PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 19, 2017 at 1:31 AM
Recently Volodymyr Pikhur has been working on a PS4 IPL AES + HMAC Key Recovery Project with help from nedos, using an FPGA (Field-Programmable Gate Array) programmed in Verilog to detect the IPL (Initial Program Load) read and trigger a capture board. :ninja:

PlayStation 4 hardware guys who favor FPGAs, including @Chaos Kid, will definitely take interest in this project, and here's hoping we see some more on it in the future! <3

Below are some related Tweets from vpikhur, including the demo video, alongside some fresh PS4 memes for developers:

Download: 175devkitipldecryptedbytwoconsoles.7z (259.92 KB)
Turns out the "debug key" that is used to hash "debug" firmwares from SMU effectively works on ALL retail versions of the PS4 smu firmware as well (the one on the wiki). Which means things are about to become VERY interesting...
this is the key
SMU HMAC Key (System Management Unit)
Code:
4D7E73210B677A832B9F293B496E7C3E
no, but you can probably dump your own keys/fuses with SMU code execution
the issue during all these years was, of course, endianness... book the endianness, to hell with it. anyway, now it's confirmed that the SMU key is potentially useful to run nasty code, provided that there is a way to reset available
Some more info
SMU is very privileged in PS4, not so privileged in PS5
samu has several keys, not just one. smu has only one used to hash the smu firmware. you can use this key to craft a payload, inject it together with its hash in smu firmware x86 memory, then reset smu and have some fun things happening
Why tho, people thinking it's about SAMU? But it's not like SMU is not a fairly well-known term, it'll come up what it is right away on a quick search :p
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since its based on LM32 architecture features while Zen and later switched to Xtensa cores for their SMUs.
  • amd-lm32-smu-exploit - Generic exploit for all version 7 (maybe others) LM32-based AMD SMUs used in APUs (and probably works on GPUs too)
I don’t own an Xbox One and haven’t tested there. PS4’s APU/SMU has some oddities that prevent this attack in its current form (or I’m just making a stupid mistake somewhere).
PS4 only
write to smu's registers, in theory, if we achieve code exec, we can use it to read our per-console and master keys
no. the private keys are never in the console. they also were never in ps3 and psp consoles, even though they were calculated due to sony's massive fail
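The security point running through the replies above (a symmetric HMAC key that the verifier itself must hold can be recovered from the device and then used to authenticate a modified image, whereas a private signing key that is never on the device cannot be recovered from it) is illustrated below with an added example. It is not code from this thread, from vpikhur, or from any of the projects mentioned, and it assumes nothing about the real SMU scheme: the hash algorithm, key length and image bytes are constructed placeholders, and the asymmetric scheme is a Lamport one-time signature, chosen only because it needs nothing beyond Python's standard library.

```python
import hashlib
import hmac
import os

# Assumption: the actual hash used by the SMU firmware check is not stated on the page.
DIGEST = "sha256"


# --- Symmetric authentication: signer and verifier share the same key -----------
def hmac_tag(key: bytes, image: bytes) -> bytes:
    """Tag a firmware image with a shared key (what a signer does)."""
    return hmac.new(key, image, DIGEST).digest()


def hmac_verify(key: bytes, image: bytes, tag: bytes) -> bool:
    """Verifier side. Note it needs the very same key the signer used, so the
    key must live wherever verification happens (e.g. a boot ROM)."""
    return hmac.compare_digest(hmac_tag(key, image), tag)


# --- Asymmetric authentication: verifier holds only a public key ----------------
def lamport_keygen():
    """Lamport one-time signature keys: 256 pairs of random secrets, and their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _message_bits(image: bytes):
    h = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, image: bytes):
    """Reveal one secret per message bit; only the holder of sk can do this."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(image))]


def lamport_verify(pk, image: bytes, sig) -> bool:
    """Verifier re-hashes each revealed secret and compares with the public half.
    Holding pk gives no way to produce a signature for a different image."""
    if len(sig) != 256:
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(sig[i]).digest(), pk[i][bit])
        for i, bit in enumerate(_message_bits(image))
    )


def demo():
    """Constructed images and keys; returns which checks pass so a test can assert on them."""
    genuine = b"constructed firmware body v1"
    patched = b"constructed firmware body v1 + modification"

    # Symmetric case: the verifier's copy of the key is all an attacker needs.
    rom_key = os.urandom(16)            # stands in for a key burned into a boot ROM
    tag = hmac_tag(rom_key, genuine)
    forged_tag = hmac_tag(rom_key, patched)   # anyone who extracted rom_key can do this

    # Asymmetric case: the device only ever stores pk; sk stays with the vendor.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, genuine)

    return {
        "hmac_genuine_accepted": hmac_verify(rom_key, genuine, tag),
        "hmac_patched_with_old_tag_rejected": not hmac_verify(rom_key, patched, tag),
        "hmac_patched_with_extracted_key_accepted": hmac_verify(rom_key, patched, forged_tag),
        "lamport_genuine_accepted": lamport_verify(pk, genuine, sig),
        "lamport_patched_with_old_sig_rejected": not lamport_verify(pk, patched, sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is the one the replies are about: with HMAC, a verifier that holds the key is also a signer, so once that key is read out of the device, every image it guards can be re-tagged. With the Lamport scheme the device holds only hashes of the secrets, which is why the private key cannot be "read out of the console" in the first place. Lamport keys are single-use; they are shown here only for their simplicity, not as a recommendation for a real firmware signing scheme.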
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There's not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it's a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.
From what I've heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP's security model already done:
seems smurw doesn't write the shellcode on ps4 to the sram... sadge :(
i get this instead of the actual shellcode that's supposed to be written:
Code:
reading shellcode memory
3f120: 2888842D
3f124: 7244062E
3f128: FEB2AF3E
3f12c: 75EF0559
3f130: 183AC358
3f134: F4B0B100
3f138: FC8C79BC
3f13c: 997EF94E
3f140: 34A92D80
3f144: 1C834C80
3f148: BF9A9BF9
3f14c: BFFEBB97
the exploits we have are useless against it
(Image: PS4 IPL AES + HMAC Key Recovery Project Demo by Vpikhur.jpg)

Comments

the first to scream fake when everything is all in front of you. I've stated FPGA many times for simple facts; maybe before screaming fake, look into it, no?

FPGAs are hackers' boards; they allow access into a system, and if you didn't notice, the video shows a Spartan 6 being used for pipe and radio as in (transceiver)

"everything is all in front of me" ??

Sorry, I don't see ANYTHING in this video. Only a cable leaning on a PS4 main board (probably broken :D), some other main board, another cable, a mouse, a keyboard and a monitor. Nothing that can prove a jailbreak, a key.

Until I see a CFW on MY PS4 (thanks to a real hacker), every video or picture, for me, is FAKE !!

:ROFLMAO::bananaman::bananaman::ninja:
 
"everything is all in front of me" ??

Sorry, I don't see ANYTHING in this video. Only a cable leaning on a PS4 main board (probably broken :D), some other main board, another cable, a mouse, a keyboard and a monitor. Nothing that can prove a jailbreak, a key.

Until I see a CFW on MY PS4 (thanks to a real hacker), every video or picture, for me, is FAKE !!

:ROFLMAO::bananaman::bananaman::ninja:
You obviously don't know what you're looking at. Yeah, a broken PS4, yet the guy is using an expensive setup that states otherwise. Those PMODs attached are for flashing, but yeah, it's broken as you stated. Or maybe start learning something before making claims you don't know about, besides your "I want CFW" cries like a baby.
 
You obviously don't know what you're looking at. Yeah, a broken PS4, yet the guy is using an expensive setup that states otherwise. Those PMODs attached are for flashing, but yeah, it's broken as you stated. Or maybe start learning something before making claims you don't know about, besides your "I want CFW" cries like a baby.
Why even bother answering those guys. All they want is to be handed a CFW on a gold platter. Even when the CFW comes out they will claim it's fake and wait until someone else tests it for them.
 
Why even bother answering those guys. All they want is to be handed a CFW on a gold platter. Even when the CFW comes out they will claim it's fake and wait until someone else tests it for them.
That's very true. I'm quite done dealing with these guys; they cry when they don't get their way. Sounds like a bunch of kids who are inexperienced in hardware or have knowledge of what's going on. And the claim of A-8 > SAMU is a joke, look here

(Image: ti_am57x_block.jpg)

 
Nobody has those keys except SONY. SAMU is a chip, a black box.

And if you can decrypt ISOs what will you do? Your PS4 has to be jailbroken to install .pkg (in debug mode). FIFA and Minecraft ISOs are decrypted and available for download.

Someone installed those 2 games on FW > 1.76 ? No :(
welcome back FIDO, see you didn't last long lol
 
You obviously don't know what you're looking at. Yeah, a broken PS4, yet the guy is using an expensive setup that states otherwise. Those PMODs attached are for flashing, but yeah, it's broken as you stated. Or maybe start learning something before making claims you don't know about, besides your "I want CFW" cries like a baby.
Why even bother answering those guys. All they want is to be handed a CFW on a gold platter. Even when the CFW comes out they will claim it's fake and wait until someone else tests it for them.
Of course, I don't know what I'm looking at, like 98 or maybe 99% of users of this forum, but everybody is tired of watching fake pictures (quertyoruiop) or videos (volodymyr ....... who was this ??, now he is famous, with this video).

Everyone is good at putting a cable and an old main board over or near a disassembled PS4, turning on a PC and writing " I'M WORKING ON PS4 AND XBOX ONE " "YEAH, I'M THE BEST HACKER IN THE WORLD" "YEAH"

I don't cry .... I laugh when I see this tweet, and I like this forum for this, People who incite these fake hackers :ROFLMAO::ROFLMAO::ROFLMAO: "Yeah !!! Good job !! You are the best !! " Very very very funny !!!

If a CFW is released, ok, good; otherwise do you think I don't play with my PS4 ?? Nooooo, you are wrong, my friend. I buy used (sometimes new) games, I play and I resell. This is my "working jailbreak"

A real and serious hacker studies, discovers and publishes OR SELLS. He is silent and remains anonymous, and sure, he doesn't make pictures or videos.
 
I had to register just to point out how dumb and inexperienced you are.

First of all - have you ever done a big DIY project before? Dabbled with electronics, programming? Now imagine doing something that only someone with a lot more technical knowledge can achieve. Only someone among a handful of people in the whole world - if that doesn't make you proud, then you're probably dead inside. And what do you want to do when you're proud and happy?

SHARE WITH THE WORLD, SO PEOPLE CAN APPRECIATE IT. Even if it's not finished. And what do you think happens when people discover a complicated hardware hack? They won't release it till they optimize it enough, so an internet "hacker hater" like you can install it by paying people to solder stuff for him. Do you really want to buy an FPGA board + other hardware that's a lot more expensive than a PS4 and cannot be re-used? I don't think you do.

Secondly - what the hell do you even know about hacking? How can you judge who is a real hacker or not? It's like a bunch of stupid hating kids calling themselves the wisest and reserving the right to point out who to like and who to hate. People don't release stuff for various reasons, examples being:

a) it's worth loads of money (think like tens of thousands of dollars) UNLESS the public has it
b) it contains a world of knowledge about the system and if they release it, it will be patched and can no longer serve as such a source
c) they fear a lawsuit (remember Geohot?)
d) they don't think it will be ethical in other people's hands for some reason

and many, many more. But they still want to brag about it because hacking is a great technical achievement and it's damn worth bragging about!

So, to sum it up: grow up, get a life, learn to appreciate other people for doing stuff that you don't know crap about and stop demanding things, but earn them yourself. Thank you for reading and see you in the next episode of Ranting with Fernandez.
 
My dear Fernandez, I forgot to write that I RESPECT ALL GUYS WHO WORK FOR THE PS4 SCENE. I RESPECT you, who surely know hardware better than me. I RESPECT Chaos kid, bombod, psxhax, for their work, opinions etc... BUT I hate people that post tweets or fake pics or videos with nothing behind them. For me it's fake. I can't believe it. Sorry. I don't want enemies in this forum, but I write what I think about these "hackers". Thanks!
 
Nobody is anybody's enemy here. We all have the right to express our opinions; this is what forums are made for. But saying you respect and showing you respect someone's work are 2 different things. As @Fernandez said, when you do something from scratch that nobody before you has done, you feel the need to brag about it.

Sometimes you can get advice from one picture or video you post. Like a wrong line of code, a wrong wire connection. There are knowledgeable people out there that are unable to buy hardware but are able to use it.

Calling everything fake is not helping. Not at all.
 