PSXHAX.COM website and domain for sale. Contact Us with your offer!
PS4 Dlclose Exploit for PlayStation 4 Firmware 1.62 Port by Zecoxao
Following his 1.01 and 1.76 decrypt_pup_header patches for the original Dlclose exploit and recent PS4 Playground for Webkit Exploits 1.62 OFW Port, today PlayStation 4 developer @zecoxao announced on Twitter he added a PS4 Dlclose Exploit 1.62 Port on Github for interested developers alongside a 1.52 Port below. :thumbup:

Download: ps4_dlclose_162-master.zip / GIT / ps4_dlclose_152-master.zip / GIT

Also PlayStation 4 developer @ZeraTron hinted on Twitter that PS4 sceners can "Expect some great goodies for Christmas guys" although he added the note "1.76... obviously" but hopefully SpecterDev will follow-up with some PS4 v4.05 Christmas cheer in coming weeks for everyone else. :love:

Greets to @Wultra for the heads-up in the PSXHAX Shoutbox earlier today! :-D
SpecterDev on PlayStation 4 v4.05 Kernel Exploit Progress Updates
Since his PS4 NamedObj Kernel Exploit Strategy Overview PlayStation 4 developer SpecterDev shared a progress update on the PS4 v4.05 kernel exploit today with a release expected to arrive in coming weeks. :biggrinxf2:

This comes following the recent PS4 4.01 / 4.05 Code Execution proof-of-concept and of course the Adieu: PS4 Kernel Exploit for Firmware 4.05 documentation by the Fail0verflow Team.

Here's an excerpt from @SpecterDev via Wololo's recent interview, to quote:

Wololo: Speaking of your implementation, do you still plan on releasing it? If so, do you have a rough estimate of how far you are? What are the issues you’re dealing with when it comes to this implementation?

SpecterDev: Yes I do, I’m at that point of leaking a good object to ensure the exploit is stable. I do have a good object leaking as well as a trigger for code execution, it’s just a matter of how practical it is to implement into the exploit, which I am currently testing now. After I know the object can be used effectively in the exploit, things get much easier. I hope to get a release out soon (within the next week or so) – I’ve just been busy with real life stuff so with the exception of weekends, I don’t have a lot of time to work on the exploit during the week.

I’ll also be publishing a write-up for the kernel exploit when it is ready, in it I’ll break down how the exploit works step by step. My hope is it will not only be a nice read for security researchers interested in the PS4, but will also give those in the community without a background in infosec a bit more information on how big releases involving kernel exploits work behind the scenes. Maybe it will inspire some to look into software security where they otherwise would not have :veryhappy:

Here's looking forward to his PlayStation 4 v4.05 Kernel Exploit release in the next week or so alongside the related documentation for other PS4 developers to examine and put...
PS4 Scene Group UNLiMiTED Releases Some 1.76 Game Dumps!
It's been just over a week since the last KOTF release, but fear not as today a new PlayStation 4 scene release group known as UNLiMiTED in other scenes has stepped up to the plate kicking things up a notch releasing both DRIVECLUB and NBA 2K14 for PS4 1.76 console owners to enjoy for free! :fire:

Don't forget to share your test results and included in the PS4 NFO files HERE and HERE is their own revision of the how to play the PlayStation 4 game dumps they release, as follows to quote:

NBA.2K14.PS4-UNLiMiTED / NBA 2K14 PS4 UNLiMiTED
Code:
Release Info:

This dump was made using a FW 1.76 PS4 and the tools available at the time

While the scene and people are warming up with announcements of new exploits, coming homebrews and cool other things for the 4.XX firmwares, we wanted to show you that we were ready for the fun yet to come !

