Hacking the Vita: Yifan Lu Talks Homebrew, Security and why Games Still can’t be Pirated

With the big news of today being that the Vita has been ‘hacked’, we talk to the man behind the exploit, Yifan Lu, a ‘reverse engineer’ who plans to write a loader for the handheld. But what does the announcement really mean? Is the Vita still secure? And should we expect pirates to abuse the system soon? To find out, PSLS chatted to Lu in an exclusive interview.

To start, can you just introduce yourself and tell us a bit about your background in the homebrew scene?

First of all, I am a student and do reverse engineering as a hobby. I guess I’m most known for the Kindle stuff (jailbreaking the Kindle and some Kindle homebrew apps). I also worked on the Xperia Play a while back, allowing it to play any PS1 game using the Crash Bandicoot app that was preinstalled on the phone.

Where are you with the Vita loader now?

When word originally got out, it was that I had found something interesting and wanted some help to write a loader. This means we are at the very early stages of running homebrew. The first step, in fact. Usually, stuff doesn’t get “leaked” until much later, but this was my own fault. This means that readers will have to wait at least a couple of months before they can even see any demo at all.

What is your stance on piracy?

I am 100% against piracy and no tool I will make will benefit piracy. This tool, in fact, cannot be used for loading backups/pirated content even if I wanted to because of the physical limitations of the exploit (it is userland, no rights to decrypt/load games).

Are you saying that your exploit won’t be able to benefit other hackers who may wish to make the Vita piratable?

When the exploit goes public, it could be used as a stepping stone to analyze the system for further exploits, including the more desirable kernel exploit, which if found would open the system up entirely (mods, CFW, maybe even Linux/Android, and unfortunately ISO loaders). However, it takes a lot of skill to find such an exploit, and those whom I talked to with the necessary skills are all anti-piracy. However, not thinking of potential other exploits, this one can only be used to load homebrews and nothing else.

If it did eventually lead to piracy, would you feel guilty?

Yes, it’s kind of a gamble believing that a kernel exploit would not be found by someone who wishes to use it for harm, but I also would feel guilty if I had found something that could benefit the community (running homebrews and letting developers who can’t pay for the license develop/test games) and kept it to myself.

A metaphor could be airplanes. They are used mostly for transportation and they’re very useful. But sometimes, they’re used to carry bombs. However, to prevent the bombing of cities, would it have been better if airplanes were not invented?

There’s a need for airplanes, but many would say that there isn’t a need to let developers circumvent the Vita license fee, because the PS Mobile fee is only $99 a year.

However, PSM is very limited. First of all, PSM is designed to work on all supported platforms, so Vita-specific features such as the back touchpad, the camera, accessory port, etc. won’t work. Secondly, PSM does not take full advantage of the processing power of the Vita. I believe there is a limit on how much RAM can be used, and by running everything as bytecode, it is slower in general. Finally, PSM, like iOS development, needs to go through an approval process, so you would not see (at least) emulators.

But a) none of the homebrew on the PSP took advantage of its full processing power, because it’s usually a one-man team, and b) emulators are a very basic form of piracy.

Answering b) first, I understand that ROMs are basically piracy. However, most ROMs are for out-of-date systems where it is either impossible to purchase the game or it is only possible to purchase the game used, and therefore the developer doesn’t make money anyway. Of course, there are digital releases, which we see for PS1, and I would advise those who have a PS1 game they love on the store to buy it, but most of those are not on the store, so how do you play it? In addition, what about NES games? Could Sony ever get the licensing rights to get those on PSN? I purchased Super Mario Bros. on the Wii, but I won’t be able to play it on the Vita. I believe that when a gamer wants to play something, the first thought should be helping the developers who made the game so they can make more games in the future. Of course, that is my belief, and a more conservative gamer might say no ROMs in general, and I respect that.

Now answering a), I don’t know enough about the PSP to make an educated comment, but just because something isn’t done on the PSP doesn’t mean it shouldn’t be done elsewhere.

Or couldn’t. If a developer is unable to afford a full license fee, it’s unlikely that they could afford to make a game that made full use of the processing power, and therefore they might as well use PS Mobile. There are also apparently plans for PS Mobile to allow developers to choose the Vita’s other optional control methods.

