Vita webkit hack: Codelion releases memtools_vita
Developer Codelion (a.k.a. @BBalling1), one of the main people behind the recently revealed webkit exploit on the Vita, just released an advanced tool for developers who want to play with the exploit. More specifically, memtools_vita allows developers to dump the content of the modules used from within the webkit process on the Vita.
In order to do so, you’ll need to run Codelion’s special python server, and access your computer’s local IP with the Vita, on port 8888. The readme explains it all, however let me emphasize once again that this is not a release for “end users”, but for developers.
The tools around this exploit are still quite crude, and I am sure many developers are working on their own sets of tools. CodeLion mentions, however, that this could help people start doing some significant reverse engineering and ROP. From the readme:
Allows to play with the Vita's webkit process' memory by leveraging a webkit vuln. Autoresolve is a little iffy, supports no special cases and skips a lot of modules because it crashes (reading invalid memory)
Known issues: Does not dump the data section, only executable code. IDA does not like that, but it's enough for ROP and some reversing.
Now if you’ll excuse me, I think I have a python server to put in place on my PC…
Download
memtools_vita can be downloaded here
CodeLion did mention earlier this week that this work was done partially by “a good friend”, but no specific name is mentioned in the readme.
Source: BBalling1
The bulk of the server was written by someone who did not want credit for it, I added the automated parsing, reloading, some stability…
Well it is some nice work you got going on here, very good push in the right direction!
So in what way does this tool help us get homebrew etc?
It's intended as a developer tool for people to begin poking into how the vita works, etc. As well as assist in the development of ROP chains which are needed for things further down the line… *things*
I get SceWebkit.bin size 7MB, is that the correct size? Or is something wrong?
~7.1MB is SceWebKit without the data section, so that's working correctly
What's the "special python server"?
serv.py, the vita connects to that
Just to clear this up, the known and used webkit exploit basically grants user-mode code execution of the webkit modules? That is to say, we have to find a vulnerability with those modules to break out?
well you’re close. It gives us the ability to read the entire webkit process ram, as well as execute ROP chains. There’s a few things in the way of actual code running, but we’re getting there
Not a developer, but couldn’t resist playing around with this a bit 😀
Files hosted by wololo seem to be bad, I get this when running serv.py
Traceback (most recent call last):
File “./serv.py”, line 15, in
from progress.bar import Bar
ImportError: No module named progress.bar
Files on github run fine.
Probably a permission error or something but it doesn’t seem to be able to dump the files for me
http://puu.sh/crqky/fca33d33aa.jpg
Bed time for me, I’ll probably play around with it tomorrow and see
I removed the code for progress bar because it wasn't necessary. I removed the import statement on the github copy. Create the dump folder in the main directory alongside inc, serv.py, etc and it will dump correctly. The server should check if the folder exists but I haven't added that yet
Oh my bad, I just assumed it’d create the folder itself.
it really should, it just doesn’t… gotta fix that
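The exchange above (the Vita posting module dumps to a local python server on port 8888, and the server's missing check that the dump folder exists) as an added example, not memtools_vita's own serv.py. It assumes Python 3 and an assumed wire format in which the Vita's browser POSTs each module's raw bytes to /dump/<name>.bin; the module-name rule and the file names are constructed for illustration.

```python
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

DUMP_DIR = "dump"   # the folder the thread says serv.py expects to already exist
PORT = 8888         # the port the article tells you to point the Vita at

# Assumed naming rule: only plain module names such as SceWebKit.bin are accepted,
# so a client cannot make the server write outside DUMP_DIR.
MODULE_NAME = re.compile(r"^[A-Za-z0-9_]+\.bin$")


def ensure_dump_dir(dump_dir=DUMP_DIR):
    """Create the dump folder if it is missing (the check the thread says was absent)."""
    os.makedirs(dump_dir, exist_ok=True)
    return dump_dir


def write_module_dump(name, data, dump_dir=DUMP_DIR):
    """Validate the module name, make sure the folder exists, write the bytes.

    Returns the number of bytes written; raises ValueError for an unsafe name."""
    if not MODULE_NAME.match(name):
        raise ValueError("refusing unsafe module name: %r" % name)
    ensure_dump_dir(dump_dir)
    path = os.path.join(dump_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.getsize(path)


class DumpHandler(BaseHTTPRequestHandler):
    """Assumed protocol: POST /dump/<module>.bin with the raw module bytes as body."""

    def do_POST(self):
        name = self.path.rsplit("/", 1)[-1]
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            written = write_module_dump(name, body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(("wrote %d bytes\n" % written).encode())


if __name__ == "__main__":
    ensure_dump_dir()
    HTTPServer(("0.0.0.0", PORT), DumpHandler).serve_forever()
```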
Thanks, managed to dump
SceHafnium.bin 270.3KB
SceLibVitaJSExtObj.bin 20.5KB
ScePsp2Compat.bin 5.5MB
SceWebFiltering.bin 16.4KB
SceWebKit.bin 7.0MB
Using Autodump On 3.18. Might be over my head, but looks like this will be interesting to play with :3
@anonanon. lol. there is a file named SceLibVitaJSExtObj.bin ? you sure? that is one easter egg. haha
Does this work on 3.30?
No, there are no released webkit exploits on 3.30.
do you know when there will be an exploit for 3.30?
Probably in a few years. Depends on the discovery of new vulnerabilities. Until then don’t update your FW unless you receive consent from Wololo. I recommend you buy a second Vita for online uses. (That’s what I’m saving up for).
ok thanks but i need it for online use though sadly
Not really the same usage but I made a memory browser using the same base code (thanks to Davee's code), that allows you to easily browse the vita's webkit from the vita directly. Since the vita's webbrowser is the worst browser ever created (can't copy paste things), I made it smart by allowing you to click on a memory value to auto copy it in the region input (for easy pointer tracking).
I share it only because it could spare a lot of time when debugging ROP.
http://yosh.ovh/vita.htm
(thanks to yosh for putting the files on his server)
nope, you’re spreading misinformation. 3ds browser is worse than vita.
lol… I prefer not to imagine what it looks like ^^
Any device with a touchscreen should at least allow users to copy paste text in the web browser's pages.
I guess it’s time for Sony to remove web browser, remember Linux on PS3. Hacking has consequences, I hope this thing is worth it.
That, or they can just update to a newer webkit version which patches this vulnerability…? You know, like they did?
They did. It’s standard procedure for any device. This exploit doesn’t work on firmware 3.30 anymore.
I am the End User!!
Congrats, you deserve a cookie
lmao rofl
After finishing installation of Python27 and the capstone and then I run the serv.py file, it opens then disappears..
I wrote in the Python path:
'''
chmod a+x serv.py
./serv.py
'''
but after that it gives me ‘\nchmod a+x serv.py\n./serv.py\n’
What's wrong, what might I do?
No need to edit the python path, just make the file executable before running it, don’t run both commands together.
1. chmod a+x serv.py
If that doesn’t give any error then run
2. ./serv.py
All done in Terminal
Thanks for reply 🙂
I wonder when the PSP3 is gonna be released?
Is there a particular reason none of these modules appear to have any type of header?
On further inspection it appears memtools_vita is just dumping data from random offsets (not proper modules); not sure the signatures it's searching for are reliable.
Could you make a video about this tool step by step?
This really is not useful to us end users, and to be honest, if you're not capable of installing python, executing a python script and reading a readme without a video tutorial, this isn't for you and you should probably be staying away from tools like this
I have already installed python 2.7.6 32bit and capstone 2.1.2 for python27 32bit but it just shows me a python.exe window without any input functions when I try to open serv.py
The million dollar question: When can we download games from TPB and play it on vita? Everything else is irrelevant
People like you should be auto banned on this site
Traceback (most recent call last):
File “./serv.py”, line 13, in
from capstone import CS_MODE_THUMB, CS_MODE_ARM, Cs, CS_ARCH_ARM, CS_MODE_LITTLE_ENDIAN
ImportError: No module named capstone
Install capstone. If you have windows you can download the capstone.exe