How do you hack a device running a full featured, security hardened, and completely proprietary operating system executed on a custom designed SoC? Although the PlayStation Vita did not reach the market success of its contemporaries, it was a surprisingly solid device security-wise. Sony learned from the mistakes of PS3 and PSP and there were (mostly) no "FAIL" moments. It carried exploit mitigations that are standard today but groundbreaking for a "popular" device in 2012: SMAP, kernel ASLR, > 2 security domains, and more. Molecule was the first group to run unsigned code on the device as well as the first to hack kernel mode and TrustZone. However, to target the security co-processor (F00D), we need to bring out the big guns. Using a highly customized version of the popular ChipWhisperer hardware, we carried out hardware attacks on the device including fault injection (glitching) and side channel analysis. In a board with twelve layers, dozens of unknown ICs, and hundreds of passives, how do you even begin to attack it without any information? We will start with the basics: a whirlwind tour of the theory behind the attacks. Then we will move to the practical application: mapping out the power domains of a SoC, soldering tips for microscopic points, finding a good trigger signal, finding a glitch target, and searching the right parameters. Finally, if time permits, we will also talk a bit about how to extend our existing setup to perform side channel analysis with a few modifications.
It is unfortunate that the Vita was such a niche device, but we hope this talk will inspire more people to pick it up. The Vita is dead, long live the Vita!