
Sunday, 3 April 2016

Release: Fully operational dlclose exploit + Linux for PS4, by kR105

The name kR105 might ring a bell to you, because this developer has been credited a lot recently by CTurt in his PS4 hack work. Today, kR105 popped up on our forums to release something that lots of us had been chasing for a while: a fully operational dlclose exploit. He also emailed me to mention that he has now integrated support for booting Linux straight from the PS4-Playground tools, and, icing on the cake, also provided the actual PS4 Linux files to use with the tools.
In other words, kR105 is closing the gap here, releasing everything you need to run Linux on your PS4. This is not a drill or a proof of concept video, people. The files are up for anyone to grab. I haven’t tested them myself though, because I’ve still been hesitating on getting a 1.76 PS4, but I’m regretting not having one every day that goes by. If you’re the lucky owner of a PS4 on 1.76 though (we have an article here on where you might be able to get one), now’s the right time to test this! Furthermore, there’s absolutely no reason to doubt this release is real, given that it comes straight from kR105, on CTurt’s GitHub. CTurt also confirmed this release to me earlier today.

So, what was just released by kR105?

A fully functional dlclose exploit. The exploit had been released about a week ago, and several people had been able to take it further, but there were still issues with how the publicly available code was working: it crashed as soon as the exploit attempted to return to userland. kR105’s release fixes all of that; it includes root, sandbox escape and jailbreak. This exploit is what you’ll want to run your native code on a 1.76 PS4.
[Image: dlclose PS4 Kernel exploit. The dlclose kernel exploit was released a few days ago.]
An update to PS4-Playground to run Linux. Another missing link here, that will let people launch Linux without having to write their own loader. The launcher integrates the dlclose exploit, if I understand correctly. From the Readme:

You need a FAT32 formatted USB drive plugged into any of the PS4’s USB ports with the following files in the root directory:
bzImage : Kernel image that will be loaded. It is recommended to use these sources to compile it.
initramfs.cpio.gz : The initial file system that gets loaded into memory during the Linux startup process. This one is recommended.
The file names must match the above, and you can have more files on the same USB drive. From there you can set up the environment to run from an NFS share or from an external drive via USB (recommended) and boot a complete distro!


[Image: linux_loader]
A compiled Linux distro for the PS4. kR105 has the files bzImage and initramfs.cpio.gz ready for anyone to grab, so you don’t have to compile your own version. In his words: “those files should get you into linux with a nice bash console on your tv”.

Downloads

Update: As pointed out by CTurt, you can simply download the compiled Linux files, put them on a FAT32 USB stick that you’ll connect to your 1.76 PS4, and test directly by going to the PS4 Playground live demo here.
Wow, now that’s a good start for the weekend!

Monday, 28 March 2016

PS4 hack: Developer Zer0xFF releases dlclose exploit source

We had the technical writeup from CTurt, and the “confirmation” from bigboss. Today developer Zer0xFF put things together and released the source code for a proof of concept of the dlclose kernel exploit for the PS4. In other words, if you have a 1.76 PS4, you’re getting closer to a PS4 jailbreak, or to running Linux on your PS4.
This goes without saying, but this is not a CFW; it will not magically let you run pirated PS4 games. This is just one step closer for those of you with reasonable coding skills who are trying to hack their PS4. You’ll need to be able to compile this and run it on your PS4. We give lots of details on how to do this in this article. The process is pretty much the same, except that you’ll use the dlclose exploit instead of the BadIRET one. (People have said that the dlclose exploit is cleaner and easier to handle.)
From a scene perspective, it’s also good to see that more and more people are confirming the exploit and working on it.
Zer0xFF mentions that he got help from bigboss, but also from Twisted, whom you might remember for his Remote Play PC work. There’s more than a handful of people building on top of CTurt’s work right now, which is promising.
[Image: dlclose PS4 Kernel exploit]
Bigboss also hinted that he might release something for the scene soon (the ETA might be his birthday, which is next week), which I assume could be the exploit in compiled form and potentially more user friendly.
If you’re a dev looking for help in building this, we also have a thread on /talk to get help on running the exploits on your PS4. Feel free to join.
Seems like these are good times to own a PS4 running firmware 1.76.

Download the PS4 dlclose exploit


You can download Zer0xFF’s work on his GitHub here. Keep in mind that this is the source code; it will be useless to you if you’re not a dev.
Also remember that a kernel exploit, especially in the early stages like this, is a dangerous tool: you could brick your PS4 if you handle this incorrectly. Understand that this is work-in-progress stuff from people who are willing to share their work with the scene in an open way. Don’t make them regret it!
Source: playstationhax.it, thanks to @isset_asset

Tuesday, 19 January 2016

CTurt publishes new PS4 Kernel exploit details (sys_dynlib_prepare_dlclose PS4 kernel heap overflow)

Hacker CTurt, known for sharing lots of his work on PS4 vulnerabilities and in particular a PS4 Kernel exploit, has today published an explanation of a new PS4 Kernel vulnerability, involving a heap overflow.
The exploit has been patched around firmware 2.00, so it will not be useful for people expecting a PS4 hack on the latest firmware, 3.15. CTurt also announced that he will not release a fully weaponized exploit, and is just sharing the knowledge of how the vulnerability was exploited.
But this new article from CTurt brings some interesting information to the “end user”:
First, CTurt hasn’t fully stopped working on the PS4, it seems, unlike what he announced a few weeks ago. He’s apparently actively working on the PS4 with other hackers such as Qwertyoruiop (a well-known hacker famous for his work on iOS, among other things).
Second, it seems there are lots of potential exploits on the PS4. As Qwertyoruiop stated later in the day, there’s a “ton of attack surface..”
This seems to confirm what Fail0verflow stated a few weeks ago: “We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble”
The vulnerability itself lies in the function sys_dynlib_prepare_dlclose and some of its internal calls such as copyin. Full details can be found in CTurt’s article.
[Image: dlclose PS4 Kernel exploit]

