and themes. It is very unlikely that any keys will be found at this point, or that a CFW could be created or run.

Hypervisor? (lv1?)

At this point, it is purely a thought experiment, as we literally have no information beyond what we THINK the kernel does. It is highly possible that there is a hypervisor that makes sure everything running is signed and the kernel isn’t acting up and such. Getting to this would be EVEN HARDER than getting the kernel, which I already think is impossible. Even the kernel seems to be over my skill limit, but this would definitely be above me, and someone with real skills would have to attack this. I’m thinking at least decaps will have to be attempted here. If somehow this gets hacked, we may be able to run CFWs, but like the PS3 before the lv0, newer firmwares would not be able to be CFW’d until…

Bootloader? (lv0?)

Again, only conjecture at this point, but this is the holy grail, the final boss. Once this is compromised, the Vita would be “hacked” in every sense of the word. We may never get here (and by never, I mean maybe 5-10 years, but I would most likely not be working on the Vita at this point). Here is where I think the keys are stored. With this compromised, CFW of any past, present, or future firmwares could be created, and anything would be possible.

Summary

I guess to summarize, the reason there’s no release in the foreseeable future isn’t just because I don’t have time to make an SDK, so there won’t be homebrews to use even if UVL is released. Even if the SDK does get done, at this point, it would be more attractive to use the control we currently have, double down, and try to get more control. If the exploit is revealed prematurely, getting the game pulled and the firmware patched, sure, we may get a fast N64 emulator in a couple of months when somebody has the chance to write it (and at that point, most people might be enticed to upgrade anyways for new firmware features and PSN access), but we will have to start at square one (read above about finding userland exploits) before having another chance at exploring the full potential of the system. Deep down, I am a researcher, and would have more interest in reversing the system than I would in making a release for users just so I could be the “first”. Like all gambles, I may end up with nothing, but that’s a risk I’m willing to take.


  1. Shura’s avatar

    Simply amazing

    Reply

  2. Sladey’s avatar

    could have sworn I read this a few weeks ago on this site?

    what happened to the Christmas cfw release that was touted a few weeks back? It's Christmas day and still no cfw on my vita :(

    Reply

    1. wololo’s avatar

      It’s possible you read about it either on my twitter account (I mentioned it there), or on our forum, or on another scene website. As the article says, we were a bit late on publishing the article since I wanted to get yifanlu’s authorization but I took too long to follow up with him because I was pretty busy IRL

      About the Christmas CFW release… well, I can’t say much, it wouldn’t be a ninja release otherwise

      Reply

      1. techsweney’s avatar

        thanks. that's still good news. plus it took a long time for the ps3 and psp when they first were able to.

        Reply

    2. RagingCore’s avatar

      I read that somewhere a few weeks back, I just can’t remember where.

      Reply

  3. Gustbran’s avatar

    Arigatouuuuuuuuuuuuu

    Reply

  4. Metalliphyll’s avatar

    Very interesting read, thanks for posting

    Reply

  5. Astien’s avatar

    Very interesting indeed, makes you want to understand more about “how it works” !

    Reply

  6. ricerrr’s avatar

    Yes this was a good read

    Reply

  7. T3CHW0LF’s avatar

    Very interesting Article! This kind of stuff is why I enjoy mobile consoles.

    Reply

  8. quetz’s avatar

    you cleared all my thoughts about vita ;) interesting article

    Reply

  9. musashiro’s avatar

    told ya wololo that people will find this stuff interesting.. haha. i didn’t stop reading until the last punctuation mark… :D

    musashiro of /talk wishes you Merry Christmas and Happy New Year… :)

    (“we dropped the ball” kinda suggests something. hahaha… )

    Reply

  10. mad8vad’s avatar

    Does this loader loads from ps mobile application? If so it will require developer license for us to run :(

