Thursday, 21 April 2016

Proof of concept webkit exploit running on PS4 firmwares 2.xx

Developer Fire30 released a webkit exploit proof of concept for the PS4, ported from a webkit heap buffer overflow revealed in 2014. I haven’t tested this myself, and this is still unconfirmed information at this point.
Fire30 says the exploit should run on any PS4 firmware below 2.50, although he mentions parts of the exploit implementation will only work on firmware 2.03, presumably because this is the firmware he’s using to write the code.
There’s not much to be said about this at this point, although in theory the kernel exploits BadIRET and dlclose could be ported to this exploit, if confirmed legit: it has been mentioned these kernel exploits are compatible up to firmware 2.xx, and the only thing preventing those from being used on any other firmware than 1.76 so far was because the only publicly available userland exploit has been the 1,76 webkit exploit.
CVE-2014-1303
A port of the dlclose exploit to this new webkit vulnerability could bring some Linux joy to more PS4 users, and help decrease the current asking price for hackable PS4s.

Download and install the CVE 2014-1303 Proof Of Concept for PS4

You can Download Fire30’s proof of concept on his github here. You’ll need a PS4 running below firmware 2.50, ideally firmware 2.03. According to the readme:
a poc for the CVE 2014-1303 originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50, the ROP test will however only work on 2.03.
Usage
You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run
python fakedns.py -c dns.conf
then
python server.py
Debug output will come from this process.
Navigate to the User’s Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.

fire30 credits the following people, in addition to Liang Chen who revealed the vulnerability in 2014:
thexyz
dreadlyei
If you happen to have a PS4 running a firmware below 2.50, and have the skills to 1) confirm that this is true and 2) try and get the dlclose exploit to run on this, then by all means, help the PS4 scene :)
Otherwise… stay tuned!
source: github, thanks to @isset_asset

Monday, 4 April 2016

Cemu (Wii U emulator for Windows) updated to 1.4.0c, improves speed & graphics

Exzap, the dev behind the wildly popular Wii U emulator Cemu, has recently released an update that brings it up to version 1.4.0c.

Cemu Wii U emulator changes in 1.4.0.c

According to Exzap, this latest version improves the graphics and CPU emulation by a significant amount. The full changelog from the announce:

  • Added PowerPC JIT recompiler (up to 5-6 times faster CPU emulation)
  • Decreased shader compilation stutter
  • Improved audio emulation
  • Large improvements to graphics emulation
  • Tons and tons of smaller changes and bugfixes
Exzap mentions a few known limitations about Cemu 1.4.0:
  • CEMU does not work with AMD’s graphic driver 16.3 and upwards. This issue will likely be fixed in the next CEMU release.
  • Some games don’t boot or randomly crash when recompiler is enabled.
Cemu_1_4_0
Hey, these are pretty ok limitations, knowing that Cemu wasn’t working at all on AMD not so long ago. Great to see steady progress here :)
As with every new Cemu release, users so far are welcoming the new improvements. User SimonBestia on GBATemp says:
Super Mario Maker is running at 56-60fps on my PC!
It ran around 24fps on 1.3.3, now THAT’S a massive speed up!
Several users are reporting twice as much FPS on several games, others are reporting that games are now playable on Cemu with lower end configurations that did not work with former version 1.3.3. Overall, the feeling is that this version dramatically improves performance.

Download Cemu 1.4.0c

Sunday, 3 April 2016

Release: Fully operational dlclose exploit + Linux for PS4, by kR105

The name kR105 might ring a Bell to you because this developer has been credited a lot recently by CTurt on his PS4 hack work. Today, kR105 popped up on our forums to release something that lots of us had been chasing for a while: a fully operational dlclose exploit. He also emailed me to mention he has now integrated support for booting Linux straight from the PS4-Playground tools, and, icing on the cake, also provided the actual PS4 Linux files to use with the tools.
In other words, kR105 is closing the gap here, releasing everything you need to run Linux on your PS4. This is not a drill or a proof of concept video, people. The files are up for anyone to grab. I haven’t tested them myself though, because I’ve still beenhesitating on getting a 1.76 PS4, but I’m regretting not having one every day that goes by. If you’re the lucky owner of a PS4 1.76 though (we have an article here on where you might be able to get one), now’s the right time to test this! Furthermore, there’s absolutely no reason to doubt this release is real, given that it initiates strait from kR105, in CTurt’s github. Also CTurt confirmed this release to me earlier today.

So, what was just released by kR105?

A fully functional dlclose exploit. The exploit had been released about a week ago, and several people had been able to take it further, but there were still issues on how the publicly available code was working, crashing as soon as the exploit was attempting to return to userland. kR105’s release fixes all of that, it includes root, sandbox escape and jailbreak. This exploit is what you’ll want to run your native code on a 1.76 PS4
dlclose PS4 Kernel exploit
The dlclose kernel exploit was released a few days ago
An update to PS4-Playground to run Linux. Another missing link here, that will let people launch linux without having to write their own loader. The launcher integrates the dlclose exploit if I understand correctly. From the Readme:

You need a FAT32 formatted USB drive plugged in on any PS4’s USB port with the following files on the root directory:
bzImage : Kernel image that will be loaded. Recommended to use this sources to compile it.
initramfs.cpio.gz : The initial file system that gets loaded into memory during the Linux startup process. This one is recommended.
The file names must match with the above and you can have more files on the same USB drive. From there you can setup the environment to run from an NFS share or from an external drive via USB (recommended) and boot a complete distro!


linux_loader
A Compiled distro of Linux for the PS4. kR105 has the files bzImage and initramfs.cpio.gz ready for anyone to grab, so you don’t have to compile your own version. In his words: “those files should get you into linux with a nice bash console on your tv”.

Downloads

Update: As pointed out by CTurt, you can simply download the compiled Linux files, put them on a FAT32 USB stick that you’ll connect to your 1.76 PS4, and test directly by going to the PS4 Playground live Demo here.
Wow, now that’s a good start for the weekend!