Native Vita Hacking: What’s the situation so far? (Part 1)
As I said in previous posts, I’m leaving behind ePSP development in favor of native Vita hacking; it was one of the reasons I gave a helping hand to qwikrazor87 in fully destroying the PSP/ePSP scene a few days ago.
The PSP is a system from 2004 and any new development on it is just beating the same old dead horse, so it was time this site finally moved on. With that said, what’s the current situation of native Vita hacking, and why do we not see that much information floating around?
It’s no secret that the Vita is a damn well secured device, it implements quite a few security measures that make it really hard to hack and execute code, but, yifanlu once said it best:
So what is webkit, why is it so important for Vita hacking, and more importantly, how do webkit exploits work?
Webkit is an open source web browser engine used by most web browsers today to render web pages.
Since it’s open source and widely used by many big browsers like Chrome and Safari, it’s really common to find webkit in proprietary embedded devices like gaming consoles, and normally it is an older, more exploitable version. Did I mention the Vita uses webkit?
This basically means that we have the source code for a piece of software used by the Vita that has had a lot of exploits giving code execution, or at the very least the ability to run a ROP chain. On top of that, we don’t even have to find the exploits ourselves: there are lots of devs and hackers outside the scene who make a living out of finding effective webkit exploits.
But how do these exploits work? We’re not talking about PSP usermode exploits that rely on buffer overflows, or PSP kernel exploits that rely on missing checks or flawed implementations; webkit exploits usually rely on so-called use-after-free bugs.
Use after free essentially means a pointer is used after the memory it references has been freed. Here’s a very basic piece of code showing the idea behind this:
#include <stdlib.h>
int main(void) {
    int* pointer = (int*)malloc(sizeof(int)); // we allocate a region of the heap
    *pointer = 0; // we use the allocated space
    free(pointer); // we free the area we allocated previously
    *pointer = 1; // we use the pointer even after it has been freed: the use-after-free
    return 0;
}
This code causes what’s known as undefined behaviour: nothing at all might happen, or the entire thing can crash.
Of course webkit code doesn’t do this intentionally; a bunch of things need to happen for this scenario to take place, and we need to make them happen ourselves. To do that we make use of one of webkit’s features: JavaScript.
JavaScript lets us reach the underlying C++ classes and other functionality, which allows us to trigger a UAF bug. But how do we use a UAF to our advantage? Well, we need to understand how C++ classes work.
C++ classes are represented by a structure in a manner similar to this:
#define MEMBERS 4 // number of virtual slots; illustrative value
typedef struct _myClass_ {
    void* vtable[MEMBERS]; // the virtual table: one pointer per slot
    // actual data here
} myClass;
A C++ class has an array called the virtual table (vtable), which contains pointers to all the members of the class (be it attributes or methods). When you pass a pointer to a class instance to one of the methods, this virtual table is reconstructed so the pointers point to the needed data at the needed offsets in the vtable; this allows for class inheritance and polymorphism.
When a UAF is triggered, the vtable can be sprayed with data so that we have control over the pointers, and hopefully one of them is a pointer to a method, and hopefully this method gets called and the system jumps to our specified address. Hopefully we also spray a pointer to an attribute that gets loaded, giving us control over a register or two.
Unfortunately we have something called the NX bit that prevents us from executing instructions at an address not marked as executable, so where do we go from here? A ROP chain, but that’s to be explained in another blog post.
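As an added example that is not code from the original post, here is a C model of the vtable idea described above together with the use-after-free on it, written from the defensive side: the object’s vtable pointer is its first field, virtual dispatch reads the call target out of that memory, and a release routine that wipes the object and nulls the caller’s pointer turns a stale use into a fast failure instead of a jump through reused heap data. All names (Shape, rect_vtable, shape_release) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not code from the original post: a C model of a C++ object
 * whose first field is the vtable pointer, showing why a dangling pointer to
 * it is control-flow sensitive, plus a defensive release pattern that makes
 * stale use fail fast. All names (Shape, rect_vtable, ...) are hypothetical. */
typedef struct Shape Shape;
typedef struct { int (*area)(const Shape *self); } ShapeVTable; /* one slot per virtual method */

struct Shape {
    const ShapeVTable *vtable; /* first field, as common C++ ABIs lay it out */
    int w, h;
};

static int rect_area(const Shape *s) { return s->w * s->h; }
static const ShapeVTable rect_vtable = { rect_area };

Shape *shape_new(int w, int h) {
    Shape *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->vtable = &rect_vtable;
    s->w = w; s->h = h;
    return s;
}

/* Virtual dispatch reads the call target from memory the object points to.
 * After free() that memory belongs to the allocator, so a call through a
 * dangling Shape* jumps wherever the reused chunk now says it should. */
int shape_area(const Shape *s) { return s->vtable->area(s); }

/* Guarded dispatch: refuse to call through a NULL object or NULL vtable. */
int shape_area_checked(const Shape *s) {
    if (!s || !s->vtable) return -1;
    return shape_area(s);
}

/* Defensive release: wipe the object before freeing (a leftover copy of the
 * pointer sees a NULL vtable until the chunk is reused) and null the caller's
 * pointer so this reference cannot be used again at all. */
void shape_release(Shape **pp) {
    if (!pp || !*pp) return;
    memset(*pp, 0, sizeof **pp);
    free(*pp);
    *pp = NULL;
}

int main(void) {
    Shape *s = shape_new(3, 4);
    printf("area before release: %d\n", shape_area_checked(s)); /* 12 */
    shape_release(&s);
    printf("area after release:  %d\n", shape_area_checked(s)); /* -1 */
    return 0;
}
```

Compiling with a sanitizer (for example clang or gcc with -fsanitize=address) on the unguarded shape_area after a plain free() is the quickest way to see the same bug class flagged at runtime.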




Thanks for this post and a bit of insight into what it takes to hack the Vita. Looking forward to the next one
Any progress on a Native Vita Hack is good progress.
Since I’m not a dev/coder, I appreciate all the hard work you guys are putting in.
Thanx.
good read
Thanks for the update! Always appreciate the hard work you guys put in to keep the scene alive 🙂
Can’t wait for the next part. Really cool and well explained insight into webkit exploits. Thx Acid
I really wish to understand these things.. but I’m no coder/dev
if there is a will, there is a way. too bad I don’t have the resources XD
I got a Vita, a dual core PC just to play Dota 2.. that’s it.. end of resources.. huhu
I’m happy for this to happen. This is the “first step”, a hard choice to make but I believe it is the right one. Now, like the PSP, we had well known devs like DA, and so anyone that was interested in PSP hacking/development, now that Vita hacking is in baby steps, is a good time to learn about it. What better inspiration and examples than total_noob, DA, and if I’m correct just like wololo did, and many others. Full support to this Acid_Snake
wololo, DA, cold bird and virtuos flame etc are the best devs
acid_snake, djgodman and total_noob ruin the scene more than anything
@acid_snake your decision was bad, come back with a native Vita exploit or don’t come back at all
acid ***, you need to ***.
You do realize this statement would only be valid if the devs “ruining the scene” weren’t the new generation of devs that stepped in as the “best devs” stayed back with PSP or moved on to something completely different, right?
lmao it’s best that if u don’t know sh*t don’t talk sh*t
Can’t wait. Starting my first year of school for C++ I’ll be able to help you guys in five years lol 😉
Good to see you guys finally putting effort into WebKit! Brace yourselves for 3.20 though…
yeah with the PSP scene out of the way and fresh motivation, we’re finally getting things done. We’re working on webkit and the open sdk.
So if i understand correctly
the vitas web browser has a search engine called webkit
the webkit is capable of using javascript and you intend to find a hole in it to indirectly access C++ classes in the vita
through these C++ classes youre looking for a
at this point im lost could anyone who understands dumb it down further
‘skfu’s vita browser 1.5’, does that mean webkit?
http://wololo.net/2013/01/25/skfu-interview-details-more-on-his-native-vita-hack/
skfu is a scammer who also knows how to use a proxy. Nothing more, nothing less
good luck!!!!!!! i know you will find the way…
keep us in touch ok??
Interesting…
Thanks for all the hard work!
For now, I’m glad to at least be playing Super Metroid on my Vita.
So its basically function hooking? Or function trampolining!
This is the method I used to use to create hacks for games like Americas Army Ops and Enemy Territory like 10-12 years ago (but i dont code anymore!). Hook the hack onto a function that is routinely called by the game, and it in turns injects your code!
We also did this to bypass PunkBuster anticheat software in said games!
Interesting read.
Conspiracy theory: Acid_Snake and quikrazor87 working undercover for Sony the whole time! He he he
So then why would they develop save exploits for homebrew, or let ninja releases continue when they’re not leaked?
Because they are waiting for the big NATIVE PS VITA HACK MUAHAHAHAHA
ha.
Good post, and a good reason to deaden the previous scene. Many people won’t agree or understand but you are right, if it just keeps going the psp hack route then native vita hacks will be further and further away. Good luck to you guys figuring this stuff out and for all the hard work a huge thanks 🙂 if ever need any help with anything give me a shout, I’m happy to give a hand where I can.
GO! GO!
The whole thing with leaving psp exploiting behind is bitter sweet but in the long run we will see a lot of new and exciting benefits. Vita security works quite well… .. It’s not perfect but it works. It is because of this that one day it will be exploited.
really wish dark Alex was still around hacking away… I bet he would have had this figured out by now….. The whole cat and mouse game during the psp days was very interesting and exciting…. Those were the days
As for Sony’s Vita security, yes it may be good; but remember that anything that can be Made, can be Unmade!
For the Vita to be locked, there must be a way to open it! Otherwise even Vita games wouldn’t get in/access!
Couldn’t we just trick the Vita into thinking that unsigned code is a legit game or something?
Of course. Why didn’t I think of that. Fascinating, Jim.
so any native cma for 3.18 ?
so if I’m reading this right, couldn’t we just load an emu with a signed .pkg like the pkg loader? all we need is our PS Vita’s pass code, put that in a custom pkg and bam, free games or at least emulators right? but that code would be $ony property so it wouldn’t be shared here right? I have a feeling that may be a way to do this but I could be wrong.
no one other than Sony has the private signing keys for the Vita, only for the PSP and PS3.
Good to see the Vita has not been abandoned
Not to put the cart before the horse here but this shows quite a bit more promise than I originally thought was possible. Not too many people in the scene have been talking about native Vita hacks (and I understand keeping things secret means Sony can’t patch them out) so I thought not much was being done. Thanks Acid. This information has me hopeful that homebrew and emulation on a more powerful device than the PSP could potentially be reality at some point. This is essentially the only reason I’m still hanging on to my Vita. Tell you what. You successfully get homebrew working on Vita natively and I won’t just buy you a beer, I’ll buy you a 24 case.
When the day comes that the Vita is natively hacked and publicly released, I will personally donate some money to all those who made it possible! I won’t say HOW much, as this will depend on how many devs are involved lol, I’m not rich! But will be very thankful!
Just remember guys, for years ppl thought the PS3 was unhackable! But in the end it was ripped wide open!
I just hope native Vita hacks won’t need hardware mods! I wouldn’t even consider it if a hardware mod is the only way!
ps3 isn’t wide open just yet sadly. I still can’t hack my system in any way since it’s a newer model
Ahh I see, here’s hoping the Vita isn’t as locked down!
Great article, looking forward to the next one! Loving the information, the better my programming skills get the more I understand. Haha I used to always read articles like this and scratch my head. Now everything makes sense, which makes it more interesting and fun to read.
Best article in past three years 😀 exploit releases apart. This is a really interesting way of approaching to a device, waiting for second part 😉
does not matter, Vita is dead
Not dead yet, Japan alone is keeping the thing alive….thankfully!
Though I do hate JRPGs and hope we get some GOOD AAA titles in the future! Even ports of games like GTA would be good enough for me! ANYTHING! Sick of all these Asian based games, they suck lol
Ok not JUST the Japs keeping the Vita alive, there are still many of us in the rest of the world supporting the Vita =)
So what would a native hack bring us? What kind of homebrew are people thinking about? Vita wouldn’t be able to handle any crazy emulators, right?
A native hack would allow scene members/coders to create games, apps and emulators that can utilize the full power of the Vita’s hardware!
Right now all we have managed to do is hack the PSP emulator built into the Vita, and being a PSP emulator hack, the homebrew made for it can only use PSP power (ie: 333mhz cpu speed and 32/64mb ram), which is very slow these days!
Emulators using the Vita’s quad core cpu and quad core graphics chip would run MUCH better! Not having to be limited to 333mhz and crappy low ram! ROMS would run nice and smooth with much better framerates!
That makes sense. Really cool. Thanks for the reply.
I’m holding out hope for an N64 emulator for the Vita, though even N64 emulation on the PC isn’t perfect.
I always thought that with the pkg installer, if there was some way to create installable pkg files from demos or something that would be the major ticket in. but I’m not an expert so idk
For that to happen you need some keys to encrypt the packages yourself, and only Sony has them. PKG installer will be useful when you can patch it to install unsigned (unencrypted) packages, and you need a kernel exploit for that.
When can we expect to see part 2 of this article? very interested to hear some more about the native hacking progress!
Actually this article has made me download Code::Blocks again, and after not programming for nearly 12 years, I’m gonna get back into it again =D. Though I’ll have to refresh my knowledge of C and C++ with some tutorials!
Very interesting post!
I would really like to help you guys in searching for the addresses needed. Is there any way I can help you?
I have some experience in C, C++ and a little bit of java. Also I am able to program microcontrollers which could be helpful if we need to do some hardware modifications. (I’m an electronics engineer)
This is great news, can’t wait to steal and download free games.
I won’t hold my breath just yet, as i wholly expect it to take a while, but I’d be lying if i didn’t say I’m not excited and have a gleam in my eye about native vita hacks.
I enjoyed my dead horse for a while but this is cool too. After all with a native exploit we can always do a hook call to the Emulator right? (Once the exploits calls and hooks are mapped.)
I don’t understand Sony’s ambivalent attitude toward the PS Vita. I was a great admirer of the PSP yet I always felt that it was lacking in comfort and features to become a ‘beside the bed’ grab to play for minutes and set on sleep mode at ease and convenience. I own a 3DS and I must say it surprises me that it’s less pronounced that it is much more lacking in its game library regardless of personal feeling of the device itself vs the Vita. My Vita is the first handheld I really fell in love with since my GBA SP (with flash cart XD) and it has become a platform that attracts fantastic indie titles and arcade style games (giving its games that good old Dreamcast vibe). The PSP was pushed forward and given a slew of triple A titles and originals even though it never really lived up to the great quality and feel the Vita provided from day one. And now I keep reading dichotomous reports of the unprecedented and unpredicted landslide success of the PS4, the overall success of the PS3 from the latter years of its lifecycle, and on the other side they post massive Q2 and soon Q3 losses and cuts plus the claim that they will focus less on pushing the Vita to its limits with top quality Vita designed titles like Teraway, Uncharted, Little-Big Planet and Killzone … What about God of War or Twisted Metal, or more original IPs using the Vita hardware creatively like Teraway. This disappoints me and puzzles me. I was always a pirate of games but since I became older and since PS Plus and horrific banning practices I started buying games, but I remember and still know a massive amount of people who will only buy a platform if it’s hacked, and for online play they buy games, but with no hack they will never be a customer, so it’s a loss to Sony. Maybe a good hack could help the Vita in the market so I’m “rooting” for the scene and the hackers.
personally pirated games made me buy much more games than demos since nowadays sc*** over midsize game studios can spell their end I feel strongly about supporting good devs and artists….
great article and very well explained; as a second year development student I understood every word (not common when reading other articles about hacking or exploiting). I hope the tides will turn for the best handheld created to date, it just needs a happier scene and more first and third party dev love.
btw I feel Sony might pull a stupid Sega/Nintendo move and fiddle with a 1/2 generation hardware iteration. I always hated that move and it ended badly historically for the most part except maybe for the DSi. The Vita is a fantastic, durable, comfortable and graphically pleasing console that can have a jawdropping catalog of games, it just needs better marketing. I predict though a new Playstation Xperia hybrid that mixes the two in greater synergy with emphasis on the Playstation part, as the market is being gutterballed by the mobile phone industry and the horrid casual gamers Nintendo and Facebook originally spawned, and this hardware plus Gaikai research will attempt more and more to supply the PS4 via 4G and home wifi to your handheld. That’s where I think we are heading instead of device tailored creative and wonderful games
There won’t be another Xperia hybrid. The last one may have done well with a cult following after it was long discontinued, but the fact that it was regarded as a very niche device is too much risk for Sony. The closest you will get is a slide out keyboard that has some pseudo game controls integrated into it.
as I know, some things you say are impossible (I make websites)
but what if it’s possible! that’s great
The people here that help with the vita scene are not “Lazy”. they spend countless hours and days looking to improve the vita for users and *** bags alike.
Also don’t say anything negative about the Z. He is one of the main people who helps with the Vita scene here. The knowledge the Z offers and the help to other people here is tremendous. Anyone who visits here regularly knows that.
Stop complaining on the people here who truly make this site great. Its no ones “job” to do this work. I don’t think anyone is being paid.
People do this because of their interest in various ways of wanting to improve the vita experience.
I don’t need to defend anyone here, because if a person that is great, is on their own merits and accomplishments. So enjoy your improved vita and say thanks!
what is happening with SKFU’s PSV hacks?
I thought he was making the native hack for retail Vitas