
March 3, 2012 // 2:53 am - Following up on my previous post, below is a video demonstration for those interested, dubbed PS Vita Crash CMA Debug Time via Xcode Execution.

I just released a short video to show the crash and freeze of the PlayStation Vita system using Xcode execution. I also explain how to check all the information coming from the CMA to the PS Vita (debugger).

Below is a pastebin with the tutorial and the video that shows you something interesting. As I promised, I do what I said.

The tutorial to debug CMA for PS Vita under Mac OS X and Xcode:

CMA Debugging PS Vita Under Xcode Execution Tutorial

You need an Apple developer account to get Xcode, so that you can use your Mac OS X system as a development environment.

1- Launch Xcode (Spotlight -> Xcode)
2- Create an Empty Project (Mac OS X)
3- Enter any name as the Product Name (for example PSV)
4- A new window appears; change command-line builds to use Debug rather than Release
5- Click on Breakpoints
6- On the top menu of Xcode, choose Product, make a new scheme and name your new scheme (psv, for example), then press OK
7- A new window appears where you can edit your scheme. In the left menu you can see Run; click on it and edit the run configuration: Build Configuration -> Debug. For Executable you need to choose CMA.app: click on None, then Other, and choose CMA.app there. For Debugger you can choose either LLDB or GDB (GDB by default). Launch = Auto
8- Choose Diagnostics and enable every option: Memory Management (Malloc, Guard Malloc, Objective-C), Logging (Memory/Exceptions/Dyld), Debugger (Legacy -> Stop on debugger and debugstr). Click OK (don't forget to activate breakpoints before clicking OK)
9- Plug in your PS Vita and click on Run (if you are connected over Wi-Fi, just connect quickly and disconnect)

Xcode, the I/O framework, etc. are the best way to exploit the PS Vita under Mac OS X, and as you will see, Sony has strong access to your kernel and system, which I really don't appreciate, and can control everything.

The PS Vita also uses NFS (Network File System) and Open Remote System File, which ping-pong between the PS Vita and the Sony server.

Hope that helps some smart devs. And here is the video that shows you an example of what you can do.

Some PS Vita users asked me for the PS Vita Windows driver that I made. It's available on the older PS Vita 1.50 Firmware thread, but I re-uploaded the driver so that you don't need to search.

Download: PS Vita Driver (Nabnab)

Griever2Kx: it's up to you. If you want to use your PS Vita, use it and update; don't worry about the update right now. Anyway, FW 1.06 is a firmware with too many bugs that will give you some problems; it's unstable and some apps/games will not run correctly with this firmware. It's easier with 1.06 but also more unstable.

Video: PS Vita Crash CMA Debug Time via Xcode Execution Demo


#35 - D3mone - February 29, 2012 // 4:11 pm
Thank you, this will be useful to understand exactly how you achieved that and what the next step is to have native homebrews and not PSP homebrews.

And if you have time, I'm still willing to speak with you by live messenger, irc, skype...

#34 - Nabnab - February 29, 2012 // 3:54 pm
You can use the debug trick method with the libusb PS Vita Windows driver that I released over a month ago, but you also need to have the Windows SDK to have more control of your kernel and system, which lets you fix the stupid hierarchy control (register) and check the low-level program that controls your system/kernel, for example CMA.

After that I can't help you more under Windows; I don't like the instability of this OS, which doesn't let you do everything.

#33 - Nabnab - February 29, 2012 // 3:49 pm
1- It's the basics of the endpoints; I already explained what they are for, and I'm not going to repeat the endpoints again. Most USB drivers/exploits use the endpoints, and the spare control doesn't exist; you are talking about the bulk using a spare unallocated one (after using all allocated points). Also, if you check correctly, you can find the correct size of the data payload in the endpoint description (related to isochronous).

2- I was talking about the debug button trick that could be used under an old PS Vita firmware, which lets you go into a Debug USB/ARM mode; after that it's up to you to exploit the debug. Also, I wonder who is doing the blabla in here; don't be disrespectful. It reminds me of a person who talked like you, anyway.

3- Yes, that is more detail about the source of the SDK PS Vita/CMA, but I'm not going to talk about that (it was a detail that I added under my pastebin; it's a clue). The .h you will never find on the PS Vita; for the rest (connectivity, system, etc.) it's under the PS Vita.

4- Actually IOCTL is the abbreviation of I/O Control. All the info is here, but if you can't understand, it's better to stop here and wait (the Python script is not even related; the Python script is one of the ways to exploit the PS Vita and make an alternative driver) that helps to understand the PS Vita.

The IOCTL can be used with the IOKit framework, which is related to driver/system execution/control; that is what the CMA uses to transfer to/control the PS Vita (back to the endpoint, mister), and it exists also on Windows dev.

5- Like I said, stop here if you don't know how to use the endpoints, or try to learn; I'm not going to explain all that. I can help, yes, but not by explaining a story about the endpoints. If you are a software engineer, I wonder why you don't know that: an application related to driver execution needs to know where to write to load the USB hardware. Maybe you don't make applications related to USB control.

The log is only here to tell you where the information goes and what happens; it's also a help and the base where you need to watch. You need to go into development; I already said to use Xcode/IOKit Framework, OpenOCD, etc.
The communication is between 0x81 and 0x02; 0x83 interrupts the transmission. Use GetReport, which lets you check the control pipe, and check the raw report descriptor, which lets you understand more.

The complete explanation is here, with everything that you need for that. If you are looking for the easy way (like the debug trick method), forget about it; I never said it would be easy to use my method. That's why I'm working on an easy way that lets people just click and run.

6- Man page of ioctl, nothing more to say? Mmm, actually I show the man page of IOCTL, and that you need to launch a terminal under Mac OS/Linux/BSD (I'm not talking about Windows here; for Windows it's DeviceIoControl). For the rest it is more than useful: it shows what CMA controls when the PS Vita is connected to the USB port. As you can see, CMA works under kernel-mode control of the Mac OS system.

The thread of CMA communication:


If you can understand this, I can't help more, sorry.

7- It's useful because the CMA only works under a monitor mode to control the device. If you want to exploit USB hardware, you need to control the kernel of your own system to execute what you need without having problems with permissions, the Mach and also virtual memory. The control of the PS Vita is also here, which lets the PS Vita think the application is the right one (signature/encryption).

You don't need the internet anymore; you can control the transfer and even more. But like I said, you also need to know the ARM architecture better to understand how to write/read under an external signal.

8- I said that the debug trick mode was useful only with an old firmware and by using the libusb Windows driver that I released at the beginning of January. Stop insulting me and saying I'm evasive. If you can't understand, I'm sorry, but I'm not going to accept that style of conclusion. I gave many, many pieces of info and I'm still helping and explaining; the last pastebin shows you the link to understand the ARM architecture, and it gives you a lot of information about the debug, the JTAG, USB external signal, etc.

The CMA is the base, not the conclusion; IOCTL is the best part to exploit what you need. That already explains a lot; please check the ARM PDF and the endpoint/IOCTL recommendation.

#32 - Griever2kx - February 29, 2012 // 3:48 pm
Yeah! I know that this hasn't been patched at the moment, but from what I read, it's easier on lower firmwares to get access to it. (Nabnab said that it can't be patched... we will see)

Fortunately a friend of mine has a Mac...

#31 - racer0018 - February 29, 2012 // 3:26 pm
From what I have read, the exploit that was said to be on there is still on it after the update. I updated both of mine.

#30 - Griever2kx - February 29, 2012 // 11:29 am
No, I don't expect an ISO loader; I'm interested in developing better emulators for the Vita in the future. I'm still learning how to do this, but first I need a Vita.

Here's my other question: my Vita arrived at home today and has FW 1.06... When I get home from work, should I connect to the US SEN and download the Netflix app and go to 1.61, or should I stay on 1.06...

Thanks for the links, I'll look into it.

#29 - D3mone - February 29, 2012 // 11:11 am
Could you please answer my previous questions? This will help everyone. Thx.

#28 - Nabnab - February 29, 2012 // 1:46 am
About the 3DS, I can't answer that; I don't work on it. I heard about the E-Shop app and also spy-dump logging through the Wi-Fi (air packets).

About the Netflix app, it's a question of time. It's still available on the US SEN, and it's better to take every revision of this app now before any update, but it would be useful only for those who know how to exploit them.
I know that I can write inside the app without any problem, but I'm not good at that and it's not what I want to use; it's pretty useless for me to use this way.

We can go into Debug mode (no need anymore for the debug key tricks) and have full access to the CPU; the PS Vita being fully open is a question of time (for the rest, it would depend on some dev who wants to exploit this one). You are not wrong, but don't wait for an ISO loader or something like that; what I'm doing is using a bootstrap that lets you load something else.

Read this

Also, I forgot to recommend this for the devs who want to exploit the PS Vita/ARM.

#27 - Griever2kx - February 29, 2012 // 12:54 am
About the 3DS, there are new thoughts around hacking the E-Shop app... but first we need a dump of the internal memory... and so on. It's like we're stuck on something because the 3DS won't boot if the 3DS recognizes that something changed...

And you didn't answer my last question about the Netflix app... should I download the app from the US SEN, and do we really need it?

From what I read, we don't need the Facebook app, because we can get into Debug Mode and have full access to the CPU... with a little bit of reverse engineering we've got everything we need and the Vita should be fully ''open''... and even Sony can't patch it then, because from this point we should have full control over the Vita and find workarounds for Sony's FW updates...

Correct me if I'm wrong, because I haven't got a Vita yet. I hope my Vita arrives tomorrow.

#26 - D3mone - February 29, 2012 // 12:33 am
Impossible to reach you in private, so let's talk here.

I'm going to summarize what I understand and what I don't understand of each of your pastebins.

1 - It's only the description of the Vita's USB interface. We learn that there is only one configuration and 3 endpoints for it. The first, 81, is a bulk input, 02 a bulk output and 83 an interrupt in. And like every USB device, we maybe have a spare control endpoint, which is never listed in this kind of output.

2 - Here you talk about the old button trick to enable the debug mode and blabla. No more information...

3 - Here we have a list of things... Don't know exactly what it is... but it's funny that you talk about things like "SavedataSubFolder.cpp", "SavedataSubFolder.o".

I can understand that you found .h files inside the Vita filesystem, but .o and .cpp?! I don't get the point; how would you find source code directly inside the Vita filesystem?
Can you explain exactly what this list is? Where are those source files coming from?

4 - You talk about IOCTL to call the debug USB mode. IOCTL can be used to perform file and I/O control, and everything is based on a file descriptor (I guess the USB file descriptor). So you are saying that we will need IOCTL to communicate with the USB (but the small Python code you released uses PyUSB and not IOCTL)... Why not give us the complete explanation about what to do to enter debug mode?

5 - You said that you are exploiting the USB transmission/CMA program. I have a complete log of the USB communication between my computer and my Vita. But there isn't useful information (maybe I need to check it more deeply?). I see the talk between the PC and the Vita on endpoints 82 and 02, but nothing interesting. They only use bulk transmissions and I don't know what to learn from that...

6 - This is the man page of ioctl. Nothing more to say.

7 - It's an execution task (from CMA under Mac OS; that's why there are some functions starting with "mach_"). I don't understand how this can be useful? I understand that CMA calls can be ended by an IOCTL call by Mac OS, but I still don't understand how this can be useful? Could you explain that to me?

8 - You explain what the debug and monitor modes are. OK. You say that we need CMA and IOCTL to enter debug mode. But still nothing is clearly explained about how to trigger the USB mode. Please stop being evasive and give us more info. It will help everyone.
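The endpoint list the thread keeps returning to (0x81 bulk IN, 0x02 bulk OUT, 0x83 interrupt IN, and "the correct size of the data payload on the endpoint description") can be read straight out of the standard USB endpoint descriptors. The decoder below is an added example, not code from the original post or from any of the posters; the descriptor bytes are constructed to match those three endpoints, and the packet sizes and interval in the sample are assumptions, since the page gives none.

```python
# Decoder for standard USB endpoint descriptors (USB 2.0 spec, section 9.6.6).
# Added example; the sample bytes are constructed to match the endpoints named
# in the thread (0x81 bulk IN, 0x02 bulk OUT, 0x83 interrupt IN). The packet
# sizes and interval are assumptions, not values from the page.
import struct
from dataclasses import dataclass
ENDPOINT_DESCRIPTOR_TYPE = 0x05
TRANSFER_TYPES = {0: "control", 1: "isochronous", 2: "bulk", 3: "interrupt"}

@dataclass
class Endpoint:
    address: int
    direction: str   # "in" (device to host) or "out" (host to device)
    transfer: str    # control / isochronous / bulk / interrupt
    max_packet: int  # bytes per packet, low 11 bits of wMaxPacketSize
    interval: int    # bInterval, meaningful for interrupt/isochronous

def parse_endpoint(desc: bytes) -> Endpoint:
    """Decode one 7-byte descriptor: bLength, bDescriptorType, bEndpointAddress, bmAttributes, wMaxPacketSize, bInterval."""
    if len(desc) < 7:
        raise ValueError("endpoint descriptor is 7 bytes")
    length, dtype, addr, attrs, max_pkt, interval = struct.unpack("<BBBBHB", desc[:7])
    if length != 7 or dtype != ENDPOINT_DESCRIPTOR_TYPE:
        raise ValueError("not an endpoint descriptor")
    return Endpoint(address=addr,
                    direction="in" if addr & 0x80 else "out",  # bit 7 = direction
                    transfer=TRANSFER_TYPES[attrs & 0x03],     # bits 1:0 = type
                    max_packet=max_pkt & 0x07FF,               # bits 10:0 = size
                    interval=interval)

def parse_endpoints(blob: bytes) -> list:
    """Walk concatenated descriptors (as returned for a configuration) and return the endpoint ones, skipping other types by bLength."""
    out, i = [], 0
    while i + 2 <= len(blob):
        length, dtype = blob[i], blob[i + 1]
        if length == 0:
            raise ValueError("zero-length descriptor")  # refuse to loop forever
        if dtype == ENDPOINT_DESCRIPTOR_TYPE:
            out.append(parse_endpoint(blob[i:i + length]))
        i += length
    return out

# Constructed sample: an interface descriptor (9 bytes) then the three endpoints.
SAMPLE = bytes([
    0x09, 0x04, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x00,  # interface, 3 endpoints
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,              # EP 0x81 bulk IN, 512
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,              # EP 0x02 bulk OUT, 512
    0x07, 0x05, 0x83, 0x03, 0x40, 0x00, 0x08,              # EP 0x83 interrupt IN, 64
])
```

`parse_endpoints(SAMPLE)` yields the three endpoints with their direction, transfer type and packet size; feeding it the raw configuration descriptor bytes from a USB capture gives the same breakdown for a real device.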