Homebrew News

UVLís current status and some speculation on the Vita by YifanLu.

Rate this Entry
Quote Originally Posted by wraggster View Post
via http://wololo.net/2012/12/25/uvls-cu...ta-by-yifanlu/

A few days back YifanLu posted an entry to his blog explaining where UVL is now, and also speculating on some of the software and system security. For those of you wondering about the current state of this project, or why hacking a console takes such a long period, then itís most certainly worth reading. Itís rather a long read, but most certainly worth it for those of you with the patience to do so.

The following was entirely written by Yifan Lu

PlayStation Vita: the progress and the plan

Sorry that itís been a while since Iíve said anything about the Vita. I was caught by surprise the last time of all the media attention from just a simple call for help. While I still donít want to say too much right now, I do want to answer some common questions Iíve been getting and also go over what needs to be done.

Did you hack the Vita? Thatís a very vague question. What I have done, is run native code on the Vita with the same permissions as the game being exploited. This means I can load homebrews written and optimized for the Vitaís CPU and take full advantage of the CPU speed and RAM (unlike the PSP emulator or PSM, both impose artificial limits on resources and system functions). What has NOT been done (yet) is unlocking the system completely for tasks like USB interfacing, custom themes/system mods/plugins, and (fortunately) pirating games.

Whatís UVLoader and how far along is it? The last Iíve spoken, I was beginning work on UVL and asked for any help I could get. Even though, I did not really get help, I did find people who were interested in what I was doing and we exchanged information. I also want to brag that I finished the main functionalities of UVL in a couple of weeks, and it has been ďdoneĒ for about three months now. (Quotes around ďdoneĒ because I decided to not worry about some features yet). That means, I can basically load most (most being the few that I manually built without an open sdk) compiled homebrews. You can run your standard hello worlds and spinning cubes and such, but in theory, it should load any homebrew built.

The second reason is that having a Vita exploit at this stage (when it is really hard to find exploits) is very rare if not a once in a lifetime thing. Me and others Iíve talked to agree that right now itís more important to use this exploit to gather more information about the system in order to find more exploits and such than it is to run homebrews right now. We have PSM for homebrew games and PSP emulator for homebrew emulators, so there really isnít a huge demand for native PSVita homebrews yet. As Iíll expand on below, weíve only scratched the surface of Vita hacking and thereís so much more to see.

Can I help? Depends who you are. If youíre an established reverse engineer, you know how to contact me. If you just want to ďbeta test,Ē read above. If you know any other way of helping me, donít ask, just do itô, since UVL is open source. Even though I donít accept monetary donations before I release anything, if you have access to broken Vitas, memory cards, games, etc, or any unused hardware reversing tools like logic analyzers; anything you wouldnít mind parting with, one of the things me and others involved donít have access to is funds for materials to test some of the moreÖ risky ideas and if you could help with that respect, just use the contact link at the top of the page to get in touch with me.

What needs to be done to ďhackĒ the Vita? Again, that term is very vague, but I know what you mean. This is the perfect time to describe (as far as I know) the Vitaís security structure and what needs to be done at each level.

Vita userland

This is where UVLoader works; we exploited some game to run code inside itís sandbox, meaning that if that game doesnít have camera functions, no UVLoader Vita homebrew can use the camera either. This also means, of course, we canít load pirated Vita games and so on. A fun fact here is that, in theory, if someone finds an exploit in Kermit, the system inside the PSP emulator that talks to the Vita through a virtual serial port, they can run UVLoader in the process hosting the emulator (one level higher than a PSP kernel exploit), meaning they may be able to modify the emulator to have more RAM or faster CPU or etc. Another advantage of running UVLoader here is that because the PSP emulator has access to more Vita hardware than most games (bluetooth, camera, etc), homebrews could have more access too.

