Specter

@SpecterDev


Interested in Security and Exploit Development. Nano is the one true text editor.

🇨🇦 Ontario
Joined August 2015
@SpecterDev
Specter
5 years
I'm releasing the WebKit code execution RCE I spoke of yesterday targeting PS4 6.20 firmware. Gadgets and potentially the code execution strategy will need to be adjusted for lower firmwares. Have fun :)
@SpecterDev
Specter
2 years
9.👀 (awesome work by chendochap & @Znullptr)
@SpecterDev
Specter
6 years
The 5.05 kernel exploit stack is now released! It includes the kexploit and autolaunches homebrew patches and mira. On subsequent page loads it listens for payloads. Source is up here
@SpecterDev
Specter
6 years
Within the next few weeks there will be a PS4 5.05 full stack release including tools for homebrew development. Some other tools will be dropped as time goes on. Don’t update your <= 5.05 consoles if you care about homebrew. Hope to see cool stuff soon :)
@SpecterDev
Specter
2 years
For those interested in a webkit PS5 kernel exploit implementation, it's on track to be ready soon - stay on 4.03 :) Still wanna do some cleanup and such but a lot of the major work is done. Obv without @theflow0 this wouldn't be possible :P. 1/2
@SpecterDev
Specter
2 years
9.00 is up. Again, grats to ChendoChap, fast work and great exploit (and @sleirsgoevy for webkit)
@SpecterDev
Specter
6 years
Took me a bit longer than I'd hoped - but the PS4 5.05 Kernel Exploit writeup has now been published :). If you have any suggestions for clarity or corrections, please add the issue to the GitHub repo or reply them to this tweet.
@SpecterDev
Specter
5 years
The 6.50 FW update seems to have patched a WebKit exploit I wrote up a month or so ago. I may drop the exploit soon so if you're a dev that wants to play with WebKit don't update :)
@SpecterDev
Specter
2 years
PS5 Kernel Exploit v1.01. Some recent changes I made + Chendo's original stability improvements have stability high now at about 80-90%. There's also some other nice improvements + a WIP ELF loader :)
@SpecterDev
Specter
6 years
The PS4 4.55/FreeBSD BPF kernel exploit writeup is now up on my GitHub repo! The bug is present on any system running FreeBSD such that you have privileges (which we did on PS4). Could be used on other systems for root to ring0 code execution.
@SpecterDev
Specter
4 years
The PS4 toolchain BETA has dropped! Massive thanks to all the effort by everyone. Shouts @CrazyVoidPS4 @kd_tech_ @m4xton @flat_z and anyone else I may have missed! This took months of effort from all and it's awesome to be able to finally share it.
@SpecterDev
Specter
4 years
ChendoChap released a PS4 exploit implementation of ipv6 for firmwares 5.05 - 6.72, recommend checking it out :D might be more stable than current implementations where it's hand-written ROP.
@SpecterDev
Specter
4 years
After many months of work in collaboration with @diwidog and @CrazyVoidPS4 w/ help from @flat_z, we have a hello world homebrew app running on the PS4 built with a custom toolchain / non-Sony SDK! Still work to be done, but this is a big step for homebrew.
@SpecterDev
Specter
4 years
Seems homebrew built with the OpenOrbis PS4 Toolchain works out of the box on 6.72 with no changes needed from 5.05 (unless you do kernel stuff in your homebrew which need offsets ported). Happy homebrew dev :)
@SpecterDev
Specter
2 years
PPPoE bug patch in PS4. As can be seen, patched in 9.03 on the right. Probably not worth attempting to exploit this on PS4 as it won't move firmware forward. Also probably would end up less stable than exFAT exploit because mbuf zone corruption kinda sucks.
@SpecterDev
Specter
2 years
Seeing a bit of confusion on 9.03 - this will *not* work on 9.03, it's patched. Only 9.00 and below.
@SpecterDev
Specter
6 years
A few notes on the 5.05 exploit: 1) The page will crash after the kernel exploit successfully runs, this is normal. 2) First load after successful exploitation will autoload HEN and Mira (can get klog by nc [ps4 ip] 9998). 3) Subsequent loads go to the usual payload launcher.
