PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 18, 2015 at 1:02 AM
Following the PS4 Kernel Exploit, today PlayStation 4 developer CTurt announced he plans to completely stop further PS4 research.

This news comes just prior to him sharing an article outlining PS4 kernel exploitation earlier today here: Hacking the PS4, Part 3 / Kernel Exploit for 1.76 / PS4-BadIRET (Private Repo)

From IRC:
[Delevler] hello all
[yifanlu] hello
[Delevler] Came here to ask if the ps4 kernel exploit is some real threat or just some patched old firmware garbage?
[yifanlu] "threat" to whom?
[yifanlu] to sony, it's a real threat
[yifanlu] because it allows hackers to decrypt stuff and reverse it
[yifanlu] but yes, it's been patched since 2.x
[Delevler] so the person who recently said that he has "jailbraken" the ps4 just wanted to get famous or what
[yifanlu] I mean of course. we all know CTurt, right ;)
[Delevler] oh he is here in chat , didnt notice
[CTurt] I am such an attention female dog
[CTurt] I hate it
[yifanlu] lol
[CTurt] I need to behave myself
[yifanlu] but yeah, it's useful for us devs but not really to any users
[Delevler] heh sorry i didn't want to offend you but I just couldnt find appropriate words how to say it
[Delevler] I know it opens a new gate for the devs but I wanted to know if it's something like the ps3 jailbreak
[yifanlu] badiret has been patched in freebsd for a while now. they forgot to post a security advisory so sony never ported the changes
[yifanlu] which is funny because sony chose to fork an old freebsd version and manually put patches in
[yifanlu] I mean yeah sure, you can run backup games if you can get it working
[hykem] You can decrypt anything but no keys though, guess we could call it a jailbreak without the k and add it a d for decryption
[hykem] Jailbread
[yifanlu] yum
[yifanlu] I mean that's pretty much the case on 3ds too
[yifanlu] we get a nice black box for decryption
[hykem] Yeah, but 3DS's jailbread is tastier
[HelsAngel] and fully 3d
[hykem] :p
[hykem] Anyway, with the current hardware crypto solutions, this will probably be the common case in the future
[hykem] Extracting keys of any kind has become much more difficult
[Delevler] quantum computers?
[Delevler] heh
[darkfader] NSA advisory: stick with current algorithms :)
[yifanlu] buzzword: sidechannel
[hykem] Side-channel attacks do quite well in some scenarios. Like that acoustic probing that led to RSA leakage
[hykem] leakage eavesdrop*
[yifanlu] sidechannel is a bit more difficult on SoCs though, but nothing like a good challenge
[yifanlu] if we can find which pin powers the crypto engine (and not too many other things), I can probably get you the 3ds keys
[CTurt] am I the only one who doesn't really care about encryption?
[yifanlu] for me, I consider getting the embedded keys as the ultimate flag
[yifanlu] once that's captured, we own the system completely
[yifanlu] so I always set that as my goal
[Delevler] wait i dont get it
[Delevler] can someone explain me how does all this work
[yifanlu] what part lol
[Delevler] to run for example a backup copy we need a key that is encrypted am i right
[hykem] yifanlu: My goal is the same, embedded keys are the last stage
[yifanlu] [1:01pm] hykem: You can decrypt anything but no keys though, guess we could call it a jailbreak without the k and add it a d for decryption
[yifanlu] that's your answer
[hykem] Would be nice to see a successful hardware attack on the 3DS
[hykem] Always been interested in its hw crypto
[hykem] CTurt: Crypto is always the master challenge. It's fun to tear a system to pieces
[flatz] heh, my interest is crypto too :)
[Delevler] brb
[CTurt] crypto is boring
[flatz] nah
[CTurt] the same algorithms everyone uses
[darkfader] disassembling then?
[flatz] but you need to reverse formats too
[yifanlu] yet... everyone seems to get it wrong
[flatz] also, obfuscation, etc
[yifanlu] although I wouldn't call finding the keys crypto. that's more system security
[darkfader] NIDs? ;)
[flatz] nids is known for about 1.5 years
[flatz] boring :)
[flatz] yeah, yifanlu, you're right. so system security is my goal
[flatz] which includes keys, proprietary formats and other algorithms
[yifanlu] dat pfs
[CTurt] sceSblSsDecryptSealedKey banter
