Here we list what we're doing, what's done, and so on.
Finding more kernel exploits is always needed. Check out Vulnerabilities for a list of current progress and work.
PSM would be a nice way to get homebrew without piracy. Look into getting PSM to work without Sony phone-home. Requires decrypting npdrm PSM binary to get private keys.
Publicly released 20/06/2015. A method to fake PSM activation was released a few days later.
User mode (Done!)
A new user mode exploit is needed on firmwares >=3.50 to bypass ASLR in Vulnerabilities#CMA_XML_parsing_heap_buffer_overflow. Exploiting WebKit again is not out of the question; however, it is too old to be vulnerable to newly discovered exploits and too patched up to be vulnerable to the old ones. Exploiting an old app or a game (<=2.1x) that does not have ASLR support seems to be a viable alternative.
We need to make a CFW that will eventually be released to users (someday).
Signature Patching (Done!)
SceModulemgr should be patched to bypass signature checks. A good way may be to add a tail at the end of the function that decrypts buffers using F00D and return 0 instead of the error code on signature failure (since F00D does not touch the buffer on failure, input == output). We should initially patch the SceModulemgr in the non-secure bootloader (before rebooting) so that it loads our unsigned kernel library right after SceSysmem. Our library will handle patching the real SceModulemgr on load as well as other patches. This will give us a nice single point to do all kernel patching.
A preliminary version of signature patching is implemented, see SceKernelModulemgr#Module_decryption_and_signature_checks.
Going from above, we need a custom kernel library that handles patching the rest of the kernel as they are being loaded. This library should also export calls to userland that will aid in homebrew creation (allocate code memory, peek/poke kernel, etc).
Custom SDK (Done!)
One mostly working SDK is available, https://github.com/vitasdk
Solve the PFS encryption
Currently, any files stored on ux0: have an additional layer of encryption at rest. When an app is mounted into app0:, the file system gets a filter set that decrypts file accesses on the fly. We need to learn how to decrypt these ourselves. Vita Game PKG files are stored this way as well after PKG decryption.
Right now the plan is to release a Homebrew Enabler instead of a full-fledged CFW. The goal is to allow homebrew while making piracy impossible.
Things to check:
- Make sure game sharing isn't possible
- Allow allocating RWX memory
- Enable core dumps (can be used for piracy?)
- Allow full fs access (or not? see the first point)
- ... ?
Finding more information about the F00D processor. Any information leak would be nice.