Showing posts with label dlclose. Show all posts

Thursday, 21 April 2016

Proof of concept webkit exploit running on PS4 firmwares 2.xx

Developer Fire30 released a webkit exploit proof of concept for the PS4, ported from a webkit heap buffer overflow revealed in 2014. I haven’t tested this myself, and this is still unconfirmed information at this point.
Fire30 says the exploit should run on any PS4 firmware below 2.50, although he mentions parts of the exploit implementation will only work on firmware 2.03, presumably because this is the firmware he’s using to write the code.
There’s not much to be said about this at this point, although in theory the BadIRET and dlclose kernel exploits could be ported on top of this webkit exploit, if it is confirmed legit: it has been mentioned that these kernel exploits are compatible up to firmware 2.xx, and the only thing preventing them from being used on any firmware other than 1.76 so far was that the only publicly available userland exploit has been the 1.76 webkit exploit.
[Image: CVE-2014-1303]
A port of the dlclose exploit to this new webkit vulnerability could bring some Linux joy to more PS4 users, and help decrease the current asking price for hackable PS4s.

Download and install the CVE 2014-1303 Proof Of Concept for PS4

You can download Fire30’s proof of concept on his github here. You’ll need a PS4 running a firmware below 2.50, ideally firmware 2.03. According to the readme:
a poc for the CVE 2014-1303 originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50; the ROP test will, however, only work on 2.03.
Usage
You need to edit the dns.conf to point to the IP address of your machine, and modify your console’s DNS settings to point to it as well. Then run
python fakedns.py -c dns.conf
then
python server.py
Debug output will come from this process.
Navigate to the User’s Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.

Fire30 credits the following people, in addition to Liang Chen, who revealed the vulnerability in 2014:
thexyz
dreadlyei
If you happen to have a PS4 running a firmware below 2.50, and have the skills to 1) confirm that this is true and 2) try and get the dlclose exploit to run on this, then by all means, help the PS4 scene :)
Otherwise… stay tuned!
source: github, thanks to @isset_asset

Sunday, 3 April 2016

Release: Fully operational dlclose exploit + Linux for PS4, by kR105

The name kR105 might ring a bell to you because this developer has been credited a lot recently by CTurt in his PS4 hack work. Today, kR105 popped up on our forums to release something that lots of us had been chasing for a while: a fully operational dlclose exploit. He also emailed me to mention he has now integrated support for booting Linux straight from the PS4-Playground tools and, icing on the cake, also provided the actual PS4 Linux files to use with the tools.
In other words, kR105 is closing the gap here, releasing everything you need to run Linux on your PS4. This is not a drill or a proof of concept video, people. The files are up for anyone to grab. I haven’t tested them myself though, because I’ve still been hesitating on getting a 1.76 PS4, but I’m regretting not having one every day that goes by. If you’re the lucky owner of a PS4 1.76 though (we have an article here on where you might be able to get one), now’s the right time to test this! Furthermore, there’s absolutely no reason to doubt this release is real, given that it comes straight from kR105, on CTurt’s github. Also, CTurt confirmed this release to me earlier today.

So, what was just released by kR105?

A fully functional dlclose exploit. The exploit had been released about a week ago, and several people had been able to take it further, but the publicly available code still had issues, crashing as soon as the exploit attempted to return to userland. kR105’s release fixes all of that; it includes root, sandbox escape and jailbreak. This exploit is what you’ll want to run your native code on a 1.76 PS4.
[Image: dlclose PS4 kernel exploit]
An update to PS4-Playground to run Linux. Another missing link here, that will let people launch Linux without having to write their own loader. The launcher integrates the dlclose exploit, if I understand correctly. From the Readme:

You need a FAT32 formatted USB drive plugged in on any PS4’s USB port with the following files on the root directory:
bzImage : Kernel image that will be loaded. Recommended to use these sources to compile it.
initramfs.cpio.gz : The initial file system that gets loaded into memory during the Linux startup process. This one is recommended.
The file names must match the above, and you can have more files on the same USB drive. From there you can set up the environment to run from an NFS share or from an external drive via USB (recommended) and boot a complete distro!


