Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Mar 10, 2016 at 11:09 PM
Status
Not open for further replies.
It hasn't been long since the PS4 BadIRET Kernel Exploit source code surfaced amid PS4 Scene drama, and today PlayStation 4 developer BigBoss tweeted that he has a working PS4 BadIRET Proof-of-Concept (PoC) using LibPS4 / PS4Link / PS4SH, with more recent PS3 developments further below.


badiret with libps4, ps4link, ps4sh output.txt
Code:
log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266)
log: [PS4][DEBUG]: [PS4LINK] Received command execpayload argc=0 argv=
log: [PS4][DEBUG]: [PS4LINK] execpayload command thread UID: 0x80D2A520
log: [PS4][DEBUG]: [PS4LINK] commands listener waiting for next command
log: [PS4][DEBUG]: Loaded on corer 7
log: [PS4][DEBUG]: Setting affinity return 0x00000000
log: [PS4][DEBUG]: xpageEntryHi = ffffffff833249a8
log: [PS4][DEBUG]: mmap codepe0 825fc000
log: [PS4][DEBUG]: mmap codepe1 1825fc000
log: [PS4][DEBUG]: mmap codepe2 2825fc000
log: [PS4][DEBUG]: mmap codepe3 3825fc000
log: [PS4][DEBUG]: mmap codepe4 4825fc000
log: [PS4][DEBUG]: mmap codepe5 5825fc000
log: [PS4][DEBUG]: prefault codepe0
log: [PS4][DEBUG]: prefault codepe1
log: [PS4][DEBUG]: prefault codepe2
log: [PS4][DEBUG]: prefault codepe3
log: [PS4][DEBUG]: prefault codepe4
log: [PS4][DEBUG]: prefault codepe5
log: [PS4][DEBUG]: mmap codepw 200868000
log: [PS4][DEBUG]: payload 93a3030b4
log: [PS4][DEBUG]: dir payload 93a3030b4
log: [PS4][DEBUG]: tramp  0xB4 0x30 0x30 0x3A 0x09 0x00 0x00 0x00
log: [PS4][DEBUG]: prefault criticalPayloadMessage
log: [PS4][DEBUG]: Loaded 2 on core 6
log: [PS4][DEBUG]: Setting affinity return 0x00000000
log: [PS4][DEBUG]: sysarch return 0
[+] Entered critical payload

After this we are in the while(1) code in the payload :) kernel execution achieved

sys_dynlib_prepare_dclose poc with clang libps4/ps4link/ps4sh output.txt
Code:
log: [PS4][INFO]: ready to have a lot of fun...
log: [PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x80C43A20
log: [PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 85
log: [PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x80C74FC0
log: [PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done
log: [PS4][DEBUG]: [PS4LINK] Command Thread Started.
log: [PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 86
log: [PS4][DEBUG]: [PS4LINK] Ready for connection 1
log: [PS4][DEBUG]: [PS4LINK] Waiting for connection
log: [PS4][DEBUG]: [PS4LINK] Command listener waiting for commands...
ps4sh> execpayload
log: [HOST][DEBUG]: [PS4SH] [PS4SH] argc=0 argv=
log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266)
log: [PS4][DEBUG]: [PS4LINK] Received command execpayload argc=0 argv=
log: [PS4][DEBUG]: socket opened is now equeals fd 3840
log: [PS4][DEBUG]: Created event queue 0x0000000000000F01
log: [PS4][DEBUG]: Created event queue 0x0000000000000F02
log: [PS4][DEBUG]: Created event queue 0x0000000000000F03
log: [PS4][DEBUG]: Created event queue 0x0000000000000F04
log: [PS4][DEBUG]: Created event queue 0x0000000000000F05
log: [PS4][DEBUG]: Created event queue 0x0000000000000F06
log: [PS4][DEBUG]: Created event queue 0x0000000000000F07
log: [PS4][DEBUG]: Created event queue 0x0000000000000F08
log: [PS4][DEBUG]: Created event queue 0x0000000000000F09
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F0F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F10
log: [PS4][DEBUG]: Created event queue 0x0000000000000F11
log: [PS4][DEBUG]: Created event queue 0x0000000000000F12
log: [PS4][DEBUG]: Created event queue 0x0000000000000F13
log: [PS4][DEBUG]: Created event queue 0x0000000000000F14
log: [PS4][DEBUG]: Created event queue 0x0000000000000F15
log: [PS4][DEBUG]: Created event queue 0x0000000000000F16
log: [PS4][DEBUG]: Created event queue 0x0000000000000F17
log: [PS4][DEBUG]: Created event queue 0x0000000000000F18
log: [PS4][DEBUG]: Created event queue 0x0000000000000F19
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F1F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F20
log: [PS4][DEBUG]: Created event queue 0x0000000000000F21
log: [PS4][DEBUG]: Created event queue 0x0000000000000F22
log: [PS4][DEBUG]: Created event queue 0x0000000000000F23
log: [PS4][DEBUG]: Created event queue 0x0000000000000F24
log: [PS4][DEBUG]: Created event queue 0x0000000000000F25
log: [PS4][DEBUG]: Created event queue 0x0000000000000F26
log: [PS4][DEBUG]: Created event queue 0x0000000000000F27
log: [PS4][DEBUG]: Created event queue 0x0000000000000F28
log: [PS4][DEBUG]: Created event queue 0x0000000000000F29
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F2F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F30
log: [PS4][DEBUG]: Created event queue 0x0000000000000F31
log: [PS4][DEBUG]: Created event queue 0x0000000000000F32
log: [PS4][DEBUG]: Created event queue 0x0000000000000F33
log: [PS4][DEBUG]: Created event queue 0x0000000000000F34
log: [PS4][DEBUG]: Created event queue 0x0000000000000F35
log: [PS4][DEBUG]: Created event queue 0x0000000000000F36
log: [PS4][DEBUG]: Created event queue 0x0000000000000F37
log: [PS4][DEBUG]: Created event queue 0x0000000000000F38
log: [PS4][DEBUG]: Created event queue 0x0000000000000F39
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F3F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F40
log: [PS4][DEBUG]: Created event queue 0x0000000000000F41
log: [PS4][DEBUG]: Created event queue 0x0000000000000F42
log: [PS4][DEBUG]: Created event queue 0x0000000000000F43
log: [PS4][DEBUG]: Created event queue 0x0000000000000F44
log: [PS4][DEBUG]: Created event queue 0x0000000000000F45
log: [PS4][DEBUG]: Created event queue 0x0000000000000F46
log: [PS4][DEBUG]: Created event queue 0x0000000000000F47
log: [PS4][DEBUG]: Created event queue 0x0000000000000F48
log: [PS4][DEBUG]: Created event queue 0x0000000000000F49
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F4F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F50
log: [PS4][DEBUG]: Created event queue 0x0000000000000F51
log: [PS4][DEBUG]: Created event queue 0x0000000000000F52
log: [PS4][DEBUG]: Created event queue 0x0000000000000F53
log: [PS4][DEBUG]: Created event queue 0x0000000000000F54
log: [PS4][DEBUG]: Created event queue 0x0000000000000F55
log: [PS4][DEBUG]: Created event queue 0x0000000000000F56
log: [PS4][DEBUG]: Created event queue 0x0000000000000F57
log: [PS4][DEBUG]: Created event queue 0x0000000000000F58
log: [PS4][DEBUG]: Created event queue 0x0000000000000F59
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5A
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5B
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5C
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5D
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5E
log: [PS4][DEBUG]: Created event queue 0x0000000000000F5F
log: [PS4][DEBUG]: Created event queue 0x0000000000000F60
log: [PS4][DEBUG]: Created event queue 0x0000000000000F61
log: [PS4][DEBUG]: Created event queue 0x0000000000000F62
log: [PS4][DEBUG]: Created event queue 0x0000000000000F63
log: [PS4][DEBUG]: Created event queue 0x0000000000000F64
log: [PS4][DEBUG]: Created event queue 0x0000000000000F65
log: [PS4][DEBUG]: m event queue created  0x00000F65
log: [PS4][DEBUG]: Created event queue 0x0000000000000F66
log: [PS4][DEBUG]: m2 event queue created  0x00000F66
log: [PS4][DEBUG]: sceKernelDeleteEqueue return: 0x00000000
log: [PS4][DEBUG]: mapping pointer 2017fc000
log: [PS4][DEBUG]: before SYS_dynlib_prepare_dlclose
log: [PS4][DEBUG]: SYS_dynlib_prepare_dlclose: -1
log: [PS4][DEBUG]: before sceKernelDeleteEqueue
After this the payload is called from trampoline code and a few messages calling sys_sendto on port 9023 are received, so kernel execution is done
  [+] Entered critical payload
After the messages are received, a wonderful panic and the console switches off.
I suppose that panic is in the knote_drop call; I must figure out the return address in the stack to try to avoid that.
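To make the first log easier to read, here is an added Python helper (not part of BigBoss's PoC or of this post) that parses the PS4LINK debug lines quoted above and checks two things the log shows but never states: the eight `tramp` bytes decode, little-endian, to the `payload` address, and the `codepeN` mappings sit exactly 4 GiB apart. The embedded log excerpt is constructed from the lines above.

```python
import re

# Constructed excerpt of the PS4LINK debug log quoted in the post (first PoC run).
SAMPLE_LOG = """\
log: [PS4][DEBUG]: xpageEntryHi = ffffffff833249a8
log: [PS4][DEBUG]: mmap codepe0 825fc000
log: [PS4][DEBUG]: mmap codepe1 1825fc000
log: [PS4][DEBUG]: mmap codepe2 2825fc000
log: [PS4][DEBUG]: mmap codepw 200868000
log: [PS4][DEBUG]: payload 93a3030b4
log: [PS4][DEBUG]: dir payload 93a3030b4
log: [PS4][DEBUG]: tramp  0xB4 0x30 0x30 0x3A 0x09 0x00 0x00 0x00
[+] Entered critical payload
"""

MMAP_RE = re.compile(r"mmap (codep[ew]\d*) ([0-9a-fA-F]+)")
PAYLOAD_RE = re.compile(r"\bpayload ([0-9a-fA-F]+)")
TRAMP_RE = re.compile(r"tramp\s+((?:0x[0-9a-fA-F]{2}\s*)+)")


def parse_log(text):
    """Pull the mapping addresses, payload address and trampoline bytes out of the log."""
    info = {"mmaps": {}, "payload": None, "tramp": None, "entered": False}
    for line in text.splitlines():
        m = MMAP_RE.search(line)
        if m:
            info["mmaps"][m.group(1)] = int(m.group(2), 16)
            continue
        m = PAYLOAD_RE.search(line)
        if m and info["payload"] is None:      # "payload" and "dir payload" carry the same value
            info["payload"] = int(m.group(1), 16)
            continue
        m = TRAMP_RE.search(line)
        if m:
            info["tramp"] = bytes(int(b, 16) for b in m.group(1).split())
            continue
        if "Entered critical payload" in line:
            info["entered"] = True
    return info


def tramp_target(info):
    """Decode the 8 trampoline bytes as a little-endian 64-bit address."""
    return int.from_bytes(info["tramp"], "little")


def check_run(info):
    """Consistency checks a reader can apply to a log excerpt of this PoC."""
    codepe = [v for k, v in sorted(info["mmaps"].items()) if k.startswith("codepe")]
    return {
        "tramp_points_to_payload": tramp_target(info) == info["payload"],
        # consecutive codepeN mappings differ by exactly 0x1_0000_0000 (4 GiB)
        "codepe_spaced_4gib": all(b - a == 1 << 32 for a, b in zip(codepe, codepe[1:])),
        "entered_payload": info["entered"],
    }
```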
Also, for PlayStation 3 owners, PS3 scene developer zecoxao recently patched the PS3 HDD GUI v1.3 for Arcade, with additional details below for those interested:

Download: ps3_hdd_gui_1.3_patched_for_arcade.7z (1.28 MB)

Code:
Boot Loader SE Version 4.7.8 (Build ID: 5300,50579, Build Date: 2015-12-25_19:40:53)
*** Version: 478.001
Copyright(C) 2015 Sony Computer Entertainment Inc.All Rights Reserved.
[INFO]: === eXtreme Data Rate Memory Subsystem ===
[INFO]: (Configured Memory Size per single XIO channel: 256 MBytes.)
[INFO]: XIO channel[0] is available.
[INFO]: XIO channel[1] is available.
[INFO]: ---> Total 512 MBytes are now in use.
[INFO]: SPU enable [0, 1, 2, 5, 6, 7] 11101111
[INFO]: BE:3.1, SB:DX3.2
SYSTEM_SHUTDOWN
Cell OS ***4.7.8 001 (release build: r50579 20151225_194737)
Copyright 2015 Sony Computer Entertainment Inc.
revision: 50550
date:     Fri Dec 25 19:47:37 JST 2015
SYSTEM_BOOT
*** v4.7.8
CP v1.3.3
lv2(0): total memory size: 502MB
lv2(0): kern memory size:   18MB (heap:4160KB  page pool:9216KB)
lv2(0): user memory size:  468MB
lv2(2):
lv2(2): Cell OS Lv-2 32 bit version 4.7.8
lv2(2): Copyright 2011 Sony Computer Entertainment Inc.
lv2(2): All Rights Reserved.
lv2(2):
lv2(2): revision: 50579
lv2(2): build date: 2015/12/25 19:58:58
lv2(2): processor: Broadband Engine  Ver 0x0000  Rev 0x0201
lv2(2): PPU:0, Thread:0 is enabled.
lv2(2): PPU:0, Thread:1 is enabled.
lv2(2):
lv2(2): mounting HOSTFS in default mount point "/app_home" : OK
lv2(2): mounting HOSTFS in default mount point "/host_root" : OK
rsx:      b03 500/650 vpe:ff shd:7b  [GAB886100:1:2:17:f:5:3:f:2][16:3:0:0:1:3:1][0:0:0]
lv2(2): Available physical SPUs: 6/7
lv2(2): mounting the flash file system : OK
lv2(2): creating the initial system process : OK
lv2(2): CP is available.
lv2(2): system software: system software mode (memsize=392MB)
lv2(2): creating the system software process : OK
lv2(2): sys_init: system software process set-up done.
lv2(2): creating the debug agent : BDemulator: disabled
lv2(2): OK
lv2(2): initial system process done.
===== Start agent =====
Debug Agent Version: 4.7.8 (62)
Reset parameter:  0x0000000000000000 - Reset the hardware gracefully
(lv1 + lv2 soft reset)
Boot parameter:   0x0000000000000015 - System software mode
    Memory size: 384MB (Tool mode)
    BD drive: Physical
    BD emulator speed: HDD/USB native
    BD emulator device: HDD
    File serving port: Dev Lan
    Network interface: Single
    Controllers auto-recognition: Disabled
System parameter: 0x0001000000000000
    Model: PS3 60GB HDD
    Rel. check mode: Development
Waiting for XMB to initialize
Debug Agent Version 4.7.8 (62) (Built - Dec 25 2015 20:40:30)
checking hard disk: done. (# of partition = 2)
mounting HDD in the mount point "/dev_hdd0" : OK
Fake Hdd Access Speed = 0
XMB initialization done
Game: game exec processID = [0x01010200]
cellSysmoduleLoadModule (CELL_SYSMODULE_FS) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_NET) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_NETCTL) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_HTTP) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_HTTP_UTIL) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_SSL) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_VDEC) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_ADEC) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_DMUX) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_PAMF) return CELL_OK
cellSysmoduleLoadModule (CELL_SYSMODULE_USBD) return CELL_OK
cellNetCtlInit ret = OK
cellNetCtlAddHandler ret = OK
cellNetCtlGetState ret = OK status = CELL_NET_CTL_STATE_Connecting

*** PS3AIO Initialize ***

Check USB Device Connection...
USB Device Offline -> DeviceId = -1

Wait USB Device Online...
Waiting for USJPCB Link ...
[02] - USJPCB Initializing
[01] - USJPCB Initializing

>>> USJPCB Timeout Error <<<
Download: PS3UPDAT.PUP.315.001.for.DEH.PASTA_v2.PUP.rar (132.3 MB)
[Image: PS4_Badiret_PoC.jpg]