Category PS4 Jailbreaking       Thread starter kizabg       Start date Nov 5, 2018 at 8:07 AM       36,046       45            
Following Parts 1 through 3 of their PS4 Aux Hax covering hacking Aeolia, Syscon and DS4 today PlayStation 4 hackers fail0verflow shared documentation on PS4 Aux Hax 4 which uses HDMI (High-Definition Multimedia Interface) CEC (Consumer Electronics Control) to get code exec on all PS4 Belize southbridge versions (including PS4 Pro, etc) without requiring other parts of the system to be pwned! :notworthy:

According to Wikipedia, CEC is a feature of HDMI designed to allow users to command and control devices connected through HDMI by using only one remote control... and the bug is in the HDMI CEC code with the path reachable when HDMI-CEC is enabled and active. :ninja:

Be sure to check out the full PS4 Aux Hax 4: Belize via CEC documentation on their latest Blog Entry, and to quote in part:

"So, the overall process is like:
  1. Tap onto CEC-related i2c and irq lines and HDMI encoder power switch
  2. Power up PS4 and enter Rest Mode
  3. Wait for “EAP running” message from custom EAP kernel
  4. Induce the CEC RX interrupt
  5. Feed data to EMC such that it causes a stack buffer overflow
  6. Wait for EMC to copy SRAM to DDR3
  7. Dump copied SRAM out of UART
Of course, this is really EMC code exec, so the dumping is just something to do after the fact :)

This post outlines a way to dump EMC firmware and gain EMC code exec on any hardware revision. While the real root keys (in fuses and ROM) of EMC versions besides the first are still unknown, they could yet be recovered with side channel attacks, if someone really wanted them. Since this method is comparatively much more simple and more generic, it stands on its own as an interesting exploit.

As was hinted at, the CXD90046GG version of EMC employs slightly better security practices. The EMC ROM now wipes the SRAM space used as stack during initial key derivation, and some as-of-yet unknown method is used to unmap the ROM, mitigating it being dumped simply by reading from address 0x00000000. Again, it is likely the key material could still be recovered - if someone cares - but it’s interesting to see that such changes made their way into hardware between revisions."

PS4 Aux Hax 4 Belize (Southbridge) via HDMI CEC by Fail0verflow.jpg
 

Comments

Recent Articles
Red Dead Redemption 2 PS4 Models and Textures Tool by ID-Daemon
Following his Spider-Man PS4 Skeletal Models & Textures Tool release and the recent RDR2 PS4 Modding Demos data miner @iddaemon (aka ID-Daemon) shared details on his Red Dead Redemption 2 PS4...
3D Renders of Rumored PS5 / PlayStation 5 Development Kit Patent Design
Proceeding the rumored PS5 / PlayStation 5 DevKit Patent that surfaced earlier this week, today some artist renditions based on the Sony patent have surfaced for those seeking a closer look at the...
Latest PlayStation 4 Game Trailer Videos from Gamescom 2019
Earlier this week we saw a Call of Duty: Modern Warfare 2v2 Alpha PS4 trailer video from Gamescom 2019, and below is some more fresh PlayStation 4 video game footage from this year's Gamescom...
Chiaki: Free and Open Source PS4 Remote Play Client by Thestr4ng3r!
Last month we reported on a PS4 Remote Play open source client in development by thestr4ng3r, and today he released Chiaki... the first free and open source PS4 Remote Play client software for...
Top