Hacking Vita Downgrade?

FaithWaith

thank you

--------------------- MERGED ---------------------------

I don't think downgrading is necessarily possible
though..
but the update for HENkaku will come to 3.61 and 3.63

SOMEDAY...
someday
 

satan89

Nobody is working on it (publicly) and I don't think anyone would waste an exploit this early even if they found one. Currently, new boxed vitas still ship with 3.60 and there are too few games requiring 3.61 and above so releasing an exploit that takes weeks of work finding and reversing is not justified as yet. Anybody on 3.61 should look for a used 3.60 or lower, they're dirt cheap most places, or even buy a boxed set if they're picky about buying used.

The only people who are missing out are those very new to the hacking scene, since people have been saying not to upgrade Vita firmware way before HENkaku; I think it started back with the PSP scene.
 
Reactions: Tony_93

Tom Bombadildo

Why isn't vita downgrade available? What's the issue of its not being done?
There are multiple reasons why. The main one is that a downgrade would mainly require extensive kernel access which, at that point, would already allow HENkaku-levels of access to the system. This would make a downgrade effectively useless, because we'd gain nothing from degrading as we already have the same or greater access on the newer firmware.

It's also suggested that the Vita's NAND encryption is device specific, meaning that unless you have a way to generate your Vita's specific encryption key (unlikely) or you have a previous NAND backup from your Vita, you wouldn't be able to just download a NAND backup from anywhere and install it no problem. It's also suggested that downgrading the NAND would require a hardmod as well, making it unavailable to people without extensive hardware modification experience. At that point, it'd simply be easier (and likely cheaper) to buy a replacement Vita motherboard that's easy to swap out than it would be to potentially ruin your system with a difficult hardmod.
 

DinohScene

I should add that soldering NAND access wires to a Vita isn't that easy, let alone soldering anything to a Vita.
The points are incredibly tiny and unless you've got some impressive soldering skills, the chances of fucking it up are tremendous.

Like Tom suggested, the cheapest and easiest way to downgrade a Vita is to swap motherboards.
 

t0m_o4

Hi, is it possible to downgrade a ps vita by switching out the motherboard for one with a lower firmware????
 

Gnarmagon

It's possible to downgrade from 3.60 to anything below that but I have no PSVitas to brick nor do I have the money or skills to install a NAND Mod with a microscope XD

https://wiki.henkaku.xyz/vita/index.php?title=Updater&mobileaction=toggle_view_mobile

#include <stdio.h>
#include <string.h>

/*
 * callKernelFunction() and the SceSblSsUpdateMgr_0x... constants are not
 * defined in this excerpt. Every call passes an 11-int (0x2c-byte) argument
 * block whose first word is the block's own size.
 */

/* Start a "type 1" decryption of buf; the handle comes back through phandle. */
int start_decryption1(int code1, unsigned char *buf, int buflen, int code2, int *phandle) {
    int argst[11];
    int res;

    memset(argst, 0, 0x2c);
    argst[0] = 0x2c;
    argst[1] = code1;
    argst[2] = (int)buf;
    argst[3] = buflen;
    argst[4] = code2;
    sceClibPrintf("Calling type 1 decryption with code1 = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", code1, (int)buf, buflen, code2);
    res = callKernelFunction(SceSblSsUpdateMgr_0x6E8DDAC4, code1, argst, phandle, 0);
    return res;
}

/* Same argument block as type 1, different kernel entry point. */
int start_decryption2(int code1, unsigned char *buf, int buflen, int code2, int *phandle) {
    int argst[11];
    int res;

    memset(argst, 0, 0x2c);
    argst[0] = 0x2c;
    argst[1] = code1;
    argst[2] = (int)buf;
    argst[3] = buflen;
    argst[4] = code2;
    sceClibPrintf("Calling type 2 decryption with code1 = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", code1, (int)buf, buflen, code2);
    res = callKernelFunction(SceSblSsUpdateMgr_0x1A39F6EE, code1, argst, phandle, 0);
    return res;
}

/* Same argument block as type 1, different kernel entry point. */
int start_decryption3(int code1, unsigned char *buf, int buflen, int code2, int *phandle) {
    int argst[11];
    int res;

    memset(argst, 0, 0x2c);
    argst[0] = 0x2c;
    argst[1] = code1;
    argst[2] = (int)buf;
    argst[3] = buflen;
    argst[4] = code2;
    sceClibPrintf("Calling type 3 decryption with code1 = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", code1, (int)buf, buflen, code2);
    res = callKernelFunction(SceSblSsUpdateMgr_0xC1792A1C, code1, argst, phandle, 0);
    return res;
}

/* Query a running decryption; the four status words are written through out1..out4. */
int check_decryption_status(int code, int handle, int *out1, int *out2, int *out3, int *out4) {
    int argst[11];
    int res;

    memset(argst, 0, 0x2c);
    argst[0] = 0x2c;
    argst[7] = (int)out1;
    argst[8] = (int)out2;
    argst[9] = (int)out3;
    argst[10] = (int)out4;
    sceClibPrintf("Calling status with code = 0x%x handle = 0x%x\n", code, handle);
    res = callKernelFunction(SceSblSsUpdateMgr_0xF403143E, code, handle, argst, 0);
    return res;
}

/*
 * The three helpers below follow the offset stored at buf+0x10. That value
 * comes from the file itself and is not bounds-checked here.
 */
int get_final_size(unsigned char *buf) {
    int *poffs;
    int *psize;

    poffs = (int *)(buf + 0x10);
    psize = (int *)(buf + (*poffs) + 0x20);
    return *psize;
}

/* Returns the type code, or -1 if the buffer does not start with 0x00454353 ("SCE\0" in little-endian byte order). */
int get_type(unsigned char *buf) {
    int *poffs;
    int *psize;

    if (*(int *)buf == 0x00454353)
    {
        poffs = (int *)(buf + 0x10);
        psize = (int *)(buf + (*poffs) + 4);
        return *psize;
    }
    else
    {
        return -1;
    }
}

/* Pointer to the data that do_decrypt_file() writes out. */
unsigned char *get_data_offset(unsigned char *buf) {
    int *poffs;

    poffs = (int *)(buf + 0x10);
    return (buf + (*poffs) + 0x80);
}

/* Finish the decryption identified by handle. */
int complete_decryption(int code, int handle, unsigned char *buf, int maxlen) {
    int argst[11];
    int res;

    memset(argst, 0, 0x2c);
    argst[0] = 0x2c;
    argst[1] = code;
    argst[5] = (int)buf;
    argst[6] = maxlen;
    sceClibPrintf("Calling complete decryption with code = 0x%x handle = 0x%x buf = 0x%x maxlen = 0x%x\n", code, handle, (int)buf, maxlen);
    res = callKernelFunction(SceSblSsUpdateMgr_0x4897AD56, code, handle, argst, 0);
    return res;
}

int
do_decrypt_file (const char *inpath, const char *outpath, const char *errpath, unsigned int size)
{
    int fd;
    int res;
    int read;
    int total;
    int remaining;
    int maxlen = 0x810000;
    int type;
    int code;
    int handle, p1, p2, p3, p4;   /* int, to match the helper prototypes */
    unsigned char *src = NULL, *out;
    const char *dst;

    res = callKernelFunction(SceSblSsUpdateMgr_0x4C06F41C, size, &src, 0, 0);
    sceClibPrintf("Allocation returned 0x%x addr 0x%x\n", res, (int)src);
    if (res) {
        sceClibPrintf("Cannot allocate memory. (size 0x%x) fail.\n", size);
        return 0;
    }
    //sceClibPrintf("Loading Firmware pkg file from host0:");
    fd = sceIoOpen(inpath, 1, 0);
    if (fd < 0) {
        sceClibPrintf("Cannot open %s. (0x%x)\n", inpath, fd);
        goto ERROR;
    }
    /* Read the whole file, appending each chunk after the previous one. */
    total = 0;
    while ((unsigned int)total < size
           && (read = sceIoRead(fd, src + total, size - total)) > 0)
        total += read;
    sceIoClose(fd);
    code = get_type(src);
    switch (code) {
    case -1:
        sceClibPrintf("Not an encrypted file.\n");
        goto ERROR;
    case 3:
    case 4:
    case 0x1B:
        type = 3;
        res = start_decryption3(code, src, size, 9, &handle);
        break;
    case 0:
    case 2:
    case 5:
    case 6:
    case 7:
    case 0xE:
    case 0x1A:
        sceClibPrintf("Warning, code %x is unsupported!\n", code);
        /* falls through: still attempted as type 2 */
    default:
        type = 2;
        res = start_decryption2(code, src, size, 9, &handle);
        break;
    }
    if (res) {
        sceClibPrintf("start_decryption failed. (0x%x)\n", res);
        goto ERROR;
    }
    /* Poll until the third status word reports 5. */
    for (;;) {
        res = check_decryption_status(type, handle, &p1, &p2, &p3, &p4);
        if (res) {
            sceClibPrintf("check_decryption_status failed. (0x%x)\n", res);
            goto ERROR;
        }
        if (p3 == 5) {
            break;
        } else {
            sceKernelDelayThread(0x7A120);   /* 500000 microseconds */
        }
    }
    sceClibPrintf("p1= 0x%x p2 = 0x%x p3 = 0x%x p4 = 0x%x\n", p1, p2, p3, p4);
    if (p2 == 0) {
        sceClibPrintf("Starting to write %s\n", outpath);
        dst = outpath;
    } else {
        sceClibPrintf("Error decrypting. Writing results to %s\n", errpath);
        dst = errpath;
    }
    fd = sceIoOpen(dst, 0x603, 0x186);
    if (fd < 0) {
        sceClibPrintf("Cannot open %s. (0x%x)\n", dst, fd);
        goto ERROR;
    }
    /* Advance through the buffer after each write and stop on a write error. */
    out = get_data_offset(src);
    remaining = get_final_size(src);
    while (remaining > 0 && (res = sceIoWrite(fd, out, remaining)) > 0) {
        out += res;
        remaining -= res;
    }
    sceIoClose(fd);
    if (p2 != 0)
        goto ERROR;

    res = complete_decryption(type, handle, src, maxlen);
    if (res) {
        sceClibPrintf("complete_decryption failed. (0x%x)\n", res);
        goto ERROR;
    }

    res = callKernelFunction(SceSblSsUpdateMgr_0xBD677F5A, src, 0, 0, 0);
    return 1;
ERROR:
    res = callKernelFunction(SceSblSsUpdateMgr_0xBD677F5A, src, 0, 0, 0);
    return 0;
}

void
do_decrypt_dir (const char *path)
{
    int fd;
    SceIoDirent dir;
    char input[256];
    char output[256];
    char errput[256];

    if ((fd = sceIoDopen(path)) < 0)
    {
        sceClibPrintf("Error opening pkg dir.\n");
        return;
    }

    while (sceIoDread(fd, &dir) > 0)
    {
        /* snprintf keeps long path + name combinations inside the 256-byte buffers */
        snprintf(input, sizeof(input), "%s/%s", path, dir.d_name);
        snprintf(output, sizeof(output), "%s/%s.dec", path, dir.d_name);
        snprintf(errput, sizeof(errput), "%s/%s.err", path, dir.d_name);
        sceClibPrintf("Decrypting %s (size 0x%x)\n", input, (unsigned int)dir.d_stat.st_size);
        if (do_decrypt_file(input, output, errput, (unsigned int)dir.d_stat.st_size))
            sceClibPrintf("Decrypted to %s\n", output);
        else
            sceClibPrintf("Failed to decrypt %s\n", dir.d_name);
    }

    sceIoDclose(fd);
}

--------------------- MERGED ---------------------------

Hi, is it possible to downgrade a ps vita by switching out the motherboard for one with a lower firmware????
yes, did it myself XD because I bricked the original one
 
Reactions: Deleted User
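
The posted get_type(), get_final_size() and get_data_offset() follow the 32-bit offset stored at 0x10 of the file without checking it against the buffer. As an added example (not code from the post or from the HENkaku wiki), here are the same field reads with bounds checks; the names sce_parse, sce_view and make_sample are hypothetical, the sample buffer is constructed, and only the offsets visible in the post (0x10, +0x04, +0x20, +0x80) are used, read as little-endian.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCE_MAGIC 0x00454353u /* value the post's get_type() compares against */

struct sce_view {            /* hypothetical name, not from the post */
    uint32_t type;           /* word at info + 0x04 */
    uint32_t final_size;     /* word at info + 0x20 */
    size_t   data_off;       /* info + 0x80 */
};

/* Little-endian 32-bit accessors (assumption: the post's int casts ran on a
 * little-endian CPU). Callers guarantee off + 4 <= buffer length. */
static uint32_t rd32(const unsigned char *b, size_t off) {
    return (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 |
           (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
}
static void wr32(unsigned char *b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) b[off + i] = (unsigned char)(v >> (8 * i));
}

/* Returns 0 and fills *out, or a negative code naming the failed check. */
int sce_parse(const unsigned char *buf, size_t len, struct sce_view *out) {
    if (buf == NULL || out == NULL) return -1;
    if (len < 0x14) return -2;                      /* magic + word at 0x10 */
    if (rd32(buf, 0) != SCE_MAGIC) return -3;
    size_t info = rd32(buf, 0x10);                  /* untrusted offset */
    if (len < 0x80 || info > len - 0x80) return -4; /* check cannot overflow */
    out->type = rd32(buf, info + 0x04);
    out->final_size = rd32(buf, info + 0x20);
    out->data_off = info + 0x80;
    if (out->final_size > len - out->data_off) return -5; /* payload overruns */
    return 0;
}

/* Constructed sample: magic, info offset, then type/size if they fit. */
void make_sample(unsigned char *buf, size_t len, uint32_t info,
                 uint32_t type, uint32_t final_size) {
    memset(buf, 0, len);
    wr32(buf, 0, SCE_MAGIC);
    wr32(buf, 0x10, info);
    if (len >= 0x24 && info <= len - 0x24) {
        wr32(buf, info + 0x04, type);
        wr32(buf, info + 0x20, final_size);
    }
}

int main(void) {
    unsigned char buf[0x100];
    struct sce_view v;
    make_sample(buf, sizeof buf, 0x20, 3, 0x40);
    printf("well-formed: %d\n", sce_parse(buf, sizeof buf, &v));
    make_sample(buf, sizeof buf, 0xFFFFFFF0u, 3, 0x40);
    printf("offset outside buffer: %d\n", sce_parse(buf, sizeof buf, &v));
    return 0;
}
```
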

SKGleba

yes, did it myself XD because I bricked the original one
As I told you on Discord, it is NOT possible to downgrade, at least not without a f00d hakk.
Flashing old NAND dump == brick.
Using the code you provided - fail at keys flashing & syscon ver flashing which results in a brick.
Ofc you may try to do whatever you want with this, but you have been warned what may (will) happen.
 
Reactions: Deleted User
Deleted User

>no 3.61+ being worked on
I'd beg to differ
how else would daddy gleba get 3.67 files?

--------------------- MERGED ---------------------------

Hi, is it possible to downgrade a ps vita by switching out the motherboard for one with a lower firmware????
that's because the motherboard is pretty much the whole system...
 

Gnarmagon

As I told you on Discord, it is NOT possible to downgrade, at least not without a f00d hakk.
Flashing old NAND dump == brick.
Using the code you provided - fail at keys flashing & syscon ver flashing which results in a brick.
Ofc you may try to do whatever you want with this, but you have been warned what may (will) happen.
well, the post was created before I wrote about this on Discord ......, would have been too easy if you could downgrade without f00d XD
 
