Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Apr 12, 2019 at 2:42 AM       30,099       27            
Status
Not open for further replies.
Last fall PS4 developers saw PS4 Aux Hax 4: Belize (Southbridge) via HDMI CEC from fail0verflow which allowed hackers to get code exec on all PS4 southbridge versions using HDMI-CEC without requiring other parts of the system to be compromised, and following his recent GhidraPS4 ELF Loader / PS4FlashTool releases PlayStation 4 developer @g991 (aka goldfitzgerald on Twitter) has been examining the PS4 southbridge and shared some reverse-engineered code today. :fire:

He states, to quote: "Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader."

If you're a prospective PS4 developer, be sure to check out the Tweets below! (y)

Picture of the PlayStation 4 APU bootrom reading the second bootloader over PCIe, this is read from the system flash using SPI via the southbridge. The low spots are where the data is all 0xFF, where hamming distance between data lines/registers stays constant.
PS4 Southbridge Reverse-engineered Code Examination by Jogolden 2.png

PS4 Southbridge Reverse-engineered Code Examination by Jogolden 3.jpg

PS4 Southbridge Reverse-engineered Code Examination by Jogolden 4.jpg

If you look at a system flash dump, located at 0x200000 is this data. There is a main header and a header that switches between two other headers that are each associated with their own bootloader. I call these boot slots.
Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader.
PS4 Southbridge Reverse-engineered Code Examination by Jogolden 5.png

Here is a better image of what is going on when the PlayStation 4 APU turns on. The southbridge reads the second bootloader from flash then sends it over PCIe to the APU bootrom, which decrypts and loads it. I deleted my old post because of some inaccuracies I discovered.
Also in the image, yellow is power consumption, green is APU reset, and the pink/mosi/miso is data on the SPI system flash lines.

Also making rounds on Twitter today for those interested in PS4 game mods:

PS4 FF7 BGM Texture Mod Test
PS4 Southbridge Reverse-engineered Code Examination by Jogolden.jpg
 
:idea: Reminder: Those without a Verified Badge yet on Discord to access the private areas we recommend Joining Us! Why? The waiting process takes a week for new Members, and there's a lot we're unable to share on public forums including the latest PS4 PKG Games. 🏴‍☠️

Comments

Status
Not open for further replies.

Synderella

Senior Member
Contributor
If I understand it correctly this could lead to somewhat of a coldboot solution, something maybe like ps3 trueblue thingy or even ps2 modchip. Can't see any software way to modify data at this entry point.

BUT most importantly thats it is truly another entry point and those drama queens on twitter can either a) post their solution while it still has bragging value or b) shove it up their ... cause noone will care about software glitch method that is easily patched by sony via new fw against hardware method which requires new revision of the console (hello ps3 superslim). We will have to wait patiently but its nice to see progress being done.

Feel free to correct me if I'm wrong cause its its my vision of the current events
 

madix

Member
Contributor
Looks like Synderella beat me to the post but yes, there maybe more of a future to this than another firmware exploit. But we will have to wait and see what comes out of it.
 
Status
Not open for further replies.
Recent Articles
PS4 Kernel Exploit (KEX) for 7.02 Firmware, Wait for Jailbreak Before Updating!
As promised last month, PlayStation 4 scene developer theflow0 just dropped the PS4 Kernel Exploit (KEX) for Firmware 7.02 and below which was patched by Sony in 7.50 PS4 OFW (Current OFW is 7.51)...
Ubisoft Forward: Assassin's Creed Valhalla & Watch Dogs: Legion PS4
In lieu of a traditional E3 2020 presentation as physical gaming shows are postponed due to the COVID-19 pandemic, Ubisoft will be hosting its first digital conference called Ubisoft Forward with...
Dark Chronicle (Dark Cloud 2) PS2 on PS4 Companion App by Halvardssm
Recently developer halvardssm made available a companion app script for the Dark Chronicle (also known as Dark Cloud 2 in North America) PS2 on PS4 action role-playing game (RPG) by Level-5 via...
PS5 Hacking-Themed Platformer Recompile Gameplay Trailer Video
Earlier this week we saw a first look at the PS5 hacking-themed indie platformer Recompile by Phigames, and below is a Recompile PlayStation 5 gameplay trailer video for sceners who can't wait to...
Top