Category PS4 Jailbreaking       Thread starter mcmrc1       Start date Dec 30, 2015 at 2:06 PM       8,081       33            
Status
Not open for further replies.
Following their recent updates, today PlayStation 4 hackers fail0verflow revealed Linux on PS4 running a Pokemon demo video from the Chaos Communication Congress (CCC) hacking conference!

ps4_jailbreak_NOP_command_southbridge_marvell.jpgBelow is their most recent tweet and further details from Wololo as follows:

  • The PS4 hack entry point runs through what seems to be a Webkit exploit. It is likely they are running the hack on a 1.76 PS4 because of that, but it is also very possible that their exploit runs on higher firmwares (and they’re just using the PS4 Webkit 1.76 entry point for convenience).

  • Fail0verflow hint at critical bugs in the southbridge of the GPU, but do not give more details on the exploit in their presentation, besides “NOP Command is broken on the GPU”.

  • We’re getting conflicting signals on that: it is also possible this is a software hack (a Kernel exploit in the PS4 firmware), running on top of the Webkit 1.76 exploit.

  • Assuming a new userland exploit (similar to the webkit one) was found on recent firmwares, this whole thing could run on recent PS4 firmwares without any hardware mod.
ps4_jailbreak_release.jpgThe original video and announce can be found on the CCC Relive page, the Fail0verflow part is at 1:31:30 in the video.

Check out the PS4 Linux Fai0verflow demo below!


Emulator_on_ps4-Pokemon_on_PS4.jpgFrom zecoxao on IRC: [zecoxao] http://pastie.org/private/diiuzokimhkb1pqjaagm4w
Code:
there was an early hw hack for ps4 that I know of
very affordable too
basically it relies on the ps4 using off the schelves gddr5
and using a "recent" pc gpu card
to dump the chips content
requires tons of soldering though
but a friend of mine did it
doesn't cost much more than the ps4, the gpu and the soldering iron
he used a fpga board to do the switch
but you can use anything else really
allows to dump even recent kernel/modules
thought you might want to know
you can't gain code execution this way btw
it's just for dumping data
yawns...
it requires patching the vbios of the gpu card (at least it did for his card)
cause it had a check on the modules manufacturer
can't have that eh ? xD
not the vbios on the ps4
the vbios of the GPU card
duh !
you are using the GPU card gddr controller, basically to read the content off the chips (more or less)
In summary, Linux for Sony's PlayStation 4 is likely to be released in the near future... but until a PS4 exploit is publicly available to run it most end-users will likely keep their consoles on 1.76 PS4 Firmware to be ready. :cool:

Finally, from marcan of Fail0verflow:

Console Hacking 2015: Liner Notes

If you’re here, you’ve probably heard about our lightning talk at the 32nd Chaos Communication Congress demoing Linux on a PS4. This post continues where the talk left off and clarifies a few aspects of what we’re doing, and why.

If you haven’t yet, please watch the talk (above) before reading the rest of this post:

Download: 32c3 Slides / 32c3-console-hacking-2015-slides.tar.gz

Two years ago, I said that the PS4 was not a particularly interesting device, being a glorified PC. What happened?

Essentially, two things: First, we’re hackers, and hacking consoles is fun after all. Second, it turned out that the PS4 isn’t really a PC (which makes it a more interesting target), while being enough of a PC to have some serious advantages. It’s hard enough to be interesting, and easy enough to be practical.

Let’s recap the (very simplified) history of game console hacks that we have been involved with:
  • On the Wii, we basically drove the entire homebrew community, from exploits to libraries to infrastructure. The community ended up being very large and productive, with lots of interesting releases. However, the people interested in game backups were always riding on the coattails of homebrew since relatively early on, and greatly benefited from it.

  • On the PS3, we tried releasing the exploits and letting others sort out the community. The result was that, for all practical purposes, the only users were those interested in backups. AsbestOS allowed Linux to work again, but since there was no GPU driver, and the CPU was underpowered and annoying to work with, there wasn’t that much interest beyond those who were already running OtherOS.

  • On the Wii U, we tried to get the community to display interest and work on Linux support before releasing the exploits. Although there were certainly several interested people, nobody with the right experience stepped up to actually make it a reality. Eventually others released exploits, and quickly a backups tool has become one of the primary use cases for them.
For the PS4, therefore, we’re yet again trying something new. It seems that the PS4 security architecture is rather straightforward and simple; the OS is based on FreeBSD, and the browser uses WebKit, both of which are open source. It is relatively easy to find exploits in both of them (all things considered), and that is all you need to chain into a Linux loader. However, as we found out, even though the hardware is certainly similar to a PC, it is not a PC, and Linux needs quite a bit of extra work to get running. Thus, we can add more value to the homebrew ecosystem by helping port Linux than by releasing exploits.

