yifan.lu (185.199.111.153) Public Scan

URL: https://yifan.lu/
Submission: On March 02 via manual from AU — Scanned from AU


YIFAN LU


RANDOM STUFF I'M MAKING AND THINKING


UNBRICKING SHIELD TV (2015) WITH A BOOTROM EXPLOIT

Last year, a friend gave me his SHIELD TV when he moved. He worked at NVIDIA and
got it for free and had used it only a handful of times before it traveled from
his closet to my own. I had forgotten about it until I had a need for a
Raspberry Pi and discovered that they were all still sold out. Wouldn’t the
SHIELD TV make a great RPI replacement? It has been out for almost a decade now
and surely people have gotten Linux working on it. After following a guide from
2015, I quickly bricked the device trying to flash an outdated DTB file. It
turns out that a bad DTB brick was quite common in the community and
unfortunately the only proposed solution of “return it to Best Buy” was not an
option for me. Even though I have never cared about this device, I was still
ashamed at my negligence and felt guilty about creating more e-waste. Thus began
my journey to recover the device.


Jun 17, 2022 yifanlu


GLITCHING A $20K PIECE OF HISTORY

A few months ago, a contact reached out to me with an irresistible offer. I
would be given the opportunity to experiment with an insanely rare, prototype
development kit PlayStation Vita. The only ask from my source is that I somehow
dump the boot code. I’ve spent the last seven years hacking every last bit of
the Vita from exploiting the kernel to extracting hardware keys with AES fault
injections. In that long journey, I’ve gotten intimate with every model and
revision of the Vita so it seems inevitable that I would find myself with the
very first prototype. The DEM-3000L is actually more rare than the DEM-3000H
that recently made headlines having been sold for $20,000. Although I cannot
confirm this independently, my source claims that the DEM-3000H units were
distributed to early game developers while the DEM-3000L was used internally at
Sony to develop the system firmware. The history of this particular DEM-3000L
was that two of these were originally found side by side at a Chinese landfill.
They had extensive water damage (I was told they were “at the bottom of a lake”)
and were carefully repaired. One of the two (the one with the broken display)
eventually made it to me.


Aug 16, 2019 yifanlu


ATTACKING HARDWARE AES WITH DFA

For the past couple of months, I have been trying to extract the hardware keys
from the PlayStation Vita. I wrote a paper describing the whole process with all
the technical details, but I thought I would also write a more casual blog post
about it as well. Consider this a companion piece to the paper where I will
expand more on the process and the dead ends than just present the results. In
place of technical accuracy, I will attempt to provide more intuitive
explanations and give background information omitted in the paper.


Feb 22, 2019 yifanlu


THE FIRST F00D EXPLOIT

This article was originally written 2019-01-11 and published on 2019-07-29 for
the third anniversary of HENkaku, the first Vita jailbreak. It documents the
work we did in early 2017, just days after the seminal “octopus” exploit.
Although the work is dated and does not open any new doors, the technical
contents might be interesting for a particular audience. The original intention
was to post this after someone else independently discovered the same
vulnerability. There were many overt hints on the HENkaku wiki that the 0x50002
service was buggy, but I underestimated the interest (or skills) that people
would have in hacking an exotic processor that ultimately does nothing for
people who just want to run homebrews or play pirated games.


Jan 11, 2019 yifanlu


INJECTING SOFTWARE VULNERABILITIES WITH VOLTAGE GLITCHING

I am not a fan of New Year’s resolutions, but I do want to do more technical
writing this year. So here is a preprint of a paper I wrote on glitching the PS
Vita as well as a simple model for reasoning about voltage glitches at a low
level.


Jan 10, 2019 yifanlu

