No Man's Sky Heads to PlayStation 4 with New Games This Week
Explore planets untouched by human life this week in No Man's Sky on PS4, where players can uncover the truth through ancient artifacts and journey to the center of the universe as part of this week's new PlayStation games!

Here's a summary of the new PS game releases courtesy of Sony's Ryan Clements, as follows:

New Releases: August 9, 2016
  • Arcade Archives Soldier Girl Amazon PS4 — Digital
  • Blade Ballet PS4 — Digital
  • Brutal PLATFORMS
  • Caladrius Blaze PS4 — Digital
  • Emily Wants to Play PS4 — Digital
  • Indigo Prophecy (PS2) PS4 — Digital
  • No Man’s Sky PS4 — Digital, Retail
  • OlliOlli: Epic Combo Edition PS4 — Retail

PlayStation Music
  • Rae Sremmurd — SremmLife 2
  • PARTYNEXTDOOR — PARTYNEXTDOOR 3 (P3)
  • Of Montreal — Innocence Reaches
PlayStation Video
  • Ratchet & Clank
  • The Nice Guys
PlayStation Vue
  • Secret Eats with Adam Richman – August 8 at 10/9c (Travel)
  • Suits – August 10 at 9/8c (USA)
  • The Daily Show – Weeknights 11/10c (Comedy Central)
The information above is subject to change without notice.
Native Linux / PS4 Development on Windows Tutorial by Kiwidog
Yesterday we reported on the HENkaku PS4 Exploit port and now Kiwidog shared a Native Linux / PS4 Development on Windows Tutorial with other PlayStation 4 developers!

Here are some recent Tweets from A-Town Thomas as kiwidog:

And below is an introduction from the PlayStation 4 development on Windows tutorial, to quote:

"If you are like me, you hate developing on Linux. Nothing beats Microsoft’s Visual Studio, nothing. Recently with the Windows 10 Anniversary update you have WSL or Windows Subsystem for Linux, as excited as I was for this to come out Visual Studio is a “slow” adopter of this technology and I currently spent many hours poking and tweaking things until I got them right. So here it is, a full tutorial on how to get PlayStation 4 development going on Windows.

Note: This is not using any of Sony’s official software development kit, and is free for anyone to use.
Before I begin, I would like to personally thank Marc Goodner and the Visual Studio C++ for Linux development team. Without them and the WSL team none of this would have been possible.

At the time of this writing you will need the 1.0.5 or higher VS C++ for Linux which has not been...
HENkaku Exploit Teardown Part 2 by PS Vita Hacker Known as H
Last week we saw Part 1 of the HENkaku Exploit Teardown by an anonymous PS Vita Hacker known as H, and today H returns with Part 2 of his HENkaku Exploit Teardown below from Pastebin.com via notzecoxao! :D

To quote: HENkaku exploit teardown - Part 2

- Stage 3 (ROP payload 2):

The second payload is composed of another ROP chain and data. It creates two userland threads (each one with its own ROP chain), that take care of leaking kernel pointers (by issuing devctl commands to "sdstor0:") and breaking the userland sandbox (by exploiting sceNet functions).
Code:
    // Copy SD card device path and param
    strcpy(x_stack + 0x000086B4, "sdstor0:");
    strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");

    // Clear devctl 0x05 outbuf
    // From x_stack + 0x00006F34 to x_stack + 0x00007334
    memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);

    // Copy dummy device path
    strcpy(x_stack + 0x000086E4, "molecule0:");

    // Mount path?
    sceLibKernel_A4AD("molecule0:");

    // Send command 0x05 to "sdstor0:"
    sceIoDevctl("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);

    // Store leaked kernel pointer 1
    // Comes from devctl_outbuf + 0x3D4
    0x00(x_stack + 0x00008464) = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9

    // Create "pln" thread
    // "pln" == "pointer leak n"?
    // Entry (0x000054C8): LDMIA R1,{R1,R2,R4,R8,R11,SP,PC}
    int thread_id = sceKernelCreateThread("pln", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);

    // Store "pln" thread's ID
    0x00(x_stack + 0x00008E94) = thread_id

    // Store SceKernelThreadInfo size
    0x00(x_stack + 0x0000862C) = 0x7C

    // Get thread info structure
    sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);

    // Save pln_threadinfo.stack + 0x00001000
    0x00(x_stack + 0x00008EA0) = 0x00(x_stack + 0x00008660) + 0x00001000

    // Stack parameters for "pln" ROP chain
    0x00(x_stack + 0x00008954) = 0x00000014
    0x00(x_stack + 0x00008958) = x_stack + 0x00006F34
    0x00(x_stack + 0x0000895C) = 0x000003FF

    // Stack parameters for "pln" ROP chain...
HENkaku Offline Hosting and HENkaku KOTH Challenge by Yifan Lu
PlayStation Vita hacker yifanlu has recently made available HENkaku Offline Hosting source code and officially presents the HENkaku KOTH Challenge! :D

Download: HENkaku Offline Hosting GIT / Source code (zip) / Source code (tar.gz)

To quote from Yifan Lu's Blog on the HENkaku KOTH Challenge:

We released HENkaku a week ago and were blown away by the reception. There has been over 25k unique installs and every day new homebrew are being announced. This is all thanks to those who contributed to the *** project back when Rejuvenate was announced. Without a working toolchain for developers and a couple of working homebrews at the time of HENkaku’s launch, I doubt the reception would have been as popular.

Since the release, there have been a couple of questions we’ve been getting over and over again: When will this work on older firmware versions? How does HENkaku work? Where is the source code? I am going to address these questions in a bit. First, I want to thank Sony. It is common for hackers to laugh and poke fun at companies on the receiving end of hacks. But I think that’s unfair–security issues are a learning experience for all sides and we should all be thankful for it.

For myself, I started my work on the Vita since its North America release in 2012. Although Davee beat me in hacking the PSP compatibility mode and getting ROP on WebKit, I was the first to run native code and dump the memory through PSM.

Since then, Davee, Proxima, I, and later xyz (collectively “molecule”) have been working on the Vita on and off through the years. It is a tremendous learning experience both working with these smart individuals and getting my hands dirty with real world hacks.

I think I owe a large portion of what I know about security due...
PS4 HENkaku Exploit: PlayStation 4 3.55 Code Execution by Fire30!
Following the initial release, decryption tutorials and reverse-engineering, PlayStation 4 developer Fire30 (who did the PS4 Webkit Exploit 2.XX PoC) has ported the PlayStation 4 HENkaku exploit allowing PS4 3.55 code execution! (y)

Download: PS4-3.55-Code-Execution-PoC-master.zip / GIT

From atreyu187 come some additional details on this HENkaku PS4 port as follows:

"This is only a userland code execution. This is nothing like dlclose or BADIret. We still need an exploit to reach 1.76 level of hacks. Both just mentioned have been patched out of FreeBSD and CTurt has been working with FreeBSD devs to fix the OS making it that much harder. We have had this access opened up in 3.50 already that the WebKit has led nowhere."

Thanks to @B7U3 C50SS and @Plankton in the Shoutbox and @mcmrc1 in the Forums for sharing the news!