Of course, this also absolves us from responsibility for potentially enabling backups (and online play hacking and other undesirable outcomes), but we think it might even have a net positive effect: if we can get people interested in running Linux on the PS4 over using the native OS, we can redirect efforts away from reverse engineering the original software infrastructure (which is what the backups guys need, and they inevitably leech off of those efforts) to Linux (which is completely useless for backups).

Linux on the PS4 actually makes a lot of sense, more than it ever did on any previous game console. It’s close enough to a PC that getting 3D acceleration working, while rather painful (as we’ve learned), seems entirely possible without undue amounts of effort (in a timeframe of months, not years), to the level needed for real indie games and even AAA titles, not just homebrew. And many thousands of indie and AAA games already run on Linux.

Yes, SteamOS on the PS4 should “just work” once the driver issues are sorted out. We demoed a silly GBA emulator because all we had was a 2D framebuffer, but the real fun is getting 3D games to run just like they do on a PC (we’ve tried some commercial indie games already and they do work fine, just painfully slow as they are using software rendering right now, of course).

Although the exploits used in our demo were our own work (we in fact had Linux booting, albeit in a very broken state, well before any PS4 exploits were publicly announced - porting Linux takes time), the fact that other teams have also been able to get kernel code execution proves the point that you really don’t need to depend on us for that aspect.

We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble. Incidentally, everything is pure software. Hardware stuff was only used for research. There is not much reason to resort to hardware-based exploits on an architecture like the PS4, with a very wide attack surface and mediocre isolation.

So, to the community: if you’re interested, we really think this is the way to go for the PS4. Write an exploit, point it to our loader, and you’ll get Linux (we’ll help you get it hooked up/debugged if needed). And if you want backups, as usual, go away.

As for release timeframes: right now, the code is in a pretty ugly state, and some components are not releasable (e.g. they contain a bit of code that has been directly reverse engineered from Sony modifications to FreeBSD and needs to be rewritten/cleanroomed). Our goal is to eventually get the patches upstreamed in the Linux kernel, but in the meantime we will open up a work-in-progress repo as soon as is practical. If you’re interested, want to contribute, and have access to a PS4 kernel level exploit, feel free to get in contact with us so we know who wants to help out.

For those curious: the current status of 3D support is that we can get the kernel driver to enable acceleration (with some issues), but command buffer execution is currently broken because GPUVM is not working properly (page flipping works, but nothing is rendered, as the command buffer itself triggers a GPU page fault). We’re actively working on debugging this. If you happen to work on the Radeon DRI driver or are familiar with it, we could use a hand here ;).

TL;DR: We’re working on Linux kernel patches, and are looking to get them upstreamed. We’re not releasing exploits - we’re certain other people will. Don’t ask us. And if you want free games, go away.
Linux_on_PS4.jpg
 

Comments

Status
Not open for further replies.

SorenAlke

Senior Member
Contributor
well they managed to take over sysadm
using the entrypoint thats provided from the webkit
but they could of jus used the same flaw in breaking the gpu driver
if nop is broken , then the stack itself is rwx so you can map the whole kernel
and break out of the jail using the hypervisor to load whatever you want in kernel space
so yes you can patch out any security checks for validation during runtime while debugging if you can freeze the kernel then unload it. you can also choose the configuation of what orbis loads and cannot load.
 

mcmrc1

Senior Member
Contributor
Verified
i think the hints from fail0verflow will give some devs good Information how to move on :) thx for that...the nop thing on gpu seems to be hardware related and cant be patched by sony...i have read this somewhere
 

Chaos Kid

Developer
Senior Member
Contributor
i think the hints from fail0verflow will give some devs good Information how to move on :) thx for that...the nop thing on gpu seems to be hardware related and cant be patched by sony...i have read this somewhere
That's because only amd holds the patent on it.

@SorenAlke that's actualy incorrect it's exposed only when it's attacked and you have to know how to attack it
 
Status
Not open for further replies.
Recent Articles
PS4 Android Application APK to Mod BO3 1.00 for 5.05 FW by MrNiato
Earlier this month we saw an All Clients Black Ops 3 (BO3) Zombie PS4 RTM Tool by PlayStation 4 homebrew developer @MrNiato, and today he shared on Twitter a PS4 Android Application to Mod BO3...
Pop Music Adventure Sayonara Wild Hearts Joins New PS4 Games Next Week
On September 19th next week included in the new PlayStation 4 video game releases is pop music adventure Sayonara Wild Hearts, which can be described as a dreamy, arcadey game that features...
Simple Wireless Rover for Raspberry Pi Controlled by PS4 DS4 via WiFi
Following the DJI Tello Drone and DeepRacer RC remote control PS4 DualShock 4 mods, recently Veilkrand on Github shared a Simple Wireless Rover for Raspberry Pi Controlled by PS4 DS4 via WiFi for...
Capcom Home Arcade Launches October 25th, Details and Trailer Video
Previously we covered the RetroEngine Sigma and Game Box Hero systems for emulation fans, and recently Capcom announced their Capcom Home Arcade launches this October 25th with pre-orders...
Top