[hykem] Yeah, system security is a better description. Crypto itself is a collection of widely used and accepted algorithms
[flatz] however sony likes to use custom algos too :)
[flatz] compression, encryption
[rck`d] picking the right tool for the job. Sometimes. :p
[yifanlu] although crypto itself is pretty fun to do. Bleichenbacher's RSA attack is one of my favorite attacks since it exploits both the implementation and the scheme itself
[hykem] flatz: True. A lot of other companies love to do this too. For some reason they always think they do it better
[hykem] yifanlu: Indeed. Once in a while we get see gems like that
[hykem] get to see*
[yifanlu] ugh. you guys didn't have to deal with azlr compression yet on ps4?
[flatz] just use qemu
[rck`d] never heard of that one, but I've dealt with plenty of terrible or strange compression schemes with researching games
[flatz] yifanlu, it is LZRA
[flatz] similar to LZRC
[flatz] which was used in ps3
[hykem] Hate those custom compression algos
[yifanlu] it did have a hint of LZ in it
[hykem] Had to reverse 2 different ones in the past
[flatz] yes, you can find hykem tools
[flatz] which works on LZRC
[flatz] but LZRA seems to be older
[yifanlu] wait, did you have to deal with weird bit flippings after decompression? is that part of the scheme?
[hykem] Sony's custom algos are filled with hacks
[hykem] That's why you get to see those weird bit flips
[flatz] hykem, do you have links to your sources?
[hykem] Most of them were part of the EDGE platform they manage
[flatz] i've lost urls
[flatz] i was too lazy to reverse the algo, so i've just used qemu xD
[flatz] and it works
[hykem] LZRC (tpunix implemented it): https://github.com/Hykem/sign_np/blob/master/tlzrc.c
[hykem] UNK LZ: https://github.com/Hykem/psxtract/blob/master/Linux/lz.c
[hykem] UNK LZ: https://github.com/Hykem/make_npdata/blob/master/Linux/lz.c
[flatz] nice thx :)
[hykem] make_npdata is the PS3 one
[hykem] No prob :)
[yifanlu] cool
[hykem] psxtract uses an older one
[hykem] From the PSP age
[hykem] Could be LZRA, but they keep messing with this stuff
[flatz] unfortunately nope, they're not working on LZRA but have similar
[flatz] things
[flatz] i don't think porting it to LZRA will be hard
[hykem] Probably not. I recall they had one version of it that was optimized for the PS3's SPU and then had another unused one
[CTurt] does anyone know what firmware GTA 5 needs?
[CTurt] I need a game that needs an update higher than 1.76, but not too high
[Delevler] can i ask you guys one more question
[Delevler] every game has a different or the same one
[flatz] CTurt, if you have param.sfo, you can check there
[Joonie] let me check param.sof
[Joonie] sfo*
[NiceShot] but isnt param.sfo inside encrypted packages? Can we decrypt psn pkgs?
[Joonie] no it's outside the pkg
[NiceShot] how do you get it, cause when I install ps4 games over proxy I only get the pkg files
[NiceShot] oh, wait with webkit you can grab them after installed right?
[NiceShot] if so forget what I am saying
[Joonie] http://www.mediafire.com/download/28bbt4jzwx2wxdp/PARAM.SFO
[NiceShot] cause the only other way to grab param.sfo from discs is with special bluray drive
[Joonie] 1.76
[Joonie] 00007601000076
[Joonie] CUSA00419
[flatz] NiceShot, sfo is stored on the disc
[Joonie] it's x:/BD/param.sfo
[Joonie] without it it wouldn't recognize disc
[Joonie] http://www.mediafire.com/download/waiw4y2w4jfwmw9/rif
[Joonie] UP1004-CUSA00419_00-GTAVDIGITALDOWNL.
[Joonie] https://store.playstation.com/#!/en-us/games/grand-theft-auto-v/cid=UP1004-CUSA00419_00-GTAVDIGITALDOWNL
[Joonie] guess RIF key is the same for PSN version too
[flatz] i doubt :)
[Joonie] hmm
[Joonie] so then the same pkg but diff rif keys?
[flatz] are you sure pkg is the same?
[CTurt] does anyone know of a game that contains 2.00 update?
[Joonie] the name is the same
[Joonie] UP1004-CUSA00419_00-GTAVDIGITALDOWNL.
[flatz] well, if pkg is the same then rif key should be the same too
[Joonie] this is what's found in the disc
[Joonie] :)
[Joonie] that's what I assume flatz
[flatz] CTurt, why do you need it?
[flatz] you can just install patch xD
[CTurt] well, I need to be able to test it...
[flatz] try with 1.76 game first
[CTurt] ok
