Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
Status
Not open for further replies.
Proceeding his PS4 ROP 8CC Port and the 7.02 PS4 Kernel Exploit (KEX) release, PlayStation 4 scene developer sleirsgoevy added a work-in-progress (WIP) port of the PS4 Webkit Bad_Hoist 6.XX Exploit by Fire30 to his Github repository noting it should work up to 6.72 but requires some minor changes and offset adjustments. :geek:

In related news, @zecoxao shared via Twitter a PS4 dump file pack including webkit, libc, libkernel, gadgets and syscalls from 6.72 Firmware and kernel, libc, libkernels and libSceWebkits decrypted from 7.00 Firmware which can also be found below. 💗

Download: bad_hoist-master.zip / GIT / 6.72 Payload Ports / dumps_672.7z (41.41 MB) / 700.7z (46.84 MB) - 6.72 Contents:
Code:
gadgets.txt
libc.bin
libc.elf
libc-gadgets.txt
libkernel.bin
libkernel.elf
syscalls.txt
webkit-gadgets.txt
webkit.bin
webkit.elf
7.00 Contents:
Code:
80010002.elf
libc.sprx
libkernel.sprx
libkernel_sys.sprx
libkernel_web.sprx
libSceWebKit2.sprx
libSceWebKit2ForVideoService.sprx
libSceWebKit2Secure.sprx
:alert: As covered previously, it's recommended not to update your Firmware until a full PS4 6.72 jailbreak is publicly released. :alert:

And from the README.md: bad_hoist

This is an actually working implementation of Fire30's bad_hoist exploit.

Supported firmwares

This exploit has been tested and proven to be working on FW 6.51. This should work up to 6.72 with minor changes, however various offsets need to be adjusted.

ROP compiler setup

In order to run the ROP compiler you need to have dumps of WebKit, libc & libkernel.

Run make and follow instructions to obtain the dumps.

Dependencies: python3, gcc, ROPgadget

Assembly-like ROP format

This toolchain uses assembly-like ROP format that is briefly described below.
Code:
<label>:
Declare a label. Labels are global and should be valid Python identifiers.
Code:
<asm_instr>
Find a gadget that looks like asm_instr ; ret and insert its address. Will error out if the gadget is not found inside the dumps.

Note: after dumping you can find a dumps/gadgets.txt file.
Code:
# comment
For each line, every character after the first # is considered a comment.
Code:
db <expr>
(<expr>) must be a valid Python expression that evaluates to a collection of integers in range(256). The corresponding bytes will be written into the ropchain.

Examples: db 1, 2, 3, db bytes(256)
Code:
dq <expr>
<expr> must be a valid Python expression that evaluates to an integer. The integer will be written into the ropchain as a 64-bit little-endian value.
Code:
dp <expr>
Same as above, but <expr> should evaluate to an offset from the start of the ropchain. This will result in an absolute address being written.

For example, the commands
Code:
pop rsp
dp label_to_jump_to
will perform a jump.
Code:
$<expr>
<expr> should be a JavaScript expression that evaluates to an integer. The expression will be executed inside the exploited WebKit and the result will be written into the ropchain as a 64-bit little-endian value.

Example: $infloop_addr

Note: in JavaScript numbers only have 52-bit precision.
Code:
$$<expr>
<expr> will be inserted into the resulting JavaScript code literally.

If <expr> reads exactly pivot(ropchain);, the final pivot statement will be omitted.

Example:
Code:
$$function(some_params)
$${
...ropchain...
$$pivot(ropchain);
$$}
See examples of this language in the rop/ directory.

ROP compiler usage
Code:
usage: python3 rop/compiler.py <rop_source> <gadgets.txt> > <rop_js>
<rop_source> is the ropchain source code in the format described above.

<gadgets.txt> should point to dumps/gadgets.txt (or an alternative gadgets file in the same format).

<rop_js> is the resulting JavaScript file that should be executed.

Running ropchains

To run a compiled ROP chain, add the corresponding <script> tag to the end of index.html, then load that page in the PS4 web browser.

Use the following Ghidra script on a decrypted libkernel_sys.sprx loaded with GhidraOrbis to add mast1c0re support for other firmware versions (Dumps the `***/include/offsets/ps/libkernel/psx/xx.xx.hpp` file)
PS4 Webkit Bad_Hoist 6.72 Exploit Port WIP by Sleirsgoevy & 6.72 Dumps.jpg
 

Comments

A lot of people are adamant about not updating... Do you think it's a trap? I'm kinda concerned there isn't much enthusiasm about going to 6.72.

Do you think we are looking at possibly months before someone puts the hack together? Tomorrow, I'll be reinstalling all my 5.05 and under pkgs. Should be an all dayer.
 
This could go several different ways. I mean we could see someone take up 7.02 webkit. That is doubtful in my view. But I feel this is days/weeks not months away. Highly doubtful it is a trap as sony paid. From there basically you just birdman this situation I feel. You kinda just smile and rub your hands and wait. Personally not sure why you have to reinstall all your pkg tomorrow.

What I would do is just copy them to the root of a large HD. Once you get on 6.72 and are exploited THEN install them. It is hard to explain to you. But whatever HEN becomes available I would suggest making the installation with THAT hen. Just one less potential headache I feel. For those of us with large collections it's going to be hella nerve wracking. Thankfully I have a phat ps4 I can use as a guinea pig. I plan on sharing my experience to help others.
 
@UltraLex I'm guessing everything is gonna be chained to the drive and the exploit will be triggered having a disc in the drive with specific content on it for the exploit then you can remove it after its triggered.

Or option B which would be to have the files along side your games that reads its a disc with the files always there like they are a game disc while playing from the hard drive
 
What I will doing is using ps4 explorer app go in there in copy all my fpkg and my addon content with patches updates to my hard drive I have games on the ps4 460.7GB with my 2tb at 180GB now cause of using app2usb.. but question since my pkg from external and hard drive having half data do I need to just copy the rest to the hard drive from the ps4
 
Status
Not open for further replies.
Back
Top