Notes: For now, in order to play our rips you will need :

— a PS4 with FW 1.76
— an original bluray game (running on your 1.76 FW PS4]
— not mandatory but recommended : an http proxy
— zecoxao's 1.1 codebase to host your own PS4—Playground [included]
— a computer to send the kernel hooks to your PS4 [socat / netcat]

How—to:

— Install Charles Proxy on your computer

— Configure your PS4 to use that proxy

— Black List connections you find suspicious to playstation.net ie:

http://deuk01.ps4.update.playstation.net:80
http://fuk01.ps4.update.playstation.net:80
https://ps4.updptl.np.community.playstation.net:443
https://ps4updptl.uk.np.community.playstation.net:443
https://ps4—static—cif.sec.np.dl.playstation.net:443
http://crepo.ww.dl.playstation.net:80
and so on

— Map the following url to your local PS4—Playground [Map Local] protocol : http
url : manuals.playstation.net
port : 80
path : /document/en/ps4/*
localpath : computer/path/to/ps4—1.1.0/PS4—playground

— Format your USB drive to exFAT

— Extract the game files to /UNLiMiTED [root of the drive and no subfolder]

— Copy the eboot.bin and the prx/sprx from Crack folder ie: game eboot will be here /UNLiMiTED/eboot.bin

— Plug your USB drive to...
PS4 4.01 / 4.05 Code Execution Support PoC by AN0NY420
Since the recent Adieu PS4 4.05 Kernel Exploit, NamedObj Strategy Overview and following the past JailBreakMe / WebKit Playgrounds today PlayStation 4 developer AN0NY420 (aka @ANONYM0US) updated the WebKit adding both 4.01 and 4.05 PS4 Firmware support! :biggrinxf2:

Download: PS4-4.0x--4.05-Code-Execution-PoC-master.zip / GIT / Live Demo

To quote from the README.md: PS4 4.0x Code Execution

This repo is specterdev's edit of the 4.0x webkit exploit released by qwertyoruiopz. The edit re-organizes, comments, and adds portability across 3.50 - 4.07 (3.50, 3.55, 3.70, 4.00, 4.01, 4.05 and of course 4.06/4.07).

The commenting and reorganization was mostly for my own learning experience, however hopefully others can find these comments helpful and build on them or even fix them if I've made mistakes. The exploit is much more stable than FireKaku and sets up the foundation for running basic ROP chains and returns to normal execution. Credit for the exploit goes completely to qwertyoruiopz.

Organization

Files in order by name alphabetically;
  • expl.js - Contains the heart of the exploit and establishes a read/write primitive.
  • gadgets.js - Contains gadget maps and function stub maps for a variety of firmwares. Which map is used is determined in the post-exploitation phase.
  • index.html - The main page for the exploit. Launches the exploit and contains post-exploitation stuff, as well as output and code execution.
  • rop.js - Contains the ROP framework modified from Qwerty's original exploit as well as the array in which module base addresses are held and gadget addresses are calculated.
  • syscalls.js - Contains a system call map for...
PS4 NamedObj Kernel Exploit Strategy Overview by SpecterDev
Yesterday we saw disclosure of a 4.05 PS4 Kexec, and combined with a Userland Exploit like JailbreakMe PS4 4.0x WebKit RCE the PlayStation 4 scene is eagerly awaiting a public PlayStation 4 Jailbreak for Firmware 4.05 to surface. :D

In the meantime, since Porting JailBreakMe and Breaking Down PS4 4.0x WebKit Exploit PlayStation 4 developer @SpecterDev shared on Twitter a PS4 NamedObj kernel exploit strategy overview of the 4.05 Kernel Exploit that Fail0verflow released. :ninja:

To quote from the NamedObj Kernel Exploit Overview.md:

Introduction

So fail0verflow released a writeup today on the namedobj exploit. I and a few others have had this exploit for some time but did not release as we received help indirectly from f0f, so it was not entirely ours to release. Now that it is out however, I'd like to talk about it as it is a really interesting exploit.

Below is not going to be a full write-up, but more of a framework or strategy that those who are interested can use to try to implement this kernel exploit. In due time I will release my implementation after I've edited non-burned components out of the exploit.

The Bug

So the bug is essentially type confusion with the 'kind' field of the 'id_entry' object used in named objects. Named objects are objects that have properties associated to them (such as a name as you might have guessed), that points to the real object in the heap. By specifying a type 0x5000 for your object, you can cause type confusion.

You now need to find another area of the kernel that can abuse to corrupt your object. Luckily, there is sys_mdbg_service(). This will allow you to...
Back
Top