PS4 Kernel Exploit: today PlayStation 4 developer CTurt announced that he plans to completely stop further PS4 research.
This news comes just prior to his sharing, earlier today, of an article outlining PS4 kernel exploitation: Hacking the PS4, Part 3 / Kernel Exploit for 1.76 / PS4-BadIRET (private repo)
[Delevler] hello all
[Delevler] Came here to ask if the ps4 kernel exploit is a real threat or just some patched old firmware
[yifanlu] "threat" to whom?
[yifanlu] to sony, it's a real threat
[yifanlu] because it allows hackers to decrypt stuff and reverse it
[yifanlu] but yes, it's been patched since 2.x
[Delevler] so the person who recently said that he has "jailbroken" the ps4 just wanted to get famous or what
[yifanlu] I mean of course. we all know CTurt, right
[Delevler] oh he is here in chat, didn't notice
[CTurt] I am such an attention whore
[CTurt] I hate it
[CTurt] I need to behave myself
[yifanlu] but yeah, it's useful for us devs but not really to any users
[Delevler] heh sorry i didn't want to offend you but I just couldn't find appropriate words for how to say it
[Delevler] I know it opens a new gate for the devs but I wanted to know if it's something like the ps3
[yifanlu] badiret has been patched in freebsd for a while now. they forgot to post a security advisory so sony never ported the changes
[yifanlu] which is funny because sony chose to fork an old freebsd version and manually put patches in
[yifanlu] I mean yeah sure, you can run backup games if you can get it working
[hykem] You can decrypt anything but no keys though, guess we could call it a jailbreak without the k and add it a d for decryption
[yifanlu] I mean that's pretty much the case on 3ds too
[yifanlu] we get a nice black box for decryption
[hykem] Yeah, but 3DS's jailbread is tastier
[HelsAngel] and fully 3d
[hykem] Anyway, with the current hardware crypto solutions, this will probably be the common case in the
[hykem] Extracting keys of any kind has become much more difficult
[Delevler] quantum computers?
[darkfader] NSA advisory: stick with current algorithms
[yifanlu] buzzword: sidechannel
[hykem] Side-channel attacks do quite well in some scenarios. Like that acoustic probing that led to RSA
[hykem] leakage eavesdrop*
[yifanlu] sidechannel is a bit more difficult on SoCs though, but nothing like a good challenge
[yifanlu] if we can find which pin powers the crypto engine (and not too many other things), I can probably get you the 3ds keys
[CTurt] am I the only one who doesn't really care about encryption?
[yifanlu] for me, I consider getting the embedded keys as the ultimate flag
[yifanlu] once that's captured, we own the system completely
[yifanlu] so I always set that as my goal
[Delevler] wait i dont get it
[Delevler] can someone explain to me how all this works
[yifanlu] what part lol
[Delevler] to run for example a backup copy we need a key that is encrypted, am i right
[hykem] yifanlu: My goal is the same, embedded keys are the last stage
[yifanlu] [1:01pm] hykem: You can decrypt anything but no keys though, guess we could call it a jailbreak without the k and add it a d for decryption
[yifanlu] that's your answer
[hykem] Would be nice to see a successful hardware attack on the 3DS
[hykem] Always been interested in its hw crypto
[hykem] CTurt: Crypto is always the master challenge. It's fun to tear a system to pieces
[flatz] heh, my interest is crypto too
[CTurt] crypto is boring
[CTurt] the same algorithms everyone uses
[darkfader] disassembling then?
[flatz] but you need to reverse formats too
[yifanlu] yet... everyone seems to get it wrong
[flatz] also, obfuscation, etc
[yifanlu] although I wouldn't call finding the keys crypto. that's more system security
[flatz] nids is known for about 1.5 years
[flatz] yeah, yifanlu, you're right. so system security is my goal
[flatz] which includes keys, proprietary formats and other algorithms
[yifanlu] dat pfs
[CTurt] sceSblSsDecryptSealedKey banter
[hykem] Yeah, system security is a better description. Crypto itself is a collection of widely used and
[flatz] however sony likes to use custom algos too
[flatz] compression, encryption
[rck`d] picking the right tool for the job. Sometimes.
