Yifan Lu dumps the Vita NAND, confirms it’s encrypted

I’ve mentioned a few weeks ago Yifan Lu’s ongoing experiment/attempt at looking at the vita’s hardware. Yifan’s been busy over the Christmas period, looking at the bowels of our favorite portable console. Earlier today he announced he was able to dump the Vita’s NAND.

Now before everyone gets excited for no good reason, all this really gives us today is confirmation that the vita onboard memory is encrypted. This in itself is interesting though, as this confirms Sony didn’t mess up their security on that point, and attempting to hack the Vita by modifying the NAND directly is not a possibility.

Yifan also shared a bunch of cool pictures and explanations on how he achieved the dump, something that I think is extremely valuable for all of us, especially those interested to know how hardware hacking works. As I’ve stated many times now, I believe Vita hacking will not come without massive help from hardware hackers.

vita_nand_dump_zoom

Some of Yifan Lu’s interesting findings are that the eMMC NAND is about 3.78GB, with about 800MB used by the (encrypted) system, and the remaining 3GB or so potentially empty for now.

This experiment gave Yifan Lu new cool hardware skills that he’ll use to look at more stuff in the Vita’s internals. He also details the hardware cost of this experiment, something you’ll find interesting if you want to do something similar one day :)

Oh, and this goes without saying, but yifan Lu will not publicly disclose the dumped material. Not that it would be useful anyway, given that it’s encrypted.

This might sound like a disappointment, but to me, the fact that one guy went from no hardware knowledge to being able to dump the NAND of the Vita in a matter of weeks is extremely exciting. Again, more important than the result is how he achieved it, a process that he details on his blog. I wish I had the time to do the same :)

vita_nand_dump

Source: Yifan’s blog

  1. FiahSticksm’s avatar

    Hell yeah! FINALLY!

    Reply

    1. pploco1996’s avatar

      Finally what?

      Reply

      1. mm0mmo’s avatar

        maybe finally first comment >_>

        Reply

        1. ricerrr’s avatar

          mm0mmo- 1 , FiahSticksm- 0

          Reply

    2. HarmfulMushroom’s avatar

      The only thing that came from this is proof it’s encrypted. As of this second, without the means to decrypt it it’s pretty useless.

      Reply

    3. lol’s avatar

      finally !! NOTHING !!!

      Reply

    4. wickedchew’s avatar

      Finally, its started

      Reply

      1. Dr.Nuthsell’s avatar

        Nothing has started, it’s just an experiment I believe.

        Reply

  2. Sarge127’s avatar

    This could mean a shit-ton of possibilities… POSSIBILITIES for the vita. :)

    Reply

    1. lol’s avatar

      keep your delusion for yourself.

      Reply

    2. Yifan Lu’s avatar

      Unfortunately not. It means many thought-to-be possibilities are actually impossible. For example, I once thought maybe the bootloader is stored in the boot partition of the eMMC and that we could dump and examine it. That’s not possible.

      Reply

      1. Galford’s avatar

        aw for real …!?

        Reply

      2. Netrix’s avatar

        Are you saying the bootloader is not on the NAND at all, or just that it’s encrypted along with the firmware? I’m asking because for the Zune HD, the bootloader was on the NAND with the firmware, but both were encrypted, which means there was (of course) something that took care of decrypting the bootloader in order for it to boot. I suspected the keys were stored in the ‘Atmel 8 kilobit AT88SC0808CA CryptoMemory EEPROM chip’ that is on the Zune HD’s board. Maybe I’m just an idiot and it doesn’t have anything to do with it, but that was my guess. Did you happen to see any crypto chips on the Vita’s board?

        Reply

        1. Yifan Lu’s avatar

          The first stage boot loader is not on the NAND but there could be many other stages. Encryption is done on the soc. No special chip.

          Reply

      3. Netrix’s avatar

        Ignore my first question… I started reading your blog about the dumping and it seems to have answered that question. The rest of what I said might still be relevant. You mentioned a “mystery chip”, but that could be anything I suppose. I’m not that knowledgeable hardware-wise.

