Recently Volodymyr Pikhur has been working on a PS4 IPL AES + HMAC Key Recovery Project with help from nedos utilizing a Verilog FPGA (Field-Programmable Gate Array) to detect IPL (Initial Program Load) read and trigger capture board.
PlayStation 4 hardware guys that favor FPGA's including @Chaos Kid will definitely take interest in this project, and here's to hoping we see some more on it in the future!
Below are some related Tweets from vpikhur including the demo video alongside some fresh PS4 MEMEs for developers:
Download: 175devkitipldecryptedbytwoconsoles.7z (259.92 KB)
Turns out the "debug key" that is used to hash "debug" firmwares from SMU effectively works on ALL retail versions of the PS4 smu firmware as well (the one on the wiki). Which means things are about to become VERY interesting...
this is the key
SMU HMAC Key (System Management Unit)
no, but you can probably dump your own keys/fuses with SMU code execution
the issue during all these years was, of course, endianess... book the endianess, to hell with it. anyway, now it's confirmed that the SMU key is potentially useful to run nasty code, provided that there is a way to reset available
Some more info
samu has several keys, not just one. smu has only one used to hash the smu firmware. you can use this key to craft a payload, inject it together with its hash in smu firmware x86 memory, then reset smu and have some fun things happening
Why tho, people thinking it's about SAMU? But it's not like SMU is not a fairly well-known term, it'll come up what it is right away on a quick search
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since its based on LM32 architecture features while Zen and later switched to Xtensa cores for their SMUs.
PS4 only
write to smu's registers, in theory, if we achieve code exec, we can use it to read our perconsole and master keys
no. the private keys are never in the console. they also were never in ps3 and psp consoles, even though they were calculated due to sony's massive fail
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There's not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it's a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.
From what I've heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP's security model already done:
seems smurw doesn't write the shellcode on ps4 to the sram... sadge
i get this instead of the actual shellcode that's supposed to be written:
the exploits we have are useless against it
PlayStation 4 hardware guys that favor FPGA's including @Chaos Kid will definitely take interest in this project, and here's to hoping we see some more on it in the future!
Below are some related Tweets from vpikhur including the demo video alongside some fresh PS4 MEMEs for developers:
Download: 175devkitipldecryptedbytwoconsoles.7z (259.92 KB)
Turns out the "debug key" that is used to hash "debug" firmwares from SMU effectively works on ALL retail versions of the PS4 smu firmware as well (the one on the wiki). Which means things are about to become VERY interesting...
this is the key
SMU HMAC Key (System Management Unit)
Code:
4D7E73210B677A832B9F293B496E7C3E
the issue during all these years was, of course, endianess... book the endianess, to hell with it. anyway, now it's confirmed that the SMU key is potentially useful to run nasty code, provided that there is a way to reset available
Some more info
- ccc-final.pdf (225 KB)
samu has several keys, not just one. smu has only one used to hash the smu firmware. you can use this key to craft a payload, inject it together with its hash in smu firmware x86 memory, then reset smu and have some fun things happening
Why tho, people thinking it's about SAMU? But it's not like SMU is not a fairly well-known term, it'll come up what it is right away on a quick search
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since its based on LM32 architecture features while Zen and later switched to Xtensa cores for their SMUs.
- amd-lm32-smu-exploit - Generic exploit for all version 7 (maybe others) LM32-based AMD SMU's used in APUs (and probably works on GPUs too)
PS4 only
write to smu's registers, in theory, if we achieve code exec, we can use it to read our perconsole and master keys
no. the private keys are never in the console. they also were never in ps3 and psp consoles, even though they were calculated due to sony's massive fail
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There's not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it's a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.
From what I've heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP's security model already done:
seems smurw doesn't write the shellcode on ps4 to the sram... sadge
i get this instead of the actual shellcode that's supposed to be written:
Code:
reading shellcode memory
3f120: 2888842D
3f124: 7244062E
3f128: FEB2AF3E
3f12c: 75EF0559
3f130: 183AC358
3f134: F4B0B100
3f138: FC8C79BC
3f13c: 997EF94E
3f140: 34A92D80
3f144: 1C834C80
3f148: BF9A9BF9
3f14c: BFFEBB97