Following up with their announcement that they will introduce their Achievements in "Vita Hacking" at the #35C3-Congress, both Developers @yifanlu and @DaveeFTW from @TeamMolecule today presented their Talk: "Viva la Vita Vida". And in this Thread, you will learn what they got achieved with their Hacks but also what this means for the Community of "Vita Hacking" in future. And to "spoil" you a little bit, we recommend that you will read this Article while sitting on your chair in case you would come off because of your roar with laughter.
For an overview about the #35C3-Congress in General, or where you can find all Livestreams from this Talk as well from other important ones, please click here.
Did you fall off from your chair? We hope you didn't get hurt.
This is the full Talk you can watch via YouTube but to understand what they got achieved, we will include the most important Slides in a summary.
While previous Achievements in both the "User Processes" (this is the Part about past Projects like "HENkaku" and the "Web-Exploit" in General) and the "System Processes" (which allowed you to use your PSP Backups or Homebrew for example) - but also the "ARM TrustZone" were already successfully "infiltraded" by various Developers - Developer @DaveeFTW explains, how they got achieved to break into both the "F00D Kernel" and "F00D Loader". "F00D" is the "Security Co-Processor" inside the PlayStation Vita. While the "F00D Kernel" contains all the "Content Keys" to protect secure assets such as from Game Titles or System Firmwares, the "F00D Loader" contains the "Meta Keys" which protect the "Content Keys" allowing the System to revoke compromised "Content Keys". And by understanding both the "Hardware Architecture" together with the "Software Design and [it's] Implementation", he describes his method how to examine his "Attacking Surface" to break into the "Security Processor". And by tinkering with the "Private Memory" by checking each "byte by byte", they was able built a Model from the "F00D SRAM" to get a "Plain Text" from the Kernel, as they call it the "Octopus Exploit" (but they please you not to ask why it's called like that ). With this result, they was able to analyse the Kernel more deeper.
While @yifanlu takes the Stage talking about his various "Hardware Achievements", which is better explained at the Video from this Talk as mentioned above, "The Way was Clear" to get access to the "last piece of the puzzle", which was the "F00D-Loader". And with access to that, they was also able to find a Vulnerability to get the "SHA256-Hash from the Bootrom". Dumping the "Bootrom" wasn't so interesting - according to @yifanlu - due to the fact that there are no useful Keys included inside. And the "Attacking Surface" wasn't so huge compared to the "F00D Kernel". But this wasn't so tragic since with this effort, they achieved to get Full Control of the PlayStation Vita by dumping every code inside the whole Console. This sounds already very promising since you have to understand that similar to the PS3-era, when someone gets "Full Access" to a Gaming Device, then the next question would be sooner or later: "What you can actually do with such power?" Well, this Thread here can't promise you anything but the chances are high that we can see not only a newer full "Kernel Exploit" for newer System Firmwares above >3.60 or >3.65, but it should give other Developers a easier platform to create newer Homebrew Releases or even a full-fledged Custom Firmware. How you ask? Just take the PS4 as an example, where a "Full Access" is still not provided (by the Time of writing this Article) but even with less Achievements, the side-effect is still sadly Piracy and creating Homebrew is more difficult compared to play your Backups. The PlayStation Vita has a few more Homebrew Releases but the Limitations where still there for many tasks. This could change now but we aren't finished yet with this Article. Now we are getting to the fun part.
Remember the Talk from fail0verflow regarding the PS3 back at #27C3 eight years ago, where they showed the world how "unsecured" the PS3 was at the end with such an cryptographic "Epic Fail" by choosing a "supposed to be random number" the same everytime for signing their SELF-Executables? Sure you remember. And while @yifanlu sums up their Conclusions to both how good the Team from Sony secured this System after such a fiasco with the PS3 while it wasn't such a success for them regarding the Sales of the PlayStation Vita (he even mentioned many things Sony did right with the PSVita, which they didn't for the PS4), he explains that: "Not everyone is Perfect" - while a big "BUT..." is displayed in one of his slides. He admits that: "there is a slight issue in their choice of [the] bootloader encryption key", while he adds the important Tasks of such a key, namely to protect "every other key in[side] the system." So you could see this as a "Master Key." Further on he explains that after they dumped the "Bootrom", they tried to find such a "Master Key" and while the audience is already chuckling as he moves forward to his next Slide, he explains that Sony decided to fill up their "Master Key" with a single byte repeating all the time. Yes you read it right. And by hinting this byte with the Packshot from a Battery-Package including 16x AA-Batteries, he wants to inform you that this "Master Key" is as follows: AA AA AA AA AA AA AA AA - or 0xAA in "Hexadecimal". Yes, this isn't a typo and you are probably speechless like the Audience was (one Question after the Talk was indeed if "this was a Joke!?!?" ). @yifanlu also explains how they was surprised with such a Cryptographic Failure Sony did again since they thought this was just the Code from a Debug Non-Retail Device after they brute-forced this at first but then they realized that this was the "Real Deal" which means that both every PlayStation Vita and PlayStation TV (yes this works for the "PSTV" as well, as asked by one of the Audience's Question) which got sold shares this simple "Master Key". Is there something more to say?
