Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 27, 2017 at 4:03 AM
Following the Adieu PS4 Kernel Exploit post and his confirmation yesterday, today the PS4 scene is LIT AS F*CK for the holidays with the RELEASE of a fully implemented kernel exploit for PS4 v4.05 Firmware by @SpecterDev via Twitter, alongside a debug_settings.bin test payload! Howbow dah, Sony?

Download: PS4-4.05-Kernel-Exploit-master.zip / GIT / Live Demo via @01cedric / Live Demo (Mirror #2) via @0x199 / Live Demo (Mirror #3) via @Red7s / Live Demo (Mirror #4) via @tunip3 / Live Demo (Mirror #5) via @EdiTzZMoDz / debug_settings.bin (16.23 KB Test Payload)
In addition, following his PS4 Package (PKG) research today, PlayStation 4 developer @flatz announced on Twitter that in a few days he'll share some of his recent work so that it can be backported from 4.55 to 4.05 for use on jailbroken PS4 consoles!

To quote from the README.md: PS4 4.05 Kernel Exploit

Summary

In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release, however, does not contain any code related to defeating anti-backup mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receipt.

You can find fail0verflow's original write-up on the bug here; you can find my technical write-up, which dives more into implementation specifics, here (this is still in progress and will be published within the next few days).

Patches Included

The following patches are made by default in the kernel ROP chain:
  1. Disable kernel write protection
  2. Allow RWX (read-write-execute) memory mapping
  3. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  4. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  5. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
Notes
  • This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes, and the same is true of the kernel.
  • I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
  • A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
  • An *** is not provided in this release, however a barebones one to get started with may be released at a later date.
  • I've released a sample payload here that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
Contributors

I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
If anyone is seeking the official Sony PlayStation 4 v4.05 Firmware (OFW), here are some mirrors in order to Update to a Specific PS4 Firmware: Firmware.v4.05.PS4.iNTERNAL-PS4FW
  • PS4 OFW 4.05 Download Links: Darthsternie
  • PS4 OFW 4.05 PUP MD5 Hash: 203c76c97f7be5b881dd0c77c8edf385
Those looking to buy a PS4 v4.05 console see the update HERE for a list of bundles most likely to be on 4.05 (or lower) when in new / unopened condition.

For those that prefer to Host Your Own PS4 Webkit Exploit Page see the guide, and below is a tutorial from tunip3 on:

How to Install the Debug Settings or Run Other Payloads on Your PS4 v4.0.5

This guide will not mention how to access the browser. This guide uses Specter's 4.0.5 kernel exploit. You will need to find your PS4's IP on your local network. This guide will also work on Linux; just replace nc.exe with nc.
Code:
nc -w 3 [ps4 ip] 9020 < debug_settings.bin
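As an added example (not part of SpecterDev's release or tunip3's guide), the Python below does what the netcat line does and adds the checks a practitioner wants: it refuses an empty payload file, times out the connection instead of hanging, writes every byte before closing, and reports the count. It assumes only what the README states about the loader, that it listens on TCP port 9020 and executes the bytes it receives; that the loader reads until the sender closes its side is an assumption here, matching what `nc -w 3` does. The MockLoader class and the NOP-sled payload are constructed for an offline loopback check and are not the console's loader.

```python
"""Send a payload to the PS4 4.05 kernel-exploit loader (port 9020).

Added example, not SpecterDev's code: equivalent to
    nc -w 3 <ps4 ip> 9020 < debug_settings.bin
with an empty-file check, a connect timeout and a byte count.
Assumed loader behaviour (per the README): raw payload bytes over TCP,
executed on receipt; we assume it reads until the sender closes.
"""
import socket
import threading
from pathlib import Path

LOADER_PORT = 9020  # port the exploit's payload loader listens on


def read_payload(path):
    """Return the payload bytes, refusing an empty file."""
    data = Path(path).read_bytes()
    if not data:
        raise ValueError(f"{path} is empty; refusing to send nothing")
    return data


def send_payload(host, payload, port=LOADER_PORT, timeout=3.0):
    """Stream payload to host:port as netcat would; return bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)          # loops until every byte is written
        sock.shutdown(socket.SHUT_WR)  # EOF marks the end of the payload
    return len(payload)


class MockLoader:
    """Loopback stand-in for the on-console loader (constructed for testing).

    It records the bytes it receives instead of executing them.
    """

    def __init__(self):
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port, not the real 9020
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self.received = b""
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:       # sender closed its side: payload complete
                    break
                chunks.append(chunk)
            self.received = b"".join(chunks)
        self._srv.close()

    def wait(self, timeout=5.0):
        self._thread.join(timeout)
        return self.received


def loopback_demo(payload=b"\x90" * 64 + b"\xc3"):
    """Round-trip a constructed payload (NOP sled + ret) through MockLoader."""
    loader = MockLoader()
    sent = send_payload("127.0.0.1", payload, port=loader.port)
    got = loader.wait()
    return sent, got


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: send_payload.py <ps4 ip> <payload file>
        n = send_payload(sys.argv[1], read_payload(sys.argv[2]))
        print(f"sent {n} bytes to {sys.argv[1]}:{LOADER_PORT}")
    else:
        sent, got = loopback_demo()
        print("loopback ok" if got and len(got) == sent else "loopback mismatch")
```

Run it as `python send_payload.py 192.168.1.50 debug_settings.bin` (the address is a placeholder for your own console's IP) after the kernel exploit page has run; with no arguments it only performs the loopback self-check. The README says the exploit patches itself to run once per boot, so a payload sent before the exploit has run, or to a console that has rebooted, finds nothing listening and the connect timeout fires.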
Hope everyone had a Merry Christmas! Here's the 4.05 kernel exploit, fully implemented. Enjoy! Write-up coming soon!
After @SpecterDev released his exploit, I'll prepare stuff within a couple of days; someone needs to backport it from 4.55 to 4.05, not hard to do. Not sure if it will be a write-up or just snippets of code, let's see.
I've also uploaded a test payload you can use after the kernel exploit runs that jailbreaks and patches the kernel to allow access to debug settings, just needs to be netcatted to the loader via port 9020.
[4.05] PS4 DEBUG SETTING BY SPECTER
PS4 4.05 PKG INSTALL
Someone told me this is not working yet. That is not correct. PKG installs fine. The problem is you would need a license file to play the content. The PKG must be on the root of the USB, just like on 1.76. Exciting times....
UART enabler for 4.05 :)
Code:
// Kernel-memory patches posted for 4.05 (offsets as given); run from kernel context.
uint16_t *securityFlags = (uint16_t *)(kernel_base + 0x2001516); // original cast to uint64_t * mismatched the pointer type
*securityFlags = *securityFlags & ~(1 << 15);                    // clear bit 15 of the security flags
*(char *)(kernel_base + 0x186b0a0) = 0;                          // zero the second byte
Right, I only soldered one wire (TX on the PS4) and attached a GND wire to the HDD cage, then using a ~$5 UART-to-USB adapter I listen on an Arduino (serial monitor). Very simple.
If anyone wants to continue trying to port the exploit to 3.55 you can use this. I got as far as trying to leak a good object; ROP was working etc., just Specter's leak could never get a suitable object for the exploit on 3.55.

Download: 3.55-specterPort.7z (16.48 KB) / PS4 Entrypoint 4.05 by IDC


Download: kernel_355_jig.7z (29.90 MB) / 355_modules.7z (9.83 MB)

Big THANKS to @ArthurBishop, @hyndrid, @Nesterwork, @ombus, @UmarDaBest559 and everyone else in the PSXHAX Shoutbox for this PS4 4.05 full kernel exploit news, and let the jailbreaking begin! :D
 

Comments


wwenze

Senior Member
Contributor
Yes it kinda did. The first jailbreak was available for only 10% of people; the rest had upgraded already. This time, at least 40% of people have not updated past the exploit firmware. So it can't be considered a complete win, but neither can it be a loss.

Anyway PSXHAX, do you have a compilation of all the game dumps up to now? Can't seem to find the game I was looking for.
40%? Maybe among people with long necks waiting for hacks. Probably <1% among the entire owner base. The PS4 forums that I frequent, with their resident "experts" jerking each other off, have no mention of the JB ever.
 

Donely

Console Games Service
Senior Member
Contributor
Verified
I installed the CUSA01452 Giana Sisters - Twisted Dreams PKG on 4.05 but it still requires the license... wait for flatz's method.




 

Samuze

Senior Member
Contributor
Verified
Samuze, you and I were on 4.07; why did you update to 4.55?
Yes, I updated months ago, because I needed to update a game (The Last Guardian), but I am not worried at all, because I know something will be released for higher firmwares; this is just a matter of months again.....

Here is the status of the PS4 scene:
  • Firmware 1.76: Fully exploited, (public)
  • Firmware 3.55: Public exploitation of WebKit
  • Firmware 4.05: Fully exploited, (public)
  • Firmware 4.07: Public exploitation of WebKit
  • Firmware 4.50 - 4.55: Fully exploited privately
  • Firmware 5.00 - 5.01: Fully exploited privately
 

azoreseuropa

Senior Member
Contributor
Verified
I want them to keep the 5.00 - 5.01 full exploit private until after God of War releases. I hope that Sony doesn't update until God of War releases first. :D
 

Teufel123

Member
Contributor
Hey guys^^ Just registered here to ask some questions..

My PS4 is on 5.01 and I already know I can't run the exploit on it ^^ So I'm trying to sell my PS4 to buy a new one with the right firmware.

My questions:

1. Should I even sell my PS4, or wait some months in case an exploit comes for 5.01?
2. I already saw many tutorials on setting up the jailbreak, but running backups isn't possible right now, right? (If it is, I didn't find a tutorial for it.)

that's all of my questions :)
 

Donely

Console Games Service
Senior Member
Contributor
Verified
As @azoreseuropa said, the 5.01 full exploit will probably remain private until God of War and other big titles release. For the 4.05 jailbreak, there will soon be a way to run PKG games without a license.
 

Donely

Console Games Service
Senior Member
Contributor
Verified
"PlayStation 4 developer @flatz announced that in a few days he'll share some of his recent work so that it can be backported from 4.55 to 4.05 for use on PS4 jailbroken consoles!"
 