Everybody's Tennis Vulnerability for PSP on PS Vita is Revealed
Following up on his PS Vita VHBL Motorstorm Arctic Edge release, this weekend PS Vita and PSP hacker wololo has revealed that Everybody's Tennis (known as Hot Shots Tennis in the US and Minna no Tennis in Japan) contains a vulnerability that could lead to the execution of external code and has since been removed from PSN by Sony.
To quote from his blog (linked above) as follows: Dear Sony, it has come to my http://wololo.net/wagic/2012/03/23/vhbl-name-of-the-new-exploited-game-will-be-announced-soon that one of the PSP games available on the PlayStation Vita has a vulnerability that could lead to the execution of external code by some malicious users. Therefore I am writing this blog post so that you can patch the game or remove it from the PSN store as soon as possible.
Preferably, I suggest you take the money from your clients first, and prevent them from downloading the game afterwards, just like you did with Motorstorm Arctic Edge, 3 weeks ago. This way it will be a win-win situation for you, and you can always blame it on the hackers later on.
As a matter of fact, I have discovered that some “hackers” (I prefer to call them terrorists) have already prepared a http://wololo.net/talk/viewtopic.php?f=52&t=10766 which, using this vulnerability, could allow people to run software that would be extremely dangerous for your business, such as 20 year-old 8 bit games and 154 different versions of pong.
I think this puts your business at risk, and I’ve tried to stop those vilains by all means necessary, but sadly it seems they are not breaking any law. Hopefully, giving you the name of the game will help you to take some efficient action.
Those people are clearly wrong in their mind to try to play crappy open source software, when they could enjoy a great game such as Ridge Racer for less than 10$ a track, (which is clearly not a ripoff compared to the price one would have to pay in the real world to drive cars that completely defy the laws of physics. Although on that subject I woud like if you could help me, as my version of the game seems to be blocked in “demo mode” for some reason. All the 5 cars have exactly the same specs, so surely there’s something I’ve done wrong somewhere.)
I digress. The name of the game is Everybody’s Tennis. It is also known as Minna no tennis in Japan. Thankfully the game is not available on the US Vita store, so this should limit the problems on your end. I heard however that these hackers have prepared a US version of the hack just in case that version is being sold somewhere such as the HK store. I also heard people can buy the UK version from the US if they buy some PSN cards from resellers on ebay and other sites.
If I may give some advice, I think this is not secure enough. True, you did a good job in preventing people from buying games outside of the country they live in (and being a French living in Japan, I can’t tell you how much I appreciate the fact that I can’t buy any game on the French PSN, this is exactly how globalization should work, and it helps me sparing lots of money by not buying any game), but I think in order to avoid future hacks, you should simply prevent everyone from buying games on the PSN, which will guarantee you a complete control of the market.
The hackers also announced they would release their hack a few hours or days after they announce the name of the game being used. They claim this only allows people to run “homebrew” games and that in no way it allows people to play pirated PSP or vita games, but I think this is not an excuse to hack.
I realize it is saturday evening for your teams in Europe, and Sunday morning in Japan. I hope you will not have to wake some people in the middle of the night just to take action, I would have chosen a better time, but I myself have very little time to blog outside of weekends.
Hoping that working together we will be able to stop hackers. I seem to be one of the few people on Earth who understand that the real enemies of the Vita are not your poor marketing techniques, the terrible software such as the “back to the 90′s” netfront browser, the bad launch lineup, the delays on the playstation suite, the recent downgrade from 5 to 2 allowed copies of any given psn game, and the increasing competition of smartphones that all have better CPUs than the Vita. No, the real enemies are those people playing Lamecraft, who are clearly killing the videogame market, so let’s destroy them together.
Please pay extra attention to the dev known as wth, who apparently is behind this whole thing, as well as Teck4 who apparently helped him for the Japanese version of the hack. I also heard that somes guys named mamosuke and msparky83 were involved in the testing. It would be good if you have a way to maybe track these guys’ phones or something. Or maybe you can simply sue them, I heard it’s something you do very well.
