Native Vita Hacking: What’s the situation so far? (Part 2)
The other day I briefly touched upon the idea of using webkit as an entry point into native hacking, but I didn't mention the actual current state of webkit's development, so I'm gonna use this post exactly for that.
But it's not gonna be me who will talk about it, I'm gonna hand it over to a team member that's been a strong pillar in our quest for native Vita code execution. His name is CodeLion, known as bballing1 in /talk.
CodeLion has never been a big name within this scene, but he has been a member of the team for quite a while, and after dealing with life for a while, he came back a few months ago motivated enough to start development on webkit exploits. Soon enough, he found an entry point and has been developing it for a while.
Sadly, we found out (don't ask us how) that Sony will be updating webkit to a version that is invulnerable to our exploit, which means it will not be usable in later firmwares. CodeLion's post is mostly targeted at those with enough knowledge who are interested in helping the cause, so you can know where we're at and what is needed.
Here’s CodeLion’s part of the post:
Hey everyone
Shortly ago Acid_Snake posted about the state of the Vita scene, calling to the forefront yifan’s recommendations to go after webkit.
Well you may all be in for some good news. Around July of this year, I returned to the scene after a while’s absence and decided to dedicate myself to webkit. I founded a new team dedicated solely to hacking the native side of the vita, codenamed Project Mayhem and eventually named “team mayh3m.”
Over a period of 3 months we have been able to get nearly all the way through the process of exploiting webkit. The purpose of this post is to encourage you not to update to 3.20 if you desire to work with webkit, as well as to bring other developers up to speed in terms of where we are in the exploiting process. I will not be covering the basics of ASLR, DEP, ROP, or other security concepts in this paper. If you need to learn those you will want to study the “useful links” section.
The following link gives you a good idea of the difficulty and ease of exploiting webkit:
https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up—webkit-exploit/
Unfortunately the vita is not vulnerable to that exploit, however, I was able to find several other exploitable bugs in the vita webkit source. We currently have the ability to execute a single ARM instruction, 0xE7FE, which is equivalent to "while (1) {}". This is a classic proof of code execution as it causes the program to hang without crashing. It hangs in a very "clean" way as it were. I will be releasing the exploits required to get to that point as soon as Sony patches them. A patch is anticipated in 3.20 as it looks as if Sony is going to be pushing for parity with the browser on the PlayStation 4.
We also have the ability to dump the ram of the browser process. This is approximately equivalent to psplink’s savemem function. We are currently slightly stymied by ASLR, but expect to have full dumps of the process memory very soon.
The two exploits can be combined to begin a ROP chain to bypass ASLR and DEP. In theory, unsigned code running on the vita in usermode is only a few steps away.
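To make the proof-of-execution concrete, here is an added example (the editor's, not CodeLion's or team mayh3m's code) that decodes the halfword 0xE7FE. It is the 16-bit Thumb unconditional branch (encoding T2, top five bits 11100) whose 11-bit immediate works out to an offset of -4 from the pipeline PC (address + 4), i.e. `b .`: the instruction branches to itself forever, which is exactly the "clean hang" described above. The encoder shows how the same marker is built for any address, and the classifier contrasts it with Thumb `udf` (0xDE00..0xDEFF), which faults instead of hanging. The addresses used are arbitrary.

```javascript
// Added example (editor's, not team mayh3m's code): decode and encode the
// 16-bit Thumb unconditional branch, encoding T2 = 11100 imm11, to show why
// the halfword 0xE7FE hangs cleanly: it is "b .", a branch to itself.

// Sign-extend the low `bits` bits of `value` into a JS signed integer.
function signExtend(value, bits) {
  const shift = 32 - bits;
  return (value << shift) >> shift;
}

// True if the halfword is a T2 unconditional branch (top 5 bits = 11100).
function isThumbB(insn) {
  return (insn & 0xf800) === 0xe000;
}

// Branch target of a T2 `b` located at `addr`. In Thumb state the PC value
// used for the offset is the instruction address + 4.
function thumbBTarget(addr, insn) {
  if (!isThumbB(insn)) throw new Error("not a 16-bit Thumb b");
  const imm11 = insn & 0x7ff;
  const offset = signExtend(imm11 << 1, 12); // offset = SignExtend(imm11:'0')
  return (addr + 4 + offset) >>> 0;
}

// Encode `b` from address `from` to address `to` (halfword aligned, in range).
function thumbEncodeB(from, to) {
  const offset = to - (from + 4);
  if (offset & 1) throw new Error("targets must be halfword aligned");
  if (offset < -2048 || offset > 2046) throw new Error("out of range for T2 b");
  return 0xe000 | ((offset >> 1) & 0x7ff);
}

// Classify a halfword at `addr`: the self-branch hangs without a fault, while
// Thumb `udf #imm8` (0xDExx) is the permanently undefined instruction and traps.
function classify(addr, insn) {
  if (isThumbB(insn) && thumbBTarget(addr, insn) === addr) return "hang (b .)";
  if ((insn & 0xff00) === 0xde00) return "crash (udf)";
  return "other";
}

// Walk through the post's marker at an arbitrary address.
const MARKER_ADDR = 0x81000000; // arbitrary, not a real Vita address
console.log(
  "0xE7FE at", MARKER_ADDR.toString(16), "branches to",
  thumbBTarget(MARKER_ADDR, 0xe7fe).toString(16), "->", classify(MARKER_ADDR, 0xe7fe)
);
```

The decoder confirms the post's claim from the bits alone: imm11 = 0x7FE, shifted left once and sign-extended from 12 bits, is -4, and -4 plus the pipeline PC lands back on the instruction. Anything that decodes to a different target or to `udf` is not a clean hang, which matters when you want to tell "I control pc" apart from "I corrupted something and it fell over".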
I’ve got a collection of links and information below for you. The workflow should be as follows:
Search through CVE reports and bugtracker information for various webkit ports and find exploits that look promising (and have been patched in the latest version)
Look at the changelog to determine how the code has been changed to patch the exploit
Check if Sony's webkit source has been patched for the exploit
Download or create a test for the exploit and run it on the vita
If you get a reload loop (the vita browser will turn grey and say “please wait”) the browser is vulnerable to that exploit!
Now go figure out how to exploit it! I’m not gonna give you everything haha…
What you will need to help with the vita exploiting process:
SceWebkit source: http://www.scei.co.jp/psvita-license/webkit.html
Apache Server: http://www.wampserver.com/en/
A vita: http://www.amazon.com/PlayStation-Vita-Wifi/dp/B003O6EATE/ref=sr_1_2?ie=UTF8&qid=1411330952&sr=8-2&keywords=vita
What I recommend for working with webkit:
NotePad++
VMWare or equivalent running Ubuntu 11.04
Some Useful Links:
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html
Some very useful links:
https://bugs.webkit.org/
http://www.exploit-db.com/
https://cve.mitre.org/index.html
What you are expected to know:
Have a decent understanding of c++ syntax
Have a decent understanding of modern exploit mitigation techniques (DEP, ASLR, etc)
Have a strong understanding of computer science and security in general
So in summary, the vita exploiting workflow is not all that much more complicated than the PSP exploiting workflow, except instead of trying lots of PSP games for crashes, you are trying lots of HTML files.
A release is imminent with an HTML file capable of dumping the Webkit process memory
A release is coming within the next months capable of running unsigned code through ROP chain
Future steps include a compiler to ROP, allowing any ordinary developer to compile code for the native vita. That's right, some day quite soon, anyone will be able to compile a hello world for the native vita.
Happy Hacking!
CodeLion
For the end user this means that there are a few things that need to be done to get homebrews working: a ROP compiler, an SDK and enough homebrew developers interested in coding homebrews that take advantage of what the exploit has to offer. Fortunately those things are easy to do (and we are in the process of doing it: we have people working on ROP, and codestation and I are working on the SDK), except for the homebrew developers part.
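To show what the "compiler to ROP" mentioned above has to emit at its lowest layer, and why CodeLion's chain is "slightly stymied by ASLR", here is an added example (the editor's, not team mayh3m's or the SDK's code). Gadgets and functions are only known as offsets inside a module; ASLR moves the module's base, so the chain is built from offsets, rebased on the base recovered from the memory dump, and serialized as the little-endian 32-bit words that overwrite the stack. Every offset, the module base and the filler value are hypothetical placeholders, not real Vita addresses, and the gadget shapes (`pop {r0, pc}` and friends) are the generic ARM ones, not gadgets from SceWebkit.

```javascript
// Added example (editor's, not team mayh3m's code): the bottom layer of a
// "compiler to ROP". The chain is built from module-relative offsets and
// rebased on the leaked base so the same layout survives ASLR. All offsets
// are hypothetical placeholders, not real Vita addresses.
const GADGETS = {
  // Odd offsets: bit 0 set keeps the CPU in Thumb state when pop {pc} loads them.
  POP_R0_PC:    { off: 0x00001235, pops: ["r0", "pc"] },
  POP_R1_PC:    { off: 0x00001241, pops: ["r1", "pc"] },
  POP_R2_R3_PC: { off: 0x0000124d, pops: ["r2", "r3", "pc"] },
};

// Steps that load r0..r3 with `args` and then enter the function at `fnOff`.
// `frame` is how many callee-saved registers the function's own epilogue
// pops before pc (1 for `pop {r4, pc}`), so the chain resumes after them.
// Leaf functions that return with `bx lr` are NOT handled here: for them lr
// must first be pointed at a chain-continuation gadget.
function callWithArgs(fnOff, args, frame) {
  if (args.length > 4) throw new Error("at most four register arguments");
  const steps = [];
  if (args.length > 0) steps.push({ gadget: "POP_R0_PC", set: { r0: args[0] } });
  if (args.length > 1) steps.push({ gadget: "POP_R1_PC", set: { r1: args[1] } });
  if (args.length > 2) steps.push({ gadget: "POP_R2_R3_PC", set: { r2: args[2], r3: args[3] || 0 } });
  steps.push({ call: fnOff, frame: frame });
  return steps;
}

// Lay the steps out as stack words rebased on `base`. Each gadget word is
// followed by one word per register it pops; its `pc` slot is simply the
// next entry, which is how control flows from gadget to gadget.
function buildChain(base, steps) {
  const words = [];
  for (const step of steps) {
    if (step.gadget) {
      const g = GADGETS[step.gadget];
      words.push((base + g.off) >>> 0);
      for (const r of g.pops) {
        if (r === "pc") break;
        words.push(((step.set && step.set[r]) || 0) >>> 0);
      }
    } else {
      words.push((base + step.call) >>> 0); // fills the previous gadget's pc slot
      for (let i = 0; i < (step.frame || 0); i++) words.push(0xdeadbeef); // callee's pop {r4..} slots, filler
    }
  }
  return words;
}

// Serialize for the target: 32-bit little-endian, as the ARM stack holds them.
function chainToBytes(words) {
  const buf = Buffer.alloc(words.length * 4);
  words.forEach((w, i) => buf.writeUInt32LE(w, i * 4));
  return buf;
}

// Demo: call a hypothetical fn(0x11, 0x22, 0x33) at offset 0x2001 in a module
// whose base was read out of the dump as 0x81000000 (hypothetical value).
const DEMO_BASE = 0x81000000;
const DEMO_STEPS = callWithArgs(0x2001, [0x11, 0x22, 0x33], 1);
console.log(buildChain(DEMO_BASE, DEMO_STEPS).map((w) => w.toString(16)));
```

The point of separating `callWithArgs` from `buildChain` is that only the last step depends on the leaked base: a ROP "program" is written once against offsets, and the dump-derived base is applied at trigger time. Rebuilding with a different base shifts every gadget and function word by the same delta while argument words stay put, which is the property the chain needs to survive ASLR.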
But there’s one more thing to overcome: NID poisoning. But I will leave that for the next post.
Pole
Shameless whoring: If anyone wants to send me PSN cards so I can buy myself Persona 4 Arena, hit me up on /talk.
lol.
I’m more broken than Akuma in SSF2T
Lol this is the internet equivalent to standing under a bypass with a cardboard sign.
Except CodeLion is definitely spending your donation on “booze,” whereas the homeless person might really need help. He did make a Street Fighter joke, though, so it’s not like he’s above working for his donations. lol
Why would you get Persona 4 Arena when the sequel, Persona 4 Arena: Ultimax is coming out in a week?
My college has a FGC club and P4A is one of the games. It's the only one I'm remotely good at, for some reason. I don't think we'll be switching to Ultimax.
./derail
A release is coming within the next months capable of running unsigned code through ROP chain
this is not trolling, is it?
within next months we will have a working native Vita homebrew???
Unsigned code isn’t quite homebrew. We might have a hello world, but remember, people will need to program the homebrew, which takes time.
This would be pretty cool, if it can be done. It may get me back into making homebrew.
It depends if they can find a way to get native code to run via ROP. Running ROP itself isn't necessarily homebrew (you can't execute any code that isn't already in memory so you don't have 100% control). Look at the situation of Gateway on 6.3 3DS, that's where the Vita is at: a way to ROP but no way to run native code (yet).
it sounds as if someone already has their hand on it (the exploit)
Amazing! Glad to see that if Sony isn't loving the PS Vita, this scene is!
Great work, sounds like it's not going to be as hard as a lot of people thought
It's actually just as difficult, except work being done underground in the past is now coming to light.
Fap fap fap fap fap fap fap fap
I understood some of those words.
Does this mean soon we will able to download and not pay for vita games??? This is awesome!!!!!!!!!!!!!
pirating is not awesome and it is not condoned here.
Ah ah,yeah right,like Wololo is trying to avoid that.
acid_snake thanks for alerting sony and getting rid of the webkit exploit just like the epsp fiasco
dumba55
They would fix it anyway with the new 3.20 as already mentioned. You're the real ***.
Stay on 3.18 when you want the native usermode exploit or its your own fault.
@thewolf16
still thanks to acid_snake we lost 2 exploits-webkit and the epsp
Well by what I see it runs in the browser and that does not have enough power. It's like VHBL on the PSP emulator. It's sandboxed. But because the code's running natively someone may find a way to break out and have full control.
LeK, what I think personally is irrelevant. If only for legal reasons, we do not condone piracy on this site. End of story.
Then why the pirate flag under the word HACKERS!?
I mean hackers aren’t pirates, right, RIGHT!?
ROFLMAO
Statements like this one make me wish that the exploit devs would fail.
Piracy & illegal backups do not kill consoles. They increase hardware sales EXTREMELY drastically, and also to point out, if Sony see their hardware sales increasing, they’re still going to make games for the vita, or even support it even more than they currently do right now in-fact, because if people want free games and see a larger selection on the library, that will motivate them to get a PS Vita, or buy another one when it breaks. There are still the 60/40% that won’t pirate and Sony will still receive a very generous profit from genuine vita owners.
The actual problem with piracy is definitely driving the 2nd – 3rd party game developers away, which still won’t entirely ruin the Vita.
It’s failing in sales enough as it is, even with a lack of games and most composing of ports. The vita NEEDS a kick starter. It needs to be energised.
There is a chance of piracy. But I wouldn’t bet on it.
Piracy in general is a side-product of hacking a device like a console. Because, in general, the reason for hacking a video game console is to jailbreak it to be able to do something that it is not supposed to (running a home-brew application). As such an application may be an ISO tool on a jailbroken PSP, for example, it was very easy to make the console believe the UMD of a retail game is in its drive.
From what I understand, PS Vita games have more security measures than PSP games had. So it won't be sufficient just to run a home-brew ISO loader which loads a Vita game ISO. So further hacking of the security might be required. But the hackers have already achieved their aim at this point: running home-brew applications on the Vita. So there will be few, or at least fewer, hackers who will go on to hack the remaining security measures.
So I believe there might be a state in which we will be able to run home-brew software on the Vita without PSM or an ePSP exploit, one that might actually use the full potential of the Vita's hardware (multi-CPU, GPU, RAM, touch interfaces, the screen's full resolution, buttons, sticks, gyroscope, etc.) while there might still be no piracy involved, which I would love.
^^What he said. My hope is that we will be able to get bugless homebrew loading without needing to break the security far enough to allow piracy. We don't need piracy on the Vita, it's struggling enough already.
True but piracy is inevitable however vita games may require something that has never been thought of . I should study c++ so I can understand a bit more
Although learning C++ is necessary, it's by far the easiest part of the work. You need to know computer architecture and assembly concepts, as well as toolchains. C++ is just another language =]
It would be the best of both worlds. Emulators without hurting game devs. Although I wonder if an exploit using webkit would be constrained by its sandbox somehow, aka less memory, cores, no GPU acceleration and so on (the same way VHBL homebrews do in the ePSP environment).
Or even if it's not the case now, maybe Sony would further sandbox the Vita browser and limit all homebrew executed via any known webkit exploit forever.
So even if they don't patch every exploit that may show up now or in the future, all of them would be crippled by the said sandbox.
Would you care to enlighten me if that could be the case? And awesome work, btw.
Without a kernel exploit, the best you can do is something like VHBL (UVLoader) for vita. Aka, no piracy.
no piracy for Vita’s games but piracy for others compatible emulators =), well anyway congratz to team mayh3m for this!!
No, this is a user mode exploit. Homebrew only. (and they’re not there yet, plus the homebrew doesn’t yet exist)
ENOUGH WITH WANTING PIRACY! Look, I pirate a lot myself! But right now the last thing we need for the Vita is native piracy. Sony just isn't supporting the Vita enough right now to justify piracy. Now what do I mean by that? See… I also firmly believe that 1 pirated copy does not equal 1 lost sale! Most of the time it's the direct opposite. ESPECIALLY for people like me, who use piracy as a means to demo the absolute finished product (besides of course expansions/bug fixes), whereas most demos are horribly outdated and don't show off the finished product at all.
So back to my original point – with the Vita being so poorly supported by Sony, if native piracy happens, EVERYONE and their brother will stop buying the majority of the games they want for the Vita, and instead pirate most of them and only buy say 1-2 copies (increase figures depending on your personal spending habits. Or *shudders* decrease). Thus saving them money for more PS4 titles/more Xbox One titles/more PC titles. So even though my wallet/financial situation would absolutely LOVE for native Vita piracy to actually happen… even though I'm an avid pirate, I cannot support this stance!
THE VITA DOES NOT NEED FULL PIRACY RIGHT NOW! It will DESTROY THE PLATFORM! Again this is coming from someone who believes that ONE pirated copy does not equal ONE lost sale. But the opposite in most cases. (As I personally end up buying the majority of the titles I like that I've pirated. Sometimes several copies depending on the quality of the game/publisher/indie status)
So… if a diehard “pirate” doesn’t want the vita to succumb to full piracy, that should tell you something!!!
I'm against piracy myself, but just for the record piracy has never killed a platform! PSP had crazy piracy but still sold like 80 million units.
But anyways, very informative thread guys! I shall be staying on 3.18 for the foreseeable future so I can have the best chance at native exploits!
Very exciting time =D
Why do you need a ROP compiler for homebrew?
I guess you can make a binary loader if you have sceKernelAllocCodeMemBlock.
You’d need a kernel exploit in vita mode for that.
Unless you have a kernel exploit, you won’t be able to call sceKernelAllocCodeMemBlock, and if you do, you still need ROP to trigger the kernel exploit.
Not true, you don’t need a kernel exploit just a userland exploit in the right app. (vsh hacking anyone?)
Seems like http://blogs.unity3d.com/2014/06/20/unity-for-playstationmobile-full-release/ could be put to better use than just porting mobile games.
You should see the source code of UVLoader.
https://github.com/yifanlu/UVLoader
The most important thing is whether it has a stub of sceKernelAllocCodeMemBlock.
Btw that’s not the actual name for that function, just something I came up with. Confusing, sorry.
Oooh, so many devs in this one comment.
Outstanding I’d Love To Have Direct Access To Emulators From My Home Screen One Day!
The advantage does not only lie in having them directly on the home screen, but also the ability to use the Vita's full hardware, instead of only what the ePSP grants. And with hardware I mean not only CPU, GPU, RAM but also touch interface, full resolution, both sticks, gyroscope, etc.
No homebrew on homescreen without kernel access, you still need to open web browser and trigger the exploit and launch the homebrew (or homebrews) there, like you would a PSP game.
Link is broken in article, here is the MWR labs exploit writeup
https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up—webkit-exploit/
Wow. Didn’t expect something so soon. Looks like I really will have to stay on 3.18 and skip the theme update :O
Just to clarify, would this allow access to the full scope of the Vita's hardware? CPU, RAM, dual analogs, touchscreen, back pad etc.
True vita homebrew would be amazing, wonder if the daedalusx64 team are still active, a vita port of their n64 emulator would be absolutely amazing…
We’re not entirely certain what we will have access to, there are still some layers to defeat. Like Acid_Snake added, NID poisoning is going to be real tricky to get around.
The point is, major progress is being made.
@CodeLion As the old Dark_Alex teaches us once you have found the possibility of writing you can not do a downgrade to an older firmware is to see if there are other exploits to exploit? I think it’s a feasible idea : D
Ahh I miss this kind of stuff from the old psp days. This is going to be awesome. Not sure if you all remember how crazy the psp scene was when it came to cracking the system.
Sadly the first years of Vita hacking were a bit ho-hum but from here on out we're going to see some interesting developments
Any of you guys remember the memory stick swap exploit from the psp firmware 1.5 days? Those are the days heh
An open sdk..that does sound nice.
Tell you what. You give us an open SDK, and as my first homebrew I'm gonna write a text-based adventure that tells the story of the Vita scene in a really dynamic way.
Damn you for getting me this excited.
Will there be a list of the available functions of the sdk before it gets released so we can already learn them to speed up the creation of homebrew? 🙂
so you are saying that if we update past 3.18,we are out of luck?(end user)
yes, Sony will patch this in future updates, so until we (or someone else) finds another webkit exploit, there won’t be any of this for anything above 3.18 for a while.
I’ve always said that webkit is the opening, but it’s not that much useful beyond that. Once you get all the memory dumped, you should have a lot of shared libraries. Libraries that are used in system apps and vsh. That should be your next target. Since those apps have more syscalls enabled, you can attack the kernel easier.
My personal thoughts: ROP is great for exploit development and testing but it will NEVER work as a complete homebrew solution. (Look at 3DS, they had ROP on 6.3 but never did anything with that and are waiting for a native code exploit). Aside from it being very hard to write a ROP compiler especially with the kind of instructions in Vita code, it’s also very slow (no optimized code obviously) and so on. The sole purpose of ROP should be to get enough control to get native code running. It’ll be a one-shot thing.
yifan can you connect to hangouts? I got some questions and you seem the best suited to answer them.
Hi BigBoss,
i am big fan of your work 🙂
and i wish you luck.
i just want to add this(i am total noob at this thing though)
back in the PSP hacking days… I don't remember correctly, there was a guy who ran unsigned code on his unit with the help of a "JTAG hack"
i dont know if that would be possible on vita though ?
You should Know Better Boss 😉
It's big, big progress; we only need to wait, after that something better might appear with this.
In the future, will the Vita run a PS2 emulator?
No.
The PS3 can barely emulate it.
unlocked, the Vita has hardware nearly comparable to the PS3
It’s not even nearly close to the PS3.
isn't the PS Vita like the 5th PlayStation, V means 5. When PS4 comes out, the PS Vita will have its hardware unlocked and will be the PlayStation 5 I believe.
@ekans_niger are you high? ofc not, if Vita is capable as what you claimed, then Sony already unlock the full power at this moment, because it’s not selling so well, so they could port every PS4 games, i don’t think they would let it pass. As much as i wish it to be true, it’s impossible.
Brilliant news,
If this means that we can run homebrew then I am all for it. I would love to see a media centre similar to what the ps3 has – especially dlna support. Streaming media to the vita would be amazing.
Even if we don't get a full CFW but a small HEN or Vita loader that would be epic.
I hope you get everything you need in the next couple of months. Good luck guys!
I like the way you think. +1
can it also emulate the PS2 hardware or would it require too much effort? thanks
I just want to run emulators on my vita. We can save pirating for when the vita loses server support.
I hope this comes out soon. So many games out there I don’t want to pay for and with this you can just get any game you want, great job Acidsnake!
You’re dumb.
Why do all the idiots want to ruin the handheld, the amount of games on it isn't even WORTH trying to pirate them. Like 80% of them are just re-releases. Leave pirating out of the Vita, it's what killed the PSP…
Ignorant *** anyone who thinks piracy kills a console is just plain stupid. The psp was the best selling handheld for a long time it’s software sold a lot too. Just like the ps2.
How come you think piracy could kill a console?… how long has the PSP been with us?… when were you born?… besides… here they are talking about hacking not piracy, hacking gives you the possibility to develop the full capacities of the Vita… when talking about piracy, as a gamer, it sounds like a cheap gamer… just a fan… not a gamer… gamers respect all the effort behind the development of the game…
Trolololo more next time!
P.S: Guys, remember not to feed the trolltards!
Aw man you always leave off on a cliffhanger haha
I want to apologize for how rude I responded last time, it seems you really do have a handle on things! All the more power to you.
I was just very skeptical considering the drama that unfolded and what others were claiming to be true. Still not sure why you “credited” qwikrazor in the previous post considering he obviously didn’t help voluntarily but it’s none of my business. Just keep making progress and I’ll be happy
run a psp eboot on a hacked 202 uno psvita exploit
the eboot must have remotejoy server
the eboot must have pcsx2-online
voila soccom online on vita
now qcma ycma
by the way qcma and cma and opencma don't work on 3.18
verify ?
Dreamcast on psvita =D
pirating is awesome, thank you pirates and hackers for all your hard work, if not for you I would have had to buy games and movies and mp3s
“I like these things but I don’t want to support them.”
Go get a job, kiddo.
I got a job kiddo, I just don't wanna buy
So McDonald's still paying 5 bucks an hour? Or did you get a pay rise for blowing the manager of burger affairs bahaha!
AnimeMaster, I don't blame you for wanting to pirate things, I mean you would need to flip like 1337 burgers just to get a $10 PSN card bahahaha!
Tard!
You might have a list of available emulators ?
Perhaps they could be:
1) Nintendo Wii => WOOOW
2 ) Nintendo DS => WOOW
3 ) NITENDO 3DS => WOOW
4 ) PS2 => EMM.. SLOW => WOOW
5) NINTENDO 3DS => WOOW
6) Android Games => WOOW
7) Running Android OS => WOOW
This is just a dream of mine , maybe ..
DS maybe… good luck on the rest ding dong.
I also would like to have this for emulators. A vita using full power to emulate would be awesome. i can think of Dreamcast, Sega Saturn, M.a.m.e (better compatibility) also to the list.
I don’t care for Vita games. Pirating vita games would hurt the Vita scene overall. I have a second vita for vita games, and playing online for me is the way to go.
Yes, 3DS emulator, the Vita probably could do it with a decent JIT. After all the 3DS is not really far away from PSP spec, moreover it uses the ARM architecture.
I’m still *** with Capcom 240p MH4
Android OS, yep, with kernel exploit, thanks for opensource license.
But, thinking of something like a **controller emulator for PC**, is it possible in the short or long term?
think of a Vita Gamepad for PC. xD!!!!
That already exist using PSM…
I love how nobody but the normies are stupid enough to talk about piracy, I would be amazed if we had a native vita hack simply for wagic or something along those lines. “Imagine the homebrew it could run!” Thought no normie ever, it’s all about being lazy and stupid. I’m sorry I just really like the Vita and all the piracy talk leads to it dying faster.
The piracy ‘talks’ lead to nowhere, until you have actual piracy. So you say that if I start talking about PS4 piracy, it will die faster?? lol
Just ignore his comment’s he’s a ***.
A ***? god, dont give him THAT much credit!
Another thought….
If this could just remove AVLS I would be all set.
You can disable or enable that on the system settings…
OHMYGOD this is why Aliens never come to earth.
And it re-enables itself after 20 hours! Read the popup after disabling it!
What? Mine doesn't do it.
very difficult for the amount of software tools kits.
Guys you are the Best 🙂 Good Job and very very good luck 🙂 Surprise us 🙂
this is really exciting news!! Kudos to everyone working to unlock the Vita. I would love to see an Android build for Vita (yeah I know how likely that is, but I can dream). Imagine getting Android, an HDMI cable that connects to the 'mystery port' on the older models, and a dual boot system (Android or native)
Brutal doom on vita?
Guess I will get a vita tv after all because Im about to lose remote play… Trade ins…. ” I didnt really like Metro Redux anyway.”
looks cool. Don't like people thinking hacking is for pirated stuff. I want my game cheats, PSP Filer (or equivalent), and Bookr (or equivalent). Loved so much of the old homebrew community, it'd be really nice to see what they can do if they get all the Vita's resources
When they unlock for full power of the Vita’s hardware, I will do a *** little happy dance in the middle of my street screaming ITS HERE!!! THE VITA HAS A USEEEEE!!!! LOL
I've been a Sony hater for 20 years, but I'd get a Vita if it runs a Model 2 emulator, to play Sega Rally on a handheld.
I don’t care about Vita isos, If I want a Vita game then I’ll buy it, they’re available anywhere. What’s interesting is in the homebrew scene, to get what we can’t have right now.
O YEEEEES I LOVE YOU C’MOOON NATIVE HACK NOW!!! <3 <3
I'm sorry for asking such a stupid question, but if you can run unsigned code doesn't this mean that in theory you could find a way to install .pkg files that haven't been signed as DRM-free by Sony?
Well I don’t mean that Acid_Snake CAN run it but if he somehow does pull this .