[Joonie] diablo3 has 1.71
[Joonie] CUSA00242
[Joonie] UP0002-CUSA00242_00-D3ULTIMATEEVIL00
[Joonie] https://store.playstation.com/#!/en-us/games/diablo-iii-reaper-of-souls-ultimate-evil-edition/cid=UP0002-CUSA00242_00-D3ULTIMATEEVIL00
[Joonie] the same name as one on PSN store too
[Joonie] http://www.ps3devwiki.com/ps4/1.710.000
[Joonie] hash matched
[Joonie] 1.71
[Joonie] let me check sleeping dogs and witcher3
[Joonie] sleeping dogs has 1.75
[Joonie] 00007501000075
[Joonie] UP0082-CUSA01111_00-0000SLEEPINGDOGS
[Joonie] https://store.playstation.com/#!/en-us/games/sleeping-dogs-definitive-edition/cid=UP0082-CUSA01111_00-0000SLEEPINGDOGS
[Joonie] also the same name on psnstore
[Tyrant_] UP4497-CUSA00527_00-0000000000000002
[CTurt] I want a game that has 2.00
[CTurt] or above
[Joonie] oh my ps4 just came in
[Joonie] hoping 1.01
[Joonie] :)
[HelsAngel] mgs5 is 2.51
[Joonie] checking witcher3 now
[Joonie] ugg
[Joonie] something seems changed
[Joonie] maybe 2.04?
[Joonie] hmm
[Joonie] http://www.mediafire.com/download/wtcaxllk9ozwb9q/param.sfo
[flatz] yes 2.04
[Joonie] let me open my box heheh
[flatz] <changes app_ver="01.05">
[flatz] <![CDATA[
[flatz] - Gold will no longer reset beyond 65535
[flatz] lol
[flatz] from witcher
[Joonie] Flatz
[Joonie] it's 3D:)
[Joonie] mfc December 2013
[Joonie] let me turn it on
[yifanlu] in b4 1.77
[yifanlu] first ever
[Tyrant_] 3.56 xD
[flatz] oh nice
[CTurt] 2.04 is a good firmware - but I don't want witcher 3
[Joonie] 1.05
[Joonie] xD
[Joonie] def not the launch edition
[Joonie] mine came with 1.01
[Joonie] in fact it was missing psn plus trial code
[Joonie] that when I knew it wasn't the launch edition
[Joonie] xD
[CTurt] does anyone know what fw FIFA 15 comes with?
[CTurt] because it is cheap
[flatz] congrats, Joonie
[Joonie] http://www.mediafire.com/convkey/8470/r9y9rcfk6zi39rpzg.jpg
[Joonie] Thanks z :)
[CTurt] anyone know what firmware borderlands comes with?
[hp-_] ps4 vita bundles which launched 2013 cant have sold good enough for them to restock with new fw :p
[hp-_] But they are expensive
[CTurt] No, I am looking for a disc with an update of firmware 2.00 - 2.03
[CTurt] preferably either a good game, or a cheap one
[Tyrant_] UP1001-CUSA01401_00-BORDERLANDSHDCOL Borderlands: The Handsome Collection
[hairo23] Download Link is no help I guess?
[hairo23] for FW 2.00 - 2.03
[Fox00] hi
[yifanlu] hi
[Fox00] They need some ps4 to test'm from Argentina. if I can help in something. I have basic knowledge in programming and I am advanced welding.
[Fox00] How is everything yifanlu
[naehrwert] !op
[naehrwert] plz :D
[naehrwert] woo
[naehrwert] better
[CTurt] I want to change the title!
[CTurt] no fair
[naehrwert] well now that you've insulted crypto..
[roberto26] .hello. anyone Can send me a guide To jailbreak ps4?
[yifanlu] nope
[yifanlu] there isn't one
[roberto26] exists any Hack?
[yifanlu] not publically
[roberto26] ok
[roberto26] Can you help me?
[yifanlu] with what?
[roberto26] Modding My ps4 with cfw
[yifanlu] there does not exist a cfw
[mysis] yes, you take out the ps4 hdd, put it into the computer...then run cmd with: format c:
[roberto26] I fo
[Al3x_10m] hahaaaha
[mysis] 100% means jailbroken.
[Joonie] lmao..
[xboner] too bad format c: wouldnt work, since the ps4 isnt ntfs or fat, and its ext4
[xboner] now if you did diskpart delete volumenumber
[xboner] that would work
[saidelik-] anyone has hint to where buy PS4 with 1.76 fw?
[guepe] look at wololo
[kastor81] Sony is taking away from the sale
[saidelik-] guepe: any direct link? otherwise i'll browse the forum
[saidelike] wololo.net/2015/12/14/ps4-how-to-get-your-hands-on-a-ps4-with-a-firmware-below-1-76/ (if anyone else interested)
[thexyz] now all these idiots will empty ps4 <= 1.76 stocks so that actual devs won't be able to buy them
[rck`d] heh, I've had a 1.76 ps4 since launch
[rck`d] or rather, I've kept one aside
[ZiL0G80] my was 1.05 as i remember now 1.76 :)
[CTurt] yay
[CTurt] http://cturt.github.io/ps4-3.html
[thexyz] that's super nice, CTurt
[thexyz] do you think it's ok to share though it'll probably enable backups in 3,2,1..?
[CTurt] I did not share any code
[CTurt] or the offset required to get it working
[CTurt] or even a full example of just getting code execution