Yours truly, W. Ololo
Update: Following our discovery yesterday that the Honk Kong version of Everybody’s Tennis was different from the 3 other ones, wth got to work and adapted VHBL to this version. I haven’t tested this, but hopefully people who bought the HK version of Everybody’s Tennis can confirm if it works.
WTH also hinted to me that he might be able to get rid of the current limitation on the European version of the exploit, in which people have to switch the language of their console to French before running VHBL. Stay tuned.
Thanks to the great work of wth, here is the long awaited second release of VHBL. Those of you who missed the Motorstorm exploit probably had a chance to grab a copy of Everybody’s Tennis before Sony pulled it (let’s be happy, they gave us a bit more than 30 hours this time, last time was 8 hours). If not, well stay tuned, there are still other PSP user exploits lying around, and I’m sure something will come eventually.
But let’s get to the real subject here, this new release of VHBL. Sadly, I didn’t test it myself on my Vita, only on a PSP, so here’s to hope everything will go well. The full port has been done by wth (a.k.a. Yosh), with some help from Teck4 (JP exploit), and msparky83 and mamosuke (testing). I wasn’t involved in this port, so all credit goes to these guys. I want to thank as usual all the developers behind HBL, who made it relatively easy to port, in particular m0skit0 and JJS. Yosh also adds special thanks to dridri85, Zer01ne, Truthkey, and other devs who kept this a secret while it was being developed. From the readme:
HBL port to the EU/US/JP versions of the exploit by Yosh
EU/US Exploit by Yosh, JP Exploit by teck4, discovered by Yosh
wololo for the help
Thanks go to:
All the devs who made HBL what it is today, in particular m0skit0 and JJS
dridri85, Zer01ne, Truthkey and all the other devs who kept the secret, that’s much appreciated guys
Monsieur2T2R for the cool VHBL icons/wallpapers
Apologies to all the people who bought the Everybody’s Tennis game from the HK store, it turns out that version is a 4th version of the game for which no exploit was prepared yet.
The HK version of the game is difficult to find, so if you happen to own that game on your PSP and are a bit technical savvy, you might want to give it a try and port VHBL to it. I’m convinced it’s just a matter of time, it just takes one guy.
So, to whoever will do that port, thanks in advance, and to people who are waiting for the HK version of VHBL, please stay tuned. Neither wth nor me were actually aware that the HK version was different from the other 3, so it might take a while for something to be ready, but we’re not forgetting you.
HOW TO INSTALL AND RUN HBL ON EVERYBODY'S TENNIS
It is *strongly* recommended that you turn of all wireless connections on your PS Vita, and that you use OpenCMA on your PC instead of the regular CMA. This is recommended because otherwise your console has a way to force you to upgrade the firmware even before you get a chance to use the exploit.
Extract the HBL archive matching your version of the game in your CMA PSP Savedata folder. It is a folder on your PC named PSSAVEDATA/[lots of random characters here]. If you don’t know where it is, check your settings in CMA
Connect your PS Vita to the PC through the CMA, it should give you the possibility to copy the savedata from your PC to the Vita. If not, you probably extracted it in the wrong folder. (Note: You will also want to install some homebrews with a similar technique, read the section below)
Important for owners of the European version of the game: Before running Everybody’s tennis, you need to change the language of your PS Vita/PSP to French. This is a limitation of the exploit for now, this might or might not change in future revisions. you can of course switch your console back to your own language once you are done playing with VHBL.
