Hello everyone, it’s riddle43 here with a Q & A from one of the up and coming developers of the native PSVita hacking scene @BBalling1. He has been kind enough to let us dive into his mind to see what makes him tick, so here we go.
1) What made you leave?
We were making promising headway on a PSVita bug, but we ran into a wall and it seemed like it was going to prove unexploitable. I put in a lot of time on that bug and it was really disappointing to think it was all a waste. I will say it’s not that we’ve failed to exploit it, but that we have some really weird behavior we can’t explain yet, so it still could happen, I guess. At around the same time everyone got really busy and stopped talking as much. I started working a lot on Linux binary exploitation and CTF events, as well as non-Vita exploit tools. So I decided it wasn’t a good use of my time to keep poking at the Vita until I improved my skill set. I really think the biggest factor was the disappointment from that bug though.
2) What made you come back?
I just finished with a series of tests in uni and didn’t really have anything lined up to fill my time with. Smoke texted me to show me his work on pre-email package installer launching, and we started talking about different stuff going on with the vita. We’ve been friends for a long time and started talking, and he started telling me about progress he’d made while I was away. His work opened avenues that I wasn’t able to explore previously.
I started digging into one of them and a few hours later I realized I wasn’t going to be putting it back down any time soon. So this morning I decided to make it official.
3) What do you want to get out of the Vita hacks?
I really love binary exploitation. There’s nothing quite like the first time you get an exploit to work, even just a POC. I guess you could say I’m in it for the science. An added bonus is with gaming devices we usually get a huge homebrew community and it opens up the device to do all sorts of new things. Also there is the difficulty factor associated with the Vita. It’s a surprisingly secure platform, and instead of finding one major flaw that blows the device wide open we’re seeming to find lots of little bugs which all work together to get us further access. I like the challenge.
4) How difficult is it to find a native Vita hack?
Well, that’s a bit of a misleading question. With the PSP, just getting control over a stored ret pointer is enough to execute userland code. On the Vita, we’ve got ASLR and DEP in the mix, as well as very limited access to the files on the device. To even get binary executable access we had to break into WebKit and dump the binaries loaded into RAM. Actually getting into WebKit wasn’t very hard, although when I started on that I didn’t have much experience so it certainly took a while. So in that sense, “exploiting” the Vita isn’t that hard. However, there isn’t much we can do from within WebKit. Escalating from that into further access is another story. You have to be clever. I came up with a novel method to even hunt for the bug I mentioned earlier. So it’s really a matter of how much access you’re talking about. As for attacking it to the point of getting CFW? I don’t even have enough access to guess at how difficult that would be. Given the rest? I’d say hard.
5) What do you think about the scene trying to work together for a common goal?
What I’ve personally tried to do is encourage collaboration and teamwork within a subset of the people looking at the Vita. Due to the fact that a lot of the time all you get is a little bit more access, it really accelerates things when everyone shares. We’ve seen direct results of this with everyone coming together on memtools and later on JSoS. Much of the progress we made from within WebKit was directly due to collaboration. That being said, there is a mindset in gaming scenes especially of isolation and secrecy. It’s understandable. A single leak means potentially all of your access is cut off, patched immediately. You have to make a judgment call as to what to share with who, and that’s very difficult. We’re moving in the right direction, though.
6) Do you feel that leaks of any exploit hurt the scene as a whole?
Well, definitely. Whenever stuff gets leaked you immediately lose access. See, the reason a lot of exploits get held back, at least in my experience, is because they can be used to hunt for other exploits in a way which couldn’t be done without them. In addition, the person whose stuff got leaked is way less likely to collaborate in the future. Some unfinished projects have even been abandoned because of leaks. I’d think that’s a no-brainer.
7) What was the first system/game you hacked?
Hacked as in exploited myself? Or hacked as in using someone else’s exploits? Well, when I was in middle school we had a Wii and I installed the Homebrew Channel on it. It was my first exposure to homebrew and that culture in general. When I got my Vita, I was looking into developing homebrew for it but I only knew languages like Python or C# at the time. I reached out to acid_snake to ask him to help me with some PSP Python programming, and wound up developing a little bit for pymenu. I think it was a few months later I started looking through kernel assembly hunting for an exploit.
8) What’s your general feeling about bounty threads?
I wasn’t aware there were any, actually. But I think it makes some sense. Exploit development takes a huge amount of time and we’ve all got personal lives and economic worries, just like everyone else. And not to mention, the industry does it. Bug bounties on all sorts of software are quite common. I don’t really have a problem with it, but it’s definitely not a motivation for me. There are easier ways to make a buck.
9) What would you say to anyone wanting to learn to hack their Vita?
Well, I’d ask what skills you already have. Someone with a solid understanding of exploit techniques should hit me up about it. If you need to learn exploit techniques, and you have a good understanding of computer concepts in general (how binaries work at the assembly level, for example), you should take a look at “capture the flag” binary pwning challenges. There really isn’t a better way to learn than by doing, but the Vita isn’t a very good place to start. For the absolute beginner, learning Python, JavaScript, and C, perhaps developing some PSP homebrew as well, is a good place to start, but it’s gonna be a long road.
10) Anything else you would like to add?
I don’t want to get anyone’s hopes up about future exploits. There is a lot to be done before native homebrew loading will be possible, many hundreds (if not thousands) of man hours. That being said, I’ve really only been at this since August, and look what we’ve gotten done in that time. If we can keep encouraging interaction between devs and chipping away at the layers of our little handheld, we’ll get there eventually!
All of us here would like to thank @BBalling1 for taking time out of his day to chat with us.
And as always you can find me on Twitter @riddle43
That’s great to hear! 😀
Glad he is back; he sure does seem like a decent hacker.