Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Apr 12, 2019 at 2:42 AM | 24,599 | 27
Status
Not open for further replies.
Last fall PS4 developers saw PS4 Aux Hax 4: Belize (Southbridge) via HDMI CEC from fail0verflow, which let hackers get code execution on all PS4 southbridge versions over HDMI-CEC without first compromising any other part of the system. Following his recent GhidraPS4 ELF Loader / PS4FlashTool releases, PlayStation 4 developer @g991 (aka goldfitzgerald on Twitter) has been examining the PS4 southbridge and shared some reverse-engineered code today. :fire:

He states, to quote: "Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader."

If you're a prospective PS4 developer, be sure to check out the Tweets below! (y)

Picture of the PlayStation 4 APU bootrom reading the second bootloader over PCIe, this is read from the system flash using SPI via the southbridge. The low spots are where the data is all 0xFF, where hamming distance between data lines/registers stays constant.
[Image: PS4 Southbridge Reverse-engineered Code Examination by Jogolden 2.png]

[Image: PS4 Southbridge Reverse-engineered Code Examination by Jogolden 3.jpg]

[Image: PS4 Southbridge Reverse-engineered Code Examination by Jogolden 4.jpg]

If you look at a system flash dump, located at 0x200000 is this data. There is a main header and a header that switches between two other headers that are each associated with their own bootloader. I call these boot slots.
Here is some reversed code from the southbridge... this is where the data is read from the flash and sent over PCIe. This is the perfect place to modify the southbridge to change data for a correlation power analysis attack against the APU bootrom loading the second bootloader.
[Image: PS4 Southbridge Reverse-engineered Code Examination by Jogolden 5.png]

Here is a better image of what is going on when the PlayStation 4 APU turns on. The southbridge reads the second bootloader from flash then sends it over PCIe to the APU bootrom, which decrypts and loads it. I deleted my old post because of some inaccuracies I discovered.
Also in the image, yellow is power consumption, green is APU reset, and the pink/mosi/miso is data on the SPI system flash lines.
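As an added illustration (not code from this post or from @g991), the Hamming-distance leakage model behind the captions above: a byte clocked onto a bus or register is modelled as leaking proportionally to the number of bits that toggle relative to the previous value, so a run of 0xFF toggles nothing and shows up as a flat low spot, and correlation power analysis scores a hypothesised data stream by its Pearson correlation with the measured trace. The sample bus data and the noisy "scope" trace are constructed here; the same model is what a defender uses to check whether a transfer has data-dependent power draw.

```python
import random

def hamming_weight(x: int) -> int:
    """Number of set bits in one byte."""
    return bin(x & 0xFF).count("1")

def hamming_distance_trace(data: bytes, initial: int = 0xFF) -> list:
    """Hamming-distance leakage model: leak[i] = popcount(prev ^ data[i]).
    Identical consecutive bytes (e.g. 0xFF padding/erased flash) give 0,
    i.e. the flat region in the power picture; `initial` is the assumed
    bus/register state before the first byte (constructed assumption)."""
    leak, prev = [], initial
    for b in data:
        leak.append(hamming_weight(prev ^ b))
        prev = b
    return leak

def simulate_power_trace(data: bytes, noise_sd: float = 0.5, seed: int = 1) -> list:
    """Constructed stand-in for a scope capture: HD leakage plus Gaussian noise."""
    rng = random.Random(seed)
    return [hd + rng.gauss(0.0, noise_sd) for hd in hamming_distance_trace(data)]

def pearson(xs, ys) -> float:
    """Pearson correlation; 0.0 when either series is constant (no information)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5

def correlate_hypothesis(trace: list, candidate: bytes) -> float:
    """CPA scoring step: how well does a hypothesised byte stream explain the trace?
    A candidate that is all 0xFF has constant (zero) modelled leakage and scores 0.0,
    which is why constant data regions carry no usable signal."""
    return pearson(hamming_distance_trace(candidate), trace)

# Constructed sample: 16 "payload" bytes followed by 16 bytes of 0xFF padding.
SAMPLE = bytes(range(0x10, 0x20)) + b"\xff" * 16

if __name__ == "__main__":
    trace = simulate_power_trace(SAMPLE)
    print("model  :", hamming_distance_trace(SAMPLE))
    print("correct:", round(correlate_hypothesis(trace, SAMPLE), 3))
    print("all-FF :", round(correlate_hypothesis(trace, b"\xff" * 32), 3))
```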

Also making rounds on Twitter today for those interested in PS4 game mods:

PS4 FF7 BGM Texture Mod Test
[Image: PS4 Southbridge Reverse-engineered Code Examination by Jogolden.jpg]
 

Comments


FFTHEWINNER (Staff Member, Moderator, Contributor, Verified)
I think this won't be useful with the newer firmware stuff, but it WILL most likely be useful in making the console hardboot into a Jailbroken state, instead of having to use the webkit every time you turn it on, which would be a GREAT thing, as I am quite tired of webkit crashes lol.
 

technodon (Member, Contributor)
I followed an online tutorial and built a simple hello world open-source bootloader for VirtualBox. Then I split the file size and rebuilt the ISO with a PHP XAMPP script. helloworld.iso.chunk018 can be modified and written while the virtual machine is running. :eek:
