PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 19, 2017 at 1:31 AM | 67
Status: Not open for further replies.
Recently Volodymyr Pikhur has been working on a PS4 IPL AES + HMAC Key Recovery Project with help from nedos, utilizing a Verilog FPGA (Field-Programmable Gate Array) design to detect the IPL (Initial Program Load) read and trigger a capture board. :ninja:

PlayStation 4 hardware guys that favor FPGAs, including @Chaos Kid, will definitely take interest in this project, and here's to hoping we see some more on it in the future! <3

Below are some related Tweets from vpikhur, including the demo video, alongside some fresh PS4 MEMEs for developers:

Download: 175devkitipldecryptedbytwoconsoles.7z (259.92 KB)
Turns out the "debug key" that is used to hash "debug" firmwares from SMU effectively works on ALL retail versions of the PS4 smu firmware as well (the one on the wiki). Which means things are about to become VERY interesting...
this is the key
SMU HMAC Key (System Management Unit)
Code:
4D7E73210B677A832B9F293B496E7C3E
no, but you can probably dump your own keys/fuses with SMU code execution
the issue during all these years was, of course, endianness... book the endianness, to hell with it. anyway, now it's confirmed that the SMU key is potentially useful to run nasty code, provided that there is a way to reset available
Some more info
SMU is very privileged in PS4, not so privileged in PS5
samu has several keys, not just one. smu has only one used to hash the smu firmware. you can use this key to craft a payload, inject it together with its hash in smu firmware x86 memory, then reset smu and have some fun things happening
Why tho, people thinking it's about SAMU? But it's not like SMU is not a fairly well-known term, it'll come up what it is right away on a quick search :p
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since its based on LM32 architecture features while Zen and later switched to Xtensa cores for their SMUs.
  • amd-lm32-smu-exploit - Generic exploit for all version 7 (maybe others) LM32-based AMD SMU's used in APUs (and probably works on GPUs too)
I don’t own an Xbox One and haven’t tested there. PS4’s APU/SMU has some oddities that prevents this attack in its current form (or I’m just making a stupid mistake somewhere).
PS4 only
write to smu's registers, in theory, if we achieve code exec, we can use it to read our per-console and master keys
no. the private keys are never in the console. they also were never in ps3 and psp consoles, even though they were calculated due to sony's massive fail
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There's not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it's a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.
From what I've heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP's security model already done:
seems smurw doesn't write the shellcode on ps4 to the sram... sadge :(
i get this instead of the actual shellcode that's supposed to be written:
Code:
reading shellcode memory
3f120: 2888842D
3f124: 7244062E
3f128: FEB2AF3E
3f12c: 75EF0559
3f130: 183AC358
3f134: F4B0B100
3f138: FC8C79BC
3f13c: 997EF94E
3f140: 34A92D80
3f144: 1C834C80
3f148: BF9A9BF9
3f14c: BFFEBB97
the exploits we have are useless against it
PS4 IPL AES + HMAC Key Recovery Project Demo by Vpikhur.jpg
Comments

With all these devs working and releasing updates of their WIP, the scene is slowly starting to remove the attention on qwerty (and racer :p). People just need something to chew on while they wait.