PSXHAX.COM website and domain for sale. Contact Us with your offer!
CTurt Updates to 4.06, Specter Porting Qwertyoruiopz's PS4 Exploit to 3.55
With Easter on the way things are definitely hoppin in the PS4 hacking scene, and following confirmation of PS4 4.50 Kernel R/W Access and his recent updates PlayStation 4 developer @CTurt sent word on Twitter that he's updated from 1.76 to 4.06 OFW (Official Firmware) to test out the recent JailbreakMe PS4 4.0x exploit! :extremelyhappy:

When asked by @flex0 why he didn't take the plunge to 4.07 instead of going only to 4.06 @CTurt replied with the following explanation, to quote:

"4.06 is the version Luca is on, and I wanted to test out his stuff. 4.07 has the same bugs though."

In related news, following the PS4 HENkaku Exploit for 3.55 OFW, FireKaku PS4 3.15 / 3.50 Ports, his PS4 Playground (WIP) for Firmware 3.55 and PS4 3.55 Syscalls PlayStation 4 developer @SpecterDev announced on Twitter he's currently working on converting Qwertyoruiopz's exploit to 3.55. :thumbup:

Here are some of the related Tweets for those following along:

:stop: Once again, if you are not on Sony's latest PlayStation 4 Firmware 4.50 already it's...
PS4 Jailbreaker Qwertyoruiopz Confirms 4.50 Kernel Read / Write Access!
Last week PlayStation 4 developer qwertyoruiopz made available a JailbreakMe PS4 4.0x Webkit exploit for OFW 3.55 through 4.07, and over this weekend he received an invite from the Rebug Team while sharing progress updates leading to confirmation of a 0day 4.50 kernel exploit obtaining R/W (Read / Write) access! :love:

His latest JailbreakMe PS4 4.0x (Mirror via @X41) update states the exploit supports all non-4.50 Firmware, but specifically targets 4.06 currently due to ROP gadgets being hardcoded.

To recap, those on PS4 1.76 Firmware were able to make use of the Kernel Exploit Source Code that progressed to a PS4 BadIRET PoC finally leading to the 1.76 PS4 Dlclose Exploit.

For those on PS4 Firmware 4.07 or below you can use the JailbreakMe PS4 4.0x Exploit to gain userland access, and users on System Software 4.50 can rest assured a 0day 4.50 kernel exploit also exists although there is no user-level entry point for 4.50 OFW reported publicly as of yet.

Also keep in mind PlayStation 4 scene developers may decide to hold off disclosing the 0day PS4 4.50 kernel exploit much like the PS4 Pro 0day Exploit that...
PS4 NIDs and PS3 NIDs Added to Hashcat Bruteforcer by Jarveson
Following the PS3 FNIDS Python Scripts by PlayStation developer @zecoxao, today he let us know on Twitter that jarveson added PS4 NIDs and PS3 NIDs to his Hashcat bruteforcer password recovery utility. :winkxf2:

Download: Hashcat v3.40 / PS4 NIDs / PS3 NIDs

Intended for developers, the NIDs can be used with the attack tool to determine PlayStation 4 and PlayStation 3 System Firmware function names.

From the README.md: hashcat

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms.

hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and OSX, and has facilities to help enable distributed password cracking.

PS4 NIDs

include/interface.h
Code:
@@ -1761,6 +1761,7 @@ int filezilla_server_parse_hash   (u8 *input_buf, u32 input_len, hash_t *hash_bu
 int netbsd_sha1crypt_parse_hash   (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED const hashconfig_t *hashconfig);
 int atlassian_parse_hash          (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED const hashconfig_t *hashconfig);
 int ps3_nid_parse_hash            (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED const hashconfig_t *hashconfig);
+int ps4_nid_parse_hash            (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED const hashconfig_t *hashconfig);
 
 /**
  * hook functions
src/interface.c
Code:
@@ -240,6 +240,7 @@ static const char HT_14900[] = "Skip32";
 static const char HT_15000[] = "FileZilla Server >= 0.9.55";
 static const char HT_15100[] = "Juniper/NetBSD sha1crypt";
 static const char HT_16110[] = "PS3 Function NIDs";
+static const char HT_16111[] = "PS4 Function NIDs";
 static const char HT_99999[] = "Plaintext";
 
 static const char HT_00011[] = "Joomla < 2.5.18"...
JailbreakMe PS4 4.0x: PS4 4.0x WebKit RCE Exploit by Qwertyoruiopz!
Following the PS4 Playground for Firmware 3.55 and PS4 3.55 File Browser, today PlayStation 4 developer qwertyoruiopz made available a PS4 4.0x WebKit RCE Exploit dubbed JailbreakMe PS4 4.0x with details via Twitter below! :biggrinxf2:

PS4 Link (click go 3 times): http://rce.party/ps4/ / local rce.rar (3 KB) via Nesterwork / Local RCE v2.rar (6 KB) via Nesterwork / Local rce v3.rar (12 KB) via Nesterwork

According to the developer's Tweets below, the bug used is a stack uninit read yielding UaF and the actual exploit does nothing but give you read/write/infoleak arbitrary JS object primitives.

He also confirmed the exploit won't work on PS4 4.50 as Sony updated WebKit past a vulnerable version unfortunately, but it's still an entry point for those on PlayStation 4 OFW 3.55 through 4.07. :thumbsupxf2:

C8MRP_eXkAAwFYE.jpgThat said, if you give it a try on a PlayStation 4 under 4.50 and receive a ffff000000000539 error prompt it's expected output for the exploit's success.

Spoiler: Related Twitter Tweets
PS4 Real Time Memory Editor for Linux on Retail Consoles by J0lama
Since his previous updates and with help from PlayStation 4 developer @theorywrong, today @j0lama let us know on his Blog of his PS4 Real Time Memory Editor for Linux on PlayStation 4 retail consoles! :lovexf2:

Download: PS4-Real-Time-Memory-Editor-master.zip / GIT

From the README.md: PS4-Real-Time-Memory-Editor

Introduction

PS4 Real Time Memory Editor for Linux for retail consoles.

Read/Write in a game memory to create mods like PS3 with tmapi and ccapi.

This version a little demo.

I will improve the system with a graphic interface and the possibility of read and write arrays. I will release a windows/linux library to work with this easily.

Thanks to TheoryWrong for answer my noob questions.

And from j0lama's WebSite to quote, roughly translated: #Real Time Memory Editor (Retail PS4)

Description

My main goal in PS4 was to develop a system that would allow me to edit the memory of the games that are running on the PS4 in order to be able to create modifications of the games and to cheat them.

This system is very similar to the one used in PS3 (ps3tmapi is the method used by the debug or ccapi consoles, developed by Enstone and allows to edit the memory of the games in retail consoles).

The system that I show you today is based on the call to the system ptrace and that in the PS4 corresponds to the syscall 26.

The system runs through the exploit of WebKit published by cTurt and allows random execution of codido.

Once we get code execution on the system, we raise privileges with the exploit dlclose discovered by cTurt and published by kR105. It is important to note that while the thread that raises privileges is running, there is a moment in which the direct writing in memory is activated that besides being used by the exploit also the use to disable Address Space Layout Randomization (ASLR), which is a method Which implement modern operating systems to "randomize" the memory zone where a process begins when it is...
Back
Top