[CTurt] it is just an article about kernel exploitation, more generally for FreeBSD
[CTurt] it would be a lot of work for someone to get the exploit working, just from the info I posted
[thexyz] hmm
[thexyz] did you get any job offers?
[CTurt] lol
[CTurt] no
[CTurt] a job would be cool though!
[thexyz] well you might add a email or something, i'm not sure if it'd work but usually these articles get to the top of hackernews and netsec/reverseengineering subreddits
[CTurt] na
[CTurt] I will do it later
[thexyz] but then sony also might sue you because they're dicks
[CTurt] well, it is always a concern
[CTurt] but I didn't post any PoC code
[CTurt] and removed a lot of details about private PS4 info
[CTurt] it is mostly just about FreeBSD exploitation
[CTurt] all they would be doing is confirming that my claims are legi
[CTurt] t
[egg] nice i knew that your next post will be #3 ps4 article :D ill go read it now :D tnx
[HelsAngel] thats a pretty cool read CTurt
[kastor81] we are surprised every day CTurt
[kastor81] good job!
[andoma] indeed
[ZiL0G80] CTurt: hehe your writeup give me some info which i need to finish my badiret exploit (probably), good work thanks :)
[CTurt] you got it working on FreeBSD first?
[xerpi] I agree, nice writeup, but I'm not understanding something here:
[xerpi] mov rax, gs:0 ; rax = *gs (td)
[xerpi] inc dword [rax+0x3cc] ; td->td_critnest++;
[xerpi] isn't this *(gs+0x3cc) instead of (*gs)+0x3cc ?
[thexyz] gs:0 is (*gs)
[xerpi] so mov rax, gs:0 is performing a load?
[thexyz] yes
[xerpi] like this mov rax, [gs:0] ?
[ZiL0G80] CTurt: i have crash now
[thexyz] like mov rax, [gs + 0]
[xerpi] * mov rax, (gs:0)
[thexyz] it's just different syntax. also you don't know the value of gs
[xerpi] thexyz, makes sense now, weird syntax
[xerpi] I thought mov rax, gs:0 == lea rax, (gs:0)
[thexyz] nope it's a load
[thexyz] not sure what kind of syntax you're using though
[xerpi] ok, thanks :)
[thexyz] oh best part is you don't know the value of 'gs' (where it points to)
[thexyz] so for example you can't do a read from gs:0 from within gdb
[thexyz] on linux
[xerpi] I guess the kernel changes it each time it does a userspace context switch, to make it point to the thread private area
[CTurt] I'm feeling very paranoid right now
[CTurt] just deleted all of my emails
[CTurt] time to get off the internet!
[thexyz] eh i don't think sony would hire a hitman~
[HelsAngel] yet
[flatz] ofc, jail is the solution :)
[kastor81] Flatz think anybody will ever get out of a CFW ps4?
[flatz] nah
[flatz] i don't think a regular user would take a benefit from that
[flatz] it's just useful for a developer
[thexyz] having kodi on ps4 would be great though
[kastor81] It is but the developer can also be done with a PC :)
[kastor81] the ps4 is to play :)
[flatz] nah, i meant ps4 specific things
[flatz] security, etc
[kastor81] surely it is good to find out what mounts ps4
[kastor81] However Sony has just thank the dev, because sales were up :)
[HelsAngel] sony says thanks with lawyers and lawsuits
[ZiL0G80] cturt left ps4 scene twitter.com/CTurtE/status/677613979750019072
[egg] there is also new article Kernel exploit for 1.76 https://cturt.github.io/articles.html but is nothing
there https://github.com/CTurt/PS4-BadIRET
[ZiL0G80] its private repo
[egg] and flatz and two more are not in thanks anymore https://cturt.github.io/ps4-3.html
[HelsAngel] what does that tweet say ZiL0G80? i dont use twitter and thats private now only to followers
[egg] http://hackinformer.com/wp-content/uploads/2015/12/cturt-ps4.png
[egg] he decided that he will completely stop with any further ps4 research
[HelsAngel] wow
[HelsAngel] that sucks
[egg] why
[HelsAngel] you gonna take over where he stopped?
[HelsAngel] he was the only one sharing it this openly
[rw] nah i'd rather just sit around and talk crap about him. that'll show him! =D
[flatz] egg, it's not safe to be in the list :)
[unknown__] he at least released a great writeup about the exploit in part 3 of his exploit series
[unknown__] does anyone know if he expands on this
[unknown__] "With the help of flatz, I've been able to leverage ROP to setup memory in such a way that I can write my own code into it, and execute it."