        Reply

  3. Bla’s avatar

    The ps3 is more or less hacked
    So we can use the ps3 to decryped the dump
    Then we also could use the hacked vita one the ps4!?????

    Reply

    1. paul’s avatar

      Now theres an idea. Theres a good chance they used the same encryption on both consoles. Its worth taking a look at the very least.

      Reply

      1. lol’s avatar

        same encryption, different key, so what !?

        Reply

    2. lol’s avatar

      it won’t be, Sony would never use same key to different hardware

      Reply

      1. JeoWay’s avatar

        Sony used the same AES key from the PSP on the Vita lol…

        Reply

        1. Acid_Snake’s avatar

          that was only in the early test firmwares, they changed the key starting from firmware 1.00

          Reply

  4. NakedFaerie’s avatar

    You really think they wont encrypt everything after what happened to the PS3 and PSP?

    Thats why the PS4 is missing so many good and standard features. Less features means less exploits.

    Reply

  5. god’s avatar

    Vita is only good for shoving in a girls vagina.

    Reply

    1. Sky Yuki’s avatar

      No it suck
      It doesn’t have vibration feature
      So it suck

      Reply

      1. moo’s avatar

        valid point

        Reply

    2. dAVEY’s avatar

      I cant stop laughing now LOL now if it only vibrated! Quad-Shock controller or Octo-Shock the Vita would be a real pleasure toy then.

      Reply

  6. matt123337’s avatar

    I’m pretty sure the 3ds’s NAND was dumped the same way,w itht eh 3ds you could also upgrade/downgrade with your own nand dumps, could this be possible on the vita as well?

    Reply

    1. asfggggg’s avatar

      sure, it is nand after all :)

      Reply

    2. Yifan Lu’s avatar

      It is a possibility, I have not tested. They could block downgrades by changing the encryption keys for every upgrade or any number of ways. I didn’t test it because at this point, having the ability to downgrade is pretty useless.

      Reply

      1. asfggggg’s avatar

        what about with the development vitas, don’t they need to connect online to sony every 30 days?
        With backing up and restoring the nand, this could be bypassed, right?

        Reply

  7. joe’s avatar

    Vita RHG lol

    nice job man.

    Reply

  8. L2SSnake’s avatar

    My geek part of the brain is OC xD

    Reply

  9. mma_jedi’s avatar

    Now Yifan Lu is working on a Video Out possibility!! Idk if Sony has even said what the mystery mini usb port is for…but we’ll own that shiit.

    Reply

    1. zxskylinekidxz’s avatar

      I believe the Video Out only works with a Sony TV. I have a Vizio and the Screen shows me “Not Supported” when I used the PS Vita’s USB. Try testing it on a Sony TV. I researched it when the Vita came out and Video Out was said to be only supported by a Sony TV.

      Reply

  10. necro_something’s avatar

    I hope the Vita portion never gets hacked- at least not so early in it’s cycle.
    It’ll truly be the end of the system that’s been struggling for so long if it does get hacked.

    Reply

    1. moo’s avatar

      it’s about time it gets hacked

      Reply

  11. heathrowairpor247RCcars’s avatar

    guys vita is a dead platform sell your OLED versions to hardcore monsterhunter fans in japan and be done with it.

    I think even sony is ready to move on moving many of their vita teams from last year onto ps4.

    vita is pointless because soon remote play will work on ipad and stuff effectively via playstation now.

    seriously this console is 100% dead.. it picked it up as soon as my life become 100% dead.

    give up its for the best I know.

    Reply

    1. Sky Yuki’s avatar

      No i’m going to use my vita as streaming device (as soon as it available in asia)
      Because i don’t have other console
      And smartphone? i’m not going to use touch screen

      Well if i have iphone i would get powershell thought

      Reply

    2. Dark GOD’s avatar

      You can play PS Now on your iPad..
      I rather use real controls of the VITA without the need for a 3rd party overpriced controller.

