Showing posts with label PS4 Jailbreak.

Sunday, 3 April 2016

Release: Fully operational dlclose exploit + Linux for PS4, by kR105

The name kR105 might ring a bell: CTurt has credited this developer repeatedly in his recent PS4 hack work. Today, kR105 popped up on our forums to release something many of us had been chasing for a while: a fully operational dlclose exploit. He also emailed me to mention he has now integrated support for booting Linux straight from the PS4-Playground tools, and, icing on the cake, also provided the actual PS4 Linux files to use with the tools.
In other words, kR105 is closing the gap here, releasing everything you need to run Linux on your PS4. This is not a drill or a proof of concept video, people. The files are up for anyone to grab. I haven’t tested them myself though, because I’ve still been hesitating on getting a 1.76 PS4, but I’m regretting not having one every day that goes by. If you’re the lucky owner of a PS4 on firmware 1.76 (we have an article here on where you might be able to get one), now’s the right time to test this! Furthermore, there’s no reason to doubt this release is real, given that it comes straight from kR105, in CTurt’s github. CTurt also confirmed this release to me earlier today.

So, what was just released by kR105?

A fully functional dlclose exploit. The exploit had been released about a week ago, and several people had been able to take it further, but the publicly available code still had issues: it crashed as soon as the exploit attempted to return to userland. kR105’s release fixes all of that; it includes root, sandbox escape and jailbreak. This exploit is what you’ll want in order to run your native code on a 1.76 PS4.
The dlclose kernel exploit was released a few days ago
An update to PS4-Playground to run Linux. Another missing link here, which will let people launch Linux without having to write their own loader. The launcher integrates the dlclose exploit, if I understand correctly. From the Readme:

You need a FAT32 formatted USB drive plugged into any of the PS4’s USB ports with the following files in the root directory:
bzImage : Kernel image that will be loaded. Recommended to use these sources to compile it.
initramfs.cpio.gz : The initial file system that gets loaded into memory during the Linux startup process. This one is recommended.
The file names must match the above and you can have more files on the same USB drive. From there you can set up the environment to run from an NFS share or from an external drive via USB (recommended) and boot a complete distro!
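A quick sanity check for the USB layout described in the Readme, written for this page as an added example; it is not part of kR105’s loader or PS4-Playground. It verifies that the two files sit at the root of the drive under the exact names the loader looks for, that bzImage is really an x86 Linux boot image (the boot protocol puts the "HdrS" signature at offset 0x202 and the protocol version at 0x206), and that initramfs.cpio.gz is actually gzip-compressed (magic bytes 1f 8b) rather than a plain .cpio. The mount point /media/usb is an assumption; pass your own as the first argument. The FAT32 requirement itself is not checked, since that needs a platform-specific statfs call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BZIMAGE_MAGIC_OFF   0x202   /* "HdrS" per the x86 Linux boot protocol */
#define BZIMAGE_VERSION_OFF 0x206   /* 16-bit little-endian boot protocol version */
#define HEAD_BYTES          0x400   /* enough of each file to cover both checks */

enum {
    USB_OK           = 0,
    USB_NO_BZIMAGE   = 1 << 0,   /* bzImage missing or not an x86 boot image */
    USB_NO_INITRAMFS = 1 << 1,   /* initramfs.cpio.gz missing or not gzip */
};

/* True when buf starts an x86 bzImage: "HdrS" at offset 0x202. */
int is_bzimage(const uint8_t *buf, size_t len)
{
    return len >= BZIMAGE_MAGIC_OFF + 4 &&
           memcmp(buf + BZIMAGE_MAGIC_OFF, "HdrS", 4) == 0;
}

/* Boot protocol version (e.g. 0x020d for 2.13), or -1 if not a bzImage. */
int bzimage_boot_version(const uint8_t *buf, size_t len)
{
    if (!is_bzimage(buf, len) || len < BZIMAGE_VERSION_OFF + 2)
        return -1;
    return buf[BZIMAGE_VERSION_OFF] | (buf[BZIMAGE_VERSION_OFF + 1] << 8);
}

/* True when buf starts with the gzip magic 1f 8b; a plain .cpio fails here. */
int is_gzip(const uint8_t *buf, size_t len)
{
    return len >= 2 && buf[0] == 0x1f && buf[1] == 0x8b;
}

/* Reads up to n bytes of root/name into buf. Returns bytes read, or -1 if
 * the file cannot be opened (missing, or named differently from what the
 * loader expects). */
static long read_head(const char *root, const char *name, uint8_t *buf, size_t n)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", root, name);
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return (long)got;
}

/* Validates the layout the Readme asks for; returns a bitmask of problems. */
int check_ps4_linux_usb(const char *root)
{
    uint8_t head[HEAD_BYTES];
    int problems = USB_OK;
    long n;

    n = read_head(root, "bzImage", head, sizeof head);
    if (n < 0 || !is_bzimage(head, (size_t)n))
        problems |= USB_NO_BZIMAGE;

    n = read_head(root, "initramfs.cpio.gz", head, sizeof head);
    if (n < 0 || !is_gzip(head, (size_t)n))
        problems |= USB_NO_INITRAMFS;

    return problems;
}

/* Self-test on constructed in-memory images (no real PS4 files needed). */
int self_check(void)
{
    uint8_t img[HEAD_BYTES] = {0};
    uint8_t gz[] = {0x1f, 0x8b, 0x08, 0x00};        /* constructed gzip header */
    memcpy(img + BZIMAGE_MAGIC_OFF, "HdrS", 4);       /* constructed bzImage header */
    img[BZIMAGE_VERSION_OFF] = 0x0d;                  /* version 2.13, little-endian */
    img[BZIMAGE_VERSION_OFF + 1] = 0x02;
    return is_bzimage(img, sizeof img) &&
           bzimage_boot_version(img, sizeof img) == 0x020d &&
           is_gzip(gz, sizeof gz) &&
           !is_gzip(img, sizeof img);
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/media/usb";   /* assumed mount point */
    int p = check_ps4_linux_usb(root);
    if (p & USB_NO_BZIMAGE)
        fprintf(stderr, "%s/bzImage missing or not an x86 boot image\n", root);
    if (p & USB_NO_INITRAMFS)
        fprintf(stderr, "%s/initramfs.cpio.gz missing or not gzip-compressed\n", root);
    return p ? 1 : 0;
}
```

Run it against the mounted stick before unplugging it; a non-zero exit means the loader would not find what it needs. The "HdrS" check also catches the common mistake of copying a vmlinux or an ARM zImage instead of the x86 bzImage the PS4’s APU expects.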


A compiled Linux distro for the PS4. kR105 has the files bzImage and initramfs.cpio.gz ready for anyone to grab, so you don’t have to compile your own. In his words: “those files should get you into linux with a nice bash console on your tv”.

Downloads

Update: As pointed out by CTurt, you can simply download the compiled Linux files, put them on a FAT32 USB stick that you’ll connect to your 1.76 PS4, and test directly by going to the PS4 Playground live Demo here.
Wow, now that’s a good start for the weekend!

Monday, 28 March 2016

PS4 hack: Developer Zer0xFF releases dlclose exploit source

We had the technical writeup from CTurt, and the “confirmation” from bigboss. Today developer Zer0xFF put things together and released the source code for a proof of concept of the dlclose kernel exploit for the PS4. In other words, if you have a 1.76 PS4, you’re getting closer to a PS4 jailbreak, or to running Linux on your PS4.
This goes without saying, but this is not a CFW; it will not magically let you run pirated PS4 games. This is just one step closer for those of you with reasonable coding skills who are trying to hack their PS4. You’ll need to be able to compile this and run it on your PS4. We give lots of details on how to do this in this article. The process is pretty much the same, except you’ll use the dlclose exploit instead of the BadIRET one. (People have said that the dlclose exploit is cleaner and easier to handle.)
From a scene perspective, it’s also good to see that more and more people are confirming the exploit and working on it.
Zer0xFF mentions that he got help from bigboss, but also from Twisted, whom you might remember for his Remote Play PC work. There’s more than a handful of people building on top of CTurt‘s work right now, which is promising.
Bigboss also hinted that he might release something for the scene soon (ETA might be his birthday, which is next week), which I assume could be a compiled and potentially more user-friendly version of the exploit.
If you’re a dev looking for help in building this, we also have a thread on /talk to get help on running the exploits on your PS4. Feel free to join.
Seems like these are good times to own a PS4 running firmware 1.76.

Download the PS4 dlclose exploit


You can download Zer0xFF’s work on his github here. Keep in mind that this is source code; it will be useless to you if you’re not a dev.
Also remember that a kernel exploit, especially at an early stage like this, is a dangerous tool: you could brick your PS4 if you handle it incorrectly. Understand that this is work-in-progress stuff from people who are willing to share their work with the scene in an open way. Don’t make them regret it!
Source: playstationhax.it, thanks to @isset_asset

Thursday, 28 January 2016

Is a PS4 Jailbreak usb device in the works?

I am receiving enough questions about this that I feel an article is now required.
There are growing rumors that a group affiliated with the Cobra team (a team popular for some of their PS3 hardware mods, and the same team that announced the – yet to be released – cobra blackfin for PS Vita) have been working on a PS4 Jailbreak usb dongle.
The device, named “usb whistle”, would allegedly allow people to run pirated games on the latest PS4 firmware, firmware 3.15, and be released in February this year. The group also claims they will be releasing a CFW for that PS4 firmware, sometime in March.
After some research, most of the rumors about that group actually originate directly from that group’s twitter account. And so far there’s absolutely no evidence that this twitter account or the group behind it is legit.
On the contrary, some of that group’s claims are actually so obviously incorrect that it’s probably ok to dismiss them as a fake for now.
For example, they state that their dongle will be available on Amazon for $50, on February 25th. It is pretty obvious that Amazon would not sell such an illegal device, and that this kind of tweet is complete BS.
Although the broken English gives an exotic “foreign team of hackers in an unregulated country” twist to that twitter account, so far there is no reason to believe any of what they say is legit.

Tuesday, 19 January 2016

CTurt publishes new PS4 Kernel exploit details (sys_dynlib_prepare_dlclose PS4 kernel heap overflow)

Hacker CTurt, known for sharing lots of his work on PS4 vulnerabilities and in particular a PS4 kernel exploit, has published today an explanation of a new PS4 kernel vulnerability, a heap overflow.
The vulnerability was patched around firmware 2.00, so it will not be useful for people expecting a PS4 hack on the latest firmware 3.15. CTurt also announced that he will not release a fully weaponized exploit, and is just sharing the knowledge on how the vulnerability was exploited.
But this new article from CTurt brings some interesting information to the “end user”:
First, CTurt hasn’t fully stopped working on the PS4, it seems, unlike what he announced a few weeks ago. He’s apparently actively working on the PS4 with other hackers such as Qwertyoruiop (a well-known hacker famous for his work on iOS, among other things).
Second, it seems there are lots of potential exploits on the PS4. As Qwertyoruiop stated later in the day: there’s a “ton of attack surface..”
This seems to confirm what Fail0verflow stated a few weeks ago: “We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble”
The vulnerability itself lies in the function sys_dynlib_prepare_dlclose and some of its internal calls such as copyin. Full details can be found in CTurt’s article.
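To make the bug class concrete, here is an added illustration (written for this page, not CTurt’s code and not Sony’s kernel) of the pattern behind a heap overflow reached through copyin: a syscall takes a count from userland, uses it to size a copyin into a fixed-capacity heap object, and never compares it with that capacity. The object layout, entry size and capacity (struct dl_request, DL_MAX_ENTRIES, DL_ENTRY_SIZE) are hypothetical, and copyin here is a userland stand-in for the FreeBSD kernel routine of the same signature; the canary field stands in for whatever neighbouring heap data the real overflow would clobber. The unchecked and checked variants sit side by side.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DL_MAX_ENTRIES 8   /* hypothetical fixed capacity of the heap object */
#define DL_ENTRY_SIZE  8   /* hypothetical size of each entry copied from user */
#define HEAP_CANARY    0x4e4f54434f505921ULL

/* Hypothetical kernel heap object. 'canary' stands in for whatever follows
 * the buffer on the real kernel heap (another allocation, a function pointer). */
struct dl_request {
    uint8_t  entries[DL_MAX_ENTRIES * DL_ENTRY_SIZE];
    uint64_t canary;
};

/* Stand-in for FreeBSD copyin(9): copies len bytes from a user address into
 * kernel memory. Like the real one, it trusts len completely. */
static int copyin(const void *uaddr, void *kaddr, size_t len)
{
    memcpy(kaddr, uaddr, len);
    return 0;
}

struct dl_request *dl_request_alloc(void)
{
    struct dl_request *req = calloc(1, sizeof *req);
    if (req)
        req->canary = HEAP_CANARY;
    return req;
}

int dl_request_intact(const struct dl_request *req)
{
    return req->canary == HEAP_CANARY;
}

/* VULNERABLE pattern: 'count' comes straight from the syscall arguments and
 * sizes the copy, but is never compared with the object's capacity. Nine
 * entries overrun 'entries' by one entry and land on the canary. The copy goes
 * through a char pointer to the whole object, so with count == 9 the
 * demonstration stays inside the allocation instead of corrupting libc's heap
 * (a larger count would, exactly like a real kernel heap overflow). */
int dl_prepare_unchecked(struct dl_request *req, const void *uaddr, uint32_t count)
{
    size_t len = (size_t)count * DL_ENTRY_SIZE;
    return copyin(uaddr, (char *)req + offsetof(struct dl_request, entries), len);
}

/* FIXED pattern: validate the user-controlled count against the capacity
 * before it is turned into a length, and fail closed with EINVAL. */
int dl_prepare_checked(struct dl_request *req, const void *uaddr, uint32_t count)
{
    if (count == 0 || count > DL_MAX_ENTRIES)
        return EINVAL;
    size_t len = (size_t)count * DL_ENTRY_SIZE;
    return copyin(uaddr, req->entries, len);
}

/* Runs both variants against a constructed 9-entry user buffer. Returns 1
 * when the checked path refuses it and the unchecked path corrupts the heap. */
int demo(void)
{
    uint8_t user[(DL_MAX_ENTRIES + 1) * DL_ENTRY_SIZE];   /* 72 bytes == sizeof(struct dl_request) */
    memset(user, 'A', sizeof user);                        /* constructed "user" data */
    struct dl_request *req = dl_request_alloc();
    if (!req)
        return 0;
    int ok = dl_prepare_checked(req, user, DL_MAX_ENTRIES + 1) == EINVAL
          && dl_request_intact(req)
          && dl_prepare_checked(req, user, DL_MAX_ENTRIES) == 0
          && dl_request_intact(req)
          && dl_prepare_unchecked(req, user, DL_MAX_ENTRIES + 1) == 0
          && !dl_request_intact(req);
    free(req);
    return ok;
}

int main(void)
{
    printf("checked path rejects, unchecked path corrupts heap: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The point the example makes is the one CTurt’s writeup turns on: copyin itself is not the bug, it only does what it is told; the bug is the missing bounds check between the userland-supplied size and the kernel object it is copied into. Whatever sits after the object on the kernel heap decides how useful the overflow is to an attacker.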

What I find particularly interesting here is how FreeBSD is pretty much used as the experiment and debugging tool for CTurt’s work. Hacking a console is often done by running a debugger directly on the console, on a previously exploited firmware version, with the “first exploit” being the hard one (and sometimes, throughout the history of hacking, involving illegally acquired dev units or SDKs). Here the work is done on a FreeBSD image compiled to be “as close as possible” to the version running on the PS4. This lets CTurt work on proof of concepts with all the comfort of his computer, and then tweak them on the real device. Although I know security through obscurity is not great, it seems here that using an open source OS as the base for the PS4 system does not work in Sony’s favor from the hacking perspective.
A kernel exploit on the latest PS4 firmware 3.15 would be invaluable for the PS4 scene right now, as it is the key component missing to run Fail0verflow’s Linux port on the PS4.
We keep up to date details on the latest status of PS4 hacking on our PS4 Jailbreak page.
Source: CTurt on twitter, thanks to everyone who tipped me on this, including CTurt himself!

Monday, 4 January 2016

Linux on PS4: Fail0verflow publish their fork of the linux Kernel (WIP)

After announcing earlier this week that they managed to run Linux on the PS4, the Fail0verflow hacking crew promised they would publish their sources once in a stable state. They just published a github link on twitter, which contains their PS4 fork of the Linux kernel.

What is this PS4 Linux source code, and is it useful for me?

Unless you’re a PS4 hacker with a Kernel exploit in your possession, these sources will most likely not be useful for you at this point. Fail0verflow have explained during the CCC conference that although they will actively work on providing a Linux port for the PS4 community, they will not provide the hacks/Jailbreaks/exploits they used to install and run it in the first place.
We know that several PS4 hacking groups have PS4 exploits running, so it will be interesting to see what these groups do with this newly announced github repository. For the individual reader, you’ll want to check who forks the Fail0verflow github, as a hint to who might have running exploits 😉
For those of you interested in jumping into the code and understanding what changes Fail0verflow have been working on, the best way is probably to look at the full diff of the PS4 Linux port compared to the base.

When will Linux for the PS4 be released?

For the “end user”, you’ll still have to wait for several things to happen before any of this gets released: this Linux port to be finalized, a group of hackers to release a working PS4 Jailbreak, and someone connecting the dots together between the exploit and booting Linux. Don’t hold your breath, but this might happen sooner than most think.

Thursday, 31 December 2015

Linux on PS4: Fail0verflow showcase Linux on the PS4, run a Pokémon Demo (video)

As we guessed last week in an article entitled “Fail0verflow to announce a PS4 Jailbreak Next week?“, Fail0verflow announced today at the CCC that they owned the PS4 and have Linux up and running on the PS4. They did a very short presentation to showcase the hack, and ran a Pokémon game within Linux on the PS4.

Monday, 14 December 2015

PS4 Jailbreak possible. Cturt confirms RAM Dump, next step is patching the RAM

Hacker CTurt, who’s been in the spotlight recently for confirming he has a PS4 kernel exploit, has been making steady progress towards making a PS4 Jailbreak possible. Today he announced he has a RAM dump. Next step: patch the RAM. In other words, make the PS4 system do things it doesn’t really want to do, the first step to a PS4 Jailbreak*.
CTurt confirmed on twitter today that he was able to dump the PS4 RAM, through the kernel exploit that’s in his possession. His next step will be to selectively modify the RAM at runtime, a way to patch the PS4 software in order to make it do what it doesn’t want to do. From there, an SDK and a homebrew loader, or a Custom Firmware for the PS4 sound like the next appropriate targets.


Cturt has also promised he will do a technical writeup of how the exploit works in the near future.

PS4 Jailbreak possible for firmware 1.76 only?

The hack has already been confirmed by other hackers of the PS scene. Don’t get too excited too fast, though. First of all, these things take time (think months), and secondly, the exploit has been confirmed to work only up to firmware 1.76. If you remember, firmware 1.76 is where the webkit exploit had initially been discovered. If you’re a “normal” PS4 owner, your PS4 firmware is currently on version 3.11. There’s no going back to 1.76 for you.

Does that mean this will make the PS4 jailbreak possible only for a handful of people running 1.76? Not necessarily. As we’ve discussed before, this hack will let developers gather lots of critical information about the PS4’s inner workings. As I’ve explained before, this will let them analyze the entire system, and possibly find more vulnerabilities, which might still be there on the latest 3.11 firmware. That being said, some people are already trying to get their hands on a 1.76 PS4. Rumors say the Last of Us PS4 bundles are shipping with firmware 1.76; we haven’t verified this at this point.

Piracy & more speculation

(PS4 APU screenshot)
For everyone looking forward to run unsigned code on their PS4, this is generally good news. For the white knights who fear for piracy, keep in mind that nothing at this point has been announced about breaking any form of encryption. Getting kernel access to a console usually means that the anti-piracy locks on the device can easily be removed, but nothing on that topic has been confirmed. If history repeats itself, the people breaking the initial security will not necessarily be the ones enabling piracy on the device.
Lots of speculation is going on for now, both from scene sites, and from mainstream sites that generally have no clue what they’re talking about. Keep in mind that nothing is ready at this point. Avoid fishy websites that pretend they have a PS4 Jailbreak possible for you. As we constantly try to remind you here, these sites make their money in general by having you fill surveys with the fake promise of a jailbreak download. If and when a PS4 jailbreak happens, this will be on the frontpage of trusted scene websites such as your very own wololo.net 😉
Stay tuned on our PS4 Jailbreak page for details.
* Bwaah, Wololo, only iOS devices can be called “jailbroken”, bwaah, I’m gonna complain in your comments section or on twitter, the world needs to know that you’re incorrectly using a word based on my own biased perception of that word’s meaning and recommended use. Bwaaah.