Comments

I've read the whole story.. did he... chicken out? Omg. From the looks of it he's being scared. well he has every reason to be. his friends have to fix this situation. good god. x)
 
You didn't get ready for use exploit and that is the reason that CTurt was scared?:D He explained much more than needed for later progress.
 
dude.. he said.. he was deleting all of his emails if you read it again. and he was getting paranoid he even said it himself!! wth.. i know he'll come back eventually if he didn't already.
read the post. again and tell me that he doesn't seem like he was acting paranoid to you. he sure seemed like he was acting paranoid. agreed @pauline45 ?
 
It's a risk as a developer we all take for being part of a hacking community, but he also could have received threats as well. We don't always know the whole story of what's going on behind closed doors.
 
who knows if he is paranoid or not :cool:but why delete emails and such maybe big bro watching his links
 
They have been watching us the whole time; nothing has changed in that respect, but I can't blame them with their new baby and making huge profit off these units.
 
Wow, he just was done. I guess he didn't feel right.
When there is a hole in security like that and it wasn't about condoning backups, I honestly can't blame him. He didn't want to take the blame for a release that ended up condoning backups; that kinda puts you in a bad boat.
 
There will always be security issues on everything no matter how good it is. It just takes the right person knowing how to exploit it. The Vita has one, the PS4 has one, so does the Xbox One. It doesn't take rocket science, but it does take someone more than experienced to know how it works.

This is the stuff usually experienced devs know, not just average programmers, as most can only access small portions where experienced devs can see holes right through security.

Most of this stuff relies on mathematic equations and science. Finding security holes is easy; where the mathematic equation fits in, that's tough. I was on Google and found the new security measures that are gonna be used, which look tough to crack, but the reality is nothing is tough, but don't make it easy either.
Sure Linux cracks holes through anything, but you can apply cracks over top using their own security measures against itself, but this takes a great knowledge and understanding of how the security is being used, then the cracking begins.
 