      Reply

      1. JeoWay’s avatar

        You cant play it on iPad… i’m sure Sony will try to make sure its only optimized to work on their brand products. Like how they said it will work on TVs, only the new Bravia TVs, which is owned by Sony. Or Sony tablets and phones, etc.

        Reply

        1. dboyz’s avatar

          yup, I second this…just see how playstation mobile goes….not even flagship andorid phones have it (S4, Nexus etc) only certain Sony phones, HTC etc (well rooted phone can install PS mobile tho)

          Reply

    3. Davey’s avatar

      Thats actually a good point and Im serious, Sony might as well had made remote play for the 3DSXL. By making it available to a huge market that directly competes with the struggling handheld; they signed its death warrant.

      The Vita and all its glorious hardware and many are naive into thinking these independent 2-bit games are going to support it. Take a step back and look at the big picture and keep it real – we havent see crap on the handheld that really shows us what it can do. The Vita games I have, and I have a few are just boring. All I’ve played on it lately thats entertaining are PSP and PS1 games and as cool as they were and as great as they look on the display Im not getting my moneys worth. 95% of the games are crap. Im tired of SNES quality games when I have this $300 device. I myself want to see a freaking RPG that shows off what the handheld can really do and not ports. Something made for grown ups. Im jelious of Nintendo and the developers that pushed the SNES to do more and more (eg RARE). The devs making games for the Vita are keeping so much scaled back as half of them are porting the game to inferior tablets and phones as well.

      In the end at least I have my emulators running on the Vita because of the $100′s Ive spent on Vita games, at least these are getting use on it. How sad I could have just ran these on my PC in the end. -_-

      Reply

      1. Yukon’s avatar

        Killzone.

        Reply

    4. Franz’s avatar

      Its not dead till sony says it just like the dreamcast.. Borderlands 2 is still comin and we vita exploit owners can still play a glorified psp haha

      Reply

  12. Dark GOD’s avatar

    Interesting stuff.

    Read some comments and..
    Vita isn’t dead.

    No system ever truly dies if there are people who are still using it.

    DEAD is when you apply a hammer or a brick to your device.
    -Microwave it
    -Blend it
    -Give it an acid bath

    Now that’s dead.
    You get the idea.

    Reply

  13. xlovenuggetx’s avatar

    thanks guy.

    Reply

  14. Nazar_Ops’s avatar

    I still think that it will be hard to hack the VITA. PSP 3000 is still not hardware wise hacked, like the older PSPs. We only manage to run an exploit that lets us use stuff. But it is not a permament hack. If we never managed to permament hack PSP 3000, I doubt we will ever hack the PS VITA permamently, so that Sony can’t patch it.

    Reply

    1. Yukon’s avatar

      PSP 3000 & PSPgo, both had permanent cfw’s created by virtual flame.

      Reply

  15. ivo’s avatar

    and a flash player for ubuntu 804 (SHELLSCRIPT INSTALLER)
    and a vita bios decrypter encrypter vitabios-crypter

    Reply

  16. gunblade’s avatar

    So the psn stream for the tablets android and the android second screen so it lets u play play pstwo games think if they let u download the games it be like in a seperate app that store the game think it would work on the psvita and stores the games but lets u emulate the pstwo to play pstwo games or is streaming faster some how since html Browser games cool.. wish …hack// for the vita thinking of getting phtasy star or soul sacrifice soul sacrifice seems more skyrim….

    Reply

  17. gunblade’s avatar

    Nice. Job yifan … I guess the new psvita got two gig upgrade and twice ram… It setup or the vita dump reminds me of how I use two play my psp… Maybe head backto gamestop today get sum new games then ross…

    Reply

  18. kelso’s avatar

    this is some crazy shit guys!!! some ps3 shit hahah Geohots, it’s crazy how he is putting so much work into it and hopefully does find a cfw for the vita it’s about time!!!