    Reply

    1. Quade321’s avatar

      Well, one might assume it could right now, however he mentions in the article it’s an exploit through a game. And of course there would never be a public release if you needed to be a licensed developer to run it. o.o
      Reminds me of the iPhone hackers. They’ll show a picture of a jailbroken iPhone or iPad or whatever the week it comes out, but they’ll mention it needs a developer license, and it can’t be released and what not. Plus they always keep extra low-level exploits up their sleeves to get dumps of new firmwares and release other exploits.
      Hope that answers your question even though I don’t know too much about all this. And hope I didn’t get off subject. :p

      Reply

  11. notder’s avatar

    Good article.
    hmmm I’m looking forward to it. :D

    Reply

  12. Raziel’s avatar

    Doesn’t bother me I wouldn’t care if nothing came out for another year or two, these things are Rare and it shouldn’t just be thrown away.

    Reply

  13. Jeremy Stiles’s avatar

    That was very interesting, Shouldn’t a psp emulator hack be enough though? Full cfw would allow piracy and probably kill sales. At least through the psp emulation we are able to run homebrew and backups of our psp games.

    Reply

  14. GcBatman’s avatar

    Good stuff :)

    Reply

  15. The real stupid Z’s avatar

    Who fuc@king cares where is the mother fuc@ing game you as&holes

    Reply

    1. DumBish’s avatar

      You are seriously thirsty…no better yet HUNGRY!!!

      Reply

    2. nero’s avatar

      lol, your name suits you. “The Real Stupid” at least.

      Reply

  16. j-sin21’s avatar

    I wish I was a reverse engineer :S

    Reply

  17. Dario Rules’s avatar

    I agree with everyone here why wont these fuc$k faces release the game already they are just fuc@jing around as$$holes

    Reply

    1. TheZ’s avatar

      The CEF is downloadable here

      Reply

      1. Tonaki’s avatar

        You lying piece of shi&@t

        Reply

        1. TheZ’s avatar

          Why do you call me a liar? It’s a link to download the CEF, yes? Are the links broken? Did you actually try to download the files?

          Reply

          1. nero’s avatar

            i bet he's just a whiny little kid that wasn't able to get the game because he didn't understand the ninja release.

          2. hgoel0974’s avatar

            Can you put the direct link instead of adfly? ;)

          3. ramenking’s avatar

            you shouldn’t entertain these pathetic ungrateful a-holes

    2. DeadPixel99’s avatar

      They never said they would release it on Christmas.

      Reply

    3. lol’s avatar

      Haha, it’s Dario again.

      You’ll never get the release. Not this year anyways. :)

      2013. Be patient. And wait.

      Reply

  18. Tonaki’s avatar

    The game has been released its s@@@l c&,”";;

    Reply

    1. DumBish’s avatar

      I knew it! Haha

      Reply

    2. Merry Christmas’s avatar

      Santa Claus lol

      Reply

    3. Tonakai’s avatar

      Tonaki eh? I like the name. I wonder where you got the inspiration for that :P

      Reply

  19. musashiro’s avatar

    by the way, i heard the word tonakai when i was watching the past of Chopper in One Piece… is it somewhat related to you mr. blog poster?? :)

    apparently, i am watching the series from the start… haha…

    Reply

    1. Tonakai’s avatar

      Amazingly you’re the first person to pick up on that. Well, at least the first to say it to me. I coined the name prior to seeing that episode of One Piece, however I instantly fell in love with Choppa so I felt the name kind of fit so it stuck.

      Also, you heard the word because tonakai is the Japanese word for Reindeer which is why he’s named “Toni toni choppa”.

      Reply

      1. EvilGrin’s avatar

        Chopper is awesome! I’m surprised I never noticed the correlation between your user name and him hahhaaha boy, good to know that One Piece fans are scattered everywhere. We’ll takeover the world!

        Reply

        1. musashiro’s avatar

          yah… i know that tonakai is japanese for reindeer.. thats why he is also called tony.. :D

          good to know that i am right on the money… :D

          Reply

          1. musashiro’s avatar

            sorry, though i am not really a fan since last week.. haha…

            i downloaded all the episodes and watch the series from the top…

            probably the reason is that they don’t air the series here continuously, they stop and go…

            anyway, i am now a big fan… even bought an OP shirt this xmas… haha….

