Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Aug 14, 2016 at 7:47 PM       17,712       24            
Just over a week back we reported on the 3.55 PS4 HENkaku Exploit, and since then PlayStation 4 developer Fire30 has been updating Github with FireKaku PS4 ports for both 3.15 and 3.50 Firmware as well. :D

Download: PS4-3.55-Code-Execution-PoC-master.zip / GIT / WhiteOverfl0w GIT

From the ReadMe file: PS4 3.55 Code Execution:

This repo contains a PoC for getting code execution on ps4's with firmware version 3.55 (Now with support for 3.15 and 3.50).

It uses the same webkit vulnerability as the henkaku project. So far there is basic ROP working and returning to normal execution is included.

I have also included some helper methods to make researching a tad easier. Currently the documentation is pretty poor but I will be updating it over time.

Usage:

You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run:
Code:
python fakedns.py -c dns.conf
then
Code:
python server.py
Debug output will come from this process.

Navigate to the User's Guide page on the PS4 and information about the exploit and all loaded modules should be printed out. This is an example of what running it will look like: https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8

If you want to try the socket test to work. Change the IP address at the bottom of ps4sploit.html to your computers and run a command such as netcat -l 0.0.0.0 8989 -v. You should see something like:
Code:
Listening on [0.0.0.0] (family 0, port 8989)
Connection from [192.168.1.72] port 8989 [tcp/sunwebadmins] accepted (family 2, sport 59389)
Hello From a PS4!
There are a few notes:
  • The exploit is not 100% reliable currently. It is more like 80% which is good enough for our purposes. So if it does not work on first try, try a few more times. Also doing to much allocating after the sort() is called can make it more unstable.
  • The process will crash after the rop is done executing.
  • This is really only useful for researchers. There are many many more steps needed before this will be useful to normal users.
Acknowledgements:

xyz - Much of the code is based off of his code used for the henkaku project
Anonymous contributor - WebKit vulnerability PoC
CTurt - I basically copied his JuSt-ROP idea
xerpi - Used his idea for the socket code
rck`d - Finding bugs such as not allocating any space for a stack on function calls Maxton - 3.50 support and various cleanup Thunder07 - 3.15 support

Contributing:

The code currently is a bit of a mess, so if you have any improvements feel free to send a pull request or make an issue. Also I am perfectly fine if you want to fork and create your own project.

Thanks to @Jeff in the PSXHAX.COM Shoutbox for the heads-up! :)
HENkaku PS4 Exploit.jpg

FireKaku PS4.jpg
 

Comments

STLcardsWS

Member
Contributor
LOL, not really anything i would consider exciting.

3.55 its already ported and it needs a kernel exploit to go along with it to be useful. So porting the HENkaku portion to lower firmwares makes little sense if any. Considering there nothing useful on those newly ported firmwares. Then, if an kernel exploit arises it would be for all current firmwares as Sony has no way of patching the unknown. So 3.55 would be the firmware to then exploit. Would make no sense to port to a lower firmware ...
 

PSXHAX

Staff Member
Moderator
Contributor
Verified
Most likely they are trying to get it working on as low of PS4 Firmware as possible, so those (including devs) who do update from their PS4 1.76 (or below) OFW to use it won't have to go all the way to Sony's latest 3.55 that includes more stability (aka security) fixes than previous versions. ;)
 

STLcardsWS

Member
Contributor
Most likely they are trying to get it working on as low of PS4 Firmware as possible, so those (including devs) who do update from their PS4 1.76 (or below) OFW to use it won't have to go all the way to Sony's latest 3.55 that includes more stability (aka security) fixes than previous versions. ;)
LOL, not likely that is the case at all.
 

PSXHAX

Staff Member
Moderator
Contributor
Verified
LOL, not likely that is the case at all.
Why else are developers backporting the HENkaku exploit?

They're investing time and effort for a reason (DUH)... so what is your opinion on why, if not the reason I gave? :p

Then, if an kernel exploit arises it would be for all current firmwares as Sony has no way of patching the unknown. So 3.55 would be the firmware to then exploit. Would make no sense to port to a lower firmware ...
This isn't completely accurate either, as PlayStation 4 kernel and user level exploits have been found, reported and patched internally at Sony throughout PS4 Firmware revisions... not only public exploits get patched, the majority discovered never even make it to the public's eyes before Sony puts the kibosh on them :D

So, for example, if Sony patched a kernel exploit in 3.50 then it would still be present in 3.15 for devs or anyone else who hasn't been tempted to update beyond 3.15 yet since HENkaku can be ran from it :)
 
Recent Articles
PS4 Kernel Fixup Script for IDA 7.0-7.2 Released by SocraticBliss
Following his PS4 Kernel Loaders and PS4 Name 2 NID Plugin, PlayStation 4 scene dev @SocraticBliss (Twitter) made available a PS4 Kernel Fixup Python Script (ps4_kernel_fixup.py) he's currently...
PlayStation Store Black Friday 2019 PSN Sale Begins Today!
We've seen the PlayStation Black Friday & Cyber Monday 2019 hardware deals, and today Sony unveiled their Black Friday 2019 PSN discounts offering savings up to 40% off on select PlayStation Store...
PlayStation VR Game Releases for the Holiday Season and Early 2020
With a PS VR 5-Game Bundle for $199 available this holiday season and Lost Ember by Mooneye Studios arriving today, here are some upcoming PlayStation VR game releases through early 2020 that...
Sony PS4 / PS3 Blu-ray Disc Drive Internals & Security by Oct0xor at 36c3
Last year they covered Exploiting PS4 Video Apps, and at the 36th annual Chaos Communication Congress (36c3) from December 27th to the 30th 2019 in Leipzig Germany scene developer @Octopus (aka...
Top