    Reply

  19. Thrawn’s avatar

    Ok so yifan now has a nand dump which is encrypted. That limits the key to be in the vitas cpu. Rgh anyone?

    Reply

  20. ViRGE’s avatar

    Even if it never leads to anything, it’s still something worth congratulating. Nicely done, Yifan.

    Reply

  21. The AtoZ’s avatar

    good yifan.. you are good student of mine…
    keep up what i teach you… same goes to the z…
    keep that up my student…

    Reply

  22. LuKe_AA’s avatar

    Wonder if DS/3DS like CPU’ed cartdriges will be the way to go for Vita “full” hack and/or bypass of encryption(s).

    Reply

  23. Abdou005’s avatar

    Niiiiiiiiiiiiiceeeeee at least :D. we are “sure” now that the vita won’t be hacked by “NAnd Dump” . Yifan will start digging in the memory card, game card , mysterious port and the “software” side :D. LET THE HACKING SHOW BEGIN :D

    Reply

    1. Yukon’s avatar

      Shut the hell up…

      Reply

  24. ivo’s avatar

    what about a signed psp bios dumper
    that feeds a bios to pc and pc-tnvemu
    660 on more arch!

    Reply

    1. Unknows’s avatar

      @Ivo Everything related to the PSP has restricted access on the Vita. There is absolutely no way that, by digging into the PSP emu, will lead to a Vita “hack”.

      Besides, it’s hard enough to relocate the cpu’s mem since its all in 1.

      We just need to think out of the box a little more but kudos to Yifan lu-san for his skill set.

      Reply

  25. ivo’s avatar

    virtual breadboard psp plugin emu

    Reply

  26. Xperimental’s avatar

    The only reason i bought a Vita was to use in with a ps3/4 controller and play it on a big
    screen TV, only to find out sony F**K me over. So if hacking will give me these things
    singe me up.
    TN and the dev that made psp emulating possible gave the Vita back some life.
    but still there is no ps3/4 controller or TV out put.
    Till then I will keeping using ppsspp emulator is the best on the market right know.

    Reply

    1. CrimsonRaven25’s avatar

      All ps4 games can use the vita as a controller aside from games that require move and or camera, and that’s a really stupid reason to buy a handle gaming device as a controller only thing, I mean I knew remote play on the ps3 wasn’t gonna be what the ps4 was, you spent 250-300$ for a controller? Yes Sony indeed fucked you good sir, try buying some vita titles, yeah their maybe be only a few hundred but theirs alot well worth it, vita sales have been up since ps4, more devs are getting more interested in the vita, so there will be more games coming out, does anyone remember the psp when everyone cried baby waaah about it not getting games

      Reply

      1. yes’s avatar

        I think he means that he want to use the Vita as a console, connecting it to a TV and using a PS3 or PS4 controller instead of playing on the Vita directly.

        I dont know why he feels that Sony fucked him over though. Sony never advertised that this was possible. Its kinda like saying that Nintendo fucked you over because you cant connect the 3DS to a TV.

        But Sony did however come up with a solution for this. They released the Vita TV. It allows Vita games to be played on a TV, and you use a PS3 controller to play the games. The only downside is that all Vita games wont work (because many uses the touch screen), but at least it works with some games :)

        Reply

  27. yukon’s avatar

    This really makes me want to do “Electronics” for college.

    Reply

  28. ivo’s avatar

    root levetation sploit vita ?.?

    Reply

  29. svennd’s avatar

    Well only a couple of weeks for someone who already knows the PSP as the back of his hand … And who has allot of exp. on consoles in general.

    While his hardware skills might be “fresh” I doubt many could have an soldering iron and a vita, and do something usefull. Beside breaking it.

    Reply

  30. Calsolum’s avatar

    slow progress is always better than no progress. It doesnt seem like much but i for one am glad that there are still people working on the vita.
    thanks for posting his findings

    Reply

  31. xchatter’s avatar

    Thank you.
    Keep up the good work and don’t give up !

