Category: PS4 Jailbreaking | Thread starter: kizabg | Start date: Nov 5, 2018 at 8:07 AM
Following Parts 1 through 3 of their PS4 Aux Hax series, which covered hacking Aeolia, Syscon and the DS4, PlayStation 4 hackers fail0verflow today shared documentation on PS4 Aux Hax 4. It uses HDMI (High-Definition Multimedia Interface) CEC (Consumer Electronics Control) to get code execution on all PS4 Belize southbridge versions (including the PS4 Pro) without requiring any other part of the system to be pwned!

According to Wikipedia, CEC is a feature of HDMI designed to allow users to command and control devices connected through HDMI using only one remote control. The bug is in the HDMI CEC code, and the vulnerable path is reachable whenever HDMI-CEC is enabled and active.

Be sure to check out the full PS4 Aux Hax 4: Belize via CEC documentation on their latest blog entry; to quote in part:

"So, the overall process is like:
  1. Tap onto CEC-related i2c and irq lines and HDMI encoder power switch
  2. Power up PS4 and enter Rest Mode
  3. Wait for “EAP running” message from custom EAP kernel
  4. Induce the CEC RX interrupt
  5. Feed data to EMC such that it causes a stack buffer overflow
  6. Wait for EMC to copy SRAM to DDR3
  7. Dump copied SRAM out of UART
Of course, this is really EMC code exec, so the dumping is just something to do after the fact :)

This post outlines a way to dump EMC firmware and gain EMC code exec on any hardware revision. While the real root keys (in fuses and ROM) of EMC versions besides the first are still unknown, they could yet be recovered with side channel attacks, if someone really wanted them. Since this method is comparatively much more simple and more generic, it stands on its own as an interesting exploit.

As was hinted at, the CXD90046GG version of EMC employs slightly better security practices. The EMC ROM now wipes the SRAM space used as stack during initial key derivation, and some as-of-yet unknown method is used to unmap the ROM, mitigating it being dumped simply by reading from address 0x00000000. Again, it is likely the key material could still be recovered - if someone cares - but it’s interesting to see that such changes made their way into hardware between revisions."

[Image: PS4 Aux Hax 4 Belize (Southbridge) via HDMI CEC by Fail0verflow]