Developer Davee released 3 days ago a webkit hack proof of concept for the PS Vita and Playstation TV. The exploit works up to firmware 3.20 included. The release sparkled a bunch of questions, so I think a quick explanation is needed here.

What can we do with this hack?

Long story short, if you’re asking the question, the answer for you is probably “nothing”. The hack, in its current form, just checks your vita browser for a specific vulnerability, and confirms if the vulnerability works or not. If it works, and if you are interested in future developments of this exploit for your vita, then the only thing you can really do as the end user is wait, and more importantly, not update your firmware.

Eventually, if you’re lucky, some homebrew support or other cool stuff might come out of this.

If you are on firmware 3.30, this exploit will not work for you. It is still interesting for you to try and not update, as, in general, the lower your firmware, the best from a hacking perspective.

Wait, this does not end here

Most of you will probably think this is useless and tell themselves, “well, I’ll come back in 3 months and see how it evolved”. I want to stress the fact that if everybody was thinking this way, console hacking would never make any progress. If nobody steps up now, the excitement could die and the hack will go nowhere.

This proof of concept is the very first step of hacking the vita to see what cool homebrew and stuff we can come up with in the future. But for now, the rest is mostly uncharted territory, except for the handful of people who did have this hack in their possession over the past few months.

In other words, now’s the right time to dig into the exploit yourself, and start and understand how it works, and how you can extend it. You might think, as an individual, that you do not have the “skills” to help the scene. For many of us, that might be true. But it is essential to understand that there is no “Vita hacking school”. The people who came up with these exploits and tools did not have “secret” knowledge available to them that is not available to you. Of course, they used their experience and knowledge in related fields (security, programming, hacking of other devices, you name it…), but the main fuel for console hacking is patience, motivation and free time.

---

---

Although I am not the best example out there, when I worked on HBL and the patapon PSP exploit back in 2009, I did not have any extensive hacking knowledge. I did, it is true, have a strong programming background which helped me dramatically, but what I want to insist on is that motivation and patience are the things that drove HBL to completion at the time. When we worked on HBL, I received lots of help from other people who had figured things out before me, for example m0skit0 (who wrote most of the code for HBL initially). The main reason these people trusted me with their time though, is that I had shown my motivation, I had shown that I had taken the necessary time on my own to dig into the existing information that google could send me.

Bottom line is, anybody can help at this point, because everyone now has access to the “difficult” first step: an entry point into the Vita’s memory (or at least the webkit bits). From there, you’ll probably have to take baby steps, such as “how do I connect to this netcat thing that CodeLion mentioned?”, or “***, I actually need to install linux for that?”. But trust me, every single step can be rewarding.

If you manage to run Codelion’s code (here: https://github.com/BrianBTB/codelion_poc) and interact between your vita and your server, you’ll be one of the maybe 30 people in the world who know more than anybody else. It’s not much, but it will take you to the next point, of understanding how to update the code, for example to dump the ram. Or things like that.

Others will probably make progress as well, maybe more skilled people than you. Once you show them that you have been able to run this or that code, you’ve proven that you have enough motivation for them to spend time helping you. After all, you might be the guy who finds the next vulnerability for 3.30 🙂

Now I won’t lie, if you have no programming skills or interest in programming whatsoever, there’s close to no chance you’ll be able to go very far. But anyone who has basic programming skills should be able to give it a try.



Really fantastic tool by a friend. Module dumps coming along nicely. Yes, that is vita memory pic.twitter.com/GPjn2q7cyg

— Brian B (@BBalling1) October 19, 2014

It is worth mentioning that this is a very time consuming hobby. Trial and error are the majority, and this can damage your relationship with your significant other, because it is so addicting.

What you can try next

These are the things I would try to understand myself in the days to come (assuming I had the time, sigh…)

• Understand the basics of ARM assembly (some documentation here, here, and a book here)
• Understand the basics of ROP programming (the basics on wikipedia, a nice intro to ROP here)
• Try to run CodeLion’s POC with netcat running on your machine: https://github.com/BrianBTB/codelion_poc
• Based on the newly-gained knowledge above, what are the gadgets that Davee’s exploit POC is looking for, what do they actually do?
• Some people on twitter (@bballing1 a.k.a. codelion, @173210) are already apparently dumping ram from the exploit. Try to reproduce.
• Scout /talk for any knowledge that others are willing to share on their own progress, and try to see if I understand it, and if I can reproduce their progress on my own