Hacking PS4 6.70 Research

ryuutseku85 · Dec 6, 2019

Jonna said:
This is a super nice thread. No one saying to the OP "you fool, you're new, how could you possibly accomplish anything more than people with years of experience" nor the OP saying "this should be easy, why didn't they think of this, I'll get this done super quick."

Just a nice series of the OP trying to get somewhere with positivity of some progress, and every one else being encouraging with compliments and ideas. Very nice.

Hi,
Honestly it great to see that no one is decouraging me.

So where am i today ?
Not so far, because my work keeping me far away from my ps4... I Just manage thé retrieve thé fw_ver, and here i stop the hype of all noobs, no i don't get acess to thé console i only retrieve the user agent and use substring to get it.

My goal is to auto select the exploit to load depending on the fw

If i try to recreate the 6.20 exploit, is someone here willing to be my tester ? I put a warning on this : i never donne that before so it's at your own risk and i can't be blâme if something goes wrong.

See ya

KiiWii · Dec 6, 2019

ryuutseku85 said:
Hi,
Honestly it great to see that no one is decouraging me.

So where am i today ?
Not so far, because my work keeping me far away from my ps4... I Just manage thé retrieve thé fw_ver, and here i stop the hype of all noobs, no i don't get acess to thé console i only retrieve the user agent and use substring to get it.

My goal is to auto select the exploit to load depending on the fw

If i try to recreate the 6.20 exploit, is someone here willing to be my tester ? I put a warning on this : i never donne that before so it's at your own risk and i can't be blâme if something goes wrong.

See ya

user agent fw string is what we used in x-project to determine firmware.

Feel free to checkout the code implementation we came up with, all the source is in the HTML.

My unfinished project from October last year “KrakHEN” was exactly as you described, however I was working to make it a one-pager rather than page redirection; which is what LightningModz did on his site around December last year. I got so far and didn’t find time to finish it.

FWIW I have a Testkit, so feel free to send through anything you figure out

ryuutseku85 · Dec 11, 2019

Hi to all,

i try to recreate the 6.20 exploit by Specter but it's not simple since i have only a 6.70 PS4.

I have some questions:

1-The exploit is patched in 6.50 but the 6.00 and 6.70 FW webkit are 605.1.15 so why is this not working?
2-If i try to make myself a browser with this webkit , will i be able to run the exploit (i know not at this cause it's made for the ps4) i don't want to waste time on trying this if it's not possible.
3-I really don't understand the return oriented programming thing (i understand that we make a chain to launch our code by triggering gadget one after an other but not how we find those gadgets (by the way i am french with a good level of english , but i think learning something that i don't understand is not helpful) can someone explain me it , even if it's look a dumb question i prefer ask for help on this.

Thanks for the answers you are going to give me (i hope^^)

see ya!

MostlyUnharmful · Dec 11, 2019

ryuutseku85 said:
I have some questions:

1-The exploit is patched in 6.50 but the 6.00 and 6.70 FW webkit are 605.1.15 so why is this not working?

If I'm interpreting the question correctly, patching a vulnerability doesn't mean upgrading the application, they could have simply "cherry picked" the relevant modification and backported it to the WebKit version distributed with FW 6.20

2-If i try to make myself a browser with this webkit , will i be able to run the exploit (i know not at this cause it's made for the ps4) i don't want to waste time on trying this if it's not possible.

I suppose you can find a version of Chrome that has that vulnerability, usually it's the other way around, I mean usually a vulnerability is found for Chrome and then ported to PS4. In this case you should search the relevant CVE and eventual PoC.

3-I really don't understand the return oriented programming thing (i understand that we make a chain to launch our code by triggering gadget one after an other but not how we find those gadgets (by the way i am french with a good level of english , but i think learning something that i don't understand is not helpful) can someone explain me it , even if it's look a dumb question i prefer ask for help on this.

