PSVita Hacking @ 35C3: Summary of talk, F00D (Bootloader) key revealed and Team Molecule releases various decryption tools – Now, the PSVita’s security is effectively blown wide open!
After releasing HENkaku, and later Enso, Team Molecule didn’t just call it a day and stopped there but they kept on working on the PSVita. Now, they have been able to pwn the fabled F00D crypto processor and they shared their findings in a talk at 35C3 yesterday!
What Was Team Molecule’s Talk About?
In their talk titled “Viva la Vita Vida” that took place less than 24 hours ago, PSVita hackers/developers Yifan Lu and Davee which are part of Team Molecule talked about the following:
- Their progress up to now on PSVita hacking
- They discussed the Vita’s security architecture and components of the Vita’s SoC.
- The first part of the talk, which was done by Davee, was about software techniques when it came to pwning F00D and he discussed the Octopus Exploit.
- In a very simplified way, the Octopus Exploit works by passing bytes into the F00D processor and having it tell you whether the byte is correct or not. Through this way, Team Molecule were able to dump the secure kernel of the PSVita which helped them in documenting and further hacking the device
- The second part of the talk, which was done by Yifan Lu, discussed hardware hacking techniques and mostly focused about voltage glitching. Voltage glitching is when you momentarily introduce a voltage change into electronics in order to change the result of logic gates thus creating a software bug through hardware
- Voltage glitching was used in order to bypass the bootloader size check (0xDE blocks) and this enabled Team Molecule to gain further insight about the bootloader/BootROM as they got its SHA-256 hash!
- Unfortunately, the BootROM didn’t contain any keys
- Later on, Yifan Lu went on to reveal that the bootloader (F00D) key was found and it was a repeating byte
- Apparently, the key was left there accidentally but it wasn’t noticed when retail builds of the bootloader were shipped
- This key is what protects every content key in the system
What Got Released By Team Molecule? What Can The Regular End-User Get Out Of This?
Shortly after the talk, Team Molecule released:
- Decryption utilities
- A BootROM RPC payload which contains an implementation of Simple Serial
- ChipWhisperer scripts for glitching the PSVita’s BootROM
- An IDA Pro module for analysing and decompiling Toshiba MeP code which the architecture used in the F00D processor
- Their slides and a video of their talk which can be found below
While all the above stuff is an excellent feat and great reading material, the question that’s on many people’s mind is what could regular end-users get with this. Unfortunately, this question hasn’t been directly tackled but this could lead to the ability of installing DEX firmware on retail units, possible FW downgrading (probably on already exploited firmwares) and possibly more.
That being said, hacked PSVita consoles can probably already do most things that regular end-users could ever dream of so there might not be too much that could come as a result of this for most users. On the other hand, there’s another interesting development relating to the Vita and that’s xerpi’s efforts to get Linux running on it which could, eventually, translate into some cool stuff for the end-user!
If you’re interested about Vita hacking or just security in general, I would personally recommend you watch the recording of the “Viva la Vita Vida” talk as it’s very interesting and quite fun.
Furthermore, it doesn’t require any knowledge of security so if you can easily understand English and have some basic knowledge in Computing, you’ll be able to understand most of it!
For further information about Vita hacking, I personally suggest you check out these Twitter accounts:
Team Molecule: https://twitter.com/TeamMolecule