PS Vita: the “first F00D hack” and what it means for the scene
What is F00D?
F00D is considered to be the “level 0” of the PS Vita security chain. Security checks on F00D happen before other systems are even accessed.
It is believed that exploiting F00D could lead to a permanent hack, one that possibly couldn’t be patched without a hardware revision of the PS Vita. Update: that last sentence has been confirmed to be incorrect. Specifically, Yifanlu said: “The stuff people want: 3.63 psn spoofing, 3.61+ game decryption/running, permanent henkaku hack, hacks for 3.63, etc is orthogonal to hacking f00d. It is much ‘easier’ to do through other means like finding a kernel exploit or porting an existing WebKit exploit. We (molecule) have retired from all that stuff so it’s up to other people to pick it up.” See here for details.
YifanLu, one of the hackers behind the HENkaku Vita hack, recently stated that he would focus his reverse engineering efforts on F00D moving forward. This was followed by lots of progress from various hackers in January, including a deeper understanding of the F00D protocol (see motoharu’s psvkirk work on github!).
What was just released by team Molecule?
I’m seeing lots of speculation on the source code that was released by xyz a few hours ago. As I’m still waiting for a comment by xyz himself, I’ll have to speculate a bit on my own, and will be sure to update this article once the members of Team molecule publicly bash my complete ignorance 🙂
Looking at the code released by xyz, “all” there seems to be here is an implementation of the state machine used by the F00D protocol, as (partially) described here.
Although it does seem to be a great tool that could be used to try some attacks on F00D, it doesn’t appear to me to be the actual “exploit” that people are hoping for yet. In particular, nothing in this release mentions an exploit, and team molecule haven’t released any official statement claiming they have already hacked F00D. Furthermore, the henkaku wiki still states that most of what the team knows about F00D is still based on educated guesses at this point.
Some “blobs” of code can be found in rvk.c and sm.c. Those would typically be where one would expect a payload of some sort in an exploit, but in this case I feel this is not what they are. Bottom line, these could be:
- Blobs of data acquired one way or another from the Vita, which are required for the F00D protocol implementation to be valid. For example, the code makes clear that without rvk (the revoke list?), nothing will actually work.
- Or they are actually payloads for an exploit, and this article completely misses the mark, in which case I fully expect Team Molecule to call me out (and I’ll of course fix the article)
What’s next for the end user?
A full exploit on the F00D processor of the Vita could possibly mean a “permanent” hack (no need to run HENkaku each time you reboot), or potentially a hack that works on current firmwares such as 3.63, and that Sony could not necessarily fix with a firmware update. There’s lots of speculation here but this is the general expectation.
At the moment however, I see no reason for the end user to be overly excited. Whether my analysis is right or wrong, Xyz’s release is useful for the people who already know what to do with it. Today, that’s a handful of hackers worldwide. Soon, this could mean something useful will be out for the end user though. How long this will take depends on how far off my interpretation above is: if there is actually an exploit that just got released, things could happen much faster than I think.
Update: Team molecule have reached out to confirm that most of the speculation above is incorrect; Yifanlu’s statement is quoted in full in the first section above.
Update: some trusted people have come back to me to confirm that I understood things correctly. There is no exploit in this release; it is an implementation of the F00D protocol to help hackers tinkering with the deeper levels of the PS Vita. The blobs of data in rvk.c and sm.c are probably the revoke list and the sm self file, acquired directly from the Vita, as I assumed they were. Furthermore, hacker motoharu has contacted me to mention that people should also have a look at his work on psvkirk to start digging deeper.
Source: xyz on twitter