Yifan Lu Announces HENKaku - A New Native Vita Homebrew Enabler for 3.60.

nerdcoremc · Aug 9, 2016

You are amazing, thank you.

memomo · Aug 9, 2016

Can we have custom themes as .vpk ? That would make it super easy to install/swap

metroid maniac · Aug 9, 2016

Rizzorules said:
What do we need to decrypt game executables?

Probably a kernel exploit.
Without that we can't dump RAM to get decrypted executables directly, and we also don't know or haven't implemented the algorithm used to decrypt executables when loading them (though if my understanding is correct and the Vita's NPDRM engine resembles the PS3's, we should already have access to the act.dat and .rif data used for decryption. Could very well be wrong though).
A public kernel exploit would make either of these a possibility.

cearp · Aug 9, 2016

metroid maniac said:
Probably a kernel exploit.
Without that we can't dump RAM to get decrypted executables directly, and we also don't know or haven't implemented the algorithm used to decrypt executables when loading them (though if my understanding is correct and the Vita's NPDRM engine resembles the PS3's, we should already have access to the act.dat and .rif data used for decryption. Could very well be wrong though).
A public kernel exploit would make either of these a possibility.

henkaku has a kernel exploit, so we should be ok

just a short wait i imagine

Duo8 · Aug 9, 2016

About dumping from memory: what about aslr?

metroid maniac · Aug 9, 2016

Duo8 said:
About dumping from memory: what about aslr?

Then just find the offset the executable is loaded at. If you have complete access to memory that's fine.

chocoboss · Aug 9, 2016

Since henkaku is a kernel exploit ram dump should be ok. I don't know how do aslr work exactly, but since it only randomiz where the processus is stores it should not be a real problem.

But it seems too easy. If we start a commercial game it will be decrypted and them loaded in memory but is this enought ? Is it possible to just export the memory part where it is stored and use it as it ? Not sure at all

tuxdude143 · Aug 9, 2016

chocoboss said:
Since henkaku is a kernel exploit ram dump should be ok. I don't know how do aslr work exactly, but since it only randomiz where the processus is stores it should not be a real problem.

But it seems too easy. If we start a commercial game it will be decrypted and them loaded in memory but is this enought ? Is it possible to just export the memory part where it is stored and use it as it ? Not sure at all

I highly doubt it would be that easy.

Duo8 · Aug 9, 2016

chocoboss said:
Since henkaku is a kernel exploit ram dump should be ok. I don't know how do aslr work exactly, but since it only randomiz where the processus is stores it should not be a real problem.

But it seems too easy. If we start a commercial game it will be decrypted and them loaded in memory but is this enought ? Is it possible to just export the memory part where it is stored and use it as it ? Not sure at all

Or just have the system decrypt it, like with the 3DS.

Also the aslr implementation in the vita might be more complicated,not sure though.

Inaki · Aug 9, 2016

tuxdude143 said:
I highly doubt it would be that easy.

ASLR helps next to nothing on protecting from dumping if you already have kernel execution. ASLR protects against "first entry" on a exploit, that's why ROP shellcodes are used instead of classic shellcodes. But once you are executing code in kernelmode, in which you may have kernel modules' base(s) resolved or you can scan memory in several ways, it's just a matter of using some old tricks. Then you probably have kernel API functions to locate modules or you can scan memory again. For kernel module base obtention you can use ARM's architectural registers ( for system interrupts/syscall ), page tables, etc. as hints from where to start scanning backwards ( to lower positions ) for SCE / ELF headers or others. And for usermode processes' modules' base addresses you have other similar things you can do even without kernel's help.

EDIT: Actually, ROP is used because of non executable stack/heap; but ASLR makes ROP pointers to gadgets difficult to setup, because of the lack of code addresses knowledge. So, in order to prepare a successful ROP ( with proper prointers pointing to the needed code gadgets ), the kernel ( or other module ) base address must be calibrated somehow. HENkaku does this as well, so no problem here.

EDIT2: I guess the pointers leak in the stage 2-3 on henkaku reversing is the key to this calibration.

sj33 · Aug 9, 2016

ayy lmao said:
I guess I'll leave my vita on 3.60 for a few months to see if the scene grows tremendously with more emulators and apps. If it doesn't I guess I will have to update or buy a new vita or a pstv.

The Vita scene is already larger and more active than the Wii U scene, iso loaders aside.

insidexdeath · Aug 10, 2016

Apparently, someone dumped a decrypted game, ToH: Trails of Cold Steel. Not sure if it works, and I don't have a Vita on me.

As far as I know, the eboot needs to be decrypted to be able to run the game, but who knows, the pastebin link I found it on claims that the game is decrypted, don't know if the eboot is also decrypted though.

metroid maniac · Aug 10, 2016

insidexdeath said:
Apparently, someone dumped a decrypted game, ToH: Trails of Cold Steel. Not sure if it works, and I don't have a Vita on me.

As far as I know, the eboot needs to be decrypted to be able to run the game, but who knows, the pastebin link I found it on claims that the game is decrypted, don't know if the eboot is also decrypted though.

Package it as a vpk, install it and see if it runs.

I've got the same pastebin (I think) and I read that its eboot was still encrypted.

chocoboss · Aug 10, 2016

pastebin descryption :

Legend of Heroes: Trails of Cold Steel PS Vita (Decrypted) Dump

nothing about the fact that the eboot is encrypted.

Some one can test it ? XD

if it is not this mean someone, somewhere has break NPDRM or there is 1 more dev unit in the jungle ...

if it is, then it is probably useless x)

metroid maniac · Aug 10, 2016

chocoboss said:
pastebin descryption :

nothing about the fact that the eboot is encrypted.

Some one can test it ? XD

if it is not this mean someone, somewhere has break NPDRM or there is 1 more dev unit in the jungle ...

if it is, then it is probably useless x)

I don't believe the eboot is decrypted.

CoreMessageInspector · Aug 10, 2016

chocoboss said:
pastebin descryption :

nothing about the fact that the eboot is encrypted.

Some one can test it ? XD

if it is not this mean someone, somewhere has break NPDRM or there is 1 more dev unit in the jungle ...

if it is, then it is probably useless x)

i am gonna test it, just needs to finish the transfer, will take some time

laharl22 · Aug 10, 2016

CoreMessageInspector said:
i am gonna test it, just needs to finish the transfer, will take some time

Can you PM me the link if it work?

CoreMessageInspector · Aug 10, 2016

laharl22 said:
Can you PM me the link if it work?

yes, of course

Duo8 · Aug 10, 2016

Apparently it wasn't even a vpk.
Also encrypted.

snakes8291 · Aug 10, 2016

chocoboss said:
pastebin descryption :

nothing about the fact that the eboot is encrypted.

Some one can test it ? XD

if it is not this mean someone, somewhere has break NPDRM or there is 1 more dev unit in the jungle ...

if it is, then it is probably useless x)

just finish to download the game on pastebin, so data.psarc? what is that?

New Member

( ͡° ͜ʖ ͡°)

An idiot with an opinion

瓜老外

Well-Known Member

An idiot with an opinion

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

.

An idiot with an opinion

Well-Known Member

An idiot with an opinion

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

New Member

Similar threads

Popular threads in this forum