Following the OpenOrbis PS4 Toolchain release, developer John Tornblom recently shared Tiny PS4 Shell, a small Telnet server PKG, alongside a 7.55 fork from therootlord, for those in the PlayStation 4 scene with a jailbroken PS4 who want to send UNIX-like commands to their console for tasks such as decrypting PS4 SELF and SPRX files.
Download: IV0000-BREW00009_00-TELNETSHELL00000.pkg / tiny-ps4-shell-master.zip / GIT / 7.55 Fork GIT / tiny-ps4-shell payloads.rar (Compiled) via @Coco Jones (not working on 7.55 per Etherion)

Here's more from the README.md, as follows:

Tiny PS4 Shell

Tiny-PS4-shell is a small telnet server for the PS4 with a couple of basic UNIX-like commands, e.g., cd, mkdir, stat, etc.

Building

Assuming you have the OpenOrbis PS4 Toolchain installed on your machine, tiny-ps4-shell can be compiled using the following two commands:

Code:
john@localhost:tiny-ps4-shell$ export OO_PS4_TOOLCHAIN=/path/to/open/orbis
john@localhost:tiny-ps4-shell$ make

You can also compile for POSIX-like systems:

Code:
john@localhost:tiny-ps4-shell$ make -f Makefile.posix
john@localhost:tiny-ps4-shell$ ./main_term.bin

Usage

Install the compiled pkg on a PS4 with homebrew and the kexec syscall enabled, launch the application, and telnet to the PS4 (port 2323). There are a handful of rudimentary commands available, e.g., cd, ls, and mkdir. Type help in a connected telnet shell for more information. Below are a couple of commands I have found useful.

To get a list of running processes:

Code:
/$ ps
PID  PPID  PGID  SID  TTY    COMMAND
0    0     0     0    -      kernel
1    0     1     1    ttyu0  mini-syscore.elf
...

To obtain root permissions:

Code:
/$ setuid 0

To escape the initial jailed sandbox:

Code:
/$ jailbreak

To monitor the kernel log:

Code:
/$ cat /dev/klog

To decrypt SELF and SPRX files:

Code:
/$ self2elf /mini-syscore.elf /mnt/usb0/mini-syscore.elf

Limitations

The login session is not attached to a TTY, so you cannot signal for, e.g., SIGINT with Ctrl+C. Furthermore, most of the commands are only partially implemented. If you find some limitation extra annoying, file a GitHub issue and perhaps it will be addressed.

Reporting Bugs

If you encounter problems with tiny-ps4-shell, please file a GitHub issue. If you plan on sending pull requests which affect more than a few lines of code, please file an issue before you start to work on your changes. This will allow us to discuss the solution properly before you commit time and effort.

License

Tiny-ps4-shell is licensed under the GPLv3+.

In theory it might be possible to replace the shell that gets loaded by syscore on PS4 by editing registry values (0x7802c801, 0x7802c802) with 1 and the new path.

To be clear, you'd need an exploit chain that runs before syscore is loaded.

From syscore_pathcheck.c:

Code:
// Random code that checks and then runs the rest of the code
getIntReturn = sceRegMgrGetInt(0x7802c801, &lv_boot_disable);
// Rest of code...
regmgrReturn = sceRegMgrGetStr(0x7802c802, lv_shellcore_pathname, 0x100);
tmp_regmgr_pathname = (char *)0x0;
if (regmgrReturn == 0) {
    tmp_regmgr_pathname = (char *)0x0;
    if (lv_shellcore_pathname[0] != '\0') {
        tmp_regmgr_pathname = lv_shellcore_pathname;
    }
}
shellpath_passed_to_spawn = "/system/vsh/SceShellCore.elf";
if (tmp_regmgr_pathname != (char *)0x0) {
    shellpath_passed_to_spawn = tmp_regmgr_pathname;
}
local_b8 = ZEXT816(0x455f0b); // not sure what this is...
execReturn = exec(&local_228, shellpath_passed_to_spawn, local_b8, DAT_00470048);

You could hook it, sure. I was limited on how long of a post you can do on Twitter; I was gonna explain that option as well.

In the future, to avoid the limit while giving more detail, try something like this: "by editing/hooking registry values (0x7802c801, 0x7802c802) with 1 and the new path."

It appears later in the code, if boot disable is enabled, then decid is spawned, for added info and context. PS: do not try this, this is just research information.
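Added example (not code from this page, from the tiny-ps4-shell project, or from Sony's syscore): it re-implements the path-selection logic visible in the decompiled snippet above against a constructed in-memory registry, to show that any non-empty string in key 0x7802c802 replaces the default shell path without validation, and places beside it the kind of allowlist check a loader would want before trusting a path read from mutable configuration. The mock registry, the set_mock_shell_path helper and the /system/vsh/ prefix allowlist are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Registry ID quoted on the page; the in-memory "registry" below is a mock. */
#define REG_SHELLCORE_PATH 0x7802c802
#define DEFAULT_SHELL      "/system/vsh/SceShellCore.elf"
#define TRUSTED_PREFIX     "/system/vsh/"   /* allowlist: an assumption */

static char mock_reg_shell_path[0x100];     /* constructed registry value */
/* Mock of sceRegMgrGetStr(id, buf, len): returns 0 on success like the real one. */
static int mock_sceRegMgrGetStr(unsigned id, char *buf, size_t len) {
    if (id != REG_SHELLCORE_PATH) return -1;
    strncpy(buf, mock_reg_shell_path, len - 1);
    buf[len - 1] = '\0';
    return 0;
}

/* Mirrors the decompiled logic: a non-empty registry string replaces the
 * hard-coded default shell path, with no validation of where it points. */
const char *select_shell_path(char *buf, size_t len) {
    const char *chosen = DEFAULT_SHELL;
    if (mock_sceRegMgrGetStr(REG_SHELLCORE_PATH, buf, len) == 0 && buf[0] != '\0')
        chosen = buf;
    return chosen;
}

/* Hardened variant (an assumption, not Sony's code): accept an override only
 * if it stays under the trusted system directory and has no ".." component. */
const char *select_shell_path_checked(char *buf, size_t len) {
    const char *chosen = select_shell_path(buf, len);
    if (strncmp(chosen, TRUSTED_PREFIX, strlen(TRUSTED_PREFIX)) != 0 ||
        strstr(chosen, "..") != NULL)
        return DEFAULT_SHELL;   /* reject the override, fall back to default */
    return chosen;
}

/* Sets the constructed registry value so the demo and tests can vary it. */
void set_mock_shell_path(const char *path) {
    strncpy(mock_reg_shell_path, path, sizeof mock_reg_shell_path - 1);
    mock_reg_shell_path[sizeof mock_reg_shell_path - 1] = '\0';
}

int main(void) {
    char buf[0x100];
    set_mock_shell_path("/mnt/usb0/alt_shell.elf");   /* constructed override */
    printf("unchecked: %s\n", select_shell_path(buf, sizeof buf));
    printf("checked:   %s\n", select_shell_path_checked(buf, sizeof buf));
    return 0;
}
```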