A couple of months ago, we all saw the reveal of several low-level breakthroughs in Vita hacking, such as the “octopus” F00D exploit, BootROM exploitation through voltage glitching, and more. A “master key” was unveiled, and several new opportunities such as reF00D and memory card readers became possible. But was it truly the end for PS Vita security?
As we learn from the new article published by hacker Yifan Lu on his blog, it wasn’t there just yet. One could already say so, given how the 3.70 firmware update changed the above “master key”, and even though it was possible to recover the new one using the glitching setup and crypto engine vulnerabilities, there was no direct knowledge of one of the console’s biggest secrets: hardware keyslots. After all, if something is changeable, there has to be something else above to protect it. Something permanent. And as soon as it’s found, the protection is no more.
What do “hardware keys” mean?
Hardware keys are cryptographic keys that are stored in such a way that only special crypto hardware on the Vita can access and operate with them. Naturally, such keys are permanently fused onto physical components of the hardware (so they can not be changed, and are extremely difficult to obtain through external observation). Here is how Yifan Lu describes their purpose, and the motivation towards finding them:
If we want to see how content (games, data, firmware, updates, etc) is decrypted, we have to look at the F00D processor, which is a satellite processor that handles all the cryptographic and security critical tasks. F00D runs on a largely undocumented architecture but we were able to hack it in due time. However, even hacking F00D is not enough to fully “own" the system. There are many cryptographic keys inside F00D code, but the most important keys including the ones that decrypt the bootloader are hidden away in the silicon and only accessible by the hardware AES engine we call Bigmac. There are 250 of these keyslots. 30 of these keys are called “meta" or “master" keys because Bigmac is only allowed to use them to encrypt data to another keyslot (i.e. to derive keys). It is not possible to directly use the master keys to encrypt data and see the ciphertext.
Most of the keyslots (including all the master keys) are locked before the bootloader is executed. That means only the boot ROM is allowed to use them in Bigmac. So, to summarize the roadmap, here is what we had to have hacked before even getting to this point: WebKit to gain initial execution, ARM kernel, ARM TrustZone, F00D kernel, and F00D boot ROM. Starting from scratch, it took us six years to get to this point and with the exception of F00D boot ROM, it was all done with software vulnerabilities. (We have dumped all our knowledge in a community-maintained wiki.) A reasonable observer might wonder what the point of all this is. For all practical purposes, hacking ARM kernel is enough to jailbreak the system, run homebrew and mods, and (unfortunately) pirate games. However, the reasonable observer would likely have no fun at CTF events. Six years ago, I set an arbitrary goal for myself: to get the decryption key for the bootloader. The idea is that if we can decrypt the first piece of loadable code, then there is nothing Sony can do to hide code in future updates. Later on, this “root decryption" key gained a name: slot 0x208 (a meta key). This post is on capturing that final flag, the last leg of this six year journey.
Attacks on the crypto engine
In his blog post, Yifan Lu provides an extensive description of the methods used to attack hardware AES and obtain the keys. It even comes with an academic paper that goes into technical details of the attack, and how it works to exploit the Vita’s keyslots, with a good bit of linear algebra in-between.
The series of attempts started in January 2019 on his Twitch channel. The original focus was on performing the so-called DPA (differential power analysis) attack, which consists in analyzing the power consumption of the crypto engine while it is running an encryption or decryption process in order to retrieve the key. Faced with issues such as large amounts of external and internal noise, this method had to be abandoned. However, some of the discoveries made during the tests proved useful in the implementation of another method called DFA (differential fault analysis). This latter type of attack focuses on introducing minuscule corruptions, or “faults”, at specific stages of the AES encryption/decryption process, which, after being processed in large quantities using scientifically established algorithms, can eventually lead to the discovery of the complete encryption key. DFA proved successful, and Yifan Lu has been able to dump pretty much all hardware-only keyslots found on the Vita.
(The note about becoming a Switch hacker was a joke.)
How is this useful in the end?
Below are some, but not all, of the practical advantages gained by this research.
The direct result of this accomplishment is that all components of the PS Vita system software, as well as other software such as games, are now permanently decryptable, no matter what changes Sony decides to make in future firmware updates. It also considerably simplifies the process of decrypting new firmware files standalone (e.g. on a PC) without having to perform the hardware attacks to find the master keys every time. Decryption of firmware files ensures that hackers always have access to finding more vulnerabilities and other goodies in newer Sony updates. This includes, but is not limited to, always being able to spoof the latest firmware (in all of its senses) in case Sony re-introduces harsh verification measures for activating your console and downloading content from the PSN.
For anyone working on emulating the PS Vita, as well as creating open software and hardware to interface with its storage media, this opens the doors to their proper implementation and removes much of the dependency on a real PS Vita to do its job. For example, standalone dumps and creation of authenticated SD game carts, as well as Sony memory cards, are now much closer possibilities given that the crypto barrier is effectively removed.
This also removes the need in F00D-level and BootROM-level code execution exploits in order to perform most crypto tasks. However, some of the hardware keys are device-specific, so the aforementioned attacks technically have to be performed on every single device in order to get them. Among those are your NAND (internal memory) decryption key and the key used to uniquely encrypt the idstorage (which securely stores information identifying your Vita). The latter still warrants F00D-level code execution as the most practical way to clone (decrypt and re-encrypt) an idstorage from one console to another, which is currently thought to be one of the ways to lower the “Factory Firmware” requirement in the recently released modoru downgrading utility.
Will this help with 3.69+ hacks?
While this does mean that the Vita is completely “owned”, there is still a distinction to make between being able to decrypt code and being able to execute it on the device. The latter heavily relies on another type of security called “asymmetric cryptography”, which, when implemented properly, is impossible to break without pure brute-force (because it relies on private signing keys that only Sony themselves have). Therefore the only “universal” way to run code on any firmware is via Yifan’s BootROM glitching, which technically gives you the freedom to run almost anything you want on your device, all the while being a very impractical “modchip on steroids” solution. As it stands, the most accessible ways to hack your Vita and run HENkaku on it are still software-triggered exploit chains such as h-encore, and you still have to wait for new exploit chains to be released for your firmware. This was previously mentioned in the context of a possible F00D hack: hacking lower levels of the PS Vita security is not directly associated with what we understand as a “Vita CFW”, but mostly serves the purpose of demonstrating how to crack even the toughest “nuts” of the device’s security.
All in all, while not being of any obvious benefit to the end user, this is a serious technological achievement. It demonstrates to what lengths console manufacturers can go to secure their devices, and what effort hackers need to put into cracking all of the protections. Experience gained hacking the PS Vita may eventually be useful when new, potentially more secure consumer devices come to the market, and it reinforces the natural desire for knowledge that drives so many researchers to do their job.
It is worth noting, however, that (for legal reasons) the hardware keys will not be released by Team Molecule. This is why Yifan Lu has only posted hashes and not the keys themselves. Fortunately, all the tools used for this endeavor are publicly available on Team Molecule’s GitHub, so anyone who is keen on obtaining such secrets can now try and reproduce the setup at home.
Last but not least: even though this is the end of the Vita journey, there may still be more reveals that we can look forward to…
Interested in console hacking since the days of the PlayStation Portable.