State of the Vita 2016

Although it hasn’t been a good year for all of us, 2016 was a great year for the Vita. In August, molecule released the first user-friendly Vita hack, which builds on four years of research and a year of building an SDK platform from scratch. Since then, we saw dozens of homebrews, new hackers showing up in the scene, and the creation of a community that I am proud to be a part of. In November, I released taiHEN, a CFW framework that makes it easy to extend the system and to port future hacks. As such, it was a busy year for molecule. We are a team of five individuals and we served as pen testers, exploit writers, web developers, UI designers, web masters, IT, moderators, PR, recruiters, software architects, firmware developers, support, and lawyers for the Vita hacking community. These are roles we took out of necessity because Vita hacking is such a niche interest. However, these are not roles we can hold forever. Back in November, I said that I (and I am assuming the rest of molecule, but I do not speak for them) would retire from the scene after taiHENkaku was stable enough, and that time has finally come. Aside from a parting gift from Davee that should be released in a couple of days, we will be retiring from all non-research tasks. Since we entered the scene with no drama, no bullshit, and no corruption, we will leave in the same manner. First, all our work is either already open sourced or is in the process of being tidied up and released. Second, we have extensively documented all our findings on the Vita, with the exception of our TrustZone (lv1) hacks, which we left out at the request of other hackers who wish to try the challenge without aid. Lastly, we revamped the process for setting up development, and making homebrew is easier than ever. Fixing the toolchain required a lot of boring and tedious work, and I want to thank everyone who helped with the process. I am proud that our toolchain is the only unofficial toolchain that was designed rather than hacked together.

The community

We leave the rest to you, the hacking community. We hope HENkaku will be ported to other firmwares. We hope that taiHEN will be used to make spectacular extensions. We hope that someone will make a debugger for the SDK. We hope someone will find a way to dump the latest firmware and enable PSN spoofing. We opened a new forum for Vita developers and hackers alike to share ideas and creations. Realistically, because of how small the user base is, I know we will not have the level of activity that exists in the 3DS or iOS jailbreaking communities. Nevertheless, I am thankful for everybody who has participated in Vita hacking.

What is left

There are four distinct security levels on the Vita: userland, kernel (lv2), TrustZone (lv1), and F00D (lv0). We have hacked the first three levels, but owning F00D is particularly challenging. It uses a proprietary instruction set and an architecture that is severely underdocumented. It has a minimal attack surface, and we can’t see any code that runs on it because of multiple levels of encryption. Even if we get a crash through fuzzing, it is unclear how we could exploit any vulnerability. Hardware attacks are not useful here because we don’t have any control of the code running on it (typically, hardware attacks involve escalating the privilege of code that is already running). Attacking F00D will be my only focus in Vita hacking at this point, and I welcome anyone who wants to help me in this journey.

Hardware mods

If you are a skilled hardware hacker and can wire together an external eMMC flasher for the Vita or PS TV, please contact me. I am willing to pay for such a device, and it would help speed up fuzzing efforts. The pinouts can be found here. The problem is that there are no test points for the eMMC (unlike most other devices), so the only way to get access is by cutting the trace or by soldering to the tiny (~0.5mm) noise-reducing resistors next to the CPU. I believe that replacing these resistors with solder bridges would be safe. Then external wires can be soldered onto the bridge and connected to some port that we can drill into the case. However, the scale of all this is beyond my skills and equipment. If you know anyone who can help with this, please forward this request to them. It would be an immense service to molecule and the Vita hacking scene.

Final Words

In this day and age, when hacking has been politicized, fetishized, and commoditized, we should remember where hacking came from. Hacking is about freedom of knowledge, not an ego contest about who knows what. Hacking is about control over the devices we own by us, not control by other hackers. Hacking is about fun and exploration and challenges, not about showing off and making profits. As our skills become ever more relevant for the connected world and generate power and revenue for many organizations, it is easy to forget that. But luckily for us, we are Vita hackers. Nobody has ever profited off the Vita.

Comments

  1. andmanarfer

    Thanks for all the effort put into this and for breathing new life into the Vita scene, you guys are the reason I bought my vita, best of luck to you all.

