PS Vita Debug Information Accessed via USB Interface

[Griever2kx]

Thanks for your efforts Nabnab, but unfortunately i get my Vita tomorrow. I'm not going to Update the FW but i have some questions.

Is there a workaround with the Facebook-App ? Because i think many of us haven't got the Facebook-App already... and do i need an PSN-Account ? (maybe for Future Solutions..) to install the App on another way (just thoughts...)

I remember that SKFU could sign Vita-Packages... there should be an way to Install the Facebook-App... but they already signed for the Vita with the PSN-Account who downloaded the App. Could someone code an Install-Pkg.....?

Thanks

Ted Mosby

[D3mone]

Hi Nabnab,

I don't get the point, all your pastebin are empty, I mean there is clearly no information inside. You only tell us that the Vita can communicate by USB and we can sniff what CMA send or read. Thank you for that but this is not a news.

It's like your last post showing the number of threads CMA created and the function call stack for each one of those. If you've discovered something, I understand that you can tease the scene, but your "teasing" show nothing: like your video called "PS Vita Hello World And USB Debug mode", I'm sorry but in this video I saw only a "PS Vita" and a "USB cable" but no "debug mode" and no "Hello World"...

I truly hope that I'm wrong. I hope that you find a first step of an exploit. Why I would love to see that ? Because I don't understand Sony's choice to not support seamless third applications (today it's so easy to create an application for Android/IOS, why not try to do the same for a portable gaming console ?

They created a 3G version of the console, it's time to use that 3G not only for FB or tweeter but for a whole set of third party apps or I don't get the point of having 3G). I would love to develop a game or app for the PS Vita, but I don't have enough money to buy a dev' kit or even a way to distribute the game/app. I'm very disappointed about that part of the PS Vita but I love all other parts =0)

By the way, I do hope that you have really find a first step of an exploit and that the truth is only that you are just not good at teasing =0). If you need a technical help, I would be glad to help you. I'm sure I can bring you more than you can image and more over I have plenty of time for now.

[Nabnab]

Take your time Griever2kx we are not in a hurry it's hope to you if you want to update or not but for sure that Sony can't fix a USB port

About the Facebook-App that every person ask -> you can't use the Facebook APP from another PS Vita that is properly signed with your unique PS Vita key (based on the Serial of the PS Vita and the Serial of your related account -> that follow
the 16-bytes path of your documents made with CMA Unique ID)

That it's about why you can't execute under another PS Vita. Concerning the fail algo that is include on the app/appmeta that let you to write ARM native code on it without having any problem, broke the sign or corrupted file under the PS Vita

The psvimg that include all the important stuff (elf, pkg info, etc) and psvmd that inform about the psvimg

About the sign, it's never the same and only Sony patch/sign on fly the SEN APP, it's a generate key with your unique ID and properly App, that's why also you can't use this generate key
to resign another App (this generate key work only with the App that is related)

I remember that Sony use a difficult encryption on the PS2 Game available on SEN -> PS3 (VME-> Virtual Matrix Encryption, that is only available for commercial purpose) i didn't hear anything about somebody who crack this encryption.

I know they use a completely new encryption/sign for the PS Vita but not VME

Anyway i can't do that myself but i do other stuff

[mrlowalowa]

But maybe you could install the fb app over the PS3? Because I have downloaded it just for fun before they have token it offline.

So maybe you could put this app on your jailbroken PS3 and install it from this PS3 at your PS Vita?

[Nabnab]

Not possible, you need to log with your account to install App on the PS Vita

[playhard]

that's cool tho..

[mrlowalowa]

But if you put it on your PS3 at a 3.55 firmware and update to 4.11 (only with an Flasher to downgrade) it should work.

Or In my case too because I'm on OFW 4.11 and have a waiting fb app at my xmb

[Griever2kx]

So you mean that's the USB Debug Mode can't be fixed through a FW-Update. That's cool. And I heard that some other App's have a fail algo too. You know what i mean Please don't mention it, because Sony reacts really quick these days.

Does i have the same possibilities with an App who has an fail algo too since the Facebook app went offline ?

And he says that the PS3 can decrypt the new packages on firmware 4.00 which contains the new PS VITA PKG AES key for the PS3 <--> PS VITA content exchange feature. This means we can decrypt and get the content of the PS VITA PKG files via a 4.00 PS3. Sadly there's no solution to re-encrypt it again, yet. But maybe we will find a way to do it. Or there will be a Way if the Jailbreak from Waninkoko appears out of the wild. We will see.

