PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 11, 2018 at 1:14 AM
Those on PlayStation 4 firmware above 5.05 who are curious about PS4 exploits will be pleased to hear that, following his PS4NES v1.01 update, developer m0rph3us1987 is scheduled to speak at this month's 35c3 Chaos Communication Congress 2018 hacking event about exploiting PS4 video apps to run unsigned code regardless of the firmware version installed.

The 35th Chaos Communication Congress (35c3) is a four-day event running from December 27th to 30th, 2018 in Leipzig, Germany, with pre-sale tickets and additional details available for those interested in attending.

Download: Relive Exploiting PS4 Video Apps – 35C3 Streaming.mp4 (379 MB - Starts at 16:06)

To quote from the 35c3 event page (talk title: Exploiting PS4 Video Apps), roughly translated from German:
"Video apps on the PS4 are something wonderful. In this talk, I'll show you how to exploit them to run your own unsigned code (regardless of the firmware version installed). Step by step I will show what problems I faced at the start of my entry into the PS4 scene and how I solved them in order to reach the goal.

Almost three years ago, my wife gave me a PS4 for my birthday. She could not have guessed that I would do everything with the console except actually play games. This talk will be about the project with which I set foot in the PS4 underground scene.

Step by step we will see what was needed to run unsigned code on a foreign / unknown system. I will explain the exploit and its steps in as much detail as possible, and thus show that software exploits are not magic but a consequence of logical processes."

Previously at Chaos Communication Congress events we've seen awesome PlayStation 4 hacking and homebrew demonstrations, including Linux on PS4, PS4 Hardware Reversing, Steam on PS4, a GameCube / Wii Dolphin Emulator on PS4, and Fail0verflow's PS4 Console Hacking progress alongside a Liverpool AMDGPU Port for PS4 Linux.

So far this year PlayStation 4 scene developers have brought us a PS4 Media Player 3.50 (VR) Patched for 5.05 / 5.07, YouTube NoPSN PKGs, Netflix and Plex NoPSN PKGs, a Crunchyroll NoPSN PKG and a Littlstar NoPSN PKG. With the talk's focus being on exploiting PS4 video applications, it will be interesting to see whether Sharefactory, among other apps, is exploitable, and to what extent across PS4 firmware versions.

Here are some 35C3 Exploiting PS4 Video Apps slides from @DEFAULTDNB, below is a Spanish translated video from @RetroGamer74, and here is a rough English translation summary via The Leash:
  • His research is from 2015 (doesn't know if it's been fixed since then; video apps need PSN access, therefore it "should" work on the latest fw)
  • No code available / Is not sure if all that was said even still works today
  • Exploits the WebKit version found in video apps (which is/was the same WebKit version which allowed the 1.76 exploit)
  • Video apps often didn't have any encryption, therefore it was easy for him to tcpdump it all
  • With the 1.76 exploit he gained hexdumps
  • Used the same method as the 1.76 method to gain userland code execution, but the video apps are more limited than the web browser. (Says it was/should be OK to trigger a kexploit, but didn't say anything about whether he either found a kexploit or used one)
And a similar English summary translation from @Wultra (aka C0rpVultra):

Part one:
  • His research dates from 2015 (idk if it has been corrected since then; video applications need PSN access, so it "should" work on the last fw)
  • There is no code available / Not sure that everything that has been said even still works today
  • Uses the version of WebKit found in video applications (which was the same version of WebKit that allowed the 1.76 exploit).
  • Video applications often didn't have any encryption, so it was easy for him to tcpdump it all
Download: exploiting_ps4_video__apps.odp (4.4 MB - Slides)
Download: exploiting_ps4_video_apps_english.odp (1.1 MB - English Translated Slides)
Download: exploiting_ps4_video__apps.de.en.pdf (1.0 MB - English Translated Slides)
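Both summaries above single out one reconnaissance step: the video apps' traffic was often unencrypted, so a plain tcpdump exposed what they talk to. As an added example (this is not code from m0rph3us1987's talk or slides, and not PS4 scene tooling), here is the first-pass triage you would run on such a capture: a dependency-free pcap reader that walks Ethernet/IPv4/TCP framing and labels each segment as plaintext HTTP, TLS, or unknown by its first bytes. The capture, the 192.168.1.50 / 203.0.113.x addresses and the `cdn.example.invalid` host are all constructed in-line so the script runs offline; none of it is real console traffic.

```python
"""
Added example, not from the talk: triage a tcpdump-style pcap to see which
TCP flows carry readable HTTP and which are wrapped in TLS. Handles the
classic little-endian pcap format with Ethernet link type only.
"""
import struct
from typing import Dict, List

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def classify_payload(payload: bytes) -> str:
    """Label a TCP segment's payload by its leading bytes."""
    if not payload:
        return "empty"
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http-plaintext"
    return "unknown"


def _parse_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP. Returns None for anything that is not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "kind": classify_payload(payload), "payload_preview": payload[:32]}


def parse_pcap(data: bytes) -> List[Dict]:
    """Return one dict per TCP segment in a little-endian (0xa1b2c3d4) pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    link_type, = struct.unpack_from("<I", data, 20)
    if link_type != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    offset, segments = 24, []
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        seg = _parse_frame(data[offset:offset + incl_len])
        offset += incl_len
        if seg is not None:
            segments.append(seg)
    return segments


def plaintext_flows(pcap_bytes: bytes) -> List[str]:
    """'src:sport -> dst:dport' for every segment whose payload is readable HTTP."""
    return ["%s:%d -> %s:%d" % (s["src"], s["sport"], s["dst"], s["dport"])
            for s in parse_pcap(pcap_bytes) if s["kind"] == "http-plaintext"]


# --- constructed sample capture (made-up addresses, not real console traffic) ---

def _tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame around payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))


CONSOLE, VIDEO_CDN, AUTH_SERVER = "192.168.1.50", "203.0.113.10", "203.0.113.20"
SAMPLE_PCAP = _pcap([
    _tcp_frame(CONSOLE, VIDEO_CDN, 40000, 80,
               b"GET /manifest.json HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n"),
    _tcp_frame(VIDEO_CDN, CONSOLE, 80, 40000,
               b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"),
    _tcp_frame(CONSOLE, AUTH_SERVER, 40001, 443,
               b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
])

if __name__ == "__main__":
    for seg in parse_pcap(SAMPLE_PCAP):
        print("%s:%d -> %s:%d  %s" % (seg["src"], seg["sport"], seg["dst"],
                                      seg["dport"], seg["kind"]))
```

On a real capture you would pass the bytes of a `tcpdump -w` file to `parse_pcap` and look at `plaintext_flows`: any flow that shows up there is one whose requests and responses can be read, and potentially altered, by anyone on the path, which is exactly the situation the talk describes for the video apps of that era.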

Comments

English is not a universal language, sorry.

Maybe in your part of the world it is, but, for example, on my side, besides English, knowledge of German, Italian, or even French is highly valued. It's considered social intelligence if a person can understand another language.

Back to the topic, from what I understood (my German is good, but not that good), there's some interesting stuff going on, but for the end user, this is useless.

There will be benefits for us, but not sure what, when, or whether it will ever be public...
 
I don't know what part of the world you are from but you are sadly mistaken... English is the universal language. Period...... Regardless of where you are from.

I also speak many languages. So your assumptions are quite irrelevant too.

One thing I do agree with you. ;) Back on topic. :D

Best Regards
 
Hey guys, so nothing really concrete. I was under the impression that m0rph was going to release an all-fw hack to allow unsigned code, as it was stated! I just really hope something is released tonight or tomorrow lol. zecoxao, what do you think?
 
So the main point is that all of this is a big lie and won't work for new games like Spider-Man and RR2.
All the waiting was for nothing.

Secret method my **s
 
An exploit that requires PSN? Right, that should last a whole few hours, and end up with a typhoon of banned systems. lol No thanks.
 
@SirSilvan83 While I agree with your statement, my disappointment was more about the practicality of burning the disclosed exploit/entry point.

Since the app requires PSN (server-side authentication) to launch, once the exploit is patched (and it probably will be quickly) it will be completely useless as soon as the current firmware's PSN access is unsupported, unlike exploits such as the WebKit exploit/entry point that can be launched with or without PSN access as long as the exploitable firmware is not updated.

Not trying to take away from the skill and patience required for m0rph3us's achievement. I probably would have just kept that entry point in my back pocket until something more functional was achieved.
 
However, there was misleading information saying this would work on all firmwares. Was it even confirmed? The all-fw exploit got everybody's hopes up. If PSN is required, which is only available on the latest fw, then that contradicts the claim that it will work on all firmwares.
 
@HARFOSHI There is no lie. People, as usual, have got out of control with their speculations and got it wrong AGAIN. The developer never promised games or 6.02 or any such thing, people have simply made that up.

Judging by comments being made today by other devs, it sounds like they are utterly fed up with the whining of people asking for backups, as the whole purpose of their work is to enable homebrew development.

If you want those games, go buy them and quit moaning, because it's comments like these which are making the Devs abandon looking for newer kernel exploits. Cop on!
 