[yifanlu] although crypto itself is pretty fun to do. Bleichenbacher's RSA attack is one of my favorite attacks since it exploits both the implementation and the scheme itself
[hykem] flatz: True. A lot of other companies love to do this too. For some reason they always think they do
[hykem] yifanlu: Indeed. Once in a while we get see gems like that
[hykem] get to see*
[yifanlu] ugh. you guys didn't have to deal with azlr compression yet on ps4?
[flatz] just use qemu
[rck`d] never heard of that one, but I've dealt with plenty of terrible or strange compression schemes with
[flatz] yifanlu, it is LZRA
[flatz] similar to LZRC
[flatz] which was used in ps3
[hykem] Hate those custom compression algos
[yifanlu] it did have a hint of LZ in it
[hykem] Had to reverse 2 different ones in the past
[flatz] yes, you can find hykem's tools
[flatz] which work on LZRC
[flatz] but LZRA seems to be older
[yifanlu] wait, did you have to deal with weird bit flippings after decompression? is that part of the scheme?
[hykem] Sony's custom algos are filled with hacks
[hykem] That's why you get to see those weird bit flips
[flatz] hykem, do you have links to your sources?
[hykem] Most of them were part of the EDGE platform they manage
[flatz] i've lost urls
[flatz] i was too lazy to reverse the algo, so i've just used qemu
[flatz] and it works
[hykem] LZRC (tpunix implemented it): https://github.com/Hykem/sign_np/blob/master/tlzrc.c
[hykem] UNK LZ: https://github.com/Hykem/psxtract/blob/master/Linux/lz.c
[hykem] UNK LZ: https://github.com/Hykem/make_npdata/blob/master/Linux/lz.c
[flatz] nice thx
[hykem] make_npdata is the PS3 one
[hykem] No prob
[hykem] psxtract uses an older one
[hykem] From the PSP age
[hykem] Could be LZRA, but they keep messing with this stuff
[flatz] unfortunately nope, they're not working on LZRA but have similar
[flatz] i don't think porting it to LZRA will be hard
[hykem] Probably not. I recall they had one version of it that was optimized for the PS3's SPU and then had another unused one
[CTurt] does anyone know what firmware GTA 5 needs?
[CTurt] I need a game that needs an update higher than 1.76, but not too high
[Delevler] can i ask you guys one more question
[Delevler] every game has a different or the same one
[flatz] CTurt, if you have param.sfo, you can check there
[Joonie] let me check param.sof
[NiceShot] but isn't param.sfo inside encrypted packages? Can we decrypt psn pkgs?
[Joonie] no it's outside the pkg
[NiceShot] how do you get it, cause when I install ps4 games over proxy I only get the pkg files
[NiceShot] oh, wait with webkit you can grab them after installed right?
[NiceShot] if so forget what I am saying
[NiceShot] cause the only other way to grab param.sfo from discs is with special bluray drive
[flatz] NiceShot, sfo is stored on the disc
[Joonie] it's x:/BD/param.sfo
[Joonie] without it it wouldn't recognize disc
[Joonie] guess RIF key is the same for PSN version too
[flatz] i doubt
[Joonie] so then the same pkg but diff rif keys?
[flatz] are you sure pkg is the same?
[CTurt] does anyone know of a game that contains 2.00 update?
[Joonie] the name is the same
[flatz] well, if pkg is the same then rif key should be the same too
[Joonie] this is what's found in the disc
[Joonie] that's what I assume flatz
[flatz] CTurt, why do you need it?
[flatz] you can just install patch
[CTurt] well, I need to be able to test it...
