Hacking PS4 6.70 Research

ryuutseku85

Well-Known Member
OP
Member
Joined
Dec 14, 2015
Messages
110
Trophies
0
Age
38
XP
406
Country
France
Hi everyone,

My project is to find a userland exploit for 6.70 (and why not 7.00), and I want to find people who can help me with it.

Why do I want userland and not kernel?

I don't want to be like: "I don't want to do piracy". Of course I would love to play games without buying them, but this type of research is much more a learning process than opening Pandora's box.

My goal is to look at the WebKit (or anything else valuable) and find a way to make a PoC.

For those who want to give it a try and want to know more about me, here is my background:

-C/C++ dev since 2016 (for games and apps)
-PHP/CSS/HTML dev since 2018 (for websites)
-Learning Java at this time
-Python comes next

-For those who have a Wii U, I am the dev of PACMAN WIIU
 

ryuutseku85

Before reading this post, remember that I am learning and a noob in this domain.

Hi to all,

So, it's been 10 days since I started looking into PS4 FW 6.70 to find something.

What I learned:
-The web browser is Mozilla 5.0
-the user agent is AppleWebKit/605.1.15
-this one is vulnerable to a LOT of things already found but not ported to the PS4
-I have to learn ROP

Can someone explain to me how I can set up my PS4 to connect to my PC (I just need to set my PC's IP as the DNS to use my PC as a "gateway") and have a debugger console on my computer to see what happens when I do something?

Hope I will get somewhere, even if this takes me months of searching :)
Never give up
 

Demix

Well-Known Member
Member
Joined
Sep 5, 2018
Messages
203
Trophies
0
Age
32
XP
952
Country
United States
I am also just learning Python and I too thought why not just edit the 5.05 exploit. So what I have learned is the PS4 runs on a virtual machine each time, and before it starts it checks how many fuses are burnt and official code. Every time the PS4 is restarted it runs new official code, so that's why there is no custom ROM.
 

ryuutseku85

> I am also just learning Python and I too thought why not just edit the 5.05 exploit. So what I have learned is the PS4 runs on a virtual machine each time, and before it starts it checks how many fuses are burnt and official code. Every time the PS4 is restarted it runs new official code, so that's why there is no custom ROM.

Hi,

How did you learn that? I am curious.

Thanks for sharing this info.

> Watch M0rph3us1987's talk on PS4.
>
> Sploit dem apps.

Hi,
OK, this is very interesting, thanks a lot.
 

Demix

From here, asking more than just when the next hack is. I suggested a NAND wipe to downgrade and I was told the PS4 has X amount of fuses that they burn with each update. I've asked why no custom firmware like with the PSP and was told not possible, which also explains why you need to re-hack the PS4 each time.
 

MostlyUnharmful

Well-Known Member
Member
Joined
Feb 8, 2018
Messages
410
Trophies
0
Age
42
XP
1,446
Country
Italy
> From here, asking more than just when the next hack is. I suggested a NAND wipe to downgrade and I was told the PS4 has X amount of fuses that they burn with each update. I've asked why no custom firmware like with the PSP and was told not possible, which also explains why you need to re-hack the PS4 each time.

According to our own @mathieulh — you must admit he has a pretty good record with his claims ^__^ — eFuse FW rollback prevention on PS4 is total bullshit...

https://twitter.com/mathieulh/status/900686624438312961?lang=en
 

Demix

If that is true, then why can't you NAND-erase a PS4 and do a complete system restore from, say, a 5.05 image?
 

MostlyUnharmful

> If that is true, then why can't you NAND-erase a PS4 and do a complete system restore from, say, a 5.05 image?

Really? A reasonable explanation was given in the link above, if you had bothered to check:

> Downgrading is prevented using hashes in syscon's NVS, revocation lists (on PS4/PS Vita) and stripping PUP header keys from existing modules

P.S. NVS: non-volatile storage

Few people have analyzed the boot process of the PS4; if one of them claims that eFuses aren't used to prevent FW downgrade, you should trust them or prove them wrong by doing your own research.

Here is another link that you surely would check: https://fail0verflow.com/blog/2018/ps4-syscon/
 

Demix

Well, just because I've read something doesn't mean I understood it. I used my experience of NAND-erasing phones to reinstall any firmware, and I've downgraded a PSP with a Pandora battery and magic memory. I have no idea what a syscon is, or header keys or modules. The educated guess I can make is that the PS4 is exactly like the Wii U, it just needs a PS4 USB helper and redNAND.
 

smf

Well-Known Member
Member
Joined
Feb 23, 2009
Messages
6,638
Trophies
2
XP
5,834
Country
United Kingdom
> Well, just because I've read something doesn't mean I understood it. I used my experience of NAND-erasing phones to reinstall any firmware, and I've downgraded a PSP with a Pandora battery and magic memory. I have no idea what a syscon is, or header keys or modules. The educated guess I can make is that the PS4 is exactly like the Wii U, it just needs a PS4 USB helper and redNAND.

If you don't understand, then how can you make an educated guess?

The PS4 is not exactly like the Wii U.