Here you will find several Releases based on the Achievements showed at this Great Talk.
Several "F00D Keys" released by @Mathieulh on "HENkaku Development Wiki"
Developer @theflow0 teases a new "hack" for System Firmware 3.69 in 2019
Developer @pomfpomfpomf3 (from @TeamMolecule) published their "MeP Emulator" together with a "Compiler", which was also mentioned inside the Presentation giving support for "remote debugging"
Developer @DaveeFTW wrote a whole blog post about their Talk at #35C3 with additional details where he didn't have the time to talk about.
We hope that you enjoyed our coverage from this second important Talk at 35C3. Feel free to discuss your opinions about today's Talk in the Comments Section down below. Unlike yesterday's Talk, we are pretty sure here that the PSVita will see very bright days in the near future.
The whole Talk can be found here: media.ccc.de
Twitter: @yifanlu / Twitter: @DaveeFTW / Twitter @TeamMolecule
Bootrom glitching scripts + various SCE decryption units: @GitHub
PS VITA / PS TV Huge Vita News from #35C3- @yifanlu & @DaveeFTW presents their Talk "Viva la Vita Vida"
By Roxanne on Dec 29, 2018 at 5:35 PM
webMAN MOD 1.47.12: New Auto PS2 Config / Support for boot_init.txt (like a "autoexec.bat" script)It appears that developer @aldostools is back in full force currently as we have seen the dev add new support with 4.83/4.84 DEX Support for webMAN MOD. While also Incorporating a few new features into the popular plugin as well. This powerful little plugin contains tons of functionality (feature list below), With this new release of v1.47.12, we now see a couple of fun new features have that have been introduced to the plugin as well.
For nonBC consoles owners, that use the webMAN MOD plugin to load and mount PS2 ISO will be pleased to know that developer Aldostools has added improved support for PS2 Configs with new automation and detection of PS2 Config files, like what we see in @Zar's ManaGunZ backup manager. Also another fun feature with some potential for various uses has been been support for boot_inif.txt, This feature is an automation feature (like a "autoexec.bat" script) that includes support for various commands outlined (see tab below). Some uses Aldostools has outlined have included the ability to backup important files at system boot like Game Saves, Registry Backup, Logs, ect,,, Swap Files, Remap multiple files/folders at startup, System clenup and/or initialization on every boot. For additional details about these newly added features please revert to the corresponding tabs below.Continue reading
PASTA 4.84 DEX CFW v1.0 (by Joonie) - For Debugging Stations / Converted Retail Consoles
It's pretty much inspired by @Rancid-o 's PS3iTA except this does not come with "CFW Setup" homebrew neither "Package Manager". I know the demographic is very little for this type of CFW but I could image this this would be still useful for those who do not want COBRA neither REBUG.
The features are pretty basic.For PSN, you will either have to use CCAPI or webMAN to spoof IDPS if your unit is converted retailContinue reading
4.84.1 REBUG REX (w/ Cobra v8.01 + Rebug Toolbox v2.03.01) Released (+ DECR LE version)Team REBUG just recently released 4.84 REBUG LITE Edition just the other day. Now,since that time the team has aquired all the resources needed for the creation of 4.84.1 REBUG REX Custom firmware . Now that the testing phase has concluded, the team has now released 4.84 REX version of their famed Custom Firmware for the PS3. What makes REX different from LITE is that Lite is made of only CEX (retail) firmware and REX contains both retail firmware and then also contains debug (DEX) firmware elements as well. To create this powerful hybrid custom firmware. Which expands the feature list over any other CFW type with the included REBUG Toolbox (requires pkg installation),
The updated Cobra payload of v8.00/1 that made its recent debut in habib's 4.84 Starbuged CFW has also been bundled with this latest version of REBUG REX. One of the highlights of the version 8.0 progression of the Cobra payload has been a new feature allowing Kernel payload support via plugin developed by habib, The update to Cobra also brought a number of new improvements besides that lone feature, other feature consist of a much faster boot time on start up as in Cobra 8.00+ stage 1 has been removed. Then also in this version of REX you should note COBRA is ENABLED by default where as in previous versions of REX it has not been and required a toggled "ON" via the REBUG Toolbox, that is no more, in this version its enabled "out of the box" and ready to goContinue reading
Share This Page
- henkaku homebrew
- homebrew game
- playstation 2
- playstation 2 resources
- playstation portable
- playstation portable cfw
- playstation portable resources
- playstation tv
- ps vita
- ps2 emulator
- ps2 resources
- ps3 cfw
- ps3 homebrew
- ps3xploit 3.0
- psp cfw
- psp emulator
- psp resources
- pstv homebrew
- vita homebrew
- webman mod
- User Record:
- Latest Member:
ALL OpenBOR OPL ready ISOs -Neill Corlett