[flatz] try with 1.76 game first
[Joonie] diablo3 has 1.71
[Joonie] the same name as one on PSN store too
[Joonie] hash matched
[Joonie] let me check sleeping dogs and witcher3
[Joonie] sleeping dogs has 1.75
[Joonie] also the same name on psnstore
[CTurt] I want a game that has 2.00
[CTurt] or above
[Joonie] oh my ps4 just came in
[Joonie] hoping 1.01
[HelsAngel] mgs5 is 2.51
[Joonie] checking witcher3 now
[Joonie] something seems changed
[Joonie] maybe 2.04?
[flatz] yes 2.04
[Joonie] let me open my box heheh
[flatz] <changes app_ver="01.05">
[flatz] - Gold will no longer reset beyond 65535
[flatz] from witcher
[Joonie] it's 3D
[Joonie] mfc December 2013
[Joonie] let me turn it on
[yifanlu] in b4 1.77
[yifanlu] first ever
[flatz] oh nice
[CTurt] 2.04 is a good firmware - but I don't want witcher 3
[Joonie] def not the launch edition
[Joonie] mine came with 1.01
[Joonie] in fact it was missing psn plus trial code
[Joonie] that when I knew it wasn't the launch edition
[CTurt] does anyone know what fw FIFA 15 comes with?
[CTurt] because it is cheap
[flatz] congrats, Joonie
[Joonie] Thanks z
[CTurt] anyone know what firmware borderlands comes with?
[hp-_] ps4 vita bundles which launched 2013 can't have sold well enough for them to restock with new fw
[hp-_] But they are expensive
[CTurt] No, I am looking for a disc with an update of firmware 2.00 - 2.03
[CTurt] preferably either a good game, or a cheap one
[Tyrant_] UP1001-CUSA01401_00-BORDERLANDSHDCOL Borderlands: The Handsome Collection
[hairo23] Download Link is no help I guess?
[hairo23] for FW 2.00 - 2.03
[Fox00] They need some ps4 to test 'em from Argentina. if I can help in something. I have basic knowledge of programming and I am advanced at welding.
[Fox00] How is everything yifanlu
[CTurt] I want to change the title!
[CTurt] no fair
[naehrwert] well now that you've insulted crypto..
[roberto26] hello. can anyone send me a guide to jailbreak ps4?
[yifanlu] there isn't one
[roberto26] does any hack exist?
[yifanlu] not publically
[roberto26] Can you help me?
[yifanlu] with what?
[roberto26] Modding My ps4 with cfw
[yifanlu] there does not exist a cfw
[mysis] yes, you take out the ps4 hdd, put it into the computer...then run cmd with: format c:
[roberto26] I fo
[mysis] 100% means jailbroken.
[xboner] too bad format c: wouldn't work, since the ps4 isn't ntfs or fat, and it's ext4
[xboner] now if you did diskpart delete volumenumber
[xboner] that would work
[saidelik-] anyone has hint to where buy PS4 with 1.76 fw?
[guepe] look at wololo
[kastor81] Sony is taking away from the sale
[saidelik-] guepe: any direct link? otherwise i'll browse the forum
[saidelike] wololo.net/2015/12/14/ps4-how-to-get-your-hands-on-a-ps4-with-a-firmware-below-1-76/ (if anyone else is interested)
[thexyz] now all these idiots will empty ps4 <= 1.76 stocks so that actual devs won't be able to buy them
[rck`d] heh, I've had a 1.76 ps4 since launch
[rck`d] or rather, I've kept one aside
[ZiL0G80] mine was 1.05 as i remember, now 1.76
[thexyz] that's super nice, CTurt
[thexyz] do you think it's ok to share though it'll probably enable piracy in 3,2,1..?
[CTurt] I did not share any code
[CTurt] or the offset required to get it working
[CTurt] or even a full example of just getting code execution
[CTurt] it is just an article about kernel exploitation, more generally for FreeBSD
[CTurt] it would be a lot of work for someone to get the exploit working, just from the info I posted
[thexyz] did you get any job offers?
[CTurt] a job would be cool though!
