PS4 Jailbreaking · Thread starter: Foe · Start date: Oct 9, 2016 at 11:36 PM
Status
Not open for further replies.
All day PS4 dev @ryan111 (PS4Work Blog updates from him HERE and HERE) has been working on a PlayStation 4 4.0 jailbreak, and has come across a "command" in the web browser, about:, that gives you info about it.

Which reads:
Code:
AppVersion 5.0 (Playstation 4 4.00) AppleWebKit/537.78 (KHTML, like Gecko)
UserAgent Mozilla/5.0 (Playstation 4 4.0) AppleWebKit/537.78 (KHTML, like Gecko)
Language en-US
OnLine true
Now I did some research on this, and this is what I came up with.

https://user-agents.me/useragent/mozilla50-macintosh-intel-mac-os-x-10_9_4-applewebkit537782-khtml-like-gecko-version706-safari537782

Which is about the WebKit and:

https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3264/version_id-112576/Mozilla-Firefox-5.0.html

Which are vulnerabilities for Mozilla 5.0.

Now I'm not sure if this has already been found, but this is the first I've heard of it. I wanted to post this so people know that devs are working on a 4.0 JB, and never give up hope.

Finally, below are some related Tweets from PlayStation 4 developer CTurt and the ReadMe file from the work-in-progress PS4 Playground 4.00 GIT via darkslake, to quote:

PS4 4.00 Unsigned Code Execution

This GitHub Repository contains all the necessary tools for getting PoC Unsigned Code Execution on a Sony PS4 System with firmwares 3.15, 3.50, 3.55 and 4.00-exploit-ps4.
This exploit is based off Henkaku's WebKit vulnerability for Sony's PS Vita. It includes basic ROP and is able to return to normal execution.

Pre-Requisites:
  1. A PC
    1. Running Windows, macOS or Linux
    2. An already set-up basic server that the PS4 User's Guide launcher will point to for loading the payload
    3. Python 2.7.X
      • Python 3.X gives problems, since they included major changes on the syntax and on the libraries in comparison with 2.7
  2. A Sony PlayStation 4
    1. Running the following firmwares:
      • 4.00
  3. Internet Connection (PS4 and PC directly wired to the Router is the mostly preferred option)
Usage:

There are two different methods to execute the Exploit, but first let's clarify how we will know which one to use. If your PlayStation 4 has got an already set-up PlayStation Network Account on it, you should use method 1.

Otherwise, if your PlayStation 4 has -NEVER- had a PlayStation Network Account on it, you should use method 2. You will probably ask why; it's pretty easy to explain and understand:

When you buy a PS4, it comes unactivated, meaning that nobody has entered a SEN Account on it (Method 2). Once you use a SEN Account on it, the PS4 becomes an activated console (Method 1). This doesn't affect the actual payload, but you should keep in mind which method to use.

Method 1:

Run this command on the folder you've downloaded this repo:
Code:
python server.py
All the debug output will be printed during the exploit process. Navigate to your PS4's web browser and simply type your PC's IP address in the address bar. Wait until the exploit finishes; once it does, the PS4 will return to its normal state. An example of what it will look like can be found HERE.

Method 2:

A dns.conf file, which is present in the source, needs to be edited according to your local PC's IP address. The PlayStation 4's DNS settings must be changed to point to the PC's IP address where the exploit is located. Once you've edited the dns.conf file, simply run the next command in the folder where you downloaded this repo:
Code:
python fakedns.py -c dns.conf
And then:
Code:
python server.py
All the debug output will be printed during the exploit process. Once the Python part is done, get onto your PlayStation 4, navigate to the User's Guide page and wait until the exploit finishes. An example of what it will look like can be found HERE.

Miscellaneous:

If you want to try the socket test, change the IP Address located at the bottom of the ps4sploit.html file with your computer's one and run this command:
Code:
netcat -l 0.0.0.0 8989 -v
You should see something like:
Code:
Listening on [0.0.0.0] (family 0, port 8989)
Connection from [192.168.1.72] port 8989 [tcp/sunwebadmins] accepted (family 2, sport 59389)
Hello From a PS4!
Notes about this exploit:
  • Currently, the exploit does not work 100% of the time, but it is around 80%, which is fine for our purposes.
  • Although it is confirmed to work, it will sometimes fail; just wait some seconds and re-run the payload.
  • Performing too much memory allocation after sort() is called can potentially lead to more instability, and it may crash more.
  • The process will crash after the ROP payload is done executing.
  • This is only useful for researchers. There are many many more steps needed before this becomes useful to normal users.
Acknowledgements

xyz - Much of the code is based off of his code used for the Henkaku project
Anonymous contributor - WebKit Vulnerability PoC
CTurt - I basically copied his JuSt-ROP idea
xerpi - Used his idea for the socket code
rck`d - Finding bugs such as not allocating any space for a stack on function calls
Maxton - 3.50 support and various cleanup
Thunder07 - 3.15 support
darkslake - 4.00 support and various cleanup

Contributing

The code currently is a bit of a mess, so if you have any improvements feel free to send a pull request or make an issue. Also I am perfectly fine if you want to fork and create your own project.

final-4.00-exploit-ps4
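As an added example (not code from the thread, the PS4Work Blog, or the exploit-ps4 repository), here is a Python 3 scan of web-server access logs that identifies PS4 browsers by the User-Agent shown in the first post, extracts the firmware version, and flags those on the firmware list the quoted README names; the log lines, addresses and timestamps are constructed.

```python
import re

# Firmwares the quoted README names as PoC targets (from the thread, not an
# exhaustive list of vulnerable versions).
POC_FIRMWARES = {"3.15", "3.50", "3.55", "4.00"}

# Shape of the PS4 browser UA shown in the thread:
#   Mozilla/5.0 (Playstation 4 4.0) AppleWebKit/537.78 (KHTML, like Gecko)
PS4_UA_RE = re.compile(r"\(Playstation 4 (?P<fw>\d+\.\d+)\) AppleWebKit/(?P<wk>[\d.]+)")

# Combined Log Format: client IP first, User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')


def parse_ps4_ua(user_agent):
    """Return (firmware, webkit_build) for a PS4 UA, else None.
    Firmware is padded to two decimals ("4.0" -> "4.00") to match the README."""
    m = PS4_UA_RE.search(user_agent)
    if not m:
        return None
    return "{:.2f}".format(float(m.group("fw"))), m.group("wk")


def flag_ps4_requests(log_lines):
    """Yield (client_ip, firmware, webkit_build, on_poc_list) for every
    access-log line whose User-Agent identifies a PS4 browser."""
    for line in log_lines:
        m = LOG_RE.match(line)
        parsed = parse_ps4_ua(m.group(2)) if m else None
        if parsed is None:
            continue
        fw, wk = parsed
        yield m.group(1), fw, wk, fw in POC_FIRMWARES


# Constructed sample log lines; the addresses and timestamps are made up.
SAMPLE_LOG = [
    '192.168.1.72 - - [09/Oct/2016:23:36:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Playstation 4 4.0) AppleWebKit/537.78 (KHTML, like Gecko)"',
    '192.168.1.10 - - [09/Oct/2016:23:36:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"',
    '192.168.1.80 - - [09/Oct/2016:23:36:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Playstation 4 4.05) AppleWebKit/537.78 (KHTML, like Gecko)"',
]

if __name__ == "__main__":
    for ip, fw, wk, hit in flag_ps4_requests(SAMPLE_LOG):
        print(ip, fw, "WebKit", wk, "PoC-listed" if hit else "not PoC-listed")
```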

Comments

Anyways, I'm quitting because people are just starting to piss me off. You guys realize the reason people don't release stuff to you is because your first reaction, without proof, is saying it's fake. Anyways, good luck with the scene and I hope you guys find something.

Every time someone asks you something technical, you do everything you can to avoid the question. Example: "I've sent it to ... Ask them!"

Also, others don't get called out as fakers because they don't announce they have anything until they have either a lot of credibility or a proof of concept.

You have neither.
 
Anyways, I'm quitting because people are just starting to piss me off. You guys realize the reason people don't release stuff to you is because your first reaction, without proof, is saying it's fake. Anyways, good luck with the scene and I hope you guys find something.
Hello guys, let me say something. I like to respect the people who are working on the PS4 to give us what we are dreaming about (PS4 jaillll), so you have to respect those people. Nice work ryan111, don't give up because of these people. If you believe in yourself, just keep trying bro, you do your best, like SpecterDev, you all do your best guys. So please don't listen to bad words from those people. Best wishes ❤❤ keeeep it up bro, you have people who believe in you and the other real devs ^^

Sorry for my bad English, I try my best ^^
 
STORE.DB is a file generated by the OS X system :p
I don't want to spit on your work. If it's really true, thanks man, don't listen to people, but if it's a fake ... why not, lots of people make fakes ... but it's not great for the community.
Wait & See
 
If it's a lie, I do not understand for what purpose. I know I repeat myself, but this is sick.

Maybe soon we'll get something good, maybe tomorrow, maybe in a few months.
 
If you want to refine your opinion ^^ : https://ghostbin.com/paste/p2knx
(store.db of PS4Work Blog)
Ok, when I go there I see:
Is that a decrypted / unpacked store.db from the PS4Work Blog, or someone else's... yours? :eek:
If it's a lie, I do not understand for what purpose. I know I repeat myself, but this is sick.

Maybe soon we'll get something good, maybe tomorrow, maybe in a few months.
Good question, or if it's not a lie it could be him not knowing what he's doing and thinking he's making progress... I guess time will tell. :coffee:

 
Anyways, I'm quitting because people are just starting to piss me off. You guys realize the reason people don't release stuff to you is because your first reaction, without proof, is saying it's fake. Anyways, good luck with the scene and I hope you guys find something.
If there is no proof, it doesn't exist / is fake, essentially. Especially when the person that provides no proof gets mad that people think something is fake with no proof.
 
All day PS4 dev @ryan111 (PS4Work Blog updates from him HERE and HERE) has been working on a PlayStation 4 4.0 jailbreak, and has come across a "command" in the web browser, about:, that gives you info about it.
Thanks bro Carnavs, this could be proof for those people who don't believe @ryan111. Great work devs, we believe in you, keep it up ^^
Thanks bro Carnavs, this could be proof for those people who don't believe @ryan111. Great work devs, we believe in you, keep it up ^^

Another guy used this WebKit on 3.50
Thanks bro Carnavs, this could be proof for those people who don't believe @ryan111. Great work devs, we believe in you, keep it up ^^


Another guy used this WebKit on 3.50

This isn't
 