HENkaku: Difference between revisions

From Vita Developer wiki
Latest revision as of 19:55, 16 January 2018

Introduction

HENkaku is the first ever homebrew enabler for PS Vita and PSTV. It is akin to jailbreaking your iPhone or rooting your Android device.

Homebrew refers to games and other software that are not officially approved. For example, VitaDoom is a port of the classic game DOOM, and mGBA lets you play Game Boy Advance ROMs. You can find more examples in the showcase.

Best of all, HENkaku is 100% free. No cost. No ads. No “donations”.

How To Get

Visit https://henkaku.xyz from the built-in web browser on your PS Vita and press the “Install” button to install HENkaku. You must do this every time you reboot the console, that is, every time you turn the console off and on again.

Requirements

You need a PS Vita or PSTV running system firmware 3.60. Unfortunately, it is not possible to run HENkaku on any device running a higher firmware version, and it is also not possible to downgrade your system firmware.

You also need a memory card (any size) with at least 10MB of free space. Internal memory on newer devices is currently not supported. In order to transfer homebrew to your device, you also need an FTP client for your computer. We recommend FileZilla. Finally, you need an internet connection to install HENkaku.

tl;dr:

  • Vita on firmware 3.60
  • Internet connection
  • FTP client on your PC
  • Memory card

Molecule

The Molecule team was the first to hack the Vita and is responsible for the majority of the reversing work done on the Vita.

History

HENkaku

On 29/07/2016 HENkaku was released: http://henkaku.xyz/

HENkaku enables homebrew by patching out signature checks (it works similarly to the mechanism described under SceKernelModulemgr#Module_decryption_and_signature_checks). HENkaku uses two kernel vulnerabilities, Vulnerabilities#Heap_use-after-free_in_sceNetSyscallIoctl and Vulnerabilities#sceIoDevctl_does_not_clear_stack_buffer, together with a usermode WebKit vulnerability. HENkaku only works on firmware 3.60; however, the kernel vulnerabilities are present in all firmware versions up to and including 3.60.
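To make the second kernel bug class named above (a stack buffer handed back to the caller without being cleared) concrete from the defender's side, here is an added C illustration; it is not HENkaku or Vita code, and the devctl-style handler, its buffer sizes and the simulated stack frame are hypothetical constructions for the demo. It shows the leaky pattern beside the hardened form and a check that counts how much residue reaches user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sizes, constructed for this example: a 32-byte local reply
   buffer of which the handler only ever fills 8 bytes. */
#define REPLY_SIZE 32
#define REPLY_USED 8

/* Simulated kernel stack frame (explicit so the demo is deterministic; on
   real hardware the residue is whatever the previous callee left behind). */
typedef struct { uint8_t reply[REPLY_SIZE]; } kframe_t;

/* The bytes the handler legitimately computes (constructed values). */
static void build_reply(uint8_t *reply) {
    for (size_t i = 0; i < REPLY_USED; i++)
        reply[i] = (uint8_t)(0x10 + i);
}

/* Leaky pattern: the buffer is never cleared and all of it is copied back,
   so every byte past REPLY_USED is old kernel stack content. */
size_t devctl_leaky(kframe_t *frame, uint8_t *user_out) {
    build_reply(frame->reply);
    memcpy(user_out, frame->reply, REPLY_SIZE);
    return REPLY_SIZE;            /* bytes handed to user space */
}

/* Hardened pattern: zero the buffer before use and copy out only what was
   produced; either change alone closes this leak, both together is safer. */
size_t devctl_fixed(kframe_t *frame, uint8_t *user_out) {
    memset(frame->reply, 0, sizeof frame->reply);
    build_reply(frame->reply);
    memcpy(user_out, frame->reply, REPLY_USED);
    return REPLY_USED;
}

/* Defender's check: run one variant with the frame pre-filled with 0xAA
   residue and a zeroed user buffer, then count nonzero bytes beyond the
   legitimate reply in what user space received (above zero = leaked). */
size_t demo_leak(int use_fixed) {
    kframe_t frame; uint8_t out[REPLY_SIZE];
    memset(&frame, 0xAA, sizeof frame);
    memset(out, 0, sizeof out);
    size_t copied = use_fixed ? devctl_fixed(&frame, out) : devctl_leaky(&frame, out);
    size_t leaked = 0;
    for (size_t i = REPLY_USED; i < copied; i++)
        if (out[i] != 0) leaked++;
    return leaked;
}
```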

Rejuvenate

On 14/06/2015, Rejuvenate, the first public exploit that allowed running unsigned usermode code, was released: http://yifan.lu/2015/06/14/rejuvenate-native-homebrew-for-psvita/

Secure Kernel

It was no surprise that crypto processes were not handled by the kernel (such was the case for previous Sony consoles). Libraries that deal with encrypted/signed content (SELF loading, PUP unpacking, etc.) all make calls to the Secure World. The hypothesis was that, like many large manufacturers at the time, Sony used the secure world for cryptography and security tasks. Getting access to the secure kernel was even harder than getting access to the non-secure kernel because there was much less exposure and much less information. However, with a vulnerability that abused some lightly documented features of the ARM architecture, the secure kernel was dumped on 06/09/2014, a little less than a year after owning the kernel. Unfortunately, almost immediately, the team found that the secure kernel was a red herring. There were no keys or any other sensitive information in the secure world (Sony was wiser here than most other ARM device makers); the sole task of the secure kernel was to communicate with an external processor, which the team named the F00D Processor because of the e_machine field of its ELF headers.

Kernel

For about a year, research was focused on getting kernel code execution. Through some ingenuity and a lot of luck, on 27/08/2013 the first kernel exploit on the Vita was realized. The vulnerability was an integer overflow leading to a heap overflow, combined with a misconfiguration that allowed a small portion of kernel heap memory to be leaked. The exploit and tools were completed on 01/09/2013 and, for the first time, kernel memory was revealed. After a week of dumping the large kernel codebase (there were many factors that made it a slow process), work began in parallel to reverse the system and find more vulnerabilities.

Userland

On 18/08/2012, a vulnerability was discovered in PSM that allowed both memory to be dumped and code to be executed.[1] UVLoader was developed and, within a couple of weeks, the first working native code homebrew ran on 12/09/2012. Although the source for UVLoader was released in anticipation of excitement in the homebrew community, there was no serious response from developers. Unfortunately, Sony used the source for UVLoader to secure the system in later updates and make userland code loading much harder.

[1] First memory dump (video): https://www.youtube.com/watch?v=w1GICNXTOhM&list=UUNIviKniCqbDShbAvldEOtA

ROP

In early 2012, the first ROP exploit was achieved through the Web Browser. Memory dumps of the browser were obtained through a disclosed WebKit vulnerability that was not patched because Sony did not use the most up-to-date WebKit version. The same vulnerability allowed ROP code execution. ROPTool was written to make creation and testing of ROP payloads easy.

PSP

Molecule has done some work on PSP in the past. Initial reversing of the PSP Emulator was done by members of Molecule including the first flash0 dump that opened the door for all future PSP emulator hacks.

Important Links

  • Official Website: https://henkaku.xyz
  • Usage Guide
  • Developer Guide
  • Homebrew
  • Vita SDK: https://github.com/vitasdk

Help Forums

English
  • Wololo: http://wololo.net/talk/viewforum.php?f=116
  • PlayStationHaX: http://playstationhax.it/forums/forum/129-ps-vita-henkaku/
  • PSX-Place: http://www.psx-place.com/forums/henkaku.191/
  • GBATemp: https://gbatemp.net/forums/ps-vita-hacking-homebrew.217/

Italian
  • Bite Your Console: http://www.biteyourconsole.net/community/playstation-vita/

French
  • Custom Protocol: http://www.customprotocol.com/forum/ps-vita/
  • ModConsoles: https://modconsoles.fr/forums/forum/19-psvitatv/

German
  • PSXTools: https://psxtools.de/index.php/Board/281-Playstation-Vita/
  • KINGx: http://www.kingx.de/forum/forumdisplay.php?fid=1

Other Links

  • Yifan Lu's Blog
  • Yifan Lu's Twitter
  • Davee's Twitter: https://twitter.com/DaveeFTW
  • Wololo: http://wololo.net/