To run HBL, start the Tennis game, select “Continue” in the Main Menu. At this point, HBL should start
HOW TO INSTALL AND RUN HOMEBREW
Installing homebrew on the PSP was an easy task. On the Vita, until better solutions are provided, it’s quite a pain in the rear. The CMA will only let you copy savedata, and will not recursively browse folders. To address this, HBL comes with a tool that can extract archives with a specific structure.Packaging the homebrew for installation on the Vita:
1) download PSP homebrew from your favorite Web site (wololo.net/downloads)
2) extract the homebrew somewhere on your hard drive, and with your favorite utility, zip it again with the *store* setting (no compression), in a file that you will name “install.zip”
3) take any PSP savedata (but not the one used for HBL!), and add the “install.zip” to that folder, in your PC CMA folder. so your PSP Savedata will look something like this:
in folder PSSAVEDATA/1a2b3c4def5678/UCUS12345000/ (or something like this) you will have the following files:
1) run OpenCMA on your PC, and CMA on your Vita
2) copy the previously packaged SAVEDATA (see above) with your homebrew in “install.zip” on your Vita
3) run HBL (how to run HBL is explained in the previous section)
4) navigate with the HBL menu to the SAVEDATA folder, then go to the folder you just downloaded (in my example, UCUS12345000), and clikc cross or circle on it
5) At this point, the HBL menu should ask you if you want to install the homebrew. select yes, and wait until HBL is done extracting your homebrew
6) The homebrew is now installed, and you can run it by going to the GAME folder, if everything went well, a new subfolder with your homebrew has been created here, and you can run the homebrew
OpenCMA (wololo.net/downloads/index.php/download/1252) is strongly recommended to install if you want to use VHBL. Open CMA is a tool by Virtuous Flame that allows you to copy files from and to your vita without being connected to the internet. This is useful, especially if you don’t want Sony to forcefully update your firmware.
Update 2: PlayStation Vita developer wololo[ has updated (wololo.net/wagic/2012/04/15/new-vhbl-version-for-everybodys-tennis-gets-rid-of-language-limitation-in-eu-version/) the VHBL version for Everybody’s Tennis, which now gets rid of language limitation in EU version. Downloads:
To quote: "Developer wth released today an update to his Everybody’s Tennis exploit, specifically for the EU store. This change does not improve homebrew compatibility, but will work independently of the language of your console. Yes, finally, no need to switch your console to French or Spanish.
Even though there is no new homebrew compatibility, I’m sure this will be a welcome update for those of you who are using this exploit."
Sony is CRAPPING themselves from any even minor attempts to hack Vita - it was clearly rushed out to meet the release dates (both in Japan as well as worldwide) and is still full of security holes as Emental cheese ... the sooner this get permanently hacked the better.
Video: Lamecraft (Minecraft Clone) PSP Homebrew for PS Vita
Following up on the PS Vita HBL and Doom releases, PlayStation Vita developer wololo reports that http://drakon.ixan.net/?p=622/ has made available a Lamecraft (Minecraft Clone) PSP homebrew port that runs on PS Vita with a demonstration video below.
Below is the guide, to quote from his blog (linked above): This guide assumes that you found a http://wololo.net/wagic/2009/03/11/finding-gamesaves-exploits-on-the-psp/ in a game, and that you were able to write a http://wololo.net/wagic/2010/02/27/writing-a-binary-loader/.
So now what’s next? Well, as you probably know if you’ve gone that far, the PSP scene doesn’t really like “hello worlds”. A hello world is nice, but it accomplishes nothing, it just draws Sony’s attention to your exploit, and you know the vulnerability will be patched soon, while nobody really used the exploit.
Well, the next step is, ideally, a HEN or a custom firmware. Of course, this requires a kernel exploit, and we know how these are difficult to find. A much more doable task, that will make lots of people happy, is to port HBL to your exploit. HBL opens the door to lots of legal contents on the PSP and the Vita, and we designed it so that porting it to your game exploit can be done fairly easily.
This tutorial is valid at the time of its writing, for all games, and up to firmware 6.60 (Vita firmware 1.61). In theory, HBL will work on future firmwares, but of course new kinds of security might be introduced in new firmwares. Additionally, depending on your game (and its function imports), the compatibility and speed of homebrews might vary.
0. Easy as pie
HBL was designed to be easily ported to new game exploits. Most Game-specific files (except one) go in a subfolder that I will describe below. To complete this tutorial, you need basic shell skills, a working pspsdk, a working game exploit and the associated binary loader / hello world, a ruby interpreter, and basic ruby skills (usually, if you know any other scripting language, you’ll figure it out easily, there are not so many changes required).
