Warning: PS Vita brickers in the wild
The following information comes from MPT, who contacted us through user realshotgun to spread the word. We at wololo.net have not verified it, but MPT's explanation below is detailed and plausible enough that we feel it needs to be passed on.
If you are downloading pirated games you are, frankly, asking for trouble, and it is not our role at wololo.net to judge; there was clearly no legitimate use for these two downloads. But now that this kind of payload is out in the wild, it would not be surprising to see similar booby-trapped files turn up in otherwise legitimate homebrew for a hacked PS Vita, so be careful what you download and where you download it from.
The explanation below also shows how little effort it takes to brick a Vita this way, and how easily the payload could be altered so that the simple string search MPT describes no longer catches it.
This only affects people running HENkaku on a hacked PS Vita, not "regular" users of the system. In particular, anyone who has updated to firmware 3.61 cannot run HENkaku and is not at risk.
Below, the article from MPT:
Warning: Vita brickers are now in the wild
A few days ago, two malicious game backups were posted that would perma-brick Vitas, with no chance of repair unless someone develops a hard mod.
The backups claimed to be "Fruit Ninja [US] [TESTED] [MAIDUMP]" and "kung fu rabbit – tested working – maidump v233.2z8", and indeed, on inspecting the eboot, the overall file size and the game files, they appeared to be normal game dumps. However, the mai.suprx file that is injected into Mai dumps for functions like plugin and DLC support had been replaced with code that would mount and delete vs0: and os0: (which are the system partitions of the Vita) and reboot the Vita. Most damagingly, the file deleted os0:KD, where the drivers for interfacing with the hardware for things like safe mode are kept, rendering the Vita irreparable short of a hard mod being developed.
The reason this code was able to run is because the eboots of both dumps were not marked as safe, meaning that HENkaku allowed them to run with full permissions. This would have happened whether they were packaged as a VPK and installed through vita shell, or installed with MaiDump (though in the case of vita shell, a warning would appear that the user would have to dismiss).
In this case the malicious code was in mai.suprx, but it could feasibly have been in any of the executable files. A file can be checked for this by opening it in a hex or text editor and searching via ctrl+f for 'os0', 'vshPowerRequestColdReset' and 'vshIoMount'. If you get a result, DO NOT INSTALL the game.
This is an example of a malicious mai.suprx:
And this is a mai.suprx from a known good dump:
As of the latest version of MaiDump, released several hours ago, both it and VitaShell will warn the user before any dump with possibly malicious code is installed. If you see a warning, DO NOT CONTINUE WITH THE INSTALL: either try to find another dump, or, if you must use that particular dump, use a tool like VPK Tool, which checks games packed as VPKs. Bear in mind that this is not a guarantee that it cannot brick your Vita, merely a mitigation of the risk. Presently there is no tool available to check a zip file or an extracted Mai dump, but one should surface soon.
Thanks to shotgun and MPT for spreading the word.
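MPT's ctrl+f check, automated. This is an added example written for this page; it is not MPT's tool, not VPK Tool, and not part of MaiDump or VitaShell. It searches every file in an extracted dump, or every entry inside a .vpk (assumed here to be a plain zip container, which the article does not state), for the three byte strings MPT names. The two function names are treated as strong indicators; 'os0' alone is treated as weak, because three characters can occur by chance in binary data. The two sample modules at the bottom are constructed for the example and are not real dumps. A scan like this only catches the obvious case: a payload that stores the strings obfuscated, or reaches the same functionality another way, passes it.

```python
#!/usr/bin/env python3
"""Indicator scan for Vita game dumps (added example, not the page's code).

Mechanises MPT's manual check: look for 'vshIoMount',
'vshPowerRequestColdReset' and 'os0' in every file of a dump.
"""
import os
import sys
import zipfile

STRONG = [b"vshIoMount", b"vshPowerRequestColdReset"]  # names MPT lists
WEAK = [b"os0"]                                         # too short to trust alone


def find_indicators(data):
    """Return {indicator: [offsets]} for every indicator present in data."""
    hits = {}
    for needle in STRONG + WEAK:
        offsets = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[needle.decode()] = offsets
    return hits


def classify(hits):
    """'malicious' on any strong hit, 'suspicious' on a weak hit only, else 'clean'."""
    if any(n.decode() in hits for n in STRONG):
        return "malicious"
    if hits:
        return "suspicious"
    return "clean"


def scan_files(files):
    """files: iterable of (name, bytes). Returns (worst verdict, {name: (verdict, hits)})."""
    rank = {"clean": 0, "suspicious": 1, "malicious": 2}
    overall, report = "clean", {}
    for name, data in files:
        hits = find_indicators(data)
        verdict = classify(hits)
        report[name] = (verdict, hits)
        if rank[verdict] > rank[overall]:
            overall = verdict
    return overall, report


def iter_dir(root):
    """Yield (relative path, bytes) for every file under an extracted dump."""
    for d, _, names in os.walk(root):
        for n in names:
            path = os.path.join(d, n)
            with open(path, "rb") as f:
                yield os.path.relpath(path, root), f.read()


def iter_vpk(path):
    """Yield (entry name, bytes) from a .vpk; assumes a .vpk is a plain zip."""
    with zipfile.ZipFile(path) as z:
        for info in z.infolist():
            if not info.is_dir():
                yield info.filename, z.read(info)


# Constructed sample inputs (not real dumps): a module that references the two
# functions MPT names, and a benign module that mentions neither.
BAD_MODULE = b"\x7fELF" + b"\x00" * 60 + b"vshIoMount\x00vshPowerRequestColdReset\x00os0:\x00"
GOOD_MODULE = b"\x7fELF" + b"\x00" * 60 + b"sceIoOpen\x00ux0:app/\x00"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: scan_dump.py <extracted_dump_dir | game.vpk>")
        sys.exit(2)
    target = sys.argv[1]
    source = iter_vpk(target) if zipfile.is_zipfile(target) else iter_dir(target)
    overall, report = scan_files(source)
    for name, (verdict, hits) in sorted(report.items()):
        if hits:
            detail = ", ".join(f"{k} at {[hex(o) for o in offs]}" for k, offs in hits.items())
            print(f"{verdict:10s} {name}: {detail}")
    print("overall:", overall, "-> DO NOT INSTALL" if overall == "malicious" else "")
    sys.exit(0 if overall == "clean" else 1)
```

Run it on the extracted dump folder or the .vpk before installing; a non-zero exit means at least one file needs a look. A 'suspicious' verdict on a file that only contains 'os0' is worth checking by hand in a hex editor, since game code can legitimately contain those three bytes.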
Geez. Next up for homebrew… PSVita Antivirus. Thanks for the heads up.
May the gods protect us…….
After that vita will have usb keyboard and mouse drivers
Baidu Vita
Can we tap into root yet?
First
ouch!!!
WOAH NELLY, well that's some useful info, thanks!!
Strings can be easily encrypted so your option is no go
Would be wiser to search for a vshIoMount call
Has anyone heard about the 4.00 PS4 jailbreak from ps4portal? Is it a hoax? I'm too skeptical to attempt it. Still have my spare 1.76 unit collecting dust waiting on a breakthrough.
yes, ps4portal dot net is a known scam website, see: http://wololo.net/2016/08/10/ps-vita-3-61-hack-beware-scam-sites/
I am not looking at wololo anymore; psxhax is where I am going now, they got me up to date on basically a month's worth of stuff.
Thnx Wololo :/
You should give yourself a history lesson on that site. They used to have a habit of taking other people work, editing it, and claiming it as their own. Many PSP bricks happened as a result.
nyah this guy just telling the old GURU wololo is now old hahaha needs fresh sites.
PSXHaX is just PS3News regurgitated, their news is filled with poop and stolen from places like Wololo, headlines with click bait titles etc, if you are five years old, it is the perfect place for you, but for grown ups Wololo is the place to be
ohh and 4.01 ps4 update came out :/
Wololo,
Please stop the full page ads on your site. I understand the need to advertise but it’s a bit excessive. I’m going to start using an ad blocker here if it doesn’t change.
Show us on the doll where the ads hurt you…
I had two fake virus messages, one opened in a new tab, the other just updated the page I was reading. Sticking with AdBlock for a while, until I see these ads stopped.
Yeah, this site is getting irrelevant now. Other sites are putting out new content much faster than Wololo nowadays. All the guest bloggers here seem to have quit too, apart from one or two. All you’re gonna get here are weekly deals on PSN lololol
You're right. Usually I browse from my phone and more often than not when scrolling, I accidentally click on the ads, which is annoying. Might enable Adblock for this page soon if it doesn't decrease.
use AD Block + in your browser
Sony’s Revenge
Nice idea, have no compassion for pirates, Thumbs Up
Maybe it’s time for the HENKAKU exploit to update and focus on psvita system file protection.
Create security for a program whose purpose is to defeat security. It’s so contradictory it might just work! That would be kinda nice if they could implement something like Android’s permission model. “This app is attempting to modify os0: is this okay?” But I doubt it’d be very easy or worthwhile. Would probably be too easy to get around. So far it seems like this is just piracy stuff though. It’s not really a big deal.
Far out, why do people create this ***? What are they gaining? People who create things like this I want to smack repeatedly on a desk.
Really though, if you're downloading VPKs you should be using vitamirror, not reddit pages or anything else.
can’t you simply enable safe mode with safe-mode toggler?
that sock
Just a word of warning, probably wasn't the best idea to include all the specific details of how to brick a Vita in this post... you are just asking for ppl to try it (both ignorant ppl wanting to "test" this, and those who will use said info to develop MORE malware!).
Maybe some of the community devs could get together and create a plugin or homebrew (or Windows based app) that checks for those strings or other sus stuff in VPKs and other files, ala Vita AntiVirus... even though it's technically not a virus as it doesn't replicate, it's a Trojan.
As a side note, we should also update the Homebrew contest to NOT allow Antivirus homebrew for Vita to be entered into the comp, because that might just cause some of the jerkoffs in the community to start flooding the scene with Trojans just so ppl "need" their Antivirus to be safe... which sure would win them a lot of votes in the comp.
So yeah, we need a Vita antivirus plugin/homebrew, but an open source, free for all to use kind.
TBH, I'm kinda tempted to brush up on my rusty C/C++ skills and create one myself, but being a single parent doesn't leave me with much free time for such an endeavor.
How is an anti-virus a good idea? Anti-virus is a blog joke (a good one!). A real anti-virus would only encourage bad people to bypass it with more viruses, turning the whole ordeal into a cat and mouse game.
Easy virus bypass: encode the string or obtain the value by enumerating devices. What will your anti-virus do then?
Let's say you capture it at the unlink() level; a new method will be developed that won't rely on file deletion, or will do supervisor calls directly. What then? Will you keep the anti-virus up to date for eternity?
not even a trojan, it just plain NUKE
Making how the malware works public is a better way to fight it than keeping it a secret. You ask for an open source antivirus, which works because the code is public and anyone is free to see how it works. Those capable of writing code for the Vita would easily have been able to write such a simple piece of malware, and keeping it from the public only allows more people to brick their Vitas.
Yes, I see your point; re-reading my post I can see I contradict myself lol. As you said, anyone could just look at the AntiVirus code, see what it's looking for, and then do what it's trying to stop.
Though it's still possible to alert the community without giving out exact details on how to recreate said trojan/malware/nuke.
nice SJW mods here aylmao
gud.
no rust needed captain fancywords who thinks that difference btw. trojan and virus lies in replication
This issue has been happening for over 3 days; I believe this site is late to post.
Worth mentioning
SafeDump
VPK_Brick_Tester_1.3
and I believe VitaOrganizer has ways to switch a dump to safe mode, turning off the permissions that allow it to access important files. I use SafeDump currently, but no idea if this method is foolproof.
thumbs up!
Now I kind of want a version of VitaShell that’ll never let me install unsafe vpk files. Ever.
Sounds like the Vita scene and the Xbox 360 scene need to talk. A Vita version of abgx360 is what is needed. abgVita anyone?
I guess Vita shell should implement something that searches for the vs0 stuff.
3ds fanboy strike!
Is there some way to hook API calls in a suprx in order to make a plugin that would check the destination of any API call able to erase/open in write mode any file from the system partition, and would have the role of a safeguard for any running app?
We need SuperSU for Android; it's the same thing.
Or HENkaku needs a dev mode and a user mode.
If we could set up HENkaku like this it would be great:
HENkaku acts as kernel exploit, gains root.
Based on the mode of execution (dev, user) it then starts an app in user space or system space accordingly. Now I'm not sure if user space has access to the KD folder, but it seems to me Sony wouldn't allow their devs to write code to brick the system; but I'm not really well versed in the Vita hardware.
If the normal games that launch can access the KD folder, then we're gonna have to figure out how to hook the delete function and add a directory check with a blocked directory list.
Is there a way to purposely brick my vita running 3.61( it updated on its own)?
As long as you install it through VitaShell or molecularShell it doesn't brick your system.
Comment by yifanlu himself on gbatemp:
The Vita doesn't allow this to happen. We specifically gave homebrew all that extra power because something something owning the device. We quickly realized that trolls might abuse it (duh), which is why we introduced the safe homebrew system. As long as your eboot.bin is set to "02 00 00 00 00 00 00 2F" at offset "0x80", it should not be able to wipe the NAND. There is no reason not to mark all pirated dumps with that, because by construction, games do not require the extended permissions (duh). However, it is up to the user (and whoever wrote the installer utility) to check that the permissions are set. We cannot do this without establishing some sort of whitelist/signing system, and then we are no better than Sony. Therefore, if you go installing stuff without using molecularShell/VitaShell then it is at your own risk. You might install something that bricks your system. If you want to be 99.9% safe, just stick to molecular/VitaShell and don't install anything marked unsafe unless there's confirmation it doesn't break your stuff. This should be common sense for any computer user (who goes installing random drivers, for example), but unfortunately console hackers are too naive.
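The check yifanlu describes, written out as an added example (this is not VitaShell's or molecularShell's code): read the eight bytes at offset 0x80 of eboot.bin and compare them with 02 00 00 00 00 00 00 2F. Two things here go beyond his comment and are assumptions: that the file begins with the four-byte 'SCE\0' magic of a Vita SELF header, and that the eight-byte field is a little-endian 64-bit authority id (0x2F00000000000002 for the safe marker). The sample eboot bytes are constructed for the example. mark_safe rewrites the field, which is what the "switch a dump to safe mode" tools mentioned above do; it takes away the extended permissions but says nothing about whether the rest of the dump is clean.

```python
#!/usr/bin/env python3
"""Check or set the HENkaku 'safe' marker in a Vita eboot.bin.

Added example for this page, not VitaShell/molecularShell code. Rule from
yifanlu's comment: the 8 bytes at offset 0x80 must read
02 00 00 00 00 00 00 2F for the eboot to run as safe homebrew.
Assumptions made here: the file starts with the 'SCE\\0' magic of a Vita
SELF header, and the 8-byte field is a little-endian u64 authority id.
"""
import struct
import sys

SCE_MAGIC = b"SCE\x00"                          # assumed SELF header magic
MARK_OFFSET = 0x80                               # offset yifanlu quotes
SAFE_MARK = bytes.fromhex("020000000000002F")    # exactly the bytes he quotes


def authid_bytes(eboot):
    """Return the 8 raw bytes at 0x80 after basic sanity checks."""
    if len(eboot) < MARK_OFFSET + 8:
        raise ValueError("file too short to be a Vita eboot.bin")
    if eboot[:4] != SCE_MAGIC:
        raise ValueError("missing SCE magic; not a SELF header")
    return eboot[MARK_OFFSET:MARK_OFFSET + 8]


def authid(eboot):
    """The same field as a little-endian u64 (assumed interpretation)."""
    return struct.unpack("<Q", authid_bytes(eboot))[0]


def is_safe(eboot):
    """True only for the exact marker; any other value is 'unsafe' to HENkaku."""
    return authid_bytes(eboot) == SAFE_MARK


def mark_safe(eboot):
    """Return a copy with the safe marker written at 0x80.

    This is the 'switch a dump to safe mode' operation: it drops the
    extended permissions but does not vouch for the rest of the dump.
    """
    authid_bytes(eboot)  # run the sanity checks first
    return eboot[:MARK_OFFSET] + SAFE_MARK + eboot[MARK_OFFSET + 8:]


def make_sample(field):
    """Constructed stand-in for an eboot.bin: magic, zero header, field at 0x80."""
    return SCE_MAGIC + b"\x00" * (MARK_OFFSET - len(SCE_MAGIC)) + field + b"\x00" * 0x20


SAFE_SAMPLE = make_sample(SAFE_MARK)
# Any value other than SAFE_MARK counts as unsafe under the rule above.
UNSAFE_SAMPLE = make_sample(bytes.fromhex("010000000000002F"))


if __name__ == "__main__":
    if len(sys.argv) < 3 or sys.argv[1] not in ("check", "mark"):
        print("usage: eboot_safe.py check <eboot.bin> | mark <eboot.bin> <out.bin>")
        sys.exit(2)
    with open(sys.argv[2], "rb") as f:
        data = f.read()
    if sys.argv[1] == "check":
        state = "SAFE" if is_safe(data) else "UNSAFE (extended permissions)"
        print(f"authid 0x{authid(data):016X}: {state}")
        sys.exit(0 if is_safe(data) else 1)
    if len(sys.argv) != 4:
        print("mark needs an output path")
        sys.exit(2)
    with open(sys.argv[3], "wb") as f:
        f.write(mark_safe(data))
    print("wrote", sys.argv[3])
```

`check` is the test an installer should run before it asks the user anything; `mark` reproduces the safe-mode switch for a dump whose eboot you have already decided to keep. Marking a dump safe is the right default for a game, since, as yifanlu says, games do not need the extended permissions, but it is a permission change, not a clean bill of health.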
wow what a bunch of jerks.
Just wondering about this phrase
“The reason this code was able to run is because the eboots of both dumps were not marked as safe, meaning that HENkaku allowed them to run with full permissions”
If it is not safe, why did HENkaku allow it to run? Isn't it supposed to only be allowed to run if marked safe?
Early game dumps made with the leaked Vitamin dumper are all marked unsafe by default, the safe flag was added later.
Unsafe isn’t really the best description for it, it’s more like “Requires Administrator privileges”, which Henkaku allows because some tools need Admin privileges.
Would it be wise to make a hash based verification of dumps from legit sources and compare them. I don’t know how many methods there are to pack and modify a dump that would make a dump hash library difficult, but it might be worth a try unless I’m missing something.
What about 6F 53 30 (os0)???? Is it safe?
There needs to be an abgPSVita to verify game rips and repair infected or damaged eboots and such.
yeah cool scene you have here….