A compiled distro of Linux for the PS4. kR105 has the files bzImage and initramfs.cpio.gz ready for anyone to grab, so you don’t have to compile your own version. In his words: “those files should get you into linux with a nice bash console on your tv”.

Downloads

Update: As pointed out by CTurt, you can simply download the compiled Linux files, put them on a FAT32 USB stick that you’ll connect to your 1.76 PS4, and test directly by going to the PS4 Playground live Demo here.
Wow, now that’s a good start for the weekend!

Monday, 28 March 2016

Is now the right time to buy a 1.76 PS4?

The PS4 scene is boiling right now, with people making daily progress on the dlclose and BadIRET kernel exploits on PS4 1.76. It’s probably going to be a matter of weeks now until people start poking into the PS4 firmware, or get a full toolkit to install Linux on the device. Is now the right time to get a 1.76 PS4?
If you’ve been on the console scene for a while, you’re probably familiar with the concept of “golden firmware”. The golden firmware is the firmware that gives you the best of what your console can achieve, both from a perspective of official games, and from a hacking point of view. On the PSP, firmware 1.5 was the “golden firmware” for a very long time, as it was the only one with all the cool exploits, piracy, and homebrews. If I recall correctly, the first custom firmwares on the PSP from Dark Alex were basically taking all the cool stuff from firmware 1.5, and merging those on top of the latest firmware, to get the best of both worlds.
Nowadays, with online access being a prerequisite to do anything official on your console, it’s difficult to bypass firmware updates. Most games or applications on your PS4 will probably refuse to run if you’re not running on the latest firmware, and very soon you’d have to say goodbye to the latest games if you decided to stay forever on, say, firmware 1.76.
In that kind of context, I’m convinced people who are interested in the PS4 scene will need basically two consoles: one for hacks that you’d keep on a lower firmware, the other for “regular” gaming, constantly up to date.
[Image: dlclose PS4 kernel exploit]
Now that the scene is just getting ramped up on PS4 exploits with firmware 1.76, it is still possible to find a 1.76 PS4 for a “reasonable” price. We’re all facing a choice at this point: some of us will be buying one now for a reasonable price, in the hope that 1.76 exploits take off soon. Others will just be waiting, hoping that new kernel exploits surface for the latest firmware (3.50?) by the time user-friendly hacks and tools are available.
Our first guy is buying a 1.76 console at a quite expensive, but still reasonable, price (you can easily find 1.76 PS4s around $550 today). If hacks on 1.76 become mainstream, prices of 1.76 consoles will skyrocket, and I can easily picture such devices selling for more than $1000 very soon. On the other hand, if an exploit is revealed on the latest firmware which gives people the same level of tools as 1.76 provides now, our friend has overpaid about $150 for his second PS4.
My second guy doesn’t want to buy a 1.76 PS4 just yet. If an exploit is revealed for the latest firmware 3.50, he can buy any second-hand PS4 for $300, keep it at 3.50, and be done with it. On the other hand, if 1.76 PS4 hacks become mainstream and no “latest firmware” exploit is revealed for a long time, he’ll be the *** having to buy a 1.76 PS4 for more than $1000.

I’m personally on the fence right now. It’s a bet. Statistics tell me there’s always going to be an exploit for the latest firmware at some point, however I can’t help but realize that times have changed: hackers don’t release kernel exploits as often as they used to for, say, the PSP. Maybe what we have on 1.76 right now is a “one time thing”, and we might not see more PS4 kernel exploits for a long time.
Thoughts?

