Why hacking the Vita is hard (or: a history of first hacks)

It’s been about a year since I revealed the first userland Vita exploit and I still occasionally get messages asking “what happened” (not much) or “when can I play my downloaded games” (hopefully never) or “I want homebrew” (me too). While I don’t have anything new exploit-wise (same problems as before: no open SDK, lack of interest in the development community, lack of time on my part), I do want to take the time to go over why it’s taking so long.

Where are the hackers?

A common (and valid) complaint I hear is that there is a lack of hackers (a word I hate) working on the Vita. The fail0verflow team has a great post about console hacking that applies just as well to the Vita. In short, there isn’t as much value in hacking a console now as there was before. Not too long ago, the PSP and DS were the only portable devices people owned that played games and, for many people, the only portable devices they owned, period. I had a DS Lite that I carried everywhere long before I had a smartphone. But then I got a smartphone (and so did everyone else). iPhones and Androids (and don’t forget Windows Phone) are the perfect platform for what we used to call homebrew. Indie developers who want to write a portable game no longer have to use a hacked PSP and an open SDK. Writing apps is much easier and much more profitable. Meanwhile, users can play all the emulators they want on their Android phone or their jailbroken iPhone. With those two audiences gone, the demand for hacked consoles shrank dramatically. Plus, with smartphones gaining a larger audience while the Vita barely sells (which, by the way, is a tragedy since it’s a pretty awesome console), a hacker can get a lot more attention (and, for those who seek “donations”, a lot more money) by spending time rooting the phones that come out every month.

But [insert device here] was hacked very quickly, we just need more people working, right?

To some extent, that is true, but even with a large group of talented reverse engineers, I would not bet on the Vita being hacked any time soon. To be clear, when I say “hacked,” I mean completely owning the device to the point that the decryption keys are found and unsigned code can be run in kernel mode (or beyond). The problem is that even talented reverse engineers (who can read assembly and find exploits) are out of luck when they don’t have the code to work with. I mentioned this circular problem before, but to restate it: you need access to the code before you can exploit it, and to get access to the code, you need to exploit it. But if that’s the case, you ask, how would any device ever be hacked? That is why I believe the first (real) hack of any device is the most important one. Let’s look at some examples of “first hacks” and see why each approach doesn’t work on the Vita.

Insecure First Version

This is the most common situation. Let’s look at the PSP. The 1.00 firmware ran unsigned code out of the box. Someone found a way to access the filesystem and saw that the kernel modules were unencrypted. They analyzed the kernel modules, found an exploit, and owned the system. From there, all it takes is one unreleased kernel exploit for a given firmware version: update to the next version, exploit it, dump the new kernel, and look for more exploits. Rinse and repeat.

Same with the iPhone. The first version(s) allowed you to read from the filesystem through iBoot. It was a matter of dumping the filesystem, analyzing the (unencrypted) binaries, and creating exploits. Plus, the kernel shares a codebase with OS X, so analyzing it was not as difficult as looking at a completely new codebase.

The Vita, however, has a fairly secure original firmware: no filesystem access (not even to the memory card), proper encryption of everything that does come out of the device, and very few points of interaction in general (you have CMA, the Content Manager Assistant, and that’s pretty much it).

Similarities to other Devices

Most Android phones fall into this category. One Android root will most likely work across devices from multiple manufacturers. Plus, Android is open source, so finding a root is a matter of searching the code for an exploit. Once the device is rooted, someone has to find a way to dump the bootloader (which for many phones is just a matter of reading a device node under /dev/) and analyze the bootloader for a way to unlock it.

The Kindle Touch (which I was the first to jailbreak) ran essentially the same software as the Kindle 3 and had a debugging console port.

The Vita has similarities to the PSP, but most of the system is different. With multitasking support, the Vita memory model is completely different from the PSP’s and has a proper virtual memory abstraction. The Vita contains NetBSD code, but the kernel is completely proprietary. No PSP exploit will work on the Vita.

Hardware Methods

This is usually the “last resort” because it takes the most skill and money to perform. It usually involves physically dumping the RAM with hardware in order to analyze the code. The most recently hacked console, the 3DS, had this done. I believe the first Wii hack was developed with a hardware RAM dumper. Many consoles had some kind of hardware analysis done before the first hack was developed.

It would be very hard to do a hardware hack on the Vita. The system memory is on the same package as the CPU, so you cannot piggyback on the RAM bus. Plus, anyone doing a hardware hack would need expert electrical engineering skills and access to expensive tools.