    Reply

  32. ivo’s avatar

    okey 101 now works for me thanks to the fixes 7.3
    :)
    megacheers xD

    Reply

  33. mlc’s avatar

    That’s a shame that it is encrypted, and that you can’t release it, but good job.

    Where do you think the Vita gets the decryption key for the NAND?

    Reply

  34. ivo’s avatar

    what about a tnv2.71se and some libtiff sploits

    Reply

  35. Ry’s avatar

    …Theoretically if we dumped the slim vita nand and updated the phat vita NAND with it we would get an additional 2GB of onboard memory.

    Reply

    1. Yifan Lu’s avatar

      There’s a good chance that it’s a per-console encryption. Also, I know that the firmware/updater enables/disables specific features for each console (for example some apps aren’t copied into VitaTV), so the features may still not be enabled.

      Reply

  36. stonemandy’s avatar

    I believe its possible to figure this out watch some 13 year old kid will find a way . Anything is hackable even the world’s biggest supercomputers. There is alot of people that don’t want the vita hacked yet but don’t give up its only a matter of time

    Reply

    1. svenn’s avatar

      supercomputers aren’t stronger protected then say, any other computers … in fact there allot less protected then the vita, since speed and raw calculations is the target of super computers not gaming ;-)

      Reply

  37. Mr Genius’s avatar

    hack ps vita just like ps3 im sure boom many consumer buy ps vita… Like psp a lot people buy psp right it’s been a years people using psp now it’s time !!!

    Reply

  38. Jah Nix’s avatar

    Thanks Wololo for the update – Great work Yifan Lu! Highly interesting read and we can only hope it leads on to better things!

    Reply

  39. nevercall’s avatar

    how ’bout the vita game card? maybe we can do the same trick they do on 3ds w/c they play backups(cough) from it?

    Reply

    1. Yifan Lu’s avatar

      Gateway 3DS required a kernel exploit.

      Reply

      1. Hazer7’s avatar

        I thought we had a kernel exploit for the vita. Just not the native. And is decryption that hard. You should go further into details about what type of encryption it is.

        Reply

        1. Yifan Lu’s avatar

          We don’t have native kernel exploit for the Vita. We have it for the PSP emulator ON the vita.

          “And is decryption that hard.”
          If done correctly, it would take more than the life of the universe to crack AES encryption of a reasonable key length (which is what they are using).

          Reply

  40. 110706’s avatar

    “”I believe Vita hacking will not come without massive help from hardware hackers.”" and “Oh, and this goes without saying, but yifan Lu will not publicly disclose the dumped material.”.

    Translation : i want hardware hackers to help us hack vita, but i dont want to share what i have already discovered and maybe someone smarter than me can figure it out.

    Good luck getting more people interested in hacking Vita if you act like this. PS Vita chances of getting hacked are slimmer by each day…meanwhile each day newer and more powerful hardware arrives for handheld devices, ultimately making Vita totally not worth it.

    Reply

    1. JS22’s avatar

      Exactly what I was thinking. I was wondering what he meant by saying: “I won’t be able to release data I obtain from the device for legal reasons (including any actual dumps made) but I WILL post instruction for REPRODUCING everything I do.”

      Which means, he won’t be releasing the actual dumps, and most likely, won’t release a Native Hack for the PS Vita, BUT, someone who is following his instructions can reproduce it and release it. Unlike Yifan, he is just avoiding Sony haunting him down. Understandable, but that’s where most people got confused, or mislead, and donated right away because they thought they were going to see a Native Hack and Homebrews on their system…ONLY by following his instructions that he post up, NOT by downloading a Ninja Release or a Nand Dump, or anything like that.

      The real question is…no, the real question was, “are we going to see a Ninja Release of a Native Hack for our PS Vita? The only people that would most likely to have it (in the future), would be the massive help from the hardware hackers and coders, not people who donated, UNLESS they are following Yifan instructions. So you donated AND must purchase the items that Yifan bought by your donations, and follow his instructions on how to do a Nand Dump. Please correct me if I am wrong. I have nothing against anyone. Just trying to make it clear for myself and maybe others.

