Hacking hexkyz achieves lv1 code execution on a firmware 1.50 Vita

WiiUBricker




Team Molecule's Henkaku challenge was a great way to lure in and engage talented people in hacking the PS Vita's solid security. One of the hackers who took the challenge goes by the handle hexkyz, who successfully reverse engineered all three stages of Henkaku. However, that was not the end of the road. While Henkaku enabled access up to the lv2 layer of the Vita, there are two more security layers to exploit, the Secure World Kernel (lv1) and F00D (lv0). After the challenge was over, hexkyz went on a mission to hack the remaining layers. Getting around those layers proved to be exceptionally difficult on firmware 3.60 due to constant interference from lv1 sanity checks. So he figured his best bet to make any progress was to hunt down a Vita on a low firmware. Ideally it would have had to be a launch Vita with no firmware updates installed at all. Unsurprisingly, it turned out to be very hard to get hold of one, so he decided to go after something a bit higher.

Since the F00D processor was updated only once on firmware 1.60, hexkyz decided to get a Vita with a firmware at least lower than 1.60 in case some critical lv0 bugs were patched there. Fortunately he managed to get a firmware 1.50 Vita. From there the real fun began.

Basically, while he was able to achieve everything that Henkaku does on firmware 1.50, in the end he went even further than Henkaku and achieved arbitrary lv1 code execution on firmware 1.50. So what does this mean for the average dude? Since the vulnerability he found was patched around firmware 1.80, nothing. At least for now. Still, this is useful for hackers with a low firmware Vita who want to help hack the system even further.

Currently, hexkyz is fuzzing the main interface of the F00D processor on firmware 1.50, while looking for new lv1 vulnerabilities for firmware 3.60. And who knows, maybe from all of that, someday the system will be hacked further on 3.60 or even 3.63. Visit hexkyz's blog to read the full post with all the details.

Source: hexkyz's blog via Yifan Lu's retweet
 

Pandaxclone2

It almost makes me weep for my 3.60 Vita. On one hand I did want what henkaku offered but on the other hand I had to give up the lower firmware for it. Then again who knows what could happen down the Vita hacking road? Maybe one day we'll be able to make a downgrade app to get more out of our systems.

At any rate I won't be updating the system anymore but it sucks thinking that Vita hacking/homebrew as it currently stands is so restricted.
 

Bonestorm

It almost makes me weep for my 3.60 Vita. On one hand I did want what henkaku offered but on the other hand I had to give up the lower firmware for it. Then again who knows what could happen down the Vita hacking road? Maybe one day we'll be able to make a downgrade app to get more out of our systems.

At any rate I won't be updating the system anymore but it sucks thinking that Vita hacking/homebrew as it currently stands is so restricted.
Why would you need a lower firmware? 3.60 is the golden FW.
 

Pandaxclone2

why would you need a lower firmware.... 3.60 is the golden FW

Basically the further you go back in a system's firmware history, the more exploits there could be/are. Case in point, this thread. Even the 3DS's best exploitable firmware is 9.2 but going further back than that gives you access to more, like the otp.bin needed for A9LH.
 

Vitaminer

So long as I can play Vita and PSP titles, 3.60 is good enough for me. It's not like the Vita is powerful enough to emulate GameCube or PS2; even if you can fully hack the Vita and unlock its full hardware potential, it's not gonna be good enough.
 

WiiUBricker

So long as I can play Vita and PSP titles, 3.60 is good enough for me. It's not like the Vita is powerful enough to emulate GameCube or PS2; even if you can fully hack the Vita and unlock its full hardware potential, it's not gonna be good enough.
Probably worst comment of the year so far.
 

perkel

Well, if he has access to it, then it also means he will be able to "test" it from the inside, thus helping him find exploits far more easily, which could later be used on newer firmware.
 

lincruste

Explanation? Maybe I am missing out on something?
I can't answer for WiiUBricker, but here are a few reasons to dig further into the PS Vita's internals:
- Knowledge. This can't be overlooked.
- Improved ability to hack it (permanent hack, 3.63 vulnerabilities, 100% success rate, etc.)
- Side effects (possible usage for another Sony device)
- Access to low-level information (ultimately a way to sign, inject and run arbitrary code without an exploit)
- Because if it bleeds, we can kill it.
 