The story always starts with getting access to the code, then finding an exploit, and then using that exploit to get more code in which to find more exploits in the future. Most of the jailbreaks, roots, and hacks you see are developed with information gathered from a previous hack. I believe Sony knows this and really made sure that their device does not suffer from any of the flaws I listed. Lots of people make fun of Sony for not handling security well, but after spending countless hours on the Vita, I can honestly say that the Vita is one of the most secure devices I’ve ever seen. So far, they seem to have done everything right: using all the security features found in modern computers and not trusting any code. But, as we have learned countless times, nothing is completely secure.

EDIT: I’m seeing a lot of comments speculating that the Vita Slim or Vita TV may help with hacking it. In my opinion, this is grasping at straws. There is no evidence that a minor revision of the console will magically create software or hardware holes.

23 thoughts on “Why hacking the Vita is hard (or: a history of first hacks)”

  1. Don’t you think that having a $100 SKU with the Vita TV will potentially make it easier for hackers to support?

  2. @Sam The PS Vita TV is just a PS Vita in a box without a screen; the CPU and GPU are the same, so a hardware hack, like Yifan said, is too hard because of the SoC used for the Vita CPU/memory/bus.

  3. FYI, the first Wii hack wasn’t quite a hardware RAM dumper – it was a software RAM dumper running in the (insecure) Gamecube mode, plus a hardware glitch (shorting out address pins) to get access to RAM that you normally wouldn’t have access to from Gamecube mode. Same as the first PS3 hack: shorting out a RAM line to produce a random glitch that (preventing a write to the page table) puts the hypervisor memory protection model into an inconsistent state that could be abused to break out of the Other OS sandbox. Both of those require access to the RAM pins (and unhashed/insecure RAM) but do not require a full hardware sniffer/injector, which would be orders of magnitude harder to design/use.

    OTOH, the Wii U exploits didn’t require any hardware tricks, mostly due to similarities to the Wii and other devices.

  4. Well, the situation is quite clear. The Vita is one hard piece to crack. The time has come for the PS Vita Slim model to be announced, and (we can already call it this way) the Vita PHAT still hasn’t been natively hacked (except the VHBL PSP stuff). Maybe Sony did some hardware modification to the Slim model, aka stupid mistakes, and we might get lucky and crack it? I hope so! The Vita Slim, or shall we call it the low-budget version, will be released on 10 October in Japan. Release the hackers!!

  5. Yifan.lu I LOVE YOU HAVE MY BABY... all joking aside, I’m a dude so yeah, can’t bear children. Awesome write-up. I followed you back during your Touch days; I got it mostly because of you, because I wanted the Touch but I wanted to load my own pictures for the screensaver. When I saw you jailbroke it, I went ahead and got one, and being the non-douchebag that I am, got the no-ads 3G one, because I know there are a few that got the ad one and disabled that; that’s like playing downloaded games on the Vita in my mind, just tsk tsk.

  6. What about the linking and similarity with the PS3? I think that if devs (or hackers, if you want) work on this point, they would find a little hole or a way to hack this console.
    Like a savegame exploit. We can sign PSP and PS3 savegames... and PS Vita savegames?

  7. The time has come, this must be revealed...
    I hardware modded mine. It’s Really Good Hacks... Look no further, the hacks are near. Step to the beginning of Really Good Hack... Sony lied, so look from my 360° perspective... I was hired, I was fired. What was that, Sony, you’re gonna sue me? Well guess what, you’re fucked already, so what’s the point

  8. Interesting, but just as you said, nothing is “secure” and IMO it’s just a matter of time before the Vita gets hacked. The question is by whom and when.

  9. I don’t think it’s a matter of a smaller number of hackers. It’s just that the security of new systems like the Vita has been so good that hackers just are not able to hack them.

  10. The only hope for a (near future) Vita hack is some kind of SDK leak or something... or a big team with the appropriate tools to make a hardware hack... but for those kinds of “companies” there must be a way to make money out of this, like a dongle or something, so... again, I don’t see that coming soon... :(

  11. I’m thinking about several approaches to get to the kernel. For example, the PS4. I’m almost certain it will be hacked at some point because of its architectural similarities with a common PC. I’m wondering about the Skype/browser approach. I’ve always wondered what happens when you call from a PSP (inside the Vita) to another Vita. Skype is a well-known program on PC, X360, PSP and Vita. There must be some similarities between them.
    About the browser: it’s JavaScript capable. What if somebody created a virus/sniffer to see inside the Vita through the browser?
    The last one that bothers my mind is a hardware hack to temporarily short-circuit the Vita to cause an error in reading/writing and hijack a key vault. Possibly it could be done during the backup process via USB.

    Your thoughts?

  12. I don’t know anything about hacking or cracking, but I would like to see an answer to this. ^^

  13. The problem is that new devices will require more and more time to be hacked (say 5, 10 years, or even more...), which will be pointless because it would need a lot of patience from developers and there won’t be much interest in exploiting the console...
    Also, we can predict that new consoles will have almost perfect protection: sure, not 100%, but 99%.
