Last week, the shock of a Day1 exploit on the Playstation Vita generated lots of buzz, discussions, and other various related events (Kim Jong Il couldn’t take it anymore and decided that living in a world where consoles get hacked on the day of their release was not worth it)

Now, as I said before, don’t get your hopes too high, as this is not really a Vita exploit rather than a PSP exploit within the sandboxed emulator. That being said, in the current state of our knowledge, there is strong hope that this could lead to PSP homebrew running on the vita, possibly through HBL. Developer Teck4, with the help of J416, plans to try and port HBL to this exploit. J416 was the first person to adapt HBL to a new game after we released it publicly for the patapon exploit, so I’m confident that the task is in good hands. I will of course do my best on my side to see if I can help solve some of the issues along the way.

That exploit set aside, I had the opportunity to look quickly at the PS Vita in the past few days. I don’t have the free time I wish I had to test everything within a few days, but what I can say so far is that Sony intends this console to be as secure as possible.

technical protections

Sony introduced not one but two new formats of memory cards for the Vita. As explained by a spokesperson from the Hardware division at Sony, this is part of a plan to make piracy more difficult. Until the format of the cards is reverse engineered, no reader will exist to try and read/write what’s on those cards. It is arguable why Sony added two new formats instead of one, although the paranoid guy inside of me thinks it’s to prevent piracy as much as possible (manufacturers will probably focus their efforts on duplicating the read/write cards rather than the PSVita cards)

In order to make this even more efficient, Sony removed one of the key features of the PSP: the possibility to use it as a USB drive when you plug in to a computer. Instead, a piece of software (the content management assistant) needs to be run on your PC and your PS Vita, which will allow you to import files from the PC to the Vita. I will give details on that piece of crapware tool from a user’s perspective in another post (hint: it’s very bad), but from a security point of view, this is a strong system. Unlike the iTunes pattern where iTunes runs on your computer and copies files to your iPhone, the “contents management assistant” runs on the PS Vita while your PC is just a fairly passive client. This is clever because a PC binary could have easily been decompiled, analyzed, and modified, but in this case, the Vita is the one that chooses which files go in, which files don’t. I can already foresee updates coming to that tool for every hack we will find involving the copy of files to the Vita.

The Content management assistant...yuck

In other words, Sony made it practically impossible to copy anything to the Vita, besides a very restricted list of file formats: jpg, png, tiff, mp3, wav, PSP savedata, psp games/apps, vita games/apps. The PSP/Vita games of course need to be correctly signed and packaged in the vita format (forget about your PSP homebrews for now), and potentially already linked one way or another to your Vita account. Bottom line: forget about using it as a convenient storage format, that super expensive memory card you bought for the Vita will be used exclusively to store stuff you buy on the Playstation Store. For the hackers, it means that attack vectors are limited.

Additionally, it seems the memory cards are tightly linked to the system itself. When a memory card is inserted/removed, the system requires a restart before being able to use the card. Is it in order to prevent some of the clever hacks that appeared in the early days of the PSP, and that consisted in quickly swapping 2 memory sticks? Whatever reason that is, it is highly probable that the data on the card is entirely encrypted, and bound to the playstation network account (which would be why switching accounts require a different memory card?).

I quickly tried some of the old crashes and exploits that were lying on my hard drives. Some of these involved for example mp3 files or image files… None of them was fully exploited, but I wanted to see the results on the Vita. So far all my “damaged” files that would make the PSP crash or display “hello world” types of messages are recognized as “corrupted” by the tool. It still agrees to copy damaged audio or photo files to the console, but simply refuses for games.

Legal protections

As mentioned before, the Terms and Conditions of the PS Vita are fairly restrictive. The “funny” part in particular is this one:

You may not
(i) use any unauthorized, illegal, counterfeit or modified hardware or software with System Software;

(ii) use tools to bypass, disable or circumvent any PS Vita encryption, security or authentication mechanism;

(iii) re-install earlier versions of the System Software (“downgrading”),

(iv) violate any laws, regulations or statutes or rights of SCE or third parties in connection with your access to or use of System Software; (v) use any hardware or software to cause System Software to accept or use unauthorized, illegal or pirated software or hardware;

(vi) obtain System Software in any manner other than through SCE’s authorized distribution methods; or

(vii) exploit System Software in any manner other than to use it with your PS Vita according to the accompanying documentation and with authorized software or hardware, including use of System Software to design, develop, update or distribute unauthorized software or hardware for use in connection with the PS Vita.

These restrictions will be construed to apply to the greatest extent permitted by the law in your jurisdiction.

The legality of this contract is doubtful, and this section is actually entirely illegal in some countries (at least in France as far as I know), but in some third-world countries where strong individual censorship is enforced such as the United States, this kind of contract has sometimes been used successfully in court.

