After releasing HENkaku, and later Enso, Team Molecule didn’t just call it a day: they kept working on the PSVita. Now they have pwned the fabled F00D crypto processor, and they shared their findings in a talk at 35C3 yesterday!
What Was Team Molecule’s Talk About?
In their talk titled “Viva la Vita Vida”, which took place less than 24 hours ago, PSVita hackers/developers Yifan Lu and Davee, who are part of Team Molecule, talked about the following:
Their progress up to now on PSVita hacking
They discussed the Vita’s security architecture and components of the Vita’s SoC.
The first part of the talk, given by Davee, covered the software techniques used to pwn F00D, and in particular the Octopus Exploit.
The F00D decryption key, which can’t be disclosed for legal reasons, can be found in this totally unrelated picture! (Don’t worry, its meme potential has already been recognised by fellow community members)
In a very simplified way, the Octopus Exploit works by feeding bytes to the F00D processor and having it tell you whether each byte is correct or not. F00D thus acts as an oracle that leaks the data one byte at a time, so a secret can be recovered with at most 256 guesses per byte rather than by brute-forcing the whole thing at once. In this way, Team Molecule were able to dump the secure kernel of the PSVita, which helped them document and further hack the device.
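To make the oracle idea concrete, here is an added example (not Team Molecule’s code and not the real F00D interface): a hypothetical `SecretOracle` stands in for a crypto processor that only answers “correct/incorrect” for one guessed byte at a given offset, and `extract` recovers the whole secret from those answers. The `SafeOracle` class shows the counterpart a defender wants: a single pass/fail verdict on the entire blob, compared in constant time, which gives the attacker nothing to work with byte by byte.

```python
"""Byte-at-a-time oracle extraction, in the spirit of the Octopus exploit.

Constructed illustration: SecretOracle and SafeOracle are hypothetical stand-ins
for a crypto processor, not the actual F00D interface.
"""
import hmac


class SecretOracle:
    """Leaky target: confirms or denies ONE byte at a chosen offset.

    This is the property the attack needs. Every answer is a 1-bit leak about a
    single byte, so the search space collapses from 256**n to at most 256*n.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.queries = 0  # how many times the attacker asked

    def check(self, offset: int, guess: int) -> bool:
        self.queries += 1
        return self._secret[offset] == guess

    def __len__(self) -> int:
        return len(self._secret)


class SafeOracle:
    """Hardened target: one verdict for the whole buffer, nothing per byte.

    hmac.compare_digest compares in constant time, so neither the return value
    nor the timing tells the caller which byte was wrong.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def verify(self, candidate: bytes) -> bool:
        return hmac.compare_digest(candidate, self._secret)


def extract(oracle: SecretOracle) -> bytes:
    """Recover the secret one byte at a time from a per-byte oracle."""
    recovered = bytearray()
    for offset in range(len(oracle)):
        for candidate in range(256):
            if oracle.check(offset, candidate):
                recovered.append(candidate)
                break
        else:
            raise RuntimeError(f"oracle never confirmed a byte at offset {offset}")
    return bytes(recovered)


def worst_case_queries(length: int) -> int:
    """Upper bound on oracle calls for extract(): 256 per byte."""
    return 256 * length


def demo() -> dict:
    """Run the attack against a constructed 8-byte secret and report the cost."""
    secret = bytes.fromhex("deadbeef0badf00d")  # constructed sample secret
    leaky = SecretOracle(secret)
    recovered = extract(leaky)
    safe = SafeOracle(secret)
    return {
        "recovered": recovered,
        "queries": leaky.queries,
        "bound": worst_case_queries(len(secret)),
        "safe_accepts_full_secret": safe.verify(recovered),
        # A per-byte guess is meaningless against the safe oracle: only the
        # complete, correct buffer is ever accepted.
        "safe_accepts_partial": safe.verify(recovered[:-1] + b"\x00"),
    }


if __name__ == "__main__":
    print(demo())
```

The test of a real design is whether any observable (return code, error message, timing, power) depends on a prefix of the secret; if it does, the attacker gets the linear-cost version of this loop.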
The second part of the talk, given by Yifan Lu, discussed hardware hacking techniques and mostly focused on voltage glitching. Voltage glitching is when you briefly drop or spike the supply voltage of a chip so that some logic gates settle on the wrong result; a comparison is mis-evaluated or an instruction is skipped, and you get a software bug induced through hardware.
Voltage glitching was used to bypass the bootloader size check (0xDE blocks), and this gave Team Molecule further insight into the bootloader/BootROM as they got its SHA-256 hash!
Unfortunately, the BootROM didn’t contain any keys
Later on, Yifan Lu revealed that the bootloader (F00D) key had been found, and that it was a repeating byte: every byte of the key has the same value, which leaves only 256 possible keys to try.
Apparently, the key was left there accidentally and nobody noticed before retail builds of the bootloader were shipped.
This key is what protects every content key in the system, so recovering it unlocks everything below it in the key hierarchy.
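To show why a repeating-byte root key at the top of a key hierarchy is fatal, here is an added example (not Sony’s scheme and not Team Molecule’s code). The key-wrapping construction (XOR with a SHA-256 keystream plus an HMAC tag) is an assumption chosen to stay within the Python standard library; the point is the size of the key space, not the cipher. `brute_force_repeating_root` tries all 256 repeating-byte candidates, uses the authentication tag to recognise the right one, and then unwraps every content key.

```python
"""Brute-forcing a repeating-byte root key and unwrapping the keys under it.

Constructed illustration. wrap_key/unwrap_key are a toy authenticated key-wrap
built from hashlib/hmac, not a real product's key derivation.
"""
import hashlib
import hmac

TAG_LEN = 16


def is_repeating_byte_key(key: bytes) -> bool:
    """Weak-key check a release pipeline should run: all bytes identical."""
    return len(key) > 0 and key == bytes([key[0]]) * len(key)


def _keystream(root: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the root key and a per-key label."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(root + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_key(root: bytes, label: bytes, content_key: bytes) -> bytes:
    """Encrypt a content key under root and append an HMAC tag over it."""
    ks = _keystream(root, label, len(content_key))
    ct = bytes(a ^ b for a, b in zip(content_key, ks))
    tag = hmac.new(root, label + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unwrap_key(root: bytes, label: bytes, blob: bytes):
    """Return the content key, or None if the tag does not verify under root."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(root, label + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(root, label, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def brute_force_repeating_root(label: bytes, blob: bytes, key_len: int = 16):
    """Try every repeating-byte key of the given length: 256 candidates total.

    The authentication tag acts as the known-answer check that tells us which
    candidate is the real root key.
    """
    for b in range(256):
        candidate = bytes([b]) * key_len
        if unwrap_key(candidate, label, blob) is not None:
            return candidate
    return None


def recover_all_content_keys(wrapped: dict, key_len: int = 16):
    """Recover the root from any one wrapped blob, then unwrap all of them."""
    first_label, first_blob = next(iter(wrapped.items()))
    root = brute_force_repeating_root(first_label, first_blob, key_len)
    if root is None:
        return None, {}
    return root, {lbl: unwrap_key(root, lbl, blob) for lbl, blob in wrapped.items()}


def demo() -> dict:
    """Build a small hierarchy under a repeating-byte root and break it."""
    root = b"\x5a" * 16  # constructed weak root key (every byte identical)
    content_keys = {  # constructed sample content keys
        b"game.self": bytes(range(16)),
        b"os0.kernel": bytes(range(16, 32)),
        b"vs0.app": bytes(range(32, 48)),
    }
    wrapped = {lbl: wrap_key(root, lbl, k) for lbl, k in content_keys.items()}
    found_root, recovered = recover_all_content_keys(wrapped)
    return {
        "weak_flagged": is_repeating_byte_key(root),
        "root_recovered": found_root == root,
        "all_keys_recovered": recovered == content_keys,
    }


if __name__ == "__main__":
    print(demo())
```

Against a root key with full 128-bit entropy the same `brute_force_repeating_root` loop finds nothing, which is exactly what the weak-key check in `is_repeating_byte_key` is there to guarantee before anything ships.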
What Got Released By Team Molecule? What Can The Regular End-User Get Out Of This?
Shortly after the talk, Team Molecule released:
Now that the Vita’s security has been blown wide open, some interesting stuff may be released but till then you can enjoy some F00D memes 🙂 Alternatively, you can read the talk’s slides!
While all the above is an excellent feat and great reading material, the question on many people’s minds is what regular end-users could get out of this. Unfortunately, this question hasn’t been directly tackled, but it could lead to the ability to install DEX firmware on retail units, possible FW downgrading (probably on already exploited firmwares) and possibly more.
That being said, hacked PSVita consoles can probably already do most things that regular end-users could ever dream of so there might not be too much that could come as a result of this for most users. On the other hand, there’s another interesting development relating to the Vita and that’s xerpi’s efforts to get Linux running on it which could, eventually, translate into some cool stuff for the end-user!
If you’re interested in Vita hacking or just security in general, I would personally recommend you watch the recording of the “Viva la Vita Vida” talk as it’s very interesting and quite fun.
Furthermore, it doesn’t require any knowledge of security so if you can easily understand English and have some basic knowledge in Computing, you’ll be able to understand most of it!
For further information about Vita hacking, I personally suggest you check out these Twitter accounts:
I'm a girl that's liked technology from day 1. Mostly interested in the PSVita/PSP scene but I've always modded my stuff when it's possible, that is :) Contact me via DM at @KawaiiAuroraA on Twitter if you have any questions/concerns about my articles or if you have any article requests.