PS Vita Debug Information Accessed via USB Interface

[Nabnab]

Just a gift for PS3News and thanks to everyone.. PS Vita Access: http://pastebin.com/hk6nigZz

It's also a answer to the Scott security claim, i don't release the method now because it's too early, i already release the debug usb method available on pastebin too that you need to use with LibUSB driver Windows PS Vita and soon mac OS (not related to CMA but a alternative)

Just saw that CMA Mac OS = Based on my works confirmed by a person who works for Sony Customer Relation

For now it's all you gonna have. I confirm with this pastebin that i have all the possible access to the PS Vita

Code:

Thanks Scott ;)

--------------------------------------------------------------------------------
PS Vita Access Investigation (not all in here) ;) 
Discover by Nabnab 
PS: check the last part ;)
--------------------------------------------------------------------------------


Task Oper Get Vita Info
Mtp VITA Connection Manager
Event Args Vita Connection Status Changed
App Delegate connect Vita
App Delegate vita Negotiation Completed
Settings vita Connected
Connect Vita on OK
Connect Vita window Will Close
Connect Vita awake From Nib
Vita Connection Status Changed Event Job execute
Application Is PlayStation Vita Connected
Vita Info Get Protocol Version
BrowserCore Is Vita Info Available
BrowserCore Clear Vita Info
BrowserCore Initialize Vita Info String
Vita Info Reset
Configuration Get Vita Game Home Path
AVC_Vita Movie Profile
Vita Info Photo thumb
Vita info music thumb
vita info video thumb
vita info game thumb
vita info attr thumb width
vita info attr thumb height
Get Fake Game Pkg Home Path
Configuration Get Vita Game Account Home Path
Configuration Get PSP Game Account home path
FS File Game Package
Serializer Set Game Metadata
Serializer Set Attribute Game Type
PSP Game SFO Param
PSP Game thumb
PSP -> PSP_libccc.cpp
PSP -> PSP_libccc.o
PSP -> PSP Savedata.cpp
PSP -> PSP Savedata.o
PSP -> PSP savedata.h
PSP Savedata has Metadata
PSP save data get metadata
PSP save data has file system info
PSP save data get date created
PSP save data get data last modified
PSP save data get path
PSP -> SavedataSubFolder.cpp
PSP -> SavedataSubFolder.o
PSP -> PSPSavedataSubfile.cpp
PSP -> PSPSavedataSubfile.o
PSP Savedata Sub File
PSP -> PSPSavedataSubfile.h
PSP -> PSPSaveDataRoot.cpp
PSP -> PSPSavedataRoot.o
PSP Savedata Root
PSP Savedata Root Get Children
PSP Savedata root get Child count
PSP Savedata root Create Instance
PSP Savedata Root get type
PSP -> PSPSavedataROot.h
PSP save data root get title 
PSP Game home path
vsh meta_gen_types.h :)
Task Oper Send In stem info for VSH
vsh -> sortKeyCreator.cpp
vsh -> MDgenerator.cpp
vsh -> DBaccessor.cpp
vsh -> localfile_types.h
vsh -> file_types.h
Vita -> NPAccountdebugsetting.cpp
Vita -> NPAccountdebugsetting.o
Vita NP account debug setting
Vita NP account debug setting get instance
Vita NP account debug setting read setting file
Vita NP account debug setting get log level
Vita NP account debug setting get NP Env

[hacked2123]

Amazing. Appears we are having better luck with the PSV than the PS3. I am looking to expand the knowledge of the PSV as well if you are interested in contacting me.

[Nabnab]

Also about the PS Vita you remember i reveal few weeks ago/over month the method to access to the hidden system information on the PS Vita.. Sony Patched the method on 1.60/1.61

About the HBL i'm sorry to say that but it's already over (Sony will prevent this by updating soon the system to run only ARM native program and don't use anymore the MIPS Wrapper) 1.65/1.70 come soon

They didn't block the Debug and not sure they can block it

About the Transfer Files without CMA that i was showing on a youtube video.

