Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Jul 8, 2020 at 12:43 AM       100,964       262            
Proceeding his PS4 ROP 8CC Port and the 7.02 PS4 Kernel Exploit (KEX) release, PlayStation 4 scene developer sleirsgoevy added a work-in-progress (WIP) port of the PS4 Webkit Bad_Hoist 6.XX Exploit by Fire30 to his Github repository noting it should work up to 6.72 but requires some minor changes and offset adjustments. :geek:

In related news, @zecoxao shared via Twitter a PS4 dump file pack including webkit, libc, libkernel, gadgets and syscalls from 6.72 Firmware and kernel, libc, libkernels and libSceWebkits decrypted from 7.00 Firmware which can also be found below. đź’—

Download: bad_hoist-master.zip / GIT / 6.72 Payload Ports / dumps_672.7z (41.41 MB) / 700.7z (46.84 MB) - 6.72 Contents:
Code:
gadgets.txt
libc.bin
libc.elf
libc-gadgets.txt
libkernel.bin
libkernel.elf
syscalls.txt
webkit-gadgets.txt
webkit.bin
webkit.elf
7.00 Contents:
Code:
80010002.elf
libc.sprx
libkernel.sprx
libkernel_sys.sprx
libkernel_web.sprx
libSceWebKit2.sprx
libSceWebKit2ForVideoService.sprx
libSceWebKit2Secure.sprx
:alert: As covered previously, it's recommended not to update your Firmware until a full PS4 6.72 jailbreak is publicly released. :alert:

And from the README.md: bad_hoist

This is an actually working implementation of Fire30's bad_hoist exploit.

Supported firmwares

This exploit has been tested and proven to be working on FW 6.51. This should work up to 6.72 with minor changes, however various offsets need to be adjusted.

ROP compiler setup

In order to run the ROP compiler you need to have dumps of WebKit, libc & libkernel.

Run make and follow instructions to obtain the dumps.

Dependencies: python3, gcc, ROPgadget

Assembly-like ROP format

This toolchain uses assembly-like ROP format that is briefly described below.
Code:
<label>:
Declare a label. Labels are global and should be valid Python identifiers.
Code:
<asm_instr>
Find a gadget that looks like asm_instr ; ret and insert its address. Will error out if the gadget is not found inside the dumps.

Note: after dumping you can find a dumps/gadgets.txt file.
Code:
# comment
For each line, every character after the first # is considered a comment.
Code:
db <expr>
(<expr>) must be a valid Python expression that evaluates to a collection of integers in range(256). The corresponding bytes will be written into the ropchain.

Examples: db 1, 2, 3, db bytes(256)
Code:
dq <expr>
<expr> must be a valid Python expression that evaluates to an integer. The integer will be written into the ropchain as a 64-bit little-endian value.
Code:
dp <expr>
Same as above, but <expr> should evaluate to an offset from the start of the ropchain. This will result in an absolute address being written.

For example, the commands
Code:
pop rsp
dp label_to_jump_to
will perform a jump.
Code:
$<expr>
<expr> should be a JavaScript expression that evaluates to an integer. The expression will be executed inside the exploited WebKit and the result will be written into the ropchain as a 64-bit little-endian value.

Example: $infloop_addr

Note: in JavaScript numbers only have 52-bit precision.
Code:
$$<expr>
<expr> will be inserted into the resulting JavaScript code literally.

If <expr> reads exactly pivot(ropchain);, the final pivot statement will be omitted.

Example:
Code:
$$function(some_params)
$${
...ropchain...
$$pivot(ropchain);
$$}
See examples of this language in the rop/ directory.

ROP compiler usage
Code:
usage: python3 rop/compiler.py <rop_source> <gadgets.txt> > <rop_js>
<rop_source> is the ropchain source code in the format described above.

<gadgets.txt> should point to dumps/gadgets.txt (or an alternative gadgets file in the same format).

<rop_js> is the resulting JavaScript file that should be executed.

Running ropchains

To run a compiled ROP chain, add the corresponding <script> tag to the end of index.html, then load that page in the PS4 web browser.

PS4 Webkit Bad_Hoist 6.72 Exploit Port WIP by Sleirsgoevy & 6.72 Dumps.jpg
 

Comments

Anubic

Member
Contributor
why is everyone so happy? hacking 6.72 was on hand in 2018, if not mistaken. a complete hack will be released at least a year later. There is a ready webkit 6.20. no one will release anything now. and you are already asking what you can play. You are very naive before 2021, but wait.
 

Anubic

Member
Contributor
This is how the system of current hackers works. you will all be happy now and the topic will die in a couple of days. No wonder everyone says they don’t need to be updated from 5.05 because again you will wait a very long time. remember my word.
 

eliuuuu7

Senior Member
Contributor
Verified
@Anubic
Remember it was $ony who approved this exploit to be public. this bug has already patched in 7.50 so there’s no point on holding it on.
Mostly of the consoles are updated to latest firmware since this bug has been around for dew months now and for $ony it doesn’t matter now if it’s made public.The only consoles not updated are ours , waiting for this exploit for 2 years now
 

Anubic

Member
Contributor
This is all true and I completely agree with you. the question is, will hackers want to implement everything quickly? All this can continue for a long time even with the permission of Sony's bloc.
 

eliuuuu7

Senior Member
Contributor
Verified
Well there are plenty of new developers who might show up in the scene now that exploit has been published and I think yes pretty soon we will see full exploit.
 

Anubic

Member
Contributor
there is simply no one else to create a full hack of 6.72 and so on. the hope is only on SpectorDev and then he can do everything for a year nowhere to rush. Do not rejoice ahead of time and do not reassure yourself with thoughts that tomorrow there will be something great. once again I repeat not in vain said sit on 5.05 as they know that in the near future nothing will happen. it all passed already.
 
Recent Articles
PS4HEN 2.1.3 with 7.51 FW Version Spoof 6.72 Port via Joonie86 / SiSTR0
Following PS4HEN v2.1.3, the PS4HEN v2.1.4 Fork, ESP8266 Xploit Host 2.84d and the PS4 6.72 Jailbreak Exploit Menu v5 updates, today PlayStation scene developers @Joonie (Joonie86) and SiSTR0 made...
PS4 PKG Sender v1.02 for PlayStation 4 Package Files by FrostySo
Proceeding the PS4 Package Sender 1.2 Update by @MODDEDWARFARE, this weekend PlayStation 4 developer FrostySo of FrostySo.Github.io shared on Twitter his own PS4 PKG Sender v1.0 followed by v1.01...
PSXHAX Member Verification & PS4 Fake PKG (FPKG) Sharing Guide
Since the 6.72 PS4JB release last month we've received several requests to make a detailed guide for getting Verified on PSXHAX and sharing PS4 Fake PKG (FPKG) backports / dumps with other...
State of Play August 2020 Features New Godfall PS5 Gameplay and More!
Following the last PlayStation State of Play event, the Godfall PS5 Reveal Trailer and the Godfall PS5 Box Art here's a recap of the latest State of Play for August 2020 featuring a new Godfall...
Top