PSXHAX.COM website and domain for sale. Contact Us with your offer!
PS4 Aux Hax: Hacking Aeolia, Syscon and DS4 by Fail0verflow!
It's been awhile since we last heard from Fail0verflow on PS4 Crashdumps and Kernel Dumping, but today they've made available a new trio of PlayStation 4 hacking documentation dubbed PS4 Aux Hax covering hacking the Aeolia (Southbridge), Syscon (System Controller) and DS4 (DualShock 4 Controller) for other developers to learn from! :notworthy:

The PlayStation 4 research can be found on their blog at Fail0verflow.com in the following pages for those who'd like to read through all the juicy details:
They also credit Volodymyr Pikhur for EAP / EMC work done including side-channel analysis, glitching and ROM recovery in his PS4 IPL AES + HMAC Key Recovery project, the original exploit and Recon Brussels 2018 presentation and PlayStation 4 developer @flatz who aided with reversing, bug hunting and hinted earlier today at signing PS4 CFW (PS4 Custom Firmware) through this research... although @Abkarino of Team Rebug also reminds everyone that more hardware exploiting work is necessary. :fire:

PlayStation 4 developer @xxmcvapourxx announced on...
PS4Debug: PlayStation 4 Debugger Updates by G991 (Golden)
Following the previous release, here are some recent PS4Debug updates to my PlayStation 4 debugger application introducing the Debug Watch utility. :geek:

A debugger with software breakpoints, hardware breakpoints, pause, stop, read memory, write memory, and all other sorts of functionality! You can use this along side my old project jkpatch or by itself.

Debug Watch - A simple tool I made to test the debugger out!

Download: debugwatch.zip (1.36 MB) / debugwatch.zip (Mirror) / ps4debug.bin / PS4 Debug fork via jormbs / ps4debug.bin (52 KB) / libdebug.dll (26 KB) / ps4debug672_GiantPluto_DeathRGH.rar (32.14 KB) / ps4debug.bin / libdebug.dll (For 6.72) (with ASLR fix) / GIT Fork via GiantPluto / ps4debug.bin for 7.02 / ps4debug_for_755.bin (51.8 KB) / Unified ps4debug.bin (5.0X, 6.72, 7.02, 7.5X) / ps4debug.bin (52 KB - 9.00 Port / Mirror via @karo218) /...
PS4 5.05 Kernel Exploit Writeup Documentation by SpecterDev
As he did with the 4.05 Kernel Exploit and 4.55 WebKit Exploit, following the initial announcement and 5.05 Kernel Exploit release PlayStation 4 developer @SpecterDev has now made available via Twitter a writeup documenting his PS4 5.05 Kernel Exploit for others to examine and learn from. :notworthyxf2:

To quote from the PS4 5.05 BPF Double Free Kernel Exploit Writeup.md on Github, in part: Conclusion

Another cool bug to exploit. It should have been a trivial exploit, however Sony's new mitigation that prevents exploit devs from pivoting RSP into userland memory while in kernel context is quite effective, and some tricks had to be used to get the chain into kernel memory - but as demonstrated, it is beatable.

This exploit is also a good example of how double free()'s can be exploited fairly easily on FreeBSD if they're on an object of decent size.

Credits
Additional Thanks
  • TheFloW - Suggestions and Feedback
References
...
History Blocker Payload for Exploited PS4 Web Browser by Stooged
Following my ApplicationCache.db release, this is just a simple payload to enable or disable the auto loading of the last page used in the PS4 webbrowser when you open it.

To toggle the enable or disable state just run the payload again and it will turn it on or off.

History Block: Enabled
  • when enabled the browser will not auto load the last page used when you open it.
  • the browser will show the Frequently Used Pages tab instead
History Block: Disabled
  • when disabled the browser will operate normally and auto load the last used page.
Download:
Source:
Offline Cache (ApplicationCache.db) Install Payload to PS4
Following my previous update, I have created a payload to install the ApplicationCache.db for hosting offline PS4 exploits.

Download: Cache_Install.zip / Cache_Install_html.zip / Source Code (GIT) / 9.00 Port fork by kmeps4

The payload contains a basic set of exploits for anyone that just wants a simple set of exploits.. just run the payload then go to http://cache/index.html or the user guide. If you delete the browser data just run the payload again and it will reinstall the basic exploits.

You don't need to disable the network connection so the ftp payload will still work.

The DB_SG_Backup payload also backs up the cache db, if you already have a offline cache setup you can back that up.

If you delete the browser data you can put the ApplicationCache.db file from the backup on the root of a usb drive and reinstall it using this payload.

For anyone that is looking to make their own db file I have included the SQL File to create a db using DB Browser.

Just modify the sql to suit your needs and create a new database in DB Browser called ApplicationCache.db and execute the sql and save.. you can put the ApplicationCache.db on the root of a usb drive and run the install payload to install it.

If you want to modify the payload to contain your version of the db file just encode your db file with base64 and put the data into the ApplicationCache.h file of the source and compile.

Inbuilt (basic) exploits:

How to Cache PS4 Jailbreak Payloads on Firmware 5.05 or Lower Offline Tutorial
Back
Top