[thexyz] well you might add an email or something, i'm not sure if it'd work but usually these articles get to the top of hackernews and netsec/reverseengineering subreddits
[CTurt] I will do it later
[thexyz] but then sony also might sue you because they're dicks
[CTurt] well, it is always a concern
[CTurt] but I didn't post any PoC code
[CTurt] and removed a lot of details about private PS4 info
[CTurt] it is mostly just about FreeBSD exploitation
[CTurt] all they would be doing is confirming that my claims are legit
[egg] nice, i knew that your next post would be the #3 ps4 article, i'll go read it now, thx
[HelsAngel] that's a pretty cool read CTurt
[kastor81] we are surprised every day CTurt
[kastor81] good job!
[ZiL0G80] CTurt: hehe your writeup gives me some info which i need to finish my badiret exploit (probably), good work thanks
[CTurt] you got it working on FreeBSD first?
[xerpi] I agree, nice writeup, but I'm not understanding something here:
[xerpi] mov rax, gs:0 ; rax = *gs (td)
[xerpi] inc dword [rax+0x3cc] ; td->td_critnest++;
[xerpi] isn't this *(gs+0x3cc) instead of (*gs)+0x3cc ?
[thexyz] gs:0 is (*gs)
[xerpi] so mov rax, gs:0 is performing a load?
[xerpi] like this mov rax, [gs:0] ?
[ZiL0G80] CTurt: i have crash now
[thexyz] like mov rax, [gs + 0]
[xerpi] * mov rax, (gs:0)
[thexyz] it's just different syntax. also you don't know the value of gs
[xerpi] thexyz, makes sense now, weird syntax
[xerpi] I thought mov rax, gs:0 == lea rax, (gs:0)
[thexyz] nope it's a load
[thexyz] not sure what kind of syntax you're using though
[xerpi] ok, thanks
[thexyz] oh best part is you don't know the value of 'gs' (where it points to)
[thexyz] so for example you can't do a read from gs:0 from within gdb
[thexyz] on linux
[xerpi] I guess the kernel changes it each time it does a userspace context switch, to make it point to the thread private area
[CTurt] I'm feeling very paranoid right now
[CTurt] just deleted all of my emails
[CTurt] time to get off the internet!
[thexyz] eh i don't think sony would hire a hitman~
[flatz] ofc, jail is the solution
[kastor81] Flatz, do you think anybody will ever get out a CFW for ps4?
[flatz] i don't think a regular user would benefit from that
[flatz] it's just useful for a developer
[thexyz] having kodi on ps4 would be great though
[kastor81] It is but the developer can also be done with a PC
[kastor81] the ps4 is to play
[flatz] nah, i meant ps4 specific things
[flatz] security, etc
[kastor81] surely it is good to find out what mounts ps4
[kastor81] However Sony has just thanked the dev, because sales were up
[HelsAngel] sony says thanks with lawyers and lawsuits
[ZiL0G80] cturt left ps4 scene twitter.com/CTurtE/status/677613979750019072
[egg] there is also a new article Kernel exploit for 1.76 https://cturt.github.io/articles.html but there is nothing
[ZiL0G80] its private repo
[egg] and flatz and two more are not in thanks anymore https://cturt.github.io/ps4-3.html
[HelsAngel] what does that tweet say ZiL0G80? i don't use twitter and that's private now, only to followers
[egg] he decided that he will completely stop with any further ps4 research
[HelsAngel] that sucks
[HelsAngel] you gonna take over where he stopped?
[HelsAngel] he was the only one sharing it this openly
[rw] nah i'd rather just sit around and talk crap about him. that'll show him! =D
[flatz] egg, it's not safe to be in the list
[unknown__] he at least released a great writeup about the exploit in part 3 of his exploit series
[unknown__] does anyone know if he expands on this
[unknown__] "With the help of flatz, I've been able to leverage ROP to setup memory in such a way that I can write my own code into it, and execute it."