Applications
Directory structure
d:/PCSG00001 d:/sce_module f:/libc.suprx d:/sce_pfs f:/files.db f:/pflist f:/unicv.db d:/sce_sys d:/abort f:/right.suprx d:/livearea d:/contents f:/bg0.png f:/default_gate.png f:/template.xml d:/package f:/cert.bin f:/head.bin f:/stat.bin f:/tail.bin f:/temp.bin f:/clearsign f:/icon0.png f:/keystone f:/param.sfo f:/pic0.png f:/eboot.bin
pflist
sce_pfs debug info text file
cert.bin
self-certified text file seen only in some SCE apps
<?xml version="1.0" encoding="utf-8"?> <program-configuration version="1.0" type="signed-elf-configuration"> <config> <content-id>IP9100-PCSI00009_00-UNITYDEV00000000</content-id> <program-authority-id>0x210000101CD20009</program-authority-id> <capability>0x20000000600F000000000000FFFFFFFF18000000000000000000000000000000</capability> <attribute>0x80098007000003C00000003940000000400000000000000000000000FFFFFFFF</attribute> <shared-secret-0>0x7E7FD126A7B9614940607EE1BF9DDF5E</shared-secret-0> </config> <capability privilege="game" function="usb_serial,virtual_machine"> 0x20 0x00 0x00 0x00 0x60 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff 0xff 0xff 0x18 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 </capability> <attribute spawn_by="system" platform="cex,dex,tool" media="memcard,memcard_patch"> 0x80 0x09 0x80 0x07 0x00 0x00 0x03 0xc0 0x00 0x00 0x00 0x39 0x40 0x00 0x00 0x00 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff 0xff 0xff </attribute> <shared-secret-0> 0x7e 0x7f 0xd1 0x26 0xa7 0xb9 0x61 0x49 0x40 0x60 0x7e 0xe1 0xbf 0x9d 0xdf 0x5e </shared-secret-0> <digest> 0xab 0xe0 0xff 0xd2 0x53 0x13 0xaa 0xf3 0x38 0x9f 0x3d 0xf9 0xa1 0x1b 0xed 0x44 0x3d 0xfa 0xe6 0xd6 0xa9 0x55 0x91 0x5a 0x9e 0x67 0x50 0x00 0x59 0x01 0xfa 0x83 </digest> <signature version="1.0" size="256"> 0x45 0xce 0x7f 0x81 0x30 0x2f 0x00 0xca 0xc4 0x7d 0xd1 0xde 0x9f 0x6d 0x45 0xc3 0x1b 0x1c 0xaf 0x14 0x7a 0xe0 0xf2 0xca 0xa9 0x97 0x73 0xe2 0xab 0x2f 0x6b 0x6b 0x75 0x9a 0x86 0xef 0xd3 0x3a 0xa2 0x21 0xad 0xd7 0xeb 0xa7 0x18 0xf0 0x77 0x10 0xac 0x69 0x3b 0x03 0xcb 0x07 0x74 0xfd 0xce 0x98 0x63 0x83 0x1d 0x5b 0xd2 0xf8 0x2c 0xf4 0x73 0x9f 0xdc 0xe7 0x91 0xc1 0x5a 0xe9 0x0d 0x00 0x15 0x13 0x0e 0x09 0x7e 0xda 0x3b 0x3d 0x3d 0x42 0xb9 0x51 0x90 0x3c 0x34 0x3d 0xf5 0x9f 0x59 0x8b 0x00 0x5f 0xed 0x61 0x3f 0x46 0xab 0xe1 0xd0 0x38 0x68 0x4e 0xf4 0xef 0x70 0xb4 0x04 0x76 0xce 0xfa 0x03 0xa4 0x55 0x92 0xc5 0x8c 0x7d 0x27 0x64 0xd2 0x65 0xae 0x31 0x3d 0x4a 0xac 0x43 0x04 0xd7 0x08 0xdf 0xc1 0xcf 0x2d 0xe1 0x77 0x2f 0x09 0x0d 0x5c 0xbd 0x8a 0x62 0xbf 0x32 0x11 0x23 0x65 0xbf 0xfc 0x9c 0xe7 0x02 0xe2 0xbb 0x10 0x84 0x65 0x72 0x6e 0x5e 0x46 0x3d 0x14 0xc6 0x33 0xc0 0xce 0xd3 0x23 0x99 0x07 0x2e 0x60 0x8c 0x6a 0x29 0x75 0xc4 0x00 0x40 0x68 0x6e 0x62 0x8f 0x0c 0x42 0x21 0x06 0x4d 0xf2 0x62 0xda 0x66 0x24 0x85 0x0b 0xc2 0xf3 0xc3 0x02 0x76 0x4a 0xbf 0x87 0x19 0x7a 0x0f 0x4f 0xdb 0x88 0x03 0x29 0xfa 0x81 0x4f 0xe2 0x70 0x4a 0x77 0x51 0xc6 0x12 0xef 0x58 0x95 0x36 0x96 0x48 0xd3 0xde 0x0d 0xac 0x4a 0xb8 0x61 0x04 0x31 0x61 0xa6 0x55 0x26 0x4d 0xbf 0x9b 0x43 0x12 0x1f 0x55 0x73 </signature> </program-configuration>
temp.bin
Pre-embedded .rif file.
Comes with DRM free app.
Security
Program Authority Id
Applications running on the PS Vita are subject to restrictions based off of their Authority ID. Certain syscalls can only be called by applications that have permission to call it. For example, SceShell can make certain calls to install packages or mount file systems that games cannot. Therefore a usermode exploit is more valuable in a system application like ScePspEmu, PSM, CMA or even better SceShell because regular games and applications do not have access to many syscalls.
File System Sandbox
Most applications do not have the special Authority ID to access files outside of their own sandboxed directory. Applications access their own resources through app0:
, which is mounted to point to their own directory and is also mounted as read only (applications cannot modify their own resources). Certain virtual partitions can be accessed on demand as specified by the SDK. Some examples include photo0:
and savedata0
. However, there is no way to mount actual partitions like ux0
(memory card).
Since PS Vita 2.06, user shared modules like SceLibKernel are loaded to randomized addresses. The randomization was later improved to be more random in FW 2.60.
Application ASLR
Since PS Vita FW 2.60, usermode applications (the main library) themselves can be compiled with ASLR support. Although not all games and applications choose to use this feature of the compiler, more and more are.
NID Poisoning
Perhaps as a direct result of UVLoader being open source, in PS Vita 2.11, Sony replaces all entries in the library import table with junk data. This prevents disclosure of syscalls based on their NIDs.
Syscall Randomization
Syscall numbers are not statically assigned. On each boot, the same kernel module exports will have different syscall numbers. However, the delta between syscall exports from the same module are the same, so in theory if you can identify one syscall from a module, you can calculate all the other syscalls of this module.
List of System Applications
See here.