PS VITA / PS TV Huge Vita News from #35C3- @yifanlu & @DaveeFTW presents their Talk "Viva la Vita Vida"

Discussion in 'PS Vita News' started by Roxanne, Dec 29, 2018.

By Roxanne on Dec 29, 2018 at 5:35 PM
  1. 152
    544
    172
    Roxanne

    Roxanne Moderator

    Joined:
    Mar 3, 2018
    Messages:
    152
    Likes Received:
    544
    Trophy Points:
    172
    Gender:
    Female
    Location:
    Germany
    Home Page:
    Following up with their announcement that they will introduce their Achievements in "Vita Hacking" at the #35C3-Congress, both Developers @yifanlu and @DaveeFTW from @TeamMolecule today presented their Talk: "Viva la Vita Vida". And in this Thread, you will learn what they got achieved with their Hacks but also what this means for the Community of "Vita Hacking" in future. And to "spoil" you a little bit, we recommend that you will read this Article while sitting on your chair in case you would come off because of your roar with laughter. :)

    For an overview about the #35C3-Congress in General, or where you can find all Livestreams from this Talk as well from other important ones, please click here.

    01 - Vita la Vita Vida.jpg


    Did you fall off from your chair? We hope you didn't get hurt. :)
    This is the full Talk you can watch via YouTube but to understand what they got achieved, we will include the most important Slides in a summary.


    • While previous Achievements in both the "User Processes" (this is the Part about past Projects like "HENkaku" and the "Web-Exploit" in General) and the "System Processes" (which allowed you to use your PSP Backups or Homebrew for example) - but also the "ARM TrustZone" were already successfully "infiltraded" by various Developers - Developer @DaveeFTW explains, how they got achieved to break into both the "F00D Kernel" and "F00D Loader". "F00D" is the "Security Co-Processor" inside the PlayStation Vita. While the "F00D Kernel" contains all the "Content Keys" to protect secure assets such as from Game Titles or System Firmwares, the "F00D Loader" contains the "Meta Keys" which protect the "Content Keys" allowing the System to revoke compromised "Content Keys". And by understanding both the "Hardware Architecture" together with the "Software Design and [it's] Implementation", he describes his method how to examine his "Attacking Surface" to break into the "Security Processor". And by tinkering with the "Private Memory" by checking each "byte by byte", they was able built a Model from the "F00D SRAM" to get a "Plain Text" from the Kernel, as they call it the "Octopus Exploit" (but they please you not to ask why it's called like that :) ). With this result, they was able to analyse the Kernel more deeper.​
      02 - F00D.jpg
      Simple Sketch about their attempt building a Model from the "F00D-SRAM" by checking each "byte-by-byte"

    • While @yifanlu takes the Stage talking about his various "Hardware Achievements", which is better explained at the Video from this Talk as mentioned above, "The Way was Clear" to get access to the "last piece of the puzzle", which was the "F00D-Loader". And with access to that, they was also able to find a Vulnerability to get the "SHA256-Hash from the Bootrom". Dumping the "Bootrom" wasn't so interesting - according to @yifanlu - due to the fact that there are no useful Keys included inside. And the "Attacking Surface" wasn't so huge compared to the "F00D Kernel". But this wasn't so tragic since with this effort, they achieved to get Full Control of the PlayStation Vita by dumping every code inside the whole Console. This sounds already very promising since you have to understand that similar to the PS3-era, when someone gets "Full Access" to a Gaming Device, then the next question would be sooner or later: "What you can actually do with such power?" Well, this Thread here can't promise you anything but the chances are high that we can see not only a newer full "Kernel Exploit" for newer System Firmwares above >3.60 or >3.65, but it should give other Developers a easier platform to create newer Homebrew Releases or even a full-fledged Custom Firmware. How you ask? Just take the PS4 as an example, where a "Full Access" is still not provided (by the Time of writing this Article) but even with less Achievements, the side-effect is still sadly Piracy and creating Homebrew is more difficult compared to play your Backups. The PlayStation Vita has a few more Homebrew Releases but the Limitations where still there for many tasks. This could change now but we aren't finished yet with this Article. Now we are getting to the fun part. :)