@SpecterDev
Specter
4 years
Please don't donate to people rehosting sleirsgoevy's exploit who add their own donation links on there (esp the ones who don't make it clear it's not actually going to him). People really out here adding their own donation links to other people's exploits.
@SpecterDev
Specter
3 years
Everyone be out here like "it'd be cool to get a ps5 exploit/jailbreak" and I'm here like "it'd be cool to get a ps5"
@SpecterDev
Specter
4 years
PS4 Toolchain at its current stage can now support video out, audio out, freetype, and full libc support. This is a video demonstrating all of these pulled directly from the PS4, built without using any Sony SDK material :D
@SpecterDev
Specter
3 years
Win. Not winning super often, but with @tihmstar's tips + slow CPU on the PS4 I think it'll be more stable with some work.
@SpecterDev
Specter
6 years
Exploit Works ✓ WebKit Stable ✓ Games Launch ✓ :)
@SpecterDev
Specter
6 years
I've published my writeup of the PS4 4.05 Kernel Exploit! Please feel free to send corrections to me if you find any errors :)
@SpecterDev
Specter
2 years
We've released a PS5 SDK (primarily for building payloads atm). It resolves basic libkernel/libc stuff and has some kernel hacking helpers. You will need the latest version of the WebKit+Kernel chain for ELF loader updates. As always, contribution appreciated.
@SpecterDev
Specter
3 years
Want to clear some things up that are confusing some people. Please don't donate to our streams thinking you're "investing" in an exploit release or something, only donate if you enjoy the streams and want to. We're streaming the research because it's educational and interesting.
@SpecterDev
Specter
21 days
Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do. 1/2
@SpecterDev
Specter
3 years
I cleaned up my kernel exploit POC for the IP6 FreeBSD bug. If anyone wants to play with it I put it up. Mostly it's a reference for when @tihmstar and I get around to the PS4 port, so I didn't tweak stability a lot for BSD VM, but timings can be tweaked.
@SpecterDev
Specter
4 years
I just fixed a performance bug in create-eboot in the toolchain which resulted in a performance boost of 7800%... this is probably the happiest debugging moment I've ever had.
@SpecterDev
Specter
2 years
Was hoping to get exfat bug working but the exploit scenario on PS5 is much tougher than PS4. Might still be possible to find a way but a lot of work will need to be put into finding a viable path. But at least the userland portion is out there so it can be attempted/tested :P
@Znullptr
Z
2 years
We've released a small writeup and some code for userland exec on PS5. DNS redirection to https works.
@SpecterDev
Specter
3 years
I'll do a stream in about 15 minutes w/ @tihmstar looking at the new new IPV6 bug and exploiting PS4 (first on 5.05 then moving up after). Probably the first of multiple streams.
@SpecterDev
Specter
8 months
Released payload source for decrypting PS5 SELFs. Read notes in README as they're fairly important, will also need to pull latest PS5SDK changes to build it. It's not perfect and may hang/freeze due to not being able to do proper locking.
@SpecterDev
Specter
3 years
Not sure how useful it'll be to others out there, but I cleaned up and open sourced the kernel hooking payload I wrote up for the streams. It's a minimal payload so you don't have to run a daemon, handy for exploit debugging. Excuse its nasty hacks.
@SpecterDev
Specter
2 years
@ps4_hacking @Znullptr Very stable, ChendoChap wrote an excellent exploit here, it's near the stability of 5.05. It takes a bit more effort than previous exploits to do but it's not a big problem since it's so stable.
@SpecterDev
Specter
2 years
Mira is already ported for enabling homebrew; loader and ELF can be found here. Loader -> port 9020 on payload page, ELF -> port 9021.
@SpecterDev
Specter
6 years
I've published the 4.55 WebKit exploit write-up for the "setAttributeNodeNS()" bug! As always, let me know if you find any mistakes :)
@SpecterDev
Specter
4 years
Not long now...
