Last fall PS4 developers saw
PS4 Aux Hax 4: Belize (Southbridge) via HDMI CEC from
fail0verflow which allowed hackers to get code exec on all PS4 southbridge versions using HDMI-CEC
without requiring other parts of the system to be compromised, and following his recent
GhidraPS4 ELF Loader / PS4FlashTool releases PlayStation 4 developer
@g991 (aka
goldfitzgerald jogold32 on
Twitter X) has been examining the PS4 southbridge and shared some reverse-engineered code today.
He states, to quote: "Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader."
If you're a prospective PS4 developer, be sure to check out the Tweets
below!
Picture of the PlayStation 4 APU bootrom reading the second bootloader over PCIe, this is read from the system flash using SPI via the southbridge. The low spots are where the data is all 0xFF, where hamming distance between data lines/registers stays constant.
If you look at a system flash dump, located at 0x200000 is this data. There is a main header and a header that switches between two other headers that are each associated with their own bootloader. I call these boot slots.
Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge...