Native Vita Hacking: What’s the situation so far? (Part 1)
As I said in previous posts, I’m leaving behind ePSP development in favor of native Vita hacking; it was one of the reasons I gave a helping hand to qwikrazor87 in fully destroying the PSP/ePSP scene a few days ago.
The PSP is a system from 2004 and any new development in it is just beating the same old dead horse, so it was time this site finally moved on. So with that said, what’s the current situation of Vita Native hacking and why do we not see that much information floating around?
It’s no secret that the Vita is a damn well secured device, it implements quite a few security measures that make it really hard to hack and execute code, but, yifanlu once said it best:
So what is WebKit, why is it so important for Vita hacking, and, more importantly, how do WebKit exploits work?
Webkit is an open source web browser engine used by most web browsers today to render web pages.
Since it’s open source and widely used by many big browsers like Chrome and Safari, it’s really common to find webkit in proprietary embedded devices like gaming consoles, and normally it is an older, more exploitable version. Did I mention the Vita uses webkit?
This basically means that we have the source code for a piece of software the Vita uses, one with a long history of exploitable bugs giving code execution, or at the very least the ability to run a ROP chain. On top of that, we don’t even have to find the bugs ourselves: there are lots of devs and researchers outside the scene who make a living out of finding effective WebKit exploits.
But how do these exploits work? We’re not talking about PSP usermode exploits that rely on buffer overflows, or PSP kernel exploits that rely on missing checks or flawed implementations; WebKit exploits usually rely on so-called use-after-free bugs.
Use-after-free essentially means a pointer is used after the memory it references has been freed. Here’s a very basic piece of code showing the idea:
```c
#include <stdlib.h>
int main(void) {
    int* pointer = (int*)malloc(sizeof(int)); // we allocate a region of the heap
    *pointer = 0; // we use the allocated space
    free(pointer); // we free the area we allocated previously
    *pointer = 1; // we use the pointer even after it has been freed
}
```
This code causes what’s known as undefined behaviour: nothing at all might happen, or the entire program might crash, or the write might land in memory that has since been handed out to something else.
Of course WebKit’s code doesn’t do this intentionally; a bunch of things need to happen for this scenario to take place, and we need to make them happen ourselves. To do that we make use of one of WebKit’s features: JavaScript.
JavaScript lets us drive the underlying C++ objects and their functionality, which is what allows us to trigger a UAF. But how do we use a UAF to our advantage? Well, first we need to understand how C++ classes work.
C++ classes are represented by a structure in a manner similar to this:
```c
#define MEMBERS 4 /* placeholder count so the struct compiles; not from the original */
typedef struct _myClass_ {
    void* vtable[MEMBERS]; // pointers to the class's members
    // actual data here
} myClass;
```
A C++ class has an array called the virtual table, which contains pointers to all the members of the class (be they attributes or methods). When you pass a pointer to a class to one of its methods, this virtual table is reconstructed so the pointers point to the needed data at the needed offsets in the vtable; this is what allows class inheritance and polymorphism.
When a UAF is triggered, the vtable can be sprayed with data so we have control over the pointers; hopefully one of them is a pointer to a method, and hopefully that method gets called and the system jumps to our specified address. Hopefully we also spray a pointer to an attribute that gets loaded, giving us control over a register or two.
Unfortunately we have something called the NX bit that prevents us from executing instructions at an address not marked as executable, so where do we go from here? A ROP chain, but that’s to be explained in another blog post.
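To make the two ideas above concrete, here is an added example (my own, not code from the original post or from WebKit) that models a C++-style object in plain C: the object starts with a pointer to a table of function pointers, and every method call goes through that indirect pointer. It also shows the defensive pattern that keeps the earlier snippet from becoming a use-after-free: the destroy routine takes the address of the caller’s handle and nulls it, so a later use hits a NULL check instead of dereferencing freed memory. All names (`Shape`, `ShapeVTable`, `shape_destroy`, and so on) are illustrative assumptions.

```c
/* Added example: a hand-rolled vtable plus a "destroy and null the handle"
 * pattern. Illustrative only; names are not from the original post. */
#include <stdio.h>
#include <stdlib.h>

struct Shape;  /* forward declaration so the vtable can refer to it */

/* The virtual table: one function pointer per virtual method. A real C++
 * object holds a single pointer to a table like this, shared by every
 * instance of the same class. */
typedef struct ShapeVTable {
    double (*area)(const struct Shape *self);
    const char *(*name)(const struct Shape *self);
} ShapeVTable;

typedef struct Shape {
    const ShapeVTable *vtable;  /* first field: the vtable pointer */
    double a, b;                /* data members */
} Shape;

static double rect_area(const Shape *s) { return s->a * s->b; }
static const char *rect_name(const Shape *s) { (void)s; return "rect"; }
static double tri_area(const Shape *s) { return 0.5 * s->a * s->b; }
static const char *tri_name(const Shape *s) { (void)s; return "triangle"; }

static const ShapeVTable RECT_VT = { rect_area, rect_name };
static const ShapeVTable TRI_VT  = { tri_area,  tri_name };

Shape *shape_new(const ShapeVTable *vt, double a, double b) {
    Shape *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->vtable = vt;
    s->a = a;
    s->b = b;
    return s;
}

/* Virtual dispatch: read the vtable pointer out of the object, then call
 * through it. This indirect call is the reason a dangling object pointer
 * is dangerous: whatever now occupies the freed memory decides where the
 * call goes. */
double shape_area(const Shape *s) { return s->vtable->area(s); }

/* Destroy the object and clear the caller's handle. Taking Shape** lets us
 * null the caller's pointer, so a later use is caught by shape_area_checked
 * instead of being undefined behaviour. */
void shape_destroy(Shape **handle) {
    if (handle && *handle) {
        free(*handle);
        *handle = NULL;
    }
}

/* Returns -1.0 for a destroyed (NULL) handle, otherwise the area. */
double shape_area_checked(const Shape *s) {
    if (s == NULL) return -1.0;
    return shape_area(s);
}

/* Create, dispatch once, destroy. Returns the computed area. */
double area_of(const ShapeVTable *vt, double a, double b) {
    Shape *s = shape_new(vt, a, b);
    if (!s) return -1.0;
    double result = shape_area(s);
    shape_destroy(&s);
    return result;
}

/* Self-check: returns 1 when dispatch works and the destroyed handle is
 * caught, 0 otherwise. */
int lifecycle_check(void) {
    Shape *r = shape_new(&RECT_VT, 3.0, 4.0);
    if (!r || shape_area(r) != 12.0) return 0;
    shape_destroy(&r);
    if (r != NULL) return 0;                 /* handle must be nulled */
    return shape_area_checked(r) == -1.0;    /* safe failure, not a UAF */
}

int main(void) {
    Shape *r = shape_new(&RECT_VT, 3.0, 4.0);
    printf("%s area = %.1f\n", r->vtable->name(r), shape_area(r));
    shape_destroy(&r);
    printf("after destroy: %.1f\n", shape_area_checked(r));
    printf("lifecycle ok: %d\n", lifecycle_check());
    return 0;
}
```

The point of `shape_destroy(Shape **)` is that the dangling pointer in the original snippet only exists because `free` cannot reach the caller’s variable; passing the variable’s address removes that gap. It does not help with copies of the pointer held elsewhere, which is exactly the situation a browser engine’s object graph creates, and why tools such as AddressSanitizer are the practical way to catch the remaining cases during testing.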
Thanks for explaining the situation.
I now understand that in order to discover native Vita hacks, it was necessary to release over 50 Working VHBL exploits.
By releasing these exploits, you guys now have more time to look up native hacks.
It’s not like you could have just stopped working on PSP exploits since there were over 50 completed exploits, and released them one by one every time a new system update got released.
Instead, it was necessary to waste them all on this single firmware.
Brilliant
It helps that Sony’s apparently given up on pulling the games from the store since so there are so many games exploited at once, giving even more people a chance to put PSP homebrew on their Vitas.
Dude, he can’t even admit fault. He’s certainly not going to admit that it was a mistake, since that would involve admitting more guilt than he’d like to feel.
Sorry if this is off topic. I have my Kingdom Hearts Birth By Sleep ISO and I’m having trouble installing it to my Vita. I’m able to install it but it has that gray default icon in the games folder of the XMB. It also has the name of the game I last installed, and when I try installing it, the game whose name it had gets uninstalled.
What I did was, I got the ISO and put it in my save data, copied it via CMA on PC and used PSP Filer to copy it to the ISO folder on the root of TN-V 10 (I also ran the Pro Update which I don’t think is necessary as I never used it again after) moral of it – Copy the ISO to the ISO folder on the ROOT of TN-V.
Awesome, I’ll try it later!
I had that same issue too, but I believe it was due to the installed ISO and the ISO I was installing both having the same filename, as when I changed the filename of one of the ISOs, both installed separately.
And I’ll try this first.
We shall remember Acid_Snake as the one who killed off what remains of PSVITA software support. Once PSVITA is hacked properly, idiots will pirate software and with warm sales WW, this will surely kill any support it has.
The one thing I liked about the PSP soft hacks was that it kept it away from a full native VITA hack. It gave people a thing to do with their “hacking” skills and enjoy emulators and such on the VITA. Now once this *** is done to the actual VITA, people will just pirate games and developers won’t want to show any type of support.
Not for nothing, Acid, but you will go down in history as the one who ruined the VITA scene and killed off dev support like it happened to the PSP.
http://youtu.be/_R6xCWcf_VU?t=2m13s
The only devs who regularly support the Vita are indie devs, unlike the PSP, which was more supported by Sony. Indie devs don’t have as much to lose as AAA devs, though that’s not to say piracy wouldn’t hurt them. I’m not trying to argue, I’m just saying that the Vita’s barely being kept alive.
It seems strange that these words are written by people who have a custom firmware for PSP. You could not do the same thing for the Vita? You could not go back to the development of native homebrew? Or do you have to stay back by force? Alex, this attitude seems a bit too “paid by Sony”. Previously he had disappeared from the scene.. UAHAuHua
Webkit exploits are certainly a start. Here’s to hoping we find a way to support the Vita ourselves, since Sony seems to be taking a hands-off approach to it.
Support!? U mean abusing software u didn’t pay for….yeah riiiiiiiiiiight! 😉
Excuse me? Hacking consoles for homebrew is never a “job”. No-one has to look for exploits, and Sony would rather they didn’t. Even if such an exploit was found, nothing has to be made of it, and no-one has to make it available to the public. Homebrew developers owe us nothing, they could be doing plenty of other things with their lives, but they want to do this, despite people like you.
When’s my next paycheck coming in boss?
*smirks*
“I’m leaving behind ePSP development in favor of native vita hacking, it was one of the reasons I gave a helping hand to qwikrazor87 into fully destroying the PSP/ePSP scene a few days ago.”
I’m sure people will be grateful once it’s 2017 and you still haven’t succeeded.
Guess you proved me wrong, dark knight.
That was really interesting. I look forward for part 2!
Well done, snake.
Given that sales for the Vita have been abysmal in the west, there is now even more of an incentive to completely hack the Vita. The Vita being unhackable as well as the proprietary memory cards is the main reason why sales are so low, combined with Sony’s nanny/surveillance like features (cma, mandatory kernel updates, etc) the only thing that can save the Vita is for it to be fully exploited.
Awesome read
very nice article, very interesting!
I don’t think I understood a word I read
Haha lol
So basically, the bomb last weekend was to try and force Vita devs to look for ways to natively hack the Vita?
I’m OK with this.
Pretty much, we saw the opportunity to finally end the ePSP scene and move on when qwikrazor87 leaked the first exploit. With the ePSP away, this should attract attention from devs that were interested in the Vita, but native part, not ePSP, and didn’t want to do anything cause all they were seeing was the same old PSP hacks.
Whether this is true or just a clever way to spin the story, it is sad that developers would avoid the Vita because the stuff they saw was too typical or not advanced enough. Sounds more like they just didn’t want to put in the effort unless they had to and that isn’t exactly the mindset for unpaid hobbies like console hacking. Again, assuming this is true.
Who is “we”? Also, if it doesn’t attract the attention of other devs, then it will basically have been a huge waste of a lot of work. I do hope this plan works out, though.
are you ***…. no I don’t think so, but please read the full comment
we are: acid_snake and quikrazor87
pretty much:
“we” the rest of the OILIX team, maybe other people
“qwikrazor87″=qwikrazor87
written on psvita itself, not the best keyboard as you can see.
You should first read before insulting someone. “We” is obviously not Acid_Snake and qwikrazor87. Why would he say “WE saw the opportunity … when QWIKRAZOR87 leaked…”? The way he was saying it, and the only way that makes sense, he was referring to quikrazor87 as a third party, and not a part of WE. Are you saying that qwikrazor87 was purposely taking part in ending the ePSP scene and is now moving on WITH Acid_Snake?
does this mean there will be no more exploits in the future? Fully behind you, don’t get me wrong, but “destroying” is not a beautiful word 😉
native hacking, okay
but what if the PS Vita says it cannot connect to the PC?
“gave a helping hand” lol
somehow I understood this, can’t wait for part 2
The leaks were not just an inside job, but handled by Acid Snake himself, to purposely destroy the ePSP scene? That’s some Watergate *** right there. Not that I care too much now. Now that I know that the leaks were part of a plan, I feel much better about the future of Homebrew on the Vita 😀
Awesome! but my nose is bleeding. lol.. let’s go for a native vita hack!
Continue this way guys! By the way, what is happening to PS3 hacking on models like CECH-3001b and sooner? Will it happen someday to have Rogero on those? I want it for playing PS2 games and using them on remote play on my Vita 🙂
What a way to push things forward and quit all this playing with this Vita PSP sandbox (my actual PSP does better with homebrew/emulators) lol. Time to see what a PS Vita can really do, lots of work ahead… Great article Acid Snake 🙂
respect for your work guys, I will wait for the next update.
Nice read. It sounds like you’ve got a clear plan ahead, just as long as you can get past the obstacles. Good luck to ya~
Also, completely unrelated, do PSP games running through exploit scale the same as a PSP game bought off PSN? I’ve heard Duodecim looked good on the Vita, but it seemed a bit pixelated to me running through exploit.
this is what I wanna hear.. I’ve really gotten tired of pointless VHBL because PSM is comparable or better for homebrewing with touchscreen and back touch support.
well, no native C/C++ though.
The King is dead (PSP), long live the King (Vita)!
Sony is shutting down / has shut down PSP support on the PS Store, and now the scene devs have killed off ePSP development… was this done on purpose, or is it just a big coincidence?
Only Obama has the answer to that question.
or me?
I hadn’t noticed that, interesting coincidence.
Can’t wait to see the first native Vita hack! Excited already lol
In C++ only inherited classes have a vtable pointer inside. Meaning that all non-polymorphic classes will never reference their methods anywhere. So I suppose your method explained above to exploit UAFs only works with classes that inherit from other classes.
Found this nice tutorial of a UAF exploit use in IE.
http://www.fuzzysecurity.com/tutorials/expDev/11.html
Anyway, about NX bit protection, is there a way to directly write the opcode region of the program itself (i.e. the browser)? In Windows you can do this from a DLL injected inside the program you want to modify, but probably the PS Vita does not allow such a thing, does it?
PS: I don’t know why my message was deleted. If it is related to the external link, please just tell me and I’ll remove it.
I rarely delete/remove messages; this happens only when the comment is obvious spam and totally unrelated to the discussion, and/or borderline illegal (racist, etc…). In your case there was no such issue, I think it was just the site’s cache playing tricks on you.
You also deleted my reply to this message :S
All C++ classes inherit from the class Object so they will end up having a vtable anyways.
Lol, your comment was shifted to the end of the comment loop, as was mine to yours :p.
There is no Object class in C++; only C# and Java have one. C++0x introduces the “auto” keyword as a wildcard type, but it has nothing in common with the “object” type in C# or Java.
Another update to Sony… you guys are really dumb! =)
Pirated Vita ISOs running on hacked hardware in a minimum of 5.5 years, you heard it here first, leeches.
All C++ classes inherit from the class Object, so they all have a virtual table.
If there is an exploit in usermode or kernel mode, will it make it possible to write a PS2 emulator? Does the Vita provide the hardware to do this?
Thanks Acid_Snake
There is no Object class in C++, only C# and Java have one.
Now that the Vita’s father (the PSP) is dead, maybe it left inheritance in its will =D
I think you’re confusing C++ with Java. There’s no “Object” class in C++, but there are vtables for all objects as defined by the language specs.
This sounds interesting. Nice to hear the leaks were planned and not some sort of temper tantrum like it first seemed.
That said, I wish anyone doing this all the luck. Can it be easily hacked by Sony, I wonder?
my idea of native hacking…
correct me if I’m wrong…
in their system hes the president.
in our system hes the slave of the lord.
I’ve been following yifan lu’s hardware hacking and like him I was trying eMMC dumping. I have had partial success but I’m all out of fresh bodies (Vita boards). I’m currently collecting Vitas for this purpose.
Umm partial success? You either dump it or you don’t… I don’t understand.
He gets an error around the 33% mark.
Well… I sort of understand what you are trying to do, but… the mechanism and implementation are, as we say in my country when we don’t understand something, a “Spanish village” to me. I wish you good luck and I hope that this change of course in the hacking community will attract other people… but there are just too many ifs, so I’m a bit skeptical. At least you didn’t quit after that incident… and that’s good… perhaps there is slim hope of progress now that the PS Vita is faring better than one year ago, especially in Japan… and with the Vita TV release in the west… which may attract more fresh and experienced blood, but still…
I’m really dumb, so please forgive the simple question: can Sony make dumb boxes like an Atari 2600 (except portable) and just sell cartridges for their games? Why even have downloadable games and a browser?
so in short, can we now hope to play PS Vita game backups?