Finding the memory layout of the vita?

[wololo]

Advertising

Sony must be damn proud of their security staff

I don't know, they're not doing anything magic. We haven't seriously started investigating software bugs on the vita because we are missing the hardware information, but that will come with time. Several interesting crashes have already been sent to me. The "security" team should not only secure the hardware, but the software too. Sony is a Japanese hardware company, if my experience in Japan is relevant, this means they treat their hardware engineers like kings, and they treat their software engineers as code monkeys (low salary, and "anybody can code, it doesn't require any special skills" type of thinking). The result is what you can experience on any Sony device: great hardware with terrible software (e.g.: PSP, PS3, Vaio computers). This also means critical bugs.

When a 3rd party developer creates a Vita game, can they sign their software for play on the Vita with what they have, or do they have to send it to Sony to sign it for them?

Based on the experience with the PSP and the PS3, most likely devs have a special test unit on which they can run their work in progress.

With the playstation suite, my understanding is that you can only test within an emulator... but maybe they will offer a system like what apple has (can "sign" the code for up to 5 devices for testing purpose). Of course difficult for me to say since I never made it to the beta (not sure why they rejected me) and also because I heard the playstation suite is actually not ready for the vita yet.

[sss0]

Advertising

Now people with more knowledge should correct me if I'm wrong, but most if not all the "first" console hack required a hardware hack of some sort right? Because only after extracting system software and/or hardware information can the developers work on "user level" exploits.

Right, this sounds correct. The first hello world on the psp was done by Nem, who was, at the core, a hardware hacker.
http://forums.ps2dev.org/viewtopic.php?t=1570
http://forums.ps2dev.org/viewtopic.php?t=1599

This was largely helped by the fact that firmware 1.0 could run unencrypted binaries.

I wonder why so few people remember nem...
He is the truly "father" of psp hacking

[wololo]

I wonder why so few people remember nem...

I think it's because most people who are on the PSP scene now didn't even know what a PSP was when Nem was active. This was, after all, 7 years ago (god, now I feel kinda old).

But, yeah, in order to try and be back on topic, I think we need similar investigation from hardware hackers before we can dig into software hack.

[dimy93]

The result is what you can experience on any Sony device: great hardware with terrible software (e.g.: PSP, PS3, Vaio computers). This also means critical bugs.

totally agree but hardware securities can take time to be bypassed
btw many software bugs are already there without even being caused by any hacker,when the hackers actually start looking for some on purpose there are going to be a lot more
btw2 hey wololo do you work in Japan you seem to have experience on the subject

[yifanlu]

Ok, here's a crazy idea.

Remember a while ago, we heard that "beta" Vita packages can be decrypted & extracted with the PSP's AES keys? Well, what if we analyze the binaries in these packages. They could provide some information like where they are loaded in memory, for example.

Now the problem is, I looked everywhere, and nobody has a link to these decrypt-able packages. I found thousands of links to "PSVita package decrypting programs" and sites claiming that with it, the Vita has been "hacked" and how sony is "screwed", but nowhere are there links to these packages.

Finally, I found this: http://www.vitadevwiki.com/index.php?ti ... ages_(.PKG) which gives two multiupload links. Unfortunately, they are down.

So, does anyone actually have decrypt-able files? If so, can you share (or if that's not allowed, PM me). Thanks.

[dimy93]

multiupload is down since megaupload is -it was such a good hosting
I'm sure that if such files exist there are carefully stored on some hacker's PC
btw am I right that even fully decrypted fw would be useless without the needed hardware information?

[yifanlu]

multiupload is down since megaupload is -it was such a good hosting
I'm sure that if such files exist there are carefully stored on some hacker's PC
btw am I right that even fully decrypted fw would be useless without the needed hardware information?

It depends. Most likely, these files will provide no new information. But there is a chance that maybe it refers to a certain area of memory that is important. Maybe it tells us that no ASLR is implemented and we have a static stack location (which would be awesome). It doesn't hurt to take a look.

Also, I assume that these old-key signed vita packages won't run on 1.61, right. Anyone tried installing a old-key signed package on the vita? What if the stars aligned and it somehow ran because sony forgot to remove the old keys?

[m0skit0]

Now the problem is, I looked everywhere, and nobody has a link to these decrypt-able packages. I found thousands of links to "PSVita package decrypting programs" and sites claiming that with it, the Vita has been "hacked" and how sony is "screwed", but nowhere are there links to these packages.

That has a common name: fake.

what if we analyze the binaries in these packages. They could provide some information like where they are loaded in memory, for example.

They will most likely be using relocation (like PSP's PRXs), so no info on where they're loaded in memory. The OS can load them anywhere it wants.

[yifanlu]

Now the problem is, I looked everywhere, and nobody has a link to these decrypt-able packages. I found thousands of links to "PSVita package decrypting programs" and sites claiming that with it, the Vita has been "hacked" and how sony is "screwed", but nowhere are there links to these packages.

That has a common name: fake.

what if we analyze the binaries in these packages. They could provide some information like where they are loaded in memory, for example.

They will most likely be using relocation (like PSP's PRXs), so no info on where they're loaded in memory. The OS can load them anywhere it wants.

Doesn't the EBOOT.BIN on the PS3 use the ELF format? If the Vita does the same, we can use the program headers in the elf files.

[sss0]

That has a common name: fake.

It was actually PSV Beta/Retail (<1.00) packages decryption programs. These packages were encrypted with the PSP AES PKG Key, which is available.

I wonder what happened to this, though: http://streetskaterfu.blogspot.com.br/2 ... -flaw.html
I remember SKFU stating that he could decrypt/encrypt PSV savedata... But I don't know if he's trustworthy... Such a thing could probably be used for a buffer overflow, couldn't it? Not an exploit, as we don't have the memory layout, but at least a crash.
It could possibly be a fake too and that was actually a Beta package that he decrypted with the PSP key. Again, I don't know if SKFU is trustworthy