1. Get the HBL sources and compile them
The first step is to get the HBL sources, compile them, and if you’re motivated, test them on an existing game exploit, to make sure the copy you have works correctly. (As I write this, it is recommended to test compilation with either the Mototrstorm or the Everybody’s tennis exploits, as we might have broken backwards compatibility with older exploits)
In order to compile it, you need the PSPSDK (which you probably already have if you wrote a binary loader). Compilation is fairly easy, but in order to compile the HBL for a specific exploit, you have to specify the folder of the exploit. for example, make FOLDER=lifeup will compile HBL for the Motorstorm (EU) exploit.
2. Create your own exploit’s folder
As you guessed, you will create a folder dedicated to your own exploit. Let’s imagine you game is called wololo, then you can create a subfolder “wololo” in the eLoader folder. Basically, we want to reproduce the files that are in this folder for another exploit, and adapt them to our exploit. Let’s have a look at the lifeeu folder:
The folder contains 6 files and 1 folder (which contains 1 file) that you will want to adapt to your exploit. I will describe each of them separately. Most of these files are automatically generated by a script, so this should be fairly simple.
3. Create your exploit’s files
This is the linker file for h.bin. If you created a binary loader and a hello world, you already have this file from your hello world, and most likely you named it “linker.x“. Copy linker.x from your hello world to linker_loader.x. Done!
This is the sdk for h.bin. If you created a binary loader and a hello world, you probably already have this file, and named it sdk.S. Copy sdk.s to sdk_loader.S. If you don’t have this sdk, you can create it either by running prxtool on the EBOOT.BIN of the game, or by using the moskitool (a ruby version of the moskitool can be found in the eLoader/tools folder of the HBL). Most likely, if you created a hello world, you already have this file so I won’t give more details for now. Done!
config folder, exploit_config.h, sdk_hbl.S, loader.h,
The contents of the config folder, as well as sdk_hbl.S, loader.h, and most of exploit_config.h (details below for exploit_config.h) are automatically generated by a ruby script that you can find in eLoader/tools/gen_exploit_config.rb.
The gen_exploit_config.rb has 2 “modes”, but I will only describe the first one, which is required the first time you adapt your exploit. You need to have a usermem dump named memdump.bin (that you acquired from psplink with the command savemem 0x08800000 0x01800000 memdump.bin). Important note: For Vita compatibility, that dump must be done on a PSP running firmware 6.60. In addition to memdump.bin, you need a list of UIDs from the same psplink session, that you will name uidlist.txt.
You can get that file by typing uidlist > uidlist.txt in psplink. That file needs to be in unix format, so be sure to convert it if you are running windows. Finally, you need a file named sdk.S, which is nothing else than the sdk.S you created for your game exploit, the one we just named sdk_loader.S above.
Put these 3 files (memdump.bin and uidlist.txt obtained from the same psplink session, as well as sdk.S from your exploit) in the tools folder, and run gen_exploit_config.rb
This should display a list of addresses (you will want to copy these addresses inside the stubs array of gen_exploit_config.rb so that other people who want to improve your exploit won’t need a memory dump/uidlist anymore, although they will still need the sdk.S file), and generate a series of files in the tools/output subfolder.
The files generated by gen_exploit_config.rb in the output folder can be copied “as is” into your game’s folder.
Final edits to exploit_config.h
You’re almost done, but the file exploit_config.h need to be edited in two places, that you will find because they say “TODO” in big letters.
HBL_LOAD_ADDRESS This is where you will load HBL in RAM. You want a value that is outside of the boundaries of the game, and basically, a place where the PSP will accept to alloc roughly 200kB. you can get such an address in psplink while the game is running by typing malloc 2 test l 204800
HBL_ROOT is the name of the folder where your exploited savedata is. That folder name looks like ms0:/PSP/SAVEDATA/UCUS12345000. Important note: my tutorial on how to create a binary loader assumes you will load a file named ms0:/h.bin. On the PS Vita, this is not possible anymore, so you will have to adapt your binary loader in order to load the exploit from ms0:/PSP/SAVEDATA/XXXXXXX/h.bin (where XXXX is the folder of your savedata). In the Vita version of HBL, all HBL files for in that folder, and there is no subfolder.
copy linker_loader.x into linker_hbl.x, and replace the address value with the value of HBL_LOAD_ADDRESS that you figured out earlier while creating exploit_config.h. Done.
