Live in Your World, HAX in Ours!
Hello World! I've been reporting on Sony PlayStation hacking news since 2000 and started PSXHAX in 2014 to cover PlayStation (PSX), PlayStation 2 (PS2), PlayStation 3 (PS3), PlayStation 4 (PS4), PlayStation Portable (PSP), PlayStation Vita (PS Vita), PlayStation TV (PS TV) and next-gen PlayStation 5 (PS5) platforms along with anything else of interest.
Click on my UserName author link above and you'll be able to view a curated list of all the articles I've contributed thus far to PSXHAX.COM!
Click on my UserName author link above and you'll be able to view a curated list of all the articles I've contributed thus far to PSXHAX.COM!
EasyRPG PS Vita RPG Maker & HENkaku Raycast3D by Rinnegatamante
Recently added to the ever-expanding PS Vita homebrew list (also check out VPK Mirror and VPK Showcase repos) comes EasyRPG Vita - RPG Maker 2k/2k3 player and RayCast3D Engine - 3D Game Engine by PlayStation Vita developer Rinnegatamante for HENkaku.
Below is an EasyRPG Vita RPG Maker 2k/2k3 player demo and a HENkaku Raycast3D Vita video from with more on his official site at Rinnegatamante.it/site/
And from Twitter here are some related tweets:
Download: RPGMV-DECRYPTOR v1.0 / GIT
Below is an EasyRPG Vita RPG Maker 2k/2k3 player demo and a HENkaku Raycast3D Vita video from with more on his official site at Rinnegatamante.it/site/
And from Twitter here are some related tweets:
Download: RPGMV-DECRYPTOR v1.0 / GIT
UkakNEH: HENkaku PS Vita Jailbreaking Exploit Reversed by H
The PlayStation Vita jailbreaking exploit known as HENkaku has been in the wild around a week and wololo now reports that a 'mysterious' user by the name of H has shared a Pastebin partially reverse-engineering HENkaku with details below. 
To quote from the Pastebin: HENkaku exploit teardown - Part 1
- Stage 1 (browser exploit):
Visiting http://henkaku.xyz and pressing the "Install" button results in a server side useragent check. If the browser's useragent matches the one of a PS Vita/PSTV on the latest firmware version (3.60), the user is redirected to http://go.henkaku.xyz and an exploit is deployed.
This exploit re-uses elements from the older public exploits (heap spraying method, sort() bug, scrollLeft attribute manipulation) and pairs them with a new heap corruption technique.
Team molecule renamed variables and methods to provide a simple obfuscation layer on the HTML code.
You can find the partially reversed code (focusing on the most crucial portions) here: http://pastebin.com/bYA4xGaQ
Similarly to older exploits, this allows to corrupt an object's vtable and achieve ROP inside the SceWebkit module. Offsets for libraries and relevant ROP gadgets are fetched from a javascript file (http://go.henkaku.xyz/payload.js) during the last stage of the exploit.
Team molecule implemented a dynamic method to relocate gadgets and functions' offsets for each module after their base addresses' are found (by looking at SceWebkit's import stubs).
- Stage 2 (ROP payload 1):
At this stage, the browser exploit has layed out the memory space to start the first ROP payload which is reconstructed from the payload.js file. The payload.js file contains two arrays, one containing the payload's binary data and another containing the relocation type for each word.
By crossing this information the exploit reads the payload and relocates all code offsets to their target module's address space by adding the module's base address to them:
To quote from the Pastebin: HENkaku exploit teardown - Part 1
- Stage 1 (browser exploit):
Visiting http://henkaku.xyz and pressing the "Install" button results in a server side useragent check. If the browser's useragent matches the one of a PS Vita/PSTV on the latest firmware version (3.60), the user is redirected to http://go.henkaku.xyz and an exploit is deployed.
This exploit re-uses elements from the older public exploits (heap spraying method, sort() bug, scrollLeft attribute manipulation) and pairs them with a new heap corruption technique.
Team molecule renamed variables and methods to provide a simple obfuscation layer on the HTML code.
You can find the partially reversed code (focusing on the most crucial portions) here: http://pastebin.com/bYA4xGaQ
Similarly to older exploits, this allows to corrupt an object's vtable and achieve ROP inside the SceWebkit module. Offsets for libraries and relevant ROP gadgets are fetched from a javascript file (http://go.henkaku.xyz/payload.js) during the last stage of the exploit.
Team molecule implemented a dynamic method to relocate gadgets and functions' offsets for each module after their base addresses' are found (by looking at SceWebkit's import stubs).
