Guide to Porting VHBL (PS Vita Half-Byte Loader) Game Exploits


152w ago - This weekend PlayStation Vita developer wololo has made available a guide to porting VHBL (PS Vita Half-Byte Loader) to individual game exploits for those interested.

This news follows the recent Motorstorm Arctic Edge and Everybody's Tennis PSP / PS Vita game exploits.

Below is the guide, to quote from his blog (linked above):

This guide assumes that you found a user mode exploit in a game, and that you were able to write a binary loader.

So now what’s next? Well, as you probably know if you’ve gone that far, the PSP scene doesn’t really like “hello worlds”. A hello world is nice, but it accomplishes nothing, it just draws Sony’s attention to your exploit, and you know the vulnerability will be patched soon, while nobody really used the exploit.

Well, the next step is, ideally, a HEN or a custom firmware. Of course, this requires a kernel exploit, and we know how difficult these are to find. A much more doable task, that will make lots of people happy, is to port HBL to your exploit. HBL opens the door to lots of legal content on the PSP and the Vita, and we designed it so that porting it to your game exploit can be done fairly easily.

This tutorial is valid at the time of its writing, for all games, and up to firmware 6.60 (Vita firmware 1.61). In theory, HBL will work on future firmwares, but of course new kinds of security might be introduced in new firmwares. Additionally, depending on your game (and its function imports), the compatibility and speed of homebrews might vary.

0. Easy as pie

HBL was designed to be easily ported to new game exploits. Most game-specific files (except one) go in a subfolder that I will describe below. To complete this tutorial, you need basic shell skills, a working pspsdk, a working game exploit and the associated binary loader / hello world, a ruby interpreter, and basic ruby skills (usually, if you know any other scripting language, you’ll figure it out easily, there are not so many changes required).

1. Get the HBL sources and compile them

The first step is to get the HBL sources, compile them, and if you’re motivated, test them on an existing game exploit, to make sure the copy you have works correctly. (As I write this, it is recommended to test compilation with either the Motorstorm or the Everybody’s Tennis exploits, as we might have broken backwards compatibility with older exploits.)

The sources of HBL can be downloaded here (SVN client required: http://code.google.com/p/valentine-hbl/source/checkout)

In order to compile it, you need the PSPSDK (which you probably already have if you wrote a binary loader). Compilation is fairly easy, but in order to compile the HBL for a specific exploit, you have to specify the folder of the exploit. For example, make FOLDER=lifeup will compile HBL for the Motorstorm (EU) exploit.

2. Create your own exploit’s folder

As you guessed, you will create a folder dedicated to your own exploit. Let’s imagine your game is called wololo, then you can create a subfolder “wololo” in the eLoader folder. Basically, we want to reproduce the files that are in this folder for another exploit, and adapt them to our exploit. Let’s have a look at the lifeeu folder:

The folder contains 6 files and 1 folder (which contains 1 file) that you will want to adapt to your exploit. I will describe each of them separately. Most of these files are automatically generated by a script, so this should be fairly simple.

3. Create your exploit’s files

linker_loader.x

This is the linker file for h.bin. If you created a binary loader and a hello world, you already have this file from your hello world, and most likely you named it “linker.x“. Copy linker.x from your hello world to linker_loader.x. Done!

sdk_loader.S

This is the sdk for h.bin. If you created a binary loader and a hello world, you probably already have this file, and named it sdk.S. Copy sdk.S to sdk_loader.S. If you don’t have this sdk, you can create it either by running prxtool on the EBOOT.BIN of the game, or by using the moskitool (a ruby version of the moskitool can be found in the eLoader/tools folder of the HBL). Most likely, if you created a hello world, you already have this file so I won’t give more details for now. Done!

config folder, exploit_config.h, sdk_hbl.S, loader.h

The contents of the config folder, as well as sdk_hbl.S, loader.h, and most of exploit_config.h (details below for exploit_config.h) are automatically generated by a ruby script that you can find in eLoader/tools/gen_exploit_config.rb.

The gen_exploit_config.rb has 2 “modes”, but I will only describe the first one, which is required the first time you adapt your exploit. You need to have a usermem dump named memdump.bin (that you acquired from psplink with the command savemem 0x08800000 0x01800000 memdump.bin). Important note: For Vita compatibility, that dump must be done on a PSP running firmware 6.60. In addition to memdump.bin, you need a list of UIDs from the same psplink session, that you will name uidlist.txt.

You can get that file by typing uidlist > uidlist.txt in psplink. That file needs to be in Unix format, so be sure to convert it if you are running Windows. Finally, you need a file named sdk.S, which is nothing else than the sdk.S you created for your game exploit, the one we just named sdk_loader.S above.

Put these 3 files (memdump.bin and uidlist.txt obtained from the same psplink session, as well as sdk.S from your exploit) in the tools folder, and run gen_exploit_config.rb.

This should display a list of addresses (you will want to copy these addresses inside the stubs array of gen_exploit_config.rb so that other people who want to improve your exploit won’t need a memory dump/uidlist anymore, although they will still need the sdk.S file), and generate a series of files in the tools/output subfolder.

The files generated by gen_exploit_config.rb in the output folder can be copied “as is” into your game’s folder.

Final edits to exploit_config.h

You’re almost done, but the file exploit_config.h needs to be edited in two places, that you will find because they say “TODO” in big letters.

HBL_LOAD_ADDRESS: This is where you will load HBL in RAM. You want a value that is outside of the boundaries of the game, and basically, a place where the PSP will accept to allocate roughly 200kB. You can get such an address in psplink while the game is running by typing malloc 2 test l 204800.

HBL_ROOT is the name of the folder where your exploited savedata is. That folder name looks like ms0:/PSP/SAVEDATA/UCUS12345000. Important note: my tutorial on how to create a binary loader assumes you will load a file named ms0:/h.bin. On the PS Vita, this is not possible anymore, so you will have to adapt your binary loader in order to load the exploit from ms0:/PSP/SAVEDATA/XXXXXXX/h.bin (where XXXX is the folder of your savedata). In the Vita version of HBL, all HBL files go in that folder, and there is no subfolder.

linker_hbl.x

Copy linker_loader.x into linker_hbl.x, and replace the address value with the value of HBL_LOAD_ADDRESS that you figured out earlier while creating exploit_config.h. Done.

4. Compile

  • Run make FOLDER=yourfolder (alternate ways: make distrib FOLDER=yourfolder to remove debug messaging, make nonids FOLDER=yourfolder to remove NIDs-related heavy debug messaging)
  • You’re done, grab the h.bin and hbl.bin in the root, the config folder from your exploit’s folder, and the libs_… folders from the root. You now have the meat of your HBL port ready.

5. Last but not least

HBL is licensed under the GPL. If you plan to distribute your compiled binaries, it is required that you provide your source code as well. Don’t make us ask for it.

This tutorial is voluntarily vague. Porting HBL is fairly easy, but we assume that if you made it that far, you probably are skilled enough to do some research on your own. Nevertheless, don’t hesitate to ask questions if you are running into problems.

You are allowed to reproduce this article on other websites and/or translate it on condition that you put a clear link to this page in your copy.

6. More details

Porting VHBL is simple in theory, but many games do not import some functions that are necessary for HBL to run properly. One goal of the script gen_exploit_config.rb is to analyze the imports of your game (this is why the sdk.S is necessary), and define some workarounds in exploit_config.h in case your game does not have all the necessary exports. This should work in most cases, but that script is still experimental and might make mistakes. Below are a few details on some of the “define” sections it creates:

TH_ADDR_LIST, EV_ADDR_LIST, SEMA_ADDR_LIST, and GAME_FREEMEM_ADDR can be computed for you by the tool eLoader/tools/freemem.rb. For that you will need a memory dump and a file uidlist.txt which is the output of the uidlist command in psplink (uidlist > uidlist.txt). It is important to note that the memory dump and the uidlist need to be from the same session, otherwise the addresses will be incorrect. If you’re on Windows, also make sure that the uidlist.txt file is in the Unix format (use your favorite editor to convert it if needed). For those interested, here are some technical details about those variables, but basically the tool should do it for you.

TH_ADDR_LIST is the list of threads you want to kill. Threads are defined by a SceUID, but since this value changes all the time, what we actually want is the addresses where they are defined. In psplink, while your game (or your hello world) is running, you can get a list of these threads by typing thlist. Then look for each thread’s uid in RAM. The address (hopefully unique) where the thid is defined is what you want to put in this list.

EV_ADDR_LIST is the list of events you want to kill. You get this list by typing evlist in psplink. The rest is similar to the construction of TH_ADDR_LIST.

SEMA_ADDR_LIST is the list of semaphores you want to kill. You get this list by typing smlist in psplink. The rest is similar to the construction of TH_ADDR_LIST above.
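As an added example (not from the HBL repository or wololo's tools), a Ruby script that does the RAM search described for TH_ADDR_LIST, EV_ADDR_LIST and SEMA_ADDR_LIST: it reads the UIDs from a psplink-style listing, searches a usermem dump taken with savemem 0x08800000 0x01800000 for each word-aligned occurrence, flags UIDs that are not found at exactly one address, and prints the unique hits as a define. The listing lines, the sample dump and the #define shape are assumptions; real thlist output and HBL's macro format may differ.

```ruby
# Added example, not part of HBL or wololo's tools: find the RAM address at
# which each thread/event/semaphore UID is stored (the step the guide does by
# hand in psplink) and turn the unique hits into an *_ADDR_LIST define.
# Assumption: the dump was taken with `savemem 0x08800000 0x01800000`, so
# file offset 0 is address 0x08800000 (the PSP user memory base).
USERMEM_BASE = 0x08800000

# Constructed listing in the spirit of psplink's thlist; real output differs.
# Only the "0x........" UID and the "Name:" field are used.
SAMPLE_THLIST = <<~TXT
  UID 0x04A1B2C3 Name: user_main
  UID 0x04D4E5F6 Name: sound_thread
  UID 0x04123456 Name: not_in_dump
TXT

# Pull (name, uid) pairs out of the listing; lines without a UID are skipped.
def parse_uids(text)
  text.each_line.filter_map do |line|
    m = line.match(/0x([0-9A-Fa-f]{8}).*?Name:\s*(\S+)/)
    m && [m[2], m[1].to_i(16)]
  end
end

# Every word-aligned address in the dump holding `uid` as a 32-bit
# little-endian value (how the PSP's MIPS core stores a SceUID in memory).
def find_uid_addresses(dump, uid, base: USERMEM_BASE)
  data   = dump.b                 # search as raw bytes, not as text
  needle = [uid].pack("V")        # 32-bit little-endian
  addrs  = []
  off = data.index(needle)
  while off
    addrs << base + off if (off % 4).zero?   # unaligned hits are noise
    off = data.index(needle, off + 1)
  end
  addrs
end

# Resolve each UID and record whether its address is unique; a UID found at
# several addresses (or nowhere) must be checked by hand, which is what the
# guide's "hopefully unique" is about.
def addr_list_for(dump, uids, base: USERMEM_BASE)
  uids.map do |name, uid|
    hits = find_uid_addresses(dump, uid, base: base)
    { name: name, uid: uid, addrs: hits, unique: hits.size == 1 }
  end
end

# Emit the define for the unique hits. The brace-list shape is an assumption;
# copy the addresses into whatever form your exploit_config.h already uses.
def format_define(macro, entries)
  addrs = entries.select { |e| e[:unique] }.flat_map { |e| e[:addrs] }
  "#define #{macro} { #{addrs.map { |a| format('0x%08X', a) }.join(', ')} }"
end

# Constructed 64-byte stand-in for memdump.bin with UIDs planted in it: one
# stored once, one stored twice (ambiguous), plus an unaligned copy (ignored).
def build_sample_dump
  dump = ("\x00" * 0x40).b
  dump[0x10, 4] = [0x04A1B2C3].pack("V")   # -> 0x08800010
  dump[0x21, 4] = [0x04A1B2C3].pack("V")   # unaligned, must not be reported
  dump[0x2C, 4] = [0x04D4E5F6].pack("V")   # -> 0x0880002C
  dump[0x30, 4] = [0x04D4E5F6].pack("V")   # duplicate -> 0x08800030
  dump
end

if __FILE__ == $PROGRAM_NAME
  dump    = ARGV[0] ? File.binread(ARGV[0]) : build_sample_dump
  listing = ARGV[1] ? File.read(ARGV[1]) : SAMPLE_THLIST
  entries = addr_list_for(dump, parse_uids(listing))
  entries.reject { |e| e[:unique] }.each do |e|
    warn format("check by hand: %s (0x%08X) has %d hit(s)", e[:name], e[:uid], e[:addrs].size)
  end
  puts format_define("TH_ADDR_LIST", entries)
end
```

Run it as ruby find_uids.rb memdump.bin thlist.txt to use a real dump and listing; with no arguments it runs on the constructed sample.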

GAME_FREEMEM_ADDR: this is the address in RAM where the game’s memory was allocated. Most games have this, but for those that don’t have it (patapon2), this value can be commented out. To find this value, type uidlist in PSPLink and look under the SceSysMemMemoryBlock section. You’re looking for blocks that have a 0xFF (user) attribute (not 000!), and are not “stack”. In the golf exploit, this block was simply called “block” and was easy to find. Again, you’re interested in the entry address, not the uid.

UNLOAD_ADDITIONAL_MODULES: define this variable if possible. Comment it out only if you run into issues at the “free memory” stage of HBL.

Other variables: The variables above are the basics of the config file. With those, HBL should basically work, or at least take you to a step where you can start debugging. But with time, HBL has grown and has been updated by several people. In order to maintain backwards compatibility and increase game coverage, several config values were added to the exploit_config file.

DISABLE_P5_STUBS is useful if you run into a crash/freeze even before hbl is loaded (just after firmware detection). SYSCALL_* are used for perfect syscall estimation on firmwares where this is available (TODO: explain syscalls estimation), etc. At this point you will probably need to dig in previous exploit_config.h files in order to find more on each macro you can possibly define.




Comments

#141 - valid93 - 163w ago
Thanks

#140 - PS4 News - 163w ago
Cheers for the news GrandpaHomer, I have now promoted it to the main page and +Rep for submitting it!

#139 - GrandpaHomer - 163w ago
Following up on the previous PlayStation Vita System Software updates, today Sony of Japan has released PS Vita version 1.52 Firmware update.

Download: PS Vita 1.52 Firmware Update (JPN)

As usual, the Sony PlayStation Vita 1.52 Firmware update is a mandatory install. According to Andriasang.com the PS Vita update is simply another small bug fix.

To quote: "A number of Vita owners are saying via Twitter and blogs and so-forth that the update fixes a version 1.51 bug where the 3G system would not recognize your SIM card."

So far I'm unaware of any visible changes in the system or settings, however, this article will be updated as a change log becomes available on Sony's official PS Vita Web site.

System software version 1.52 for PlayStation Vita Update:

  • From January 16, 2012, the update to system software version 1.52 began.

To use some PlayStation Network features, updating the PS Vita system software is required. Updating the system software also adds features and can enhance security. Please update to the latest version.

The main features in system software update version 1.52:

  • The operational stability of the system software has been improved.

Finally, wololo reports (wololo.net/wagic/2012/01/16/forced-firmware-update-1-52-for-the-ps-vita/#more-3875), to quote: "Mamosuke confirmed to me today that Teck4's exploit for the PSP Emulator in the vita is still working on 1.52.

Note that it doesn't guarantee 100% that some of the techniques used to get HBL to work on top of this exploit haven't been patched, as I haven't tested myself. But for now I'm confident. I might update to test that, at some point."


#138 - PS4 News - 163w ago
Today PS Vita hacker wololo has made available a Half Byte Loader (HBL) development FAQ for those interested in progress thus far on Sony's PlayStation Vita handheld console.

Also below he states that he has ported HBL for Teck4's exploit successfully and updated to EU/US versions.

To quote: I managed to port HBL to the US version of Teck4's exploit in exactly 45 minutes (including writing the savedata exploit and the binary loader), which is a new personal record, thanks to the scripts included in HBL's repository, and also to the fact that the different versions of the game are internally fairly similar (which is to be expected because technically the game is supposed to be the same, just translated, but I seem to recall it wasn't that easy for the Hotshots golf exploit)

I also updated the EU/US versions of this HBL port to get the tweaks I worked on for the past weeks in order to get a fair amount of homebrews to work.

The next step for me is to write a bit of documentation on how to use all this, and then patiently wait. As far as a release is concerned... well check the FAQ I wrote yesterday.

I could spend time polishing this port of HBL for the Vita, improve compatibility, and I might do it, but since there's a high risk this gets used by only a small amount of people before it gets patched, I'll probably leave it in its current state for now. It's probably not worth working too much on the details if nobody ends up using it. Of course if by some sort of miracle this doesn't get patched immediately by Sony, I'll update it accordingly.

Now let's all wait (I'm probably more excited than anybody else about this release, really...)

A FAQ for HBL on the Vita

We've seen through Teck4's exploit that PSP exploits run flawlessly on the PSP emulator of the Vita. I've spent the past 3 weeks working on leveraging Teck4's exploit and port HBL to it. I've been receiving lots of questions (probably from people who haven't used HBL back when it was the only possible way to play homebrews on the PSP Go) and will try to answer them here.

What is HBL?

HBL stands for "Half Byte Loader". This is a homebrew loader for the PSP, which was written initially by m0skit0, then improved and maintained by a bunch of devs including myself (those two links are good old memories, when HBL wasn't loading a single homebrew properly). It basically allows running fanmade games, emulators, etc. on the PSP. We've found that it can run on the PS Vita through the PSP emulator.

Will this allow running PSP backups (isos)?

Although in theory that would be possible, HBL only has access to the PSP "user mode" which is fairly limited. Practically, all teams who have tried to create an iso loader in user mode on the PSP have failed so far.

Will this allow running PS Vita game backups?

No.

Does this give us access to the Vita hardware (touch screen, etc)?

No. HBL accesses the hardware through the PSP emulator, and therefore only has access to what is mapped to the PSP controls. It also only has access to 32MB of ram, etc

Does this give us possibilities to hack the vita further?

Most likely not. HBL is stuck in user mode, in a sandboxed emulator. To get access to Vita information, we would need first to get kernel access in the emulator (through a psp kernel exploit), and then find other exploits in the emulator/OS itself to break away from the sandbox (which, if the Vita OS is as secure as I think it is, is close to impossible)

But will it give us more horsepower than the psp? Can we expect emulators to run faster, etc?

This still needs to be investigated deeper, but from what I've seen, not really. Memory stick access is definitely faster on the vita (Wagic loads between 5 and 10 times faster on the vita than on a psp go), but the rest seems to follow the psp limitations (as one would expect from an emulator)

Will this be made public?

Yes. Teck4 (who found the exploit) and I agreed to making this public at some point.

When will this be made public?

Some time after the Vita is released worldwide.

I heard Sony can patch this very easily as soon as it's made public?

Yes. Since this uses a vulnerability in a PSP game, as soon as they know which game it is, Sony can remove the game from the PS Store. Once they do that, they can patch the Vita firmware to reject the "malicious" files (either by preventing them from being copied through the content manager assistant, or by patching the PSP emulator, or by patching the PSP game, etc). At that point, people who don't already have the game on their console won't be able to use HBL. Also, people who do have HBL will need to never upgrade their firmware, will have to use some tools such as OpenCMA in order to copy files to the vita, and will be locked out of the PS Store as long as they want to use homebrews.

So shouldn't you keep this under wraps instead?

Meh, it's not like anything is really secret here besides the name of the game. It's already pretty sure this is not useful for hacking the vita further, so even if it gets patched I don't think we will lose "too much".

No iso, no access to the vita internals, and Sony will patch it as soon as it's out, so basically it's useless?

Yes and No. Technically, a hacked PSP is way cheaper and will allow you to do more than that. But this is, as I write these lines, the only way to run unsigned code on the Vita, which in itself makes it a great achievement (and it's always cool to show your friends that your Vita can run Mario, and theirs can't). Also, it didn't take too much time to adapt since most of the code was already available from our past work in the psp scene. It would have been even more useless to say "oh yeah, interesting, we can run psp exploits on the vita" and not do anything with it.

How do you copy/install homebrews to the ps vita, since it cannot be mounted as a regular usb drive?

This will be explained when HBL is released.


#137 - Bartholomy - 164w ago
Awesome, thanks

#136 - smokyyuwe - 164w ago
Virtuous Flame released an update to his Open CMA tool a few days ago. Open CMA allows you to connect your PlayStation Vita to your PC through the Content Manager without needing to be connected to the internet. This is useful if you need to transfer some files while away from your network, or simply if like me you don’t see why it should be required to be connected to the internet when you transfer files between two pieces of hardware you own.

This update (revision 3) patches the PC side of the content manager further, preventing it from auto updating. Without this patch, Sony’s driver is silently updating itself whenever it’s connected to the internet even if you were using open CMA so far, which makes this r3 an important update.

Download source: wololo.net/downloads/index.php/download/1252

Source: wololo.net/wagic/2012/01/10/virtuous-flames-open-cma-r3-released/

#135 - Bartholomy - 164w ago
Superb. I hope to see more and more about PSVITA hacking

#134 - NTA - 164w ago
>_> at 0:41 I usually die of don't jump or duck. I don't see how that's possible.

Sucks that gpsp doesn't work yet. Really looking forward to that

#133 - PS4 News - 164w ago
Today PlayStation Vita hacker wololo has shared a video (below) demonstrating several PSP homebrew applications and emulators running on PS Vita using their Half-Byte Loader (HBL).

To quote: In the past days I stabilized HBL for Teck4's exploit and got some major homebrews to work.

In the video below I'm showing a few homebrews running on the PS Vita. I also included Picodrive again to show that fixing the sound issue is relatively easy as it is just a setting in the emulator. Check the video below.

You can see in this video snes9xTYL (super nes emulator), Bookr (pdf reader), CSPSP, T.O.M.E. (text mode rpg), EmuMaster (game boy emulator), Zombie Crisis (FPS), Wagic (which loads about 10 times faster than on a real PSP, this talks for the improved access speed of this new memory stick format), cavestory (platform/adventure), Picodrive (sega genesis emulator), Spider solitaire, ScummVM (point-and-click adventure), Daedalus (N64 emulator, this is not DaedalusX64), FCEU-PSP (Nes emulator). Those are more or less the homebrews I recommended to HBL users back when HBL was big.

Missing from this video is (unfortunately) gpsp which I couldn't get to run on the Vita, while it ran fine on the PSP. What I could see is that the emulator is more sensitive than the PSP when a thread that's currently not running crashes. I think (not sure) that gpsp somehow crashes HBL.

On the PSP it usually means that once you quit gpsp, HBL crashes. On the vita it seems to crash as soon as gpsp does “something wrong” to hbl, which is roughly as soon as it loads.

I got major homebrews to work, and now I'll focus on reporting this to the EU and US version, which both need to be brought up to speed with these latest changes.

From what I could see, syscall estimation basically doesn't work (which is what JJS discovered a while ago when porting HBL to 6.60), which will limit the amount of homebrews that can be played with this exploit, but as you can see on the video, I got a few good ones to run already

A message to haters who say I'm reusing other people's work from the PSP scene and not contributing anything new: ask yourself who made it so easy to port HBL to new game exploits in the first place.




#132 - Nabnab - 164w ago
No big update on my work, but here is the PS Vita libusb driver I made for Windows (x86/x64). You don't need to use Sony's generic PS Vita driver anymore.

Oh yes, just to clarify about the 3 python scripts I made: this is nothing compared to the full script I'm making; the 3 scripts are there to show you that you can communicate with the PS Vita. About the helloworld, funny how some people didn't understand how the python script works.

First: I ask if the PS Vita is connected to my computer.
Second: I ask the PS Vita for the information of the USB configuration.
Third: I send a message to the PS Vita and the PS Vita confirms the reception with a Hello World.
The PS Vita can't really answer a question but can confirm that it received it. I write the answer Hello World for the PS Vita to confirm that the message I sent to it was received; if the PS Vita didn't receive the message, I would get an error and not the printed hello world.

It's like every Hello World: you write the HelloWorld and the product shows the Hello World, but the product doesn't understand what that means.

You need to think that there are different possibilities to make a hello world possible on every platform.

Sure, the Hello World is not impressive, but like I said it's one of the investigations that shows you where to work.

More info about the USB PS Vita

USB_BUS_INTERFACE_USBD1_V1
Size 0024h
Version 0001h
BusContext B3B72BC8h
InterfaceReference 8C8214B9h
InterfaceDerefence 8C830ADBh
GetUSBDIVersion 8C8305C9h
QueryBusTime 8C8155CFh
SubmitIsoOutUrb 8C830365h
QueryBusInformation 8C830476h
IsDeviceHighSpeed 8C82287Bh

 
