Simple Shooting Game PS4 TestKit, MK XL PS4 4.05 Debug Menu Demos
Today we have a few demo videos, the first being a Single User Shooting Game from the Sony PS4 *** leak (removed) running on a TestKit, courtesy of PS4 developer @MrNiato on Twitter, who states the following about it in the video caption, to quote:

"This is a Simple Shooting Game from Sony's *** which is.... fun to play but laggy. I won't give download link sorry."

Download: IV0002-CUSA99990_00-SIMPLESHOOTINGA1-A0100-V0100.pkg (77.44 MB) via Sili / SIMPLESHOOTINGAM.rar (4.05 OFW) (78.23 MB)

The other demonstration video comes from PS4 developer @GrimDoe in the forums HERE, and is an MK XL demo running on PS4 4.05 OFW showcasing the Debug Menu... check them both out below! :D

[PS4 Testkit] Simple Shooting Game from Sony
MK XL/4.05/Debug Menu/
MK XL Game Update Patch (1.00 to 1.04) /Debug Menu/P$4 4.05 OFW
Finally, below is a simple way to code your own C# RTM tool using a library known as PS4DLL RTM, with details from MrNiato as follows, to quote:

Download: PS4DLL RTM + Sample.zip (595 KB)

Today I bring you a C# library which allows you to easily code your RTM tool for PlayStation 4. This library includes the PS4Lib by BISOON but also includes something new, like an addresses library.

In this library you will be allowed to put in your own offsets and bytes, as you can see in the pictures, so it will be very easy to code your tool and share your offsets with the rest of the community. I share this project as open source and I have included a sample to help understand how it works. You...
PS4 Exploit and Loader Sender by FigaroCool for 4.05 Firmware
Many may recall reading How to Host Your Own PS4 Webkit Exploit Page a few months ago, and today PlayStation 4 developer @figarocool84 let us know on Twitter that he has made a new Local Host and Payload Sender Windows application called PS4 Exploit and Loader Sender for PS4Exploit 4.05 jailbroken consoles. :D

Unlike the recent PS4 4.05 JailbreakME Noobs Guide, this Windows app doesn't require Python, so anyone who was having issues with that guide may want to give it a try; it was tested out last night by @LightningMods. :thumbup:

Download: Ps4exploit-win.zip (12 MB) / Scan Result

PS4 Payload Sender to Send Payloads by Valentinbreiz, Ez Payload Sender by DjPopol
Similar to Simple Payload Loader, today PlayStation 4 developer @valentinbreiz (Twitter), also a writer on CustomProtocol.com, made available PS4 Payload Sender v1.0, followed shortly afterwards by a v1.1 fix, for use with PS4 4.05 exploited consoles. :cool:

Download: PS4.Payload.Sender.exe / GIT / PS4 Payload Sender APK for Android / EzPayloadSenderV1.01.zip (includes EzPayloadSender.exe) / GIT (Fork) by @djpopol on Github

PS4 Payload Sender

Send payload to your PS4 (tried on 4.05)

Changelog

v1.0
  • First release.

v1.1
  • Fixes the null reference exception.
Cheers to @Wultra for the heads-up in the PSXHAX Shoutbox on this nice alternative for sending PS4 payloads to version 4.05 jailbroken consoles. (y)
Fail0verflow on PS4 Crashdumps & Dumping a Kernel in Only 6 Days
Back in October Fail0verflow released their Adieu PS4 Kernel Exploit for 4.05 OFW, and since SpecterDev's Follow-up they've now shared documentation on PlayStation 4 crashdumps and dumping a PS4 kernel in "only" 6 days for other scene developers to learn from. :geekxf2:

Previously we also saw PS4 Developer Flat_z Bid PS4 Crash Dumps Good Bye using conventional means thanks to Sony patching the existing holes. :cautiousxf2:

To quote from their latest Blog Entry: Crashdumps on PS4

The crash handling infrastructure of the ps4 kernel is interesting for 2 main reasons:
  • It is ps4-specific code (likely to be buggy)
  • If the crashdump can be decoded, we will gain very useful info for finding bugs and creating reliable exploits
On a normal FreeBSD system, a kernel panic will create a dump by calling kern_reboot with the RB_DUMP flag. This then leads to doadump being called, which will dump a rather tiny amount of information about the kernel image itself to some storage device.

On ps4, the replacement for doadump is mdbg_run_dump, which can be called from panic or directly from trap_fatal. The amount of information stored into the dump is gigantic by comparison - kernel state for all process, thread, and vm objects is included, along with some metadata about loaded libraries. Other obvious changes from the vanilla FreeBSD method are that mdbg_run_dump encodes data recorded into the dump on a field-by-field basis and additionally encrypts the resulting buffer before finally storing it to disk.

Dumping Anything

Let's zoom in on a special part of mdbg_run_dump - where it iterates over all processes' threads and tries to dump some pthread state:
Code:
void mdbg_run_dump(struct trapframe *frame) {
   // ...
   for ( p = allproc; p != NULL; p = cur_proc->p_list.le_next ) {
       // ...
       for (td = p->p_threads.tqh_first; td != NULL; td = td->td_plist.tqe_next) {
           // ...
           mdbg_pthread_fill_thrinfo2(&dumpstate, td->td_proc,
               (void...
PS4 NamedObj 4.05 Kernel Exploit Writeup Published by SpecterDev
Following his Christmas Eve Confirmation and PS4 4.05 Kernel Exploit release, today PlayStation 4 developer @SpecterDev announced on Twitter that he published his "NamedObj" 4.05 Kernel Exploit Writeup as promised! :notworthyxf2:

PS4 developers can check it out in its entirety on Github, and below is a brief summary of the changes since 1.76 and his conclusion, to quote: "NamedObj" 4.05 Kernel Exploit Writeup

Changes Since 1.76

Some notable things have changed since 1.76 firmware, most notably the change where Sony fixed the bug where we could allocate RWX memory from an unprivileged process.

The process we hijack via the WebKit exploit no longer has RWX memory mapping permissions, as JIT is now properly handled by a separate process. Calling sys_mmap() with the execute flag will succeed; however, any attempt to actually execute this memory as code will result in an access violation. This means that our kernel exploit must be implemented entirely in ROP chains, no C payloads this time.

Another notable change is kernel ASLR (kASLR) is now enabled past 1.76.

Some newer system calls have also been implemented since 1.76. On 1.76, there were 85 custom system calls. On 4.05, we can see there are 120 custom system calls.

Sony has also removed system call 0, so we can no longer call any system call we like by specifying the call number in the rax register. We will have to use wrappers from the libkernel.sprx module provided to us to access system calls.


Conclusion

This exploit is quite an interesting exploit, though it did require a lot of guessing and would have been a lot more fun to work with had I had a proper kernel debugger. Getting a working object can be a long and grueling process depending on the leak you're using.

Overall this exploit is incredibly stable; in fact I ran it over 30 times and neither WebKit nor the Kernel crashed once. I learned a lot from implementing it, and I hope I helped others like myself who are interested in exploitation, and hopefully others will learn some things from this...