PS4 hack: Developer Zer0xFF releases dlclose exploit source

We had the technical writeup from CTurt, and the “confirmation” from bigboss. Today developer Zer0xFF put things together and released the source code for a proof of concept of the dlclose kernel exploit for the PS4. In other words, if you have a 1.76 PS4, you’re getting closer to a PS4 jailbreak, or to running Linux on your PS4.
This goes without saying, but this is not a CFW, it will not magically let you run pirated PS4 games. This is just one step closer for those of you with reasonable coding skills, who are trying to hack their PS4. You’ll need to be able to compile this and run it on your PS4. We give lots of details on how to do this in this article. That’s pretty much the same except you’ll use the dlclose exploit instead of the BadIRET one. (People have said that the dlclose exploit is cleaner and easier to handle).
From a scene perspective, it’s also good to see that more and more people are confirming the exploit and working on it.
Zer0xFF mentions that he got help from bigboss, but also from Twisted, whom you might remember for his Remote Play PC work. There’s more than a handful of people building on top of CTurt‘s work right now, which is promising.
[Image: dlclose PS4 kernel exploit]
Bigboss also hinted that he might release something for the scene soon (ETA might be his birthday, which is next week), which I assume could be the exploit in compiled form and potentially more user friendly.
If you’re a dev looking for help in building this, we also have a thread on /talk to get help on running the exploits on your PS4. Feel free to join.
Seems like these are good times to own a PS4 running firmware 1.76.

Download the PS4 dlclose exploit


You can download Zer0xFF’s work on his github here. Keep in mind that this is the source code, it will be useless to you if you’re not a dev.
Also remember that a kernel exploit, especially in the early stages like this, is a dangerous tool: you could brick your PS4 if you handle this incorrectly. Understand that this is work in progress stuff from people who are willing to share their work with the scene in an open way. Don’t make them regret it!
Source: playstationhax.it, thanks to @isset_asset

Tuesday, 19 January 2016

CTurt publishes new PS4 Kernel exploit details (sys_dynlib_prepare_dlclose PS4 kernel heap overflow)

Hacker CTurt, known for sharing lots of his work on PS4 vulnerabilities and in particular a PS4 Kernel exploit, has published today explanations on a new PS4 Kernel vulnerability, involving a heap overflow.
The vulnerability has been patched around firmware 2.00, so it will not be useful for people expecting a PS4 hack on the latest firmware 3.15. CTurt also announced that he will not release a fully weaponized exploit, and is just sharing the knowledge on how the vulnerability was exploited.
But this new article from CTurt brings some interesting information to the “end user”:
First, CTurt hasn’t fully stopped working on the PS4, it seems, unlike what he announced a few weeks ago. He’s apparently actively working on the PS4 with other hackers such as Qwertyoruiop (a well-known hacker famous for his work on iOS, among other things).
Second, it seems there are lots of potential exploits on the PS4. As Qwertyoruiop stated later in the day: there’s a “ton of attack surface..”
This seems to confirm what Fail0verflow stated a few weeks ago: “We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble”
The exploit itself lies in the function sys_dynlib_prepare_dlclose and some of its internal calls such as copyin. Full details can be found in CTurt’s article.
[Image: dlclose PS4 kernel exploit]

What I find particularly interesting here is how FreeBSD is pretty much used as the experiment and debugging tool for CTurt’s work. Hacking a console is often done by running a debugger directly on the console, on a previously exploited version of the firmware, with the “first exploit” being the hard one (and sometimes, throughout the history of hacking, involving illegally acquired dev units or SDKs). Here the work is done on a FreeBSD image that’s been compiled to be “as close as possible” to the version running on the PS4. This lets CTurt work on proof of concepts with all the comfort of his computer, and then tweak them on the real device. Although I know security through obscurity is not great, it seems here that using an open source OS as the base for the PS4 system does not work in Sony’s favor from the hacking perspective.
A Kernel exploit released on the latest PS4 firmware 3.15 would be invaluable for the PS4 scene right now, as it is the key component missing to running the linux port on the PS4 from Fail0verflow.
We keep up-to-date details on the latest status of PS4 hacking on our PS4 Jailbreak page.
Source: CTurt on twitter, thanks to everyone who tipped me on this, including CTurt himself!