PS Vita: Mathieulh and SKGleba Dump PS Vita’s “first loader” bootrom, can fix any bricked PS Vita


Just when you think everything there was to know about the Vita has already been discovered, hackers surprise you with a new release. Yesterday, Mathieulh and SKGleba released a dump of the PS Vita’s “first loader”, following a successful glitch of the console’s boot sequence.

SKGleba states that this will help fix any bricked console in the near future, and expects to release the tools as well as a writeup by the end of the year.

PS Vita Boot Sequence

It appears the PS Vita’s “first loader” had never been dumped before. For those interested in the PS Vita’s boot sequence, a summary can be found on the dev wiki here.

The PS Vita’s main application processor is an ARM Cortex-A9 MPCore. It implements ARM TrustZone for execution in both a non-secure world and a sandboxed Secure World. However, it is not the first processor to run on boot.

The cmep processor, rather than the ARM processor, is the actual secure boot device. The cmep processor bootrom (“first loader”) is the first code to run when the PS Vita starts. Once it starts, it likely maps the eMMC and directly reads in the second_loader.enp or second_loader.enp_ from the eMMC SLB2 partition. This is in the native load format of the bootrom. There are 2 layers of encryption. First, it decrypts the per-console layer that was added during the firmware installation. After that, it decrypts the factory-encrypted layer, then begins execution.

Mathieulh and SKGleba glitch PS Vita Boot Sequence, announce unbricking becomes possible

SKGleba had the following to say about yesterday’s result (emphasis mine):

  • bootrom glitching during SD boot is quite easy, way less work than expected. It lets us fix any “bricked” Vita.
  • We have reversed around 1/3 of the available jig commands, I hope that we can wrap everything up for public release later this year.

Unbricking consoles is in my experience the ultimate goal of long-term research by hackers, sometimes happening years after a console model has been discontinued. The PSP is a prime example, with Baryon Sweeper (an advanced Pandora battery, compatible with all PSP consoles) still being updated to support more PSP models to this day. The upcoming possibility to unbrick PS Vitas is exciting.

The technique will require some soldering and a bit of hardware, as far as I understand.

This is the continuation of years of effort by hackers to glitch the PS Vita at boot.


More PS Vita Decryption keys uncovered by successful glitch

This work has also uncovered more decryption keys in the Vita’s deepest layers, which Zecoxao has added to the dev wiki (and which he nicknamed “Super Keys”).




The First Loader dump provided by Mathieulh can be downloaded here (mirror, not yet ready at the time of writing, here).

Source: Mathieulh