This is the first I’ve heard of those plans, but if so, that’s good news for developers. They still have more choices. Full Vita SDK with license from Sony, PSM, or the homebrew route.

But possibly less of a paying market if piracy becomes optional. An indie dev raised concerns with you on Twitter.

Well, first that’s only IF a pirate-hacker found a way to enable piracy. Assuming that piracy would be possible in the near future, then yes, it’s a bad thing. I really hope it doesn’t happen soon (because honestly, nobody can say it won’t ever happen at all). But I know my hopes are pointless to developers who fear piracy. Sony’s system is really well designed and I believe a kernel exploit is very far away.

Can you elaborate more on the kernel and how secure the Vita is?

First of all, we don’t have any idea what the kernel looks like, where it is in memory, or anything. In order to even begin to look for a kernel exploit, you need to dump the kernel memory or decrypt the kernel files on the NAND. In order to dump the kernel memory, usually you need system privilege (which, if we have it, we have already hacked the kernel), so it’s a circular problem there. Another method, as we see with the 3DS scene, is physically analyzing the RAM chip. Can’t do that for the Vita because the RAM is on the same chip as the CPU. In order to decrypt the kernel files, you need either a key leak like the PS3 (it’s safe to say that that will never happen again) or to find a kernel exploit to get it to decrypt itself. Either way, it’s a circular problem. Now a third way is blind chance, or fuzzing. Keep throwing data at the kernel and see what sticks. However, even if you do somehow get a crash that way, it’s impossible to run a payload until you have the kernel memory dumped. Now, this was easy on the PSP because FW1.0 ran unsigned code without modifications AND the kernel files were unencrypted. All they had to do was build on that for newer FW versions.

So they really dropped the ball on the PSP. Are you looking for the kernel too, or does that not interest you?

I did look purely out of intellectual curiosity, but if I ever find anything (and I know I won’t; it’s above my skill set) I won’t do anything with it. But as I’ve mentioned, I haven’t even found the entrance yet; everything’s circular.

That always interests me, what would you say your motives are for finding exploits? I’m sure Sony would have paid you well for the info, and the same with Amazon.

You would say that, but companies don’t usually ask you to “work for them” as sometimes happens in movies and very rarely in life. And I’m not going to go asking because it sounds like blackmail: “how much would you pay me for this exploit?” And my motives are the same as someone doing crosswords or Sudoku. The thrill of the challenge and the feeling of euphoria when you succeed.

But when I complete a Sudoku puzzle (not often, I suck), it’s a personal experience; I don’t have to share it. Why are you planning on releasing the loader, even though you’ve admitted there’s a chance it could aid more nefarious hackers?

I’d be lying if I didn’t say there isn’t pride involved. I don’t care what others say, anyone who releases something does so with pride involved. Yes, I want to be the first to do something that hasn’t been done. I’m not saying that’s right. But I have found things in the past where it would directly damage the party involved, and I have always either 1) informed those involved of the error (and in all cases, I have not heard back from them, but the mistake was fixed), or 2) kept quiet because I have heard stories of people stumbling across something big and getting censored even though all they did was try to stop it.

Considering all the furor that your announcement caused, do you plan on being as open about further developments in the future?

See, I was naive. When I did Kindle stuff in the past, nobody cared about progress, except other developers who contacted me. People only cared about what was released. I didn’t think the same tactic wouldn’t work for the Vita. I thought it would be an easy way to call other developers working independently to come together, but instead, it brought all eyes on the internet. I think I will be less open until I actually have progress to report that is useful to users. I was on the other side before; I hate devs that tease and then you don’t hear anything, but believe me, most of the stuff is boring.

And as mentioned before, Sony could unknowingly close the hole or scare me into stopping work (I’ve seen it happen, and I’m not going to mess with them if they tell me to stop). Anything could happen in the next couple of months. Nobody should get their hopes up, or go out and stockpile Vitas, or refuse to connect to PSN anymore or anything.

So, without giving too much away, would you say it’s an obvious exploit?

I mean with hindsight bias, everything seems obvious. Your keys are always the last place you look.