Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 4, 2017 at 11:48 PM
Status
Not open for further replies.
Following the initial PS4 Playground for Firmware 1.76 and the 3.55 PS4 Playground (WIP), PlayStation 4 developer zecoxao, with help from bigboss, wildcard and droogie, has been porting the dlclose exploit to PS4 Firmware 1.01 in hopes of finding undiscovered, exploitable bugs. ;)

Download: PS4 Playground 1.01 (GIT) / SceShellCore.elf (8.97 MB)

According to @zecoxao, to quote: "Most offsets SHOULD be fine and most stuff is working BUT we do NOT have code exec working yet. if anyone knows why, please contact us :)"

From the README.md file: PS4-playground

A collection of PS4 tools and experiments using the WebKit exploit. This is for firmware 1.76/1.01 only at the moment.

Although initially just a framework to help write and execute ROP chains, the playground now allows running compiled unsigned binaries and booting Linux from USB.

Setup

A live demo can be tried here.

You should clone the repo and upload it to your own server if you wish to make changes:
Code:
git clone git://github.com/CTurt/PS4-playground.git
You can also download a zip of the latest source here. (GitHub has since retired the unauthenticated git:// protocol; if the clone above fails, use the https:// URL of the same repository.)

Usage

After executing a test, you should either refresh the page or close and reopen the browser entirely; running multiple experiments sequentially is not reliable. If you are using a web browser view in an app that isn't the Internet Browser, you can use the Refresh button under Misc to refresh the page.

Code Execution

Click "Go", and wait for the text "Stage: Waiting for payload..." to appear.

Send the desired binary over TCP to your PS4 on port 9023; you can use any standard networking tool to do this, or my custom Windows tool, WiFi-Loader.

If you're on Linux, the easiest way is probably to use netcat (replace 192.168.0.7 with your PS4's IP address and payload.bin with the single binary you want to run; a glob such as *.bin gives an "ambiguous redirect" error if more than one file matches):
Code:
nc -w 3 192.168.0.7 9023 < payload.bin
After you have sent the binary, it will be executed automatically.

Linux loader

You need a FAT32 formatted USB drive plugged in on any PS4's USB port with the following files on the root directory:
  • bzImage : Kernel image that will be loaded. It is recommended to compile it from these sources.
  • initramfs.cpio.gz : The initial file system that gets loaded into memory during the Linux startup process. This one is recommended.
The file names must match the above exactly; other files may be present on the same USB drive. From there you can set up the environment to run from an NFS share or from an external USB drive (recommended) and boot a complete distro!

Syscalls
  • Get PID - Get process ID
  • Get Login - Get login name and leak a kernel pointer
Modules
  • Get Loaded Modules - Get a list of currently loaded modules, index and ID
  • Dump Loaded Module - Dump a currently loaded module (use Get Loaded Modules to see all available)
  • Load Module - Load an additional module from this list
  • Once you have loaded a module, refresh the page, and you will be able to dump it.
Filesystem
  • Browse - File Browser
  • Get PSN username - Read your PSN username from account.dat
  • Get Sandbox Directory - Get the name of the current sandbox directory (10 random characters which change each reboot)
Memory
  • Get Stack Protection - Get stack base, size, and protection
  • Get Stack Name - Get stack base, size, and name
Socket
  • Send Message - Send a TCP message to the specified IP and port
Receiving data
  • File and memory dumps will be sent over TCP to the IP and port you specified.
  • You can use a simple tool like TCP-Dump to write the data to a file.
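The receiving side is left to "a simple tool like TCP-Dump" above. The following is an added example (not code from the PS4-playground repo or its author) of what such a tool has to do: listen on the port you typed into the playground, accept the one connection the PS4 opens, write the stream to a file until the PS4 closes the socket, and report how many bytes arrived so a truncated dump is noticed. The port 9022 and the file name in the build comment are arbitrary choices for this example, not documented defaults. The copy loop is separated from the socket setup so it works on any file descriptor.

```c
/*
 * dumprecv.c: receive one PS4 Playground TCP dump into a file.
 * Added example, not part of PS4-playground. Build and run, e.g.:
 *   cc -o dumprecv dumprecv.c && ./dumprecv 9022 module.bin
 * then trigger "Dump Loaded Module" in the playground with this host's IP
 * and port 9022 (example values; use whatever you entered in the page).
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Copy everything readable from in_fd into the file at path until EOF
 * (the PS4 closing the connection marks the end of the dump).
 * Returns the number of bytes written, or -1 on error. Works on any fd
 * (socket or pipe), which is what makes it testable offline. */
static long drain_to_file(int in_fd, const char *path)
{
    FILE *out = fopen(path, "wb");
    if (!out)
        return -1;

    unsigned char buf[16384];
    long total = 0;
    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n == 0)
            break;                      /* peer closed: dump complete */
        if (n < 0) {
            if (errno == EINTR)
                continue;
            fclose(out);
            return -1;
        }
        if (fwrite(buf, 1, (size_t)n, out) != (size_t)n) {
            fclose(out);
            return -1;
        }
        total += n;
    }
    if (fclose(out) != 0)
        return -1;
    return total;
}

/* Bind to all interfaces on port, accept exactly one connection and return
 * the connected socket (the listening socket is closed), or -1 on error. */
static int accept_one(unsigned short port)
{
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0)
        return -1;
    int one = 1;
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(srv, 1) < 0) {
        close(srv);
        return -1;
    }
    int conn = accept(srv, NULL, NULL);
    close(srv);
    return conn;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <port> <outfile>\n", argv[0]);
        return 2;
    }
    int conn = accept_one((unsigned short)atoi(argv[1]));
    if (conn < 0) {
        perror("accept_one");
        return 1;
    }
    long n = drain_to_file(conn, argv[2]);
    close(conn);
    if (n < 0) {
        perror("drain_to_file");
        return 1;
    }
    printf("wrote %ld bytes to %s\n", n, argv[2]);
    return 0;
}
```

Compare the reported byte count with the size shown by Get Loaded Modules or the file browser; a dump that stops short usually means the page timed out or the PS4 browser was refreshed mid-transfer, and has to be redone.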
Code:
*(uint16_t *)0xFFFFFFFF827E31EE = 0x9090; 
*(uint16_t *)0xFFFFFFFF827E31FD = 0x9090; 
*(uint16_t *)0xFFFFFFFF827E3202 = 0x9090;
Patches for decrypt_pup_header (1.76):
Code:
*(uint16_t *) 0xFFFFFFFF827C445C = 0x9090;
*(uint16_t *) 0xFFFFFFFF827C446B = 0x9090;
*(uint16_t *) 0xFFFFFFFF827C4470 = 0x9090;
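Every patch listed above writes 0x9090 (two `nop`s) over exactly two bytes of kernel text. The page does not say which instructions sit at those addresses; a two-byte site guarding a check is most often a rel8 conditional jump (opcodes 0x70..0x7F, such as `je`/`jne`), and that is the assumption the added example below makes. It is not code from the playground or from zecoxao: it applies a list of two-byte NOP patches to an in-memory image (such as a kernel dump, addressed by offset, since the page gives no image base to convert the kernel virtual addresses with), and it refuses to write anything unless every site first passes a byte check. That check is what protects you from NOPping the wrong bytes when an offset from one firmware is reused on another, which is exactly the situation a 1.76-to-1.01 port is in.

```c
/*
 * nop_patch.c: verified two-byte NOP patching of a code image.
 * Added example, not part of PS4-playground. Operates on a dump in memory,
 * not on live kernel memory; offsets and bytes below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nop_patch {
    size_t  off;        /* offset of the 2-byte instruction in the image */
    uint8_t expect[2];  /* bytes expected at the site when strict == 1 */
    int     strict;     /* 1: both bytes must match expect;
                           0: accept any rel8 conditional jump */
};

/* rel8 Jcc opcodes occupy 0x70..0x7F (jo, jno, jb, ..., jg). */
static int is_rel8_jcc(uint8_t op)
{
    return op >= 0x70 && op <= 0x7F;
}

/* Same effect as the page's `*(uint16_t *)addr = 0x9090;` (byte order is
 * irrelevant because both bytes are 0x90). */
static void write_nop2(uint8_t *site)
{
    uint16_t v = 0x9090;
    memcpy(site, &v, sizeof v);
}

/* Verify all sites first, then patch all of them. Returns the number of
 * patches applied, or -(i+1) for the first entry i that failed (out of
 * range, strict bytes differ, or not a rel8 jcc); in that case the image
 * is left completely untouched. */
int apply_nop_patches(uint8_t *img, size_t len,
                      const struct nop_patch *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i].off > len - 2 || len < 2)
            return -(int)(i + 1);
        const uint8_t *site = img + p[i].off;
        if (p[i].strict) {
            if (memcmp(site, p[i].expect, 2) != 0)
                return -(int)(i + 1);
        } else if (!is_rel8_jcc(site[0])) {
            return -(int)(i + 1);
        }
    }
    for (size_t i = 0; i < n; i++)
        write_nop2(img + p[i].off);
    return (int)n;
}

int main(void)
{
    /* Constructed 16-byte image, not real PS4 kernel bytes:
     * `test rax,rax` at 0, `je +5` at 3, a nop, `jne -16` at 6, `ret` at 8. */
    uint8_t img[16] = { 0x48, 0x85, 0xC0, 0x74, 0x05, 0x90,
                        0x75, 0xF0, 0xC3, 0x90, 0x90, 0x90,
                        0x90, 0x90, 0x90, 0x90 };
    const struct nop_patch sites[] = {
        { 3, { 0x74, 0x05 }, 1 },   /* strict: must be exactly `je +5` */
        { 6, { 0x00, 0x00 }, 0 },   /* loose: any rel8 jcc */
    };
    int rc = apply_nop_patches(img, sizeof img, sites, 2);
    printf("applied %d patches; bytes at 3..7: %02x %02x %02x %02x %02x\n",
           rc, img[3], img[4], img[5], img[6], img[7]);
    return rc == 2 ? 0 : 1;
}
```

To reuse this on a real dump, fill `off` with `address - base_of_your_dump` and, wherever you know the original bytes (for instance from the 1.76 kernel the patches were written against), put them in `expect` with `strict = 1`; the loose mode only rules out sites that are obviously not a short conditional jump.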
Thanks to @ArthurBishop and @Bultra for the heads-up before the weekend in the PSXHAX Shoutbox! (y)
 

Comments


PSXHAX

Staff Member
Moderator
Contributor
Verified
For end-users only looking at the Firmware version perhaps, but for PlayStation developers apparently not :love:

 

lobimagobi

Senior Member
Contributor
True hard work. I'm proud of them. They did a great thing: ported the exploit to a very old firmware which NO ONE USES and NO ONE CARES about instead of doing something useful. Wish them luck in their useless attempts to make something on 1.01 work in the future.

Remember, do not even touch signature checks. No one cares for free games, everybody just wants to cheat online in GTA and CoD, and those millions of people begging for games are just liars, don't let them fool you. They are very rich and one game doesn't cost 1/10 of their income, trust me. True scene never dies.

Best regards
 

PSXHAX

Staff Member
Moderator
Contributor
Verified
It sounds like you want them to spend their time doing something useful for you, not something they consider useful for themselves or for scene devs like BigBoss. :unsure:

Good luck telling other people how to spend their freetime, the world doesn't usually work that way unless you're paying them to work for you. :ROFLMAO:
 

MadMan467

Senior Member
Contributor
If they're too stupid to do something useful for everyone instead, then I will just wait for another guy who will.
I wish us luck waiting. That will probably never happen though. :p

Remember, do not even touch signature checks. No one cares for free games, everybody just wants to cheat online in GTA and CoD, and those millions of people begging for games are just liars, don't let them fool you. They are very rich and one game doesn't cost 1/10 of their income, trust me. True scene never dies.
Are you serious about that or do you mean that ironically? :cautious: At least I give a crap about online gaming or cheating. I don't understand how people want both online capabilities AND a hacked console. IMO those are two things you can't have at the same time on the same console without problems.
 