PSVita Hacking @ 35C3: Summary of talk, F00D (Bootloader) key revealed and Team Molecule releases various decryption tools – Now, the PSVita’s security is effectively blown wide open!
After releasing HENkaku, and later Enso, Team Molecule didn’t just call it a day; they kept on working on the PSVita. Now they have been able to pwn the fabled F00D crypto processor, and they shared their findings in a talk at 35C3 yesterday!
What Was Team Molecule’s Talk About?
In their talk titled “Viva la Vita Vida”, which took place less than 24 hours ago, PSVita hackers/developers Yifan Lu and Davee, who are part of Team Molecule, talked about the following:
- Their progress up to now on PSVita hacking
- They discussed the Vita’s security architecture and components of the Vita’s SoC.
- The first part of the talk, which was done by Davee, was about software techniques when it came to pwning F00D and he discussed the Octopus Exploit.
The F00D decryption key, which can’t be disclosed for legal reasons, can be found in this totally unrelated picture! (Don’t worry, its meme potential has already been recognised by fellow community members)
- In a very simplified way, the Octopus Exploit works by passing bytes into the F00D processor and having it tell you whether each byte is correct or not. This way, Team Molecule were able to dump the secure kernel of the PSVita, which helped them in documenting and further hacking the device.
- The second part of the talk, which was done by Yifan Lu, discussed hardware hacking techniques and mostly focused on voltage glitching. Voltage glitching is when you momentarily introduce a voltage change into electronics in order to change the result of logic gates, thus creating a software bug through hardware.
- Voltage glitching was used in order to bypass the bootloader size check (0xDE blocks) and this enabled Team Molecule to gain further insight about the bootloader/BootROM as they got its SHA-256 hash!
- Unfortunately, the BootROM didn’t contain any keys
- Later on, Yifan Lu went on to reveal that the bootloader (F00D) key was found and it was a repeating byte
- Apparently, the key was left there accidentally but it wasn’t noticed when retail builds of the bootloader were shipped
- This key is what protects every content key in the system
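To make the “tells you whether the byte is correct” idea from the Octopus description concrete, here is an added toy model (not code from the talk or from Team Molecule’s tools): a check that accepts a correct prefix one byte at a time versus an all-or-nothing check. The secret, the oracle functions and the names are constructed for the demonstration and say nothing about the real F00D interface.

```python
import hmac

# Constructed sample secret for the demonstration; not a real key.
KEY_LEN = 8
SECRET = bytes.fromhex("deadbeef1337c0de")


def leaky_oracle(guess: bytes, secret: bytes = SECRET) -> bool:
    """Per-byte check: any guess that matches a prefix of the secret is
    reported as 'correct'. This is the oracle class described above."""
    return len(guess) <= len(secret) and guess == secret[: len(guess)]


def strict_oracle(guess: bytes, secret: bytes = SECRET) -> bool:
    """All-or-nothing check: a partial guess is never 'correct', and the
    comparison is constant-time so length/prefix information does not leak."""
    return hmac.compare_digest(guess, secret)


def recover_secret(oracle, length: int):
    """Byte-at-a-time recovery against an oracle.

    Against a prefix oracle this needs at most 256 * length queries instead
    of 256 ** length. Returns (secret, queries) on success or (None, queries)
    when the oracle refused every single-byte extension, i.e. does not leak.
    """
    known = b""
    queries = 0
    for _ in range(length):
        for b in range(256):
            queries += 1
            if oracle(known + bytes([b])):
                known += bytes([b])
                break
        else:
            return None, queries
    return known, queries


if __name__ == "__main__":
    found, q = recover_secret(leaky_oracle, KEY_LEN)
    print(f"prefix oracle: recovered {found.hex()} in {q} queries "
          f"(brute force would need up to {256 ** KEY_LEN})")
    found, q = recover_secret(strict_oracle, KEY_LEN)
    print(f"all-or-nothing oracle: recovered {found} after {q} queries")
```

The defensive point is the second oracle: the accept/reject decision must depend on the whole value, never on how much of it was right.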
What Got Released By Team Molecule? What Can The Regular End-User Get Out Of This?
Shortly after the talk, Team Molecule released:
- Decryption utilities
- A BootROM RPC payload which contains an implementation of Simple Serial
- ChipWhisperer scripts for glitching the PSVita’s BootROM
- An IDA Pro module for analysing and decompiling Toshiba MeP code, which is the architecture used in the F00D processor
- Their slides and a video of their talk, which can be found below
Now that the Vita’s security has been blown wide open, some interesting stuff may be released, but till then you can enjoy some F00D memes 🙂 Alternatively, you can read the talk’s slides!
While all the above stuff is an excellent feat and great reading material, the question on many people’s minds is what regular end-users could get out of this. Unfortunately, this question hasn’t been directly tackled, but it could lead to the ability to install DEX firmware on retail units, possible FW downgrading (probably on already exploited firmwares) and possibly more.
That being said, hacked PSVita consoles can probably already do most things that regular end-users could ever dream of so there might not be too much that could come as a result of this for most users. On the other hand, there’s another interesting development relating to the Vita and that’s xerpi’s efforts to get Linux running on it which could, eventually, translate into some cool stuff for the end-user!
Conclusion
If you’re interested in Vita hacking or just security in general, I would personally recommend you watch the recording of the “Viva la Vita Vida” talk as it’s very interesting and quite fun.
Furthermore, it doesn’t require any knowledge of security so if you can easily understand English and have some basic knowledge in Computing, you’ll be able to understand most of it!
For further information about Vita hacking, I personally suggest you check out these Twitter accounts:
Team Molecule: https://twitter.com/TeamMolecule
CelesteBlue: https://twitter.com/CelesteBlue123
The Twitter accounts of Yifan Lu, Davee and xyz are good accounts to follow if you like memez about tech
I love vita…and really great job…but I’m more excited about the ps4 news….the end of the year is near…we want the kernel exploit..!!
Does this mean we get a 3.68 permahack soon?
So what’s stopping 3.69 enso from happening now? If the security processor of the console has been hacked doesn’t it mean unsigned code at startup is a possibility regardless of firmware?
So in conclusion this was a breakthrough, and there are things to come from it?
You now have the root keys to decrypt every single file for the Vita OS, including its kernel. This allows you to more easily find exploits for the system, or in some cases you could install a complete custom firmware in place of it, instead of something like H-encore.
With these keys, you could theoretically replace the Vita OS completely with Android or Linux, instead of running them as kernel plugins. There’s more to it to make that possible, but now exploits can be created to run by the bootrom instead of the OS, much like with the 3DS and B9S.
You don’t have those keys, to be fair. They were not released with the decryption code.
but they extracted them.
then again, maybe they put the full list here?
https://wiki.henkaku.xyz/vita/Keys#F00D_keys
That’s not correct. You can’t just replace the official firmware files with custom ones, because it’s not just about decryption, but also signature checks. And we do not have Sony’s private keys to sign firmwares or games.
An exploit for the bootrom is also unlikely. As Yifan said himself, the bootrom is super-simple and the attack surface is very low. Therefore, you’re unlikely to find a vulnerability that would let you take control over it beyond the voltage glitching procedure he performed (which will probably never become user-friendly or convenient to use).
So, in those terms, we’re still limited to exploits in the upper layers of the Vita boot-up process.
Good lord. The Master Key is so… well, it’s about as smart as a password being 12345. Not complex enough to be impossible to guess, but dumb enough that you wouldn’t guess it when assuming they were smart with their security, which in this case is not. If you didn’t assume they’d go for something so stupid, you never would guess it either.
Hope it can help boot android on vita in the future 😀 Android 2.3 would be perfect to run GTA SA on vita 😀
The only thing I am currently interested in right now is getting a PSM Game (Everybody’s Arcade), and getting the Klondike Solitaire unlocked, which I already paid for years ago. It won’t work on my 3G Vita, even with it backed up/restored with QCMA. Worked perfectly on my other Vita. But won’t on the 3G Vita.
Can you dump those games on r/vitapiracy? And I’ll unlock them with PSMPatch skillz
I wonder if something like Pandora Battery is possible now for Vita.
Wouldn’t Sony sue them now that they show themselves in broad daylight (hackers Yifan Lu and Davee)? This is a question for their own security for now.
I believe they’re careful to not do things that are technically illegal.
PSM Developer apps are MINE
Now we need multi-bootloader with vita\android\linux\etc etc OS =)))