Thursday 28 January 2016

Is a PS4 Jailbreak usb device in the works?

I am receiving enough questions about this that I feel an article is now required.
There are growing rumors that a group affiliated with the Cobra team (a team known for some of their PS3 hardware mods, and the same team that announced the yet-to-be-released Cobra Blackfin for the PS Vita) has been working on a PS4 Jailbreak USB dongle.
The device, named “USB Whistle”, would allegedly allow people to run pirated games on the latest PS4 firmware, 3.15, and be released in February this year. The group also claims they will be releasing a CFW for that PS4 firmware sometime in March.
After some research, most of the rumors about that group actually originate directly from the group’s own Twitter account, and so far there is absolutely no evidence that this Twitter account, or the group behind it, is legit.
On the contrary, some of that group’s claims are so obviously incorrect that it is probably safe to dismiss them as fake for now.
For example, they state that their dongle will be available on Amazon for $50, on February 25th. It is pretty obvious that Amazon would not sell such an illegal device, and that this kind of tweet is complete BS.
(Image: the group’s tweet about the PS4 jailbreak USB dongle)
Although the broken English gives an exotic “foreign team of hackers in an unregulated country” twist to that Twitter account, so far there is no reason to believe anything they say is legit.

Wednesday 27 January 2016

PS3 Custom Firmware 4.78 Rebug REX/D-REX has been released

Korean developer Joonie from Team Rebug did it once again: he published today the Rebug CFW REX and D-REX for Firmware 4.78. This is not only a port to 4.78; with this release he also added the XMB CFW settings developed by mysis. You are probably wondering what these “XMB CFW settings” are.
CFW Settings v0.1 (xai_plugin) is an add-on for the XMB, developed by mysis. The plugin is disabled by default, but it can be enabled via REBUG TOOLBOX 2.02.09.
Features:
  • XMB Icons for nice CFW tasks, available in Network Column
  • Simply select and it’s executed!
  • Rebug Settings – Toggle COBRA and Debug Menu Type
  • Dump Tools – Klicense, File Secure ID, IDPS, Disc Hash key
  • Service Tools – Display Minimum Downgrade FW Version, Rebuild Database, Check File System, Entering Recovery Mode (NOR Models Only)
  • Advanced Service Tools – Entering FSM (do NOT install firmware while in FSM, as that may lead to an RSOD), Remarry BD drive, and RSOD fix
With those added, he also added support for XMB Manager Plus. This manager is multifunctional: it not only lets you install package files on your PS3, it also comes with a bunch of features such as a download manager. Like all custom firmwares, you can only install these if your PS3 is already running a Custom Firmware, or Official Firmware 3.55 or below.

FEATURES FOR REBUG REX/D-REX EDITION

    • FEATURE – Dual LV2 Kernels CEX/DEX
      (Swap your EID0/LV2 kernel using Rebug Toolbox in seconds)
    • FEATURE – ALL Retail functions available in CEX mode (No need to install different firmware)
    • FEATURE – ALL Debug functions available in DEX mode (No need to install different firmware)
    • FEATURE – FULL ProDG Connectivity in DEX mode (Full Support on both Normal mode and Cobra mode)
    • FEATURE – QA Token compatibility
    • FEATURE – OtherOS++ support enabled (Use Rebug Toolbox to Boot OtherOS with different LV1 patches)
    • FEATURE – Package Manager
      (Replacement for the standard ‘Install Package Files’ option)
    • INCLUDED – Rebug Toolbox 02.02.09 *UPDATED
      (Install included Rebug Toolbox or higher for full compatibility)
    • PATCHED – Appldr: LV2 memory hash check is disabled
      (Memory protection on LV2 is disabled in higher level)
    • PATCHED – LV1: Disable System Integrity Check
      (Safe to use with mismatched COREOS/SYSCON versions or if PS3 is not QA enabled)
    • PATCHED – LV1: Undocumented function 114
      (Allow mapping of protected memory)
    • PATCHED – LV1: Skip all ACL Checks
      (Needed to allow booting of OtherOS)
    • PATCHED – LV1: Peek and Poke support
      (Unused LV1 call 182 and 183)
    • PATCHED – LV2: Peek and Poke support
      (LV2 Syscall 6 and 7)
    • PATCHED – LV2: Peek and Poke support for LV1
      (LV2 Syscall 8 and 9)
    • PATCHED – LV2: LV1 CALL System call
      (LV2 Syscall 10)
    • PATCHED – Recovery: Prevent accidental OFW update while on Recovery mode
    • PATCHED – VSH: Allow Unsigned act.dat and *.rif files
    • PATCHED – VSH: Disable Unlinking/Deleting of act.dat
      (Improved patches applied)
    • PATCHED – VSH: Disable NEW PSP DRM Check
      (Allowing unsigned PSP pkg contents on 4.78 or higher CFW)
    • PATCHED – VSH: Disable Epilepsy Warning for Faster Boot-Up Speed
    • FUN FEATURE – Fake Save Data Owner
      (Use Game Saves from ANY Owner)
    • FUN FEATURE – In Game Screenshot
      (Allows taking screenshots in Game)
    • FUN FEATURE – Disabled flag check in PARAM for Remote Play
      (For better compatibility with remote play, custom flags in PARAM are recommended)
    • FUN FEATURE – Lock/Unlock Trophies (Offline only)
    • FEATURE – Cinavia protection fully disabled
      (Supports optical media/bd iso, AACS must be decrypted)
    • FEATURE – Full BD/DVD Playback support on both CEX/DEX mode
      (BD/DVD movies can now be played on DEX mode, major thanks to mysis!)
    • FEATURE – Cobra 7.2
      (Disabled by default, Toolbox required to enable)
    • FEATURE – 1.43.25 MOD REBUG EDITION *UPDATED
      (Full webMAN integration, supports both CEX/DEX 4.78)
    • FEATURE – XMB CFW settings v0.1a *NEW
      (XMB icons for simple CFW tasks available via REBUG TOOLBOX 2.02.09)
    • FEATURE – PSN/SEN Accessibility
      (PSN/SEN accessible, until the next OFW update)
    • FEATURE – XMBM+ Compatibility *NEW
      (XMB Manager Plus developed by Team XMBM now supported via standalone pkgs.)
Download: Rebug.me
Source: evilsperm on Twitter

Exploits updated to support 3DS 10.4, Nintendo releases Firmware 10.5

Developer Yellows8 has released an update to his popular BrowserHax and MenuHax 3DS exploits to work with the recently released 3DS firmware 10.4. He also updated oot3DHax to work with firmware 10.4 (oot3DHax requires a legit copy of the popular game The Legend of Zelda: Ocarina of Time 3D in order to run). These hacks work on the Old 3DS as well as the New 3DS.
BrowserHax runs directly in your 3DS browser and is the most popular starting point. You can point your 3DS browser here to get started. You’ll then want to install MenuHax on top of it (MenuHax 2.2 can be downloaded here).
Once your 3DS is hacked, get the 3DS homebrew starter kit from Smealum’s site and install it on your 3DS.
It appears Nintendo released a new update, firmware 10.5.0, mere hours after Yellows8 published his updated hacks. Although this does not seem to impact the hacks, it’s recommended you stay away from that latest update for now.

The official changelog says 3DS Firmware 10.5 brings “Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience”.
Source: Smealum

Tuesday 19 January 2016

Kernel Keys for Wii U IOSU 5.5.1 revealed

Developer Hykem has generated some controversy with his upcoming IOSU exploit, but has published additional proof that the exploit is real: the Wii U kernel keys. The release date for Hykem’s IOSU exploit has been delayed a few times. Some people have been doubting that the exploit even exists, but knowing Hykem’s history on pretty much all gaming consoles, it’s safe to say the naysayers couldn’t be more wrong.
Nevertheless, to quiet the doubters, Hykem published a screenshot showing the Wii U ancast and vWii common keys, or at least a large part of them. Accompanying the picture was a “happy bruteforcing” message, a way of saying that people with the right tools and knowledge will be able to confirm, with some effort, that his keys are the real deal.
(Image: screenshot of the Wii U 5.5.1 kernel keys posted by Hykem)
Developer Crediar then published the full keys on his Twitter account in reply to Hykem, who acknowledged the result with a smiley.
This is also Hykem’s confirmation that his IOSU exploit works on the recently released Wii U firmware 5.5.1.
Hykem has recently followed up on his release on GBATemp. He had recently promised a release by the end of January, but it seems this might get delayed again, as he is looking for ways to obfuscate his code in an attempt to delay Nintendo patching the exploit. Hykem also decided to use Yellows8’s recently released MP4 exploit, which has been confirmed to work up to the latest firmware 5.5.1. This allows Hykem to keep his own userland exploit for future use.
Hykem advises people not to update their Wii U and to block future updates from Nintendo, as they will most likely implement patches in their next firmware update. Blocking updates is done by blocking some specific IP addresses at the router level; this is easier than it sounds and you can google for it.
Hykem’s full statement:
In case you were afraid to deduce it from the screen I posted, yes, the hack works up to 5.5.1. However, I strongly recommend everyone to start blocking updates. That’s why I announced I was working on IOSU in the first place, to raise awareness.
I reached IOSU in 5.5.1 using a different bug (another lame UAF in WebKit) than yellows8’s, but the libstagefright one is much more reliable and it’s already public. Which means that the release for 5.5.1 will be using yellows8’s exploit while I keep the crappy one I used private.
Beware that Nintendo will likely push a big update to the Internet Browser anytime soon (I believe it’s logical to deduce that), which will quite likely patch (properly) both the libstagefright bugs and other previously unpatched WebKit bugs (the one I mentioned included).
Marionumber1 also made a solid point about investigating userland bugs in areas not related to the browser (like Mii data, for example), which is something we will likely investigate soon.
Aside from all that, the exploit just needs obfuscation to be released. Like I stated before, the obfuscation layers will be complex which will take time to implement properly. If any delays follow, they will be strictly related to the obfuscation of the exploit.
Also, I mentioned that my “vacations” are extended to the end of February, but that doesn’t mean the exploit will only be released by then. I’m guessing it will be done quite before that, but right now it’s just a matter of getting it right so Nintendo won’t patch it as soon as it comes out.

Sources: Hykem, GBATemp

CTurt publishes new PS4 Kernel exploit details (sys_dynlib_prepare_dlclose PS4 kernel heap overflow)

Hacker CTurt, known for sharing much of his work on PS4 vulnerabilities and in particular a PS4 kernel exploit, has today published an explanation of a new PS4 kernel vulnerability, a heap overflow.
The vulnerability was patched around firmware 2.00, so it will not be useful for people expecting a PS4 hack on the latest firmware 3.15. CTurt also announced that he will not release a fully weaponized exploit, and is only sharing the knowledge of how the vulnerability was exploited.
But this new article from CTurt brings some interesting information to the “end user”:
First, it seems CTurt hasn’t fully stopped working on the PS4, unlike what he announced a few weeks ago. He is apparently actively working on the PS4 with other hackers such as Qwertyoruiop (a well-known hacker famous for his work on iOS, among other things).
Second, it seems there are lots of potential exploits on the PS4. As Qwertyoruiop stated later in the day: there’s a “ton of attack surface..”
This seems to confirm what Fail0verflow stated a few weeks ago: “We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble”
The vulnerability itself lies in the function sys_dynlib_prepare_dlclose and some of its internal calls such as copyin. Full details can be found in CTurt’s article.
(Image: dlclose PS4 kernel exploit)
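In the general case, a heap overflow reached through copyin is a copy whose length the kernel did not bound before trusting it. The following is an added illustration for this page, not CTurt’s code and not the PS4 kernel’s sys_dynlib_prepare_dlclose; every name in it (struct entry, MAX_ENTRIES, fake_copyin, handle_request, run_sample) is hypothetical. It contrasts a length check that multiplies before comparing, which an oversized count can wrap past, with one that bounds the element count before any arithmetic and then copies into a fixed-size heap buffer.

```c
/* Added illustration, not CTurt's code and not the PS4's actual
 * sys_dynlib_prepare_dlclose: the validation a kernel request handler
 * needs before copying a caller-supplied array into a fixed-size heap
 * buffer. struct entry, MAX_ENTRIES, fake_copyin(), handle_request()
 * and run_sample() are hypothetical names chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16 /* capacity of the kernel-side heap buffer (constructed) */

/* One element of the hypothetical caller-supplied array (8 bytes). */
struct entry {
    uint32_t id;
    uint32_t flags;
};

/* Stand-in for the kernel's copyin(): copy len bytes from "user" memory
 * into kernel memory. Here both are ordinary buffers in one process. */
static int fake_copyin(const void *uaddr, void *kaddr, size_t len)
{
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Broken check: multiplies first and compares afterwards. A huge count
 * wraps the product around to a small byte count and passes the check;
 * a copy sized from that count would then run past the heap buffer.
 * This function only evaluates the predicate and never copies. */
bool naive_length_ok(size_t count)
{
    size_t bytes = count * sizeof(struct entry); /* may wrap */
    return bytes <= MAX_ENTRIES * sizeof(struct entry);
}

/* Hardened check: bound the element count itself before any arithmetic,
 * and refuse any count whose byte size would not fit in size_t. */
bool checked_length_ok(size_t count)
{
    if (count > MAX_ENTRIES)
        return false;
    if (count > SIZE_MAX / sizeof(struct entry))
        return false;
    return true;
}

/* Hypothetical request handler: validate, allocate the fixed buffer, copy.
 * Returns 0 on success and -1 when the request is rejected; on success
 * *out_copied holds the number of entries copied. */
int handle_request(const struct entry *user_entries, size_t count,
                   size_t *out_copied)
{
    if (!checked_length_ok(count))
        return -1;
    struct entry *kbuf = malloc(MAX_ENTRIES * sizeof(struct entry));
    if (kbuf == NULL)
        return -1;
    fake_copyin(user_entries, kbuf, count * sizeof(struct entry));
    *out_copied = count;
    free(kbuf);
    return 0;
}

/* Runs the handler on a constructed MAX_ENTRIES-element "user" array with
 * the given count; returns the number of entries copied, or 0 if rejected. */
size_t run_sample(size_t count)
{
    struct entry sample[MAX_ENTRIES];
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        sample[i].id = (uint32_t)i;
        sample[i].flags = 0;
    }
    size_t copied = 0;
    if (handle_request(sample, count, &copied) != 0)
        return 0;
    return copied;
}

int main(void)
{
    /* A valid request is copied; one entry too many is rejected up front. */
    return (run_sample(3) == 3 && run_sample(MAX_ENTRIES + 1) == 0) ? 0 : 1;
}
```

The point of the two predicates is the order of operations: naive_length_ok accepts a count of SIZE_MAX / sizeof(struct entry) + 1 because the product wraps to zero, while checked_length_ok rejects it (and anything above MAX_ENTRIES) before a single byte is copied.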

What I find particularly interesting here is how FreeBSD is used as the experimentation and debugging environment for CTurt’s work. Hacking a console is often done by running a debugger directly on the console, on a previously exploited version of the firmware, with the “first exploit” being the hard one (and sometimes, throughout the history of hacking, involving illegally acquired dev units or SDKs). Here the work is done on a FreeBSD image that has been compiled to be “as close as possible” to the version running on the PS4. This lets CTurt develop proof of concepts with all the comfort of his computer, and then tweak them on the real device. Although I know security through obscurity is not great, it seems that using an open source OS as the base for the PS4 system does not work in Sony’s favor from the hacking perspective.
A kernel exploit on the latest PS4 firmware 3.15 would be invaluable for the PS4 scene right now, as it is the key component missing to run Fail0verflow’s Linux port on the PS4.
We keep up-to-date details on the latest status of PS4 hacking on our PS4 Jailbreak page.
Source: CTurt on twitter, thanks to everyone who tipped me on this, including CTurt himself!

Saturday 16 January 2016

3DS: Gateway 3DS Beta 3.7 brings emuNAND 10.3 support to New 3DS

Gateway 3DS released an update to their “popular” Gateway 3DS flashcard for the Nintendo 3DS. This latest update brings support for emuNAND 10.3 on the New 3DS. Don’t be mistaken though: this does not let users on firmware 10.3 use a Gateway 3DS on their console! It lets users running a 9.2 (or lower) 3DS access the eShop and other official Nintendo features, if they have a Gateway 3DS.
Confused? Me too, so let’s get back to the basics:

What is emuNAND?

emuNAND is basically a way to “dual boot” your 3DS into two firmwares: an older firmware (such as 9.2), which is the real firmware on your console, and the latest firmware (e.g. 10.3), which is a “fake” firmware used to access the latest official Nintendo features from your older console. EmuNAND is necessary because flashcards do not work on the latest 3DS firmwares.
From the emuNAND author:
This tool can be used to extract the NAND file from an emuNAND SD card and to inject a NAND file into the emuNAND SD card.
The extracted NAND file is a fully working 3DS NAND file and is also flashable to the 3DS.
Supported emuNANDs: Gateway and clones like R4i Gold 3DS Deluxe Edition, 3DS Link, Orange 3DS, MT Card
The emuNAND SD gets detected automatically!
To inject a NAND file, the SD card has to already contain an emuNAND partition.
What is NOT possible?
This tool does not enable you to magically use the Gateway (and clones) on a non-4.x system version.
You can’t inject games.
You can’t flash the Gateway mode to the 3DS.
You can’t modify the firmware (no region bypass, backups,…).
You can’t extract any keys.
You can’t downgrade your 3DS with this tool. It only modifies the emuNAND on your SD card.
You can’t use a NAND from another 3DS on your 3DS.
In other words, emuNAND lets you fake a 10.3 firmware on your 9.2 console, and the 10.3 fake firmware is now supported for Gateway 3DS owners. It does not let you magically get the Gateway 3DS on a 10.3 console.
A few weeks ago, Gateway had announced support for Firmware 10.3 on the Gateway 3DS. If this is what they had in mind, then although I’m sure Gateway 3DS users will be happy about this release, it is slightly disappointing for those who were awaiting actual support for consoles on 10.3.

Gateway Ultra 3.7 Public Beta

The latest beta from Gateway 3DS can be downloaded from their official site.
The full announcement from Gateway 3DS:
Today we are back with another BIG update! Let’s see what is new:
  • Latest emunand (10.3) support for New 3DS!
  • Cheat code edit bug fixed
That’s right! From the start we promised you New 3DS emunand support for later firmware versions after 9.6, and today is that day!
We always deliver and with this new update you can finally update emunand on New 3DS to the latest 10.3 firmware!
We also fixed a bug when trying to edit an existing cheat code from the cheat config menu, as it was not always showing the proper code.
That’s it for now, and more to come soon!
And as always, ENJOY!
Source: Gateway

Wii U 5.5.1 Browser exploit: Yellows8’s browserhax exploit for 5.5.0 works out of the box in 5.5.1

So, remember a few days ago when Nintendo released Wii U firmware 5.5.1, and Yellows8 decided to release his browserhax exploit for 5.5.0 because 5.5.1 was patching it? Well, it turns out Wii U 5.5.1 didn’t patch the exploit after all.