''the unique key of your PS Vita are save in a special cache on your Windows for example and as you can see if you check the key of CMA on your windows reg, you can find that the CMA work in read-only mode that you can't modify and only Sony can modified this (this is pretty illegal, it works like a spyware/malware that let Sony control your computer) anyway this can be fixed, check your reg'' <= Does it mean you can dump the Keys....

And whats the future Plans for this Exploit. Just a few people downloaded the Facebook App...

Thanks for your quick answer

[Nabnab]

It can't work 3.55 Firmware don't include the necessary driver to recognize the PS Vita, etc...

4.11 with a flasher will change anything because anyway you can't install PS Vita app that is not properly sign with your unique ID PS Vita Account, etc..

When you install a PS Vita App with the PS3, the PS3 go under a special mode that you don't have anymore access to the PS3 XMB, you control everything with the CMA Lite task background of the PS3 and the CMA from the PS Vita, it's more the PS Vita control the transfer than the PS3, the PS3 only call the PS Vita system to install PS Vita APP, kernel call to the PS3 system that lets you to control PS3/PS Vita transfer file.

If you talk about unit13, it's not a problem of a fail it's just the 3D engine need more optimisation, fix some memory access for decompressing textures, shaders,

About the USB Debug mode they can't fix, i was starting to making a pastebin with more explain about the PS Vita/Debug why it can't be fixed and why it's useful. i'm sure that have already many dev who know how to exploit it (the PS Vita = A smartphone)

I didn't check all but it seems that Netflix have also a similar problem (probably because the App was release a little bit too fast without checking everythings)

I'm pretty sure he was saying about the update of the PS Vita that for sure don't need that much security that already have, about the stuff of the SEN Store and Vita Game Card is different the Vita Card (memory card) it's a Micro m2 + Encryption (not sure if is the best but that go to far for me) nothing else than that but the Encryption is generated by the PS Vita system and save your Unique ID in cache that when you install a game or app you can only launch that with your system.

Actually is not the PS3 decrypt the PS Vita App, it's the PS Vita system when is connected to the PS3 system the PS3 system = Host

Now about the dump the keys, it's not my job i try to offer more than that, like i said dualboot/bootstrap and also a alternative app that you can use under Linux/MacOS to exploit the PS Vita more easily i'm not here yet but i have the more important to exploit it.

Take a look to my last pastebin that i hope will let you understand more http://pastebin.com/hU1M9eWH

Code:

PS Vita ARM Debug Explain.

Probably some dev already know that but it's good to explain why we can go under Debug mode on the PS Vita that don't change that much than a Smartphone with ARM Architecture.

ARM CPU include a Debug mode and Monitor Mode (related to the Embedded) 

As you probably know the Debug mode of the ARM, let you have a full control of the CPU, System Execution, Software, etc... 

The Monitor Mode (related to the Interface) let you control some part of the system software in real-time (RTOS)

About the debug mode that use a breakpoint exception (remember USB is a external signal) that let you to use the external signal (hw,data breakpoint, enter debug and act debug state) the CMA use Monitor Mode to let you control the transfer file to your computer or PS Vita but with some limitation on the software and hardware access restricted

The instruction is stocked in a sequential memory of the PS Vita system, that if you use a breakpoint -> you read/write the memory 

Take a look to this excellent pdf of ARM Cortex-A9 (CPU of the PS Vita) http://infocenter.arm.com/help/topic/com.arm.doc.ddi0407g/DDI0407G_cortex_a9_mpcore_r3p0_trm.pdf

Reason why i was talking about the CMA, the debug execution and the IOCTL call

Add this to all my last pastbin log execution (CMA, etc)

Also another one ;) http://infocenter.arm.com/help/topic/com.arm.doc.dui0440b/DUI0440B_realview_platform_baseboard_for_cortexa9_ug.pdf

[D3mone]

Hi Nabnab,

I'm happy that you discover the first step of an exploit, and I would love to see homebrews coming to Vita. If you say that Sony can't fix the USB Debug, stop your teasing and unveil the USB debug trick and everyone will have the chance to help you (as a developer, I will probably the first one).