Vita Modding Day

2017-04-25 22:04

Playstation Vita is another system I adopted late in its lifetime. It’s not a bad system, not like the Wii U, but it’s still expensive and proprietary. The Gravity Rush kiosk demo grabbed my attention at launch five years ago back in Atlanta, but Sony have to be Sony and a memory card of any decent size costs more than a used Vita system so I waited a few years for one.

I finally picked up a Vita 1000 3G system for a good price at a pawn shop in late 2015 since I was interested in SUPERBEAT: XONiC and a few other titles. At the time the most interesting firmware was 3.18, and I got lucky and found a system running 3.15. Firmware 3.18 had native homebrew via Rejuvenate (the Playstation Mobile exploit) and plenty of ePSP hacks available via an exploitable trigger game. The PS3 can transfer legitimately-purchased PSN games to a Vita without updating, and I used that to get the exploitable Tekken 2 copied over.

Vita 1000, 2000, and TV on stock firmwares 3.18, 3.52, and 3.35 respectively

V2H Pre-everything

The temptation to update was strong since Whoops! 3.18 was too low to run the game that sold me the system. I sat on it for a while until the announcement of Henkaku homebrew enabler for firmware 3.60. As I’ve gotten older and more boring my tendency has shifted to wait for hack scenes to stabilize instead of diving into the chaotic early days, but that was the green light to install SUPERBEAT’s on-cart update and enjoy it offline for a while. Erica wanted a Vita of her own so I also imported a Neon Orange PCH-2000 for myself while they were still available with hackable firmware. It’s sad to lose the AMOLED, but wow the orange is pretty. The PlayStation Vita TV was a big enough failure to go on sale for $20, so I grabbed one of those too and stashed it away until hacked.

It was effortless to update the 1000 and Vita TV to 3.60 using the HENkaku Update Server. You just need to use 212.47.229.76 as a DNS server in connection settings. It will redirect Sony’s update domain to update.henkaku.xyz and offer “Firmware 3.60 (変革 Compatible)”.

drill fus01.psp2.update.playstation.net @212.47.229.76

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 32196
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; fus01.psp2.update.playstation.net.	IN	A

;; ANSWER SECTION:
fus01.psp2.update.playstation.net.	604800	IN	CNAME	update.henkaku.xyz.
update.henkaku.xyz.	2	IN	A	212.47.229.76

3.60 update offered by HENkaku Update Server

My Japanese 2000, however, just kept failing with “The server is currently down for maintenance (C0-14351-4)”. The DNS server redirects fjp01.psp2.update.playstation.net, and the psp2-updatelist.xml lists all regions including jp, so there was no obvious reason why it didn’t work.

curl -H "User-Agent: Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2" http://update.henkaku.xyz/update/psp2/list/us/psp2-updatelist.xml | xmllint --format -

<?xml version="1.0" encoding="UTF-8"?>
<update_data_list>
{...}
  <region id="jp">
    <np level0_system_version="01.600.000" level1_system_version="03.600.000" level2_system_version="03.600.000" map="03.600.000"/>
    <np_d level0_system_version="01.600.000" level1_system_version="03.600.000" level2_system_version="03.600.000" map="03.600.000"/>
    <version system_version="03.600.000" label="3.60 (変革 Compatible)">
      <update_data update_type="full">
        <image size="133676544">http://update.henkaku.xyz/update/PSP2UPDAT.FULL.360.PUP</image>
      </update_data>
    </version>
    <recovery spkg_type="systemdata">
      <image spkg_version="01.000.010" size="56768512">http://update.henkaku.xyz/update/PSP2UPDAT.SYSTEMDATA.360.PUP</image>
    </recovery>
    <recovery spkg_type="preinst">
      <image spkg_version="01.000.000" size="128788480">http://update.henkaku.xyz/update/PSP2UPDAT.PREINST.360.PUP</image>
    </recovery>
  </region>
{...}
</update_data_list>

I gave up and just did it manually by installing QCMA, dropping a 3.60 PSP2UPDAT.PUP and minimal psp2-updatelist.xml into QCMA’s Updates directory, and using “Update by Connecting to a PC” on the Vita.

Once on 3.60 all that’s left is visiting the HENkaku website and hitting Install. It uses a Webkit exploit to start the installer.

Ready...

Installing HENkaku after running browser exploit

...go!

Once it’s installed you end up back at the LiveArea with patches applied and with a new application bubble for molecularShell. The shell lets you browse the filesystem, enable or disable the unsafe mode that exposes all partitions on the flash, configure firmware version spoofing, and install packages.

molecularShell running FTP server on Vita

Once molecularShell is running you can hit Select to start the FTP server, transfer packages of homebrew software from a computer, then select them and install them. I only needed to transfer a few:

HENkaku Offline Installer. HENkaku is a Homebrew Enabler, not a full CFW. It has to be run through the browser after every cold boot of the system. The offline installer leaves you with a HENkaku account in the Vita’s EMail application. Just tap its single message, the exploit page will be displayed in the embedded browser, and HENkaku will run. With this I can leave Airplane Mode on.
Vita Homebrew Browser, a great native application for browsing, downloading, and installing other homebrew directly on the Vita. I used it to install everything else.

Vita Homebrew Browser

VitaRW, a simple but possibly very dangerous utility that lets you remount the read-only OS partitions as read-write so you can modify them. I used this only once to re-enable the neutered Package Installer. Package Installer was made inaccessible after firmware 3.18 but lets you install packages from QCMA’s Packages directory directly to the Vita over USB. I remounted vs0, replaced vs0:app/NPXS10031/ with the modified version, then added a LiveArea bubble for it using Bubble Studio by dumping and replacing ur0:shell/db/app.db over FTP.

Vita Package Installer showing packages served over USB from QCMA

Restored Package Installer functionality on 3.60

VitaToolbox to swap the function of the ◯ and × buttons for our two US-region systems. These have been reversed here since the PSX days, and we’re both used to the original Japanese layout. ◯ as correct (まる) and × as incorrect (ばつ) makes more sense anyway.
ePSP Bubble Installer. ePSP custom firmwares like Adrenaline have to me installed over an ePSP game so you can start it via the LiveArea bubble. I can transfer a legitimate PSP game to my Vita from my PSP, but the Bubble Installer wastes much less space and is available to anyone without a PS3.
Adrenaline EasyInstaller. Adrenaline is a custom firmware for the emulated PSP mode in the Vita. I much prefer playing PSP games on my actual PSP since I’m limited to the 64GB proprietary memory card in the Vita and would rather dedicate all of it to Vita games. The ePSP may as well be hacked as long as it exists though!

Adrenaline EasyInstaller installing ePSP custom firmware

It's CFW all the way down

The English-language mod of MaiDumpTool. This is a piracy tool, no two ways about it, but it can also rip your legit carts to the system. I’m successful enough to buy my video games now :)

MaiDumpTool extracting legitimate Dead or Alive Xtreme 3 cartridge

My wife had to import this game because America is hostile to pretty ladies in video games

I know it’s playing with fire, but I did end up spoofing the newest firmware 3.65 and signing into PSN for online play, messages, and trophy syncing. Hopefully I don’t end up banned.

Signing in to PlayStation Network on a HENkaku-enabled Vita

All done! I ripped all of the games I play most often and now have the ability to do so much more with my Vita. It’s a shame how unloved this system is.

Finished Vita 1000, 2000, and TV displayed with physical Vita game library

Who says Vita has no games?