PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 19, 2017 at 1:31 AM
Status
Not open for further replies.
Recently Volodymyr Pikhur has been working on a PS4 IPL AES + HMAC Key Recovery Project with help from nedos, using a Verilog design on an FPGA (Field-Programmable Gate Array) to detect the IPL (Initial Program Load) read and trigger a capture board.

PlayStation 4 hardware guys that favor FPGAs, including @Chaos Kid, will definitely take interest in this project, and here's to hoping we see some more on it in the future!

Below are some related Tweets from vpikhur, including the demo video, alongside some fresh PS4 memes for developers:

Download: 175devkitipldecryptedbytwoconsoles.7z (259.92 KB)
Turns out the "debug key" that is used to hash "debug" firmwares from SMU effectively works on ALL retail versions of the PS4 smu firmware as well (the one on the wiki). Which means things are about to become VERY interesting...
this is the key
SMU HMAC Key (System Management Unit)
Code:
4D7E73210B677A832B9F293B496E7C3E
no, but you can probably dump your own keys/fuses with SMU code execution
the issue during all these years was, of course, endianness... book the endianness, to hell with it. anyway, now it's confirmed that the SMU key is potentially useful to run nasty code, provided that there is a way to reset available
Some more info
SMU is very privileged in PS4, not so privileged in PS5
samu has several keys, not just one. smu has only one used to hash the smu firmware. you can use this key to craft a payload, inject it together with its hash in smu firmware x86 memory, then reset smu and have some fun things happening
Why tho, people thinking it's about SAMU? But it's not like SMU is not a fairly well-known term, it'll come up what it is right away on a quick search :p
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since it's based on LM32 architecture features, while Zen and later switched to Xtensa cores for their SMUs.
  • amd-lm32-smu-exploit - Generic exploit for all version 7 (maybe others) LM32-based AMD SMUs used in APUs (and probably works on GPUs too)
I don't own an Xbox One and haven't tested there. PS4's APU/SMU has some oddities that prevent this attack in its current form (or I'm just making a stupid mistake somewhere).
PS4 only
write to smu's registers; in theory, if we achieve code exec, we can use it to read our per-console and master keys
no. the private keys are never in the console. they also were never in ps3 and psp consoles, even though they were calculated due to sony's massive fail
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There's not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it's a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.
From what I've heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP's security model already done:
seems smurw doesn't write the shellcode on ps4 to the sram... sadge :(
i get this instead of the actual shellcode that's supposed to be written:
Code:
reading shellcode memory
3f120: 2888842D
3f124: 7244062E
3f128: FEB2AF3E
3f12c: 75EF0559
3f130: 183AC358
3f134: F4B0B100
3f138: FC8C79BC
3f13c: 997EF94E
3f140: 34A92D80
3f144: 1C834C80
3f148: BF9A9BF9
3f14c: BFFEBB97
the exploits we have are useless against it
[Image: PS4 IPL AES + HMAC Key Recovery Project Demo by Vpikhur]

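The tweets above turn on one design point: the SMU bootrom checks its firmware with an HMAC, so the same key that verifies an image also produces a valid tag for any image, and once that key is extracted (or, as noted above, turns out to be shared across all retail versions) the check no longer proves who built the firmware. The Go model below is an added example, not code from the thread or from any of the projects it mentions; the hash function, image format and key value are assumptions, not the real SMU scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// Toy model, not the real SMU image format: the firmware is an opaque blob and
// the boot ROM accepts it only if the appended tag checks out.

// hmacTag computes HMAC-SHA256 over the image with the key burned into the ROM.
func hmacTag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// hmacAccepts is the ROM-side check: same shared key, same computation.
func hmacAccepts(key, image, tag []byte) bool {
	return hmac.Equal(hmacTag(key, image), tag)
}

// sigAccepts is a ROM-side check that holds only a public key.
func sigAccepts(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, image, sig)
}

// demo reports whether each verifier accepts a tampered image when the other
// side knows everything the ROM holds (HMAC: the key; signature: the pubkey).
func demo() (hmacAccepted, sigAccepted bool) {
	romKey := []byte("constructed-placeholder-key-not-the-real-one")
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	original := []byte("SMU firmware (constructed blob)")
	tampered := append(append([]byte{}, original...), " + injected stub"...)
	// Whoever dumped the shared key can recompute a valid tag for any image.
	hmacAccepted = hmacAccepts(romKey, tampered, hmacTag(romKey, tampered))
	// Knowing only the public key, the best one has is the signature over the
	// original bytes, which does not cover the modified image.
	sigAccepted = sigAccepts(pub, tampered, ed25519.Sign(priv, original))
	return hmacAccepted, sigAccepted
}

func main() {
	h, s := demo()
	println("HMAC ROM accepts tampered image:", h, "| signature ROM accepts:", s)
}
```

The contrast is the whole point: a symmetric verifier can only ever tell "someone with the key made this", which is why a dumped or shared HMAC key collapses the firmware check, whereas a public-key verifier in ROM gives up nothing useful when it is read out.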
Comments

Awwww man, sadly the Blade didn't enter the ps4-scene ...
Would have been soooo fun :) - Damn it
 
i pray they are never any cfw nor backup loaders for anyone above 1.76 what WE dont need is CHILDREN WITH OMGHAX ONLINE screw each one of you ignorant pillocks look what you done to the ps3 scene online ruined it for everyone i hope who ever releases any jailbreak of cfw gets the maximum penalty and spends years in jail stupid nuggets have no need for any such thing even now days
 
i pray they are never any cfw nor backup loaders for anyone above 1.76 what WE dont need is CHILDREN WITH OMGHAX ONLINE screw each one of you ignorant pillocks look what you done to the ps3 scene online ruined it for everyone i hope who ever releases any jailbreak of cfw gets the maximum penalty and spends years in jail stupid nuggets have no need for any such thing even now days

Relax, dude. Posting a wall of text without any punctuation isn't going to make you less childish than those whom you complained about ^_^
 
There are a few things I wanna say. First I wanna ask: if this works and is real, then we will be real, real close to CFW, right?

Ok, that aside, what I really wanna say. For those who call things fake... Ok, I get it, you're pissed, you're disappointed, you're desperate, you're frustrated. Yeah, I really, really get it. I am one of those thousands or even millions of people who want CFW to be ready so they can go to the store and buy the console ASAP. Who wouldn't want to, after learning this awesome console gets its CFW after years of waiting? To the point that any news makes you jump from your seat, only to want to break your screen and smash the a-hole's face for posting fake bullsh!t? Yeah, I get all of that.

But let me say something: just dubbing everything as "fake" without any modicum or sample of genuine evidence, knowledge or verifiable information that can truly prove that whatever is presented is "fake", you're not helping anybody, you're informing nobody, and you're not improving things for anybody. All you're doing is sowing chaos and confusion, and spreading even more frustration on top of all the above, since it leaves users, especially those ignorant of technical aspects, like me and likely many others, doubting anything and everything without any ounce of reason to.

It is fine to be skeptical, it is fine to be on the defensive, but what isn't fine is to start misinformative, trolling agendas for the simple sake of either: a) venting anger, b) being a smartass, or c) following the masses. If you wanna play the "smart dude" for pointing out the fakes, then be a "smart dude" in proving the fakes the way it should be done: with evidence, with information and, if possible, with the opinion of relevant experts on the subject.

If you can't, then simply STFU; you're not being any smarter for barking "fake" at every photo, video or tweet, you're just being obedient cattle following the whims of the internet trolls and nothing else.
 
i pray they are never any cfw nor backup loaders for anyone above 1.76 what WE dont need is CHILDREN WITH OMGHAX ONLINE screw each one of you ignorant pillocks look what you done to the ps3 scene online ruined it for everyone i hope who ever releases any jailbreak of cfw gets the maximum penalty and spends years in jail stupid nuggets have no need for any such thing even now days
You are a rare kind of idiot...
 
Yes, I can't afford games in my country, they cost 8000TK, you wouldn't know that, would you? You have stated your opinion and it's fine, just don't go around being rude to everyone else. No offense intended.
 