Join Us and become a Member for a Verified Badge on Discord to access private areas with the latest PS4 FPKGs.
PS4 Jailbreaking       Thread starter PSXHAX       Start date Oct 29, 2016 at 12:45 AM       7,344       5      
Following the Chaitin Tech PS4 ROP Tool, 5lipper recently added PlayStation 4 Kaslr (Kernel Address Space Layout Randomization) 3.55, 4.00 and 4.01 Firmware support in fail0verflow's PS4 Kexec GIT. :pumpkin:

While that was done a few days ago and mentioned by @Fimo among others in the Shoutbox and on Twitter (below), today @RazorMC shared some additional details from the GIT via Hydrogen at NGU, to quote:

Hello NextGenUpdate, yesterday, a user named 5lipper, has now added extra support for kaslr on PS4 for firmwares: 3.55, 4.00, and 4.01. If you find it interesting, and useful. They have added it onto fail0verflow's PS4 Kexec GitHub.

To find it and use it, click here: Fail0verflow's PS4 Kexec GitHub

@@ -1,11 +1,8 @@
-CFLAGS := -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \
+CFLAGS += -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \
     -fPIC -fomit-frame-pointer -nostdlib -nostdinc \
     -fno-asynchronous-unwind-tables \
-    -Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic $(DO_NOT_REMAP_RWX)
+    -Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic
 SOURCES := kernel.c kexec.c linux_boot.c linux_thunk.S uart.c firmware.c
@@ -34,6 +34,14 @@ You may pass something other than NULL as `early_printf`. In that case, that
 function will be used for debug output during early symbol resolution, before
 printf is available.
+Since PS4 3.55(?), KASLR(Kernel Address Space Layout Randomization) is
+enabled by default, symtab also disappears in newer kernel, we have to
+hardcode offsets for some symbols. Currently we use the `early_printf`
+given by user to caculate the base address of kernel, then relocate all the
+symbols from the kernel base. You could enable this feature like this:
+    make CFLAG='-DPS4_4_00 -DKASLR -DNO_SYMTAB'
 If you do not want to call the syscall from userspace, you can pass the address
 of a function pointer as `sys_kexec_ptr`. `kexec_init` will write to it the
 address of `sys_kexec`, so you can invoke it manually (see kexec.h for
@@ -109,7 +109,7 @@ ssize_t firmware_extract(void *dest)
     u8 *p = dest;
     // Yeah, this calls it Starsha... Liverpool, Starsha, ThebeJ, whatever.
-    struct fw_info_t *info = kernel_resolve("Starsha_UcodeInfo");
+    struct fw_info_t *info = kern.Starsha_UcodeInfo;
     if (!info) {
         kern.printf("firmware_extract: Could not locate firmware table");
         return -1;
There's a lot more, but overall they are all there posted go check it out!

Kaslr 3.55, 4.00 & 4.01 by 5lipper in Fail0verflow PS4 Kexec GIT.png



Senior Member
So, if he did that, he must have something unpublic otherwise, how could he know that it works? So, he must have a working exploit :D, am I right?


Staff Member
Well, if I'm not mistaken 5lipper is from the Chaitin Tech team so that would explain how he was able to update f0f's GIT with it.

Meaning... we're still back to square one of figuring the rest out :LOL:


I am hopeful that something has been found the last days are really usable. for now have to wait and try to help a little :)
Pd: By the way, thanks for the mentíon @PSXHAX


Senior Member
So, if he did that, he must have something unpublic otherwise, how could he know that it works? So, he must have a working exploit :D, am I right?
That's why I did that spreadsheet yesterday, we have to read betweens the lines, I put a "?" about FailOverFlow: