Vita Reverse Engineering Leak (Cobra Blackfin) – part 1
A foreword from wololo:
I was recently contacted by someone who claims to be the main tech person behind the Cobra blackfin project. The hacker provided substantial proof that he is who he claims to be, although I’d be lying if I said I still have the technical skills today to confirm that all the analysis he’s provided is 100% valid. Today’s release, and potentially the ones to follow, will allow the scene to go through the files and confirm the legitimacy and importance (or lack thereof) of this leak.
The hacker states he has 76GB of reverse engineering data related to the PS Vita (the bulk of it being dumps, logs, but also, he says, some juicy stuff), the result of 4 years of work on the cobra blackfin project.
Due to not being paid for his work by the owner of Cobra team, the developer has decided to make his files public for the scene, with the double goal of 1) providing interesting stuff to the vita community and 2) attempting to get paid for his work. Because of this, it is possible, if he reaches an agreement with Cobra, that the hacker will not send me all the files.
My part of the agreement with him is that I will publish his announcements and release his files here as he sends them to me. I do it in the hope that this could lead to interesting code/discoveries for the psvita scene, and also because I don’t like the idea of a developer not being paid for their work. This is independent of my opinion on piracy devices such as the Cobra Blackfin, which I believe I’ve made clear multiple times.
This first release is “minor” but still contains interesting stuff. From my perspective it is mostly here as a “warning shot”, proving he is not kidding with the upcoming leaks. The hacker intends to release more interesting parts of the project progressively.
Below are an announce and notes from the hacker, as well as download links for the first part of his work. I have left this mostly untouched except for a few typos and formatting (you can find the original notes and announce documents in the downloadable archive):
Announce
I developed the BlackFin device for the Vita, on contract for Cobra.
Unfortunately, I was stupid and too trusting, and the contract was for payment on delivery of the product and the guy running the Cobra business sc*** me of over 4 years of work by not paying after I delivered the product.
The BlackFin didn’t sell, so he decided that he wasn’t going to pay me, citing *** excuses to justify his theft of my money, my hard work and my intellectual property. The most baffling thing is that after one year of fighting/negotiating/requesting my money which he still refuses to pay (but promises he’ll pay it “someday”), he still tries to argue to me that he is a man of his word and he isn’t a lying and thieving scumbag.
I have told him that if I do not get paid, then he is forfeiting all intellectual property rights on my work on this project and that I will do what I want with it. I have decided that what I want to do is to release it to the community. There is about 76GB of data to sift through, so these releases will be done over the next few months, so I can take the time to prepare worthwhile releases for everyone to enjoy.
This first release is minor and it’s a tool that emulates an MMC host controller and can be used to talk to a vita card. My notes on the authentication mechanism of the Vita game cards is also released here as well as some nice XRay scans of the game cards. It should be interesting to see what the community can do with this information.
A message to hackers out there: Stay away from Cobra, stay away from anyone who thinks so highly of himself that he is robbing you while trying to convince you he is the good guy.
A message to the thief: Stop crying, you’ve had plenty of time to fix your mistake. A year has passed since you decided not to pay me for work done and delivered, 6 months have passed since the last deadline I gave you, and 2 months since the deadline that you gave me yourself for rectifying your mistake. The time for pitiful excuses is past. If you want me to stop, then pay right away, otherwise just shut up about it.
Notes + content of the archive
This release is the first of many, the files here are to help test/debug some of the stuff on the vita GC (game card).
Most of these files have not been touched in years, so their information might be outdated, or the code might not compile, or may need small fixes for it to work properly. It’s all released as is with no guarantees.
Here’s the run down of the attached files :
- vitacardxray: an XRay scan of the Vita GC, it wasn’t very useful and I never did anything with it, but it can be a nice addition to some wiki page somewhere.
- MMC_BB : This is an MMC host emulator written using Bit-Bang mode on an FTDI chip. I had soldered wires to a GC and used an FTDI UM232H to communicate with it. The code is old and potentially buggy. I know that I re-used that code a couple of years later and it wasn’t working as well as it did 5 years ago, maybe it was because of crosstalk or a poorer soldering job. Either way, I had to comment out some parts in the ReceiveData function and lower the baudrate. This might not be necessary anymore, I suggest you test and see what works for you, you may need to understand its code and debug it before it becomes useful.
In any case, you should of course read the source code to figure out what it does exactly. There is a ‘usage’ if you run it without arguments, but that’s outdated, there’s a few commands that were added to the app but not to the usage, read the source to know what they do. This is what I used to brute force the GEN_CMD behavior and some things are hardcoded in it as well (like with the ‘read’ command, the sector to read is hardcoded in the source code, or whether the card is 2GB or 4GB is hardcoded with a #define), so really, consider this a “developer tool” for quick testing/hack jobs, rather than a usable tool for most people.
It may or may not be useful, but it will probably help at least in testing the GC authentication from a PC when it comes time to implement an open source solution.
One thing I remember is that you need to do ‘./MMC init’ to init the card before you try to read/auth/whatever from it and that the unbrick command was to unbrick a card but I don’t really know if it ever actually worked (a card will brick/lock up if you fail too many auth attempts, but I think it unbricks itself on its own after some time). Also, the Vita will reject a card that answers 0x0000 to the 0xc2 command right away (a card that was already authenticated) so you need to unauth a card before you can use it with the vita again.
One way to use read/write tests is to wire 3.3V to the VCC pin of the card, then tape over it to isolate it, insert the GC into the Vita for the auth to take place, then remove the card. Since it stays powered from your FTDI (or other external source), you can then read/write to it as much as you want. Of course, write is protected for the actual game partition, but you can play/test that if you wish to.
Notes and logs:
The full.log is a full boot log captured using a logic analyzer and the LA data analyzed through a script (not in the release) to show every command sent and received by the card between the Vita and the GC. We can easily see in it the SD init commands (which go unanswered) followed by the MMC commands (which init the card), then the regular sequence of CID/CSD/EXT_CSD, followed by the enablement of high speed and 4 bit data mode, then the GEN_CMD auth commands then the card sectors being read in various ways by the Vita. I believe this was an Uncharted game and the log continues until the game was launched.
Note that I changed the card’s serial number and removed the data from the auth commands in case it is identifiable.
The GEN_CMD.log file is the GEN_CMD auth commands extracted from the full log (before I cropped it and with the data slightly modified so it wouldn’t decrypt to valid content anymore), it’s useful to follow up on that file when trying to understand how the authentication works.
Note the “Command” here is actually “transaction id” and the “Data arg” is the actual command code.
The authentication.txt is my interpretation of how auth works and the results of brute forcing every command/TID combination. It’s probably not exhaustive due to how the GC acts as a state machine (some commands may not work until auth is successful), but it’s useful and shows many commands in there that the GC supports but which are not used by the Vita itself. I wrote most of it in 2012, and the “Card authentication” paragraph sometime in 2014, so it may not be accurate/up-to-date.
With a vita CFW, you should be able to simulate the auth from a Vita and send/receive modified auth messages (does changing the 0xa1 data cause the 0xa2 request to fail, or not until the 0xa3 command, for example), although I believe that with the F00D command sequence, motoharu has already discovered which data is dependent on which, so it may not be extremely useful anymore.
Download PS Vita Reverse Engineering Leak Part 1
The files for the Vita RE leak part 1 can be downloaded here.
Update:
Interesting!
Can’t wait for the “juicy” parts…….I hope they come to that.
Vita Rom Compiled Dumps I Swear That’s Coming Up
Well…I hope we get the juicy parts…but I also hope this poor guy gets paid. Just from those few notes I read, and having SOME of very little coding/hardware experience…that dude put a lot of time into this project….good luck bro, I hope it works out for you
I think that there will be a lawsuit wave around this article from Sony’s side.
ok I gotta ask what does this mean for the scene in terms of development
please excuse my ignorance
Your guess is as good as ours. May not be anything, may be a really interesting part of the puzzle which has yet to be solved. Time will tell. Until then, enjoy the show!
Maybe this will help lead to an end to the 3.61+ firmware requirements, but that is most likely just a dream….
3.61 will not happen they focus on 3.60 noob
Actually Cobra Black Fin was pre 3.60, it didn’t work on 3.60 at all. When I was talking about 3.61+ requirements I was talking about running 3.61+ games, i.e. the ones that came out after 3.60’s firmware. If you’re going to call someone a noob, which I wouldn’t necessarily deny being one, then at least get the facts straight.
3.61 is just a dream irony….
The only way to downgrade your PSV is to buy a board to go to 3.60, and if you can’t afford it while it’s cheap then get a job. Stop asking this stupid question about 3.61 because this will never happen, or, to be direct with you, it will take 10 years or more before they emulate 3.61 or higher; the developer said this already.
@Megumihan : Well, the ‘noob’ gave more insightful facts than you did. Maybe you should grow up a little.
Isn’t what YifanLu made enough? I mean, what other stuff can we find about the PS Vita?
There’s anything and everything to be found. Sony is obviously not complete garbage when it comes to software and security, unlike Nintendo, but a lot of things could happen. No software is perfect though, and one new discovery could lead to a whole tree of new ones.