There have been rumors of a successful downgrade, but it doesn't seem to help if you are already > 5.05.
Loading a later firmware from emuNAND on a 5.05 console might be possible.
Exploiting later firmware is probably possible, although it's going to keep getting harder.

But there is nothing that suggests a permanent exploit is possible.

You can already install games onto USB.
 

Demix

Educated guess based on what I've been exposed to. You can put games on USB on the Xbox 360, but the only way to hack the console is to JungleFlash the drive or use a modchip. If PlayStations can be software modded, then Xboxes have never been softmodded. Another thing I've been exposed to is that only 1 or 2 people did all the work and they were upset with the lack of help. Wololo even states 1 person claimed to have decrypted 5.55 but refused to share it 2 or 3 years ago. I've been hearing that if they expose their secret, Sony is gonna patch it and it's back to 0.
 

ryuutseku85

Hi everyone,

So, where am I?

I have learned JavaScript to understand how the previous vulnerabilities work.
I am now heading in the direction of learning ROP to understand how to build one.
I have found the source of the WebKit (6.00 and 6.70) and will look at it next week.

So, yeah... nothing exciting done here yet, but who knows, maybe I will find a vulnerability... or not.


See ya!
 

Darksabre72

Blue Falcon
Member
Joined
Nov 26, 2016
Messages
652
Trophies
0
XP
1,838
Country
United States
> Hi everyone,
>
> So, where am I?
>
> I have learned JavaScript to understand how the previous vulnerabilities work.
> I am now heading in the direction of learning ROP to understand how to build one.
> I have found the source of the WebKit (6.00 and 6.70) and will look at it next week.
>
> So, yeah... nothing exciting done here yet, but who knows, maybe I will find a vulnerability... or not.
>
> See ya!

Good luck :)
 

KiiWii

Editorial Team
Editorial Team
Joined
Nov 17, 2008
Messages
16,544
Trophies
3
Website
defaultdnb.github.io
XP
26,785
Country
United Kingdom
> Hi everyone,
>
> So, where am I?
>
> I have learned JavaScript to understand how the previous vulnerabilities work.
> I am now heading in the direction of learning ROP to understand how to build one.
> I have found the source of the WebKit (6.00 and 6.70) and will look at it next week.
>
> So, yeah... nothing exciting done here yet, but who knows, maybe I will find a vulnerability... or not.
>
> See ya!

Excellent work.

Though you don't exactly need to find a new vuln (though you could), just an alternate way to break out of the sandbox.

Existing 5.05 sploit should work up to even 7.00 once out of the sandbox: https://github.com/Cryptogenic/Expl....05 BPF Double Free Kernel Exploit Writeup.md
 

KiiWii

> There have been rumors of a successful downgrade, but it doesn't seem to help if you are already > 5.05.
> Loading a later firmware from emuNAND on a 5.05 console might be possible.
> Exploiting later firmware is probably possible, although it's going to keep getting harder.
>
> But there is nothing that suggests a permanent exploit is possible.

Hardware KBL mods exist in private too ;)

Apparently if your console has ever been lower than or equal to 5.05, a downgrade back to that should be viable using syscon.
 

ryuutseku85

> Excellent work.
>
> Though you don't exactly need to find a new vuln (though you could), just an alternate way to break out of the sandbox.
>
> Existing 5.05 sploit should work up to even 7.00 once out of the sandbox: https://github.com/Cryptogenic/Exploit-Writeups/blob/master/FreeBSD/PS4 5.05 BPF Double Free Kernel Exploit Writeup.md

Hi, thanks for this, I will look at it.

Can you explain to me what this sandbox is, please?

--------------------- MERGED ---------------------------

> And it is still far from being finished

Yes indeed, but... I am doing something.
 

IwearHelmet4Bed

Well-Known Member
Newcomer
Joined
Sep 6, 2018
Messages
63
Trophies
0
Age
39
XP
639
Country
United Kingdom
> Hi, thanks for this, I will look at it.
>
> Can you explain to me what this sandbox is, please?
>
> --------------------- MERGED ---------------------------
>
> Yes indeed, but... I am doing something.

https://en.m.wikipedia.org/wiki/Sandbox_(software_development)

That's a definition of Sandbox.

--------------------- MERGED ---------------------------

> Hardware KBL mods exist in private too ;)
>
> Apparently if your console has ever been lower than or equal to 5.05, a downgrade back to that should be viable using syscon.

Is that what fail0verflow have been/are working on? I haven't heard any updates on it yet.
 

Jonna

Some sort of musician.
Member
Joined
May 15, 2015
Messages
1,231
Trophies
1
Age
35
Location
Canada
Website
twitter.com
XP
3,111
Country
Canada
This is a super nice thread. No one saying to the OP "you fool, you're new, how could you possibly accomplish anything more than people with years of experience", nor the OP saying "this should be easy, why didn't they think of this, I'll get this done super quick."

Just a nice series of the OP trying to get somewhere with the positivity of some progress, and everyone else being encouraging with compliments and ideas. Very nice.
 