What I find particularly interesting here is how FreeBSD is pretty much used as the experiment and debugging tool for CTurt’s work. Hacking a console is often done by running a debugger directly on the console, on a previously exploited version of the firmware, with the “first exploit” being the hard one (and sometimes, throughout the history of hacking, involving illegally acquired dev units or SDKs). Here the work is done on a FreeBSD image that’s been compiled to be “as close as possible” to the version running on the PS4. This lets CTurt work on proofs of concept with all the comfort of his computer, and then tweak them on the real device. Although I know security through obscurity is not great, it seems here that using an open source OS as the base for the PS4 system is not in Sony’s favor from a hacking perspective.
A kernel exploit released on the latest PS4 firmware 3.15 would be invaluable for the PS4 scene right now, as it is the key component missing to run the Linux port for the PS4 from Fail0verflow.
We keep up-to-date details on the latest status of PS4 hacking on our PS4 Jailbreak page.
Source: CTurt on twitter, thanks to everyone who tipped me on this, including CTurt himself!

Monday, 14 December 2015

PS4 Jailbreak possible. Cturt confirms RAM Dump, next step is patching the RAM

Hacker CTurt, who’s been in the spotlight recently for confirming he has a PS4 Kernel exploit, has been making steady progress toward making a PS4 Jailbreak possible. Today he announced he has a RAM dump. Next step: patch the RAM. In other words, make the PS4 system do things it doesn’t really want to do, the first step to a PS4 Jailbreak*.
CTurt confirmed on twitter today that he was able to dump the PS4 RAM through the kernel exploit in his possession. His next step will be to selectively modify the RAM at runtime, a way to patch the PS4 software in order to make it do what it doesn’t want to do. From there, an SDK and a homebrew loader, or a Custom Firmware for the PS4, sound like the next appropriate targets.


CTurt has also promised he will do a technical writeup of how the exploit works in the near future.

PS4 Jailbreak possible for firmware 1.76 only?

The hack has already been confirmed by other hackers of the PS scene. Don’t get too excited too fast, though. First of all, these things take time (think months), and secondly, the exploit has been confirmed to work only up to firmware 1.76. If you remember, firmware 1.76 is where the webkit exploit had initially been discovered. If you’re a “normal” PS4 owner, your PS4 firmware is currently on version 3.11. There’s no going back to 1.76 for you.

Does that mean this will make the PS4 jailbreak possible only for a handful of people running 1.76? Not necessarily. As we’ve discussed before, this hack will let developers gather lots of critical information about the PS4’s inner workings. As I’ve explained before, this will let them analyze the entire system, and possibly find more vulnerabilities, which might still be there on the latest 3.11 firmware. That being said, some people are already trying to get their hands on a 1.76 PS4. Rumors say the Last of Us PS4 bundles are shipping with firmware 1.76; we haven’t verified this at this point.

Piracy & more speculation

[Image: PS4 Jailbreak possible? (PS4 APU screenshot)]
For everyone looking forward to running unsigned code on their PS4, this is generally good news. For the white knights who fear for piracy, keep in mind that nothing at this point has been announced about breaking any form of encryption. Getting kernel access to a console usually means that the anti-piracy locks on the device can easily be removed, but nothing on that topic has been confirmed. If history repeats itself, the people breaking the initial security will not necessarily be the ones enabling piracy on the device.
Lots of speculation is going on for now, both from scene sites and from mainstream sites that generally have no clue what they’re talking about. Keep in mind that nothing is ready at this point. Avoid fishy websites that pretend they have a PS4 Jailbreak ready for you. As we constantly try to remind you here, these sites generally make their money by having you fill in surveys with the fake promise of a jailbreak download. If and when a PS4 jailbreak happens, this will be on the frontpage of trusted scene websites such as your very own wololo.net 😉
Stay tuned on our PS4 Jailbreak page for details.
Bwaah, Wololo, only iOS devices can be called “jailbroken”, bwaah, I’m gonna complain in your comments section or on twitter, the world needs to know that you’re incorrectly using a word based on my own biased perception of that word’s meaning and recommended use. Bwaaah.

Friday, 4 September 2015

Emulator on PS4: Gameboy emulator running on the PS4, source code released

After a stream of releases, developer CTurt just announced he has ported Cinoop, his very own Game Boy emulator, to the PS4.
Not so long ago, CTurt announced he had gained code execution on the PS4. He then released a simple Pong game for the PS4, and also announced he was working on a homebrew loader. With a Game Boy emulator released just a few days after these statements, he’s making progress fast, it seems.
CTurt had initially announced he would reverse engineer the graphics library on the PS4 in order to run his homebrew loader. It seems he has taken a shortcut, as this is running through an HTML canvas. In other words, the PS4 does the processing job, and the rendering goes through WebKit, which means the graphics lib was not used. Impressive nonetheless.
[Image: ps4 emulator]
Just like for the Pong game, CTurt is controlling the homebrew through a Nintendo DS, as hackers do not have access to the DualShock controllers through the hack yet.
Before you all get super excited, keep in mind that this is running through the WebKit exploit on PS4 firmware 1.76. Are you on firmware 1.76 or below? Yeah, I didn’t think so. This is some exciting news, but nothing that directly benefits the end user at this point, or that leads us to a full PS4 Jailbreak. It’s still awesome to see some progress.

Download Cinoop GameBoy PS4 emulator

Download Game Boy PS4 emulator Cinoop (source code) – on CTurt’s GitHub
Source: CTurt