PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Mar 10, 2016 at 11:09 PM
Status
Not open for further replies.
It has not been long since the PS4 BadIRET Kernel Exploit source code surfaced amid PS4 Scene drama, and today PlayStation 4 developer BigBoss tweeted that he has a working PS4 BadIRET Proof-of-Concept (PoC) built with LibPS4 / PS4Link / PS4SH. His output logs follow, along with some recent PS3 developments below.


badiret with libps4, ps4link, ps4sh output.txt
Code:
log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266)
log: [PS4][DEBUG]: [PS4LINK] Received command execpayload argc=0 argv=
log: [PS4][DEBUG]: [PS4LINK] execpayload command thread UID: 0x80D2A520
log: [PS4][DEBUG]: [PS4LINK] commands listener waiting for next command
log: [PS4][DEBUG]: Loaded on corer 7
log: [PS4][DEBUG]: Setting affinity return 0x00000000
log: [PS4][DEBUG]: xpageEntryHi = ffffffff833249a8
log: [PS4][DEBUG]: mmap codepe0 825fc000
log: [PS4][DEBUG]: mmap codepe1 1825fc000
log: [PS4][DEBUG]: mmap codepe2 2825fc000
log: [PS4][DEBUG]: mmap codepe3 3825fc000
log: [PS4][DEBUG]: mmap codepe4 4825fc000
log: [PS4][DEBUG]: mmap codepe5 5825fc000
log: [PS4][DEBUG]: prefault codepe0
log: [PS4][DEBUG]: prefault codepe1
log: [PS4][DEBUG]: prefault codepe2
log: [PS4][DEBUG]: prefault codepe3
log: [PS4][DEBUG]: prefault codepe4
log: [PS4][DEBUG]: prefault codepe5
log: [PS4][DEBUG]: mmap codepw 200868000
log: [PS4][DEBUG]: payload 93a3030b4
log: [PS4][DEBUG]: dir payload 93a3030b4
log: [PS4][DEBUG]: tramp  0xB4 0x30 0x30 0x3A 0x09 0x00 0x00 0x00
log: [PS4][DEBUG]: prefault criticalPayloadMessage
log: [PS4][DEBUG]: Loaded 2 on core 6
log: [PS4][DEBUG]: Setting affinity return 0x00000000
log: [PS4][DEBUG]: sysarch return 0
[+] Entered critical payload

After this we are in the while(1) code on the payload :) kernel execution achieved

