Tuesday 15 December 2015

PS4 hack: CTurt showcases the filesystem root and processes in RAM

News keeps pouring in about the recently revealed PS4 kernel exploit. CTurt, the hacker behind the announcement, posted a "tease" on Twitter earlier today: a dump of the PS4's root filesystem, as well as the processes running in the PS4's RAM. Details below.
The filesystem root shows some similarities with a standard FreeBSD install, with folders such as /dev and /mnt.
PS4-specific files also show up, such as SceBootSplash.elf and SceSysAvControl.elf. ELF files are executables; it is safe to assume all of these are encrypted, but it would be interesting to understand how easily they can be replaced (although messing with them sounds like a bad idea, given that they might be essential at boot time, a point at which the hack is probably not running).
Notice also the "update" folder, which is pretty much self-explanatory and already existed on the PSP and the PS3.
[+] Entered shellcode
[+] UID: 0, GID: 0
[DIR]: .
[DIR]: ..
[DIR]: adm
[DIR]: app_tmp
[DIR]: data
[DIR]: dev
[DIR]: eap_user
[DIR]: eap_vsh
[DIR]: hdd
[DIR]: host
[DIR]: hostapp
[FILE]: mini-syscore.elf
[DIR]: mnt
[DIR]: preinst
[DIR]: preinst2
[FILE]: safemode.elf
[FILE]: SceBootSplash.elf
[FILE]: SceSysAvControl.elf
[DIR]: system
[DIR]: system_data
[DIR]: system_ex
[DIR]: system_tmp
[DIR]: update
[DIR]: usb
[DIR]: user
The processes, here again, are a mix of typical processes and PS4-specific ones. Look for the Sce* names for Sony-specific processes, as well as orbis_* (Orbis was the development codename for the PS4).
[+] PID 0, name: kernel, thread: mca taskq
[+] PID 1, name: mini-syscore.elf, thread: SceRegSyncer
[+] PID 2, name: SceHidAuth, thread: SceHidAuth
[+] PID 3, name: hidMain, thread: hidMain
[+] PID 4, name: SceCameraDriverMain, thread: SceCameraDriverM
[+] PID 5, name: SceCameraSdma, thread: SceCameraSdma
[+] PID 6, name: hdmiEvent, thread: hdmiEvent
[+] PID 8, name: xpt_thrd, thread: xpt_thrd
[+] PID 9, name: iccnvs, thread: iccnvs
[+] PID 10, name: audit, thread: audit
[+] PID 11, name: idle, thread: idle: cpu0
[+] PID 12, name: intr, thread: irq273: xhci2
[+] PID 13, name: geom, thread: g_notification
[+] PID 14, name: yarrow, thread: yarrow
[+] PID 15, name: usb, thread: usbus2
[+] PID 16, name: md0, thread: md0
[+] PID 17, name: icc_thermal, thread: icc_thermal
[+] PID 18, name: sflash, thread: sflash
[+] PID 19, name: sbram, thread: sbram
[+] PID 20, name: trsw intr, thread: trsw intr
[+] PID 21, name: trsw ctrl, thread: trsw ctrl
[+] PID 22, name: SceBtDriver, thread: SceBtDriver
[+] PID 23, name: pagedaemon0, thread: pagedaemon0
[+] PID 24, name: pagedaemon1, thread: pagedaemon1
[+] PID 25, name: vmdaemon, thread: vmdaemon
[+] PID 26, name: bufdaemon, thread: bufdaemon
[+] PID 27, name: syncer, thread: syncer
[+] PID 28, name: vnlru, thread: vnlru
[+] PID 29, name: softdepflush, thread: softdepflush
[+] PID 31, name: SceSysAvControl.elf, thread: SceAvSettingPoll
[+] PID 33, name: SceSysCore.elf, thread: SysCoreAppmgrWat
[+] PID 34, name: orbis_audiod.elf, thread: AoutMonitorPid40
[+] PID 35, name: GnmCompositor.elf, thread: CameraThread
[+] PID 36, name: SceShellCore, thread: SceMsgMwSendMana
[+] PID 38, name: SceShellUI, thread: SceWebReceiveQue
[+] PID 39, name: MonoCompiler.elf, thread: MonoCompiler.elf
[+] PID 40, name: SceAvCapture, thread: SceAvCaptureIpc
[+] PID 41, name: SceGameLiveStreamin, thread: SceGlsStrmJobQue
[+] PID 42, name: ScePartyDaemon, thread: SceMbusEventPoll
[+] PID 43, name: SceVideoCoreServer, thread: SceVideoCoreServ
[+] PID 44, name: SceRemotePlay, thread: SceRp-Httpd
[+] PID 45, name: SceCloudClientDaemo, thread: SceCloudClientDa
[+] PID 46, name: SceVdecProxy.elf, thread: proxy_ipmi_serve
[+] PID 47, name: SceVencProxy.elf, thread: SceVencProxyIpmi
[+] PID 48, name: fs_cleaner.elf, thread: fs_cleaner.elf
[+] PID 49, name: SceSpkService, thread: SceSpkService
[+] PID 50, name: WebProcess.self, thread: selectThread
[+] Entered main payload
[+] PID 51, name: orbis-jsc-compiler., thread: SceFastMalloc
[+] Triggering second kernel payload
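As an added example (it is not part of the post and not CTurt's code), here is a small Python parser that takes the process dump in the run-together form it arrives in when copied from the tweet, with one or several "[+] PID" entries per line, splits it into records, sorts them by PID, tags each as kernel, Sony (Sce*/orbis*) or base-system, and lists the PIDs missing from the range. That is the first step of an inventory of what runs on the box. The sample input is constructed from a few of the lines above; the 19- and 16-character name widths it checks against are observations from this dump, treated as an assumption about fixed-size name fields rather than something the page documents.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries from the dump above, kept in the
# run-together, out-of-order form in which they were extracted from the tweet.
SAMPLE_DUMP = """\
[+] Entered shellcode
[+] UID: 0, GID: 0
[+] PID 0, name: kernel, thread: mca taskq
[+] PID 4, name: SceCameraDriverMain, thread: SceCameraDriverM
[+] PID 3, name: hidMain, thread: hidMain
[+] PID 14, name: yarrow, thread: yarrow [+] PID 15, name: usb, thread: usbus2 [+] PID 16, name: md0, thread: md0
[+] PID 33, name: SceSysCore.elf, thread: SysCoreAppmgrWat [+] PID 34, name: orbis_audiod.elf, thread: AoutMonitorPid40
[+] PID 45, name: SceCloudClientDaemo, thread: SceCloudClientDa
[+] PID 51, name: orbis-jsc-compiler., thread: SceFastMalloc
[+] Triggering second kernel payload
"""

# One process record. The lazy ".+?" plus the lookahead lets several records
# share one physical line, as they do in the extracted dump.
PROC_RE = re.compile(r"\[\+\] PID (\d+), name: (.+?), thread: (.+?)(?= \[\+\]|$)")

# Observed in the dump: no process name exceeds 19 characters and no thread
# name exceeds 16 ("SceCloudClientDaemo" / "SceCloudClientDa"). Reading those
# as the width of fixed-size name fields is an assumption, not a documented fact.
NAME_LIMIT = 19
THREAD_LIMIT = 16

SONY_PREFIXES = ("Sce", "orbis_", "orbis-")


def classify(name):
    """Coarse origin tag: the kernel itself, a Sony component, or a base-system process."""
    if name == "kernel":
        return "kernel"
    if name.startswith(SONY_PREFIXES):
        return "sony"
    return "base"


def parse_processes(dump):
    """Return records sorted by PID, one per '[+] PID ...' entry, however many share a line."""
    records = []
    for line in dump.splitlines():
        for m in PROC_RE.finditer(line):
            pid, name, thread = int(m.group(1)), m.group(2), m.group(3)
            records.append({
                "pid": pid,
                "name": name,
                "thread": thread,
                "origin": classify(name),
                # A name sitting exactly at the field width may have been cut off.
                "name_maybe_truncated": len(name) >= NAME_LIMIT,
                "thread_maybe_truncated": len(thread) >= THREAD_LIMIT,
            })
    return sorted(records, key=lambda r: r["pid"])


def summarize(records):
    """Count of records per origin tag."""
    return Counter(r["origin"] for r in records)


def missing_pids(records):
    """PIDs absent from the otherwise contiguous range: exited processes or entries never listed."""
    seen = {r["pid"] for r in records}
    return [p for p in range(min(seen), max(seen) + 1) if p not in seen]


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_DUMP)
    for r in procs:
        flag = " (name at field width)" if r["name_maybe_truncated"] else ""
        print(f"{r['pid']:>3} {r['origin']:<6} {r['name']:<20} {r['thread']}{flag}")
    print("by origin:", dict(summarize(procs)))
    print("gaps:", missing_pids(procs))
```

Running it prints the sample sorted by PID with each entry tagged, then a per-origin count and the PID gaps. On the full dump the same regex copes with the lines that carry five entries, and the truncation flags pick out exactly the names (SceCameraDriverMain, SceGameLiveStreamin, SceCloudClientDaemo, orbis-jsc-compiler.) whose real names are probably longer than what the dump shows.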
This is not much at this point; it just shows that CTurt has access to the RAM and can look at all the running processes (which would generally confirm root access), but it's still super exciting to think about what could be done moving forward.
The kernel exploit has been confirmed to work up to PS4 firmware 1.76, and no release date has been announced yet. We have explained, however, how this PS4 exploit could benefit recent firmwares such as 3.11. Stay tuned!
