Yifan Lu Announces HENKaku - A New Native Vita Homebrew Enabler for 3.60.



Earlier today, Yifan Lu, a well-known member of the Vita hacking scene famous for the Rejuvenate hack for the Dev Assistants, announced that a new (native!) Vita homebrew enabler for the latest firmware version as of writing (3.60) will be arriving tomorrow at "9:00AM UTC".

The new hack, known as "HENKaku", will require the following:
  • A Vita/PSTV running 3.60
  • A memcard with at least 10MB of free space (internal memory is currently not supported!)
  • An FTP client
  • An internet connection**

** Offline support is now available! Launch the exploit straight from the email app without the need for internet access at all! See the unofficial release thread for more details. (An internet connection is still required for installation.)


Here is a short paragraph from Yifan Lu himself explaining what this new homebrew enabler does:

HENkaku simply lets you install homebrew as bubbles in LiveArea. It is a native hack that disables the filesystem sandbox. It installs molecularShell, a fork of VitaShell that lets you access the memory card over FTP and install homebrew packages (which we create as VPK files). With vita-toolchain, developers have access to the same system features licensed developers have access to as well as undocumented features that licensed developers cannot use (including overclocking the processors).


The hack has been released at http://henkaku.me. Furthermore, the hack is said to be exclusive to 3.60, and there are to be no backports for the time being.

Source: http://yifan.lu/2016/07/28/henkaku-vita-homebrew-for-everyone/

Last edited. Reason: Added info about offline installation.

4gionz (Well-Known Member) | Joined: Aug 16, 2014 | Messages: 793 | Trophies: 0 | Age: 33 | XP: 488 | Country: Canada

Yeah, for ARK to install on 3.60, the unknown person signed a copy of ARK, then using an app.db mod they just added the path over a system app. That made it so when they opened Welcome Park it was ARK. The problem they were saying was that ISOs load 1 of 20 times.
Well, the fact that it even loaded 1 of twenty times means that there's something to it. If you can get it to load even once then it's some stability issue, maybe offsets, I have no clue, but it is not a signature issue, which is what most people would expect without PSP kernel access... I'm skeptical but I truly believe that HENkaku gives us a lot more control than PS Vita "user land", or else why else would Yifan and co keep the source hidden for a whole year?

Edit: whoops, apparently he's a phony... too bad
 
Last edited by 4gionz,

VitaType (Well-Known Member) | Joined: Jul 16, 2016 | Messages: 1,043 | Trophies: 0 | XP: 1,458 | Country: Germany

Yeah, for ARK to install on 3.60, the unknown person signed a copy of ARK, then using an app.db mod they just added the path over a system app. That made it so when they opened Welcome Park it was ARK. The problem they were saying was that ISOs load 1 of 20 times.
*Imagines itself in the future, feeling like a donkey after having tried launching an ISO 40 times* (And I will try it anyway if there is something to try...)
 
Last edited by VitaType,

DrDaxxy (Member, Newcomer) | Joined: Jan 24, 2015 | Messages: 13 | Trophies: 0 | Age: 29 | XP: 104 | Country: Gambia, The

That would be a pretty trivial fix though, unless they're worried about piracy safety measures, which is kinda stupid. Might just be a new feature/fix that introduced a bug that didn't exist before... idk.
I'd rather not try to upgrade though if this fw version has a shot at kernel access.

Yifan said (don't remember where, might have been on IRC) that lower firmwares (up to a point) are vulnerable.

Getting it working once is one thing, but then they'd have to buy (and keep) more devices on lower firmwares if they want to test further updates to HENkaku, the SDK and MolecularShell or provide support. I can see why they'd rather not.

Well, the fact that it even loaded 1 of twenty times means that there's something to it. If you can get it to load even once then it's some stability issue, maybe offsets, I have no clue, but it is not a signature issue, which is what most people would expect without PSP kernel access... I'm skeptical but I truly believe that HENkaku gives us a lot more control than PS Vita "user land", or else why else would Yifan and co keep the source hidden for a whole year?

A year? I don't think they've ever given a timeframe except in sarcasm.
Anyway, obfuscating the code makes it harder for Sony to figure out what's going on (though they still have a huge leg up on the rest of us, of course...) so there's a reason for you.
 
Last edited by DrDaxxy,
Reactions: Like from yifan_lu

a9lh-1user (Guest, OP)

There is now a challenge for all REs to try to get the whole code and explain how it works: http://yifan.lu/2016/08/05/henkaku-koth-challenge/
If you read it completely and think twice about what he wrote there, there is an interesting ending note!
"My hope is that in a year, HENkaku would no longer be needed and molecule can quietly retire."
There is another point: "Some questions to be thinking about are: how do we manage to run unsigned code? do we get kernel access? if so, how? if not, what other ways are there?"
And very interesting is this point: "However, the risk is that if their code is indeed buggy, then once the floodgates open (someone finds a single exploit), there is no closing it (all the bugs will be found)."

I am not sure what that will mean... but I think Yifan Lu and the molecule team have found something that is much more than only a new entrance to run HB ;)

Last edited.

metroid maniac (An idiot with an opinion, Member) | Joined: May 16, 2009 | Messages: 2,089 | Trophies: 2 | XP: 2,684

And very interesting is this point: "However, the risk is that if their code is indeed buggy, then once the floodgates open (someone finds a single exploit), there is no closing it (all the bugs will be found)."