@SpecterDev
Specter
2 years
Also shouldn't forget @sleirsgoevy for his 9.00 webkit exploit too :)
@SpecterDev
Specter
1 year
Put out a blog post on some reversing I've been doing on the side of the AMD Platform Security Processor / PSP. Part 1 is an overview of the design and memory-mapped I/O (MMIO), part 2 will be on the Crypto Co-Processor MMIO.
@SpecterDev
Specter
9 months
In my presentation @hardwear_io I talked about how underestimated data-only attacks can be. Here's an example: decrypting system files by sending messages to the PSP with just kernel arb. read/write :)
@SpecterDev
Specter
2 years
Thanks to some RE work by ChendoChap, repo should now have support for 4.50. If you're on that fw give it a try. If you're on lower, you should probably stay lower :P
@SpecterDev
Specter
3 years
Very nice, I do still want to see if the zone reclaim strategy is possible on PS4 though, for potential future exploits if nothing else :)
@sleirsgoevy
sleirsgoevy
3 years
Another FreeBSD PoC, now utilizing TheFlow's hint. Does not do any zone drains, so should be more portable. Fun fact: it **seems** that the function tweeted by TheFlow does not need to be buggy. A patched one would also do its job.
@SpecterDev
Specter
4 years
PS4 toolchain v0.5 is out! Includes stub modules to avoid breaking games, SDL2, C++ threading and synchronization, and a big bag of bug fixes. More in the changelog. Recommend updating your Mira version and using the updated VS templates.
@SpecterDev
Specter
4 years
I've just put out 5 videos on an overview of the toolchain and tutorials on how to do various things. 3 more are coming in a few days time.
@SpecterDev
Specter
2 years
Look at that jump cut, obviously fake.. the specter guy said it was to censor the mac address but really that's just an excuse who cares about mac addresses anyway
@SpecterDev
Specter
2 years
9.👀 (awesome work by chendochap & @Znullptr)
@SpecterDev
Specter
1 year
Just to clarify, I won't be dropping new exploits/bugs; it's mostly a reversing-focused talk and talks about exploitation techniques/mitigations on a whole :P
@frwololo
Wololo
1 year
PS5: Upcoming PS5 Security talk by SpecterDev, spreads new rumors of a Hypervisor exploit
@SpecterDev
Specter
4 years
I laugh at people who call researchers who report to Sony's H1 bounty "traitors". Imagine thinking that a researcher should effectively throw away tens of thousands of dollars to drop a 0d for a scene comprised of 98% piracy and like 2% homebrew. 1/2
@SpecterDev
Specter
3 years
Seems we're ok - it was a bad UART connection. Seems if you have UART enabled and the data can't be sent, the system hangs indefinitely when booting. Silly code but doubtful Sony would test for faulty UART connection in QA :D PS4 should be good for Tuesday for more punishment.
@SpecterDev
Specter
6 years
Been seeing people criticize the progress of Mira. If you think its development is taking too long - find an open issue, fork the repo, and contribute - it's open source after all! If you don't want to contribute that's fine, but don't make unhelpful comments.
@SpecterDev
Specter
2 years
Just wanna temper some expectations; if/when the IPV6 exploit is released, post-exploitation is not as easy as PS4. Homebrew will take a lot of effort. XOM prevents dumping kernel and HV prevents patching/hooking kernel. It'll mostly only really be useful for devs.
@SpecterDev
Specter
2 years
Seeing some people curious about firmware (4.03/4.50) with the webkit/kernel chain. From what I know webkit exploit should work on 4.50 (haven't tested myself), but you'd need to bruteforce ROP gadgets or dump the modules with bd-j exploit. I did 4.03 as I had chendo's gadgets.
@SpecterDev
Specter
3 years
There's also a lot of people who seem to misunderstand where a lot of instability comes from. On 7.0x+ a lot of the instability comes from the webkit exploit because of the ASLR bruteforce. Seen a fair share of people unfairly attributing instability to @sleirsgoevy
@_AlAzif
Al Azif
3 years
Same people who were saying yesterday they'd be fine with a 1:100 success rate are bitching on day one about the success rate... And people are wondering why I'm holding off on adding it to the DNS...
