Finding the memory layout of the vita?

[yifanlu]

I've always wondered how hackers on a new platform make use of stack overflows when they don't know the memory layout? It is required that they do a hardware RAM dump? But what if the RAM is encrypted? It seems like a chicken and egg problem to me. It feels like the top priority for the vita community is to get a memory dump. (or is there another way to hack a device without knowing the memory layout?)

[wololo]

I am not sure either. In the case of the psp, I think the first hello world simply "worked" as a basic mips elf file, and that led to lots of discoveries. We won't have that luxury on the Vita...

[m0skit0]

Hardware hacking. Get the RAM, input to some microchip and test all addresses.

[wololo]

On that subject, the book "Hacking the XBox" is a very interesting reading.

But Yifanlu is right, isn't it possible that the ram is encrypted?

[m0skit0]

RAM encrypted? I don't think so, and never heard of such a thing. How would a processor execute encrypted instructions? Encrypted instructions are not valid instructions. There has to be a RAM with full decrypted instructions at least. I'm pretty sure there's no encrypted RAM as that would slow the whole system A LOT.

[rafael707]

so we need some type of "progskeet board" like for the ps3, and find the layout pins for the RAM in order to dump it??

sounds alot like what happened to the PS3 xD

[m0skit0]

Well you don't need any specific board. But yes, that's it... Assuming the RAM is easily accessable...

[JJS]

Isn't at least the user memory encrypted in an Xbox 360? I thought I would have read something like that before and a quick googling reveals this http://www.securityfocus.com/archive/1/461489 , which supports the theory.

I would say encrypted RAM should be no big deal if you have large on-die caches. There is no way to read them because you cannot sniff any bus and they might very well be able to hold all relevant code in an already decrypted form. But I guess this is going off-topic.

[m0skit0]

Isn't at least the user memory encrypted in an Xbox 360? I thought I would have read something like that before and a quick googling reveals this http://www.securityfocus.com/archive/1/461489 , which supports the theory.

Nice link, thanks JJS, didn't know that.

I would say encrypted RAM should be no big deal if you have large on-die caches.

You still need to decrypt the stuff before handling to cache, and that's one additional step, which makes the machine slower. And also that means you can sniff the data being sent to the cache. Another scenario would be having the code decrypted at the cache level.

Anyway, even if encrypted, that's not an impediment to figure out the memory map layout.

[yifanlu]

I hope that the RAM isn't encrypted, logically, it wouldn't, as that would use precious battery and cpu cycles that wouldn't be an issue a console. But then again, it is freedom fearing Sony.

Let's assume isn't encrypted. That means someone needs to do a hardware RAM dump in the worse case. I don't want to sound like I have any authority, but I think our top priority should be doing this as most exploits will be untestable and unusable without knowing where the stack is and how to get to the framebuffer and etc.

Now another option is somehow getting unsigned code to run that is not a buffer overflow exploit (I would think this is harder as you have to somehow get the device to load a binary willingly. Is it too much to wish for a hidden debug mode? Maybe someone can get their hands on an official devkit and use debugging features to find memory layout?).

Another option might be to look for jtag (or similar) debug ports. The vita uses proprietary soc but uses the cortex a9 cpu. IMO, this might be just as hard as dumping the memory.

Now people with more knowledge should correct me if I'm wrong, but most if not all the "first" console hack required a hardware hack of some sort right? Because only after extracting system software and/or hardware information can the developers work on "user level" exploits.

Oh, and I guess I'm Asking this because there is a chance I found a buffer overflow in vita code. However before you get your hopes up, some other explanations for the system freeze that I found could be because of a bad error handling, an intended protection mechanism, or just an unexploitable bug. The only reason I even suspect stack overflow is because it involved large inputs.