Category PS4 Jailbreaking       Thread starter kizabg       Start date Nov 5, 2018 at 8:07 AM       37,611       45            
Following Parts 1 through 3 of their PS4 Aux Hax covering hacking Aeolia, Syscon and DS4 today PlayStation 4 hackers fail0verflow shared documentation on PS4 Aux Hax 4 which uses HDMI (High-Definition Multimedia Interface) CEC (Consumer Electronics Control) to get code exec on all PS4 Belize southbridge versions (including PS4 Pro, etc) without requiring other parts of the system to be pwned! :notworthy:

According to Wikipedia, CEC is a feature of HDMI designed to allow users to command and control devices connected through HDMI by using only one remote control... and the bug is in the HDMI CEC code with the path reachable when HDMI-CEC is enabled and active. :ninja:

Be sure to check out the full PS4 Aux Hax 4: Belize via CEC documentation on their latest Blog Entry, and to quote in part:

"So, the overall process is like:
  1. Tap onto CEC-related i2c and irq lines and HDMI encoder power switch
  2. Power up PS4 and enter Rest Mode
  3. Wait for “EAP running” message from custom EAP kernel
  4. Induce the CEC RX interrupt
  5. Feed data to EMC such that it causes a stack buffer overflow
  6. Wait for EMC to copy SRAM to DDR3
  7. Dump copied SRAM out of UART
Of course, this is really EMC code exec, so the dumping is just something to do after the fact :)

This post outlines a way to dump EMC firmware and gain EMC code exec on any hardware revision. While the real root keys (in fuses and ROM) of EMC versions besides the first are still unknown, they could yet be recovered with side channel attacks, if someone really wanted them. Since this method is comparatively much more simple and more generic, it stands on its own as an interesting exploit.

As was hinted at, the CXD90046GG version of EMC employs slightly better security practices. The EMC ROM now wipes the SRAM space used as stack during initial key derivation, and some as-of-yet unknown method is used to unmap the ROM, mitigating it being dumped simply by reading from address 0x00000000. Again, it is likely the key material could still be recovered - if someone cares - but it’s interesting to see that such changes made their way into hardware between revisions."

PS4 Aux Hax 4 Belize (Southbridge) via HDMI CEC by Fail0verflow.jpg
 

Comments

Recent Articles
PlayStation 5 User Interface (PS5 UI) Rumored Image Leak Surfaces
An image that is rumored to be a screenshot of the current PlayStation 5 User Interface (PS5 UI) has reportedly leaked by an Anonymous game studio employee on the popular 4Chan bulletin board. 🤩...
Frost4 (PS4 Frostbite Engine) Toolkit & GNMF (BA2) Tools by SockNastre
Recently developer SockNastre made available on Github both a Frost4 Toolkit for modifying the proprietary Frostbite engine on PS4 alongside some BethesdaArchive2 GNMF tools to read / write in...
Grand Theft Auto V (GTA V) ArabicGuy Mod Menu for PS4 2020 Demo
Following the ArabicGuy v1.1 GTA V Mod Menu by @RF0oDxM0Dz and the Ghosts 1.00 SilentShadowV3 Mod Menu, PlayStation 4 scene developer @CustomHooker shared on Twitter a new Grand Theft Auto V (GTA...
PS4: The Best Place to Play Showcases Exclusives in Latest TV Spot
Sony's latest PS4 promotional TV spot titled The Best Place to Play can be seen below, and spotlights some current and upcoming PlayStation 4 exclusive games including The Last of Us: Part II...
Top