After the announcement that the Vita’s f00d processor was officially hacked by xyz last week, today yifanlu released a pack of tools which allow us to decrypt backup files and, building on that, enable some neat tricks on older and even newer firmware!
The technical part (a very short version)
After xyz and proxima investigated the f00d processor and its tasks further, they ‘stumbled’ upon a neat trick which basically let them brute-force the secret key used for the backup crypto operations! Of course, said key is different for each individual (for each PSN account, to be exact) and can’t simply be shared. So you will still need a hacked Vita to obtain your personal key first, and this is where yifanlu’s tools come in handy.
If you are interested in cryptography and AES-256 rings a bell, you should definitely read yifanlu’s blog post, where he was kind enough to explain in full detail how it was done: https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/
What this means for you and what can be done now
Once again, for the more technically inclined readers, here is the detailed explanation of what each tool does, but the short version is that we will be able to extract, modify, repack and reinstall backups on every firmware, and probably on most firmwares to come!
For end users this will once again allow some neat tricks like enabling the whitelist hack for PSTVs, X/O button swapping, ePSP homebrew, PackageInstaller, custom themes and probably even more in the future. Furthermore, and this is what is interesting for all researchers and exploit hunters out there, it is a great thing because it opens up new points of attack for tampering with the filesystem.
However, as the whole process can still be quite hard for inexperienced users, they are advised to wait until the community provides pre-built solutions for these tricks.
To quote Yifan himself:
My hope is that other people will take my tools as building blocks for a user-friendly way of enabling some of the tricks above, as currently the processes are pretty involved. This also increases the attack surface for people looking to find Vita exploits, as parsing of files that users normally aren’t allowed to modify is a common weak point.
So you know what to do sceners! 🙂
Thank you xyz, proxima, yifanlu, Davee and everyone else involved. It is one thing to break a system and supply everyone with user-friendly hacks for free. But planning everything that insightfully and explaining the methods in that much detail shows true passion and love for the hardware. Thanks guys!
You no longer need a vita to derive your AID for CMA backup decryption. Use this: https://t.co/JB4Futqtnr
— Davee (@DaveeFTW) February 20, 2017
Download psvimgtools: github.com/yifanlu/psvimgtools/releases (Windows, Linux and OSX)
More Info about PSVIMG backups: wiki.henkaku.xyz/vita/PSVIMG
Source and release post: yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/