There’s no choice but to accept that contract on the Vita as soon as you want to use the playstation store, which is the only way to acquire PSP games on the system. Hackers living in the US who would want to look for vulnerabilities in PSP games will need to take that into account.

On top of that, and as I mentioned a while ago, Sony is “learning” from some of their mistakes, and any firmware upgrade now contractually prevents US citizen from suing Sony in a class action, without some major constraints (this is in response to the class action suit that was taken against Sony for removing OtherOS from the PS3 in a firmware update). To be honest I don’t live in the US and I fell asleep in the middle of the second sentence, so I don’t know exactly what this does, I just find it creepy that there are countries in the world were Sony can change the way people can access their own country’s legal system…

The following terms in this Section 8, to the fullest extent permitted under law, only apply to you if you are a resident of the United States or a country in North, Central or South America.
[…]

If you have a Dispute with any Sony Entity or a Sony Entity’s officers, directors, employees and agents (“Adverse Sony Entity”) that cannot be resolved through negotiation as required as further described below. Other than those matters listed in the Exclusions from Arbitration clause, you and the Adverse Sony Entity must seek resolution of the Dispute only through arbitration of that Dispute according to Section 8′s terms and not litigate that Dispute in court. Arbitration means that the Dispute will be resolved by a neutral arbitrator instead of in a court by a judge or jury.
[…]

IF YOU DO NOT WISH TO BE BOUND BY THE BINDING ARBITRATION AND CLASS ACTION WAIVER IN THIS SECTION 8, YOU MUST NOTIFY SCE IN WRITING WITHIN 30 DAYS OF THE DATE THAT YOU ACCEPT THIS AGREEMENT. YOUR WRITTEN NOTIFICATION MUST BE MAILED TO SONY COMPUTER ENTERTAINMENT INC. CARE OF SONY COMPUTER ENTERTAINMENT AMERICA LLC, 919 EAST HILLSDALE BLVD., FOSTER CITY, CA 94404, ATTN: LEGAL DEPARTMENT – WAIVER AND MUST INCLUDE: (1) YOUR NAME, (2) YOUR ADDRESS, (3) YOUR PLAYSTATION®NETWORK ID, IF YOU HAVE ONE, AND (4) A CLEAR STATEMENT THAT YOU DO NOT WISH TO RESOLVE DISPUTES WITH ANY SONY ENTITY THROUGH ARBITRATION.

IF YOU HAVE A DISPUTE WITH ANY SONY ENTITY, YOU MUST SEND WRITTEN NOTICE TO SONY COMPUTER ENTERTAINMENT INC. CARE OF SONY COMPUTER ENTERTAINMENT AMERICA LLC, 919 EAST HILLSDALE BLVD., FOSTER CITY, CA 94404 ATTN: LEGAL DEPARTMENT – DISPUTE RESOLUTION TO GIVE THE ADVERSE SONY ENTITY AN OPPORTUNITY TO RESOLVE THE DISPUTE INFORMALLY THROUGH NEGOTIATION.

[…]
ANY DISPUTE RESOLUTION PROCEEDINGS, WHETHER IN ARBITRATION OR COURT, WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS OR REPRESENTATIVE ACTION OR AS A NAMED OR UNNAMED MEMBER IN A CLASS, CONSOLIDATED, REPRESENTATIVE OR PRIVATE ATTORNEY GENERAL ACTION, UNLESS BOTH YOU AND THE ADVERSE SONY ENTITY SPECIFICALLY AGREE TO DO SO IN WRITING FOLLOWING INITIATION OF THE ARBITRATION.

[…]

This Section 8 survives this Agreement’s termination.

What’s next?

This is only the surface of the security on the PS Vita. As we dig more, we will find more security, get more specific information about the system, find stronger locks, but also, who knows, weaknesses.

Sony are protecting their assets with any possible way. Personally I would have preferred if they had spent less time on security/legal terms and more time on making good games (*cough* ridge racer sucks *cough*), but given that they are probably today in the “hate list” of many hackers in the world, it’s understandable that they had to think about it a little bit.

Putting files (homebrews) on the Vita system seems to be the most interesting challenge for now. Clearly, updates to the content management tool will protect the console from hacks involving the copy of some specific files to the system, and that tool overall makes it fairly difficult to copy homebrews to the console. On that part, the help of hardware hacks will probably be needed, but I’m confident that Datel and the likes will be trying to provide third party memory cards as soon as possible… Or maybe other vectors such as the PS3 connectivity could be leveraged.

From the legal point of view…well basically until the US change their laws against reverse engineering, Sony is sending the message that they are not done harassing hackers if they find it’s the only way to protect their business. Those interesting to see details about how bad that can go can read the legal section of the excellent book “Hacking the XBox” (Disclaimer: affiliate link). Good times ahead…