I love how every post from you is “gne gne gne Nintendo security” when we have multiple news on PS4 and Vita exploits. You’re not biased at all.
Yeah, you made a point. I like Nintendo systems for their library of games, for example the 3DS, but how lazy were they to not patch the 5.1 firmware exploit for months on the Wii U. Now the Switch and its security flaws… The Vita was the most secured console ever made, and I am not talking about PSP emu level. The 3DS for example has DS flash cards that were blocked only a few times; my beloved DSTWO had firmware updates with a new entry at most 7 days after a 3DS firmware update, and that was maybe 2 or 3 times. Because of the popularity of the system there are a lot of hackers around there. Emunand, and the web browser auto security fix, and idk when that was implemented after the 9.2 firmware. So Dinckleman, sorry, you’re wrong about Nintendo security
“Fix” browser and “Disable” browser aren’t the same thing tho. This argument can go a long way but you’re definitely not wrong. Nintendo just does lazy quick fixes every time that don’t fix the core issue, but just remove the dozens of silly entrypoints.
who knows, maybe this covers some areas he overlooked, did not bother with, or lacked equipment for.
those xrays and logic analyzer dumps sound promising.
Hopefully this will allow for PROPER backups (ROMs) of Vita game carts (as opposed to just the files read from them) intended for use with Vita emulator(s) mainly.
Release it what are you waiting for this will help everybody just end the PSV Scene so we can get a new handheld from Sony
You say this every time. You’re delusional every time.
WoW 😀
Unpatchable henkaku cfw for any future fw… That’s the last thing we really need.
Maybe once in the future… after ps5 is hacked….
Just when I thought the PS Vita scene couldn’t get any better… Will be interesting to see this one unravel.
I guess it all depends on how old your devices are, with lower firmware, to make use of anything.
If it’s too high you will likely brick your Vita.
Am I the only one who thinks it’s crazy to work for 4 years in good faith and not receive any payment for your work?
I do find that hard to believe, but I guess we will see.
I bet you are not the only one. What I know is that all of you never hacked anything on your own. Old school hackers never did it just for the money…
I have no pity for this guy!
He should have released his findings to the public before!
🙂
No pity? so if I gave you work and promised you pay then did not pay you, would you be alright with that? then cool, come and mow my lawn and wash my dishes.
I very much disagree. He owed the public nothing. It’s up to him whether to release things to the public or not.
Holy shiit a new emulator nice release it please
Even with the upcoming NoNpDRM plugin (“Vitamin 3.0”), we still need a way to make backups (not necessarily playable) from game cards (.VGC files) for software preservation. Hopefully this will help to create a full dumper that dumps everything 100%, keys/auth stuff and all.
Finally some scene drama that is in our favor god dang. Keep it coming please, hopefully this guy gets paid one way or another, he deserves it. Whether we as a scene have to donate to you or the dude comes up and pays for the time you spent, I support you all the way.
What could this lead to? Not to be rude, but this info is really hard to process/ understand. Would appreciate it if someone could translate it for me. :p
It’s the base for creating a flash cart for Vita, Nintendo-style. In the most obvious best case scenario this will let people on 3.61+ firmwares play backups (legit games and some mods/undubs only, not the homebrew) until Sony blocks it with the next firmware update.
Assuming that there is someone qualified and willing enough to succeed where Cobra failed.
This leads to enlightenment.
We don’t know what he has, which is why it’s so interesting.
Those people from Cobra are SNAKES!
LOL this comment made me laugh. Makes sense he didn’t notice this at all hahahah, for over 4 years he *** up
I would like to hear any information he has to release to further the Vita scene. It is unfortunate he got the shaft on getting paid for a finished product that didn’t sell.
He should have been paid upfront for the work and not for a finished product. Even if it did sell, it would only be a matter of time before Sony filed a lawsuit. Then the developer wouldn’t get money in the end and would probably be sued also.
Despite being ripped off for the work, it could be a blessing in disguise. I can say most people have been ripped off in their life. I have been. A lesson learned for business and work: “get some sort of payment along the way, for a person’s ongoing work”. Trust no one’s word.
It’s a snake, that’s why they are backstabbers ^^
We are talking about Switch here? Oh no wait, this is PS Vita. Isn’t that handheld already dead? I mean what would you want to pirate on it anymore? Some indie puzzle game? Let the handheld die peacefully guys. So much drama, sheesh!
some kids are too poor to buy mem cards let alone games. I just updated 1 of my 3.60 vita . psn is better than piracy
lol at filthy robbers calling out thieves. they were all out to make money ripping off sony