Sony patched up to 20 exploits with Vita firmware 3.00

We’ve mentioned several times in the past few days that firmware 3.00 has been a surprise to some of the veterans in the PSP/Vita scene, as Sony has patched several undisclosed psp exploits with this update.

It is fairly rare for Sony to patch an exploit before it gets publicly released, and even rarer when it comes to exploits in the psp emulator, which in the two years of the Vita’s existence haven’t proven to be a security or business threat to Sony.

Nevertheless, firmware 3.00 appears to contain patches for several exploits that were known probably by a handful of people. Firmware 3.00 contains typical “blacklist” patches in the savedata_utility.prx, but also apparently deeper fixes in the psp kernel.

savedata_utility.prx is a file that contains (among other things) a blacklist of exploits. I described that file a while ago here: When the PSP and the Vita show their battle scars. With firmware 3.00, the savedata_utility.prx blacklist has been updated to block the “pawa pro” exploit from 173210 (this was expected), but also Frostegater’s Fieldrunners and Pipe Madness exploits and Yosh’s Half Minute Hero exploit, none of which had been publicly disclosed before the 3.00 release.

In addition to those, somewhere between 10 and 20 other undisclosed game exploits have been added to the blacklist, which means those exploits are now technically patched. (I have been asked by my sources not to be more precise than that.)

It does not stop there, though, as it appears some techniques used in VHBL to increase compatibility are now patched in the psp kernel. The patches in general do not prevent VHBL from running, but limit the compatibility of some homebrews. Acid_Snake discussed this at length in his rant to Sony :)

Vita firmware 3.00 has put serious limits on ongoing efforts to open the psp emulator within the Vita. However, many devs/hackers have contacted me to let me know their own exploit wasn’t impacted, or that they had found workarounds. Total Noob’s long awaited TN-V4, an upcoming kernel exploit within the psp emulator on the Vita, does not seem to be impacted.

To me the big remaining question is the source of these fixes. Do you think Sony have a team looking for exploits in their PSP games? Or do they get contacted independently?

  1. Drugs_r_bad_4_health

    I love you

  2. G0l3m

    I don’t think Sony is really looking into anything, but maybe they wrote a nice letter to the game developers to look out for bugs in their products. We all know how the lawyers at $ony work …

  3. Reynkz

    Features of Firmware 3.00 or exploits? I prefer exploits; hackers and modders tend to develop more fun apps than the companies themselves.

  4. infinix

    I believe Sony made a special division to handle FW security on PSVita and PS4.

    1. infinix

      *for PSVita and PS4

  5. Dmaskell92

    It must be on their end somehow; if nobody is disclosing the names of exploited games, it could be some sort of detection system added to 2.61. My friend on PS3 once noticed (through PSN) I was running a SNES emulator. As devs are using private exploits and connected to PSN, it may be red-flagging Sony. This is just a thought, as I have no idea about the inner workings of the Vita. Can anyone add anything to this theory?

    1. Haze7

      Hey, maybe the capability to play on PSN with a lower firmware was put in place intentionally by Sony to flag the device or exploit (you know, to thin out the crowd).

    2. Jd8531

      Unless you were using an SNES emulator on a PS3 that has CFW, there isn’t any way for them to see what homebrew you’re using on a Vita. VHBL is running within a game in the pspemu, and the homebrew subsequent of that. Using VHBL is masked by the game you are playing.

      1. Dmaskell92

        That makes sense, I was in fact on CFW PS3. Still, how the hell do they know what Vita games have exploits?

  6. Haze7

    There might be a double agent. Or I saw some people in this scene showing their MAC addresses in tutorials (or simply their PSN ID). Maybe they are tracking your purchases to narrow down what games could be exploited and, well… trying to exploit it. I would recommend that you burn every trusted hacker and start the “Circle of trust” from scratch.

    1. The Z

      That isn’t really possible, ’cause some games were bought months if not YEARS ago, and then used to exploit them on the Vita.

      That would have been a lot of luck to fix exactly the games that were exploitable.

      1. Dmaskell92

        The exploits were either detected, reported, or Sony has a time machine.

      2. Wrozen

        Hey The Z, couldn’t they blacklist all PSP games if they wanted to and end VHBL completely?

    2. Jd8531

      Considering there are some that haven’t been patched, I highly doubt this is the case.

    3. fate6

      You just want in don’t ya :3

  7. Pronwan

    Well, if I see the number of existing “private” exploits and compare it to the number of serious “hackers” out there, it’s not too difficult to find them. The problem is only limited to the costs of trying out every single mini game. Since this is priceless for Sony, it’s probably enough to have one guy sitting there all day long, trying to create a buffer overflow on every single PSP game. I guess this is the easiest way to find a large number of exploits. If they don’t have their own “hacker”, there might be one out there telling them exploits he or she has found for a certain amount of money. Let’s say 100 bucks per game or whatever. There will probably be many people out there willing to do this for some amount of money.

    The bigger problem in my opinion is that we probably won’t have another exploited game released with TN-V. It might still be working on the remaining exploitable games, but the virtue of such a game could be too great to release it, just for the fame, and at the same time lose it with the next patch.
    I’m guessing that TN or other guys who still have a handful of games won’t share them. At least I wouldn’t, if I had them. Those who shared a game or two in the past probably had 5 or 10 exploits running, ensuring that they can continue their work after the next patch. The only reason to make an exploit publicly known is to get some fame and still be able to continue working with other exploits after the public one gets patched. No one is going to release their one and only known exploit. Possibly not even if he or she has two or three exploits.
    That’s what I think. So I guess the PSP emulator will be closed for a loooong time.

    Of course I still HOPE to see another exploitable game, but I don’t think so – at least not very soon. I can imagine the next official patches will maybe close another 10 exploits – maybe some that aren’t known at all. ’Cause Sony has proven to us that they are willing to test, test and test as much as they can. And believe me, they have the possibilities to test A LOT… I’m staying at 2.61 these days.

    1. Pali

      Try to think the other way… maybe everybody now wants to give their private exploits to the public, because it DOES NOT MATTER if they do it or not and their games will be patched anyway :)… think positive

      1. Pronwan

        Hehe, nice idea ;) I didn’t order oysters ’cause I couldn’t afford them. You’d buy a hundred, hoping to be able to pay for them with the one pearl inside, right?

    2. gunblade

      Said mostly, I mean there are like way over five hundred PSP games since the PSP came out, not counting minis, so you would think there’d be a lot of games. Even with the PSP there were a lot of updates. Weird though, it’s just a PSX in a PS2.

  8. publishe

    Can anyone help? I’m a little confused. I thought usermode exploits could only be usermode, but somehow TN-V4 is being ported to them all; how can this be if it doesn’t have access to the kernel commands in, say, Fieldrunners, which runs in “userland”? Maybe I’m just stupid, any help guise?

    1. mlc

      The usermode exploit and the kernel exploit are two different things. A kernel exploit isn’t in the game, but the pspemu itself. A usermode exploit is simply necessary to be able to run the code to trigger the kernel exploit. This is why any firmware below 2.02 can run the kernel exploit that was released with UNO, and any firmware (with a usermode exploit) will be able to run the TN-V4 kernel exploit until it is patched after release in 3.01 or higher.

      There may be a tiny chance of Sony introducing a new bug that leads to a kernel exploit, but it’s 99% certain that any kernel exploit has always existed in the pspemu, and will work on any firmware below the one on which it is released. Unless, of course, it is caught in a wave of unexpected patching like these usermode exploits in 3.00.

      So, in summary, usermode and kernel exploits are two different bugs in two different places; you just happen to need a usermode exploit in order to launch the kernel exploit. (The usermode exploit is in the specific game, the kernel exploit is in the PSP emulator.)

    2. Acid_Snake

      it’s called privilege escalation, look it up

  9. kukux89

    It’s well known that the largest companies like Sony or Microsoft hire people just for playing, hacking or crashing their games to fix all the vulnerabilities for their consoles, and the VHBL and TN topic is gaining fame (I’m from Mexico and even here we’re tracking down all updates from this scene), so I believe that they’ve a team doing just like you, but to make the patches before the game exploits get to public. To finish, I want to congratulate everybody working on Vita hacking, because Sony is selling us the save space to buy their games very expensively, i.e. here a 32GB Vita memory card costs about $120-130 US dollars.

  10. Zyphs

    I thought it was going to impact the TN-V4 exploit for 3.0; I was wondering if it was the right choice to update.

  11. Sony President

    Who the fuck is going to upgrade now???? I’m keeping my 2.02 and UNO, who is with me?????

  12. Acid_Snake

    Here’s my two cents: I don’t think Sony are actively looking for exploits. What I think is that when we released the Arcade games exploits they realized that publishers tend to reuse the same engine and code on all their games, so a publisher with a game that has a vulnerability has other potential games with similar vulnerabilities. Sony simply looked into other games from publishers with an already known game exploit. Take a look at who made each of the private exploits that got patched; chances are it’s the maker of another game that did go public. They just connected the dots. As for the utility thing, well, it’s safe to assume that TN releasing his test binaries was the cause of it, as they hint at where the kxploit is (although not at the kxploit itself), so it’s natural that Sony at least tried to decrease the amount of games that have access to those utilities.

    1. Jd8531

      +1 Exactly what I was thinking.

    2. wololo

      Good point.

    3. Dmaskell92

      This seems plausible!

  13. DeadPixel99

    Wow, if Sony had taken actions like these at the beginning of the PSP’s lifetime, it might not have become the open pirate handheld that it has become.

  14. ivo

    Maybe they have built in an exploit radar, and when it sees an exploit, instead of preventing it now … blacklist it for later?

    Something like the built-in wifi radar on some JP firmware.

    1. gunblade

      wifi radar like the radar on an F-16

  15. Nickolas

    Could this be a possible leak? Not meaning to pick at anyone here, just wondering. Also, are the exploits going to be released now? They could prove to be of some educational value.

    1. wololo

      3 of these exploits have already been released in the past 4 days. They all use the same buffer overflow techniques described in my tutorial, so there is not much educational value in them, really.

    2. phil87700

      Maybe they should not release all exploits… considering the possibility that in the next firmware update the patches are removed… and people on lower firmware can still put them on their Vitas, using the Open CMA or Charles method ;-) Just a wild guess.

  16. ivo

    By the way, is there some sort of Vita PSP emulator, sort of a
    psplink with nethost for VHBL?
    then maybe …
    cheers

  17. DarkenLX (Louis Royal)

    One word: “GeoHot”. Remember they gave him a position on their security team

    1. DarkenLX (Louis Royal)

      …instead of jail time

    2. wololo

      Lol, Geohot does not work for Sony, not sure where you heard that stuff.

  18. Adams Myth

    They’re pulling out all the stops.

  19. xj107359

    That’s too bad. Sony has begun to patch undisclosed PSP exploits. Maybe I should keep my Vita on v1.8@GC.

  20. Jzc:D

    So, when is the release date of the new exploit for 3.00 ????

  21. gunblade

    now till next year..

  22. Concerned Citizen

    I smell a rat, please find the common denominator as soon as possible to prevent further damage.

    1. wololo

      I don’t like this idea because the “common denominator” would likely point to people I trust a lot on the scene, including… myself :P
      It just doesn’t make sense. Acid_Snake’s explanation (they audited games from the same development studios that had been exploited in the past) is much more likely.

      1. Concerned Citizen

        Pay for an audit on a per game, per auditor basis… or pay a hacker to infiltrate the community for all games and many auditors… I too dislike the idea.

        I am sure this event has reminded the honest developers of the value of their treasures.

  23. Infam0us

    Has the release date really been changed till next year?

  24. PlaGeRaN

    My guess: most exploits work through savedata,
    so testing each and every game in that or a similar way won’t be impossible.
    Long, but not impossible.
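Both wololo’s reply above (the patched exploits all rely on the same buffer overflow technique) and PlaGeRaN’s point that most of them work through savedata come down to one parsing defect: a length field read from the save file is trusted when copying into a fixed-size buffer. The C program below is an added example, not code from this post or from any PSP, Vita or VHBL project; its save-record layout (magic, name length, name, score) is constructed for the example and is not a real PSP save format. It shows the two bounds checks a hardened loader performs before each copy, and rejects a constructed record whose declared name length exceeds the destination buffer, which is exactly the record the weak pattern would copy blindly.

```c
/*
 * Added example: a simplified save-record parser with the bounds checks
 * whose absence turns a length field copied from untrusted save data into
 * a stack buffer overflow.  The layout below is constructed for this
 * example and is NOT a real PSP/Vita save format:
 *
 *   offset 0 : 4-byte magic "SAVE"
 *   offset 4 : 1-byte name_len
 *   offset 5 : name_len bytes of player name (no terminator)
 *   then     : 4-byte little-endian score
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVE_NAME_MAX 15            /* name buffer holds 15 chars + NUL */

enum save_err {
    SAVE_OK = 0,
    SAVE_ERR_TRUNCATED = -1,        /* input shorter than the declared fields */
    SAVE_ERR_BAD_MAGIC = -2,
    SAVE_ERR_NAME_TOO_LONG = -3     /* name_len larger than the name buffer */
};

struct save_record {
    char name[SAVE_NAME_MAX + 1];
    uint32_t score;
};

/*
 * Hardened loader.  The weak pattern is
 *     memcpy(out->name, buf + 5, buf[4]);
 * which trusts name_len from the file: a record carrying name_len = 255
 * writes far past the 16-byte name buffer into the rest of the stack frame.
 * Here every length taken from the file is checked against both the
 * destination buffer and the remaining input before anything is copied.
 */
int parse_save_record(const uint8_t *buf, size_t len, struct save_record *out)
{
    if (len < 5)
        return SAVE_ERR_TRUNCATED;
    if (memcmp(buf, "SAVE", 4) != 0)
        return SAVE_ERR_BAD_MAGIC;

    size_t name_len = buf[4];
    /* Check 1: the declared name must fit the destination buffer. */
    if (name_len > SAVE_NAME_MAX)
        return SAVE_ERR_NAME_TOO_LONG;
    /* Check 2: the input must really contain name + 4-byte score. */
    if (len < 5 + name_len + 4)
        return SAVE_ERR_TRUNCATED;

    memcpy(out->name, buf + 5, name_len);
    out->name[name_len] = '\0';

    const uint8_t *p = buf + 5 + name_len;
    out->score = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return SAVE_OK;
}

/* Constructed sample records (not taken from any real game). */
static const uint8_t good_save[] = {
    'S', 'A', 'V', 'E', 6, 'P', 'L', 'A', 'Y', 'E', 'R',
    0x39, 0x30, 0x00, 0x00              /* score 12345, little-endian */
};
/* name_len = 255: the oversized length a weak loader would copy blindly. */
static const uint8_t oversized_save[] = {
    'S', 'A', 'V', 'E', 0xFF, 'A', 'A', 'A', 'A'
};
/* Declares a 6-byte name but the score field is missing. */
static const uint8_t truncated_save[] = {
    'S', 'A', 'V', 'E', 6, 'P', 'L', 'A', 'Y', 'E', 'R'
};

int main(void)
{
    struct save_record rec;
    int rc = parse_save_record(good_save, sizeof good_save, &rec);
    printf("good:      rc=%d name=%s score=%" PRIu32 "\n", rc, rec.name, rec.score);
    printf("oversized: rc=%d\n",
           parse_save_record(oversized_save, sizeof oversized_save, &rec));
    printf("truncated: rc=%d\n",
           parse_save_record(truncated_save, sizeof truncated_save, &rec));
    return 0;
}
```

Note that the name-length check runs before the remaining-input check, so the oversized record is rejected for the right reason even though it is also short; a loader that only compared `name_len` against the bytes left in the file would still overflow on a long enough file.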

  25. elrafu

    Hello

    Is there any working exploit (kernel better I suppose) in PSVITA OFW 1.60 yet?

    Can I use UNO from the PS Store?

    Thanks

    1. phil87700

      You can log into PSN store and look for a game named “UNO - Kernel Exploit Ready”, that might work for you…

      1. elrafu

        And UNO is not patched in the store now? (I have 1.60 OFW)

        1. wololo

          Games do not get patched. Firmwares are patched. If you manage to get UNO on your 1.60 console today, the exploit will work for you.

  26. Akay

    Sony is probably paying someone or a team of guys to keep up with forums and also to hack their consoles the best that they can.

    I guess they can monitor online when a hack is in progress.

  27. BeefStew

    I’ve been following for some time now. Tried to make my Vita “more PSP friendly” when I had 2.06… utter failure. Can anyone help me step by step so I am ready for an exploit that comes out for 3.0? Pretty please. Also, you must know that I am an idiot and need to be handled with kid gloves when it comes to ‘technical jargon’.

  28. razor

    After updating I found that the Mortal Kombat 9 invite player option isn’t working at all. F**k u Sony X(

  29. 110706

    Not only is the Vita a sinking ship, but it looks like Sony wants to take the fun out of homebrews and PSP emu stuff too. Keep it up Sony!

  30. isnizal

    I already updated to 3.00… huhuh… hoping they will exploit for PS Vita TN-V4

  31. Voltromik

    They got us in a corner, I’m getting closer and closer to putting up my white Vita with UNO exploit.. I’m just tired of the lack of games. Tired of limited OS and bugs. Tired of this 4-core device being wasted. Things have changed, they won’t ever be the same. We have begun an era of secure devices, exploits are a thing of the past.

  32. Chaosruler

    Can you release the GameIDs or the game names and regions, considering that now it is too late? Maybe the games have something in common that alerted Sony…

    On another note, I am really surprised Sony released an update that did not include a feature or a function that attracts updates so much, but included so many security patches.

  33. phil

    In the process of trying to get VHBL+Fieldrunners I updated my Vita to 3.0 accidentally. I know there’s no current exploits released… but I was wondering where I can find these “ninja releases”, as I would like to beat Sony to their next patch. I check wololo on the daily, but I’d rather know for certain that I’m not just looking in the wrong area altogether.

  34. jon

    I too updated my firmware to 3.00 accidentally..
    hoping for some trophy something…

    but then when I tried placing some files, Open CMA 5 isn’t working anymore.. the PS Vita asks me to update my said CMA..

    I don’t care about the games that are being exploited yet.. as long as I can make use of my 32G memory for videos and songs, I’ll be as happy as before..

    I hope there will be an Open CMA for firmware 3.00.
    thanks.
