PS4 3.15 Firmware Entry Point for Testing from Zecoxao

Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.

• http://2.83.228.148/totally_not_gachimuchi/

@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers
1. Entry point:

<iframe></iframe><object onbeforeload="crash()">
    <script>
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    function crash() {
        document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
        document.open();
    }

    document.body.offsetLeft;
    setTimeout(function() {
        document.close();
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 1);
    </script>

2. Entry point:

<input id="t1" type="time">
    <script>
    var time1 = document.getElementById('t1');
    document.addEventListener('beforeload', function(event) {
        time1.value = time1.value ? '' : '23:59';
    }, true);

    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
    setTimeout(function() {
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 100);
    time1.focus();
    </script>
    <embed src="data:text/html,PASS"></embed>

Also the the source code from the Webkit from Sony

• EDIT / Update by B7U3 C50SS & source files from zecoxao & and a file server for accessing the PS4 Tests page - via, pasha4ur:
• You may also crash test your PS4 browser ATM on any FW from zecoxao's Github Page.

3. Entry Point:

<script>
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}


</script>
><object onbeforeload="eventhandler2()"><iframe>

4. Entry Point:

<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>

var _gc;

function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>

 

[mcmrc1]

On this site is also a PS3 exploit from 2013 for 4.31 firmware
https://www.exploit-db.com/

 

[DrPhuz]

On this site is also a PS3 exploit from 2013 for 4.31 firmware
https://www.exploit-db.com/

I saw one on there for a 4.21 usb exploit a long while ago. But that exploit wasnt patched until 4.46.

 

[PSXHAX]

I updated the OP with the latest tweets from zecoxao.

 

[B7U3 C50SS]

I updated the OP with the latest tweets from zecoxao.

Yeah man thanks. I've also added a link to my updated section. from one of the tweets you used from me in the shoutbox. it was zeco's github but i directly hyperlinked it for people to click on. so if people want to they can just sign on to psxhax on their ps4 browser and use this page to get to the resources fro crash testing exploiting and finding bugs.

 

[PSXHAX]

Great thinking, thanks @B7U3 C50SS!

 

[Fimo]

The next step is to dig the Cturt's tutorial:
https://cturt.github.io/ps4.html
"There are other possible reasons for this message to be displayed, such as executing an invalid instruction or an unimplemented system call, but a segmentation fault is the most common."

 

[Lan]

Hope to be about time something to happen in scene.

Sigh....i am very impatient.

 

[Fimo]

Hope to be about time something to happen in scene

Everybody can help:
1 - try to understand how is working the "1.76 PS4 Playground" (with the help of Curt's Tutorial)
http://cturt.github.io/PS4-playground/
2 - try to adapt it to one of the zecoxao's memory warning sample's code

 

[mcmrc1]

its not that easy ^^ its just a crash... now he must use the crash to entry the system and also find a new exploitable thing like dlclose because this doesnt work anymore...so its the beginning from start again ...

Or has anobody heard something else

 

[Fimo]

its not that easy ^^ its just a crash... now he must use the crash to entry the system and also find a new exploitable thing like dlclose because this doesnt work anymore...so its the beginning from start again ...

Or has anobody heard something else

What would you like to start from zero ?
The dlclose exploit still works on 2.xx FW (2.57?).
If this crash is a segmentation fault as used Cturt on 1.76 Webkit, why not reusing and update his PS4 Playground ? (just insert & replace the new java buggy code and adapt the poke/offsets)

I see 2 further steps:
Step 1 - Run the Playground with one of this bug then you will run Linux on 2.xx FW
Step 2 -Find a new kernel exloit on 3.xx that will allow to run Linux

Step by step ?