Following the OpenOrbis PS4 Toolchain release, developer John Tornblom recently shared Tiny PS4 Shell, a small Telnet server PKG, alongside a 7.55 fork from therootlord, for those in the PlayStation 4 Scene with a jailbroken PS4 who want to send UNIX-like commands to their console for tasks such as decrypting PS4 SELF and SPRX files.

Download: IV0000-BREW00009_00-TELNETSHELL00000.pkg / tiny-ps4-shell-master.zip / GIT / 7.55 Fork GIT / tiny-ps4-shell payloads.rar (Compiled) via @Coco Jones (not working on 7.55 per Etherion)

Here's more from the README.md, as follows:

Tiny PS4 Shell

Tiny-PS4-shell is a small telnet server for the PS4 with a couple of basic UNIX-like commands, e.g., cd, mkdir, stat, etc.

Building

Assuming you have the OpenOrbis PS4 Toolchain installed on your machine, tiny-ps4-shell can be compiled using the following two commands:
Code:
john@localhost:tiny-ps4-shell$ export OO_PS4_TOOLCHAIN=/path/to/open/orbis
john@localhost:tiny-ps4-shell$ make
You can also compile for POSIX-like systems:
Code:
john@localhost:tiny-ps4-shell$ make -f Makefile.posix
john@localhost:tiny-ps4-shell$ ./main_term.bin
Usage

Install the compiled pkg on a PS4 with homebrew and the kexec syscall enabled, launch the application, and telnet to the PS4 (port 2323). There are a handful of rudimentary commands available, e.g., cd, ls, and mkdir. Type help in a connected telnet shell for more information. Below are a couple of commands I have found useful.

To get a list of running processes:
Code:
/$ ps
     PID      PPID     PGID      SID    TTY    COMMAND
       0         0        0        0      -    kernel
       1         0        1        1  ttyu0    mini-syscore.elf
...
To obtain root permissions:
Code:
/$ setuid 0
To escape the initial jailed sandbox:
Code:
/$ jailbreak
To monitor kernel log:
Code:
/$ cat /dev/klog
To decrypt SELF and SPRX files:
Code:
/$ self2elf /mini-syscore.elf /mnt/usb0/mini-syscore.elf
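The session above can be scripted instead of typed into an interactive telnet client. The following is an added example, not code from tiny-ps4-shell or its author: it connects to port 2323 over a raw socket, answers any telnet option negotiation passively (every DO gets a WONT and every WILL a DONT, per RFC 854) so no option is ever enabled, waits for the shell prompt, and runs the README's commands in order (setuid 0, jailbreak, ps, self2elf). It assumes the prompt ends in "$ " like the "/$ " shown above, keys the ps parser on the header row from the listing above, and uses HOST as a placeholder for the console's address.

```python
"""Scripted client for tiny-ps4-shell (telnet on port 2323).

Added example, not part of tiny-ps4-shell. Assumptions: the server speaks
plain telnet (RFC 854) and every option it proposes may be refused; the
prompt ends in "$ " as in the README's "/$ "; HOST is a placeholder.
"""
import re
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
PROMPT_RE = re.compile(rb"(?:^|\n)[^\n]*\$ $")  # a prompt such as "/$ " at buffer end
HOST = "192.168.1.50"                           # placeholder: your PS4's address


def strip_telnet(data: bytes) -> tuple[bytes, bytes, bytes]:
    """Split raw socket bytes into (text, reply, leftover).

    text:     payload with IAC sequences removed (IAC IAC becomes one 0xFF)
    reply:    passive negotiation: DO -> WONT, WILL -> DONT, so neither side
              ever enables a telnet option
    leftover: an incomplete sequence at the end, to prepend to the next read
    """
    text, reply, i, n = bytearray(), bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
        elif i + 1 >= n:                    # lone IAC: wait for more bytes
            break
        elif data[i + 1] == IAC:            # escaped data byte 0xFF
            text.append(IAC)
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            if i + 2 >= n:                  # option byte not here yet
                break
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif data[i + 1] == SB:             # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                               # other 2-byte command (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(reply), data[i:]


def parse_ps(output: str) -> list[dict]:
    """Turn the shell's `ps` table into dicts keyed by its header row.

    COMMAND is the last column, so a line is split into at most len(header)
    fields; the trailing "..." and any echoed command line are skipped.
    """
    lines = output.splitlines()
    start = next((k for k, l in enumerate(lines) if l.split()[:1] == ["PID"]), None)
    if start is None:
        return []
    header = lines[start].split()
    rows = []
    for line in lines[start + 1:]:
        fields = line.split(None, len(header) - 1)
        if len(fields) != len(header):
            continue
        row = dict(zip(header, fields))
        if not all(row[k].isdigit() for k in ("PID", "PPID", "PGID", "SID")):
            continue
        for key in ("PID", "PPID", "PGID", "SID"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


class Ps4Shell:
    """One telnet session with tiny-ps4-shell; run() returns a command's output."""

    def __init__(self, host: str, port: int = 2323, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.leftover = b""
        self.banner = self._read_until_prompt()   # greeting and first prompt

    def _read_until_prompt(self) -> str:
        buf = b""
        while not PROMPT_RE.search(buf):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("tiny-ps4-shell closed the connection")
            text, reply, self.leftover = strip_telnet(self.leftover + chunk)
            if reply:
                self.sock.sendall(reply)       # refuse every option immediately
            buf += text
        return buf.decode("utf-8", "replace")

    def run(self, command: str) -> str:
        """Send one command line and return everything up to the next prompt.
        Not for `cat /dev/klog`: that streams and never prompts again."""
        self.sock.sendall(command.encode() + b"\r\n")
        return self._read_until_prompt()

    def close(self) -> None:
        self.sock.close()


if __name__ == "__main__":
    sh = Ps4Shell(HOST)
    sh.run("setuid 0")           # root, then leave the sandbox, as in the README
    sh.run("jailbreak")
    for proc in parse_ps(sh.run("ps")):
        print(proc["PID"], proc["COMMAND"])
    print(sh.run("self2elf /mini-syscore.elf /mnt/usb0/mini-syscore.elf"))
    sh.close()
```

Because the shell session is not attached to a TTY, there is no Ctrl+C to interrupt a long-running command, so a streaming command like cat /dev/klog should be read straight from the socket rather than through run(), which blocks until the next prompt appears.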
Limitations

The login session is not attached to a TTY, so you cannot signal for, e.g., SIGINT with Ctrl+C. Furthermore, most of the commands are only partially implemented. If you find some limitation extra annoying, file a github issue and perhaps it will be addressed.

Reporting Bugs

If you encounter problems with tiny-ps4-shell, please file a github issue. If you plan on sending pull requests which affect more than a few lines of code, please file an issue before you start to work on your changes. This will allow us to discuss the solution properly before you commit time and effort.

License

Tiny-ps4-shell is licensed under the GPLv3+.
In theory it might be possible to replace the shell that gets loaded by syscore on PS4 by editing registry values (0x7802c801, 0x7802c802) with 1 and the new path.

To be clear, you'd need an exploit chain that runs before syscore is loaded.

From syscore_pathcheck.c:
Code:
// Code that checks the boot-disable flag, then runs the rest of the code
getIntReturn = sceRegMgrGetInt(0x7802c801,&lv_boot_disable);

// Rest of code...
regmgrReturn = sceRegMgrGetStr(0x7802c802,lv_shellcore_pathname,0x100);
tmp_regmgr_pathname = (char *)0x0;
if (regmgrReturn == 0) {
  tmp_regmgr_pathname = (char *)0x0;
  if (lv_shellcore_pathname[0] != '\0') {
    tmp_regmgr_pathname = lv_shellcore_pathname;
  }
}
shellpath_passed_to_spawn = "/system/vsh/SceShellCore.elf";
if (tmp_regmgr_pathname != (char *)0x0) {
  shellpath_passed_to_spawn = tmp_regmgr_pathname;
}

local_b8 = ZEXT816(0x455f0b); // not sure what this is...
execReturn = exec(&local_228,shellpath_passed_to_spawn,local_b8,DAT_00470048);
You could hook it, sure. I was limited on how long a post you can do on Twitter; I was going to explain that option as well.
In the future, to avoid the limit while giving more detail, try something like this: "by editing/hooking registry values (0x7802c801, 0x7802c802) with 1 and the new path."
It appears later in the code that, if boot disable is enabled, decid is spawned, for added info and context. PS: do not try this; this is just research information.
Comments

@Coco Jones
your bins don't work on 7.55. A portscan shows no additional open ports.

Fortunately, john-tornblom released a very early compiled pkg version just a few hours ago. This is the first time I got kernel logging working. It never worked for me with Mira on 7.55.

There are some quirks, but it's easy and simply works:

(screenshot: Y0t6ZTa.jpeg)

Before you issue a command, press Enter 3 times as shown in the pic. Otherwise the command will not work.

There's an error in the github README. It is setuid 0, not seteuid 0.

direct link:
Set telnet negotiation mode to passive to make your first command work instantly. No need to press Enter 3 times.