PSXHAX.COM website and domain for sale. Contact Us with your offer!
PS4 4.55 BPF Race Condition Kernel Exploit Writeup by SpecterDev
Earlier this month we saw the PS4 4.55 WebKit Exploit Write-up by PlayStation 4 developer @SpecterDev, and now he announced on Twitter that he's added the PS4 4.55 / FreeBSD BPF kernel exploit writeup to his GitHub repository crediting qwertyoruiop and stating: "The bug is present on any system running FreeBSD such that you have privileges (which we did on PS4). Could be used on other systems for root to ring0 code execution."

Below is an excerpt from it, with the full documentation available on the Github Repo for those interested in learning more about it! :geekxf2:

To quote: Conclusion

This was a pretty cool bug to exploit and write-up. While the bug is not incredibly helpful on most other systems as it cannot be exploited from an unprivileged user, it is still valid as a method of going from root to ring0 code execution.

I thought this would be a cool bug to write-up (plus I love writing them anyway) as the attack strategy is fairly unique (using a race condition to trigger an out-of-bounds write on the stack). It's also a fairly trivial exploit to implement, and the strategy of overwriting the return pointer on the stack is an easy method for learning security researchers to understand.

It also highlights how while an attack strategy may be old, perhaps this one being the oldest there is - they can still be applied in modern exploitation with slight variations.

Credits
References
Thanks to...
PS4 Wifi / Bluetooth Firmware Reversing H4x v1.0 by Xorloser
Following his PS4 Serial / Flash Pinouts, PlayStation 4 scene developer @xorloser announced on Twitter that he's added PS4 Wifi / Bluetooth Firmware reversing h4x v1.0 to Github with details and the related Tweets below. :geek:

Download: ps4_wifi_bt-master.zip / GIT / 19-Researching-Marvell-Avastar-Wi-Fi.pdf (1.64 MB)

To quote from the README.md: PS4 wifi/bluetooth firmware reversing h4x

v1.0 xorloser march 2018

Overview

The PS4 uses a hardware module codenamed torus for its wifi and bluetooth. Currently there are two different versions of this; the older torus1 and the newer torus2.

The torus firmwares are stored in plaintext on the PS4's flash. The PS4 loads them into the hardware module.

This is not going to lead to some magical hack of the PS4, its just fun to poke around inside it to see what it does.

Torus1

The older torus1 is based around the Marvell Avastar 88W8797 SoC. It supports up to wifi n. This SoC has a Marvell Feroceon CPU (ARMv5TE-compliant) inside it. Check this pdf for more specs: marvell_avastar_88w8797.pdf.

Torus2
The newer torus2 is based around the Marvell Avastar 88W8897 SoC. This updated SoC adds wifi ac. It is used in PS4 Pro consoles and probably PS4 slim since I see that PS4 Slim supports wifi ac. Check this pdf for more specs: marvell-wireless-88w8897-product-brief-2018-10.pdf

Apparently this SoC also inside the XboxOne :)

Firmware files

The torus firmware files are stored in plaintext in the PS4 flash. You can parse the flash partitions and filesystems to find it stored as the filename "C0020001". Or if you have a flashdump just search for the string "C0020001" in it. The size of the firmware is a 32bit value stored 0xC bytes before the "C0020001" filename. The firmware data will be stored 0x1D0 bytes after the "C0020001" filename.

The...
OpenOrbis: Open Source PS4 Homebrew Initiative by The Sugarleaf
Awhile back we saw the Russian WIP of PS4HEN called MiraHEN by The Sugarleaf, and today scene developer @Mathieulh shared a few details on their other projects including OpenOrbis ***- a free and legal PS4 development kit, OpenOrbis Toolchain- tools, patches and scripts to build PS4 homebrew and OpenOrbis Marketplace- an online marketplace for homebrew publishing similar to Cydia but without the repos. :geekxf2:

According to Mathieulh, to quote: "The only place to find information on OpenOrbis is the github, any discord, twitter, reddit, or any social media otherwise is fake."

He also confirmed, "It's legit, someone from the group has asked me to tweet this" and that "It's a placeholder for now" although other PS4 developers including BigBoss replied with "They should change the open in the name then. Try to build a dev community without sharing sources is stupid." :cautiousxf2:

Here are some details from Github on the OpenOrbis project, as follows from the README.md:

OpenOrbis - ***

OpenOrbis Team strives to provide an open source, free, legal *** for development of the PlayStation 4 console. We will not be providing any interfaces for kernel development. With this being said all of the things that will be included are as follows
  • Software Development Kit
  • Portable Homebrew/Payload Launcher Source (Currently for 1.76/5.01)
  • Replacement LLVM lld linker for no-prototype/stub generation of source code
New Features!
  • In order to ease development of userland applications like emulators, media players, and homebrew games, we have included a fully modified LLVM linker to replace the standard. This linker will automatically generate the approperate imports and import id's needed to run using the provided loader (TOOD: Link to source)
  • Faster compile times than other competitve homebrew software development kits...
PS4 WebKit Exploit Port for Firmware 5.03 by Thierry
Following the 5.01 PS4 WebKit Exploit and 5.50 PS4 WebKit Exploit Rewrite, today @thierry passed along word on Twitter that he ported qwertyoruiop's PlayStation 4 v5.50 Userland Exploit to 5.03 Firmware with details below. :geek:

Download: ps4-5.03-webkit-exploit-master.zip / GIT

To quote from the README.md: PS4 WebKit Exploit for Firmware 5.03

Information


A port of the PS4 5.50 WebKit exploit by qwertyoruiopz. Port possible thanks to the offsets from the 5.01 PoC by Alex and qwertyoruiopz's gadget finder code included in the exploit.

It should work for firmwares 5.01 - 5.05 but the gadget offsets might need to be changed for the other versions.

Changes
  • Added a check to not list the current and parent directory directories when browsing the browser directories
Reference
Code:
0x5E8024AC -> 0x5E4024AC
Only difference between 5.05 and 5.03 exploit wise, wasted all day rewriting the whole thing just to get this. At least it was a learning experience.
From Pastebin.com: PS4 5.03 Offsets
Code:
#define kdlsym_addr__mtx_lock_flags                        0x00401C90
#define kdlsym_addr__mtx_lock_sleep                        0x00401D30
#define kdlsym_addr__mtx_unlock_flags                      0x00401F60
#define kdlsym_addr__mtx_unlock_sleep                      0x00402060
#define...
PS4 5.50 WebKit (Userland) Exploit Rewrite by Qwertyoruiop
This is covered in numerous topics already including the PS4 Holy Grail, 5.01 PS4 WebKit, 5.05 PS4 Breacher and 5.50 PS4 OFW discussion threads but for those who missed it PlayStation 4 developer Qwertyoruiop released a PS4 v5.50 Firmware re-write of the user-level exploit code available HERE (Mirror) which he states should be 100% reliable and that the old kexploit was fixed in 5.50. :ninja:

:alert: Needless to say this is a 5.50 PS4 WebKit (Userland) exploit and not a Kernel-level exploit, meaning until a fully implemented 5.50 Kernel exploit is publicly available you won't be able to jailbreak PlayStation 4 consoles on v5.50 Firmware so don't update!

In related news, PS4 developer @Al Azif also confirmed on Twitter that he "Pushed qwertyoruiopz's webkit rewrite to the DNS server for 4.55, just mashed it together but it seems to work will take a closer look later" and updated to PS4 Exploit Host v0.4.1 alongside an update to Ps4_Serve2_v1_6.apk by stooged.

As usual the tweets can be found below alongside a demo video by @Andrew Marques for those interested.
...
Back
Top