Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Apr 12, 2019 at 2:42 AM       28,108       27            
Status
Not open for further replies.
Last fall PS4 developers saw PS4 Aux Hax 4: Belize (Southbridge) via HDMI CEC from fail0verflow which allowed hackers to get code exec on all PS4 southbridge versions using HDMI-CEC without requiring other parts of the system to be compromised, and following his recent GhidraPS4 ELF Loader / PS4FlashTool releases PlayStation 4 developer @g991 (aka goldfitzgerald on Twitter) has been examining the PS4 southbridge and shared some reverse-engineered code today. :fire:

He states, to quote: "Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader."

If you're a prospective PS4 developer, be sure to check out the Tweets below! (y)

Picture of the PlayStation 4 APU bootrom reading the second bootloader over PCIe, this is read from the system flash using SPI via the southbridge. The low spots are where the data is all 0xFF, where hamming distance between data lines/registers stays constant.
PS4 Southbridge Reverse-engineered Code Examination by Jogolden 2.png

PS4 Southbridge Reverse-engineered Code Examination by Jogolden 3.jpg

PS4 Southbridge Reverse-engineered Code Examination by Jogolden 4.jpg

If you look at a system flash dump, located at 0x200000 is this data. There is a main header and a header that switches between two other headers that are each associated with their own bootloader. I call these boot slots.
Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader.
PS4 Southbridge Reverse-engineered Code Examination by Jogolden 5.png

Here is a better image of what is going on when the PlayStation 4 APU turns on. The southbridge reads the second bootloader from flash then sends it over PCIe to the APU bootrom, which decrypts and loads it. I deleted my old post because of some inaccuracies I discovered.
Also in the image, yellow is power consumption, green is APU reset, and the pink/mosi/miso is data on the SPI system flash lines.

Also making rounds on Twitter today for those interested in PS4 game mods:

PS4 FF7 BGM Texture Mod Test
PS4 Southbridge Reverse-engineered Code Examination by Jogolden.jpg
 

Comments

Status
Not open for further replies.

Synderella

Senior Member
Contributor
If I understand it correctly this could lead to somewhat of a coldboot solution, something maybe like ps3 trueblue thingy or even ps2 modchip. Can't see any software way to modify data at this entry point.

BUT most importantly thats it is truly another entry point and those drama queens on twitter can either a) post their solution while it still has bragging value or b) shove it up their ... cause noone will care about software glitch method that is easily patched by sony via new fw against hardware method which requires new revision of the console (hello ps3 superslim). We will have to wait patiently but its nice to see progress being done.

Feel free to correct me if I'm wrong cause its its my vision of the current events
 

madix

Member
Contributor
Looks like Synderella beat me to the post but yes, there maybe more of a future to this than another firmware exploit. But we will have to wait and see what comes out of it.
 
Status
Not open for further replies.
Recent Articles
PS5 DualShock 5 (DS5) Controller Images Surface in Japanese Patent
Following Sony's New Controller Patent, PS5 Devkit Prototype Leak and recent PS5 Transition Update in preparation for the PlayStation 5 2020 Launch today some PS5 DualShock 5 (DS5) Controller...
PlayStation Black Friday & Cyber Monday 2019 Deals Revealed!
We've seen the 2019 Black Friday Ad Scans featuring a $199 PS4 Bundle with 3 Games or PSVR Bundle with 5 Games and today Sony revealed their official PlayStation Black Friday & Cyber Monday 2019...
PSPlay: PS4 Remote Play App for Android Devices by Grill2010
Hi, In case someone is interested, after PSJoy which I've released one year ago and following my RemotePlayPrototype open source research project I have developed a new Android app called PSPlay...
PS4 Open-world RPG Shenmue III Joins New Games Next Week
Next week Yu Suzuki's open-world RPG series returns in the legendary Shenmue III on PS4 among the new video game releases! šŸ•¹ PlayStation 4 fans can catch up with Ryo Hazuki in his ongoing quest...
Top