Run make FOLDER=yourfolder (alternate ways: make distrib FOLDER=yourfolder to remove debug messaging, make nonids FOLDER=yourfolder to remove NIDs-related heavy debug messaging)
You’re done, grab the h.bin and hbl.bin in the root, the config folder from your exploit’s folder, and the libs_… folders from the root. You now have the meat of your HBL port ready.
5. Last but not least
HBL is licensed under the GPL. If you plan to distribute your compiled binaries, it is required that you provide your source code as well. Don’t make us ask for it
This tutorial is voluntarily vague. Porting HBL is fairly easy, but we assume that if you made it that far, you probably are skilled enough to do some research on your own. Nevertheless, don’t hesitate to ask questions if you are running into problems
You are allowed to reproduce this article on other websites and/or translate it on condition that you put a clear link to this page in your copy.
6. More details
Porting VHBL is simple in theory, but many games do not import some functions that are necessary for HBL to run properly. One goal of the script gen_exploit_config.h is to analyze the imports of your game (this is why the sdk.S is necessary), and define some workarounds in exploit_config.h in case your game does not have all the necessary exports. This should work in most cases, but that script is still experimental and might make mistakes. Below are a few details on some of the “define” sections it creates:
TH_ADDR_LIST, EV_ADDR_LIST, SEMA_ADDR_LIST, and GAME_FREEMEM_ADDR can be computed for you by the tool eLoader/tools/freemem.rb. For that you will need a memory dump and a file uidlist.txt which is the output of the uidlist command in psplink (uidlist > uidlist.txt ). It is important to note that the memory dump and the uidlist need to be from the same session, otherwise the addresses will be incorrect. If you’re on windows, also make sure that the uidlist.txt file is in the unix format (use your favorite editor to convert it if needed). For those interested, here are some technical details about those variables, but basically the tool should do it for you
TH_ADDR_LIST, is the list of threads you want to kill. Threads are defined by a SceUID, but since this value changes all the time, what we actually want is the addresses where they are defined. in psplink, while your game (or your hello world) is running, you can get a list of these thread by typing thlist. Then look for each thread’s uid in ram. The address (hopefully unique) where the thid is defined, is what you want to put in this list.
EV_ADDR_LIST is the list of events you want to kill. You get this list by typing evlist in psplink. The rest is similar to the construction of TH_ADDR_LIST
SEMA_ADDR_LIST is the list of semaphores you want to kill. You get this list by typing smlist in psplink. The rest is similar to the construction of TH_ADDR_LIST above
GAME_FREEMEM_ADDR this is the address in Ram where the game’s memory was allocated. Most game have this but for those that don’t have it (patapon2), this value can be commented out. To find this value, type uidlist” PSPLink and look under the SceSysMemMemoryBlock section. You’re looking for blocks that have a 0xFF (user) attribute (not 0×00!), and are not “stack”. In the golf exploit, this block was simply called “block” and was easy to find. Again, you’re interested in the entry address, not the uid.
UNLOAD_ADDITIONAL_MODULES : define this variable if possible. Comment it out only if you run into issues at the “free memory” stage of HBL
Other variables: The variables above are the basics of the config file. With those, HBL should basically work, or at least take you to a step where you can start debugging. But with time, HBL has grown and has been updated by several people. In order to maintain backwards compatibility and increase game coverage, the exploit_config file was added several config values.
DISABLE_P5_STUBS is useful if you run into a crash/freeze even before hbl is loaded (just after firmware detection). SYSCALL_* are used for perfect syscall estimation on firmwares where this is available (TODO: explain syscalls estimation), etc… at this point you will probably need to dig in previous exploit_config.h files in order to find more on each macro you can possibly define.