hexkyz achieves lv1 code execution on a firmware 1.50 Vita

Discussion in 'PS Vita - Hacking & Homebrew' started by WiiUBricker, Feb 12, 2017.

  1. WiiUBricker
    OP

    WiiUBricker Insert Custom Title

    Member
    7,102
    4,199
    Sep 19, 2009
    Argentina
    Espresso
    image.jpeg


    Team Molecule's Henkaku challenge was a great way to lure in and engage talented people in hacking the PS Vita's solid security. One of the hackers who took the challenge goes by the handle hexkyz, who successfully reverse engineered all three stages of Henkaku. However, that was not the end of the road. While Henkaku enabled access up to the lv2 layer of the Vita, there are two more security layers to exploit: the Secure World Kernel (lv1) and F00D (lv0). After the challenge was over, hexkyz went on a mission to hack the remaining layers. Getting around those layers proved to be exceptionally difficult on firmware 3.60 due to constant interference from lv1 sanity checks. So he figured his best bet to make any progress was to hunt down a Vita on a low firmware. Ideally it would have had to be a launch Vita with no firmware updates installed at all. Unsurprisingly, it turned out to be very hard to get hold of one, so he decided to go after something a bit higher.

    Since the F00D processor was updated only once on firmware 1.60, hexkyz decided to get a Vita with a firmware at least lower than 1.60 in case some critical lv0 bugs were patched there. Fortunately he managed to get a firmware 1.50 Vita. From there the real fun began.

    Basically, while he was able to achieve everything that Henkaku does on firmware 1.50, in the end he went even further than Henkaku and achieved arbitrary lv1 code execution on firmware 1.50. So what does this mean for the average dude? Since the vulnerability he found was patched around firmware 1.80, nothing. At least for now. Still, this is useful for hackers with a low firmware Vita who want to help hack the system even further.

    Currently, hexkyz is fuzzing the main interface of the F00D processor on firmware 1.50 while looking for new lv1 vulnerabilities for firmware 3.60. And who knows, maybe from all of that the system will someday be hacked further on 3.60 or even 3.63. Visit hexkyz's blog to read the full post with all the details.

    Source: hexkyz's blog via Yifan Lu's retweet
     
  2. DinohScene
    Interesting.
    Didn't take too long for lv1 code execution.
     
  3. Stephano
    This is so hype :toot: :yaypsp:
     
  4. Pandaxclone2
    It almost makes me weep for my 3.60 Vita. On one hand I did want what Henkaku offered, but on the other hand I had to give up the lower firmware for it. Then again, who knows what could happen down the Vita hacking road? Maybe one day we'll be able to make a downgrade app to get more out of our systems.

    At any rate, I won't be updating the system anymore, but it sucks thinking that Vita hacking/homebrew as it currently stands is so restricted.
     
  5. Bonestorm
    Why would you need a lower firmware.... 3.60 is the golden FW.
     
  6. Pandaxclone2
    Basically, the further you go back in a system's firmware history, the more exploits there could be/are. Case in point: this thread. Even the 3DS's best exploitable firmware is 9.2, but going further back than that gives you access to more, like the otp.bin needed for A9LH.
     
  7. Vitaminer
    So long as I can play Vita and PSP titles, 3.60 is good enough for me. It's not like the Vita is powerful enough to emulate GameCube or PS2; even if you can fully hack the Vita and unlock its full hardware potential, it's not gonna be good enough.
     
  8. WiiUBricker
    OP
    Probably worst comment of the year so far.
     
  9. Vitaminer
    Explanation? Maybe I am missing out on something?
     
  10. perkel
    Well, if he has access to it, then it also means he will be able to "test" it from the inside, thus helping him find exploits far more easily, which later on could be used on newer firmware.
     
  11. lincruste
    I can't answer for WiiUBricker, but here are a few reasons to dig further into the PS Vita's innards:
    - Knowledge. This can't be overlooked.
    - Improved ability to hack it (permanent hack, 3.63 vulnerabilities, 100% success rate, etc.)
    - Side effects (possible usage for another Sony device)
    - Access to low-level information (ultimately a way to sign, inject and run arbitrary code without an exploit)
    - Because if it bleeds, we can kill it.