Category PS4 Jailbreaking       Thread starter kizabg       Start date Nov 5, 2018 at 8:07 AM       38,572       45            
Following Parts 1 through 3 of their PS4 Aux Hax covering hacking Aeolia, Syscon and DS4 today PlayStation 4 hackers fail0verflow shared documentation on PS4 Aux Hax 4 which uses HDMI (High-Definition Multimedia Interface) CEC (Consumer Electronics Control) to get code exec on all PS4 Belize southbridge versions (including PS4 Pro, etc) without requiring other parts of the system to be pwned! :notworthy:

According to Wikipedia, CEC is a feature of HDMI designed to allow users to command and control devices connected through HDMI by using only one remote control... and the bug is in the HDMI CEC code with the path reachable when HDMI-CEC is enabled and active. :ninja:

Be sure to check out the full PS4 Aux Hax 4: Belize via CEC documentation on their latest Blog Entry alongside the PS4 Southbridge Reverse-Engineered Code Examination, and to quote in part:

"So, the overall process is like:
  1. Tap onto CEC-related i2c and irq lines and HDMI encoder power switch
  2. Power up PS4 and enter Rest Mode
  3. Wait for “EAP running” message from custom EAP kernel
  4. Induce the CEC RX interrupt
  5. Feed data to EMC such that it causes a stack buffer overflow
  6. Wait for EMC to copy SRAM to DDR3
  7. Dump copied SRAM out of UART
Of course, this is really EMC code exec, so the dumping is just something to do after the fact :)

This post outlines a way to dump EMC firmware and gain EMC code exec on any hardware revision. While the real root keys (in fuses and ROM) of EMC versions besides the first are still unknown, they could yet be recovered with side channel attacks, if someone really wanted them. Since this method is comparatively much more simple and more generic, it stands on its own as an interesting exploit.

As was hinted at, the CXD90046GG version of EMC employs slightly better security practices. The EMC ROM now wipes the SRAM space used as stack during initial key derivation, and some as-of-yet unknown method is used to unmap the ROM, mitigating it being dumped simply by reading from address 0x00000000. Again, it is likely the key material could still be recovered - if someone cares - but it’s interesting to see that such changes made their way into hardware between revisions."

PS4 Aux Hax 4 Belize (Southbridge) via HDMI CEC by Fail0verflow.jpg
 

Comments

Recent Articles
Windbound Sails to PlayStation 4 on August 28th, PS4 Trailer Video
The forbidden islands are calling survival adventure fans eager to unravel the mystery as Windbound from 5 Lives Studios sets sail on PlayStation 4 this August 28th. 🌊 ⛵ 🔎 Prepare to explore...
PS Store Spring Sale Offers Savings Up to Half Off Select PSN Titles
The latest PlayStation Store sale is here featuring savings of up to 50% off select PS4 games and movies including Death Stranding, NBA 2K20, Dragon Ball Z: Kakarot and more! 🤩 PlayStation...
Rebug 4.86.1 LITE PS3 CFW with Cobra 8.2 and Toolbox 2.03.04
A few days back Sony released PS3 Firmware 4.86, and following their previous release today the Rebug Team made available Rebug 4.86.1 LITE (CEX) PS3 CFW with Cobra 8.2 and Toolbox 2.03.04 for...
Sony Unveils PlayStation Plus Free Games for April 2020
It's officially 4/20 all month, and today Sony officially unveiled the free PlayStation Plus games for April 2020 alongside a PS Plus preview trailer video below! 🌺🌼🌸 Headlining the free...
Top