PlayStation 4 developer CTurt has made available PS4 Playground, which essentially is PS4 tools and experiments using the WebKit Exploit with the help of SKFU, droogie, Xerpi, Hunger, Takezo, nas and Proxima.
Before getting into the PS4 WebKit Playground, a quick recap: back in November 2014 a PS4 WebKit exploit surfaced which, as nas predicted, only worked on PS4 Firmware 1.76 and below and was bound to be patched; sure enough, Sony blocked the PlayStation 4 WebKit exploit in their PS4 Firmware 2.00 update.
Download: PS4-playground-gh-pages / PS4-Playground GIT / PS4 WebKit Playground Demo
Fast-forwarding to July 2015, from the ReadMe file: PS4-playground
A collection of PS4 tools and experiments using the WebKit exploit. This is for firmware 1.76 only at the moment.
Setup
A live demo can be tried here, without module dumping.
You should clone the repo and upload it to your own server to have module dumping capabilities:
Code:
git clone git://github.com/CTurt/PS4-playground.git
Usage
Although this is primarily a framework to help write and execute ROP chains, PS4-playground comes with several experiments for you to try.
After executing a test, you should either refresh the page, or close and reopen the browser entirely; running multiple experiments sequentially is not reliable.
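To make the "framework to help write and execute ROP chains" part concrete, here is an added JavaScript example (not code from PS4-playground or CTurt) of what such a framework does at its core: it lays out gadget addresses and arguments as little-endian 64-bit stack words following the x86-64 SysV calling convention, so that a "call" becomes a run of pop-register gadgets followed by the target. Every address in it is a placeholder assumption, not a real firmware 1.76 offset, and the `mov rdi, rax` gadget and `writeResult` function are hypothetical.

```javascript
// Added example (not PS4-playground's own code): a minimal x86-64 ROP chain
// builder. All addresses are placeholder assumptions, not real 1.76 offsets.

// SysV AMD64 calling convention: the first six integer arguments travel in
// these registers, so a chain stages each one with a "pop <reg>; ret" gadget.
const ARG_GADGETS = ["pop rdi", "pop rsi", "pop rdx", "pop rcx", "pop r8", "pop r9"];

class RopChain {
  // gadgets: map from gadget name to absolute address (BigInt or Number)
  constructor(gadgets) {
    this.gadgets = gadgets;
    this.words = []; // 64-bit stack words in the order the CPU will pop them
  }

  push(value) {
    this.words.push(BigInt.asUintN(64, BigInt(value)));
    return this;
  }

  // Load up to six register arguments, then return into `target`.
  // Whatever is pushed next is what `target` returns into, so the
  // following gadget or call lands there naturally.
  call(target, args = []) {
    if (args.length > ARG_GADGETS.length) {
      throw new Error("only register arguments are supported (max 6)");
    }
    args.forEach((arg, i) => {
      const name = ARG_GADGETS[i];
      const addr = this.gadgets[name];
      if (addr === undefined) throw new Error(`no gadget for "${name}"`);
      this.push(addr).push(arg);
    });
    return this.push(target);
  }

  // Serialize as little-endian qwords: the bytes an exploit writes into the
  // buffer that the stack pointer will be pivoted onto.
  toBytes() {
    const out = new Uint8Array(this.words.length * 8);
    const view = new DataView(out.buffer);
    this.words.forEach((w, i) => view.setBigUint64(i * 8, w, true));
    return out;
  }

  // Human-readable listing for checking a chain before firing it.
  dump() {
    return this.words.map((w, i) => `[${i * 8}] 0x${w.toString(16).padStart(16, "0")}`);
  }
}

// Build a chain in the spirit of the "Get PID" experiment: call getpid(),
// then pass its return value (rax) to a hypothetical writeResult(rax).
// A "mov rdi, rax; ret" gadget (assumed to exist) moves rax into arg 0.
function buildGetpidChain(gadgets, getpidAddr, writeResultAddr) {
  const chain = new RopChain(gadgets);
  chain.call(getpidAddr);              // rax = getpid()
  chain.push(gadgets["mov rdi, rax"]); // rdi = rax
  chain.push(writeResultAddr);         // writeResult(pid)
  return chain;
}

// Constructed placeholder gadget table (assumption). In practice the offsets
// come from a dumped module, which is what the dump experiments are for.
const DEMO_GADGETS = {
  "pop rdi": 0x400000n, "pop rsi": 0x400002n, "pop rdx": 0x400004n,
  "pop rcx": 0x400006n, "pop r8": 0x400008n, "pop r9": 0x40000an,
  "mov rdi, rax": 0x40000cn,
};

// Usage: buildGetpidChain(DEMO_GADGETS, 0x500000n, 0x600000n).dump()
```

The point of keeping arguments in the chain as explicit words rather than hand-typed hex is the reason a framework like this exists: the layout errors that make a chain crash (a missed pop gadget, a 32-bit write where a 64-bit word was needed) are exactly the ones the builder rules out.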
Syscalls
- Get PID - Get process ID
- Get Login - Get login name and leak a kernel pointer
- Get Loaded Modules - Get a list of currently loaded modules
- Dump Loaded Module - Dump a currently loaded module (use Get Loaded Modules to see all available)
- Load Module - Load an additional module from this list:
Libraries on firmware 1.76
sprx / No. / Loadable
Code:
libkernel
libcInternal 0x04 Yes
libSceFios2 0x03 Yes
libSceNet
libSceIpmi
libSceMbus
libSceRegMgr
libSceRtc
librt
libSceAvSetting 0x0b Yes
libSceVideoOut
libSceGnmDriver 0x0d Yes
libSceAudioOut 0x0e Yes
libSceAudioIn 0x0f Yes
libSceAjm 0x10 Yes
libScePad
libSceDbg
libSceNetCtl
libSceHttp 0x14 Yes
libSceSsl
libSceNpCommon 0x16 Yes
libSceNpManager
libSceNpWebApi 0x18 Yes
libSceSaveData 0x19 Yes
libSceSystemService
libSceUserService 0x1b Yes
libSceCommonDialog 0x1c Yes
libSceSysUtil 0x1d Yes
libScePerf
libSceCamera 0x1f Yes
libSceWebKit2ForVideoService 0x20 Yes
libSceOrbisCompatForVideoService 0x21 Yes
libSceDiscMap 0x22 Yes
libSceFiber 0x31 Yes
libSceUlt 0x32 Yes
libSceNgs2 0x33 Yes
libSceXml 0x34 Yes
libSceNpUtility
libSceVoice 0x36 Yes
libSceNpMatching2 0x37 Yes
libSceNpScoreRanking
libSceRudp 0x39 Yes
libSceNpTus
libSceFace
libSceSmart
libSceJson 0x3d Yes
libSceGameLiveStreaming 0x3e Yes
libSceCompanionUtil 0x3f Yes
libScePlayGo 0x40 Yes
libSceFont 0x41 Yes
libSceVideoRecording
libSceAudiodec
libSceJpegDec 0x44 Yes
libSceJpegEnc 0x45 Yes
libScePngDec 0x46 Yes
libScePngEnc 0x47 Yes
libSceVideodec 0x48 Yes
libSceMove 0x49 Yes
libScePadTracker 0x4b Yes
libSceDepth 0x4c Yes
libSceHand
libSceIme 0x4e Yes
libSceImeDialog 0x4f Yes
libSceVdecCore 0x50 Yes
libSceNpParty 0x51 Yes
libSceAvcap 0x52 Yes
libSceFontFt 0x53 Yes
libSceFreeTypeOt 0x54 Yes
libSceFreeTypeOl 0x55 Yes
libSceFreeTypeOptOl 0x56 Yes
libSceScreenShot 0x57 Yes
libSceNpAuth
libSceVoiceQos 0x59 Yes
libSceSysCore
libSceM4aacEnc
libSceAudiodecCpu 0x5c Yes
libSceCdlgUtilServer
libSceSulpha
libSceSaveDataDialog 0x5f Yes
libSceInvitationDialog 0x60 Yes
libSceKeyboard 0x61 Yes
libSceMsgDialog 0x63 Yes
libSceAvPlayer 0x64 Yes
libSceContentExport 0x65 Yes
libSceVisionManager
libSceAc3Enc
libSceAppInstUtil
libSceVencCore
libSceAudio3d 0x6a Yes
libSceNpCommerce 0x6b Yes
libSceHidControl 0x6c Yes
libSceMouse 0x6d Yes
libSceCompanionHttpd 0x6e Yes
libSceWebBrowserDialog 0x6f Yes
libSceErrorDialog 0x70 Yes
libSceNpTrophy
ulobjmgr 0x72 Yes
libSceVideoCoreInterface 0x73 Yes
libSceVideoCoreServerInterface
libSceNpSns
libSceNpSnsFacebookDialog 0x76 Yes
libSceMoveTracker 0x77 Yes
libSceNpProfileDialog 0x78 Yes
libSceNpFriendListDialog 0x79 Yes
libSceAppContent 0x7a Yes
libSceMarlin
libSceDtsEnc
libSceNpSignaling 0x7d Yes
libSceRemotePlay 0x7e Yes
libSceUsbd 0x7f Yes
libSceGameCustomDataDialog 0x80 Yes
libSceNpEulaDialog 0x81 Yes
libSceRandom 0x82 Yes
libSceDipsw
libSceS3DConversion
libSceOttvCapture
libSceBgft 0x86 Yes
libSceAudiodecCpuDdp 0x87 Yes
libSceAudiodecCpuM4aac 0x88 Yes
libSceAudiodecCpuDts
libSceAudiodecCpuDtsHdLbr 0x8a Yes
libSceAudiodecCpuDtsHdMa
libSceAudiodecCpuLpcm
libSceBemp2sys 0x8d Yes
libSceBeisobmf 0x8e Yes
libScePlayReady 0x8f Yes
libSceVideoNativeExtEssential 0x90 Yes
libSceZlib 0x91 Yes
libSceIduUtil 0x92 Yes
libScePsm 0x93 Yes
libSceDtcpIp 0x94 Yes
libSceKbEmulate 0x95 Yes
libSceAppChecker
libSceNpGriefReport 0x97 Yes
libSceContentSearch 0x98 Yes
libSceShareUtility 0x99 Yes
libSceWeb 0x9a Yes
libSceWebKit2
libSceDeci4h
libSceHeadTracker
libSceGameUpdate 0x9e Yes
libSceAutoMounterClient 0x9f Yes
libSceSystemGesture 0xa0 Yes
libSceVdecSavc 0xa1 Yes
libSceVdecSavc2 0xa2 Yes
libSceVideodec2 0xa3 Yes
libSceVdecwrap 0xa4 Yes
libSceConvertKeycode 0xa5 Yes
Once you have dumped a module, you will need to run dir2bin.py to combine all chunks into a single binary.
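Because a dump arrives as separate chunks, the reassembly step is where a silently corrupted binary comes from if one chunk never made it off the console. The following is an added JavaScript example of that step (it is not the project's dir2bin.py, whose file naming the page does not show); it assumes each chunk carries a numeric index and refuses to combine a set with a gap in the sequence.

```javascript
// Added example (not PS4-playground's dir2bin.py): reassemble dumped chunks
// into one binary, refusing to produce a truncated file when one is missing.
// The naming scheme (one numeric index per chunk) is an assumption.

// chunks: array of { index: Number, data: Uint8Array }, in any order
function combineChunks(chunks) {
  if (chunks.length === 0) throw new Error("no chunks to combine");
  const sorted = [...chunks].sort((a, b) => a.index - b.index);
  // Every index from 0 to n-1 must be present exactly once; a gap or a
  // duplicate means the dump is incomplete and must not be stitched.
  sorted.forEach((c, i) => {
    if (c.index !== i) {
      throw new Error(`chunk sequence broken: expected index ${i}, found ${c.index}`);
    }
  });
  const total = sorted.reduce((n, c) => n + c.data.length, 0);
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of sorted) {
    out.set(c.data, offset);
    offset += c.data.length;
  }
  return out;
}

// Pull the chunk index out of a file name such as "chunk_0002.bin" by taking
// the last run of digits (hypothetical naming, see above).
function chunkIndexFromName(name) {
  const runs = name.match(/\d+/g);
  if (!runs) throw new Error(`no index in chunk name: ${name}`);
  return parseInt(runs[runs.length - 1], 10);
}

// Constructed sample input, deliberately out of order.
const SAMPLE_CHUNKS = [
  { index: 2, data: Uint8Array.from([0x40, 0x41]) },
  { index: 0, data: Uint8Array.from([0x7f, 0x45, 0x4c, 0x46]) },
  { index: 1, data: Uint8Array.from([0x02, 0x01]) },
];

// Usage: combineChunks(SAMPLE_CHUNKS) -> 8-byte Uint8Array in index order
```

Ordering by the parsed index rather than by directory listing order matters once there are more than ten chunks: "chunk_10" sorts before "chunk_2" as a string, which is another way to get a scrambled binary without any error.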
Filesystem
- Open /dev/ - Get a list of devices
- Get Sandbox Directory - Get the name of the current sandbox directory (10 random characters which change each reboot)
Memory
- Get Stack Protection - Get stack base, size, and protection
- Get Stack Name - Get stack base, size, and name
Finally, don't forget to check out the Analysis of PS4's Security: The State of PlayStation 4 Hacking by CTurt!