PS3 OFW PSID Dump Tool Tutorial and recent d0 / d1 pdb file findings

PlayStation 3 developer @esc0rtd3w (Twitter) set up some new work-in-progress GitHub forks for a PS3 WebKitSploit and a PS3 Playground port.
Download: ps3-webkitsploit-master.zip / PS3 WebKitSploit GIT / ps3-playground-master.zip / PS3 Playground GIT / Websploit.org / PS3 Playground Test Page / PS3 Webkit POC / PlayStation 3 Browser Investigation
The PS3 WebKitSploit is based on original PS4 code from Cryptogenic and qwertyoruiopz, focusing on PS3 3.xx / 4.xx code execution, while the PS3 Playground WebKit exploit port is based on CTurt's and Cryptogenic's PS4 code.
From the README.md file, to quote:

PS3 Playground
A collection of PS3 tools and experiments using the WebKit, Flash, and other options.
We are only testing on firmware 4.81 at the moment.
THIS REPO IS FOR THE PUBLIC PS3 COMMUNITY TO EXPLORE AND TEST ON THEIR OWN
OUR TEAM IS CURRENTLY WORKING ON THIS PROJECT PRIVATELY AND WILL UPDATE WHEN FINISHED!
FOR A LIVE DEMO WITH PUBLIC TESTS TO TRY OUT, PLEASE VISIT: http://www.websploit.org/ps3/ps3-playground/test/
There are a lot of files here for reference and exploration.
Once more testing has been done, these will be cleaned up over time.
Inspired by original work from CTurt (https://github.com/CTurt/PS4-playground/) and Cryptogenic (https://github.com/Cryptogenic/PS4-Playground-3.55)
To quote from esc0rtd3w on the PS3 WebKitSploit project: I created a GitHub project forked from Cryptogenic, which was forked from the original qwertyoruiopz PS4 PoC.
I have started modifying the basic things. I have updated the syscalls to include "sys_ss_get_console_id": 870 and "sys_ss_get_open_psid": 872. I have not yet changed any of the ROP chain or the kernel and webkit module stuff. It only includes support for 3.55 and 4.81 for now. I have it detect the firmware version and change text to red or green if compatible, and updated some text.
This, of course, does not yet actually exploit or do anything cool!!! But it should be a good start to get webkit exploitation working on PS3. I will try to update it to include current exploits, and any research I do will be added in note form.
With any luck, we can get Sony to update that ancient web browser in a 4.82 update!!!
And from esc0rtd3w on the PS3 Playground project, to quote: I made another fork from CTurt's PS4 Playground.
I have started the basic edits for the PS3 again. I will work on both just because I will be using code from each and will eventually merge everything into the playground repo... the name is just cooler.
Finally, from the PS3 WebKitSploit README.md:

PS3 3.xx/4.xx Code Execution
THIS IS CURRENTLY NOT WORKING AND IS A PLACEHOLDER FOR NOW
What is working:
- Detects Firmware Version and Displays It On Screen
Credits (original PS4 4.0x Code Execution)
- qwertyoruiopz - The original exploit (http://rce.party/ps4/)
- SpecterDev - Edited original to support multiple firmwares (https://twitter.com/specterdev)

Also from the PS3 Playground README.md:

PS3 Playground
A collection of PS3 tools and experiments using the WebKit exploit. This is for firmware 3.55 and 4.81 only at the moment.
THIS IS NOT CURRENTLY WORKING AND IS A PLACEHOLDER!!!!
Based on original work from CTurt (https://github.com/CTurt/PS4-playground/) and Cryptogenic (https://github.com/Cryptogenic/PS4-Playground-3.55)
If anyone can lend him a hand on GitHub, that would be much appreciated, and cheers to @B7U3 C50SS, @Bultra and @spyro2670 for the heads-up in the PSXHAX Shoutbox earlier today!