Unbricking SHIELD TV (2015) with a Bootrom Exploit

Last year, a friend gave me his SHIELD TV when he moved. He worked at NVIDIA and got it for free and had used it only a handful of times before it traveled from his closet to my own. I had forgotten about it until I had a need for a Raspberry Pi and discovered that they were all still sold out. Wouldn’t the SHIELD TV make a great RPI replacement? It has been out for almost a decade now and surely people have gotten Linux working on it. After following a guide from 2015, I quickly bricked the device trying to flash an outdated DTB file. It turns out that a bad DTB brick was quite common in the community and unfortunately the only proposed solution of “return it to Best Buy” was not an option for me. Even though I have never cared about this device, I was still ashamed at my negligence and felt guilty about creating more e-waste. Thus began my journey to recover the device.

Continue reading

Glitching a $20k Piece of History

A few months ago, a contact reached out to me with an irresistible offer. I would be given the opportunity to experiment with an insanely rare, prototype development kit PlayStation Vita. The only ask from my source is that I somehow dump the boot code. I’ve spent the last seven years hacking every last bit of the Vita from exploiting the kernel to extracting hardware keys with AES fault injections. In that long journey, I’ve gotten intimate with every model and revision of the Vita so it seems inevitable that I would find myself with the very first prototype. The DEM-3000L is actually more rare than the DEM-3000H that recently made headlines having been sold for $20,000. Although I cannot confirm this independently, my source claims that the DEM-3000H units were distributed to early game developers while the DEM-3000L was used internally at Sony to develop the system firmware. The history of this particular DEM-3000L was that two of these were originally found side by side at a Chinese landfill. They had extensive water damage (I was told they were “at the bottom of a lake”) and was carefully repaired. One of the two (the one with the broken display) eventually made it to me.

Continue reading

Attacking Hardware AES with DFA

For the past couple of months, I have been trying to extract the hardware keys from the PlayStation Vita. I wrote a paper describing the whole process with all the technical details, but I thought I would also write a more casual blog post about it as well. Consider this a companion piece to the paper where I will expand more on the process and the dead ends than just present the results. In place of technical accuracy, I will attempt to provide more intuitive explanations and give background information omitted in the paper.

Continue reading

The First F00D Exploit

This article was originally written 2019-01-11 and published on 2019-07-29 for the third anniversary of HENkaku, the first Vita jailbreak. It documents the work we did in early 2017, just days after the seminal “octopus” exploit. Although the work is dated and does not open any new doors, the technical contents might be interesting for a particular audience. The original intention was to post this after someone else independently discovers the same vulnerability. There were many overt hints on the HENkaku wiki that the 0x50002 service was buggy but I underestimated the interest (or skills) that people would have in hacking an exotic processor that ultimately does nothing for people who just want to run homebrews or play pirated games.

Continue reading