hexkyz achieves lv1 code execution on a firmware 1.50 Vita

By WiiUBricker, Feb 12, 2017 3,242 10 8

  1. WiiUBricker

    OP WiiUBricker News Police
    Banned
    Level 18

    Joined:
    Sep 19, 2009
    Messages:
    7,828
    Country:
    Argentina
    image.jpeg


    Team Molecule's Henkaku challenge was a great way to lure in engage talented people in hacking the PS Vita's solid security. One of the hackers that took the challenge goes by the handle hexkyz who successfully reverse engineered all three stages of Henkaku. However, that was not the end of the road. While Henkaku enabled access up to the lv2 layer of the Vita, there are two more security layers to exploit, the Secure World Kernel (lv1) and F00D (lv0). After the challenge was over, hexkyz went on a mission to hack the remaining layers. Getting around those layers proved to be exceptionally difficult on firmware 3.60 due to constant interferences of lv1 sanity checks. So he figured out his best bet to make any progress is to hunt down a Vita on a low firmware. Ideally it would had to be a launch Vita with no firmware updates installed at all. Unsurprisingly it turned out to be very hard to get ahold of one, so he decided to go after something a bit higher.

    Since the F00D processor was updated only once on firmware 1.60, hexkyz decided to get a Vita with a firmware at least lower than 1.60 in case some critical lv0 bugs were patched there. Fortunately he managed to get a firmware 1.50 Vita. From there the real fun began.

    Basically, while he was able to achieve everything what Henkaku does on firmware 1.50, in the end, he went even further than Henkaku and achieved arbitrary lv1 code execution on firmware 1.50. So what does this mean for the average dude? Since the vulnerability he found was patched around firmware 1.80, nothing. At least for now. Still this is useful for hackers with a low firmware Vita who want to help hack the system even further.

    Currently, hexkyz is fuzzing with the main interface of the F00D processor on firmware 1.50, while looking for new lv1 vulnerabilities for firmware 3.60. And who knows, maybe from all of that, someday the system will be hacked further on 3.60 or even 3.63. Visit hexkyz's blog to read the full post with all the details.

    :arrow: Source: hexkyz's blog via Yifan Lu's Retweet
     
    jastolze, Deleted-379826, VinsCool and 5 others like this.
  2. DinohScene

    DinohScene hail p1ngpong
    Moderator
    GBAtemp Patron
    Level 25

    Joined:
    Oct 11, 2011
    Messages:
    21,247
    Country:
    Antarctica
    Interesting.
    Didn't took to long for lv1 code execution.
     
  3. Stephano

    Stephano pessimism = Realism
    Member
    Level 9

    Joined:
    Feb 18, 2016
    Messages:
    1,570
    Country:
    United States
    This is so hype:toot::yaypsp:
     
  4. Pandaxclone2

    Pandaxclone2 Pokemon Sprite Artist Hobbyist
    Member
    Level 8

    Joined:
    Aug 17, 2015
    Messages:
    1,114
    Country:
    Australia
    It almost makes me weep for my 3.60 Vita. On one hand I did want what henkaku offered but on the other hand I had to give up the lower firmware for it. Then again who knows what could happen down the Vita hacking road? Maybe one day we'll be able to make a downgrade app to get more out of our systems.

    At any rate I won't be updating the system anymore but it sucks thinking that Vita hacking/homebrew as it currently stands is so restricted.
     
  5. Bonestorm

    Bonestorm Banned
    Banned
    Level 3

    Joined:
    Jan 15, 2017
    Messages:
    541
    Country:
    Canada
    why would you need a lower firmware.... 3.60 is the golden FW
     
  6. Pandaxclone2

    Pandaxclone2 Pokemon Sprite Artist Hobbyist
    Member
    Level 8

    Joined:
    Aug 17, 2015
    Messages:
    1,114
    Country:
    Australia
    Basically the further you go back in a system's firmware history, the more exploits there could be/are. Case in point, this thread. Even the 3DS's best exploitable firmware is 9.2 but going further back than that gives you access to more, like the otp.bin needed for A9LH.
     
