Live in Your World, HAX in Ours!
Hello World! I've been reporting on Sony PlayStation hacking news since 2000 and started PSXHAX in 2014 to cover PlayStation (PSX), PlayStation 2 (PS2), PlayStation 3 (PS3), PlayStation 4 (PS4), PlayStation Portable (PSP), PlayStation Vita (PS Vita), PlayStation TV (PS TV) and next-gen PlayStation 5 (PS5) platforms along with anything else of interest.
Click on my UserName author link above and you'll be able to view a curated list of all the articles I've contributed thus far to PSXHAX.COM!
Click on my UserName author link above and you'll be able to view a curated list of all the articles I've contributed thus far to PSXHAX.COM!
SilicaAndPina PS4 Web Browser Crash HENkaku4.tk Webpage Demo
Following the PS4 JailBreak ROP Tool release yesterday and many PS4 WebKit Crash videos, today PlayStation 4 developer @SilicaAndPina ran across another which she linked on her HENkaku4.tk page as a proof-of-concept with a demo below! 
Not to be confused with the PlayStation 4 3.55 code execution PS4 HENkaku Exploit, to give the PS4 Web Browser Crash a try, simply:
Below are some related Tweets from SilicaAndPina, and also check out her Silica YouTube Channel for a lot of other kewl demonstration videos.
PS: If you haven't done so already, check out the SPOILER near the bottom of THIS article for a plethora of useful PlayStation file download links from her as well!
Thanks to @PS4HELPER123 for the news in the PSXHAX Shoutbox!
Not to be confused with the PlayStation 4 3.55 code execution PS4 HENkaku Exploit, to give the PS4 Web Browser Crash a try, simply:
- Navigate to HENkaku4.tk on your PS4 (similar PS4 browser test page located at PS4-Expo.NeoCities.org and also PS4Playground.tk)
- Click on the 'Crash The Browser (Ps4)' link (or run PSNS: from the PS4 browser)
- Profit and post your results below if you're feeling froggy
Below are some related Tweets from SilicaAndPina, and also check out her Silica YouTube Channel for a lot of other kewl demonstration videos.
PS: If you haven't done so already, check out the SPOILER near the bottom of THIS article for a plethora of useful PlayStation file download links from her as well!
Thanks to @PS4HELPER123 for the news in the PSXHAX Shoutbox!
ROP Tool Released by Chaitin Tech Used in PS4 Jailbreak Exploit
Following recent research from PlayStation 4 developers into the 4.01 PS4 Jailbreak by Chaitin Tech, today the Chinese PS4 Jailbreaking Team have released an ROP (Return Oriented Programming) tool on their Pro GIT to aid developers in exploiting the PlayStation 4.
Download: pro-master.zip / GIT
PSXHAX Moderator @Centrino points out the GIT work is incomplete, referencing line 41 meaning it only contains partial information and nothing can be done with it by end-users just yet.
In other words, although Chaitin Tech are not teasing, they also are not spoon feeding (giving away their full exploit).
Here is a snippet from #ps4dev on iRC via @Fimo for those interested:
[rck`d] the nonsecure browser has no jit, only the secure browser now (used for PSN store, etc) has JIT
[rck`d] Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process
Everyone can draw their own conclusions, but thus far it wouldn't surprise me if the Chinese Team is just a 'smoke and mirrors' scheme as dongle douchbags start re-DRMing the exploit to profit off PS4 sceners... then when people whine they'll direct them to this GIT of incomplete code as a 'free' alternative to their useless 'product' but hopefully I'm mistaken. 
Anyhow, to quote from the README.md: PRO: PROgramming ROP like a PRO
This is a crappy tool used in our private PS4 jailbreak. Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process. We have to write the kernel exploitation in ROP, like what has been done in HENKaku jailbreak.
Build
Download: pro-master.zip / GIT
PSXHAX Moderator @Centrino points out the GIT work is incomplete, referencing line 41 meaning it only contains partial information and nothing can be done with it by end-users just yet.
In other words, although Chaitin Tech are not teasing, they also are not spoon feeding (giving away their full exploit).
Here is a snippet from #ps4dev on iRC via @Fimo for those interested:
[rck`d] the nonsecure browser has no jit, only the secure browser now (used for PSN store, etc) has JIT
[rck`d] Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process
Everyone can draw their own conclusions, but thus far it wouldn't surprise me if the Chinese Team is just a 'smoke and mirrors' scheme as dongle douchbags start re-DRMing the exploit to profit off PS4 sceners... then when people whine they'll direct them to this GIT of incomplete code as a 'free' alternative to their useless 'product' but hopefully I'm mistaken. Anyhow, to quote from the README.md: PRO: PROgramming ROP like a PRO
This is a crappy tool used in our private PS4 jailbreak. Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process. We have to write the kernel exploitation in ROP, like what has been done in HENKaku jailbreak.
Build
Code:
pip install...
Sony Licensed PS4 Controllers: Razer Raiju and Nacon Revolution
If the PlayStation 4's DualShock 4 (DS4) seems a little too vanilla for your style, check out these new Sony officially licensed third-party professional PS4 controllers coming this holiday season- the Razer Raiju and Nacon Revolution!
Here's a summary of each PS4 pro controller straight from Andrew Mason:
Razer Raiju
The Razer team’s extensive knowledge in developing eSports peripherals made them an ideal partner to create a tournament-grade controller for PS4.
Designed for conquering professional eSports tournaments, the Razer Raiju is equipped with advanced controller customisation and ergonomics. Its features include:
Developed with the eSport player in mind, the Nacon team of industrial designers and engineers collaborated with pro-gamers to develop the Revolution Pro Controller to meet a wide range of their gameplay needs.
