HENkaku PS Vita 3.60 hack: Team molecule challenges hackers to reverse the hack

wololo


41 Responses

  1. meysam25

    I feel really good about this. Something great will come.

  2. Crusader

    Exploit has to do something with the rows attribute. Figured out that they’re probably somehow causing a buffer overflow there.

  3. Asurey

    “Sony engineers are already looking at ways to understand the bug and patch it.”
    By removing Web Browser entirely from their next PS console, like they removed any form of internal media playing on PS4. -_-

    • Dav_Dabz

      They sure know how to party.

    • makak1984

      It is not funny, because Nintendo does not provide an internet browser for the 3DS out of the box… You must update in order to get it. There were many problems with that when trying to get the most current hacks.

    • 1

      How can they remove something that never was there to begin with? 😛 PS4 never had internal media playing. The web browser won’t be removed.

  4. Franky

    Watch the Vita get cracked open and sales mysteriously pick up out of nowhere.

  5. sowhat

    I knew it. They needed help and still dare to create a group with a stupid name selling it as their own.

  6. Franky

    Are there any plans to make it possible to launch this from a local server just in case some of us have a computer, but no internet?

  7. Dudebro

    Oh please no, not @Mathieulh… please nooooooooooo.

  8. Derek

    Is it possible to create plugins?

    Can we expect PSP/PS1 image support?

  9. Runehasa

    Should offer a prize to someone who figures out how to dump and play backups. Come on, you know you all want it.

  10. Alperoot

    Wait what? I’ve already seen the source code at github yesterday. Or I just spotted the wrong thing lol.

  11. Gutpunch

    This is a joke; charmram, a Hong Kong hacker, already had this hack some time ago, so the reverse part should be out shortly.

  12. Darien

    Is this hack worth updating for?
    I own two Vitas: the 1000 model running 3.36, and a 2000 running 3.51.
    I’m debating updating my 1000; it’s old and beaten up anyway.

  13. Bobesal

    This is the chance for the PS Vita to be revived.

  14. 173210

    I’m not actually reversing. As I always say, I’m not good at and not interested in reversing. I just downloaded the payload and looked for strings (e.g. http://go.henkaku.xyz/x). That’s it.
    The binary is a bit small, but it seems obfuscated. Go ahead if you like reversing. Maybe it is pleasant for you (but not for me).

    Here are some hints:
    * Not confirmed, but probably consists of three vulnerabilities: WebKit, code execution, and privilege escalation
    * The WebKit exploit was already known in 2014. (Google tells you.)
    * Code is in Thumb. (Probably you can figure that out as soon as you look at it with a hex editor!)

    Anyway, I was bored with playing Tetris on PC and looking at the binary. I want a PS Vita!

  15. Yifan Lu

    You do know he’s trolling by posting a random hex dump right?

  16. orange

    “an anonymous contributor”.
    I think this should have been mentioned earlier, or at least given a bit more attention. As far as I knew before, all the credit went to ‘molecule’.
    Not getting at anyone, but it’s an important part of the story.

  17. TheDemon

    1. Spoof browser user agent to mimic Vita’s agent
    2. Access http://henkaku.xyz and install
    3. Intercept browser requests and figure out the redirect to http://go.henkaku.xyz
    4. Download the page source code and take a look at the exploit: http://pastebin.com/tmuHDreY
    5. Follow the execution path and reach the bootstrap binary at http://go.henkaku.xyz/x (or https://www.sendspace.com/file/3asukv)
    6. Pair the payload/relocs (http://pastebin.com/ZJNPFn3k) obfuscation with this binary
    7. ???
    8. PROFIT!!

    Bonus:
    – Find out the molecularShell binary at http://go.henkaku.xyz/pkg/eboot.bin (or https://www.sendspace.com/file/663jt9)

    Notes:
    – The browser exploit is a reimplementation of the sort() bug that was not properly fixed.
    – The “x” binary is deobfuscated and loaded at the last stage of the exploit using the scrollLeft attribute.

    Am I cool yet? 😛

  18. lollypop

    Somebody got a working quake12 vpk with pak1?