-On MAC OS, use the Application Share and WebShare (or use a alternative on Windows)
-DNS Settings/Proxy server on your PS Vita -> Add the IP of your iMac/Macbook/hackintosh/Windows Computer
and put the files on your webshare that you want to transfer or show on your PS Vita
-Open the Navigator of the PS Vita and write the IP of your computer, press enter
and you would see all the files from your computer, you just need to click on it to transfer that on your PS Vita

(nothing related to the debug access etc...)

[mrlowalowa]

Dude.. You are amazing and have too much time

Great work

[cfwprophet]

The part about the webshare is already known and was discovered weeks ago from some one else

[Nabnab]

What are you talking about ? the part of webshare was discovery by me and explained by me on the video from over month ago
if you don't have anything to say, please don't post in this thread.

[Nabnab]

OK Actually two method give you the possibility to go under Debug USB PS Vita

The debug USB key button mode only work with a old firmware.
The debug USB and more access on new firmware is different and work on a specific mechanism that need to exploit ioctl.

I'm talking about a full access to the system.

Did you know why they take off the facebook app from the PS Vita ?... because facebook app include a fail algo that let you execute unsigned code hello arm coding

[mrlowalowa]

that is something that I would call Epic FAIL!!

They do not really learn about their failours before, or do they?

[Nabnab]

They learn but a USB connectivity working also with windows app, i don't call that a super security (i can say that the 3DS is more secure than the PS Vita) when you know that the USB connectivity talk too much

Small update about the Full Access

http://pastebin.com/M2Y40JRG

More infos Full Access PS Vita Information

On the new firmware, the debug usb mode work differently (the key button doesn't work on it) That you need to use a mechanism that exploit the ioctl to call the debug usb mode and more

CMA use specific point and include secret key the unique key of your PS Vita are save in a special cache on your Windows for example and as you can see if you check the key of CMA on your windows reg, you can find that the CMA work in read-only mode that you can't modify and only Sony can modified this (this is pretty illegal, it works like a spyware/malware that let Sony control your computer) anyway this can be fixed, check your reg

For now, i need to keep that secret for while but i give you some clue
When you connect the PS Vita to your computer (use a USB Log), i already explain that before but i do again, the PS Vita try to connect to the Sony server by the help of CMA Application (globalsign server also) that confirm everythings is ok and updated.

Open CMA.exe with a hexa editor and copy all the http/https and add them into your hosts file.

if you want to exploit your PS Vita, again, check into the ioctl !! it's important ever kernel Unix or Win NT use this for the USB rooting

About Facebook App on the PS Vita recently retired
One of the reason was maybe because the Facebook App allow us to run unsigned code on the PS Vita (ARM Code what's up)

This was a badly fail but don't worry, i can say that the PS Vita is already so open (i don't like to use the word hacked) but Open is better to represent how the PS Vita offer more information than what we are thinking

Also to my friends that made VHBL, better to release that now before the update 1.65/1.70

Sony already know and would release a cutie update to prevent this thing (remember not anymore MIPS Wrapper and welcome ARM native program)

Anyway the PS Vita use Third-Party Software that you can find some source on the Web

About technical USB information (that is important to know) sure that some people saw it

The USB Port of the PS Vita have 21 Pin
The USB Cable of the PS Vita have only 9 Pin (12 pin out)

[Nabnab]

More infos about IOCTL Access/Control and also CMA Request under Mac OS

http://pastebin.com/HPWN3wSK

Code:

PS Vita Access under Mac OS/Linux -> BSD Control SysCall

Use POSIX I/O functions to access to the PS Vita. 
you also can use the fcntl and ioctl functions to control files and devices.

Launch Terminal Windows with the command man ioctl (under sudo it's better)

You are supposed to have this

IOCTL(2)                    BSD System Calls Manual                   IOCTL(2)

NAME
     ioctl -- control device

SYNOPSIS
     #include <sys/ioctl.h>

     int
     ioctl(int fildes, unsigned long request, ...);

DESCRIPTION
     The ioctl() function manipulates the underlying device parameters of spe-
     cial files.  In particular, many operating characteristics of character
     special files (e.g. terminals) may be controlled with ioctl() requests.
     The argument fildes must be an open file descriptor.

