PS4 Jailbreaking thread, started by PSXHAX on Jun 19, 2017 at 1:31 AM
Status: Not open for further replies.
Recently Volodymyr Pikhur (vpikhur) has been working on a PS4 IPL AES + HMAC key recovery project, with help from nedos, using an FPGA (Field-Programmable Gate Array) programmed in Verilog to detect the IPL (Initial Program Load) read and trigger a capture board. :ninja:

PlayStation 4 hardware guys who favor FPGAs, including @Chaos Kid, will definitely take interest in this project; here's hoping we see more on it in the future! <3

Below are some related Tweets from vpikhur including the demo video alongside some fresh PS4 MEMEs for developers:

Download: 175devkitipldecryptedbytwoconsoles.7z (259.92 KB)
Turns out the "debug key" that is used to hash "debug" firmwares from SMU effectively works on ALL retail versions of the PS4 smu firmware as well (the one on the wiki). Which means things are about to become VERY interesting...
this is the key
SMU HMAC Key (System Management Unit)
Code:
4D7E73210B677A832B9F293B496E7C3E
no, but you can probably dump your own keys/fuses with SMU code execution
the issue during all these years was, of course, endianness... book the endianness, to hell with it. anyway, now it's confirmed that the SMU key is potentially useful to run nasty code, provided that there is a way to reset available
Some more info
SMU is very privileged in PS4, not so privileged in PS5
samu has several keys, not just one. smu has only one used to hash the smu firmware. you can use this key to craft a payload, inject it together with its hash in smu firmware x86 memory, then reset smu and have some fun things happening
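An added example of what "craft a payload, inject it together with its hash" amounts to in practice: tag a firmware body under the posted key, and check a dumped image under each candidate digest and byte order before concluding the key is wrong. This is not code from the thread, from vpikhur, or from any tool named on this page. The page only says "HMAC"; the hash algorithm, the body-followed-by-tag layout and the word-swap step are assumptions, and the payload bytes are constructed placeholders.

```python
"""Tag and verify an SMU firmware body with the HMAC key posted above.

Added example; it is not code from the thread, from vpikhur, or from any
tool named on this page. Assumptions not stated on the page: the hash used
with the key (the page says only "HMAC"), the container layout (body
followed by the raw tag) and the byte order the hashing core sees.
"""
import hashlib
import hmac
import struct

# Key exactly as posted in the thread.
SMU_HMAC_KEY = bytes.fromhex("4D7E73210B677A832B9F293B496E7C3E")

# Candidate digests to try against a known-good image (assumption: the page
# does not name the hash).
DIGESTS = ("sha1", "sha256", "md5")


def smu_tag(body: bytes, digest: str = "sha1", key: bytes = SMU_HMAC_KEY) -> bytes:
    """HMAC of the firmware body under the leaked key."""
    return hmac.new(key, body, digest).digest()


def swap32(data: bytes) -> bytes:
    """Byte-swap every 32-bit word: the endianness trap the thread mentions."""
    if len(data) % 4:
        raise ValueError("need a whole number of 32-bit words")
    n = len(data) // 4
    return struct.pack("<%dI" % n, *struct.unpack(">%dI" % n, data))


def build_image(payload: bytes, digest: str = "sha1", swapped: bool = False) -> bytes:
    """Assumed container: payload bytes as stored, followed by the tag.

    The tag is computed over the body as the hashing core would see it:
    the raw bytes, or the word-swapped bytes when `swapped` is set.
    """
    body = swap32(payload) if swapped else payload
    return payload + smu_tag(body, digest)


def verify_image(image: bytes, digest: str = "sha1", swapped: bool = False) -> bool:
    """Split image into body || tag and recompute the tag under one variant."""
    tag_len = hashlib.new(digest).digest_size
    if len(image) <= tag_len:
        return False
    body, tag = image[:-tag_len], image[-tag_len:]
    if swapped:
        if len(body) % 4:
            return False
        body = swap32(body)
    return hmac.compare_digest(smu_tag(body, digest), tag)


def identify_variant(image: bytes):
    """Try each digest in both byte orders; return the first pair that verifies.

    Run this over a dumped, known-good SMU image before blaming the key:
    a wrong byte order looks exactly like a wrong key.
    """
    for digest in DIGESTS:
        for swapped in (False, True):
            if verify_image(image, digest, swapped):
                return digest, swapped
    return None


if __name__ == "__main__":
    # Constructed stand-in for a payload; not real SMU code.
    payload = bytes(range(64))
    image = build_image(payload, "sha1", swapped=True)
    print("tag:", image[-20:].hex())
    print("variant:", identify_variant(image))
```

The useful direction is the reverse of the demo: feed `identify_variant` a firmware image dumped from the console and see which (digest, byte order) pair verifies under the posted key; only once a known-good image verifies does tagging your own payload with the same pair mean anything.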
Why tho, people thinking it's about SAMU? But it's not like SMU is not a fairly well-known term, it'll come up what it is right away on a quick search :p
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since it's based on LM32 architecture features, while Zen and later switched to Xtensa cores for their SMUs.
  • amd-lm32-smu-exploit - Generic exploit for all version 7 (maybe others) LM32-based AMD SMUs used in APUs (and probably works on GPUs too)
I don’t own an Xbox One and haven’t tested there. PS4’s APU/SMU has some oddities that prevents this attack in its current form (or I’m just making a stupid mistake somewhere).
PS4 only
write to SMU's registers, in theory, if we achieve code exec, we can use it to read our per-console and master keys
no. the private keys are never in the console. they also were never in ps3 and psp consoles, even though they were calculated due to sony's massive fail
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There's not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it's a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.
From what I've heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP's security model already done:
seems smurw doesn't write the shellcode on ps4 to the sram... sadge :(
I get this instead of the actual shellcode that's supposed to be written:
Code:
reading shellcode memory
3f120: 2888842D
3f124: 7244062E
3f128: FEB2AF3E
3f12c: 75EF0559
3f130: 183AC358
3f134: F4B0B100
3f138: FC8C79BC
3f13c: 997EF94E
3f140: 34A92D80
3f144: 1C834C80
3f148: BF9A9BF9
3f14c: BFFEBB97
the exploits we have are useless against it
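The read-back above is the check a practitioner wants to automate: diff what came back against what was meant to be written, and tell an ignored write apart from one that landed byte-swapped. The following is an added example, not the thread's `smurw` tool or any code from its author. The dump text is the read-back posted above; the expected words are constructed placeholders, not real SMU shellcode.

```python
"""Check whether shellcode written through a memory-write primitive actually
landed, by diffing a read-back dump against the words you meant to write.

Added example, not the thread's `smurw` tool or any code from its author.
The dump text below is the read-back posted in the thread; the expected
words are constructed placeholders, not real SMU shellcode.
"""
import re

# Read-back as posted above (lines of "addr: WORD").
POSTED_DUMP = """\
reading shellcode memory
3f120: 2888842D
3f124: 7244062E
3f128: FEB2AF3E
3f12c: 75EF0559
3f130: 183AC358
3f134: F4B0B100
3f138: FC8C79BC
3f13c: 997EF94E
3f140: 34A92D80
3f144: 1C834C80
3f148: BF9A9BF9
3f14c: BFFEBB97
"""

# Constructed: twelve placeholder words standing in for the shellcode that
# should have been written at 0x3f120.
SHELLCODE_BASE = 0x3F120
EXPECTED_WORDS = [0xDEAD0000 + i for i in range(12)]

_LINE = re.compile(r"^\s*([0-9a-fA-F]+):\s*([0-9a-fA-F]{8})\s*$")


def parse_dump(text: str) -> dict:
    """Map address -> 32-bit word for every 'addr: WORD' line; skip the rest."""
    words = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            words[int(m.group(1), 16)] = int(m.group(2), 16)
    return words


def bswap32(w: int) -> int:
    """Reverse the byte order of one 32-bit word."""
    return int.from_bytes((w & 0xFFFFFFFF).to_bytes(4, "big"), "little")


def check_writeback(expected, base: int, dump: dict) -> dict:
    """Compare expected words with the dump at base, base+4, ...

    Counts matches in the written order and in byte-swapped order, so a
    write that landed with the wrong endianness is distinguished from a
    write that was ignored entirely (every word still foreign).
    """
    raw = swapped = 0
    missing = []
    mismatches = []
    for i, want in enumerate(expected):
        addr = base + 4 * i
        if addr not in dump:
            missing.append(addr)
            continue
        got = dump[addr]
        if got == want:
            raw += 1
        elif got == bswap32(want):
            swapped += 1
        else:
            mismatches.append((addr, want, got))
    total = len(expected)
    if raw == total:
        verdict = "written"
    elif swapped == total:
        verdict = "written byte-swapped"
    elif raw == 0 and swapped == 0:
        verdict = "not written"
    else:
        verdict = "partially written"
    return {"verdict": verdict, "raw": raw, "swapped": swapped,
            "total": total, "missing": missing, "mismatches": mismatches}


def render_dump(words, base: int, swap: bool = False) -> str:
    """Produce dump text in the posted format from a list of words, so a
    second read-back can be diffed against the first with the same parser."""
    lines = []
    for i, w in enumerate(words):
        v = bswap32(w) if swap else w
        lines.append("%x: %08X" % (base + 4 * i, v))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = check_writeback(EXPECTED_WORDS, SHELLCODE_BASE, parse_dump(POSTED_DUMP))
    print(result["verdict"], result)
```

A "not written" verdict with zero raw and zero swapped matches means the primitive never reached that SRAM range, which is the situation the post describes; a "written byte-swapped" verdict would instead point at the same endianness confusion discussed earlier in the thread.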
PS4 IPL AES + HMAC Key Recovery Project Demo by Vpikhur (image)
 

Comments

where does it say "downgrade" <--- seriously, that is such a poor question

READ "PS4 IPL AES + HMAC key recovery" <---- It's to retrieve keys using an FPGA, a project he's been working on.....

go and tweet to him and ask "WILL THIS LEAD TO CFW", I know @UmarDaBest559 you will find out your answer.....
 
Some other MEME tweets today for PS4 devs:

From Paste.Ubuntu.com:
Code:
<118>   getuid returns:0
<118>   getgid returns:0
<118>   getpid returns:20
<118>   [+] PID  0  NAME:                    kernel  THREAD:  ffs_trim taskq
<118>   [+] PID  1  NAME:                    minila  THREAD:          minila
<118>   [+] PID  2  NAME:              eap_watchdog  THREAD:    eap_watchdog
<118>   [-] PID  3 ----------------------------------------------------->    no process on this pid
<118>   [+] PID  4  NAME:                  xpt_thrd  THREAD:        xpt_thrd
<118>   [+] PID  5  NAME:                       md0  THREAD:             md0
<118>   [+] PID  6  NAME:                       md1  THREAD:             md1
<118>   [+] PID  7  NAME:                       md2  THREAD:             md2
<118>   [+] PID  8  NAME:                 trsw intr  THREAD:       trsw intr
<118>   [+] PID  9  NAME:                 trsw ctrl  THREAD:       trsw ctrl
<118>   [+] PID 10  NAME:                      idle  THREAD:            idle
<118>   [+] PID 11  NAME:                      intr  THREAD:   intr10: xhci1
<118>   [+] PID 12  NAME:                  ng_queue  THREAD:       ng_queue0
<118>   [+] PID 13  NAME:                      geom  THREAD:          g_down
<118>   [+] PID 14  NAME:                       usb  THREAD:          usbus1
<118>   [+] PID 15  NAME:                pagedaemon  THREAD:      pagedaemon
<118>   [+] PID 16  NAME:                  pagezero  THREAD:        pagezero
<118>   [+] PID 17  NAME:                 bufdaemon  THREAD:       bufdaemon
<118>   [+] PID 18  NAME:                    syncer  THREAD:          syncer
<118>   [+] PID 19  NAME:                     vnlru  THREAD:           vnlru
<118>   [+] PID 20  NAME:            SceEapCore.elf  THREAD:  SceEapCore.elf
 