Vita hack: the webkit exploit fully explained (+ more code for you to look at!)
This was kind of out of the blue: developer acez just posted an article on his blog explaining all the details of the WebKit exploit that was recently revealed for the Vita, describing how he and a group of friends worked on a WebKit vulnerability on the Vita and leveraged it to run native code. It has been explained to me that although this is the same vulnerability that Davee used for his work, the two groups worked completely separately on their exploits.
The read is extremely interesting, and I won’t pretend I’m able to summarize it in a way that would do it any justice, so I suggest you just read it.
A cynical summary for people like me who have been in the PSP hacking scene previously would be: "ha, the security on the PSP was a joke, now we're talking". The article clearly shows that the exploit was not just a matter of digging up CVEs and quickly and dirtily porting them to the Vita. Between the absence of a debugger, the presence of ASLR and sandboxing, the lack of a JIT, and other bumps in the road, acez's post makes it clear that this was not easy. At all.
From the scene's perspective, it's interesting to see that the main people behind this work (freebot, acez, and John The Ropper) are, as far as I know, not people from the PSP or PS3 scene. They seem to be, however, very, very well seasoned hackers (acez at least seems to be a regular CTF contestant; the hacking kind of CTF, not the Quake kind). The things they pulled off, which I understand were very helpful, behind the scenes, to some of the releases we've seen over the past few days, were not easy.
JohnTheRopper and freebot worked with acez directly on the exploit. In addition, he credits Yifanlu and Josh_Axey for their help on the Vita, as well as Acid_Snake and CodeLion, and everyone else who "made this possible".
The exploit and all related work can be found on acez’s github.
At this point I assume this is more or less the same work that has been released in CodeLion's recent memtools_vita, but it is worth checking. CodeLion's memtools_vita is essentially based on some of acez's early work: the repository contains webkooz (a basic memory tool on which CodeLion's code is based) and an SDK named akai, which will help people write basic homebrew.
Let's hope that the interest of acez, JohnTheRopper, and freebot in the Vita lasts for a while. As mentioned in the blog article, there's still a lot to do: WebKit is sandboxed, and without additional exploits the scene will not be able to gain "full" native access to the Vita. From a personal point of view, though, I would surely be happy to start seeing a simple SDK, and some simple homebrew, running inside the sandboxed WebKit exploit. Just for the sake of it.