Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS4 Jailbreaking       Thread starter PSXHAX       Start date Dec 27, 2017 at 4:03 AM       157      
Status
Not open for further replies.
Following the Adieu PS4 Kernel Exploit and his confirmation yesterday, today the PS4 scene is LIT AS F*CK for the holidays with the RELEASE of a fully implemented kernel exploit for PS4 v4.05 Firmware by @SpecterDev via Twitter alongside a debug_settings.bin Test Payload! :tree::santa: Howbow dah, Sony? :bananaman3::bananaman13:

Download: PS4-4.05-Kernel-Exploit-master.zip / GIT / Live Demo via @01cedric / Live Demo (Mirror #2) via @0x199 / Live Demo (Mirror #3) via @Red7s / Live Demo (Mirror #4) via @tunip3 / Live Demo (Mirror #5) via @EdiTzZMoDz / debug_settings.bin (16.23 KB Test Payload)
In addition, proceeding his PS4 Package (PKG) research today PlayStation 4 developer @flatz announced on Twitter that in a few days he'll share some of his recent work so that it can be backported from 4.55 to 4.05 for use on PS4 jailbroken consoles! <3:fire:

To quote from the README.md: PS4 4.05 Kernel Exploit

Summary

In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-backups mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.

You can find fail0verflow's original write-up on the bug here, you can find my technical write-up which dives more into implementation specifics here (this is still in progress and will be published within the next few days).

Patches Included

The following patches are made by default in the kernel ROP chain:
  1. Disable kernel write protection
  2. Allow RWX (read-write-execute) memory mapping
  3. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  4. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  5. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
Notes
  • This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
  • I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
  • A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
  • An *** is not provided in this release, however a barebones one to get started with may be released at a later date.
  • I've released a sample payload here that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
Contributors

I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
:idea: If anyone is seeking the official Sony PlayStation 4 v4.05 Firmware (OFW), here are some mirrors in order to Update to a Specific PS4 Firmware: Firmware.v4.05.PS4.iNTERNAL-PS4FW
  • PS4 OFW 4.05 Download Links: Darthsternie
  • PS4 OFW 4.05 PUP MD5 Hash: 203c76c97f7be5b881dd0c77c8edf385
:arrow: Those looking to buy a PS4 v4.05 console see the update HERE for a list of bundles most likely to be on 4.05 (or lower) when in new / unopened condition.

For those that prefer to Host Your Own PS4 Webkit Exploit Page see the guide, and below is a tutorial from tunip3 on:

:note: How to Install the Debug Settings or Run Other Payloads on Your PS4 v4.0.5

This guide will not mention how to access the browser. This guide uses Specter's 4.0.5 kernel exploit. You will need to find your PS4 IP on your local network. This guide will also work for linux just replace the nc.exe with nc
Code:
nc -w 3 [ps4 ip] 9020 < debug_settings.bin
Hope everyone had a Merry Christmas! Here's the 4.05 kernel exploit, fully implemented. Enjoy! Write-up coming soon!
After @SpecterDev released his exploit, i'll prepare stuff within a couple of days, someone need to backport it from 4.55 to 4.05, not hard to do. not sure if it will be a write-up or just snippets of code, let's see
I've also uploaded a test payload you can use after the kernel exploit runs that jailbreaks and patches the kernel to allow access to debug settings, just needs to be netcatted to the loader via port 9020.
[4.05] PS4 DEBUG SETTING BY SPECTER
PS4 4.05 PKG INSTALL
Someone told me this is not working yet. That is not correct. PKG installs fine. The problem is you would need a license file to play the content. PKG must be on root of USB just like on 1.76. Exciting times....
uart enabler for 4.05 :)
Code:
uint16_t *securityFlags = (uint64_t *)(kernel_base+0x2001516); *securityFlags = *securityFlags & ~(1 << 15); *(char *)(kernel_base + 0x186b0a0) = 0;
right, i only solder 1 wire (tx on ps4) and attach gnd wire to hdd cage, then using like 5$ uart to usb i listen on arduino(serial montor). very simple.
if anyone wants to continue trying to port the exploit to 3.55 you can use this, i was as far as trying to leak a good object, rop was working etc, just specters leak could never get a suitable object for the exploit on 3.55

Download: 3.55-specterPort.7z (16.48 KB) / PS4 Entrypoint 4.05 by IDC


Download: kernel_355_jig.7z (29.90 MB) / 355_modules.7z (9.83 MB)

Big THANKS to @ArthurBishop, @hyndrid, @Nesterwork, @ombus, @UmarDaBest559 and everyone else in the PSXHAX Shoutbox for this PS4 4.05 full kernel exploit news and let the jailbreaking begin! :D
PS4 4.05 Scene LIT AF, Kernel Exploit Now Released by SpecterDev!.jpg
 

Comments

You mean... This exploit can do more than writing numbers with a pencil...?
Unfortunately there is no public way to downgrade PS4's (excluding rollback for BETA Firmware) at the moment
Is it possible to update to a beta firmware to install and play disc games that require higher firmware and then rollback to 4.05?
 
You mean... This exploit can do more than writing numbers with a pencil...?
Couldn't resist :LOL:
Spoiler
To use PS4 Beta Firmware you have to be in Sony's BETA program, but they haven't started a new one since their last this past July.

If they came out with 5.50 BETA for example, your PS4 was registered in their program and you were on 4.05 then theoretically you could update to their current 5.50 BETA for playing games that required it and then rollback to 4.05 afterwards correct.
 
If you want to play games above 1.76 you could update to 4.05 now, but if you can hold off playing 1.76+ games a bit longer it's probably safest to wait until everything is ported to 4.05 first and then update. :cool:
 
I just updated from 3.55 to 4.05. I kept my ps4 in the box just for this day. Thanks so much @SpecterDev and those who have helped him!

This seems to go unnoticed though... those of you on 4.05 will soon have to figure this part out >>"This guide will not mention how to access the browser". This is key to launching the exploit... You cannot access the browser without being signed in to psn or on the latest firmware.

Happy Holidays everyone!!!
 
This seems to go unnoticed though... those of you on 4.05 will soon have to figure this part out >>"This guide will not mention how to access the browser". This is key to launching the exploit... You cannot access the browser without being signed in to psn or on the latest firmware.
Here are some related articles from the 1.76 era, the last has a GREAT video guide although the payloads will need to be ported (soon most likely):
 
Tried and tested, updated my 3.55 as did not work on 3.55..

Get charles proxy, set http proxy port in charles+ps4 network settings and do local redirect on manule page in settings (if ps4 not activated), will redirect to exploit page if local redirect is set correct to exploit folder.. Then you run netcat nc -w 3 PS4IP 9020 < debug_settings.bin.

I will see about making a video for setting PC up, if not one already!
when load exploit index.html show just 3 points in middle page ! ..... that it's big issue, any fix ?
It should auto start exploit if setup correct!!
 
Status
Not open for further replies.
Back
Top