PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Aug 7, 2017 at 2:49 AM
Following his PS3 OFW PSID Dump Tool Tutorial and his recent d0 / d1 PDB file findings, PlayStation 3 developer @esc0rtd3w (Twitter) has set up some new work-in-progress GitHub forks for a PS3 WebKitSploit and a PS3 Playground port. :ninja:

Download: ps3-webkitsploit-master.zip / PS3 WebKitSploit GIT / ps3-playground-master.zip / PS3 Playground GIT / Websploit.org / PS3 Playground Test Page / PS3 Webkit POC / PlayStation 3 Browser Investigation

The PS3 WebKitSploit is based on original PS4 code from Cryptogenic and qwertyoruiopz, focusing on PS3 3.xx / 4.xx code execution, while the PS3 Playground WebKit exploit port is based on CTurt's and Cryptogenic's PS4 code. :ninja:

From the README.md file, to quote:

PS3 Playground

A collection of PS3 tools and experiments using the WebKit, Flash, and other options.
We are only testing on firmware 4.81 at the moment.

THIS REPO IS FOR THE PUBLIC PS3 COMMUNITY TO EXPLORE AND TEST ON THEIR OWN

OUR TEAM IS CURRENTLY WORKING ON THIS PROJECT PRIVATELY AND WILL UPDATE WHEN FINISHED!

FOR A LIVE DEMO WITH PUBLIC TESTS TO TRY OUT, PLEASE VISIT: http://www.websploit.org/ps3/ps3-playground/test/

There are a lot of files here for reference and exploration.

Once more testing has been done, these will be cleaned up over time.

CREDITS:

Inspired by original work from CTurt (https://github.com/CTurt/PS4-playground/) and Cryptogenic (https://github.com/Cryptogenic/PS4-Playground-3.55)

Original (outdated) information:
If anyone can lend him a hand on Github that would be much appreciated, and cheers to @B7U3 C50SS, @Bultra and @spyro2670 for the heads-up in the PSXHAX Shoutbox earlier today! :beer:
[Image: PS3 WebKitSploit and PS3 Playground WIP Github Forks by Esc0rtd3w]
 

Comments

Jeez, I'm just going to say, if you're stupid enough to leave auto update on your PS3 you should not be on this forum, because if you don't update the exploit will still work. Use your brains, people. I mean seriously, I know it's hard and all, but stop and think about what you're saying.
With that said, hi guys :D
 
Esc0rtd3w, it's been a while. Any progress worth mentioning? Also, I really hope you publish this soon, because any minute now Sony will release a patch update for your WebKit, as they know all the entry points and how to patch them. And I am not talking out of my ass: I have a friend that works with Sony, and they are making an update. He said they finished it and they just have to improve a couple of things, so I hope you release this soon before they patch it. Thanks.
They know all the entry points, so please don't say anything if you don't know anything about the PS3 system. If they patch the entry point, then his exploit code won't do crap.
so the false flag planting worked? haha ;)

Remember, we have more than 60 entry points in the private WebKit testing page, as well as several other undisclosed system vulnerabilities. The public testing page is just that, public, for the community to test entry points on their own... just sayin' :ninja:

If they make a patch or two in a firmware update for WebKit, it won't matter; our code will still be usable.

That's a good joke... They can't patch anything if they don't know what code Esc0rtd3w and his team wrote.
:D

We are still working on it... have been busy with life stuff :eek:
 
Good to know that no matter what Sony does, it won't even matter.
 
I'm super new here and just got finished reading probably 80 pages' worth of comments. That being said, glad to see work on this is going.

If you end up getting things going, I'll be glad to throw myself to the wind and help out any way I can.
 
If $ony miraculously does fix all the bugs in a new update, this will actually be a good thing in the end, as we can have all the new patches on CFW as well. That being said... turn off auto updates :poop:
 
Did you consider another doorway, perhaps through the hardware design of the 3k/4k models, in regards to hardware glitching?

https://www.blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf

https://rdist.root.org/2007/05/24/hardware-design-and-glitch-attacks/

George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

His approach is clever and is known as a “glitching attack”. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to setup the RAM to give a higher likelihood of success than it would first appear.

100 memory clock cycles is about 50 MHz, give or take. If you take into account the actual hardware used in his attack, you will find there's lots to do.

For reference, the actual article: https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/
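As an added illustration of the pulse logic the quoted article describes (this is not code from the thread, from esc0rtd3w's repos, or from geohot's hack), here is a one-shot glitch pulse generator in Verilog. The 100 MHz FPGA clock (so 4 cycles = 40 ns), the active-low pushbutton, the pin names and the pulse polarity (driving the bus line low) are all assumptions; the only thing taken from the article is "40 ns pulse, triggered by a pushbutton, driven onto a single memory-bus line".

```verilog
// Added example, not the original page's code. Assumptions: 100 MHz clk,
// active-low pushbutton on btn_n, glitch_pin wired to one memory-bus line.
// The line is driven low for PULSE_CYCLES clocks and is high-Z otherwise,
// so the FPGA never fights the bus except during the glitch itself.
module glitch_oneshot #(
    parameter integer PULSE_CYCLES = 4      // 4 x 10 ns = 40 ns at 100 MHz (assumed)
) (
    input  wire clk,        // 100 MHz FPGA clock (assumed)
    input  wire rst_n,      // active-low reset
    input  wire btn_n,      // active-low pushbutton (assumed)
    inout  wire glitch_pin  // single memory-bus line; high-Z when idle
);
    // Two-flop synchronizer: the button is asynchronous to clk. Note this
    // is also why the trigger is "extremely imprecise" relative to the
    // target's memory traffic; the software side has to make any hit useful.
    reg [1:0] btn_sync;
    always @(posedge clk or negedge rst_n)
        if (!rst_n) btn_sync <= 2'b11;
        else        btn_sync <= {btn_sync[0], btn_n};

    // Debounce: the button level must be stable for 2^17 cycles (~1.3 ms)
    // before it is accepted, so one physical press yields one trigger.
    reg [16:0] dbnc_cnt;
    reg        btn_stable, btn_stable_d;
    always @(posedge clk or negedge rst_n)
        if (!rst_n) begin
            dbnc_cnt     <= 17'd0;
            btn_stable   <= 1'b1;
            btn_stable_d <= 1'b1;
        end else begin
            btn_stable_d <= btn_stable;
            if (btn_sync[1] == btn_stable)
                dbnc_cnt <= 17'd0;              // no change pending
            else if (&dbnc_cnt) begin           // stable long enough: accept
                dbnc_cnt   <= 17'd0;
                btn_stable <= btn_sync[1];
            end else
                dbnc_cnt <= dbnc_cnt + 17'd1;
        end
    wire trigger = btn_stable_d & ~btn_stable;  // falling edge = press

    // Pulse counter: load PULSE_CYCLES on a press, count down to zero.
    // A press while a pulse is already running is ignored.
    reg [$clog2(PULSE_CYCLES + 1) - 1:0] pulse_cnt;
    always @(posedge clk or negedge rst_n)
        if (!rst_n)                          pulse_cnt <= 0;
        else if (trigger && pulse_cnt == 0)  pulse_cnt <= PULSE_CYCLES;
        else if (pulse_cnt != 0)             pulse_cnt <= pulse_cnt - 1;

    wire active = (pulse_cnt != 0);
    assign glitch_pin = active ? 1'b0 : 1'bz;  // drive low during the pulse only
endmodule
```

The pulse width is exact (it is counted in FPGA clocks), but the moment it lands is not: the press is asynchronous and debounced, so the pulse hits an arbitrary point in the target's memory activity. That matches the article's point that the attack works by repetition plus software that prepares RAM so that a randomly-placed hit is likely to corrupt something useful, rather than by precise timing.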
 
Oh, there is still life in the RGH dog yet. Wonder if that spare TX board would be usable with a mod, lol.
 
Depends what you want to do. Many ways in. You can dump games/keys at runtime.

What geohot used is around 50 MHz to send the pulse for the glitch attack. The HW itself is a fine piece.

Be picky with boards; it makes life easier. And when dealing with low-voltage sh1t, it's better to do things right the first time than end up with a paperweight.
 
They kind of screwed themselves adding a Data Transfer Utility. Now, if you explored dumping sh1t like IDPS and FTP capabilities...

Play around a bit, as you can dump way more than that using DTU alone, with 2 consoles to pull it off.

Nice little bridged connection over the TCP/IP stack. Just thought I would make you aware of that.
 
A glitch attack would need a custom glitching board because of the fact the PS3 doesn't have SPI... also, you're going to have to find the points, like for CPU reset... anyway, too much work; easier just buying a jailbreakable model.
 