@SpecterDev
Specter
6 years
From what I'm seeing it seems 5.05 and 5.07 (a rare firmware) webkit and kernel binaries may be identical, so release should work on both :)
@SpecterDev
Specter
4 years
I've been working on porting and smoothly integrating SDL into the PS4 toolchain for v0.5 based on @Znullptr's initial port, and after many hours and noob game dev pitfalls, I have a cool little game :D (recorded from the PS4)
@SpecterDev
Specter
3 years
RIP @m4xton , PS4 homebrew wouldn't be possible without your awesome contributions.
@SpecterDev
Specter
6 years
I wonder if any of the people taking shots at @qwertyoruiopz saying he doesn't contribute to the scene realize: 1. He assisted with 1.76 dlclose; 2. The bpf kernel exploit (4.55) is his bug; 3. He's assisted devs such as myself on many occasions. He's contributed more than most :>
@SpecterDev
Specter
7 years
I've done a little write-up about the PS4 4.0x exploit. Those more knowledgeable feel free to correct my mistakes :)
@SpecterDev
Specter
6 years
Here's a roadmap on projected tools and such for homebrew development on the PS4. Green = done, Yellow = in progress, Red = not started.
@SpecterDev
Specter
1 year
Relative relocations should work now in the ELF loader of the latest PS5 webkit-based exploit chain. Build scripts and such have also been updated in PS5SDK.
@SpecterDev
Specter
6 years
I'm gonna debunk these "devs are waiting for X game to drop another jailbreak" theories with one simple fact: none of us care about piracy. If I want to play X game, I'll buy it and play it on my main PS4.
@SpecterDev
Specter
1 year
Time to pack it in everyone, sorry to say but security research is over.
@SpecterDev
Specter
5 years
I've published a write-up on the Android Binder use-after-free kernel bug that p0 discovered recently, affecting the Pixel 2 and Galaxy S7/S8/S9. It goes into technical details of how an arbitrary read/write is established :)
@SpecterDev
Specter
6 years
I see some people voicing stupid comments like "why didn't you release this sooner" and "why not release the payload" to @flat_z , please keep in mind this work took him *MONTHS* and he did it for *FREE*, so nobody has any right to complain.
@SpecterDev
Specter
21 days
XOM also plays a role: even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon.. 2/2
@SpecterDev
Specter
6 years
I think I'm going to try to focus efforts on fixing the suspend/wakeup issues with Mira now that I have a bit more time, as they're quite annoying.
@SpecterDev
Specter
6 years
Almost forgot to include js_shellcode.py - my Python script to convert payloads to shellcode - you'll need to use this if you want to update Mira/HEN (and reintegrate) or add a custom payload to auto launch. Usage: python js_shellcode.py [.bin] code_addr
@SpecterDev
Specter
6 years
Just to put this out there - I know some are having issues with the system black screening when rebooting out of sleep mode, though I believe this is an issue with Mira, not the exploit itself. It's on the to-do list. Hold power button down for ~10s to force shutdown and reboot.
@SpecterDev
Specter
2 years
Ya know, when the PS5 is rebooting from a panic and it spins for 5 minutes because it's firewall'd waiting to connect to reporting servers, I forget I even turned it back on most of the time until like 15-30min later.
@SpecterDev
Specter
8 months
I'm gonna do a stream in about 5-10 minutes reversing some AMD PSP stuff and also just chilling discussing summer stuff.
@SpecterDev
Specter
3 years
(hopefully not but probably) RIP old friend
@SpecterDev
Specter
4 years
I wrote a blog post on some of the interesting challenges I encountered porting MUSL to PS4, including that weird FreeBSD syscall patch which clears R8-R10 on sysret.
