I'm releasing the WebKit code execution RCE I spoke of yesterday targeting PS4 6.20 firmware. Gadgets and potentially the code execution strategy will need to be adjusted for lower firmwares. Have fun :)
The 5.05 kernel exploit stack is now released! It includes the kexploit and autolaunches homebrew patches and mira. On subsequent page loads it listens for payloads. Source is up here
Within the next few weeks there will be a PS4 5.05 full stack release including tools for homebrew development. Some other tools will be dropped as time goes on. Don’t update your <= 5.05 consoles if you care about homebrew. Hope to see cool stuff soon :)
For those interested in a webkit PS5 kernel exploit implementation, it's on track to be ready soon - stay on 4.03 :)
Still wanna do some cleanup and such but a lot of the major work is done. Obv without @theflow0 this wouldn't be possible :P. 1/2
Took me a bit longer than I'd hoped - but the PS4 5.05 Kernel Exploit writeup has now been published :). If you have any suggestions for clarity or corrections, please add the issue to the GitHub repo or reply to this tweet.
The 6.50 FW update seems to have patched a WebKit exploit I wrote up a month or so ago. I may drop the exploit soon so if you're a dev that wants to play with WebKit don't update :)
PS5 Kernel Exploit v1.01. Some recent changes I made + Chendo's original stability improvements have stability high now at about 80-90%.
There's also some other nice improvements + a WIP ELF loader :)
The PS4 4.55/FreeBSD BPF kernel exploit writeup is now up on my GitHub repo! The bug is present on any system running FreeBSD such that you have privileges (which we did on PS4). Could be used on other systems for root to ring0 code execution.
The PS4 toolchain BETA has dropped! Massive thanks to all the effort by everyone. Shouts @CrazyVoidPS4 @kd_tech_ @m4xton @flat_z and anyone else I may have missed! This took months of effort from all and it's awesome to be able to finally share it.
ChendoChap released a PS4 exploit implementation of ipv6 for firmwares 5.05 - 6.72, recommend checking it out :D might be more stable than current implementations where it's hand-written ROP.
After many months of work in collaboration with @diwidog and @CrazyVoidPS4 w/ help from @flat_z, we have a hello world homebrew app running on the PS4 built with a custom toolchain / non-sony SDK! Still work to be done, but this is a big step for homebrew.
Seems homebrew built with the OpenOrbis PS4 Toolchain works out of the box on 6.72 with no changes needed from 5.05 (unless you do kernel stuff in your homebrew which need offsets ported). Happy homebrew dev :)
PPPoE bug patch in PS4. As can be seen, patched in 9.03 on the right. Probably not worth attempting to exploit this on PS4 as it won't move firmware forward. Also probably would end up less stable than exFAT exploit because mbuf zone corruption kinda sucks.
A few notes on the 5.05 exploit:
1) The page will crash after the kernel exploit successfully runs, this is normal
2) First load after successful exploitation will autoload HEN and Mira (can get klog by nc [ps4 ip] 9998)
3) Subsequent loads go to the usual payload launcher.
Please don't donate to people rehosting sleirsgoevy's exploit who add their own donation links on there (esp the ones who don't make it clear it's not actually going to him). People really out here adding their own donation links to other people's exploits.
PS4 Toolchain at its current stage can now support video out, audio out, freetype, and full libc support. This is a video demonstrating all of these pulled directly from the PS4, built without using any Sony SDK material :D
We've released a PS5 SDK (primarily for building payloads atm). It resolves basic libkernel/libc stuff and has some kernel hacking helpers. You will need latest version of WebKit+Kernel chain for ELF loader updates. As always, contribution appreciated.
Want to clear some things up that are confusing some people. Please don't donate to our streams thinking you're "investing" in an exploit release or something, only donate if you enjoy the streams and want to. We're streaming the research because it's educational and interesting.
Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do. 1/2
I cleaned up my kernel exploit POC for the IP6 FreeBSD bug. If anyone wants to play with it I put it up. Mostly it's a reference for when @tihmstar and I get around to the PS4 port, so I didn't tweak stability a lot for BSD VM, but timings can be tweaked.
I just fixed a performance bug in create-eboot in the toolchain which resulted in a performance boost of 7800%... this is probably the happiest debugging moment I've ever had.
Was hoping to get exfat bug working but the exploit scenario on PS5 is much tougher than PS4. Might still be possible to find a way but a lot of work will need to be put into finding a viable path. But at least the userland portion is out there so it can be attempted/tested :P
I'll do a stream in about 15 minutes w/ @tihmstar looking at the new new IPV6 bug and exploiting PS4 (first on 5.05 then moving up after). Probably the first of multiple streams.
Released payload source for decrypting PS5 SELFs. Read notes in README as they're fairly important, will also need to pull latest PS5SDK changes to build it. It's not perfect and may hang/freeze due to not being able to do proper locking.
Not sure how useful it'll be to others out there, but I cleaned up and open sourced the kernel hooking payload I wrote up for the streams. It's a minimal payload so you don't have to run a daemon, handy for exploit debugging. Excuse its nasty hacks.
@ps4_hacking @Znullptr Very stable, ChendoChap wrote an excellent exploit here, it's near the stability of 5.05. It takes a bit more effort than previous exploits to do but it's not a big problem since it's so stable.
Published part 2 of the AMD PSP reversing stuff. This one focuses on the Crypto Co-Processor (CCP) and looking at the system for loading firmware and decrypting it.
Put out a blog post on some reversing I've been doing on the side of the AMD Platform Security Processor / PSP. Part 1 is an overview of the design and memory-mapped I/O (MMIO), part 2 will be on the Crypto Co-Processor MMIO.
In my presentation at @hardwear_io I talked about how underestimated data-only attacks can be. Here's an example: decrypting system files by sending messages to the PSP with just kernel arb. read/write :)
Thanks to some RE work by ChendoChap, repo should now have support for 4.50. If you're on that fw give it a try. If you're on lower, you should probably stay lower :P
Another FreeBSD PoC, now utilizing TheFlow's hint. Does not do any zone drains, so should be more portable.
Fun fact: it **seems** that the function tweeted by TheFlow does not need to be buggy. A patched one would also do its job.
PS4 toolchain v0.5 is out! Includes stub modules to avoid breaking games, SDL2, C++ threading and synchronization, and a big bag of bug fixes. More in the changelog.
Recommend updating your Mira version and using the updated VS templates.
Look at that jump cut, obviously fake.. the specter guy said it was to censor the mac address but really that's just an excuse who cares about mac addresses anyway
Just to clarify I won't be dropping new exploits/bugs it's mostly a reversing-focused talk and talks about exploitation techniques/mitigations on a whole :P
I laugh at people who call researchers who report to sony's H1 bounty "traitors". Imagine thinking that a researcher should effectively throw away tens of thousands of dollars to drop a 0d for a scene comprised of 98% piracy and like 2% homebrew. 1/2
Seems we're ok - it was a bad UART connection. Seems if you have UART enabled and the data can't be sent, the system hangs indefinitely when booting. Silly code but doubtful Sony would test for faulty UART connection in QA :D
PS4 should be good for tuesday for more punishment.
Been seeing people criticize the progress of Mira. If you think its development is taking too long - find an open issue, fork the repo, and contribute - it's open source after all! If you don't want to contribute that's fine, but don't make unhelpful comments.
Just wanna temper some expectations; if/when the IPV6 exploit is released, post-exploitation is not as easy as PS4. Homebrew will take a lot of effort. XOM prevents dumping kernel and HV prevents patching/hooking kernel. It'll mostly only really be useful for devs.
Seeing some people curious about firmware (4.03/4.50) with the webkit/kernel chain. From what I know webkit exploit should work on 4.50 (haven't tested myself), but you'd need to bruteforce ROP gadgets or dump the modules with bd-j exploit. I did 4.03 as I had chendo's gadgets.
There's also a lot of people who seem to misunderstand where a lot of instability comes from. On 7.0x+ a lot of the instability comes from the webkit exploit because of the ASLR bruteforce. Seen a fair share of people unfairly attributing instability to @sleirsgoevy
Same people who were saying yesterday they'd be fine with a 1:100 success rate are bitching on day one about the success rate... And people are wondering why I'm holding off on adding it to the DNS...
I've been working on porting and smoothly integrating SDL into the PS4 toolchain for v0.5 based on @Znullptr's initial port, and after many hours and noob game dev pitfalls, I have a cool little game :D (recorded from the PS4)
I wonder if any of the people taking shots at @qwertyoruiopz saying he doesn't contribute to the scene realize:
1. He assisted with 1.76 dlclose
2. The bpf kernel exploit (4.55) is his bug
3. He’s assisted devs such as myself on many occasions
He’s contributed more than most :>
Relative relocations should work now in the ELF loader of the latest PS5 webkit-based exploit chain. Build scripts and such have also been updated in PS5SDK.
I'm gonna debunk these "devs are waiting for X game to drop another jailbreak" theories with one simple fact: none of us care about piracy. If I want to play X game, I'll buy it and play it on my main PS4.
I've published a write-up on the Android Binder use-after-free kernel bug that p0 discovered recently affected the Pixel 2 and Galaxy S7/S8/S9. It goes into technical details of how an arbitrary read/write is established :)
I see some people voicing stupid comments like "why didn't you release this sooner" and "why not release the payload" to @flat_z, please keep in mind this work took him *MONTHS* and he did it for *FREE*, so nobody has any right to complain.
XOM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon.. 2/2
Almost forgot to include js_shellcode.py - my Python script to convert payloads to shellcode - you'll need to use this if you want to update Mira/HEN (and reintegrate) or add a custom payload to auto launch.
Usage: python js_shellcode.py [.bin] code_addr
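As an added illustration of what a payload-to-JS converter of this kind has to do (this is not the js_shellcode.py from the tweet, whose exact output format is not shown here): pad the raw payload to a 4-byte boundary, split it into little-endian 32-bit words, split the 64-bit load address into hi/lo halves because a JS number cannot hold a full 64-bit pointer exactly, and emit a loop that stores each word. The `write32(hi, lo, value)` primitive the emitted loop calls is an assumed exploit-side helper, not something the page provides.

```python
#!/usr/bin/env python3
"""Added example: convert a raw payload .bin into a JavaScript snippet
that writes it to a chosen address one 32-bit word at a time.

Assumptions (not from the original page):
  * little-endian target
  * the exploit already exposes write32(addr_hi, addr_lo, value)
"""
import struct
import sys


def pack_words(data: bytes) -> list[int]:
    """Pad DATA with NULs to a 4-byte boundary and return it as a list of
    little-endian 32-bit words, the unit most JS write primitives use."""
    padded = data + b"\x00" * (-len(data) % 4)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))


def split64(addr: int) -> tuple[int, int]:
    """Return (hi, lo) 32-bit halves of a 64-bit address.  Emitting the
    address as one JS literal would silently lose bits above 2**53."""
    if not 0 <= addr < 1 << 64:
        raise ValueError("address does not fit in 64 bits")
    return addr >> 32, addr & 0xFFFFFFFF


def render_js(data: bytes, code_addr: int, name: str = "shellcode") -> str:
    """Emit the word array, the hi/lo load address and a store loop.

    The loop recomputes the carry into the high half on each iteration so
    a payload that straddles a 4 GiB boundary is still written correctly."""
    words = pack_words(data)
    hi, lo = split64(code_addr)
    rows = [
        "    " + ", ".join(f"0x{w:08x}" for w in words[i:i + 8])
        for i in range(0, len(words), 8)
    ]
    return "\n".join([
        f"// {len(data)} payload bytes -> {len(words)} words (render_js, added example)",
        f"var {name}_words = [",
        ",\n".join(rows),
        "];",
        f"var {name}_addr_hi = 0x{hi:08x};",
        f"var {name}_addr_lo = 0x{lo:08x};",
        f"for (var i = 0; i < {name}_words.length; i++) {{",
        "    // lo + 4*i stays exact in a double; fold any carry into hi",
        f"    var lo = {name}_addr_lo + 4 * i;",
        f"    var hi = {name}_addr_hi + Math.floor(lo / 0x100000000);",
        "    lo = lo >>> 0;",
        "    // write32 is an assumed exploit-side primitive (hi, lo, value)",
        f"    write32(hi, lo, {name}_words[i]);",
        "}",
    ])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            payload = f.read()
        addr = int(sys.argv[2], 0)
    else:
        # constructed sample: int3 x4 + nop, at an arbitrary made-up address
        payload, addr = b"\xcc\xcc\xcc\xcc\x90", 0x800401000
    print(render_js(payload, addr))
```

Run it as `python js_shellcode_example.py payload.bin 0x800401000` (hypothetical file and address) and paste the output into the exploit page; with no arguments it renders a five-byte constructed sample so the shape of the output can be inspected offline.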
Just to put this out there - I know some are having issues with the system black screening when rebooting out of sleep mode, though I believe this is an issue with Mira, not the exploit itself. It's on the to-do list. Hold power button down for ~10s to force shutdown and reboot.
Ya know, when the PS5 is rebooting from a panic and it spins for 5 minutes because it's firewall'd waiting to connect to reporting servers, I forget I even turned it back on most of the time until like 15-30min later.
I wrote a blog post on some of the interesting challenges I encountered porting MUSL to PS4, including that weird FreeBSD syscall patch which clears R8-R10 on sysret.
A few days ago I finally started working on the Guitar Hero clone engine that I've been wanting to do for so long. Partially for fun/learning, partially because I want to port it to homebrew for the PS4/Switch eventually. I now have the highway + notes rendering at low-level :)
Toolchain v0.2 has now released, includes MacOS support (thanks to @lord_friky) and fixes for building libraries and many other bug fixes (thanks to @3226_2143). Release details have full patch notes.
For all the C++-ers out there, here's release v0.4 of the PS4 toolchain, which adds libcxx support for building C++ homebrew. Also features a fancy new windows installer!
As an add-on the exploit in question isn't like the ConcatMemcpy one that was posted a few months ago - that wasn't a complete exploit, only an infoleak. The one that was patched granted code execution in userland.
Would like to pose a thought to those who feel we should be encouraging piracy as devs: When really shitty mechanisms are thrown into games that make it P2W (EA Battlefront II) - do you think piracy will make this better going forward? It'll just encourage more micro-tx schemes.
PS5 showcase was weak. Almost everything they showed released in 2021. Wow, I'll be able to play PS4 games on the PS5 at launch and nothing else. Stonks. Not like I could play those PS4 games on PS4.
Ok seems I might have been a bit wrong here - WebKit gadgets might be the same after all as it seems 4.03 and 4.50 might run the same WK build :)
So just the kernel offsets would need porting, which can be RE'd with read primitive and dumping .data.
I've also uploaded a test payload you can use after the kernel exploit runs that jailbreaks and patches the kernel to allow access to debug settings, just needs to be netcatted to the loader via port 9020.
Seems @i41nbeer's iOS bug with MPTCP is similar to the PS4 4.05 kernel exploit (namedobj) strategy with 4.05 - abusing memory corruption on a kobject to establish an arbitrary free() primitive. Very cool :)
Sony's decision to use liquid metal as a TIM never made sense imo. It's a cut down zen 2 APU that shouldn't need it, it makes maintenance stupid and expensive, it's more risky, and it makes it more expensive to manufacture. It's bad any way you look at it.