Guide to Porting VHBL (PS Vita Half-Byte Loader) Game Exploits

143w ago - This weekend PlayStation Vita developer wololo has made available a guide to porting VHBL (PS Vita Half-Byte Loader) to individual game exploits for those interested.

This news follows the recent Motorstorm Arctic Edge and Everybody's Tennis PSP / PS Vita game exploits.

Below is the guide, to quote from his blog (linked above): This guide assumes that you found an exploit in a game, and that you were able to write a binary loader / hello world for it.

So now what’s next? Well, as you probably know if you’ve gone that far, the PSP scene doesn’t really like “hello worlds”. A hello world is nice, but it accomplishes nothing, it just draws Sony’s attention to your exploit, and you know the vulnerability will be patched soon, while nobody really used the exploit.

Well, the next step is, ideally, a HEN or a custom firmware. Of course, this requires a kernel exploit, and we know how difficult these are to find. A much more doable task, one that will make lots of people happy, is to port HBL to your exploit. HBL opens the door to lots of legal content on the PSP and the Vita, and we designed it so that porting it to your game exploit can be done fairly easily.

This tutorial is valid at the time of its writing, for all games, and up to firmware 6.60 (Vita firmware 1.61). In theory, HBL will work on future firmwares, but of course new kinds of security might be introduced in new firmwares. Additionally, depending on your game (and its function imports), the compatibility and speed of homebrews might vary.

0. Easy as pie

HBL was designed to be easily ported to new game exploits. Most game-specific files (except one) go in a subfolder that I will describe below. To complete this tutorial, you need basic shell skills, a working pspsdk, a working game exploit and the associated binary loader / hello world, a ruby interpreter, and basic ruby skills (usually, if you know any other scripting language, you’ll figure it out easily; there are not so many changes required).

1. Get the HBL sources and compile them

The first step is to get the HBL sources, compile them, and if you’re motivated, test them on an existing game exploit, to make sure the copy you have works correctly. (As I write this, it is recommended to test compilation with either the Motorstorm or the Everybody’s Tennis exploits, as we might have broken backwards compatibility with older exploits.)

The sources of HBL can be downloaded from the project's SVN repository (SVN client required).

In order to compile it, you need the PSPSDK (which you probably already have if you wrote a binary loader). Compilation is fairly easy, but in order to compile the HBL for a specific exploit, you have to specify the folder of the exploit. For example, make FOLDER=lifeup will compile HBL for the Motorstorm (EU) exploit.

2. Create your own exploit’s folder

As you guessed, you will create a folder dedicated to your own exploit. Let’s imagine your game is called wololo; then you can create a subfolder “wololo” in the eLoader folder. Basically, we want to reproduce the files that are in this folder for another exploit, and adapt them to our exploit. Let’s have a look at the lifeeu folder:

The folder contains 6 files and 1 folder (which contains 1 file) that you will want to adapt to your exploit. I will describe each of them separately. Most of these files are automatically generated by a script, so this should be fairly simple.

3. Create your exploit’s files

linker_loader.x

This is the linker file for h.bin. If you created a binary loader and a hello world, you already have this file from your hello world, and most likely you named it “linker.x”. Copy linker.x from your hello world to linker_loader.x. Done!

sdk_loader.S

This is the sdk for h.bin. If you created a binary loader and a hello world, you probably already have this file, and named it sdk.S. Copy sdk.S to sdk_loader.S. If you don’t have this sdk, you can create it either by running prxtool on the EBOOT.BIN of the game, or by using the moskitool (a ruby version of the moskitool can be found in the eLoader/tools folder of the HBL). Most likely, if you created a hello world, you already have this file, so I won’t give more details for now. Done!

config folder, exploit_config.h, sdk_hbl.S, loader.h

The contents of the config folder, as well as sdk_hbl.S, loader.h, and most of exploit_config.h (details below for exploit_config.h) are automatically generated by a ruby script that you can find in eLoader/tools/gen_exploit_config.rb.

The gen_exploit_config.rb script has 2 “modes”, but I will only describe the first one, which is required the first time you adapt your exploit. You need to have a usermem dump named memdump.bin (that you acquired from psplink with the command savemem 0x08800000 0x01800000 memdump.bin). Important note: for Vita compatibility, that dump must be done on a PSP running firmware 6.60. In addition to memdump.bin, you need a list of UIDs from the same psplink session, that you will name uidlist.txt.

You can get that file by typing uidlist > uidlist.txt in psplink. That file needs to be in Unix format, so be sure to convert it if you are running Windows. Finally, you need a file named sdk.S, which is nothing else than the sdk.S you created for your game exploit, the one we just named sdk_loader.S above.

Put these 3 files (memdump.bin and uidlist.txt obtained from the same psplink session, as well as sdk.S from your exploit) in the tools folder, and run gen_exploit_config.rb.

This should display a list of addresses (you will want to copy these addresses inside the stubs array of gen_exploit_config.rb so that other people who want to improve your exploit won’t need a memory dump/uidlist anymore, although they will still need the sdk.S file), and generate a series of files in the tools/output subfolder.

The files generated by gen_exploit_config.rb in the output folder can be copied “as is” into your game’s folder.

Final edits to exploit_config.h

You’re almost done, but the file exploit_config.h needs to be edited in two places, which you will find because they say “TODO” in big letters.

HBL_LOAD_ADDRESS: this is where you will load HBL in RAM. You want a value that is outside of the boundaries of the game, and basically, a place where the PSP will accept to alloc roughly 200kB. You can get such an address in psplink while the game is running by typing malloc 2 test l 204800

HBL_ROOT is the name of the folder where your exploited savedata is. That folder name looks like ms0:/PSP/SAVEDATA/UCUS12345000. Important note: my tutorial on how to create a binary loader assumes you will load a file named ms0:/h.bin. On the PS Vita, this is not possible anymore, so you will have to adapt your binary loader in order to load the exploit from ms0:/PSP/SAVEDATA/XXXXXXX/h.bin (where XXXX is the folder of your savedata). In the Vita version of HBL, all HBL files go in that folder, and there is no subfolder.

linker_hbl.x

Copy linker_loader.x into linker_hbl.x, and replace the address value with the value of HBL_LOAD_ADDRESS that you figured out earlier while creating exploit_config.h. Done.

4. Compile

  • Run make FOLDER=yourfolder (alternate ways: make distrib FOLDER=yourfolder to remove debug messaging, make nonids FOLDER=yourfolder to remove NIDs-related heavy debug messaging)
  • You’re done, grab the h.bin and hbl.bin in the root, the config folder from your exploit’s folder, and the libs_… folders from the root. You now have the meat of your HBL port ready.

5. Last but not least

HBL is licensed under the GPL. If you plan to distribute your compiled binaries, it is required that you provide your source code as well. Don’t make us ask for it.

This tutorial is voluntarily vague. Porting HBL is fairly easy, but we assume that if you made it that far, you probably are skilled enough to do some research on your own. Nevertheless, don’t hesitate to ask questions if you are running into problems.

You are allowed to reproduce this article on other websites and/or translate it on condition that you put a clear link to this page in your copy.

6. More details

Porting VHBL is simple in theory, but many games do not import some functions that are necessary for HBL to run properly. One goal of the script gen_exploit_config.rb is to analyze the imports of your game (this is why the sdk.S is necessary), and define some workarounds in exploit_config.h in case your game does not have all the necessary exports. This should work in most cases, but that script is still experimental and might make mistakes. Below are a few details on some of the “define” sections it creates:

TH_ADDR_LIST, EV_ADDR_LIST, SEMA_ADDR_LIST, and GAME_FREEMEM_ADDR can be computed for you by the tool eLoader/tools/freemem.rb. For that you will need a memory dump and a file uidlist.txt which is the output of the uidlist command in psplink (uidlist > uidlist.txt). It is important to note that the memory dump and the uidlist need to be from the same session, otherwise the addresses will be incorrect. If you’re on Windows, also make sure that the uidlist.txt file is in the Unix format (use your favorite editor to convert it if needed). For those interested, here are some technical details about those variables, but basically the tool should do it for you.

TH_ADDR_LIST is the list of threads you want to kill. Threads are defined by a SceUID, but since this value changes all the time, what we actually want is the addresses where they are defined. In psplink, while your game (or your hello world) is running, you can get a list of these threads by typing thlist. Then look for each thread’s uid in RAM. The address (hopefully unique) where the thid is defined is what you want to put in this list.

EV_ADDR_LIST is the list of events you want to kill. You get this list by typing evlist in psplink. The rest is similar to the construction of TH_ADDR_LIST.

SEMA_ADDR_LIST is the list of semaphores you want to kill. You get this list by typing smlist in psplink. The rest is similar to the construction of TH_ADDR_LIST above.
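As an added example (not part of wololo's guide or the HBL tools), here is a small Ruby script that does the lookup described above for TH_ADDR_LIST, EV_ADDR_LIST and SEMA_ADDR_LIST: scan a usermem dump for each object's UID and report the (hopefully unique) address where it is stored, flagging UIDs that are absent or appear more than once. It assumes the dump starts at 0x08800000 as in the savemem command earlier, that values are little-endian 32-bit words on 4-byte boundaries, and it uses a constructed list of UIDs and a constructed dump in place of real thlist/evlist/smlist output; the #define syntax it prints is also an assumption, so compare it with a generated exploit_config.h.

```ruby
# Added example, not part of the HBL sources: locate where kernel-object UIDs
# (threads, events, semaphores) are stored in a usermem dump, which is what
# TH_ADDR_LIST / EV_ADDR_LIST / SEMA_ADDR_LIST contain.
# Assumptions: the dump starts at 0x08800000 (the savemem base in the guide),
# and words are 32-bit little-endian, stored on 4-byte boundaries.

DUMP_BASE = 0x08800000

# Scan the dump for every requested uid; returns { uid => [absolute addresses] },
# with an empty entry for uids that were not found at all.
def find_uid_addresses(dump, uids, base = DUMP_BASE)
  hits = uids.uniq.each_with_object({}) { |u, h| h[u] = [] }
  dump.unpack("V*").each_with_index do |word, i|   # "V" = uint32 little-endian
    hits[word] << base + i * 4 if hits.key?(word)
  end
  hits
end

# Sort the scan results: exactly one hit is what goes in the list; zero or
# several hits need a second look (the guide says "hopefully unique").
def classify_hits(hits)
  report = { unique: {}, ambiguous: {}, missing: [] }
  hits.each do |uid, addrs|
    case addrs.size
    when 0 then report[:missing] << uid
    when 1 then report[:unique][uid] = addrs.first
    else report[:ambiguous][uid] = addrs
    end
  end
  report
end

# Render the unique addresses as a C macro. The exact syntax expected by
# exploit_config.h is assumed here; compare with a generated file.
def addr_list_define(name, addrs)
  "#define #{name} " + addrs.map { |a| format("0x%08X", a) }.join(", ")
end

# Constructed sample data (not a real PSP dump): three made-up thread uids,
# one stored once, one stored twice, one absent from the dump.
SAMPLE_UIDS = { "main" => 0x04C3B001, "audio" => 0x04C3B1C3, "ghost" => 0x04DEAD01 }

def build_sample_dump
  words = Array.new(64, 0)
  words[5]  = 0x04C3B001    # unique -> 0x08800014
  words[20] = 0x04C3B1C3    # ambiguous: also stored at words[33]
  words[33] = 0x04C3B1C3
  words.pack("V*")
end

if __FILE__ == $0
  report = classify_hits(find_uid_addresses(build_sample_dump, SAMPLE_UIDS.values))
  puts addr_list_define("TH_ADDR_LIST", report[:unique].values)
  report[:ambiguous].each do |uid, addrs|
    puts format("uid 0x%08X stored at several addresses: %s", uid,
                addrs.map { |a| format("0x%08X", a) }.join(", "))
  end
  report[:missing].each { |uid| puts format("uid 0x%08X not found in dump", uid) }
end
```

With a real memdump.bin, read it with File.binread and pass the UIDs from your thlist/evlist/smlist session; an ambiguous UID means the address has to be chosen by hand, as the guide warns.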

GAME_FREEMEM_ADDR is the address in RAM where the game’s memory was allocated. Most games have this, but for those that don’t have it (patapon2), this value can be commented out. To find this value, type uidlist in PSPLink and look under the SceSysMemMemoryBlock section. You’re looking for blocks that have a 0xFF (user) attribute (not 000!), and are not “stack”. In the golf exploit, this block was simply called “block” and was easy to find. Again, you’re interested in the entry address, not the uid.

UNLOAD_ADDITIONAL_MODULES: define this variable if possible. Comment it out only if you run into issues at the “free memory” stage of HBL.

Other variables: the variables above are the basics of the config file. With those, HBL should basically work, or at least take you to a step where you can start debugging. But with time, HBL has grown and has been updated by several people. In order to maintain backwards compatibility and increase game coverage, several config values were added to the exploit_config file.

DISABLE_P5_STUBS is useful if you run into a crash/freeze even before HBL is loaded (just after firmware detection). SYSCALL_* are used for perfect syscall estimation on firmwares where this is available (TODO: explain syscall estimation), etc. At this point you will probably need to dig in previous exploit_config.h files in order to find more on each macro you can possibly define.

Comments

#156 - ils - 147w ago
Following up on the previous update, today PS Vita homebrew developer wololo has revealed the game used for the PlayStation Vita Half Byte Loader (VHBL) is Motorstorm Arctic Edge (Motorstorm Raging Ice in Japan) and shared a video of it in action below!

As a result, Sony has officially removed the Motorstorm Arctic Edge title from PlayStation Store.

To quote: "Ok, so, since the PSN maintenance is being postponed, there is no reason for me to not give the name of the game used by Teck4 for his exploit:

The Game is Motorstorm Arctic Edge, also known as Motorstorm Raging Ice in Japan. It is available for 19.99 euro on most European Playstation Stores, 15.99 Pounds in the UK, and for 3800 yen on the Japanese store.

Note for North American readers: that game, despite being available on the US Store, is marked as not compatible with the Vita in the US. People who have bought it in the US and tried to transfer it to their vita have failed as far as I know, which is why a few days ago I recommended people in the US to get a European PSN account.

Now what's next?

Well it's simple and stressful at the same time: I'm giving you guys a couple days to buy a copy of that game if you think VHBL is worth it (and assuming you trust that I'm not lying), and then I'll release the VHBL files. There are pros and cons to this "2 steps" release. The cons are that you have to trust me, and there's a possibility Sony actually patches/patched something without me knowing it, the pros are that I don't think Sony will remove the game from their store until they actually have something to patch, so I think this gives you guys a couple days to buy the game.

Or, you can wait until I release the files and other people confirm it works, at which point you run the risk that Sony patches the exploit and/or removes the game from the store before you can even buy it.

Now, let me be clear once again: buy the game if you want to play it, I have no way to guarantee VHBL will work for you, I can just tell that a few days ago this was confirmed to work by a few testers.

Also keep in mind that VHBL gives you no iso, no special access to the Vita hardware, just a limited PSP homebrew experience on your vita. If like me you think it's fun, then you might be interested. Or, if you think that 20 euros is a fair price for one of the best PSP games, then, well, just consider VHBL as a "bonus".

VHBL has been confirmed to work on firmware 1.61. If your console asks you to update to firmware 1.62 or something, I cannot guarantee it will still work. It is also recommended, after you bought the game, to be paranoid and disconnect your console from the network, and to install openCMA. Again, there are lots of unknown things going on with the Vita, it is impossible for me to tell if this will work for everyone.

As far as I know, there are 5 versions of this game out there. I ported VHBL to 4 of them, and I am sure the fifth one is vulnerable too, but I couldn't find any place selling or "distributing" it, so I couldn't port the exploit to it. That being said, it should be "doable" if somebody can get a copy, to port the exploit to that version as well.

Finally, for those who want proof, here's a video:

I want to thank the people who made this release go as smoothly as possible, especially Teck4 and Mamosuke, HBL devs (in particular m0skit0 and JJS, thanks for lurking on the scene for so long, you guys are the real deal!) the mods at /talk who have helped a lot over the past week, the handful of devs/testers who know how to keep a secret (you know who you are), but also the thousands of /talk users who, for some of them, have been knowing the game's name for several days now, and haven't leaked anything.

You guys are truly an awesome community, you can of course now go ahead and let your friends know, or brag about how you've known about the game for a while and hold the secret. It was so far an awesome experiment, let's hope the result will be worth it!"

Too bad my Vita will arrive on 9th March (international delivery); hopefully someone finds another exploit by then.

#155 - ModderFokker - 147w ago
I shall wait and be ready master... for you to reveal our glorious future.

#154 - PS3 News - 147w ago
Following up on his previous update, today PS Vita homebrew developer wololo has announced that the PS Vita Half Byte Loader (VHBL) will arrive shortly after March 1, 2012 with details below.

To quote: "This has been a tough week for lots of you, coming to my blog everyday to see that no new information was available about the release of VHBL. Trust me, it's been a much tougher week for me, making sure things go according to my humble plan, coping with a few more issues than expected, and overall, taking all the insults about "being a faker" or "trying to boost my ego" without being able to say anything else than "please trust me".

Ok, let's reveal a few essential things here, starting with the bad news: The game used by Teck4's exploit is not available on the US vita store. Blame Sony and their "275 out of 900 PSP games available for your vita" scheme for this, not us. Part of the waiting time was to see if Sony would add this game to the US store at some point. It is obviously compatible since it is available in other continents, so my guess is that this is a marketing or a legal decision.

Long story short, people in the US who want to enjoy HBL on their vita, for now, will have to create a European (or HK, or JP,...) PSN account, buy a PSN card for that specific store (google for online shops that can sell you those and email you the code within a few minutes), and buy the game from there. A 20 euro card will cover the price of the game as far as I know (Update: a 20 pound card will be enough on the UK store).

This also means you'll have to "link" your vita to a European store every time you want to use HBL. Yes, it's super impractical, yes, it makes HBL even less likely to be interesting for you if you're in the US, but no, that clearly was not part of the plan. The game is, after all, available on the US PSN Store, just not for the vita.

I do not plan to wait even more until Sony adds the game to the US Vita store, since that could pretty well never happen, and is wasting everybody's time (people waiting for HBL in Asia have been waiting for this release for almost 3 months now, keep that in mind if you are one of the few who complained that you had to wait for a week). We waited a week for good measure, and saw that Sony is not adding PSP titles on a daily basis.

Waiting in hope for the game to be added to the US store is not the only reason that I "waited" for the release, but that's one of the reasons. Another reason is that there is a maintenance of the PSN, inconveniently scheduled on March 1st, that is, basically 2 days after I initially planned to publicly reveal the name of the game.

After discussing with a bunch of people, I've decided to wait until after the PSN maintenance to reveal the name of the game. Best case scenario, the game magically appears on the store and everybody's happy (I wouldn't dream about that), worst case scenario, the PSN update patches some of the vulnerabilities used for VHBL, and we're screwed. So we'll see...

I'm using the opportunity to remind everybody that HBL is only a PSP homebrew loader. The exploit and HBL do not give you any access to PSP isos, or vita isos, or the vita system, or anything like that. Even compatibility with PSP homebrews is limited, so basically you're better off getting a hacked PSP if playing homebrews is really what you want, and you're better off going elsewhere if piracy or pure vita hacking is what you're looking for. Basically, this hack is for those of us who want to be part of the "first step", however insignificant that step might be. Other people should not buy the game and then blame me for spending their money foolishly, the choice is entirely yours.

I'm just trying to cover my #ss here: don't go and buy a PSN PSP game for your vita if you're deeply expecting something useful out of this. You should buy the game first to play it, second, as a bonus, to get HBL to (maybe) work with it. Again, HBL has been confirmed to work by a few people already, but I cannot predict if Sony will do a magical trick to patch the game under our feet.

Unless something goes wrong, the name of the game will be publicly announced here on March 2nd, after the March 1st PSN maintenance (give me up to 24 hours, I'm not necessarily in the same timezone as you and I also have a real life). The files for VHBL itself will be available shortly after that."


#153 - PS3 News - 151w ago
Below is another update on how the PS Vita HBL release will happen from wololo via: wololo.net/wagic/2012/02/03/vita-hbl-how-the-release-will-happen/

To quote: "As the release of the PS Vita in the US and the EU gets closer, I’m getting an increasing amount of requests from people about HBL on the vita. I did post a FAQ a few weeks ago, but people still seem to have questions. When will it be released? Will it allow to run PSP isos? Will it work with a demo like for the patapon 2 exploit? Does it support this or that homebrew? etc…

Let me try to answer some of these questions, with more up-to-date answers.

First of all, the easy ones: VHBL (that’s the super new cool name of HBL on the Vita, I’ll let you guess what the V means, I know, I’m super original) will not support loading PSP isos. Basically VHBL will have the same limitations and features as HBL on the PSP, and, last time I checked, running psp isos was not possible through HBL.

The same HBL limitations apply to compatible homebrews. In a general way, user mode homebrews should work for the most part, while homebrews that require kernel access will not work. For now (but that could change), homebrews requiring network access might not work (or at least, the network part of them will not work).

Like in the patapon exploit era, it is possible, depending on the success of VHBL, that we progressively increase compatibility if we (as a community) keep improving the HBL code in the weeks following the release. Oh, and I am talking about PSP homebrews, running in HBL within the PSP emulator. So, for now, don’t dream about a full speed N64 or psp2 emulator. What we’ll get are the PSP homebrews that you already know.

Second, the vulnerability we rely on to run VHBL is a vulnerability in a full PSP game, not a demo. This means you will have to buy that game on the PSN in order to run VHBL (just like in the good old days of GTA:LCS for the first eLoader on the PSP). This also means that as soon as we reveal the name of that game, Sony can probably remove it from the PSN and/or patch it.

This leads to the most asked question: when and how will this be released? Well, I have a basic idea on how the release will happen. Nothing spectacular but it should hopefully be enough to guarantee that people who are really motivated in getting their hands on HBL on their Vita will get it. I’m hoping that constantly reminding people that this doesn’t allow them to run any pirated content will attract the right people to this exploit, and not the 95% of pirates that define any console hacking scene these days.

In the past weeks I’ve been polishing the release process, and I can’t predict the future, but hopefully it will go well.

Nevertheless, getting access to this exploit for you guys will be a matter of being at the right place, at the right time.

For now I’m thinking Sony’s reaction will be to remove the game from the PSN within 24h of the public announcement. Worst case scenario, Sony is already aware of the vulnerability and has already patched the game. This is unfortunately not something I can test without getting any more guinea pigs... these guinea pigs will basically be you when the release happens, I can’t really do any better than that.

Obviously, the release will not happen like your typical hack release (a dramatic article on every news site of the planet copying the hacker’s initial blog post). It will be, I expect, a bit more subtle than that.

Anyways, I added a page (wololo.net/wagic/vhbl/) on this blog where the VHBL downloads will be available, so if you’re waiting for HBL on your Vita, just check that page (and our /talk forums - wololo.net/talk/) regularly for updates."

#152 - Prince Valiant - 153w ago
I'm getting one as early as I can to get a low firmware model, provided it isn't too high.