      Reply

      1. Yifan Lu’s avatar

        Let me quote my entire disclaimer for reference.

        “Before we talk business, I want to be as open and honest as possible. I am not a hardware hacker. I have very minimal experience with hardware (I know how to solder and I know what resistors look like), so by no means am I the best person for this job. In fact, I wish there was someone else doing this. My only qualification is the small amount of knowledge I have running userland Vita code and exploring the USB MTP protocol. It could turn out that I’m completely incompetent and not get anything useful. It could turn out that everything works out but my goals were set in the wrong direction. It could also take a very long time before any results are found (since this is a hobby after all). But, I will always be as open as possible; documenting any small discoveries I make and posting details and guides about what I’m doing. I’ll post any large transaction that takes place within the scope of this project and admit any mistakes I’ll definitely make. I won’t be able to release data I obtain from the device for legal reasons (including any actual dumps made) but I will post instruction for reproducing everything I do. I have seen other “scene” fundraisers and the problems that arises in them (mostly lack of response from the developer(s)) and will try to avoid making such mistakes. If you still believe in me, read on.”

        Please note that it was posted BEFORE the donation button. You must scroll past the large “Disclaimer” text before even getting to donate. If you still haven’t read it by then, I’m sorry but I don’t think I’m misleading anyone by not releasing any (encrypted, aka useless without key) information.

        ‘The real question is…no, the real question was, “are we going to see a Ninja Release of a Native Hack for our PS Vita?”‘
        Nowhere in my original post did I even mention a native hack, an exploit, or anything. All I said was that I want to dump the NAND and explore the hardware and if you want to help, feel free to contribute some money.

        “So you donated AND must purchase the items that Yifan bought by your donations, and follow his instructions on how to do a Nand Dump. ”
        Nope. If you read the posts, you can see that all you need are three pieces of wire and an SD card reader that supports 1-bit read mode. The tools I bought allowed me to analyze the hardware so I can find this. It’s like saying everyone who wants to run this homebrew must download the SDK.

        Furthermore, if anyone DOES feel like they have been misled, I will happily refund their donation.

        Reply

    2. Yifan Lu’s avatar

      Real Translation: If you are working on the Vita feel free to contact me. However, I cannot release any materials because Sony is known to be very hostile towards hackers and don’t want to give them any reason to sue me.

      Reply

    3. wololo’s avatar

      @110706, your comment is just so out of place it baffles me.

      Obviously, you completely missed the point of the “this goes without saying” part, so I’ll say it anyway:

      - there are legal implications to distributing the content of the NAND, which is made of copyrighted material from Sony. Yifan couldn’t do it without risking legal action from Sony (even if, in encrypted form, that arguable)

      - The content of the NAND is encrypted, and therefore totally useless to anyone. (NO, other hackers won’t find a magical way to decrypt it!)

      As a conclusion of these two obvious (for anyone with a minimum of experience) points, the files will not (do not need to) be released.

      Makes sense? Next time, comment only if you know what you are talking about.

      Reply

  41. euss’s avatar

    Not only is it encrypted (psp2000 and later is anyhow), it is also perconsole tied – so it is not like you are going to do anything usefull with it other than comparing and documenting its rough structure with other encrypted flash dumps.

    The standpoint about not releasing full dumps is understandable, even when censored to remove personal data. It is certainly not surprising to see reluctancy to open up for legal debate. Ever since Sony sending DMCA to virtually anyone remotely hinting to Sony owned material or even removing content that is not even owned by them but opensource/public domain you can hardly find a website/person willing to pay for the legal expenses for such debates.
    It is also not exclusive Sony either, as generally other (console) hackers try to keep their releases legally safe (e.g. Wii/WiiU:Nintendo, Xbox/XboxOne: Microsoft etc.). I don’t hear you guys/commenters asking for WiiU or XboxOne dumps/keys either or making a fuss about it (hopefully that is a sign of intelligence :P).

    Reply

Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>