      03 - Overview.jpg
      Now where there are no boundaries anymore, the PlayStation Vita is now "open"

      04 - Bootrom SHA256-Hash.jpg
      No, this isn't a Game "to sink your Battleship" :) - They presented you the "SHA256-Hash from the Bootrom"

    • Remember the Talk from fail0verflow regarding the PS3 back at #27C3 eight years ago, where they showed the world how "unsecured" the PS3 was at the end with such an cryptographic "Epic Fail" by choosing a "supposed to be random number" the same everytime for signing their SELF-Executables? Sure you remember. And while @yifanlu sums up their Conclusions to both how good the Team from Sony secured this System after such a fiasco with the PS3 while it wasn't such a success for them regarding the Sales of the PlayStation Vita (he even mentioned many things Sony did right with the PSVita, which they didn't for the PS4), he explains that: "Not everyone is Perfect" - while a big "BUT..." is displayed in one of his slides. He admits that: "there is a slight issue in their choice of [the] bootloader encryption key", while he adds the important Tasks of such a key, namely to protect "every other key in[side] the system." So you could see this as a "Master Key." Further on he explains that after they dumped the "Bootrom", they tried to find such a "Master Key" and while the audience is already chuckling as he moves forward to his next Slide, he explains that Sony decided to fill up their "Master Key" with a single byte repeating all the time. Yes you read it right. And by hinting this byte with the Packshot from a Battery-Package including 16x AA-Batteries, he wants to inform you that this "Master Key" is as follows: AA AA AA AA AA AA AA AA - or 0xAA in "Hexadecimal". Yes, this isn't a typo and you are probably speechless like the Audience was (one Question after the Talk was indeed if "this was a Joke!?!?" :) ). @yifanlu also explains how they was surprised with such a Cryptographic Failure Sony did again since they thought this was just the Code from a Debug Non-Retail Device after they brute-forced this at first but then they realized that this was the "Real Deal" which means that both every PlayStation Vita and PlayStation TV (yes this works for the "PSTV" as well, as asked by one of the Audience's Question) which got sold shares this simple "Master Key". Is there something more to say? :)

      05 - AAAAAAAA.jpg
      And here it is - the "Meme of the Day" at #35C3 :P

    • Here you will find several Releases based on the Achievements showed at this Great Talk.

      Several "F00D Keys" released by @Mathieulh on "HENkaku Development Wiki"


      Developer @theflow0 teases a new "hack" for System Firmware 3.69 in 2019


      Developer @pomfpomfpomf3 (from @TeamMolecule) published their "MeP Emulator" together with a "Compiler", which was also mentioned inside the Presentation giving support for "remote debugging"


      Developer @DaveeFTW wrote a whole blog post about their Talk at #35C3 with additional details where he didn't have the time to talk about.

    We hope that you enjoyed our coverage from this second important Talk at 35C3. Feel free to discuss your opinions about today's Talk in the Comments Section down below. Unlike yesterday's Talk, we are pretty sure here that the PSVita will see very bright days in the near future.


    The whole Talk can be found here: media.ccc.de
    Twitter: @yifanlu / Twitter: @DaveeFTW / Twitter @TeamMolecule

    Slides: @GitHub
    Bootrom glitching scripts + various SCE decryption units: @GitHub
     
    Last edited: Jan 2, 2019

Comments

Discussion in 'PS Vita News' started by Roxanne, Dec 29, 2018.

    1. STLcardsWS
      STLcardsWS
      WoW great summary @Roxanne and Great presentation and research by them as well.
      Should be interesting the months ahead.
    2. bguerville
      bguerville
      Great Vita work, great presentation.
      Thanks again for covering this event Rox.
      And you are right, a good laugh as well btw... ;)
      STLcardsWS likes this.
    3. Roxanne
      Roxanne
      You're welcome, and indeed. This could give the Vita a "new Life". I also added a additional Tab where we can add several "Follow-up" Releases from other Developers working now with the Achievements from this Talk.
      STLcardsWS likes this.
    4. Fin9ersMcGee
      Fin9ersMcGee
      So this could lead to an enso style hack on 3.68? Awesome!!

Share This Page