sys_dynlib_prepare_dclose poc with clang libps4/ps4link/ps4sh output.txt
Code:
log: [PS4][INFO]: ready to have a lot of fun...
log: [PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x80C43A20
log: [PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 85
log: [PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x80C74FC0
log: [PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done
log: [PS4][DEBUG]: [PS4LINK] Command Thread Started.
log: [PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 86
log: [PS4][DEBUG]: [PS4LINK] Ready for connection 1
log: [PS4][DEBUG]: [PS4LINK] Waiting for connection
log: [PS4][DEBUG]: [PS4LINK] Command listener waiting for commands...
ps4sh> execpayload
log: [HOST][DEBUG]: [PS4SH] [PS4SH] argc=0 argv=
log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266)
log: [PS4][DEBUG]: [PS4LINK] Received command execpayload argc=0 argv=
log: [PS4][DEBUG]: socket opened is now equeals fd 3840
log: [PS4][DEBUG]: Created event queue 0x0000000000000F01
log: [PS4][DEBUG]: Created event queue 0x0000000000000F02
log: [PS4][DEBUG]: Created event queue 0x0000000000000F03
log: [PS4][DEBUG]: Created event queue 0x0000000000000F04
log: [PS4][DEBUG]: Created event queue 0x0000000000000F05
log: [PS4][DEBUG]: Created event queue 0x0000000000000F06
log: [PS4][DEBUG]: Created event queue 0x0000000000000F07
log: [PS4][DEBUG]: Created event queue 0x0000000000000F08
log: [PS4][DEBUG]: Created event queue 0x0000000000000F09
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F10
log: [PS4][DEBUG]: Created event queue 0x0000000000000F11
log: [PS4][DEBUG]: Created event queue 0x0000000000000F12
log: [PS4][DEBUG]: Created event queue 0x0000000000000F13
log: [PS4][DEBUG]: Created event queue 0x0000000000000F14
log: [PS4][DEBUG]: Created event queue 0x0000000000000F15
log: [PS4][DEBUG]: Created event queue 0x0000000000000F16
log: [PS4][DEBUG]: Created event queue 0x0000000000000F17
log: [PS4][DEBUG]: Created event queue 0x0000000000000F18
log: [PS4][DEBUG]: Created event queue 0x0000000000000F19
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F20
log: [PS4][DEBUG]: Created event queue 0x0000000000000F21
log: [PS4][DEBUG]: Created event queue 0x0000000000000F22
log: [PS4][DEBUG]: Created event queue 0x0000000000000F23
log: [PS4][DEBUG]: Created event queue 0x0000000000000F24
log: [PS4][DEBUG]: Created event queue 0x0000000000000F25
log: [PS4][DEBUG]: Created event queue 0x0000000000000F26
log: [PS4][DEBUG]: Created event queue 0x0000000000000F27
log: [PS4][DEBUG]: Created event queue 0x0000000000000F28
log: [PS4][DEBUG]: Created event queue 0x0000000000000F29
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F30
log: [PS4][DEBUG]: Created event queue 0x0000000000000F31
log: [PS4][DEBUG]: Created event queue 0x0000000000000F32
log: [PS4][DEBUG]: Created event queue 0x0000000000000F33
log: [PS4][DEBUG]: Created event queue 0x0000000000000F34
log: [PS4][DEBUG]: Created event queue 0x0000000000000F35
log: [PS4][DEBUG]: Created event queue 0x0000000000000F36
log: [PS4][DEBUG]: Created event queue 0x0000000000000F37
log: [PS4][DEBUG]: Created event queue 0x0000000000000F38
log: [PS4][DEBUG]: Created event queue 0x0000000000000F39
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F40
log: [PS4][DEBUG]: Created event queue 0x0000000000000F41
log: [PS4][DEBUG]: Created event queue 0x0000000000000F42
log: [PS4][DEBUG]: Created event queue 0x0000000000000F43
log: [PS4][DEBUG]: Created event queue 0x0000000000000F44
log: [PS4][DEBUG]: Created event queue 0x0000000000000F45
log: [PS4][DEBUG]: Created event queue 0x0000000000000F46
log: [PS4][DEBUG]: Created event queue 0x0000000000000F47
log: [PS4][DEBUG]: Created event queue 0x0000000000000F48
log: [PS4][DEBUG]: Created event queue 0x0000000000000F49
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F50
log: [PS4][DEBUG]: Created event queue 0x0000000000000F51
log: [PS4][DEBUG]: Created event queue 0x0000000000000F52
log: [PS4][DEBUG]: Created event queue 0x0000000000000F53
log: [PS4][DEBUG]: Created event queue 0x0000000000000F54
log: [PS4][DEBUG]: Created event queue 0x0000000000000F55
log: [PS4][DEBUG]: Created event queue 0x0000000000000F56
log: [PS4][DEBUG]: Created event queue 0x0000000000000F57
log: [PS4][DEBUG]: Created event queue 0x0000000000000F58
log: [PS4][DEBUG]: Created event queue 0x0000000000000F59
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F60
log: [PS4][DEBUG]: Created event queue 0x0000000000000F61
log: [PS4][DEBUG]: Created event queue 0x0000000000000F62
log: [PS4][DEBUG]: Created event queue 0x0000000000000F63
log: [PS4][DEBUG]: Created event queue 0x0000000000000F64
log: [PS4][DEBUG]: Created event queue 0x0000000000000F65
log: [PS4][DEBUG]: m event queue created  0x00000F65
log: [PS4][DEBUG]: Created event queue 0x0000000000000F66
log: [PS4][DEBUG]: m2 event queue created  0x00000F66
log: [PS4][DEBUG]: sceKernelDeleteEqueue return: 0x00000000
log: [PS4][DEBUG]: mapping pointer 2017fc000
log: [PS4][DEBUG]: before SYS_dynlib_prepare_dlclose
log: [PS4][DEBUG]: SYS_dynlib_prepare_dlclose: -1
log: [PS4][DEBUG]: before sceKernelDeleteEqueue
After this, the payload is called from trampoline code and a few messages calling sys_sendto on port 9023 are received, so kernel execution is done
  [+] Entered critical payload
After the messages are received, a wonderful panic and the console switches off.
I suppose that the panic is in the knote_drop call; I must figure out the return address in the stack to try to avoid that.
Also, for PlayStation 3 owners, PS3 scene developer zecoxao recently patched the PS3 HDD GUI v1.3 for Arcade units. For those interested, the download and boot log are below:

Download: ps3_hdd_gui_1.3_patched_for_arcade.7z (1.28 MB)

Code:
Boot Loader SE Version 4.7.8 (Build ID: 5300,50579, Build Date: 2015-12-25_19:40:53)
*** Version: 478.001
Copyright(C) 2015 Sony Computer Entertainment Inc.All Rights Reserved.
[INFO]: === eXtreme Data Rate Memory Subsystem ===
[INFO]: (Configured Memory Size per single XIO channel: 256 MBytes.)
[INFO]: XIO channel[0] is available.
[INFO]: XIO channel[1] is available.
[INFO]: ---> Total 512 MBytes are now in use.
[INFO]: SPU enable [0, 1, 2, 5, 6, 7] 11101111
[INFO]: BE:3.1, SB:DX3.2
SYSTEM_SHUTDOWN
Cell OS SDK4.7.8 001 (release build: r50579 20151225_194737)
Copyright 2015 Sony Computer Entertainment Inc.
revision: 50550
date:     Fri Dec 25 19:47:37 JST 2015
SYSTEM_BOOT
*** v4.7.8
CP v1.3.3
lv2(0): total memory size: 502MB
lv2(0): kern memory size:   18MB (heap:4160KB  page pool:9216KB)
lv2(0): user memory size:  468MB
lv2(2):
lv2(2): Cell OS Lv-2 32 bit version 4.7.8
lv2(2): Copyright 2011 Sony Computer Entertainment Inc.
lv2(2): All Rights Reserved.
lv2(2):
lv2(2): revision: 50579
lv2(2): build date: 2015/12/25 19:58:58
lv2(2): processor: Broadband Engine  Ver 0x0000  Rev 0x0201
lv2(2): PPU:0, Thread:0 is enabled.
lv2(2): PPU:0, Thread:1 is enabled.
lv2(2):
lv2(2): mounting HOSTFS in default mount point "/app_home" : OK
lv2(2): mounting HOSTFS in default mount point "/host_root" : OK
rsx:      b03 500/650 vpe:ff shd:7b  [GAB886100:1:2:17:f:5:3:f:2][16:3:0:0:1:3:1][0:0:0]
lv2(2): Available physical SPUs: 6/7
lv2(2): mounting the flash file system : OK
lv2(2): creating the initial system process : OK
lv2(2): CP is available.
lv2(2): system software: system software mode (memsize=392MB)
lv2(2): creating the system software process : OK
lv2(2): sys_init: system software process set-up done.
lv2(2): creating the debug agent : BDemulator: disabled
lv2(2): OK
lv2(2): initial system process done.
===== Start agent =====
Debug Agent Version: 4.7.8 (62)
Reset parameter:  0x0000000000000000 - Reset the hardware gracefully (lv1 + lv2 soft reset)
Boot parameter:   0x0000000000000015 - System software mode
    Memory size: 384MB (Tool mode)
    BD drive: Physical
    BD emulator speed: HDD/USB native
    BD emulator device: HDD
    File serving port: Dev Lan
    Network interface: Single
    Controllers auto-recognition: Disabled
System parameter: 0x0001000000000000
    Model: PS3 60GB HDD
    Rel. check mode: Development
Waiting for XMB to initialize
Debug Agent Version 4.7.8 (62) (Built - Dec 25 2015 20:40:30)
checking hard disk: done. (# of partition = 2)
mounting HDD in the mount point "/dev_hdd0" : OK
Fake Hdd Access Speed = 0
XMB initialization done
Game: game exec processID = [0x01010200]
cellSysmoduleLoadModule (CELL_SYSMODULE_FS) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_NET) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_NETCTL) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_HTTP) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_HTTP_UTIL) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_SSL) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_VDEC) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_ADEC) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_DMUX) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_PAMF) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_USBD) return CELL_OK
cellNetCtlInit ret = OK
cellNetCtlAddHandler ret = OK
cellNetCtlGetState ret = OK status = CELL_NET_CTL_STATE_Connecting

*** PS3AIO Initialize ***

Check USB Device Connection...
USB Device Offline -> DeviceId = -1

Wait USB Device Online...
Waiting for USJPCB Link ...
[02] - USJPCB Initializing
[01] - USJPCB Initializing

>>> USJPCB Timeout Error <<<
Download: PS3UPDAT.PUP.315.001.for.DEH.PASTA_v2.PUP.rar (132.3 MB)
[Image: PS4_Badiret_PoC.jpg]
 
