Trinity: PSP Emulator Escape presented at BlueHatIL 2020

by Andy Nguyen


Summary: The PlayStation Vita is the successor to the PlayStation Portable (PSP) and has been one of the most secure handheld game consoles on the market. In addition to the main ARM processor, the PS Vita has a MIPS processor for PSP compatibility. The backwards compatibility feature increases the attack surface with a high-level emulation (HLE) feature that uses RPC to access the hardware devices. This talk describes the process of studying the PSP firmware, PSP emulator and PS Vita kernel; discovering and exploiting six unique vulnerabilities; and chaining them together to enable an escape from the MIPS userland to the ARM kernel.