Thanks to this collaboration, the Revolution Pro Controller features include:
Here's a summary of each PS4 pro controller straight from Andrew Mason:
Razer Raiju
The Razer team’s extensive knowledge in developing eSports peripherals made them an ideal partner to create a tournament-grade controller for PS4.
Designed for conquering professional eSports tournaments, the Razer Raiju is equipped with advanced controller customisation and ergonomics. Its features include:
- Two extra bumpers and two extra detachable triggers
- Built-in control panel on the front of the controller
- Trigger-stop switches and hair trigger mode for ultra-fast trigger responses
- Two custom profiles which you can instantly switch between and modify
- 3.5mm headset jack and dedicated headset volume and mic mute controls
- Detachable analog stick rubber caps which provide extra grip during intense gaming sessions
- Compatibility with all PS4 systems via the braided 3m-long USB cable – detachable for easy storage
Developed with the eSport player in mind, the Nacon team of industrial designers and engineers collaborated with pro-gamers to develop the Revolution Pro Controller to meet a wide range of their gameplay needs.
Thanks to this collaboration, the Revolution Pro Controller features include:
- 46° amplitude dual analogue sticks, enhanced with innovative firmware for advanced eSports accuracy and reach
- Four extra shortcut buttons
- Eight-way directional pad
- Four custom profiles – all configurable via the companion PC application, enabling players to: re-map buttons, assign macros to the four shortcut controls and adjust analog and trigger sensitivity
- Two internal compartments with six additional weights – for a tailored balance and feel
- Compatibility with all PS4 systems via the 3m-long secure connection USB cable – detachable for easy storage
MrNiato PS4 TestKit & PS3 UltraSlim Debug Menu Setting Comparison
Yesterday he shared a nice archive of PS3 and PS4 Dev Unit PUP files, and today @MrNiato returns with a video demonstrating the Debug menu setting differences between a PlayStation 4 TestKit DUH-T1000AA DEX 3.50 Firmware and a PlayStation 3 UltraSlim DECH-4000AA 4.78 DEX OFW console.
Check out MrNiato's Blog for more, and the video is below along with some related Tweets via Twitter:
PS: At 1pm tomorrow (later today) he's planning to release something PS4 developers may find useful... so stay tuned!
Update: It was cancelled, see the Tweet on his Testkit 1.76 Dump below:
To quote from MrNiato's Blog: "Today at 1PM I posted a full dump of my TestKit on 1.76 Non Retail Firmware, unfortunately I've decided to delete this dump to avoid any problem with Sony. Maybe Am I wrong and I risk nothing but we don't know what Sony can do....
Thanks for reading."
Check out MrNiato's Blog for more, and the video is below along with some related Tweets via Twitter:
PS: At 1pm tomorrow (later today) he's planning to release something PS4 developers may find useful... so stay tuned! Update: It was cancelled, see the Tweet on his Testkit 1.76 Dump below:
To quote from MrNiato's Blog: "Today at 1PM I posted a full dump of my TestKit on 1.76 Non Retail Firmware, unfortunately I've decided to delete this dump to avoid any problem with Sony. Maybe Am I wrong and I risk nothing but we don't know what Sony can do....
Thanks for reading."
PlayStation 4 Developer Specter on CVE-2016-1885 Vulnerability
Yesterday we reported on research being done by PlayStation 4 developers and enthusiasts to uncover the Chaitin Tech PS4 4.01 Kernel Exploit, and today @SpecterDev shared another Tweet which sheds more light on the suspected CVE-2016-1885 (Exploit-DB) vulnerability. 
Below is a brief excerpt, and be sure to check it out in it's entirety on his Latest PS4 Dev Blog entry!
To quote: "My ultimate goal of the lower half of this article is to show a little snippet of the complexity of such an exploit to be developed, so whenever something is found, don't expect an exploit to be released right away.
If and when such a POC is released, be thankful and respectful to the developer, after all many in this scene are doing this work for free."
From Pastebin.com also comes a log from #ps4dev on iRC via @B7U3 C50SS, as follows:
Below is a brief excerpt, and be sure to check it out in it's entirety on his Latest PS4 Dev Blog entry!
To quote: "My ultimate goal of the lower half of this article is to show a little snippet of the complexity of such an exploit to be developed, so whenever something is found, don't expect an exploit to be released right away.
If and when such a POC is released, be thankful and respectful to the developer, after all many in this scene are doing this work for free."
From Pastebin.com also comes a log from #ps4dev on iRC via @B7U3 C50SS, as follows:
Code:
[12:32] <HI_Ricky> but .env is encrypt
[12:32] <HI_Ricky> XD
[12:34] <HI_Ricky> not yet to know what it did when check system update from beta test user
[12:35] <HI_Ricky> hidusbpower look like hidden usb power
[12:35] <HI_Ricky> hid_config look like hidden config, XD
[12:36] <flatz_> why do you need env?
[12:36] <HI_Ricky> for downgrade?
[12:38] <HI_Ricky> i dont know XD
[12:39] <HI_Ricky> so why beta test user can check beta fw and rls fw at same time
[12:49] <maxton> hid_config sounds like human interface device config to me
[12:49] <HI_Ricky> right XD
01[12:54] <Fimox> the "magic CVE" is CVE-2016-1885 ? http://www.securityfocus.com/archive/1/archive/1/537812/100/0/threaded
01[12:54] <Fimox> has it been confirmed ?
[12:56] <maxton> not necessarily. that is just a denial of service vulnerability. it is difficult or impossible to get kernel code exec with that
01[12:57] <Fimox> have you read "8.1. FreeBSD amd64_set_ldt Integer Signedness Vulnerability" on that link ?
01[12:58]...