Manual inspection, but you can find tools that can automate the search of widget, basically you dump a PS4 library, pass it to the tool, find the offsets, defeat the ASLR and find where the library is loaded, use the gadgets, ..., profit.

https://github.com/JonathanSalwan/ROPgadget
https://github.com/t00sh/rop-tool

ryuutseku85 · Dec 17, 2019

Hi to all,

So where am i ?

my research get me to a point that i need to fork:
1- Learning rop and hit my head against a wall ( really don't understand it i need to pratice it but i have nothing to make me)
2- trying to learn more about WEBKIT, i decide to try targetting the JSC(javascript core) and to do so i am trying to compile a debug version of the JSC but since i am on windows (yeah yeah i knox don't hit me please).

I going the second way and will get back to ROP later.

So i gonna research two thing , the first will be the commit of the PS4 6.70 to help me , cause if i get it and i can compile it , it will be much easier for me to work.
(At this time the compilation throw me a fu*****g update vswhere ....)

The second will be to learn more about exploitation.

I think i went to fast on this , i think of rop before exploitation and this is not the right way.

So what have i learn ?

From 6.00 >> 6.71 the webkit was 605.1.15 but the useragent was freeze for certain reason .
The 7.00 is 606.4.6.

thanks to Phrack i am learning some interresting things.

see ya

plasticos201194 · Jan 2, 2020

In case you want to check out the most recent WebKit Exploit for 6.XX to 6.72, you should visit Fire30 twitter.

cyfaws · Jan 2, 2020

Here is the exploit in question, hopefully there's something to learn from it.
https://github.com/Fire30/bad_hoist

Keep hacking away at it @ryuutseku85

RiPPERD · Jan 3, 2020

Jonna said:
This is a super nice thread. No one saying to the OP "you fool, you're new, how could you possibly accomplish anything more than people with years of experience" nor the OP saying "this should be easy, why didn't they think of this, I'll get this done super quick."

Just a nice series of the OP trying to get somewhere with positivity of some progress, and every one else being encouraging with compliments and ideas. Very nice.

very rare on this forum lol

good luck to the OP someone needs to do something.... the hackers always used to be 2 steps ahead of the companies... now they all about 5 years behind them lol... too much money and polotics involved now haha

ryuutseku85 · Jan 6, 2020

Hi to all ,

So where am i ?

i found something and currently exploiting it , but i have a probleme when i get the address of my leak obj ...

i use int64.js from saelo ( thanks a lot !!) and when i try to "add(0x10)" to it, i can't.
the error that i've got is : add is not a function .
so i decided to give it a go with the badhoist exploit and ... it's the same thing .

so if anyone has a clue ...

by the way i have succefully compile 600 to 700 webkit (and it's was a pleasure to learn that there is two thing in it ... the webkit and the javascriptcore that are not at the same version ...)

see ya !!!

plasticos201194 said:
In case you want to check out the most recent WebKit Exploit for 6.XX to 6.72, you should visit Fire30 twitter.

thanks for that but i see it to late XD

KiiWii · Jan 6, 2020

Nice @ryuutseku85

I hope you can leverage this to something bigger.

I found out that 5.05’s ioctls were removed post 5.55, so existing kex “should” work on 5.50-5.55: providing we can get full userland after webkit.

I think 5.5x exploiting should become the main focus for most, (if people genuinely want an achievable slightly higher kernel exploit) unless you’re able to find something newer that works on FBSD.

Keep us updated, and good luck :grog:

ryuutseku85 · Jan 6, 2020

KiiWii said:
Nice @ryuutseku85 I hope you can leverage this to something bigger.

I found out that 5.05’s ioctls were removed post 5.55, so existing kex “should” work on 5.50-5.55: providing we can get full userland after webkit.

I think 5.5x exploiting should become the main focus for most, (if people genuinely want an achievable slightly higher kernel exploit) unless you’re able to find something newer that works on FBSD.

Keep us updated, and good luck

Hi,
Sorry to say this, but i have only a 6.70 on my hand.
To be honest i am not thinking about kex for now, because as this threat mention it : i am learning and try to not give up in front of the task.
Have you any clues for my "add" problem ?

