HENkaku PS Vita 3.60 hack: Team molecule challenges hackers to reverse the hack
A few hours ahead of the HENkaku release, hacker Yifanlu taunted the scene, asking “worthy hackers” to reverse engineer the HENkaku exploit and figure it out. He promised a prize and more details to come.
8 hours to go. Might be asleep when it drops. We challenge any worthy hacker to reverse our stuff and figure it out. A big prize awaits 😉
— Yifan (@yifanlu) July 29, 2016
Now that the exploit is out, you have a shot at it.
You can access and investigate the exploit by accessing the official site (and its now famous install button) here. I personally don’t have the *cough* skills *cough* time to look into it myself, but it should be an interesting challenge for people with the right set of skills. (jeez, not you Liam Neeson, how many times do I have to tell you?)
Little is known about the HENkaku exploit, except that it relies at least on a Webkit vulnerability that was provided to team molecule by “an anonymous contributor”.

With that being said, famous PSP/PS3 hacker Mathieulh and hacker 173210 have already been sharing some of the secrets of the HENkaku exploit, as they apparently accepted the challenge:
@yifanlu A nice spot to start looking: https://t.co/YSDAHxVPSJ
— Mathieu Hervais (@Mathieulh) July 29, 2016
@yifanlu @cfwprophet 9C 75 CA FD E4 5D A9 9C 5F E6 13 DC DE EA 32 20 9C 75 CA FD E4 5D A9 9C 5F E6 13 DC DE EA 32 20 <= obfuscating much? 😛
— Mathieu Hervais (@Mathieulh) July 29, 2016
Hackers will not be the only ones trying to reverse engineer the #HENkaku exploit. Since this opens the PS Vita to unsigned code on its latest firmware 3.60, it is likely Sony engineers are already looking at ways to understand the bug and patch it, or, at least, at a quick way to upgrade their Webkit implementation with a patch for the vulnerability.
I feel really good feeling about this. Something great will come.
I have a really good feeling about this. Something great will come. Sooooooory 😀
Like vs0 access? 'Cause someone made that happen.
The exploit has something to do with the rows attribute. I figured out that they’re probably somehow causing a buffer overflow there.
Comment got cut off. It has something to do with the “textarea” tag and its rows attribute.*
“Sony engineers are already looking at ways to understand the bug and patch it.”
By removing Web Browser entirely from their next PS console, like they removed any form of internal media playing on PS4. -_-
They sure know how to party.
It is not funny, because Nintendo does not provide an internet browser for the 3DS out of the box… You must update in order to get it. There were many problems with that when trying to get the most current hacks.
How can they remove something that never was there to begin with? 😛 The PS4 never had internal media playing. The web browser won't be removed.
The PS4 kind of does. But it’s more hardware and for socializing.
Watch the Vita get cracked open and sales mysteriously pick up out of nowhere.
I don’t think so. People didn’t have smartphones that could serve all their portable multimedia needs during the heyday of the PSP. The landscape is different now.
That and the 3DS has way more going for it, hax and retail.
The PS Vita is mainly good for the PS4.
I knew it. They needed help and still dare to create a group with a stupid name, selling it as their own.
Are there any plans to make it possible to launch this from a local server just in case some of us have a computer, but no internet?
Oh please no, not @Mathieulh… please nooooooooooo.
It is possible to create plugins?
Can we expect PSP/PS1 image support?
Should offer a price to someone who figures out how to dump and play backups. Come on, you know you all want it.
Prize
Yes, a shot to the head would do nicely.
I've already achieved dumping. And I can install it if it’s DRM-free.
Can I have a prize?
Wait what? I’ve already seen the source code at github yesterday. Or I just spotted the wrong thing lol.
This is a joke. charmram, a Hong Kong hacker, already had this hack some time ago, so the reverse part should be out shortly.
Is this hack worth updating for?
I own two Vitas: the 1000 model running 3.36, and a 2000 running 3.51.
I'm debating updating my 1000; it's old and beaten up anyway.
Someone didn’t read the FAQ.
This is the chance for the PS Vita to be revived.
I’m not actually reversing. As I always say, I’m not good at or interested in reversing. I just downloaded the payload and looked for strings (e.g. http://go.henkaku.xyz/x). That’s it.
The binary is a bit small, but it seems obfuscated. Go ahead if you like reversing. Maybe it is pleasant for you (but not for me).
Here are some hints:
* Not confirmed, but it probably consists of three vulnerabilities: WebKit, code execution, and privilege escalation.
* The WebKit exploit was already known in 2014. (Google tells you.)
* Code is in Thumb. (You can probably figure that out as soon as you look at it with a hex editor!)
Anyway, I was bored with playing Tetris on PC and seeing the binary. I want a PS Vita!
You do know he’s trolling by posting a random hex dump right?
Nope, I did not realize :/
“an anonymous contributor”.
I think this should have been mentioned earlier, or at least given a bit more attention. As far as I knew before, all the credit went to ‘molecule’.
Not getting at anyone, but it's an important part of the story.
1. Spoof browser user agent to mimic the Vita’s agent
2. Access http://henkaku.xyz and install
3. Intercept browser requests and figure out the redirect to http://go.henkaku.xyz
4. Download the page source code and take a look at the exploit: http://pastebin.com/tmuHDreY
5. Follow the execution path and reach the bootstrap binary at http://go.henkaku.xyz/x (or https://www.sendspace.com/file/3asukv)
6. Pair the payload/relocs (http://pastebin.com/ZJNPFn3k) obfuscation with this binary
7. ???
8. PROFIT!!
Bonus:
– Find out the molecularShell binary at http://go.henkaku.xyz/pkg/eboot.bin (or https://www.sendspace.com/file/663jt9)
Notes:
– The browser exploit is a reimplementation of the sort() bug that was not properly fixed.
– The “x” binary is deobfuscated and loaded at the last stage of the exploit using the scrollLeft attribute.
Am I cool yet? 😛
Yup, pretty cool to me 🙂
Somebody got a working quake12 vpk with pak1?
TheDemon, does this make for a permanent molecule on 3.60?
What about a HENkaku update blocker? Or downdowndown boy, lol.
How do I put emulators on?
Cool. Might get into it; I finally got a new laptop. Going to try to get a new 3G Vita, a release bundle if I can find one.
Lol. Notice how the exploit works just by watching a YouTube video. Nice job guys. Thanks.
Hello! Please, someone tell me what to do.
Should I update my 3.18 Vita to 3.60?
HTML reversed: http://pastebin.com/bYA4xGaQ
Payload analysis: http://pastebin.com/gxc0cX1i