Exploit revealed by @vpikhur
He made a presentation at the Recon Brussels hacking conference showing the exploit and a demo video.
Apparently his exploit uses a vulnerability in sys_kldload.
He also released the presentation slides later in the day here.
Quoted by wololo.net
According to the developer:
The custom Southbridge silicon, responsible for background downloads while the main SoC is off, didn't help to secure the Playstation 4. We explain how a chain of exploits combined with hardware attacks will allow code to run in the context of the secure bootloader, extract private keys, and sign a custom kernel.
According to the hacker, the sys_kldload exploit still exists in firmware 5.00, potentially more recent firmwares as well.
The important point of the video above is that the hack persists after boot, demonstrating what is probably the very first custom firmware on the PS4.
Sony changed their keys in 5.05, but apparently not the signing process.
The kernel bootloader contains the keys for Rest Mode kernel, which is why it was interesting to get access to it.
How the exploit works is shown in this video.
WHEN ETA??!?!?")=£)/
EDIT 1: Webkit Exploit released! here. It works up to 5.50 beta 3. (tried up to 5.05 myself)
Instructions with localhost
1. Download and install Node.js (LTS version): https://nodejs.org/en/
2. In your start menu there should be a new program called "Node.js command prompt". Open that.
3. The default directory will open to c:\Users\"YOUR_USER_NAME"\
4. Download the zip from GitHub and place it in your user directory mentioned in 3.
5. Rename the folder something easy like "ps4", then run the command "cd ps4" without quotes.
6. Now run the command "npm install" without quotes.
7. Run the command (without quotes): "npm start"
8. Configure your PS4 DNS to point to the IP address of your computer.
9. Run a connection test to trigger a captive portal (i.e. like the screen you get when first logging into a coffee shop or airport wifi. Basically any public wifi).
10. FUCKIN PROFIT (I think)
Last edited by crossholo,