And to show to everyone that i am not only taking there is à little picture

See ya

KiiWii · Jan 6, 2020

ryuutseku85 said:
Hi,
Sorry to say this, but i have only a 6.70 on my hand.
To be honest i am not thinking about kex for now, because as this threat mention it : i am learning and try to not give up in front of the task.
Have you any clues for my "add" problem ?

And to show to everyone that i am not only taking there is à little picture

See ya

Add() appends, are you using it mathematically?

TR_mahmutpek · Jan 6, 2020

Just an advice, if you found kernel exploit, dont release it. Dump newer games, so Sony cant patch it

Anyway, good work!

MostlyUnharmful · Jan 6, 2020

ryuutseku85 said:
so if anyone has a clue ...

Let's see, without a code snippet I suppose you are working with RAM addresses, so you are probably using a "BigInt" object — "Number" objects use an IEEE double precision floating point notation, not a good candidate for it — and according to MDN "The following operators may be used with BigInts (or object-wrapped BigInts): +, *, -, **, %." so:

Code:

a = BigInt(0x123456789);
4886718345n
a + 0x10n;
4886718361n

It's this what you are trying to do? As @KiiWii posted there are a few add() methods/functions for some specific objects like strings and sets, but for number types there are "operators" instead of methods. I'm going by memory and I used too much languages with different syntax and Javascript it's one where I'm less confident so double check my claims... ^__^;

P.S. MDN: Mozilla developers network

ryuutseku85 · Jan 6, 2020

So, i try to give it a go with badhoist and this is where crash:
function setup_obj_leaks() {
g_leaker.leak = false;
g_inline_obj.a = g_leaker;
g_leaker_addr = new Int64(g_confuse_obj["0a"][4], g_confuse_obj["0a"][5]).add(0x10);
debug_log("obj_leaker address @ " + g_leaker_addr);
}

If i use utils.js of fire the struct is not présent
So i get saleo's one but the int64.js are not the same, so i am guessing this is my mistake
But i have no clue how to make it work.

Honestly my head is hurting ^^

TR_mahmutpek said:
Just an advice, if you found kernel exploit, dont release it. Dump newer games, so Sony cant patch it

Anyway, good work!

I dont think i am capable of finding a kex, but thanks for thinking that i can

DaminouTav · Jan 6, 2020

I'm just following this post, and wish you luck, it's nice to see guys wanting to learn and share what he's doing

Thank you

MostlyUnharmful · Jan 6, 2020

Oh, I see, in int64.js they define an Int64 object with a few methods for integer operations.

I didn't want to debug Javascript today, but I nonetheless downloaded the Fire30 "bad_hoist" repository, but on the Chrome version I have here it doesn't trigger anything, on both Chrome and Firefox I only see a couple of the same error (expected as the JS bug was probably fixed last summer). Also, on a vulnerable browser I would expect it to crash a lot as you are trying to exploiting a vulnerability and you don't know the success rate or if it's yet coded to maximize trigger chances...

RiPPERD · Jan 6, 2020

glad to see this is still in progress, keep up the good work be good to see the "hackers" pull a goal back agaist pony

ryuutseku85 · Jan 7, 2020

Hi to all,

just to say hi and drop that here in case that make someone do something about it :

https://github.com/WebKit/webkit/commit/94fa7a86acbb632a282ab9581752661bb2b5b688

ryuutseku85 · Jan 24, 2020

Hi to all,

So where am i ?

i try to get the 6.70 Webkit cause since the begin i work with the 6.50 or 7.00.

Since i don't have any interrest in 6.50 cause i don't own one i let you my research i made with this .

Thanks to liveoverflow for his exelent series on it.

it seems like it was patch in the 6.70, so if you have an adress other than : "[*] 0x7ff8000000000000" it should work .

Thanks you for the support and see y'a all.

Hacking PS4 6.70 Research

Well-Known Member

Editorial Team

Well-Known Member

Well-Known Member

Well-Known Member

Member

Well-Known Member

Well-Known Member

Well-Known Member

Editorial Team

Well-Known Member

Attachments

Editorial Team

medic

Well-Known Member

Well-Known Member

Active Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Attachments

Similar threads

Popular threads in this forum