PSXHAX.COM website and domain for sale. Contact Us with your offer!
Fail0verflow on PS4 Crashdumps & Dumping a Kernel in Only 6 Days
Back in October Fail0verflow released their Adieu PS4 Kernel Exploit for 4.05 OFW, and since SpecterDev's Follow-up they've now shared documentation on PlayStation 4 crashdumps and dumping a PS4 kernel in "only" 6 days for other scene developers to learn from. :geekxf2:

Previously we also saw PS4 Developer Flat_z Bid PS4 Crash Dumps Good Bye using conventional means thanks to Sony patching the existing holes. :cautiousxf2:

To quote from their latest Blog Entry: Crashdumps on PS4

The crash handling infrastructure of the ps4 kernel is interesting for 2 main reasons:
  • It is ps4-specific code (likely to be buggy)
  • If the crashdump can be decoded, we will gain very useful info for finding bugs and creating reliable exploits
On a normal FreeBSD system, a kernel panic will create a dump by calling kern_reboot with the RB_DUMP flag. This then leads to doadump being called, which will dump a rather tiny amount of information about the kernel image itself to some storage device.

On ps4, the replacement for doadump is mdbg_run_dump, which can be called from panic or directly from trap_fatal. The amount of information stored into the dump is gigantic by comparison - kernel state for all process, thread, and vm objects are included, along with some metadata about loaded libraries. Other obvious changes from the vanilla FreeBSD method are that the mdbg_run_dump encodes data recorded into the dump on a field-by-field basis and additionally encrypts the resulting buffer before finally storing it to disk.

Dumping Anything

Let’s zoom in to a special part of mdbg_run_dump - where it iterates over all process’ threads and tries to dump some pthread state:
Code:
void mdbg_run_dump(struct trapframe *frame) {
   // ...
   for ( p = allproc; p != NULL; p = cur_proc->p_list.le_next ) {
       // ...
       for (td = p->p_threads.tqh_first; td != NULL; td = td->td_plist.tqe_next) {
           // ...
           mdbg_pthread_fill_thrinfo2(&dumpstate, td->td_proc,
               (void...
PS4 NamedObj 4.05 Kernel Exploit Writeup Published by SpecterDev
Following his Christmas Eve Confirmation and PS4 4.05 Kernel Exploit release, today PlayStation 4 developer @SpecterDev announced on Twitter that he published his "NamedObj" 4.05 Kernel Exploit Writeup as promised! :notworthyxf2:

PS4 developers can check it out in it's entirety on Github, and below is a brief summary of the 1.76 changes and his conclusion to quote: "NamedObj" 4.05 Kernel Exploit Writeup

Changes Since 1.76

Some notable things have changed since 1.76 firmware, most notably the change where Sony fixed the bug where we could allocate RWX memory from an unprivileged process.

The process we hijack via the WebKit exploit no longer has RWX memory mapping permissions, as JiT is now properly handled by a seperate process. Calling sys_mmap() with the execute flag will succeed; however any attempt to actually execute this memory as code will result in an access violation. This means that our kernel exploit must be implemented entirely in ROP chains, no C payloads this time.

Another notable change is kernel ASLR (kASLR) is now enabled past 1.76.

Some newer system calls have also been implemented since 1.76. On 1.76, there were 85 custom system calls. On 4.05, we can see there are 120 custom system calls.

Sony has also removed system call 0, so we can no longer call any system call we like by specifying the call number in the rax register. We will have to use wrappers from the libkernel.sprx module provided to us to access system calls.


Conclusion

This exploit is quite an interesting exploit, though it did require a lot of guessing and would have been a lot more fun to work with should I have had a proper kernel debugger. To get a working object can be a long a grueling process depending on the leak you're using.

Overall this exploit is incredibly stable, in fact I ran it over 30 times and WebKit nor the Kernel crashed once. I learned a lot from implementing it, and I hope I helped others like myself who are interested in exploitation and hopefully others will learn some things from this...
PS4 4.05 Scene LIT AF, Kernel Exploit Now Released by SpecterDev!
Following the Adieu PS4 Kernel Exploit and his confirmation yesterday, today the PS4 scene is LIT AS F*CK for the holidays with the RELEASE of a fully implemented kernel exploit for PS4 v4.05 Firmware by @SpecterDev via Twitter alongside a debug_settings.bin Test Payload! :tree::santa: Howbow dah, Sony? :bananaman3::bananaman13:

Download: PS4-4.05-Kernel-Exploit-master.zip / GIT / Live Demo via @01cedric / Live Demo (Mirror #2) via @0x199 / Live Demo (Mirror #3) via @Red7s / Live Demo (Mirror #4) via @tunip3 / Live Demo (Mirror #5) via @EdiTzZMoDz / debug_settings.bin (16.23 KB Test Payload)
In addition, proceeding his PS4 Package (PKG) research today PlayStation 4 developer @flatz announced on Twitter that in a few days he'll share some of his recent work so that it can be backported from 4.55 to 4.05 for use on PS4 jailbroken consoles! <3:fire:

To quote from the README.md: PS4 4.05 Kernel Exploit

Summary

In this...
JailbreakMe PS4 4.05 Exploit / Webkit Working Confirms SpecterDev
Since his Christmas Eve Updates, today PlayStation 4 developer @SpecterDev confirmed on Twitter that the JailbreakMe PS4 4.05 Exploit originally by Qwertyoruiopz is now working with a stable Webkit and games launching properly! :lovexf2:

While Sony's PS4 4.05 OFW is over a year old now, according to our Site Poll results 31.9% of members are between PlayStation 4 Firmware 2.00 through 4.01 with 19.6% on 1.76 or below and 2.4% on 4.05 specifically... but that may soon change. :sneakyxf2:

Last month in an interview PS4 developer @SpecterDev stated "I hope to get a release out soon (within the next week or so)," and while the timeframe may be a bit off here's hoping he follows through to kickstart the PS4 v4.05 scene so progress can happen with help from the entire community of developers and end-users working together testing everything out. :thumbup:

  • Exploit Works ✓
  • WebKit Stable ✓
  • Games Launch ✓
:smilexf2:

Cheers to both @hyndrid and @xthird16 in the PSXHAX Shoutbox tonight for the news tips! <3
PS4 4.05 Jailbreak Updates from SpecterDev on Christmas Eve
'Twas the night before Christmas... as the story goes! :santa::tree: Last we heard from PlayStation 4 developer SpecterDev on his PS4 4.05 Kernel Exploit Progress he ran into some issues, but recently he Tweeted the following update to quote:

"WebKit exit seems to be stabilized in the exploit chain, however launching games will freeze on boot. But at least payloads can be ran with system stability now with games aside (-:"

Since then, when asked for an official comment on his PS4 v4.05 work @SpecterDev followed-up on Reddit's Discord channel earlier today stating "Oh ye should be done today or tomorrow I'm just working on a game I've decided to start making (-:"

Also below are some related Tweets from @HydrogenNGU for those following the ongoing PS4 4.05 jailbreak news this Christmas Eve:

:idea: If you just got a PlayStation 4 or PS4 Pro console for Christmas, check out this Brief FAQ for answers to some commonly asked questions to bring you up to speed on PS4 jailbreaking and related topics.

Here's to hoping the PS4 scene soon graduates from the PlayStation 4 v1.76 era into a new v4.05 norm complete with exploit ports so more people can enjoy all of the recent 1.76 PS4 game releases and homebrew developments! :D
Back
Top