Hacking Public DLClose Exploit - 1.76 Only

SonyUSA

We're all mad here
OP
Editorial Team
** Updates! **

You can now execute DLClose directly from PS4-Playground, and it will auto-load Linux as long as you have the bzImage and initramfs on a FAT32-formatted USB stick plugged into your PS4!


Grab these 2 files and throw them on a FAT32 USB stick/drive:
http://kr105.com/ps4kerneltest/

Fire up PS4-Playground and click Load! on the Linux Loader:
https://github.com/CTurt/PS4-playground


I've included the source files below. You'll need to change your IP in the source if you want debug output, and compile it against the includes from the Open Source PS4-SDK (not the official one).

Update: Updated with completed code (For real real this time!)
PS4-dlclose-master.rar contains a ready-to-go version of the .bin file for use with PS4-Playground. Your PC MUST be at 192.168.1.69 for it to receive any TCP data with the listener included in the PS4Tools. The modified versions of the Wifi sender and Listener are from fx0day and give you the option to set the PS4's IP/port without having to recompile the code every time it changes.

Use TCPDump like this:
TCPdump 9023 log.bin

And use Wifi-Loader like this:
WIFI-Loader 192.168.0.14 9023 dlclose.bin
Change the IP to your PS4's IP, though!
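The TCPDump listener above is the receiving half of the debug channel: the PS4 opens a TCP connection to the PC on port 9023 and the PC appends whatever arrives to log.bin. The block below is an added example (not the PS4Tools code) that reproduces that receive-and-log loop in Python on the loopback interface; the tool's exact behaviour and the sample log lines are assumptions.

```python
import os
import socket
import tempfile
import threading


class DebugListener:
    """Bind a TCP listener and append everything one peer sends to a log file.
    Stand-in for 'TCPdump 9023 log.bin' (assumed behaviour, not the tool's source)."""

    def __init__(self, host: str, port: int, log_path: str):
        self.log_path = log_path
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]  # real port when port=0 was asked for

    def serve_one(self, timeout: float = 5.0) -> int:
        """Accept one connection, log until the peer closes, return bytes written."""
        self.sock.settimeout(timeout)
        total = 0
        try:
            conn, _peer = self.sock.accept()
            with conn, open(self.log_path, "ab") as log:
                conn.settimeout(timeout)
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:          # peer closed: end of this debug session
                        break
                    log.write(chunk)
                    total += len(chunk)
        finally:
            self.sock.close()
        return total


def send_debug(host: str, port: int, payload: bytes) -> None:
    """Console side: connect to the PC listener and write the debug text."""
    with socket.create_connection((host, port), timeout=5.0) as c:
        c.sendall(payload)


def demo(lines=(b"[+] Starting...\n", b"[+] UID = 1\n")) -> tuple:
    """Run sender and listener in-process on loopback; return (bytes, log contents).
    The default lines are constructed sample output, not captured from a console."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log.bin")
        listener = DebugListener("127.0.0.1", 0, path)
        sender = threading.Thread(target=send_debug,
                                  args=("127.0.0.1", listener.port, b"".join(lines)))
        sender.start()
        count = listener.serve_one()
        sender.join()
        with open(path, "rb") as f:
            data = f.read()
    return count, data
```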

SonyUSA

We're all mad here
OP
Editorial Team
Update! Yahoo! It works!

Code:
KXploit by Thunder07
Patched up by balika011
Special thanks to:
    Cturt, BigBoss and Twisted
    [+] Starting...
    [+] UID = 1
mapping pointer = 200dac000
Craft knote Structure
fd = 3840
queue created = 6600000f01
queue created = 6700000f02
queue created = 6800000f03
queue created = 6900000f04
queue created = 6a00000f05
queue created = 6b00000f06
queue created = 6c00000f07
queue created = 6d00000f08
queue created = 6e00000f09
queue created = 6f00000f0a
queue created = 7000000f0b
queue created = 7100000f0c
queue created = 7200000f0d
queue created = 7300000f0e
queue created = 7400000f0f
queue created = 7500000f10
queue created = 7600000f11
queue created = 7700000f12
queue created = 7800000f13
queue created = 7900000f14
queue created = 7a00000f15
queue created = 7b00000f16
queue created = 7c00000f17
queue created = 7d00000f18
queue created = 7e00000f19
queue created = 7f00000f1a
queue created = 8000000f1b
queue created = 8100000f1c
queue created = 8200000f1d
queue created = 8300000f1e
queue created = 8400000f1f
queue created = 8500000f20
queue created = 8600000f21
queue created = 8700000f22
queue created = 8800000f23
queue created = 8900000f24
queue created = 8a00000f25
queue created = 8b00000f26
queue created = 8c00000f27
queue created = 8d00000f28
queue created = 8e00000f29
queue created = 8f00000f2a
queue created = 9000000f2b
queue created = 9100000f2c
queue created = 9200000f2d
queue created = 9300000f2e
queue created = 9400000f2f
queue created = 9500000f30
queue created = 9600000f31
queue created = 9700000f32
queue created = 9800000f33
queue created = 9900000f34
queue created = 9a00000f35
queue created = 9b00000f36
queue created = 9c00000f37
queue created = 9d00000f38
queue created = 9e00000f39
queue created = 9f00000f3a
queue created = a000000f3b
queue created = a100000f3c
queue created = a200000f3d
queue created = a300000f3e
queue created = a400000f3f
queue created = a500000f40
queue created = a600000f41
queue created = a700000f42
queue created = a800000f43
queue created = a900000f44
queue created = aa00000f45
queue created = ab00000f46
queue created = ac00000f47
queue created = ad00000f48
queue created = ae00000f49
queue created = af00000f4a
queue created = b000000f4b
queue created = b100000f4c
queue created = b200000f4d
queue created = b300000f4e
queue created = b400000f4f
queue created = b500000f50
queue created = b600000f51
queue created = b700000f52
queue created = b800000f53
queue created = b900000f54
queue created = ba00000f55
queue created = bb00000f56
queue created = bc00000f57
queue created = bd00000f58
queue created = be00000f59
queue created = bf00000f5a
queue created = c000000f5b
queue created = c100000f5c
queue created = c200000f5d
queue created = c300000f5e
queue created = c400000f5f
queue created = c500000f60
queue created = c600000f61
queue created = c700000f62
queue created = c800000f63
queue created = c900000f64
m kernelAllocation:
queue created = ca00000f65
m2 kernelAllocation:
queue created = cb00000f66
Trigger sceKernelDeleteEqueue
Calling sys_dynlib_prepare_dlclose
moment of truth
Trigger sceKernelDeleteEqueue
    [+] Entered kernel payload!
    [+] Rooted and Jailbroken!
    [+] Escaped from the sandbox!
    [+] Kernel patch success!
         Hi GBATemp!

I'll attach a compiled version to the OP. Keep in mind, though, this doesn't -do- anything yet, and your receiving computer needs to be at 192.168.1.69 to receive any data over TCP!
 

Vappy

Well-Known Member
Member
Any idea which fw the dlclose exploit was patched at? I remember hearing it was somewhere between 2.00 and 2.50.
 

SonyUSA

We're all mad here
OP
Editorial Team
Any idea which fw the dlclose exploit was patched at? I remember hearing it was somewhere between 2.00 and 2.50.

That sounds right, and I remember reading a day or two ago that newer webkit entry points (not through the browser, but some other PS4 function) were possible up to the latest firmware, so it may open the window for people who are in that range! :3

I know some people have to DNS-redirect the user manual if they weren't on PSN with the PS4 before/when 1.76 was the current firmware in order to load .bin files, so maybe that's what they are referring to.
 

Vappy

Well-Known Member
Member
That sounds right, and I remember reading a day or two ago that newer webkit entry points (not through the browser, but some other PS4 function) were possible up to the latest firmware, so it may open the window for people who are in that range! :3
That'd be good, 1.76 being over a year and a half old means it'd be difficult to track one down these days. 2.04, maybe slightly less so. Of course, there's always the possibility of an exploit for more recent firmwares, but who knows how long that might take to become public, if ever.
 

Angel_Rejects

Member
Newcomer
I'm trying to get the dlclose kernel exploit working using WiFi Loader and TCPDump, but when I open the exploit using WiFi Loader with the command in cmd, it says "not enough system memory" after it says "executing" on the PS4 Playground webkit. What am I doing? And I want to use TCPDump, but I don't know how to use it. I open TCPDump using cmd and type in the command TCPdump 9023 log.bin, and it freezes the cmd. I'm on 1.76. I'm using PS4 Playground using the user redirect Google method.
 

SonyUSA

We're all mad here
OP
Editorial Team
If the IP on your PC isn't 192.168.1.69 it won't be able to open the socket connection. If you are just trying to run it without doing anything else, there isn't any point... :P
 

spotanjo3

Well-Known Member
Member
What version firmware do brand new PS4s get shipped with? I might go and buy one tomorrow if they're under 1.76.

No, save your time. They are exploitable for recent firmwares... 2.00 to 2.50 right now, but possibly under 3.15 from some sources too. I have a 2.57. It is too early to say for now.
 

Deleted member 333767

Well-Known Member
Member
No, save your time. They are exploitable for recent firmwares... 2.00 to 2.50 right now, but possibly under 3.15 from some sources too. I have a 2.57. It is too early to say for now.

But if I bought a PS4 tomorrow and left it in its packaging, I'll have a better chance of having an exploitable firmware, since the code is out in the wild now and Sony will be working on patching the vulnerability....
 

SonyUSA

We're all mad here
OP
Editorial Team
But if I bought a PS4 tomorrow and left it in its packaging, I'll have a better chance of having an exploitable firmware, since the code is out in the wild now and Sony will be working on patching the vulnerability....

All of the currently (publicly) known ways of accessing the kernel have been patched already, so there isn't much point in hoarding a current-firmware PS4...
 

spotanjo3

Well-Known Member
Member
But if I bought a PS4 tomorrow and left it in its packaging, I'll have a better chance of having an exploitable firmware, since the code is out in the wild now and Sony will be working on patching the vulnerability....

No, if you buy a PS4 tomorrow, the firmware will be the latest one and it won't be exploitable at all. Only lower will do. At least 3.15 or lower is a good opportunity, since some sources mention 3.15 or lower to be exploitable, but nobody knows for sure. For now, 1.76 is the lowest firmware to be in fact exploitable. I have 2.57 and I leave it alone. I believe it is exploitable, so just wait and see. :)
 