  20. 200C under’s avatar

    I suppose, if there’s any possibility, we could hack CMA first and then build something like an emulator on Win or Mac to break the PSP sandbox on VITA, maybe with the VITA connected. I just wish there was some useful knowledge in my brain about ARM and win32 programming, but unfortunately none……

    Reply

    1. Anonymous’s avatar

      I think you are fully right. Hackers should “explore” opencma.

      Reply

    2. hgoel0974’s avatar

      Take a look at yifanlu’s website, he has been working on an open source version of CMA

      Reply

  21. khairul’s avatar

    love it…hoping he will fully hack the vita…great article Tonakai and wololo..and of course great news..

    Reply

  22. swordchi’s avatar

    awesome, even though it isn't released as said, it's still worth the wait.

    Reply

  23. Axel’s avatar

    Great post.
    I just hope the Vita will never be able to run pirated games.

    Reply

    1. nero’s avatar

      but it does? it's called EFCW.

      Reply

      1. hgoel0974’s avatar

        eCFW runs pirated PSP games, I believe that Axel means native games

        Reply

    2. Dario’s avatar

      We want it to run pirated games because who wants to pay for games. This is the reason everyone bought a vita to be pirates as like you.

      Reply

      1. hgoel0974’s avatar

        not really, though free games are a luxury but the smart people understand that piracy can kill a console

        Reply

      2. n1nurt4’s avatar

        I bought a vita because I wanted to be able to play games on the street, in a market, or at a bus stop, etc. Never once did I think, “Oooh I’m going to pay $250 for the chance that MAYBE someone will hack it to where I can play pirated games.” Do you think piracy is cool or something? Either way, if you paid for a vita just for that, maybe you should rethink your motivations for everything you do in life?

        Reply

  24. nanobot77’s avatar

    hi :) merry christmas

    Reply

  25. LittleEUROdingDONG’s avatar

    What rubbish another waste of article why didn’t you post the best of 2012′s best moments for the vita or 2012′s top games to play on your vita fuck that faghag!

    Reply

  26. CEF CEF’s avatar

    Has the CEF been released yet???? I know the Z likes to call it CEF and we should all call it now from now on. Bring on the CEF!!!!

    Reply

  27. Juan Sanchez’s avatar

    The almighty vita just can’t simply DIE!

    Reply

    1. Tonakai’s avatar

      Don’t worry, it won’t. People thought the PSP would die initially, and it took quite some time for the hacks to be released. We’re incredibly lucky with the Vita, because it has the PSP Emu and with the knowledge the devs have, we’ve been able to run VHBL and even CEF through this. Of course, it’ll take some time for a full Vita hack, but it’ll be worth the wait.

      Reply

  28. fairy’s avatar

    I don't want pirated games, I only need this to run emulators such as cps2 or neogeo, I buy my own games

    Reply

  29. Reece Dematteo’s avatar

    JeoWay is working on a project called “CFU, (Custom Firmulous)” which will be a loader for games and homebrew like MULTIMAN :D

    Reply

    1. Tonakai’s avatar

      This is very interesting. I’ve just looked into it, and I’m going to get into contact with JeoWay and get some more info.

      Reply

  30. vgee’s avatar

    I’ve been reading all the comments, and I understand a lot of the frustration that is going around, I'm not here to say:
    RELEASE it or anything..

    I'm just hoping someone can post an article that explains the situation about when it's gonna get released or if it isn't and why, cause a lot of people donated and they’re frustrated.

    Hope someone can also speak in normal plain English

    Reply

    1. Tonakai’s avatar

      Hi there, vgee.

      There has been nothing to say otherwise, so I believe it’s safe to assume that it’s still being released (though having not had contact with Frost; I can’t say for sure right now). I can understand your frustration, but it’ll be released in due time.

