Hacking Vita Flashcard

  • Thread starter: SirByte
  • Views: 28,729
  • Replies: 38
This concept of exploiting a cartridge is being worked on presently by some wololo community members and some people further off in the shadows.
Myself and one other (katsu, who first developed the proof of concept) have the retail carts hooked up in such a fashion that we can dump NAND and potentially write some parts back to certain sections. I am still having issues with my dumping method though.
The issue is that without an attack vector in the auth for the cartridge or system we can't progress much further. There is some analysis being done on parts of the dump.

This doesn't mean it is coming, this just means we're poking around and the concept of a "flash cart" is not completely outlandish some time in the future. It's like anything current though, in the console security world: we require a security breach of some kind with the system. A vector to attack it from or some kind of leak perhaps. Then there is everything else we have to do analysis wise, to reverse engineer what we can find out, get keys, etc. Don't hold your breath. You will die by the time we get there at our current rate.

I just thought for the sake of knowledge, you guys might be interested in that piece of current info.
Check out that info elsewhere for a better and more complex breakdown. I may have done a bad job relaying it. Sorry!
 
This is being worked on presently by some wololo community members and some people further off in the shadows.
Myself and one other (katsu, who first developed the proof of concept) have the retail carts hooked up in such a fashion that we can dump the encrypted NAND contents on it, and also potentially write dumps back (well, we can now, but we brick the card obviously).
The issue is that without an attack vector in the auth/encryption for the cartridge we can't progress much further. We have gotten some analysis done on the non-encrypted game update and save sectors of the dumped images.

This doesn't mean it is coming, this just means we're poking around and the concept of a "flash cart" is not completely outlandish. It's like anything current though, in the console security world: we require attack vectors for peeking at some of the parts of the encryption keys if at all possible. Then there is everything else we have to do analysis wise, assuming we can even glimpse enough of the parts of the key to break it. Don't hold your breath. You will die by the time we get there at our current rate.

I just thought for the sake of knowledge, you guys might be interested in that piece of current info.

Interesting, you skim past many points that I would like clarifications:
1) "dump the encrypted NAND contents" Is it plain NAND? I assume you use katsu's pinout diagrams? He however said that you have to have the card inserted for the dump to work. Is that true? If so, is the reason because of some auth? Do you have pictures of your dump setup?
2) "also potentially write dumps back" So you say you can write to the NAND on the game's partition (not just saves/extra content)? Can you write a 2GB image and then read it back?
3) "non-encrypted game update" What do you mean by this? I was not aware such a thing exists. All game updates I've seen are encrypted Sony .pkg files.
4) "some of the parts of the encryption keys" Parts? What do you mean by part of the key? And I assume you mean decryption keys? Since encryption keys are always private.
 


Hey yifan_lu.
Sorry, yes, I failed at paraphrasing the issues that katsu has had so far. I have addressed them below with your numbers. My English is not very good at times.

1) Yes, I am following his instructions. I have hit a road block with getting corrupted dumps most of the time so far. I have left a message in his thread a few days ago asking if he had any specific pointers I may have messed up. It is just a plain old dump, yes. I will be taking some pics some time this week and posting it up I hope. I didn't want to post until I can get past this crappy dumping problem.
2) Sorry, I was talking about the ability to write to the other save/content area being a possibility. Not something we can do, but something we may be able to do. Cannot read it back (hence saying if we do it now, we break it).
3) I mean the extra content area, I will rephrase in my post.
4) Yes, I mean decryption key. I will change the word. I am referring to gaining the key from attacks on the encryption's implementation on the device.

To clarify, I was trying to relay the information and suggest that one day, we may have something similar should we get around the encryption/decryption issue. But it will not likely be soon.
I have changed my initial post to better outline the state of affairs.
Sorry for confusion?
 
Thank you for the clarification. Did you also use a memory stick pro duo to do the dump, or did you dump the NAND directly with some hardware like Teensy2++?
 

I am attempting it using a memory stick as well. I have been thinking about getting my hands on a dev board to play around with doing it though. But first off I wanted to be able to repeat the original method successfully without fail. It is a shame katsu seems to be quiet and has not replied.
EDIT: Has anyone else been playing with this that you know of?
 

I have unsuccessfully; but I used a Teensy2++. Nobody else I know has tried. I don't know if the problem was with my soldering or with the reading. Did you have to plug the card into the Vita for dumping to work?
 
Good to know I am not the only one having problems. I am also wondering if (though to the experienced eye it looks OK) I have a problem with my soldering or if I am getting some noise or another problem from using inappropriate diameter wires. I am trying with it plugged in to the Vita. Are you trying to dump it without it connected?
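One way to tell read noise from a consistent bad connection is to dump the same card several times and compare block by block. This is an added example, not code from this thread or from katsu's dumping method; the block size and the three sample dumps are constructed.

```python
"""Compare repeated NAND dumps block by block to separate noise from stuck lines."""
from collections import Counter

BLOCK = 16  # compare granularity; real NAND pages are larger (assumption)


def _reads_at(dumps, off, block):
    return [bytes(d[off:off + block]) for d in dumps]


def classify_dumps(dumps, block=BLOCK):
    """Return {offset: verdict} for every block that is not identical in all dumps.

    'unstable': dumps disagree with no majority, pointing at noise (wiring, timing)
    'majority': most dumps agree, the minority reads are the suspect ones
    'erased'  : every dump reads 0xFF, either truly erased or a stuck-high data line
    """
    size = min(len(d) for d in dumps)
    verdicts = {}
    for off in range(0, size, block):
        value, n = Counter(_reads_at(dumps, off, block)).most_common(1)[0]
        if n == len(dumps):
            if value == b"\xff" * len(value):
                verdicts[off] = "erased"
            continue
        verdicts[off] = "majority" if n > len(dumps) // 2 else "unstable"
    return verdicts


def consensus_image(dumps, block=BLOCK):
    """Rebuild an image from per-block majority votes; zero-fill and report holes."""
    size = min(len(d) for d in dumps)
    out, holes = bytearray(), []
    for off in range(0, size, block):
        value, n = Counter(_reads_at(dumps, off, block)).most_common(1)[0]
        if n > len(dumps) // 2:
            out += value
        else:
            out += b"\x00" * len(value)
            holes.append(off)
    return bytes(out), holes


# Constructed sample: three 64-byte dumps of the same "card".
_good = bytes(range(48)) + b"\xff" * 16          # last block is erased (all 0xFF)
_d1, _d2, _d3 = bytearray(_good), bytearray(_good), bytearray(_good)
_d2[16:32] = b"\x00" * 16                        # one dump misread block 1
_d1[32:48], _d2[32:48], _d3[32:48] = b"A" * 16, b"B" * 16, b"C" * 16  # block 2 noisy
SAMPLE_DUMPS = [bytes(_d1), bytes(_d2), bytes(_d3)]

if __name__ == "__main__":
    print(classify_dumps(SAMPLE_DUMPS))
    print(consensus_image(SAMPLE_DUMPS)[1])
```

Blocks that come back "unstable" across many dumps are a wiring or timing problem rather than card contents; a block that is "erased" in every dump on a region that should hold data suggests a stuck data line.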
 

I have not spent too much time on it as I don't have interest in cloning/piracy. I am spending more time focusing on software like getting kernel code running. Good luck though, and keep me updated.
 

Thank you. Yeah, I am of two minds about it. I'll post the info on the thread on wololo once I've got it working properly. I too have not spent much time yet on it. Hopefully I will have more luck soon. Hopefully you will have more luck with getting some kernel code running successfully.

I know it is off topic, but are you still interested in developing a toolchain for a small bounty, regardless of if the main one can get any traction? (Seeing as we are stuck with not having legal counsel to help us make sure we can do it safely)
 

I don't have the time to develop a toolchain. However, I know for a fact that the leaked toolchain does not produce working images.
 
Fair enough, I guess I took what you said in the bounty thread and ran with it too far.
I was worried about mentioning the leaked toolchain. Good to know we have got some confirmation on that. It saved the need to take a look for myself. How exactly did they not work?

I really should figure out how to get a little bit more involved in directly talking to the other guys and girls playing with all of these toys. I appreciate what you've been able to confirm for me. I am kind of running blind on my own and teaching myself as I go. Sorry if I am pestering you :).
 

The problem is twofold: 1) many of the NIDs in the beta SDK are not the same in the final firmware. NIDs are Sony's version of dynamic linking (traditional ELF uses symbols); and 2) the init and start code generated by the SDK is broken. Not sure if that's intentional and the beta devkits patch it at runtime, but it is not compatible with UVLoader and not compatible with Sony's 1.00+ loaders either.

Now IF someone goes ahead and produces an open toolchain that compiles 1-to-1 the same output as the leaked SDK, I can modify it with reversed knowledge of Vita retail firmware to generate working ELFs.
 
I suppose #vitadev would be a better place to continue talking about this with yourself, or anyone else.

Thanks for the info re: the old SDK leak.
 
At this point, I would only bother to buy a new system if it were able to be hacked. The rate of games "worth getting" on any of the new devices is simply not there to warrant 'staying legit' as it were, especially when you have handheld games going for as much as a retail console game.
 
With the way that Playstation Plus works, I see no reason why the Vita requires piracy. The only remaining problem for me is the ability to download & play foreign titles on my unit (because of the PSN account swapping issue re: time and fuss involved). There is also the ability to do game translations for those who cannot read certain languages.
If you aren't willing to pay for a game "not worth getting" - do you need or want it anyway, if it were free? It doesn't make the game more enjoyable. Or have I missed the point?
 
If a flashcard were to appear on Vita... what gaems are there to play? :3

If a flashcard were to appear on Vita... developers would sell only 5... the same number of people who own a Vita :3
 
If ShadowSoldier wasn't 12, he'd notice that there's a lot of PSVita games, he's just not allowed to buy them yet because he's too young and the clerk would give him a row in the store. ;O;
 