Vita hack: what you can and can’t do with the recently released Webkit hack
Three days ago, developer Davee released a WebKit hack proof of concept for the PS Vita and PlayStation TV. The exploit works on firmware 3.20 and below. The release sparked a lot of questions, so a quick explanation is in order.
What can we do with this hack?
Long story short, if you're asking the question, the answer for you is probably "nothing". The hack, in its current form, only checks your Vita's browser for a specific vulnerability and confirms whether or not that vulnerability works. If it works, and if you are interested in future developments of this exploit for your Vita, then the only thing you can really do as an end user is wait, and, more importantly, not update your firmware.
Eventually, if you’re lucky, some homebrew support or other cool stuff might come out of this.
If you are on firmware 3.30, this exploit will not work for you. It is still worth not updating, as, in general, the lower your firmware, the better from a hacking perspective.
Wait, this does not end here
Most of you will probably think this is useless and tell yourselves, "well, I'll come back in 3 months and see how it evolved". I want to stress that if everybody thought this way, console hacking would never make any progress. If nobody steps up now, the excitement could die and the hack will go nowhere.
This proof of concept is the very first step of hacking the vita to see what cool homebrew and stuff we can come up with in the future. But for now, the rest is mostly uncharted territory, except for the handful of people who did have this hack in their possession over the past few months.
In other words, now is the right time to dig into the exploit yourself, start to understand how it works, and see how you can extend it. You might think that, as an individual, you do not have the "skills" to help the scene. For many of us, that might be true. But it is essential to understand that there is no "Vita hacking school". The people who came up with these exploits and tools did not have "secret" knowledge available to them that is not available to you. Of course, they used their experience and knowledge in related fields (security, programming, hacking of other devices, you name it), but the main fuel for console hacking is patience, motivation and free time.
Although I am not the best example out there, when I worked on HBL and the Patapon PSP exploit back in 2009, I did not have any extensive hacking knowledge. I did, it is true, have a strong programming background, which helped me dramatically, but what I want to stress is that motivation and patience are the things that drove HBL to completion at the time. When we worked on HBL, I received lots of help from other people who had figured things out before me, for example m0skit0 (who wrote most of the code for HBL initially). The main reason these people trusted me with their time, though, is that I had shown my motivation: I had shown that I had taken the necessary time on my own to dig into the existing information that Google could send me.
Bottom line: anybody can help at this point, because everyone now has access to the "difficult" first step, an entry point into the Vita's memory (or at least the WebKit bits). From there, you'll probably have to take baby steps, such as "how do I connect to this netcat thing that CodeLion mentioned?", or "***, I actually need to install Linux for that?". But trust me, every single step can be rewarding.
If you manage to run CodeLion's code (here: https://github.com/BrianBTB/codelion_poc) and get your Vita and your server talking to each other, you'll be one of the maybe 30 people in the world who know more about this than anybody else. It's not much, but it will take you to the next point: understanding how to update the code, for example to dump the RAM, or things like that.
Others will probably make progress as well, maybe people more skilled than you. Once you show them that you have been able to run this or that code, you've proven that you have enough motivation for them to spend time helping you. After all, you might be the one who finds the next vulnerability for 3.30 🙂
Now I won't lie: if you have no programming skills or no interest in programming whatsoever, there's close to no chance you'll be able to go very far. But anyone who has basic programming skills should be able to give it a try.
Really fantastic tool by a friend. Module dumps coming along nicely. Yes, that is vita memory pic.twitter.com/GPjn2q7cyg
— Brian B (@BBalling1) October 19, 2014
It is worth mentioning that this is a very time-consuming hobby. Most of the time goes into trial and error, and it can damage your relationship with your significant other, because it is so addictive.
What you can try next
These are the things I would try to understand myself in the days to come (assuming I had the time, sigh...):
- Understand the basics of ARM assembly (some documentation here, here, and a book here)
- Understand the basics of ROP programming (the basics on wikipedia, a nice intro to ROP here)
- Try to run CodeLion’s POC with netcat running on your machine: https://github.com/BrianBTB/codelion_poc
- Based on the newly gained knowledge above, work out which gadgets Davee's exploit POC is looking for, and what they actually do
- Some people on Twitter (@bballing1 a.k.a. CodeLion, @173210) are apparently already dumping RAM from the exploit. Try to reproduce that.
- Scout /talk for any knowledge that others are willing to share about their own progress, check whether I understand it, and see if I can reproduce their progress on my own
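To give the "what gadgets is the POC looking for" item above something concrete to chew on, here is an added example (my own illustration, not code from Davee's or CodeLion's POC): once you have a module dump in an ArrayBuffer, the natural next step is to search it for the instruction encodings that end ROP gadgets. The scanner below looks for three well-known endings, the Thumb-16 `pop {..., pc}` (0xBD00 to 0xBDFF), the ARM `bx lr` (0xE12FFF1E) and the ARM `ldr pc, [sp], #4` that assemblers emit for `pop {pc}` (0xE49DF004). The 64-byte "dump" and its load address (0x81000000) are constructed for the demo and are not real Vita addresses.

```javascript
// Added example, not from the original post or from the Vita POC itself.
// Scans a little-endian ARM/Thumb code image for common ROP gadget endings:
//   Thumb-16  pop {..., pc}     encoding 1011 110 1 <reglist> -> 0xBD00..0xBDFF
//   ARM       bx lr             0xE12FFF1E
//   ARM       ldr pc, [sp], #4  0xE49DF004 (what "pop {pc}" assembles to)
// The image and load address below are constructed for the demo.

const DEMO_BASE = 0x81000000; // hypothetical load address of the dumped module

const ARM_BX_LR = 0xe12fff1e;
const ARM_POP_PC = 0xe49df004;

// A Thumb-16 POP includes the PC when bit 8 of the 0xBCxx encoding is set.
function isThumbPopPc(halfword) {
  return (halfword & 0xff00) === 0xbd00;
}

// Decode the low 8 bits of a Thumb POP into register names (r0..r7), plus pc.
function thumbPopRegs(halfword) {
  const regs = [];
  for (let i = 0; i < 8; i++) {
    if (halfword & (1 << i)) regs.push('r' + i);
  }
  regs.push('pc');
  return regs;
}

// Return every gadget ending found in `bytes`, with the address it would
// have if the image were loaded at `base`, sorted by address.
function findGadgets(bytes, base) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const found = [];

  // Thumb code is halfword aligned, so test every 2-byte offset.
  for (let off = 0; off + 2 <= bytes.length; off += 2) {
    const hw = view.getUint16(off, true);
    if (isThumbPopPc(hw)) {
      found.push({
        addr: base + off,
        mode: 'thumb',
        insn: 'pop {' + thumbPopRegs(hw).join(', ') + '}',
      });
    }
  }

  // ARM code is word aligned, so test every 4-byte offset.
  for (let off = 0; off + 4 <= bytes.length; off += 4) {
    const word = view.getUint32(off, true);
    if (word === ARM_BX_LR) {
      found.push({ addr: base + off, mode: 'arm', insn: 'bx lr' });
    } else if (word === ARM_POP_PC) {
      found.push({ addr: base + off, mode: 'arm', insn: 'ldr pc, [sp], #4' });
    }
  }

  found.sort((a, b) => a.addr - b.addr);
  return found;
}

// Constructed 64-byte "dump": zero filler with three gadget endings planted in it.
function buildSampleImage() {
  const img = new Uint8Array(64);
  img.set([0x10, 0xbd], 0x10);             // pop {r4, pc}      (0xBD10)
  img.set([0x1e, 0xff, 0x2f, 0xe1], 0x20); // bx lr             (0xE12FFF1E)
  img.set([0x04, 0xf0, 0x9d, 0xe4], 0x30); // ldr pc, [sp], #4  (0xE49DF004)
  return img;
}

function hex(n) {
  return '0x' + n.toString(16).padStart(8, '0');
}

for (const g of findGadgets(buildSampleImage(), DEMO_BASE)) {
  console.log(hex(g.addr), g.mode.padEnd(5), g.insn);
}
```

Two caveats a real scan has to deal with: a 0xBDxx halfword can just as easily be data or the tail of an ARM word, so every hit needs to be confirmed by disassembling the bytes in front of it; and when a Thumb gadget is placed in a chain, its address must have the low bit set so the processor switches to Thumb mode when it jumps there.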
I wish I could understand more of the code.
I will try to help as much as possible.
Let's hope good things come out of this.
Fingers crossed 🙂
Wish I didn't upgrade to 3.30, though this and the fact that a lot of people are behind it have given me the motivation to look into how these hacks work and teach myself so I can try and find an exploit in 3.30. Also going to save a bit of money and might buy a second-hand Vita to test on, as I would like to put my experience/small knowledge of assembly and my knowledge of C etc. to use.
Welp, time to go digging. This will be way too much fun.
"this can damage your relationship with your significant other, because it is so addicting"
That is the moment I realised I don't have the time.
I keep following the scene; when I have time I game a little, watch some series or movies with the wife, and that's basically it when we're at home.
Lucky to have you guys out there dedicated and everything!
Ok, I accept the challenge. My programming skills could be helpful.
Wololo, man, not a lot of people do what you just did. You actually encouraged people to go do something, instead of putting them down and blatantly insulting them.
Though sadly I can't be up to the task (plus I only have minimal knowledge of C#) because of school, I feel like what you just typed there inspired a lot.
Keep dreaming guys. Future of the vita is almost here.
Too bad, I don't have a spare Vita to keep on a lower firmware.
Worth noting: the tool shown in those tweets is not released, and the author is not interested in making it public. It is, however, nothing that could not be programmed using the signature search JSarraybuffer modification in my POC and some simple scripting.
Time to port Linux to the PS Vita.
So do you just run netcat, or do you also run netcatproxy?
Could we expect some sort of remotejoy?
Read userscript browser
and proxy in terminal,
next to the netcat
and jsarraymod9?
@wololo I need an article explaining how the exploit works. Any links to the original WebKit source?
The html file itself is self-explanatory... do you need more than that?
Just google "exploiting webkit", read the source of this exploit's htm file, and if I can find it I'll post the link to the wiki page of WebKit exploits.
Does this exploit work on PS3? If it does, it can be a big step forward in hacking the new "unhackable" PS3s, since most of the security system (and, more importantly, the keys) is well known.
No it doesn’t work on the PS3.
Also, the important keys are not known and probably never will be; if they were known, we would have CFW on 4.60 at the moment...
Actually, this exploit works on a higher level than a standard CFW, so we don't need private keys, just like in the PSJB days when we didn't even have any key at all but it worked anyway. If this works we could just sign a custom LV1/LV2 and it may work.
http://joncraton.org/blog/46/netcat-for-windows/
This helps you run netcat on Windows in the first place.
Next you run and host the code on your local webserver
or on a network server,
then you try it on your Vita and edit it along the way.
Meh... I'll just come back in 3 months to see how far it's gotten. You can't just start programming like this.
Lol
lol
LOLZ!
Yeah, I really just, uh... yeah, I want to learn this stuff but I really don't understand how in the heck I'm supposed to do this stuff... could be I'm just stupid.
I wish I had programming knowledge, but it's not my field (studying architecture) and I know absolutely nothing about coding; I'd gladly help the community. I like to read about the progress that is being made, it's really interesting, and I'm thankful to those working hard to do all of this. Like it or not, the Vita is almost dead; I find myself playing more on my cellphone or Nintendo 3DS, or even NDS, than my Vita. This could bring really interesting things to the Vita: imagine RetroArch, TN-V without an exploit, PSP homebrew, a proper video player, and one feature that I'd love to see: a damn way to keep the saves and game data of digital games, so that when you want to delete the game, your save won't get deleted... A lot of possibilities...
A word of encouragement is better than just saying it's useless. Maybe I'll try it myself after the exams ^.^
Good luck to everybody.
You are risking everything if you take the homebrew pill ;). I lost 3 girlfriends (I still have 1gf) and my PhD/snooker scenes while working on reverse engineering…
I know how to run it with netcat but I don't know how to program, but I'm going to study that, so I'm going to check every bit of code you release to the public to learn how the structure and everything like that works.
I have no knowledge about coding, but I have a few friends that are quite good, so I'm going to try and pique their interest in this and hopefully learn something in the process. I also have to get my internet sorted out at home so I can sit down and get my geek on, read, read and read some more, and hopefully I can grasp some of this and start poking around with the rest of yas.
Good luck to anyone who puts their effort into this 🙂
Well, too bad for those, including me, who don't know how to program... hahaha. Well, I guess they should have told us earlier... so that we didn't wait this long hahaha... WELL, good luck to those who know how to code hahaha, GOOD LUCK...
WTH. It took me like 30 minutes just to figure out how to do the OpenCMA trick. I'm nowhere near being prepared or capable of this. Even though I want to, b/c it seems fun. But the truth is that my head would explode just attempting step 1.
Good luck to everyone, though.
I am an ordinary person. I cannot help, but I can pray.
Good luck to everybody
Especially
# Davee
# YifanLu
# Wololo
First off: long-time user since the early PSP modding days, first-time poster.
Wololo, thanks for these inspiring words. It's true that if you have enough diligence and passion for something, you will progress towards your goal. I've had my PSP 10001 for over 6 years. I recently picked up a Vita for its awesome game library and was hoping to start on the cutting room floor in shaping the future of the Vita mod scene, since I missed the beginnings of the PSP's.
Again, much love. And to all the PSP and Vita modders (way too many to mention):
I'll try my best to help as much as I possibly can.
Shadow_StarLust
My guess is you try this stuff
with trial and error.
That's why it's called
stuff.
Very well.
I missed coding anyway.
Thank you for writing this.
I'm new to the Vita scene but I also want to do something.
I'm highly anticipating
a remotejoy widget
with xming server or xserver as backend.
I would like to link anyone interested to this website; it's great for teaching newcomers the basics of coding. It's how I started learning: it's interactive and, best of all, free. http://www.codecademy.com/
I understand how the exploit works. Thank god he noted the bit size next to the buffer. I’ll do my best to be the 31st person on earth 😉
Definitely something to look into. Once I finish my uni exams I'll definitely look into it, though I'm not too sure how far I'll get. I'm studying computer science, but have never been too great at programming; I'm majoring in networking/system administration.
Hi dear wololo.net,
I really wish to work on the Vita hacking project, but my life is really a mess and I don't have free time.
I mean, my dream is to be able to hack the Vita, but I wish I had more free time.
My abilities: asp, php, mvc, html, css, javascript, jquery, android
Hey guys, can anybody confirm this: yesterday I was searching for some DLC for my games on psnstuff and I found a PS Vita game (PCSF00141 Resistance – Burning Skies.pkg). Then I tried to transfer the game by USB; after a while a bubble appeared on the XMB with the game, and when I pressed to install I received a message "connect your vita to transfer the game". Will the game work on the Vita, or is it blocked by user ID? I ask because I no longer have a Vita, I sold mine.
May I suggest something?
I recall someone was going to post an article on how to do basic coding. If that person is still around, maybe he could publish it now and push us all in the right direction.
Just a thought…
Everyone should put their 3.20 firmware Vitas away for a year or more. I have a 3DS with a Gateway, and the homebrew for it is coming along but not there yet: we have SNES, NES and GB/GBC, but no sound at all for any of them, so it's still POC, but they do work. Give it a few months or a year and maybe the Vita will have some emus working.
"The people who came up with these exploits and tools did not have "secret" knowledge available to them that is not available to you."
How did they know that WebKit would be patched in 3.30? There must be a spy at Sony *stirs the pot*
Developer question...
Compiling netcat on Windows (the non-Windows version, for optimal performance):
so where do I get sys/socket.h and its lib into MinGW?
It's my first year studying IT and I don't have much knowledge at all; however, I'm gonna study the *** out of myself and hope to help! Security isn't my favorite lesson, but I'll make it fun.