PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Aug 7, 2017 at 2:49 AM | 532
Following his PS3 OFW PSID Dump Tool Tutorial and his recent d0 / d1 pdb file findings, PlayStation 3 developer @esc0rtd3w (Twitter) has set up some new work-in-progress Github forks for a PS3 WebKitSploit and a PS3 Playground port. :ninja:

Download: ps3-webkitsploit-master.zip / PS3 WebKitSploit GIT / ps3-playground-master.zip / PS3 Playground GIT / Websploit.org / PS3 Playground Test Page / PS3 Webkit POC / PlayStation 3 Browser Investigation

The PS3 WebKitSploit is based on original PS4 code from Cryptogenic and qwertyoruiopz, focusing on PS3 3.xx / 4.xx code execution, while the PS3 Playground WebKit exploit port is based on CTurt's and Cryptogenic's PS4 code. :ninja:

From the README.md file, to quote:

PS3 Playground

A collection of PS3 tools and experiments using WebKit, Flash, and other options.
We are only testing on firmware 4.81 at the moment.

THIS REPO IS FOR THE PUBLIC PS3 COMMUNITY TO EXPLORE AND TEST ON THEIR OWN

OUR TEAM IS CURRENTLY WORKING ON THIS PROJECT PRIVATELY AND WILL UPDATE WHEN FINISHED!

FOR A LIVE DEMO WITH PUBLIC TESTS TO TRY OUT, PLEASE VISIT: http://www.websploit.org/ps3/ps3-playground/test/

There are a lot of files here for reference and exploration.

Once more testing has been done, these will be cleaned up over time.

CREDITS:

Inspired by original work from CTurt (https://github.com/CTurt/PS4-playground/) and Cryptogenic (https://github.com/Cryptogenic/PS4-Playground-3.55)

Original (outdated) information:
If anyone can lend him a hand on Github that would be much appreciated, and cheers to @B7U3 C50SS, @Bultra and @spyro2670 for the heads-up in the PSXHAX Shoutbox earlier today! :beer:

Comments

@esc0rtd3w, do you think we will be able to download full games on OFW 4.81 without a second CFW console, and also do you think we will be able to stock those games and keep adding new ones without formatting the HDD, like in backup injection?
 
This is the reason that we tread so carefully: because of posts like this! :eek:

THE GOAL OF THIS PROJECT IS NOT BLATANT backups! IT IS UNLOCKING THE SYSTEM, HOMEBREW, WITH POSSIBLE DOWNGRADE AND CFW OPTIONS!

If you choose to use it for backups that is your choice and some extra work is going to have to be done on your part for that to work.
 
Hi everybody!
How can I collaborate on this project?

Read the topic and feel free to try and go with the flow of the thread as it unfolds. ;) We all can collaborate here! We only have to know how. :D And by how I mean in our own ways.

EDIT: I would also start by asking @esc0rtd3w how you could help out. He's the one managing the situation here.
 
Hmmm, I guess for now, basically what I said to @virtualghost4 is that for the private chat I would currently have to talk to everyone involved before sending invites, as I am quite sure we are leveraging some fairly unknown info surrounding the web browser and other areas :cautious:

Anyone interested can send a PM and I can, for now, send a link to the current Skype chat for the PS3 Library Functions until I would be able to do anything else, before asking all involved beforehand.
 
I'd like to say you're right on a reasonably made system... however, history has shown me that the PS3 itself was anything but reasonably made. First and foremost, has it been accurately shown that the PS3 runs its browser in user mode and not as a part of LV2? Unfortunately I do NOT have a Rebug or 3.55 unit, so I cannot test this myself.

Second of all, things like Henkaku do NOT need the PS3 keys! Nobody has the Vita keys even still! It's completely unnecessary. The only thing having a Master Key does is allow you to sign your own executable! In other words, there are two approaches to each console lock:

Either you get the Master Key (which is normally near impossible, or what's called 'efficiently impossible' - basically, you can compute it technically, but it'll take you far, far, far longer than the span of several lifetimes. This is what they mean by 'impractical to brute force'), or you can get access to and modify memory.

In fact, if we had the master keys you do not NEED a Kexploit because the system itself would treat our code as authentic Sony code. In addition if you have a Kexploit you do not NEED a master key either. It just so happened that for the PS3, it was implemented in such a way that it was easy to get to after getting to kernel mode. That wasn't because it was needed - The standard User exploit ~ Kernel Exploit would work, and it DID work. That's what PSJailbreak was. An exploit that jumped to kernel mode and overwrote data in LV2 with a payload that took it over.

So here's what our line of thought should be.

First and foremost, we need to have a browser exploit.

Second, we need to check where we can read and write with this exploit.

Third, determine if it's necessary at this point for a LV2 Entrypoint. See, here's the thing with browser exploits. They work in different ways depending on the system around them.

If the PlayStation 3 is running an implementation of NX (No eXecute) to make mapped memory pages, you need ROP (return oriented programming). However, PS Freedom/PS Jailbreak, that old USB exploit, wouldn't have happened if it did. Because NX all but stops overflows since everything involving them usually occurs in non-executable space. Therefore, it's very possible the PS3 does NOT run NX pages.

If that's the case, simple things like buffer, heap, and stack overflows would work, forget about needing UAFs.

So what I'm basically saying is: Determine the level of permissions granted by owning the browser, and from there, worry about getting entry to LV2. The PS3 scene as you may have noticed is lacking in information horribly to what has changed since 3.55 regarding the PS3 security.

So in that sense, we need to evaluate before we start worrying or panicking about where to go next.

Edit: As for your thing of needing to edit USB to work, that's also false. HENKaku uses a chain of ROP loaders, preparing several payloads all in memory to exploit the console. Saying you need USB for it to work is completely false as that's like saying you needed Vita memory card access to use HENKaku: You didn't, it executed directly from the browser.

Meh, I'm not a PS3 developer but I'm still going to post my crappy opinion, sorry. Random Persona seems to be right: kernel access means we can execute any code on the system with full privileges, even patch existing functions.

So if the key checking is done with software we control, we can easily bypass that with kernel access.

However, if in the superslims the key checking is done by a separate hardware component we do not control, that approves/disapproves firmwares and then writes them to the ROM, I don't think traditional CFWs for the superslims are an option (this is very unlikely; neither the fats nor the slims work this way).

But I'm not a rapper.
Cheers ;)!

Guys, thanks for explaining it to the rest of the users that didn't understand; however, we (long-time console hacking enthusiasts) already knew about the things stated above... what we need is exploits or hardware modifications.
 