PSXHAX.COM website and domain for sale. Contact Us with your offer!
PS4 Southbridge Reverse-engineered Code Examination & PlayStation 4 Extraction by Jogolden
Last fall PS4 developers saw PS4 Aux Hax 4: Belize (Southbridge) via HDMI CEC from fail0verflow which allowed hackers to get code exec on all PS4 southbridge versions using HDMI-CEC without requiring other parts of the system to be compromised, and following his recent GhidraPS4 ELF Loader / PS4FlashTool releases PlayStation 4 developer @g991 (aka goldfitzgerald jogold32 on Twitter X) has been examining the PS4 southbridge and shared some reverse-engineered code today. :fire:

He states, to quote: "Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader."

If you're a prospective PS4 developer, be sure to check out the Tweets below! :thumbsupxf2:

Picture of the PlayStation 4 APU bootrom reading the second bootloader over PCIe, this is read from the system flash using SPI via the southbridge. The low spots are where the data is all 0xFF, where hamming distance between data lines/registers stays constant.
PS4 Southbridge Reverse-engineered Code Examination by Jogolden 2.png

PS4 Southbridge Reverse-engineered Code Examination by Jogolden 3.jpg

PS4 Southbridge Reverse-engineered Code Examination by Jogolden 4.jpg

If you look at a system flash dump, located at 0x200000 is this data. There is a main header and a header that switches between two other headers that are each associated with their own bootloader. I call these boot slots.
Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge...
PS4 6.20 WebKit Code Execution Exploit PoC by SpecterDev!
Proceeding the release of PS4 Firmware 6.50, his previous PS4 Exploit Documentation, GH Clone Demo, the 6.20 Dev Build Strings and 6.50 Dev Build Strings as promised today @SpecterDev released via Twitter a PS4 6.20 WebKit Code Execution Exploit PoC (Proof-of-Concept) using CVE-2018-4441 to obtain RCE crediting lokihardt for the vulnerability used.

From the Tweets below, he states that unlike the PS4 6.XX JSC_ConcatMemcpy WebKit Exploit which wasn't a complete exploit, this one grants code execution in userland for PS4 scene developers! :love:

Download: PS4-6.20-WebKit-Code-Execution-Exploit-master.zip / GIT / Live Demo / 6.20-FS.zip (323 MB - FULL 6.20 Fs with modules, decrypted) / Kernel_Dump_620-1.zip (20.5 MB - 6.20 kernel) / 6.20 kernel offsets via LightningMods

:alert: For newbs: This is a 6.20 PS4 WebKit (Userland) exploit and not a Kernel-level exploit, meaning until a fully implemented 6.20 Kernel exploit is publicly available you won't be able to jailbreak...
Pure HEN: Child Friendly Loader by DefaultDNB (KiiWii) and Leeful
Following their recent X-Project Updates, at the request of sdragon001 PlayStation 4 developers @DEFAULTDNB (aka KiiWii - Twitter) and @Leeful (Twitter) made available Pure HEN which is a child friendly, safe and easy to use super lightweight PS4 5.05 HEN loader.

Download: PURE_HEN_1.3_zip (8.07 MB) / PURE HEN 1.4.zip (7.7 MB - Unofficial Port Edited with PS4HEN 2.1.2) / PURE HEN 1.5.zip (7.7 MB - Unofficial Port Edited with PS4HEN 2.1.3)

Spoiler: Depreciated

According to the Tweets below, Pure Homebrew ENabler is essentially a one-shot PS4 HEN 1.8 + VR (spoof for VR headset) exploit loader that automatically caches! :love:

Kid version Hen 1.8 Vr autopay load via UnknownGamer

From the PureHEN video's description: Kid friendly version of an auto detect FW. Boot console, auto loads kids account, navigate to www. Auto loads hen 1.8 vr...
X-Project Updates for PS4 5.05 by DefaultDNB (KiiWii) and Leeful
Following the previous revisions of the X-Project PS4 5.05 Self Host / ESP8266 today we present the latest X-Project v1.5.5 followed by X-Project v1.5.6, X-Project v1.5.7 and X-Project v1.5.8 Beta updates for PS4 5.05 by myself @DEFAULTDNB aka KiiWii (Twitter) and @Leeful (Twitter) with the changes outlined below.

Downloads: X-Project_v1.5.7.zip (16.73 MB) / X-Project_v1.5.8_BETA.zip (17.19 MB)

X-Project v1.5.8 Beta Changelog:

New Features:
  • Added a 'SETTINGS' page so you can fully customize X-Project.
  • Added the ability to choose which payloads load with the button combos.
  • Added the ability to choose which payloads appear in the Quick Menu.
  • Added the ability to Show/Hide the kernel clock in the main menu.
  • Added the ability to choose from a selection of wallpapers. (you can swap these for your own if you wish)
  • Added the ability to show/hide the welcome popup.
  • Added the ability to show/hide the kernel clock.
  • Added the ability to show/hide the kernel clock by clicking on it in the main menu.
  • Added the ability to set a Username and IP, Pick a custom colour for the menu item from the Settings page.
  • Removed the black bar from the top of the menu. Now the background covers the entire page.
Updated:
  • Updated Lotus GTA V Mod Menu to v1.03.
  • Updated the ReactPSPLus payloads to instantly update the displayed kernel date and time when the payloads are run.
Fixed:
  • Fixed an issue with the ReactPSPLus payloads where the date and time would not be accurate if alternate timezones were used.
X-Project v1.5.7 Changelog:
Spoiler: X-Project v1.5.6 Downloads & Changelogs
PS4 6.20 Build Strings by Fire30, ETA WEN for Kernel Exploit?
Recently developer Fire30 shared on Twitter some PS4 Firmware 6.20 Build Strings which have been added to the Dev Wiki displaying the current status as 'dumped' leaving many asking the proverbial question of ETA WEN for a public kernel exploit release to complement the PS4 6.XX JSC_ConcatMemcpy WebKit Exploit so PlayStation 4 consoles on recent Firmware can be jailbroken. :unsure:

Previously Fire30 publicly released a PS4 Webkit Exploit PoC for 2.XX OFW, PS4 HENkaku Exploit for 3.55 Code Execution and FireKaku PS4 3.15 / 3.50 OFW Ports of the exploit... so although he may decide not to do a public 6.20 release at least he has a track record of sharing his findings publicly with the PS4 scene in the past. :lovewins:

To speculate briefly, besides obvious legal hassles a reason he may opt against doing a public 6.20 kxploit release is what developer @Mathieulh (Twitter) mentioned on Discord last month... to quote:

"No one is interested in doing a release for various reasons including how we don't have any other exploit chain after this one XD"

Like it or not, that's a compelling reason to keep things private (for the moment) among PS4 developers since end-users can still obtain jailbreakable consoles if they're willing to pay what those selling them are asking.

Code:
cat 620.elf | head -c 4096 | sha1sum 2e83ab92cf84da74b526db13500f4611583f7c45 -
Code:
r109816/release_branches/release_06.200 Nov 2 2018 05:41:33
...
Back
Top