Status
Not open for further replies.
In PS4Scene news this weekend, developer @CelesteBlue (Github / Twitter) recently detailed a PS4 CR0.WP Protection (Write Protect) Kernel Security Bypass applicable since at least PS4 OFW 6.51 on the PSDevWiki working exploits page. 🤩

This follows the PS4 Jailbreak 2 updates, latest GoldHEN v1.1 release, PS4 Synacktiv Presentation SSTIC 2021 Recap, PS4 / PS5 SMAP Bypass by m00nbsd and new PS4 Fake PKGs (FPKGs) for those interested.

Below are the technical details for scene devs from PSDevWiki.com, as follows:

CR0.WP protection

At least since firmware 6.51, Sony has instrumented all instructions that write to the CR0 register with checks for attempts to clear CR0.WP (Write Protect), which is necessary for patching the kernel. This is what it looks like in the 6.51 kernel:
Code:
a1b79:       0f 22 c0                mov    cr0,rax
a1b7c:       48 a9 00 00 01 00       test   rax,0x10000
a1b82:       75 02                   jne    a1b86 <-- skip the next instruction if CR0.WP is not cleared
a1b84:       0f 0b                   ud2    <-- #UD exception, causes a kernel panic
a1b86:       c3                      ret
Note that the check is after the write, to prevent a ROP gadget from pointing straight at the mov and skipping the verification.

Bypasses (in chronological order):
  • Use an "unintended" mov to cr0 in the middle of another instruction (e.g. instruction "call $+0x220f1c" (e8 17 0f 22 00) contains an unintended "mov cr0, rax" (0f 22 00))
  • Use kernel write to give your process JIT permissions, allocate JIT memory, and put entirely custom code there (avoids the problem altogether, as it is specific to ROP)
  • Since the IDT is writable on FreeBSD and PS4, it is possible to overwrite an exception handler without clearing CR0.WP first. One can overwrite the handler of #UD with a gadget of their choice (a stack pivot, or an "add rsp, ... ; ret", or whatever else), and the UD2 instruction in the mitigation code will happily jump to it instead of the real handler, with CR0.WP cleared.
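
The gap behind the first bypass can be measured from the defender's side: the check only follows the mov instructions the compiler emitted, while the CPU decodes 0f 22 /r at any byte offset. The script below is an added example, not code from PSDevWiki or the original post; it audits a byte blob for every CR0 write encoding and reports whether the listing's check follows it. The function name, the sample layout and the address of the second hit are assumptions made for illustration.

```python
# Added example (not PSDevWiki or Sony code): audit raw x86-64 code bytes for
# CR0 writes that are not followed by the CR0.WP check shown in the listing.
GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# Guard bytes copied from the 6.51 listing: test rax,0x10000 / jne +2 / ud2.
# Assumption: only this rax form of the check is recognised.
GUARD = bytes.fromhex("48a900000100" "7502" "0f0b")


def find_cr0_writes(code: bytes, base: int = 0):
    """Return (address, source_register, guarded) for every byte offset that
    decodes as 'mov cr0, r64' (0F 22 /r with ModRM.reg == 0) when execution
    starts at that offset, whether or not it is an intended instruction."""
    hits = []
    pos = code.find(b"\x0f\x22")
    while pos != -1 and pos + 2 < len(code):
        modrm = code[pos + 2]
        # ModRM.mod is ignored for moves to control registers, so
        # 0f 22 00 and 0f 22 c0 both decode as mov cr0, rax.
        if (modrm >> 3) & 7 == 0:
            guarded = code[pos + 3:pos + 3 + len(GUARD)] == GUARD
            hits.append((base + pos, GPR[modrm & 7], guarded))
        pos = code.find(b"\x0f\x22", pos + 1)
    return hits


# Constructed sample: the instrumented sequence from the listing, followed
# directly by the call bytes quoted in the first bypass bullet. Placing them
# back to back is an assumption; only the first address comes from the page.
SAMPLE = bytes.fromhex("0f22c0" "48a900000100" "7502" "0f0b" "c3" "e8170f2200")
BASE = 0xA1B79

if __name__ == "__main__":
    for addr, reg, guarded in find_cr0_writes(SAMPLE, BASE):
        state = "followed by WP check" if guarded else "NO WP check follows"
        print(f"{addr:#x}: mov cr0, {reg}  [{state}]")
```

A linear-sweep disassembly of the same bytes shows only the first hit, which is why instrumenting the intended instructions alone leaves the second one uncovered.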
Cheers to @HydrogenNGU for passing along this news earlier via Twitter: 🍻

PS4 Jedi “MASTER” Key has been documented by Zecoxao.
Code:
Key: 9B03D4FB5FEC1A2373462C45E4BC72A6
This key decrypts DualShock4 Firmwares. Algorithm is AES-128-CBC. Zeroed IV.
This set of files should produce the necessary keys for the GP2040-CE PS4 Mode. You can quickly find it via Google search, but I've decided to put it here for you to use. This will make the device able to skip the 8 minute timeout.
  • ds4-master-custom-lJArAqXq.zip (789.79 KB - includes ds4sig.bin, jedi_crypto.py, jedi_crypto-mod.py, jedi_flash-Aug_3_2013.bin, jedi_flash, Aug_3_2013.idc, jedi_tool.py and ps4nonce.bin via GodzIvan)
emulating ps4 controller without 8 minute timeout

From the included README.md:
Code:
# ds4
Tools for working with DualShock 4

With fw of controller, it is possible to do interesting things like:
 * flash custom fw to controller
 * learn how all aspects of controller works
 * implement native pairing on other host devices
 * present custom hardware as "official" DS4 to PS4

- GodzIvan -

Working ????
 

Comments

@mukasange sorry to be the bearer of bad news, but it's highly unlikely 6.72+ will get to the point of 5.05's stability, meaning 5.05 will always be much more stable. Why, you may ask? The exploit used in 6.72+ is just more unstable than the exploit used in 5.05.

also:
 