@SpecterDev
Specter
6 years
A few days ago I finally started working on the Guitar Hero clone engine that I've been wanting to do for so long. Partially for fun/learning, partially because I want to port it to homebrew for the PS4/Switch eventually. I now have the highway + notes rendering at low-level :)
@SpecterDev
Specter
4 years
All a hacker needs for a kernel exploit is 15% of a bug
@SpecterDev
Specter
5 years
0A0E5C02B1422D2E3DAE563CED69E8C3F529195B63F97FC5E42C6A699940A307 :)
@SpecterDev
Specter
6 years
PSA: Please stop mass tagging people, it never yields the response you want, and it can get a bit annoying when so many people start doing it :(
@SpecterDev
Specter
5 years
@grantstern @pewdiepie As if he has control over what people say on the other side of the world you ridiculous person
@SpecterDev
Specter
4 years
For all the C++-ers out there, here's release v0.4 of the PS4 toolchain, which adds libcxx support for building C++ homebrew. Also features a fancy new Windows installer!
@SpecterDev
Specter
5 years
As an add-on, the exploit in question isn't like the ConcatMemcpy one that was posted a few months ago - that wasn't a complete exploit, only an infoleak. The one that was patched granted code execution in userland.
@SpecterDev
Specter
6 years
For Halloween this year I'm gonna be something super scary
@SpecterDev
Specter
6 years
Would like to pose a thought to those who feel we should be encouraging piracy as devs: When really shitty mechanisms are thrown into games that make it P2W (EA Battlefront II) - do you think piracy will make this better going forward? It'll just encourage more micro-tx schemes.
@SpecterDev
Specter
1 year
Maybe... possibly... conceivably!
@hardwear_io
hardwear.io
1 year
🎮 Can anyone explain what's happening here ⤵️ #hw_ioUSA2023
@SpecterDev
Specter
4 years
PS5 showcase was weak. Almost everything they showed released in 2021. Wow, I'll be able to play PS4 games on the PS5 at launch and nothing else. Stonks. Not like I could play those PS4 games on PS4.
@SpecterDev
Specter
7 years
Got kernel RIP control :)
@SpecterDev
Specter
6 years
Finally got around to launching a proper blog :)
@SpecterDev
Specter
2 years
Ok seems I might have been a bit wrong here - WebKit gadgets might be the same after all as it seems 4.03 and 4.50 might run the same WK build :) So just the kernel offsets would need porting, which can be RE'd with read primitive and dumping .data.
@SpecterDev
Specter
2 years
Seeing some people curious about firmware (4.03/4.50) with the webkit/kernel chain. From what I know webkit exploit should work on 4.50 (haven't tested myself), but you'd need to bruteforce ROP gadgets or dump the modules with bd-j exploit. I did 4.03 as I had chendo's gadgets.
@SpecterDev
Specter
5 years
Stay safe PS4 players
@NSAGov
NSA/CSS
5 years
It takes 60 seconds to talk to your kids about #cybersecurity and make them #CyberAware
@SpecterDev
Specter
6 years
I've also uploaded a test payload you can use after the kernel exploit runs that jailbreaks and patches the kernel to allow access to debug settings, just needs to be netcatted to the loader via port 9020.
@SpecterDev
Specter
6 years
Seems @i41nbeer's iOS bug with MPTCP is similar to the PS4 4.05 kernel exploit (namedobj) strategy with 4.05 - abusing memory corruption on a kobject to establish an arbitrary free() primitive. Very cool :)
@SpecterDev
Specter
1 year
Sony's decision to use liquid metal as a TIM never made sense imo. It's a cut down zen 2 APU that shouldn't need it, it makes maintenance stupid and expensive, it's more risky, and it makes it more expensive to manufacture. It's bad any way you look at it.
@frwololo
Wololo
1 year
You’re killing your PS5 by using it vertically, due to a design flaw by Sony, according to hardware experts
@SpecterDev
Specter
3 years
75 servers using REBot😲 Awesome to see it's found to be useful to so many servers/people.
@SpecterDev
Specter
3 years
In reality, this is gonna be the case with all exploits on 7.0x regardless of the kernel exploit unless a new webkit exploit comes along.