PSXHAX.COM website and domain for sale. Contact Us with your offer!
PS4 WebKit Exploit Test for Use-After-Free (CVE-2021-30858) Vulnerability
As testing the previous Use-After-Free vulnerability (CVE-2021-1879) didn't favor the PlayStation 4 Scene, developer @Al Azif on Twitter retweeted another Use-After-Free vulnerability (CVE-2021-30858) by Anonymous via maddiestone that @Nazky on Twitter added to Github to try with PS4 WebKit revisions up to the most recent PS4 Firmware 9.00 in hopes of another userland entry point for Future PS4 Jailbreaking or improving the current PS4JB2 jailbreak exploit's stability. :geek:
Code:
THIS SITE IS A TEST FOR THE WEBKIT VULNERABILITY FOR THE PS4
CLICK OK
IF YOU DON'T SEE ANY 'API PATCHED' ERROR OR 'MEMORY ERROR'
ALERT OR ANY ERROR ALERT THAT'S MEAN IT'S NOT PATCH
Proof-of-Concept code of CVE-2021-30858 via maddiestone (Google Security Researcher):
Code:
var fontFace1 = new FontFace("font1", "", {});
var fontFaceSet = new FontFaceSet([fontFace1]);
fontFace1.family = "font2";

🍻 Cheers to...
PS4 CR0.WP Protection Kernel Security Bypass Detailed via CelesteBlue
In PS4Scene news this weekend, recently developer @CelesteBlue (Github / Twitter) detailed a PS4 CR0.WP Protection (Write Protect) Kernel Security Bypass applicable since at least PS4 OFW 6.51 on the PSDevWiki working exploits page. 🤩

This comes proceeding the PS4 Jailbreak 2 updates, latest GoldHEN v1.1 release, PS4 Synacktiv Presentation SSTIC 2021 Recap, PS4 / PS5 SMAP Bypass by m00nbsd and new PS4 Fake PKGs (FPKGs) for those interested.

Below are the technical details for scene devs from PSDevWiki.com, as follows: CR0.WP protection

At least since firmware 6.51 Sony instrumented all instructions that write to the CR0 register with checks for attempts to clear CR0.WP (Write Protect), which is necessary for patching the kernel. This is what it looks like in 6.51 kernel:
Code:
a1b79:       0f 22 c0                mov    cr0,rax
a1b7c:       48 a9 00 00 01 00       test   rax,0x10000
a1b82:       75 02                   jne    a1b86 <-- skip the next instruction if CR0.WP is not cleared
a1b84:       0f 0b                   ud2    <-- #UD exception, causes a kernel panic
a1b86:       c3                      ret
Note that the check is after the write, to prevent a ROP gadget from pointing straight at the mov and skipping the verification.

Bypasses (in chronological order):
  • Use...
You Got a Trophy: Jailbroken PS4 Synacktiv Presentation at SSTIC 2021
Proceeding the Talos WebSocket Vulnerability, their Pwners PS4 WebKit Exploit, the Synacktiv PS4 WebKit Port Fork with resulting PS4 WebKit / Kernel Exploit, the PS5 SMAP Bypass Vulnerability and this weekend's PS4 & PS5 Dev Kit Leaks 😍 security researchers abu_y0ussef and 0xdagger of Synacktiv recently held a You got a Trophy: Jailbroken PS4 presentation at SSTIC 2021 recapping their PS4Scene findings (PDF File / GIT) first unveiled at Black Hat Europe 2020 that includes a 3rd closing slide commenting on a Tweet by @sleirsgoevy (Twitter). 🐣

From the Presentation Page is a brief description, to quote roughly translated: You got a trophy: Jailbroken PS4 - Mehdi Talbi, Quentin Meffre on June 02, 2021 at 2:45 p.m. - 30 min.

The PlayStation 4 browser is arguably the most targeted attack surface for a console jailbreak. However, the hardening techniques enjoyed by current browsers coupled with the lack of debugging capability make it difficult to exploit bugs on the latest PS4 firmware.

This presentation details the...
GoldHEN v1.1 by SiSTR0 with PS4 7.55, 7.51, 7.50, 7.0X, 6.72 and 5.05 Payloads!
Following the initial release, today @Joonie made available to the PS4Scene via Twitter GoldHEN v1.1 by SiSTR0 featuring improved system performance (stability and FTP service) with FW 7.50 and 7.51 officially supported now... including PS4 7.55, 7.51, 7.50, 7.0X, 6.72 and 5.05 Payloads! 😍

Download: GoldHEN_v1.1.7z (32 KB - includes goldhen_1.1_755.bin, goldhen_1.1_751.bin, goldhen_1.1_750.bin, goldhen_1.1_702.bin, goldhen_1.1_672.bin and goldhen_1.1_505.bin) / 7.5x Live Demo / 6.72 Live Demo / 5.05 Live Demo via ps3120 / Al Azif's DNS with GoldHEN 1.1 / PS4 Official Firmware (OFW) Archives

To use, after Exploiting Your PS4 Console simply send the payload using the tools and following the guides all linked HERE in the article.

:alert: If you haven't read our stance on clone host menus do it now, spammers get banned from the forums as scene devs already confirmed the exploit code used is the same.

From the included README.md: # GoldHEN - PS4 Homebrew Enabler
Code:
```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  _________________  .____  ________    ___ ______________ _______
/  _____________...
PS4 Syscon Read-Write Helper for System Controller Dumps via Egycnq
Proceeding the PS4 Syscon NVS Dumps, PS4 Syscon Aux Hax, PS4 Syscon Firmware Decrypter, PS4 SysGlitch Tool with SysCon Pinout, PS4 Syscon Loader and PS4 / PS5 Unlimited Gameshare Method Patched recently @egycnq shared on Github a PS4 Syscon Read-Write Helper for System Controller Dumps Python script via Twitter for those seeking to dump, validate and convert their PlayStation 4 Syscon to Motorola s28 format for RL78 flashing without any external tools. :geek:

Download: SysconV1.py / Ps4-Syscon-Read-Write-Helper-main.zip / GIT / PS4 Syscon Research & Development Repository / PS4 Syscon Firmware Dumps Archive
Code:
# *************************************************************************
# Syscon.py - Read-Write Ps4 Syscon helper Script
# You can use this script to read Sony Ps4 syscon and validate it also produce 512kb firmware after that.
# You Still need stock RL78 for flashing the firmware.
# special thanks to VVildCard777 - Fail0verflow - droogie - juansbeck -Zecoxao - M4j0r - SSL - msalau
# Copyright (C) 2021 RedTeam - egycnq https://twitter.com/egycnq
# *************************************************************************
import subprocess
import filecmp
import serial
import os...
Back
Top