    Assasin1990 likes this.
  7. Vitaminer

    Vitaminer Banned
    Banned
    Level 3

    Joined:
    Nov 22, 2016
    Messages:
    286
    Country:
    United States
    So long as I can play vita and psp titles, 3.60 is good enough for me, it's not like the vita is powerful enough to emulate gamecube or ps2, even if you can fully hack the vita and unlock its full hardware potential, it's not gonna be good enough
     
  8. WiiUBricker

    OP WiiUBricker News Police
    Banned
    Level 18

    Joined:
    Sep 19, 2009
    Messages:
    7,828
    Country:
    Argentina
    Probably worst comment of the year so far.
     
    Tony_93, Deleted User, Assasin1990 and 1 other person like this.
  9. Vitaminer

    Vitaminer Banned
    Banned
    Level 3

    Joined:
    Nov 22, 2016
    Messages:
    286
    Country:
    United States
    Explanation? Maybe I am missing out on something?
     
  10. perkel

    perkel GBAtemp Regular
    Member
    Level 3

    Joined:
    Dec 28, 2015
    Messages:
    246
    Country:
    Poland
    Well if he has access to it then it also means he will be able to "test" it from inside thus helping him find exploits far easier which later on could be used on newer firmware.
     
    Pandaxclone2 likes this.
  11. lincruste

    lincruste GBAtemp Fan
    Member
    Level 6

    Joined:
    Jan 13, 2008
    Messages:
    353
    Country:
    Antarctica
    I can't answer for WiiUBricker, but here are a few reasons to dig further into the PSVita inners:
    - Knowledge. This can't be overseen.
    - Improved ability to hack it (permanent hack, 3.63 vulnerabilities, 100% success rate, etc)
    - Side effects (possible usage for another Sony device)
    - Access to low level informations (ultimately a way to sign, inject and run arbitrary code without an exploit)
    - Because if it bleeds, we can kill it.
     
    Pandaxclone2, DinckelMan and julio.apc16 like this.
Check for new posts
Draft saved Draft deleted
Loading...

Hide similar threads Similar threads with keywords - execution, achieves, firmware

  1. SirAllMighty

    Can't find the correct firmware. Any help is extremely appreciated

    SirAllMighty, Jun 21, 2021, in forum: R4 DS
    Replies:
    4
    Views:
    521
    Russian-Router
    Jul 26, 2021 at 2:53 PM
  2. KiiWii

    EverSD for Evercade Firmware 1.3.1 - Now with Retroarch Support!

    KiiWii, Feb 24, 2021, in forum: Other Handhelds
    Replies:
    123
    Views:
    16,383
    esmith13
    Jul 26, 2021 at 1:07 PM
  3. KyuubiBoy9

    Homebrew app Homebrew Nsp Forwarder For Firmware 12.0.0+

    KyuubiBoy9, May 4, 2021, in forum: Switch - Emulation, Homebrew & Software Projects
    Replies:
    10
    Views:
    4,439
    Minsh
    Jul 25, 2021 at 12:21 PM
  4. Leeful

    [RELEASE] PS-Phwoar! Exploit Host Menu For PS4 Firmware 5.05

    Leeful, Nov 30, 2019, in forum: PS4 - Hacking & Homebrew
    Replies:
    682
    Views:
    689,985
    WayneNg20
    Jul 25, 2021 at 10:08 AM
  5. Russian-Router

    Everyone looking for R4 Firmware/Kernels - Read this

    Russian-Router, Jul 24, 2021 at 11:34 PM, in forum: 3DS - Flashcards & Custom Firmwares
    Replies:
    0
    Views:
    218
    Russian-Router
    Jul 24, 2021 at 11:34 PM