Vita Reverse Engineering Leak (Cobra Blackfin) – part 1
BY WOLOLO · SEPTEMBER 13, 2017
A foreword from wololo:
I was recently contacted by someone who claims to be the main tech person behind the Cobra blackfin project. The hacker provided substantial proof that he is who he claims to be, although I’d be lying if I said I still have the technical skills today to confirm that all the analysis he’s provided is 100% valid. Today’s release, and potentially the ones to follow, will allow the scene to go through the files and confirm the legitimacy and importance (or lack thereof) of this leak.
The hacker states he has 76GB of reverse engineering data related to the PS Vita (the bulk of it being dumps, logs, but also, he says, some juicy stuff), the result of 4 years of work on the cobra blackfin project.
Due to not being paid for his work by the owner of Cobra team, the developer has decided to make his files public for the scene, with the double goal of 1) providing interesting stuff to the vita community and 2) attempting to get paid for his work. Because of this, it is possible, if he reaches an agreement with Cobra, that the hacker will not send me all the files.
My part of the agreement with him is that I will publish his announcements and release his files here as he sends them to me. I do it in the hope that this could lead to interesting code/discoveries for the psvita scene, and also because I don’t like the idea of a developer not being paid for their work. This is independent of my opinion on piracy devices such as the Cobra Blackfin, which I believe I’ve made clear multiple times.
This first release is “minor” but still contains interesting stuff. From my perspective it is mostly here as a “warning shot”, proving he is not kidding with the upcoming leaks. The hacker intends to release more interesting parts of the project progressively.
Below are an announce and notes from the hacker, as well as download links for the first part of his work. I have left this mostly untouched except for a few typos and formatting (you can find the original notes and announce documents in the downloadable archive):
Unfortunately, I was stupid and too trusting, and the contract was for payment on delivery of the product and the guy running the Cobra business sc*** me of over 4 years of work by not paying after I delivered the product.
The BlackFin didn’t sell, so he decided that he wasn’t going to pay me, citing *** excuses to justify his theft of my money, my hard work and my intellectual property. The most baffling thing is that after one year of fighting/negotiating/requesting my money which he still refuses to pay (but promises he’ll pay it “someday”), he still tries to argue to me that he is a man of his word and he isn’t a lying and thieving scumbag.
I have told him that if I do not get paid, then he is forfeiting all intellectual property rights on my work on this project and that I will do what I want with it. I have decided that what I want to do is to release it to the community. There is about 76GB of data to sift through, so these releases will be done over the next few months, so I can take the time to prepare worthwhile releases for everyone to enjoy.
This first release is minor and it’s a tool that emulates an MMC host controller and can be used to talk to a vita card. My notes on the authentication mechanism of the Vita game cards is also released here as well as some nice XRay scans of the game cards. It should be interesting to see what the community can do with this information.
A message to hackers out there: Stay away from Cobra, stay away from anyone who thinks so highly of himself that he is robbing you while trying to convince you he is the good guy.
A message to the thief: Stop crying, you’ve had plenty of time to fix your mistake. A year has passed since you decided not to pay me for work done and delivered, 6 months has passed from the last deadline I gave you, and 2 months from the deadline that you gave me yourself for rectifying your mistake. The time for pitiful excuses is past. If you want me to stop, then pay right away, otherwise just shut up about it.
Notes + content of the archive
This release is the first of many, the files here are to help test/debug some of the stuff on the vita GC (game card).
Most of these files have not been touched in years, so their information might be outdated, or the code might not compile, or may need small fixes for it to work properly. It’s all released as is with no guarantees.
Here’s the run down of the attached files :
vitacardxray: an XRay scan of the Vita GC, it wasn’t very useful and I never did anything with it, but it can be a nice addition to some wiki page somewhere.
MMC_BB : This is an MCC host emulator written using Bit-Bang mode on an FTDI chip. I had soldered wires to a GC and used an FTDI UM232H to communicate with it. The code is old and potentially buggy. I know that I re-used that code a couple of years later and it wasn’t working as well as it did 5 years ago, maybe it was because of cross talk or a poorer soldering job. Either way, I had to comment out some parts in the ReceiveData function and lower the baudrate.. this might not be necessary anymore, I suggest you test and see what works for you, you may need to understand its code and debug it before it becomes useful.
In any case, you should of course read the source code to figure out what it does exactly. There is a ‘usage’ if you run it without arguments, but that’s outdated, there’s a few commands that were added to the app but not to the usage, read the source to know what they do. This is what I used to brute force the GEN_CMD behavior and some things are hardcoded in it as well (like with the ‘read’ command, the sector to read is hardcoded in the source code, or whether the card is 2GB or 4GB is hardcoded with a #define), so really, consider this a “developer tool” for quick testing/hack jobs, rather than a usable tool for most people.
It may or may not be useful, but it will probably help at least testing the GC authentication from a PC when it comes times to implement an open source solution.
One thing I remember is that you need to do ‘./MMC init’ to init the card before you try to read/auth/whatever from it and that the unbrick command was to unbrick a card but I don’t really know if it ever actually worked (a card will brick/lock up if you fail too many auth attempts, but I think it unbricks itself on its own after some time). Also, the Vita will reject a card that answers 0x0000 to the 0xc2 command right away (a card that was already authenticated) so you need to unauth a card before you can use it with the vita again.
One way to use read/write tests is to wire 3.3v to the VCC pin of the card, then tape over it to isolate it, insert GC into the vita for the auth to take place, then remove the card, since it stays powered from your ftdi (or other external source), you can then read/write to it as much as you want. Of course, write is protected for the actual game partition, but you can play/test that if you wish to.
Notes and logs:
The full.log is a full boot log captured using a logic analyzer and the LA data analyzed through a script (not in the release) to show every command sent and received by the card between the Vita and the GC. We can easily see in it the SD init commands (which go unanswered) followed by the MMC commands (which init the card), then the regular sequence of CID/CSD/EXT_CSD, followed by the enablement of high speed and 4 bit data mode, then the GEN_CMD auth commands then the card sectors being read in various ways by the Vita. I believe this was an Uncharted game and the log continues until the game was launched.
Note that I changed the card’s serial number and removed the data from the auth commands in case it is identifiable.
The GEN_CMD.log file is the GEN_CMD auth commands extracted from the full log (before I cropped it and with the data slightly modified so it wouldn’t decrypt to valid content anymore), it’s useful to follow up on that file when trying to understand how the authentication works.
Note the “Command” here is actually “transaction id” and the “Data arg” is the actual command code.
The authentication.txt is my interpretation of how auth works and the results of brute forcing every command/TID combinations. It’s probably not exhaustive due to how the GC acts as a state machine (some commands may not works until auth is successful), but it’s useful and shows many commands in there that the GC supports but which are not used by the vita itself. I wrote most of it in 2012, and the “Card authentication” paragraph sometime in 2014, so it may not be accurate/up-to-date.
With a vita CFW, you should be able to simulate the auth from a Vita and send/receive modified auth messages (does changing the 0xa1 data cause the 0xa2 request to fail, or not until the 0xa3 command, for example), although I believe that with the F00D command sequence, motoharu has already discovered which data is dependent on which, so it may not be extremely useful anymore.
