I need your help to fund Vita hardware analysis

It’s been a little more than a year since I demonstrated the first Vita running unsigned code, and it’s been dead silent since then. There is a lot of work on the PSP emulator but it’s been pretty quiet on the Vita front. In fact, there haven’t even been any new userland exploits found (by me or others) for a year. I made a post a while ago saying that progress through hardware was one of the few options we haven’t looked at extensively, and the reason for that is that hardware hacking is an expensive endeavor. All this time I’ve been sitting and waiting for progress to be made by some unknown genius or some Chinese piracy company (sadly, for some scenes cough 3DS cough, this is the way devices get hacked since these companies have the money to do it); progress that would allow people like me to continue with the software work. Unfortunately, as of today, I have not heard of any ongoing work on Vita hardware hacking (PLEASE tell me if you are doing some so we can collaborate). In fact, one of the simplest things to do (hardware-wise), dumping the NAND, hasn’t been done (or publicly stated to be done) yet. Meanwhile, the PS4 got its NAND dumped within a couple of weeks. Since nobody else seems to be serious about getting this device unlocked and poked at by hobbyists, I feel like it’s time for me to learn how to stop fearing and love the hardware. And I need your help.

Disclaimer

Before we talk business, I want to be as open and honest as possible. I am not a hardware hacker. I have very minimal experience with hardware (I know how to solder and I know what resistors look like), so by no means am I the best person for this job. In fact, I wish there was someone else doing this. My only qualification is the small amount of knowledge I have from running userland Vita code and exploring the USB MTP protocol. It could turn out that I’m completely incompetent and don’t get anything useful. It could turn out that everything works out but my goals were set in the wrong direction. It could also take a very long time before any results are found (since this is a hobby after all). But I will always be as open as possible, documenting any small discoveries I make and posting details and guides about what I’m doing. I’ll post any large transaction that takes place within the scope of this project and admit any mistakes I’ll definitely make. I won’t be able to release data I obtain from the device for legal reasons (including any actual dumps made), but I will post instructions for reproducing everything I do. I have seen other “scene” fundraisers and the problems that arise in them (mostly lack of response from the developer(s)) and will try to avoid making such mistakes. If you still believe in me, read on.

Funding the Project

I never ask for donations before I complete a project because I don’t like taking money for just expectations. I believe that the user should only donate once they try something and love it. I turned down many requests to donate money in the past and always asked for unwanted/broken hardware donations instead; however, it seems that there are more people willing to donate money than to donate devices. In a perfect world, I would fund this project with my own money, but in a perfect world, I would be rich. Since this is the first time I’m looking seriously at hardware, I’m going to need to buy tools and devices to do research that would (hopefully) benefit the community. I hesitantly and sincerely ask for your help. There are two main goals: the first one will let me get a hardware setup working so I have the tools to work with, and the second will let me get hardware to test using those tools. If I end up going over the estimated amount, I will pay out of my own pocket. Any remaining money after the project is fully funded will be donated to the EFF. All your money will benefit the homebrew community. Also, all of the prices are estimated (with fees calculated in) from simple searches, so if you can find a better deal or if you can get me the item directly, please contact me!

Goals

To be honest, there is no clear roadmap at this point. The first thing is to dump the NAND, try to map out signals from the CPU/SoC, and look at the data IO from the memory card, game card, and connectors. From there, I hope to get a better idea of how the hardware works and find where to go from there. I promise that I will not ask for more money once this is funded and any additional venture will come out of my own pockets.

Thanks to everyone who donated! The goal was met in less than a week. I’m currently in the process of buying the supplies and will post an update as soon as I can. If you have broken Vita hardware, please consider donating it, as more hardware to work with is better and there are other people I’m working with who can also benefit from having a logic board to work with.

Goal 1: Setup and Finding Traces ($80)

Before we can dump the NAND, we need to sacrifice a logic board to remove the NAND, trace the BGA points, and find test points to solder to. The board has to be sacrificed because, realistically, it’s very hard to reflow such a tiny chip. In addition, the SoC would also be removed to see if there are any interesting test points coming out of the CPU (potentially to see if there’s any JTAG or other debugging port coming out, which is unlikely). I would need:

Vita Logic Board - $20


It does not have to be fully working. On eBay, people are selling Vita logic boards with broken connectors for around this price (after shipping).

Heat Gun - $21


A heat gun is needed to remove the surface-mounted NAND and SoC. It’s also why reattaching them is almost impossible: the hot air will blow the surrounding components around.

Soldering Tools - $20


I do have basic soldering tools, but throughout the project, there will be tasks that require more precision, so I would need a magnifying soldering station (cheapest is $15 on Amazon), soldering flux (about $5 on Amazon), and some small tools.

Digital Multimeter - $10


A cheap one will do. I only need it for continuity testing and reading resistor values.

Saleae Logic Analyzer (clone) - $10


Although a real Saleae Logic is $150 (for 8 channels) or $300 (for 16 channels), there are some cheap clones on eBay going for about $10. This would allow me to find signals coming out of a running Vita and, for example, verify that the test points found are indeed carrying data.

Goal 2: Dumping the NAND and Testing ($250)

After getting all the tools and finding the traces, the first thing to do is to dump the NAND from a working console. This should be easy once the trace is found since the NAND is eMMC (can be dumped using an SD card reader). Next, I want to explore the signals coming into and out of the Vita (USB, multi-connector, mystery port, memory card, game card). Then depending on what I find, I’ll go from there.
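Once a raw image exists, the first question is what is actually in it: which regions are erased flash, which hold plain structures, and which are encrypted or compressed and therefore not directly readable. The following is an added example (not code from the post or from its author) that surveys a raw dump by per-chunk Shannon entropy. The chunk size, the entropy thresholds and the sample image are all assumptions constructed for the example; a real eMMC image would simply be read from a file in place of `build_sample_image()`.

```python
import math
import random
from collections import Counter

# Analysis granularity in bytes. Assumed for the example; it does not
# correspond to any real eMMC page or block size.
CHUNK = 4096

# Chunks above this many bits per byte look encrypted or compressed.
# A threshold chosen for the example; plain text sits around 4-5 bits,
# uniformly random bytes approach 8.
HIGH_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_chunk(data: bytes) -> str:
    """Label one chunk by its content pattern."""
    if not data or all(b == 0xFF for b in data):
        return "erased"          # erased NAND reads back as all ones
    if all(b == 0x00 for b in data):
        return "zeroed"          # written, but blank
    if shannon_entropy(data) > HIGH_ENTROPY_BITS:
        return "high-entropy"    # likely encrypted or compressed
    return "structured"          # headers, tables, plain text, code


def regions(image: bytes, chunk: int = CHUNK) -> list:
    """Merge consecutive same-label chunks into (start, end, label) runs."""
    runs = []
    for off in range(0, len(image), chunk):
        end = min(off + chunk, len(image))
        label = classify_chunk(image[off:end])
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], end, label)
        else:
            runs.append((off, end, label))
    return runs


def survey_dump(image: bytes, chunk: int = CHUNK) -> dict:
    """Count how many chunks fall into each label."""
    counts = Counter()
    for off in range(0, len(image), chunk):
        counts[classify_chunk(image[off:off + chunk])] += 1
    return dict(counts)


def build_sample_image() -> bytes:
    """Constructed stand-in for a dump: 8 chunks with known content."""
    rng = random.Random(1)  # deterministic so the result is reproducible
    erased = b"\xff" * (2 * CHUNK)
    zeroed = b"\x00" * CHUNK
    # A small fake header followed by zero padding: low entropy, not blank.
    header = b"EXAMPLE_HDR\x00\x01\x00\x00\x10" + b"\x00" * (CHUNK - 16)
    text = (b"sample partition table entry " * 200)[:CHUNK]
    noise = bytes(rng.getrandbits(8) for _ in range(3 * CHUNK))
    return erased + zeroed + header + text + noise


if __name__ == "__main__":
    img = build_sample_image()
    for start, end, label in regions(img):
        print(f"{start:#010x}-{end:#010x}  {label}")
    print(survey_dump(img))
```

Running the script prints the merged regions with their offsets and a count per label; on a real image the high-entropy runs are the ones where the VitaTV comparison mentioned below (“assuming it’s not encrypted”) would fail, and the structured runs are where to start looking for partition tables and headers.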

PlayStation Vita Console - $100-150


This would be the working console that I will test with. First, I will dump the NAND with the test points found. Then I will try to analyze the game card and memory card traffic using the logic analyzer. Although the console should be working, to save money, I may get one with a broken screen, which goes for around $100 on eBay or a used unit for $150 on CowBoom. If you own a broken Vita, and want to donate it instead of money, please contact me.

PlayStation VitaTV Console - $120


First, a NAND dump of the VitaTV would be interesting to see if there are any differences (assuming it’s not encrypted). Also, I would like to see how the HDMI port is connected (4gamer suspects that HDMI out comes directly from the SoC) and see if I can get a regular Vita to output HDMI (most likely not possible without software and hardware modifications). I also want to do some software tests on the VitaTV, as the introduction of USB host may also introduce new bugs into the system (remember how the PS3 was hacked). It seems to be about $120 after shipping from Nippon-Yasan. If you want to donate a VitaTV directly instead of money, please contact me.

PlayStation Vita Cradle - $15


The Vita cradle is a good pin-out interface for the Vita multi-connector. By soldering to the cradle, I would minimize the risk of damaging the Vita directly. Exploring the multi-connector is a good way to start since there are 16 pins and only a few of them have been figured out.

(Optional) PlayStation Vita PCH-2000 - $220

This is purely optional and only if someone generous would like to donate the console to me directly. There’s not much I want to do here except dump the NAND and trace the microUSB signals.

Comments

  1. plagu

    One point, don’t get a regular heat gun, you’ll only ruin the NAND chip. Buy e.g. an Atten 858D+, it’s a proper tool to remove chips (and resolder them back).

  2. xyz

    Is there any other way to donate than via this wonderful form which doesn’t even accept my debit card number (paypal, maybe)?

  3. sf

    When you previously had a software exploit you never released it due to a, “homebrew leads to piracy”, excuse. Can we expect a similar outcome here if your discoveries lead to exploits? You should come clean and state your plans above before you start taking people’s money. They’ll expect more than teaser videos and jpegs now that they’re funding you.

  4. Abdou005

    Thank youuuu Yifan Lu. I will spread this on every forum I know so the message spreads and donations go fast. Finally someone taking PS Vita native seriously <3

  5. abdou005

    Yifanlu, I shared the article in some Arabic forums that I believe will donate, my friend :D. And for donation, I put the “paypal” link, I mean the one on the right side. Is it okay? You accept it? Because they don’t know how to use the others. Thank you

  6. I understand your concern and I agree. Although I said I won’t promise any releases, I will be posting hardware details and stuff. The main goal is demystifying the Vita internals and it is up to others to use that information as needed. Anything I post will be along the lines of “here’s how you dump the NAND” or “here’s where these pins on the CPU go to”. Think something like iFixit but more in depth.

  7. VC

    As the usermode exploit was patched, is there any chance of you releasing it at least to the well known developers in hopes of discovering a bit more about the kernel calls? Heck, if a Chinese piracy company got hold of it, as a foothold, they might actually take the time and money to get a bit more out of the console. Anyway, that isn’t to say that I think the PSVita should be outright hacked for piracy, but considering the required funds to do it right, that does seem like the most logical path. As the exploit in question has been long since patched, I can’t see it being a real problem to at least have those able to run it doing research on it. Either way, I support your efforts and plan to donate. Thanks for taking the initiative, it’s been far too long since we, as a scene, have really made any real progress on this device. Cheers, and hope something great comes of this!

  8. The problem is exactly that. I don’t WANT a piracy company to hack it. The end doesn’t justify the means. These piracy companies give a bad name to all homebrew lovers. Plus, the exploit is difficult to set up, so the last thing I want is a bunch of emails asking me how to get it working every day.

  9. VC

    Well, from a historical standpoint, it seems that no matter the initial intentions, all consoles that are ever hacked are predominantly subjugated to the purpose of running backups. Of course, that’s not the ideal, but having full system access might just be worth letting them win this time. Consider this, for example. Datel, with the Action Replay for the GameCube, enabled clever hackers to inject code to boot homebrew code from an SD card. This led to the discovery of the potential for the PSO hack, and helped to open up the GameCube quite a bit for everyone else. Of course, having a team like Tweezers crack it open for 100% homebrew intentions would be amazing, but judging from the current history of the Vita, it doesn’t seem all that viable, from a time and resource perspective. That’s just my opinion though. On the topic of setting up your exploit, I’m sure compiling a set of instructions good enough for one of the scene coordinators, like Wololo, to manage would be sufficient. Once it’s out there, the other members of the scene will most likely be happy to share information about getting it working, even if they don’t share all their personal progress and code along with it. Additionally, it’s not like you’re obligated to answer everyone’s questions about it. Once they have it, most of the competent scene will be able to figure it out without your assistance. Nevertheless, it’s your code, and your choice. No one can truly pressure you to release it, only present the facts on the possibilities that can be brought up as a result.

    Of course, don’t take my opinion as anything more than a neutral statement, just a quantification of my thoughts. I hold nothing against you for any of your current decisions, so please continue doing what you already are. You have my support regardless.

  10. VC

    However true, as anyone educated in history would know, in many cases, history has a great deal of potential to repeat itself. I don’t want it hacked for piracy reasons, just as you don’t, but due to the utter lack of interest from the most prominent names in the hardware hacking scenes, it really seems like the choice is to either have it hacked for nefarious purposes, or never see it truly hacked. I mean, sure, we could both go back to college or university and get hardware engineering degrees, but that’ll take just as long, if not longer, than it will for a company to crack it and therefore open it up for the rest of us to salvage. A true hack can allow for anything we want it to, just like a gun, it’s how we choose to take advantage of it that defines the scene. I guess at the end of the day, it’s more of the choice between “Do I want it hacked for everything?” or “Do I want it locked forever?”. Without an explosive burst of interest in the unit, I doubt the third option will ever be available, as sad as that thought makes me.

    Regardless, I have two Vitas running 1.81. Should you discover the pinout for the NAND, I’ll be happy to help you test it among other things. It should allow for the Wiki to be updated as well, which would be a nice change.

  11. abdou005

    Yifan Lu, is the first and second goal reached by donation? Because I see the meter “goal = 20% , collected = 40$” and the meter is 100%. Thank you to explain :D

  12. VC

    By the way, I have all but the logic analyzer, and all in much higher quality than you’re looking at. If you want to get in contact with me, I would be willing to help. I have a few AVRs as well, so they could be turned into logic analyzers. This blog records all the e-mail addresses associated with the names as well, so feel free to contact me.

  13. Jarald Graham

    The PS Vita 1000 has video output built into it (or at least a scaler (I could be wrong)), so I think you can just activate what’s already built into it. Otherwise, keep up the good work

  14. Afaik, there are exposed pads going from the SoC to the video connector. Similar pads are found on the Vita TV that go to the HDMI connector along with some other components. Those are the only similarities I found.

  15. Jarald Graham

    How about developing a program similar to RemoteJoy for the PS Vita. Do you think that would ever be possible? Say if you hack it and then figure out how to control the signal coming in and out of the PS Vita?

  16. Good question. $437.87 and I think 0.1BTC (need to verify). I spent $210.72 on supplies so far. By request, $70 will not be donated to the EFF. So I’ll have $37.87+0.1BTC to donate to the EFF (for sure) and $227.15 left to potentially buy a working Vita (for dumping) or, if that’s not needed, also donated to the EFF. Hope that’s detailed enough. Let me know if you would like to see receipts or anything.

  17. minime

    I read what VC had to say and your replies…and I’m quite disappointed. So what’s the point of all this anyway? Why are you doing this then, if you say you don’t want to see the Vita hacked or share the results with other hackers with better skills that can maybe help you/us all? You know it’s really starting to get pathetic. Every device out there gets hacked, everyone wants it hacked (PS4 or X1), yet the Vita community plays the good samaritan: we are saints, we don’t hack it, we don’t want piracy, we want some BS homebrews and TOTALLY worthless PSP eCFW exploits and VHBL crap, which can run on a PC at 1080p quality which craps on Vita eCFW any day (PPSSPP). Please correct me if I understood wrong.

  18. You have to understand that Sony is a no-bullshit company. They will sue you not because you did anything illegal but to intimidate others who want to do the same. None of us want to deal with that, so we can’t give them any ammo. I’ll do my best to provide the most information I can without even getting near the line of legal vs illegal. I cannot speak for others, but I DO want to see the device hacked. And I believe there is a way to do so while still making it hard to pirate. But we are not at the point to be thinking about those things yet.

  19. minime

    Thanks for the reply. OK, I get it now. Anyway your initiative is good regardless. If only more would follow you….it’s quite a shame most of them are now focused on PS4 or X1. While the Vita, even without piracy or CFW, is still pretty much going down compared to how the PSP performed in the same period (and the PSP was hacked). Whatever, it’s good to see people like you still having interest in the PS Vita. Good luck with your findings and sorry for my English.
