Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers
1. Entry point:
2. Entry point:
Also the source code of WebKit from Sony
4. Entry Point:
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers
1. Entry point:
Code:
<iframe></iframe><object onbeforeload="crash()">
<script>
// Harness setup: when the WebKit test runner (DumpRenderTree / WebKitTestRunner)
// is present, ask for a plain-text dump and keep the test open until
// notifyDone() is called. In an ordinary browser this whole block is a no-op.
if (window.testRunner) {
window.testRunner.dumpAsText();
window.testRunner.waitUntilDone();
}
// Handler wired to the <object>'s onbeforeload attribute in the markup above.
// It runs while the beforeload event is still being dispatched: it first
// touches the sibling <iframe>'s window, then re-opens the outer document.
// The outer script later writes "PASS if not crashed.", so this snippet is a
// crash regression test rather than something that computes a result.
function crash() {
// Read (and discard) scrollX on the first iframe's window.
document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
// document.open() from inside a beforeload handler — presumably the
// re-entrancy being exercised; the return value is ignored.
document.open();
}
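// Read offsetLeft with the value unused — the usual way to force a
// synchronous layout; presumably this is what lets the <object>'s beforeload
// handler (crash()) fire before the timer below — confirm.
document.body.offsetLeft;
// Finish on the next timer tick: close the document that crash() re-opened,
// put the result text in the body, then hand control back to the harness.
setTimeout(function() {
document.close();
document.body.innerHTML = 'PASS if not crashed.';
// Guarded like the setup block above: outside the harness, testRunner is
// undefined and an unguarded call would throw a ReferenceError here.
if (window.testRunner) {
testRunner.notifyDone();
}
}, 1);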
</script>
Code:
<input id="t1" type="time">
<script>
// The <input type="time"> whose value is toggled from inside event dispatch.
var time1 = document.getElementById('t1');
// Capturing 'beforeload' listener on the whole document — presumably
// triggered by the <embed> at the end of the snippet; confirm. Each time it
// fires it flips the time input's value between '' and '23:59'.
document.addEventListener('beforeload', function(event) {
time1.value = time1.value ? '' : '23:59';
}, true);
// Harness setup: under the WebKit test runner, dump the result as plain
// text and keep the test open until notifyDone() is called. Outside the
// harness window.testRunner is undefined and nothing happens here.
if (window.testRunner) {
window.testRunner.dumpAsText();
window.testRunner.waitUntilDone();
}
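// After 100 ms, write the result text and tell the harness the test is over.
setTimeout(function() {
document.body.innerHTML = 'PASS if not crashed.';
// Guarded like the setup block above: in a plain browser testRunner is
// undefined and an unguarded call would throw a ReferenceError here.
if (window.testRunner) {
testRunner.notifyDone();
}
}, 100);
// Move focus to the time input; the beforeload listener above keeps
// toggling its value while loads are dispatched.
time1.focus();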
</script>
<embed src="data:text/html,PASS"></embed>
- EDIT / Update by B7U3 C50SS, source files from zecoxao, and a file server for accessing the PS4 Tests page via pasha4ur:
- You may also crash-test your PS4 browser at the moment on any FW from zecoxao's GitHub page.
Code:
<script>
// Best-effort garbage-collection nudge: tries the engine-specific collectors
// in turn (CollectGarbage(), then window.gc()) and swallows the error when a
// collector is not defined. The loops contain no statements in the original
// and are kept verbatim in shape; they perform no work.
function inituaf() {
var outer, inner;
for (outer = 0; outer < 100; outer += 1) {
for (inner = 0; inner < 32; inner += 1) {
// intentionally empty
}
}
try {
CollectGarbage();
} catch (firstErr) {
try {
window.gc();
} catch (secondErr) {
// Neither collector exists: fall back to another empty loop.
for (outer = 0; outer < 100; outer += 1) {
// intentionally empty
}
}
}
}
// Handler wired to the <object>'s onbeforeload attribute in the markup below.
// Every statement is wrapped in its own try/catch with an empty handler, so a
// failure at any step is silently ignored and the next step still runs. The
// numbered "//line N" comments suggest this was cut down from a longer
// generated script — cannot confirm from here.
// NOTE(review): the varNNNNN names are assigned without var/let/const, so
// they are created as (or overwrite) global properties on window.
function eventhandler2() {
// Grab the document and alias it.
try { var00002 = document; } catch(err) { } //line 2
try { var00003 = var00002; } catch(err) { } //line 3
// First <iframe> in the document and its window.
try { var00043 = 0; } catch(err) { } //line 45
try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
// Scroll that window to (-1, 0) …
try { var00063 = -1; } catch(err) { } //line 67
try { var00064 = 0; } catch(err) { } //line 68
try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
// … then call document.write() with no arguments while beforeload is still
// being dispatched; the return value is unused.
try { var00002.write(); } catch(err) { } //line 185
}
</script>
><object onbeforeload="eventhandler2()"><iframe>
Code:
<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>
// Declared but never assigned or read anywhere in this snippet.
var _gc;
// DOMContentLoaded handler: makes the first <iframe>'s root element
// editable, arranges for the iframe to be removed from the DOM as soon as it
// loses focus, then focuses it. Removing the frame from inside its own
// focusout listener is presumably the scenario under test — confirm.
function run()
{
var iframe = document.getElementsByTagName('iframe')[0];
// Editable root so that focus() below actually lands on it.
iframe.contentDocument.documentElement.contentEditable = true;
iframe.contentDocument.documentElement.addEventListener('focusout', function () {
// Detach the iframe (and its document) while focus is moving away from it.
iframe.parentNode.removeChild(iframe);
}, false);
iframe.contentDocument.documentElement.focus();
}
// Run once the outer document has finished parsing, so the <iframe> above exists.
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>