  2. Kanon Schreiber

    We cannot thank you guys enough for your selfless effort making all these possible. Long live and kudos to you YifanLu & Team Molecule~

  3. I personally never worked on the Vita and I don’t own one at all. However, I usually read your articles just for fun and curiosity. All I can say is that I really appreciate your approach on what “hacking” should really be, your effort on keeping these kinds of values up, and the time you spend enjoying sharing information with people, especially the ones who don’t have the same knowledge you have. I really think that this is how hacking should be. I hope to see all the drama, piracy, profiting, elitism and protagonism vanish in the future, because they just ruin all the fun. Keep it up!

  4. Juniorpsvita

    PSP - Dark Alex. PS Vita - Yifan Lu / molecule. Now play MAME, FBA, etc. The impossible is now real. Thank you. Sorry for my English. Brazil.

  5. Yifan Lu

    @above

    I don’t see your email. This is by design for privacy reasons (it verifies you are real, but your email is not stored on my servers). You should instead email me from the About page.

  6. gbg

    I’d like to add my thanks. Yifan Lu and Team molecule, I thank you for your knowledge and sharing with the community. I wish you guys well.

  7. Krydar

    Your small speech about hacking reminded me of a speech an artist I adore and follow did on a TEDx last year. I’m sure you will enjoy it:

    https://www.youtube.com/watch?v=aOW7JZaqKGA

    Apart from that , good luck with lv0. And thanks for keeping such a good console alive, at least in the West.

  8. ZZ

    Thank you so much for what has been done for us. I don’t have much knowledge in CS or EE. But reading your articles is great fun.

  9. Ed

    Hi Yifan Lu,

    I have been following your work since you were doing some stuff on egpu.io, where you were able to do some good stuff in really little time, and then you disappeared (not blaming you, I guess you don’t want to deal with this kind of stuff). Then I followed your PS Vita work, which is impressive. I have seen you are kind of like a reverse engineering guru (as you do it full time), and that’s why I would like to ask you for some help.

    I did some stuff when I was at college almost 20 years ago, with win32dasm and SoftICE… but not for really fancy stuff, just really small cracking stuff, like changing a conditional JNE for a JMP or inhibiting some code with a NOP. But that’s all. And it has been a while. Today I am still a programmer, but nothing related to reverse engineering. I work more with graphics stuff and VFX.

    Coming to the point of needing your help. I will give you some context. I use a program called SideFX Houdini. Obviously I have it legally at work, but at home sometimes I want to do or prototype something, and a full license is required in order to do it. When a new version is released, the X-Force group makes a new cracked version, but sometimes it takes a lot of months to get it.

    Basically it is a licensing crack, and basically it has 2 parts:

    • The keygen for the different kinds of licenses you could have (there are many components in Houdini, and all of them require a different license, like rendering, or simulations… etc…).
    • The sesinetd, which is a low-level tool that works with the licensing manager, which validates the licenses generated previously.

    Some people, like me, are able to modify the keygen (pretty lame mode, changing in hex the version of the tool to the new one, not fancy stuff) in order to make it work for the following version (not major releases, but half, like from Houdini 17 to Houdini 17.5, but usually it doesn’t work in Houdini 18; sometimes on Windows it does, but not on macOS, which is the one I use). Obviously, with a modified version of the keygen, if there is a new license for a new tool, there is no chance to get it. And it is not a good solution.

    So I was trying to do something with an IDA Pro version (7.x something, but a little bit old), but I really need help as it is complicated. I was trying to use Ghidra as well, but as it has no debugger (and it would be great to interact with the licensing program) it is all super static, and can perform tests easily.

    My goal is being able to make a keygen and a modified sesinetd to make it work from scratch, and therefore be able to make it even for newer versions.

    If I ask that, it is because it seems to be not that hard to do, once you have got the tools. I was able to get the decompiled C++ for the licensing strings, which I guess is the validator (I am not sure, it is just a guess).

    The latest version of Houdini is Houdini 18, and there is no crack released whatsoever.

    So now, the question. Can you help me with the process of cracking that?

    Don’t get me wrong, I am not asking you for giving me the fish, but for teaching me how to fish.

    I know that everyone has his life and is super busy at work, so I understand if you are not able to make it.

    Thanks and greetings.

    Ed

    PS: I don’t know where to find your mail address… the captcha on your web doesn’t work…
