PSXHAX.COM website and domain for sale. Contact Us with your offer!
Fifa 15 for PS4 is Dumped and Decrypted with Precompiled Payload
Previously we reported on Decrypted PS4 Games and PKG Files, PS4 Package Updates and PS4 Tunables and now PlayStation 4 developer @zecoxao (Twitter) tweeted that Fifa 15 has been dumped and decrypted with a precompiled payload for developers available below! :thumbsupxf2:

Download: DumpFile (CUSA00722) (319.69 KB) / DumpFile (CUSA00564) (319.69 KB) / DumpFile (CUSA01110) (319.69 KB) / Fifa15_DumpFile_Payload.rar (149 KB - Mirror by Fosi of e✘treme-Modding)

According to notzecoxao, the files will the files will be output to /mnt/usb0 (rightmost port), and below are the related Tweets:

Thanks to @Figure03 for the news in the PSXHAX Shoutbox! :winkxf2:
5lipper of Chaitin Tech to Detail PS4 Hacking at Zer0Con Next Month
As we await word on the PS4 v4.50 Development Poll Results, following their ROP Tool and PS4 Kexec Syscall Implementation today PlayStation 4 developer 5lipper of Chaitin Tech was added to Zer0Con's schedule as a speaker on PS4 hacking! :notworthyxf2:

Zer0Con is a a conference for exploit developers and bug hunters that is being held April 13-14th in Seoul, Korea with registration now open through March 20th, 2017.

About Zer0Con: Zer0Con is POC’s NEW ‘CLOSED’ international security conference. It focuses on finding, analyzing, and exploiting vulnerabilities. Zer0Con aims to have high-level technical presentations but avoids the commercial ones. Zer0Con doesn’t pursue money, same as POC conference.

From the Speaker Section, to quote: PS4 Hacking

Game console is always an interesting target for hackers. Sony PlayStation 4, the most popular video game console, has sold more than 53 million units all over the world.

The last public PS4 jailbreak was targeting to version 1.76, which has been released more than two years.

However, Sony didn’t stop hardening the PS4 system. As more mitigation is introduced, PS4 jailbreaking is much more challenging.

In GeekPWN 2016, I have demonstrated booting a Linux system on latest PS4 console by exploiting multiple vulnerabilities through webkit to kernel.

In this talk, I'd like to...
PS4 IDPS / PSID Dump Code by TheoryWrong and 2much4u
Back in December we reported on the PS4 1.76 Kernel IDPS Address, and today PlayStation 4 developers @theorywrong (Twitter) with help from @2much4u (Twitter) shared some PS4 IDPS / PSID dump code for others to implement in their projects, while noting the IDPS is still missing some bytes at the end and is for 1.76 consoles. (y)

From the Pastebin, to quote:

Code:
int (*sceKernelGetIdPs)(void* ret);
int (*sceKernelGetOpenPsIdForSystem)(void* ret);

int kernel_lib = sceKernelLoadStartModule("libkernel.sprx", 0, NULL, 0, NULL, NULL);
sceKernelDlsym(kernel_lib, "sceKernelGetIdPs", &sceKernelGetIdPs);
sceKernelDlsym(kernel_lib, "sceKernelGetOpenPsIdForSystem", &sceKernelGetOpenPsIdForSystem);

void* idps = malloc(64);
void* psid = malloc(16);

sceKernelGetIdPs(idps); // Missing some byte at end
sceKernelGetOpenPsIdForSystem(psid);
From 3226:2143‏: IDPS/PSID/PSIDForSys all 16b on PS4. See kernel: FFFFFFFF82608090, FFFFFFFF82607FF0, FFFFFFFF82607F70.
a good way of searching for your console's partial idps and psid is to search for the string of bytes 2F B0 9F D1 DE 76 96 7D EB 94 7B 51 EC 82 78 1E in order to find your perconsole info (and remove it if necessary)
this is valid for all ps4 kernel dumps that contain partial idps. it's extremely useful to find the target id and spoof it to unlock extra debug features
i'm pretty sure you can't activate an offline account on older firmware

Thanks to both @HydrogenNGU and @raedoob for the heads up in the PSXHAX Shoutbox! :love:
PS4 Spoofer RTM / RTE Tool for PlayStation 4 1.76 by J0lama Coming
Following his DS4Lib 1.0 DualShock 4 USB Linux Library, today PlayStation 4 developer @j0lama announced on Twitter that a PS4 Spoofer RTM / RTE Tool is coming soon for 1.76 console owners! :love:

Previously we saw a PS4 1.76 Permanent Internet Browser Mod Payload, a PS4 Permanent Version Spoof and a PS4 1.76 Version String Spoof to stop the PlayStation 4 console from nagging to update.

As zecoxao notes though, the PKG Keys are different to change the Minimum Required Firmware for PS4 Games and you'll also need to spoof index.dat and X-Passphrase for PSN access.

That said, a PS4 Spoofer RTM / RTE Tool would be welcomed by PlayStation 4 1.76 developers as @Thisismrnameles mentioned on Twitter he was working on a spoof via payload, except every time the console restarted you would have to do it again.

:arrow: PS4 Real Time Memory Editor for Linux on Retail Consoles by J0lama

Thanks to @raedoob for passing along the news tip in the PSXHAX Shoutbox! (y)
PS4 Dev: Linux Kernel CVE-2017-6074 DCCP Double-Free Vulnerability
While most are still digesting the impact of #CloudBleed, @aimaim dropped by the PSXHAX Shoutbox this morning and shared news of this CVE-2017-6074 Linux Kernel DCCP double-free local root vulnerability (Proof-of-Concept by xairy) with us today! :ninja:

As was done with CVE-2016-1885, here's to hoping some more PlayStation 4 developers take a peek at it and see what possibilities (if any) it may present.

Until then, some quick observations in the PSXHAX Shoutbox from @xxmcvapourxx:
From @VultraAID:
  • that DLClose is for IPV6_RECVPKTINFO
  • nothing to do with a kernel, if i say
And a follow-up from @xxmcvapourxx:
  • no its kmalloc
  • you just need web crash find that memory
  • then find the offsets for vtable and gadgets
It was recently fixed on February 17, 2017, and to quote from the CVE-2017-6074: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

Hi, This is an announcement about CVE-2017-6074 [1] which is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged processes.

Fixed on Feb 17, 2017:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

The oldest version that was checked is 2.6.18 (Sep 2006), which is vulnerable. However, the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).

The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern...
Back
Top