      From what I can understand it’s going to be a ninja release, so your best bet is to check back every few days or so.

      Reply

      1. vgee’s avatar

        Thank you for your fast answer, cause I read a lot on the internet and was very confused! You cleared it up a bit! Thanks for the effort

        Reply

  31. Frost’s avatar

    We will not release now that we made millions on all your idiot donations, suckers

    Reply

    1. Tonakai’s avatar

      This guy is a fake, so please ignore it.

      Reply

  32. Juan Sanchez’s avatar

    Yes..that guy is evil

    Reply

  33. The Z CEF’s avatar

    The release has been leaked so now there will be no release fuc@k you leaker.

    Reply

  34. solala’s avatar

    please keep the nonsense of pirating games will kill the vita …
    the vita is killing itself right now, because sony thought that having a device that is “hacksafe” is more appealing than a device with fun games…

    also the whole point of hacking is more of an art to surpass oneself and less to enable free games (which is more like a nice side effect)

    Reply

  35. dee’s avatar

    The game is out it’s sonic the hedgehog

    Reply

    1. lol’s avatar

      It’s actually Hello Kitty Block Party.

      Reply

  36. Czarcasm’s avatar

    U best not be trollin

    Reply

  37. sony’s avatar

    The moron z said someone hacked into his twitter and messed everything up. Yeah right a$$hole liar. Just like someone stole vita its all a lie

    Reply

  38. chris’s avatar

    but weren't the psvita signing keys in the ps3 firmware 4.xx+ ? we have 4.20 and 4.30 cfws, aren't we able to get them from the ps3 ?

    Reply

  39. icyheart’s avatar

    I think it is a great thing behind this article
    I really respect what you do

    Reply

  40. Cojoo’s avatar

    To friends and douche bags alike, Merry Christmas! =D
    Thanks, for working your asses off for us.

    Reply

  41. Cojoo’s avatar

    Also to the Z and Frost go fuc$k yourselves you as$holes

    Reply

  42. GlueGun’s avatar

    Does anyone ask why Sony goes here?
    i mean psp’s “SIGNED”, “sony’s part”. “slow breeze”, music plays
    in the background. meditate, imagine you're flying,
    create a memory, using your hardware and come to
    your blessings by adding hardware, “still sony’s part”. OK. I made it,
    now write blocks using see plus plus, “RIGHT!”, now make a License,
    ok!. License made, publish it!. —–> now we're here!. We Want TO
    PLAY LEFT 4 DEAD PSP!!!!

    Reply

  43. ironysteeth’s avatar

    lol ps vita native homebrews. couldn't care less if it's native. tired of freakin' smudging my screen cuz the stupid thing is a touch interface. just wanna be able to organize pics into folders and choose the sequence so I can read my fave mangas. bookr would be sweet too.

    Reply

  44. Banksy’s avatar

    When the fuc@k is the fuc@k coming out shi?t fuc&king

    Reply

  45. Mr. Magoo’s avatar

    Reading half of these comments reminds me how much I hate people. Thank you to the res that continue their work unpaid :-)

    Reply

  46. salor’s avatar

    i work for just one hour and get $10. expect to get 100.
    these guys work all day and didn't expect us to pay a single cent.
    even though ads and donations help keep them alive.
    we should respect them. and try not to be like those disrespectful kids.

    Reply

  47. salor’s avatar

    and btw they didn't bitch at you to hurry your donation or pay them.

    Reply

  48. Quade321’s avatar

    Love the anti-piracy mention. Seems official PSP development was really stifled by that, glad to see no one wants that again. And on another note I would hope a bootloader exploit doesn’t come out this early, or even in the next few years to come, because Sony can still patch newer consoles. This would be nice to see right after the 9th generation comes out. ;p

    Reply

  49. ramenking’s avatar

    what's wrong with you people, you all sound like 12yr old trolls. Thanks for the xmas present, much appreciated :D

    Reply

  50. 1fff’s avatar

    Ninja Claus was here and he brings me Hope for the new exploit XD

    Reply