- Stage 2 (ROP payload 1):
At this stage, the browser exploit has layed out the memory space to start the first ROP payload which is reconstructed from the payload.js file. The payload.js file contains two arrays, one containing the payload's binary data and another containing the relocation type for each word.
By crossing this information the exploit reads the payload and relocates all code offsets to their target module's address space by adding the module's base address to them:
- Relocation type 0 -> Plain data stored inside the ROP space itself. No relocation needed.
- Relocation type 1 -> Offset inside the ROP payload's stack.
- Relocation type 2 -> Offset...
Official HENkaku PS Vita Jailbreak Exploit Site Now at HENkaku.me
Today PlayStation Vita hacker Yifan Lu tweeted that the original Henkaku domain https://henkaku.xyz/ has been taken down and redirects to their new home located at https://henkaku.me/ to continue the PS Vita 3.60 jailbreak exploit love! 
Also similar to the VPK Files Archive from haxxeyHD located at http://haxxey.com/vpkmirror/, there is a growing PlayStation Vita VPK repository in the official Showcase which currently includes:
Also similar to the VPK Files Archive from haxxeyHD located at http://haxxey.com/vpkmirror/, there is a growing PlayStation Vita VPK repository in the official Showcase which currently includes:
- GenesisPlusVITA by Frangar (GIT)
- VITA-8 by xerpi (GIT)
- Numpty Physics for Vita by meetpatty (GIT)
- Snes9xVITA by skogaby (GIT)
- Flood It! by romain337 (GIT)
- VitaTester by SMOKE (GIT)
- BreakVeetOut by InvalidExcepti0n (GIT)
- CATSFC-libretro Vita by skogaby (GIT)
- Vita Doom by Netrix (GIT)
- HandyVITA by Frangar (GIT)
- NeopopVITA by Frangar (GIT)
- SMSplusVITA by Frangar (GIT)
- FTPVita by xerpi (GIT)
- realboy by xerpi (GIT)
- vitahelloworld by xerpi (GIT)
- mGBA by endrift...
RetroArch (Latest Version) for PS3 CEX / DEX and HENkaku PS Vita Port
Earlier this year the LibRetro Team released RetroArch v1.3 for PS3, PSP, PS Vita and PlayStation TV and now they are back with a RetroArch 1.3.6+ Beta for PS3 CEX / DEX via Ezi0 and a HENkaku port for PS Vita! 
Download: RetroArch.PS3.v1.3.6.PLUS.BETA.FOR.CEX.PS3.pkg (171.5 MB) / RetroArch.PS3.v1.3.6.PLUS.BETA.FOR.DEX.PS3.pkg (278.5 MB) / 2016-08-03_RetroArch.7z (33.0 MB)
Below is a RetroArch v1.3.6+ Beta demo video, and from the official PlayStation 3 release page to quote:
RetroArch 1.3.6+ beta release for PlayStation3!
The PlayStation 3 port is back after it was decommissioned for a long time. Consider this a beta version in anticipation of the upcoming 1.3.7 version which will be further fleshed out.
What doesn’t work yet
This version can be considered a beta release. Here are the current issues:
...
Download: RetroArch.PS3.v1.3.6.PLUS.BETA.FOR.CEX.PS3.pkg (171.5 MB) / RetroArch.PS3.v1.3.6.PLUS.BETA.FOR.DEX.PS3.pkg (278.5 MB) / 2016-08-03_RetroArch.7z (33.0 MB)
Below is a RetroArch v1.3.6+ Beta demo video, and from the official PlayStation 3 release page to quote:
RetroArch 1.3.6+ beta release for PlayStation3!
The PlayStation 3 port is back after it was decommissioned for a long time. Consider this a beta version in anticipation of the upcoming 1.3.7 version which will be further fleshed out.
What doesn’t work yet
This version can be considered a beta release. Here are the current issues:
- You cannot scan for content as of right now. Instead, for now you should just load content directly from the filesystem.
- To be able to use zipped ROMs on emulators like SNES9x and other similar emulators, always use ‘Open Archive As Folder’, then select the ROM you want to use. Don’t use ‘Load Archive With Core’ which won’t work for now.
- If you go to ‘Information’ -> ‘Core Information’, it currently doesn’t show anything. Not a big deal for now but something we will want to fix later on regardless.
- None of the ‘downloading’ features right now will work in the PS3 port. Our networking stack code for PS3 apparently requires some customizations still. If there are any PS3 devs who can help with this, by all means.
...