I am not sure what that will mean... but I think Yifan Lu and the molecule team have found something that is much more than only a new entrance to run HB ;)

I think the meaning here is very clear. Yifan Lu describes the chicken-and-egg problem in his post: it's difficult to find an exploit because we can't read the firmware, and it's difficult to read the firmware until we find an exploit.
There's a lot of proprietary and custom-made code in the Vita. It might be buggier than open source and freely available code, but that doesn't matter if we can't identify the bugs.
Once we get our foot in the door and dump+decrypt some of the key firmware files, it should be easy to continue to find exploits even on new firmwares.
 
a9lh-1user (Guest, OP)

Yep you are right!
But don't forget that Yifan Lu and the molecule team don't like the way it would be used (playing ISOs and opening the Vita completely)!
If you are doing RE you do it until you "cross the finish line"! And the team (Yifan Lu and the molecule team) will now do new projects!
They will update molecule but working on other projects.
For me it sounds like they have "Crossed the finish line" ;)
 

sj33 (Well-Known Member) | Joined: Oct 22, 2013 | Messages: 4,072 | Trophies: 2 | XP: 4,728 | Country: Japan

You're over-thinking it.

yifan_lu reverse engineers stuff. That's why his page is basically full of nothing but reverse engineering stuff. Presumably he loves the challenge, and has evidently designed HENkaku to be fun to reverse engineer for like-minded people who also love that stuff.

Of course everything can be unlocked. But it wouldn't be any fun without a challenge, would it?
 
Last edited by sj33,
Reactions: Like from yifan_lu

a9lh-1user (Guest, OP)

Maybe you are right, maybe not.
Let's see what the future holds for us on the PS Vita.
I am very thankful that I can "again" use my emulators with HENkaku, and it is enough for me!
But I think there are interesting times coming for the PS Vita scene ;)
 

Firion Hope (Well-Known Member) | Joined: Jan 17, 2015 | Messages: 121 | Trophies: 0 | Location: US | XP: 249 | Country: United States

I feel like this might actually be a way to get around legal stuff: challenge people to reverse engineer it themselves so they can find a true full-access exploit, and then it's in their hands if they decide to do something with it; the team gets to avoid taking responsibility legally and "morally". Also possible I'm reading too much into it.
 
Reactions: Like from Sonic Angel Knight

memomo (( ͡° ͜ʖ ͡°), Member) | Joined: Nov 30, 2013 | Messages: 1,079 | Trophies: 0 | Age: 31 | XP: 750

I knew that from the first second

Bypassing the web browser sandbox and installing unsigned apps/homebrew in the LiveArea is more than userland access
 

chocoboss (Well-Known Member) | Joined: Jun 25, 2016 | Messages: 570 | Trophies: 0 | Age: 35 | Location: FRANCE | XP: 1,784 | Country: France

Nice :) no surprise about the kernel access; we can write where a standard user can't, so it can be seen as a kind of privilege escalation, I guess.

But we will have to think about what we will do when we have access to the full source code. Use it for HB only to make it better, or go to evil piracy...
 

SirByte (Well-Known Member) | Joined: Dec 30, 2012 | Messages: 524 | Trophies: 1 | XP: 1,059 | Country: Canada

I don't think you need the source to HENkaku to write better homebrew; efforts would be better spent documenting the psp2 SDK, writing libraries and example code. For instance, it seems that there's still a problem with sound on many emulators.
 
Reactions: Like from Sonic Angel Knight

Sonic Angel Knight (Well-Known Member) | Joined: May 27, 2016 | Messages: 14,408 | Trophies: 1 | Location: New York | XP: 12,986 | Country: United States

I don't think you need the source to HENkaku to write better homebrew; efforts would be better spent documenting the psp2 SDK, writing libraries and example code. For instance, it seems that there's still a problem with sound on many emulators.
Why is there a sound issue on emulators? I only tried on one emulator but all of them have sound issues? O_O
 

Madridi (Card Collector, Member) | Joined: May 9, 2008 | Messages: 3,562 | Trophies: 2 | Age: 38 | Location: Doha | XP: 3,071 | Country: Qatar

@yifan_lu

I have been trying for hours to get the offline files to work properly, but I'm failing. The instructions on GitHub are a bit vague in the running section. I'll just list the steps I did here and maybe you can point out my mistake (if any?).

So for the server, I have XAMPP set up with a folder for Wii U exploit hosting, and a folder for 3DS for spidertools hosting.
In addition to having an Apache server, it also has PHP support, so it supposedly should be the only server I need.

So here is what I did:
1- Downloaded the source
2- Created a vita folder on my server
3- extracted and compiled the source using this command: "build.sh http://10.37.86.113:80/vita/ http://10.37.86.113:80/vita/pkg"
- Note: This IP is my internal IP, not my external IP
- Note2: Both are using port 80, which is what the apache server is using
4- I copy the entire "Host" folder to "vita" folder on my server
5- I run http://10.37.86.113:80/vita/exploit.html on my vita
6- I get the welcome screen, and when I press ok, I get the famous C2-12828-1 error

Now, I have tried clearing cookies, rebooting, rebuilding the database and all other conventional methods mentioned (with the exception of memory card formatting), but nothing changes.
Henkaku.xyz works fine, so my Vita is also presumably fine.

So, what am I missing? I'm not quite understanding the "running" section on GitHub (non-Go implementation). Am I supposed to do something for stage1 and stage2?
At one point, I thought I may have to run http://10.37.86.113:80/vita/stage2.php before exploit.html or something, but that returned the word "nope".

Once I get this up and running, I'll probably write a tutorial on how to get this working.

Thanks
 
