Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 28, 2017 at 12:22 AM
Following his Christmas Eve Confirmation and PS4 4.05 Kernel Exploit release, today PlayStation 4 developer @SpecterDev announced on Twitter that he published his "NamedObj" 4.05 Kernel Exploit Writeup as promised! :notworthy:

PS4 developers can read it in its entirety on GitHub; below is a brief summary of the changes since 1.76 and his conclusion, to quote from the "NamedObj" 4.05 Kernel Exploit Writeup:

Changes Since 1.76

Some notable things have changed since 1.76 firmware, most notably the change where Sony fixed the bug where we could allocate RWX memory from an unprivileged process.

The process we hijack via the WebKit exploit no longer has RWX memory mapping permissions, as JIT is now properly handled by a separate process. Calling sys_mmap() with the execute flag will succeed; however, any attempt to actually execute this memory as code will result in an access violation. This means that our kernel exploit must be implemented entirely in ROP chains, no C payloads this time.

Another notable change is kernel ASLR (kASLR) is now enabled past 1.76.

Some newer system calls have also been implemented since 1.76. On 1.76, there were 85 custom system calls. On 4.05, we can see there are 120 custom system calls.

Sony has also removed system call 0, so we can no longer call any system call we like by specifying the call number in the rax register. We will have to use wrappers from the libkernel.sprx module provided to us to access system calls.


Conclusion

This exploit is quite an interesting exploit, though it did require a lot of guessing and would have been a lot more fun to work with should I have had a proper kernel debugger. Getting a working object can be a long and grueling process depending on the leak you're using.

Overall this exploit is incredibly stable; in fact I ran it over 30 times and neither WebKit nor the kernel crashed once. I learned a lot from implementing it, and I hope I helped others like myself who are interested in exploitation, and hopefully others will learn some things from this write-up.


Special Thanks
  • CTurt
  • Flatz
  • qwertyoruiopz
  • other anonymous contributors
If anyone wants to continue trying to port the exploit to 3.55 you can use this. I got as far as trying to leak a good object; ROP was working, etc. It's just that Specter's leak could never get a suitable object for the exploit on 3.55.

Download: 3.55-specterPort.7z (16.48 KB) / PS4 Entrypoint 4.05 by IDC
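The distinction the writeup draws above, that an mmap() request with the execute flag succeeds while actually executing the mapping faults, can be checked directly on an ordinary host. The following C program is an added example and is not SpecterDev's code or anything from the PS4 firmware: it maps one page with and without PROT_EXEC, copies in a tiny "return 42" stub, and catches the resulting fault with sigsetjmp/siglongjmp so the probe can report a result instead of dying. It assumes a Linux or BSD-style mmap() and an x86_64 or AArch64 CPU; the function name probe_exec and the stub bytes are this example's own.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* Any SIGSEGV/SIGBUS raised while calling into the mapping lands here and
 * unwinds back to the sigsetjmp() in probe_exec(). */
static void fault_handler(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Machine code for "return 42" on the two architectures this example supports.
 * Constructed for the example; returns NULL (len 0) elsewhere. */
static const uint8_t *stub_bytes(size_t *len) {
#if defined(__x86_64__)
    static const uint8_t code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3}; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
    static const uint8_t code[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* mov w0,#42 ; ret */
#else
    *len = 0;
    return NULL;
#endif
    *len = sizeof code;
    return code;
}

/* Maps a page (RW, plus X if want_exec), writes the stub into it and tries to
 * run it.  Returns 1 if the stub ran and returned 42, 0 if the CPU faulted
 * (the mapping exists but is not executable), -1 if mmap failed or the
 * architecture is unsupported. */
int probe_exec(int want_exec) {
    size_t len;
    const uint8_t *code = stub_bytes(&len);
    if (code == NULL)
        return -1;

    int prot = PROT_READ | PROT_WRITE | (want_exec ? PROT_EXEC : 0);
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;                      /* the request itself was refused */
    memcpy(p, code, len);
    /* Required on AArch64 so the I-cache sees the freshly written bytes. */
    __builtin___clear_cache((char *)p, (char *)p + len);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)p;
        result = (fn() == 42) ? 1 : 0;  /* mapping is executable */
    } else {
        result = 0;                     /* access violation on execute */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(p, page);
    return result;
}

int main(void) {
    printf("RWX mapping executes: %d\n", probe_exec(1));
    printf("RW  mapping executes: %d\n", probe_exec(0));
    return 0;
}
```

On a stock Linux desktop the first probe returns 1 and the second returns 0. The situation the writeup describes on 4.05 is the first case behaving like the second: the RWX request is accepted, but the first instruction fetch from the page faults, which is why the kernel exploit has to be driven entirely from a ROP chain built out of existing executable code rather than from a freshly written C payload.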

Season's greetings to @ombus in the PSXHAX Shoutbox for the heads-up! :kitty:

Comments

PSXHAX (Staff Member):
Not yet, but possible in the future... my guess is maybe 4.55 will be next in line but even that could be quite awhile. Time will tell. :unsure:
 