     An  ioctl request has encoded in it whether the argument is an ``in''
     parameter or ``out'' parameter, and the size of the argument argp in
     bytes.  Macros and defines used in specifying an ioctl request are
     located in the file <sys/ioctl.h>.

-----------------------------------------------------------------------

What CMA/USB Do under Mac OS ? 

    + 2574 start  (in CMA) + 54  [0x8686] 
    
2574 Thread_412081
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 MsvCommandExecutor::threadProc(void*)  (in CMA) + 17  [0x1bec7]
    +         2574 MsvCommandExecutor::run()  (in CMA) + 92  [0x1c50c]
    +           2574 MsvCommandExecutor::wait()  (in CMA) + 164  [0x1be42]
    +             2574 XpManualEvent::Lock(unsigned long)  (in CMA) + 87  [0xa23a1]
    +               2574 XpComboSyncObject::waitCondition(unsigned long)  (in CMA) + 44 [0x9ac6683e]
    2574 Thread_412082
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 MsvTaskProcessor::threadProcMain()  (in CMA) + 18  [0x42602]
    +         2574 MsvTaskProcessor::run()  (in CMA) + 64  [0x43226]
    +           2574 MsvTaskProcessor::wait()  (in CMA) + 167  [0x42b15]
    +             2574 XpManualEvent::Lock(unsigned long)  (in CMA) + 87  [0xa23a1]
    +               2574 XpComboSyncObject::waitCondition(unsigned long)  (in CMA) + 44  
[0x9c98442c]
    2574 Thread_412085
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 MtpManager::eventProc(void*)  (in CMA) + 118  [0x12bb3]
    +         2574 cellUsbMtpRecvEvent(CellMtpTransport const*, unsigned int, CellMtpEvent*)  (in CMA) + 174  [0x11ba7]
    +           2574 cellUsbdTransferRecvForEvent(unsigned int, unsigned char, void*, int, unsigned int*)  (in CMA) + 111  [0x10384]

[0x9ac64c22]
    2574 Thread_412100
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 _ZL5entryPv  (in CMA) + 17  [0x47d07]
    +         2574 MsvFolderWatchManager::Run()  (in CMA) + 278  [0x48074]
    +           2574 MsvFolderWatchManager::IsContinue()  (in CMA) + 32  [0x47f2c]
    +             2574 XpManualEvent::Lock(unsigned long)  (in CMA) + 87  [0xa23a1]
    +               2574 XpComboSyncObject::waitCondition(unsigned long)  (in CMA) + 44   [0x9ac6683e]
    2574 Thread_412483
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 _ZL5entryPv  (in CMA) + 17  [0x47d07]
    +         2574 MsvFolderWatchManager::Run()  (in CMA) + 278  [0x48074]
    +           2574 MsvFolderWatchManager::IsContinue()  (in CMA) + 32  [0x47f2c]
    +             2574 XpManualEvent::Lock(unsigned long)  (in CMA) + 87  [0xa23a1]
    +               2574 XpComboSyncObject::waitCondition(unsigned long)  (in CMA) + 44  [0x9ac6683e]
     +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 _ZL5entryPv  (in CMA) + 17  [0x47d07]
    +         2574 MsvFolderWatcher::Run()  (in CMA) + 413  [0x47bf9]
[0x9b737c7a]
    +                   
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 _ZL5entryPv  (in CMA) + 17  [0x47d07]
    +         2574 MsvFolderWatcher::Run()  (in CMA) + 413  [0x47bf9]
0x9b737c7a]
    +                 
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 _ZL5entryPv  (in CMA) + 17  [0x47d07]
    +         2574 MsvFolderWatcher::Run()  (in CMA) + 413  [0x47bf9]
[0x9b737c7a]
    +                   
    2574 Thread_412487
    +     2574 _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
    +       2574 _ZL5entryPv  (in CMA) + 17  [0x47d07]
    +         2574 MsvFolderWatcher::Run()  (in CMA) + 413  [0x47bf9]
   
       9       _ZL16BeginThreadProxyPv  (in CMA) + 77  [0xa0bca]
        6       _ZL5entryPv  (in CMA) + 17  [0x47d07]