However, itís easier said than done. Itís hard to appreciate how hard it is to get a Vita userland exploit. Letís work backwards: we want to somehow run native ARM code, how? Well, the classic route is some stack smash. But wait, modern ARM processors have XN (eXecute Never), which is a feature that only allow code in memory to run at specific locations (these locations are determined by the kernel and are read only). Ok, we have some other choices here: heap overflows, ROP (google if you donít know), and so on (assuming you even know you got a working exploit, which in itself is hard to know without additional information; most ďcrashesĒ are useless), but all of these choices require that you know enough about the system to create a payload fitted for the system. That means, you need either a memory sniffer or somehow dump the memory. Well, letís rule out hardware memory sniffing since the Vita has the RAM on the same system-on-a-chip as the CPU. How do we dump the memory then? Usually, you need to run some code to dump the memory or do some kind of oracle attack on crashes or error messages or something. Option one only works if we hacked the system before, and the second one, AFAIK, wonít work because the Vita doesnít give any information when it crashes. So how did I get the first userland exploit? Iíll leave that as an exercise to the readerÖ

Vita kernel (lv2?)

Vita userland is the most we have access right now and PSP kernel mode is the most that is public. What comes after? Remember all information at this point could be wrong and is based off of the little evidence I have currently. We are in the Vita sandbox right now, which means we can run homebrew, but we canít use functions that the game doesnít use (camera, bluetooth, USB, etc). We also canít modify the system (run Linux, change the theme, add plugins, etc). For those to work, we need to go one level up: the Vita kernel, which might be called lv2. Even with complete userland access, we canít even poke at the kernel. The kernel acts like a black box, providing functions to the system through syscalls. You pass input into these syscalls and it returns some output, without revealing how the output is created. The kernelís memory is separate from userland obviously, and even guessing what syscalls do (thereís no names in the memory, only numbers) is a challenge. In order to hack the kernel, we have a problem that is very much like the one Iíve stated above about getting Vita userland, except with even more limitations. Again, thereís the circular problem of needing a kernel RAM dump to inspect for exploits and requiring a kernel exploit to dump the RAM. Now, thereís even less ďplacesĒ to inspect (visually and programmatically). In order of likelihood, one of the following needs to happen before thereís even a CHANCE of a kernel exploit: 1) Sony does something stupid like the PS3 keys leak, 2) we get REALLY lucky and basically stumble upon an exploit by just testing one of the several hundreds of syscalls with one of an infinite amount of different inputs, 3) some information leaks out from Sony HQ.

Itís still unknown how much control we would have if kernel mode is compromised, but me and some others think that we MAY at least be able to do something like a homebrew enabler (HEN) that patches signature checks temporarily until reboot, allowing for homebrews with no sandbox limitations (access to camera, BT, etc) and POSSIBILITY system plugins and themes. It is very unlikely at any keys will be found at this point or being able to create or run a CFW.

Bootloader? (lv0?)

Again, only conjecture at this point, but this is the holy grail, the final boss. Once this is compromised, the Vita would be ďhackedĒ in every sense of the word. We may never get here (and by never, I mean maybe 5-10 years, but I would most likely not be working on the Vita at this point). Hereís is where I think the keys are stored. With this compromised, CFW of any past, present, or future firmwares could be created, and anything would be possible.


I guess to summarize, the reason thereís no release in the foreseeable future isnít just because I donít have time to make an sdk so there wonít be homebrews to use even if UVL is released. Even if the SDK does get done, at this point, it would be more attractive to use the control we currently have, double down, and try to get more control. If the exploit is revealed prematurely, getting the game pulled, and the firmware patched, sure we may get a fast N64 emulator in a couple of months when somebody has the chance to write it (and at that point, most people might be enticed to upgrade anyways for new firmware features and PSN access), but we will have to start at square one (read above about finding userland exploits) before having another chance at exploring the full potential of the system. Deep down, I am a researcher, and would have more interest in reversing the system than I would at making a release for users just so I could be the ďfirstĒ. Like all gambles, I may end up with nothing, but thatís a risk Iím willing to take.

Submit "UVLís current status and some speculation on the Vita by YifanLu." to Digg Submit "UVLís current status and some speculation on the Vita by YifanLu." to del.icio.us Submit "UVLís current status and some speculation on the Vita by YifanLu." to StumbleUpon Submit "UVLís current status and some speculation on the Vita by YifanLu." to Google

Tags: None Add / Edit Tags



Total Trackbacks 0
Trackback URL:
Join Date
Apr 2003
Nottingham, England
Blog Entries