Hacking PS4 6.20 jailbreak

Kai0

@KiiWii I do not want to put the tinfoil on :). Also, this does not have much to do with my comment.

What I tried to write was that if they fear $onY (or "getting slammed like Geohot"), they could just release anonymously, so that no one can ever be sued (since no one "really" knows where the code/hax originally came from).
In other words: let's say I (Kai0) have found a way to play "up2date" games with my "old" PS4 FW and want to publish it. I can publish it under another name, "X01QW" (or "an0n" or whatever, or, to mock someone, use a "known" hacker name, e.g. "Geohot"), so that no one will know that I (Kai0) wrote that code. In that case no one could sue me (Kai0). The moment code gets published, someone will share it (download and upload it), and then another user will do the same, etc. etc. The origin cannot be traced back. Whatever is/was once online will be online forever (even though some links will be deleted or lost or down or whatever).
 

Mo Poge

@Kai0 they could release privately, but I suspect they could be in cahoots with Save Wizard.

Get your tinfoil hat on:

Think about it: Save Wizard have keys to resign whatever firmware they want. Every time there is an updated FW, SW jumps to it and a day or so later, boom, supported.

They could be decapping, or they could have links. Either way they make money; perhaps their devs are one and the same person who has it in private.

Others like fire30 and theflow0 have hacking history; they are independents who have credentials and have publicly proven themselves (not necessarily around PS4 hax) in the past.

Maybe instead of folks concentrating on cracking PS4 FW, they should look at cracking Save Wizard and getting keys from it? The security for it can't be as complex as the PS4 security.
 

mehrab2603

I expect something to be released after TLoU 2 and Ghost of Tsushima come out, as those are the last major titles on the PS4 and there is no compelling reason to hold off on releasing exploits anymore.
 

MasterJ360

Maybe instead of folks concentrating on cracking PS4 FW, they should look at cracking Save Wizard and getting keys from it? The security for it can't be as complex as the PS4 security.
Save Wizard is server-sided, which already throws a wrench in trying to crack it. The price went down $10 from what it used to be. If you have a good amount of PS4 games it's worth it; heck, there's a way for jailbroken PS4s to dump save files now to use with Save Wizard. There are PS4 trainers, but the problem with those is that they have few cheats and some of them are region/update specific; also, your favorite game may not have trainer support.
 

Mo Poge

Save Wizard is server-sided, which already throws a wrench in trying to crack it. The price went down $10 from what it used to be. If you have a good amount of PS4 games it's worth it; heck, there's a way for jailbroken PS4s to dump save files now to use with Save Wizard. There are PS4 trainers, but the problem with those is that they have few cheats and some of them are region/update specific; also, your favorite game may not have trainer support.

I don't even care about cracking Save Wizard to be able to use it. I'm more interested in how it works with the PS4, according to what @KiiWii said in his last post.

With it being server side, could anything be gained by hex-comparing a save before and after it goes through Save Wizard?
 

MasterJ360

I don't even care about cracking Save Wizard to be able to use it. I'm more interested in how it works with the PS4, according to what @KiiWii said in his last post.

With it being server side, could anything be gained by hex-comparing a save before and after it goes through Save Wizard?
The only thing gained from that would be the values of the said codes, which is something only valuable to coders, but you need to have access to their servers in order to do anything to your save file, since it needs to be uploaded there first. You can hex edit/export encrypted saves through Advance mode; FF7 Remake has tons of custom cheats now, which is how people are able to play as Red XIII.
 

KiiWii

Aren't saves encrypted, so hex-comparing would be worthless?
Absolutely.

@Mo Poge

Don't forget, though, there are plenty of keys on psdevwiki that haven't REALLY been investigated properly.

There is a possibility that there is something there we can use, or methods to "ask Samu nicely" to at least do the dec/enc for us without having to crack anything.
 

godreborn

Absolutely.

@Mo Poge

Don't forget, though, there are plenty of keys on psdevwiki that haven't REALLY been investigated properly.

There is a possibility that there is something there we can use, or methods to "ask Samu nicely" to at least do the dec/enc for us without having to crack anything.

They may also be compressed. I know that Sony likes using zlib compression (78 DA in hex), but in an encrypted state it wouldn't be capable of being decompressed. Anyway, the PS3 and the Vita both use zlib.
 
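The two points made above, that hex-comparing an encrypted save tells you nothing and that a zlib stream announces itself with a 78 DA (or 78 9C) header that only survives while the data is still in the clear, can be shown concretely. What follows is an added example, not code from this thread or from any PS4 tool: a constructed save record is compressed with zlib and then run through a toy keystream that stands in for "encrypted" (the save layout, key and IV are invented, and the cipher is a stand-in, not the console's real scheme). The header check itself follows RFC 1950 and is what a triage script would do before reaching for a hex editor.

```python
"""Triage a save blob: plaintext, zlib-compressed, or opaque (encrypted/unknown).

Added example with a constructed save format; the key, IV and XOR keystream
below are stand-ins that only illustrate what ciphertext looks like in a
hex editor. They are not the console's real save encryption.
"""
import hashlib
import math
import struct
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for structured plaintext, near 8 for compressed OR encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header: CM == 8 (deflate), CINFO <= 7, no preset dictionary, header % 31 == 0.
    This is the check behind 'starts with 78 DA / 78 9C'."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8 or (cmf >> 4) > 7 or flg & 0x20:
        return False
    return ((cmf << 8) | flg) % 31 == 0


def classify(data: bytes) -> str:
    """'zlib' only if the header is valid AND the stream actually inflates;
    otherwise fall back to entropy, which separates plaintext from anything opaque."""
    if looks_like_zlib(data):
        try:
            zlib.decompress(data)
            return "zlib"
        except zlib.error:
            pass  # header matched by chance but the stream did not inflate
    return "plaintext" if shannon_entropy(data) < 6.0 else "opaque"


def toy_keystream_xor(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream keyed by (key, iv).
    A fresh IV per save is what makes two ciphertexts differ everywhere."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + struct.pack(">I", off // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def build_fake_save(gold: int) -> bytes:
    """Constructed plaintext save: magic, version, a 'gold' field, then 1024 inventory records."""
    records = b"".join(struct.pack("<8sII", b"ITEM%04d" % i, i, 1) for i in range(1024))
    return b"SAVE\x00\x01" + struct.pack("<I", gold) + records


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets where two blobs differ: what a before/after hex compare gives you."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo() -> dict:
    key = b"demo-key-not-real"
    before, after = build_fake_save(100), build_fake_save(999)
    comp_before, comp_after = zlib.compress(before, 9), zlib.compress(after, 9)
    enc_before = toy_keystream_xor(comp_before, key, b"iv-before")
    enc_after = toy_keystream_xor(comp_after, key, b"iv-after")
    return {
        "plain_class": classify(before),
        "zlib_class": classify(comp_before),
        "opaque_class": classify(enc_before),
        "zlib_magic": comp_before[:2].hex(),
        "entropy_zlib": round(shannon_entropy(comp_before), 2),
        "entropy_opaque": round(shannon_entropy(enc_before), 2),
        "plain_diff_offsets": diff_offsets(before, after),
        "opaque_diff_count": len(diff_offsets(enc_before, enc_after)),
        "opaque_len": min(len(enc_before), len(enc_after)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when running it. Entropy alone does not separate compressed from encrypted data: both come out near 8 bits per byte, so the useful signal is the structural header check followed by a successful inflate. And changing one field moves exactly two bytes in the plaintext diff, while the "encrypted" pair differs in nearly every byte because the IV changed, which is why a hex compare of a save before and after a resign tells you nothing about which field the tool edited.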

MostlyUnharmful

Aren't saves encrypted, so hex-comparing would be worthless?
Yup, after the PS2 they started putting fucking DRM on the game saves, FFS!

To answer a few questions above: even if the PS5 were a different architecture than the PS4, from the fact that it's allegedly backward compatible, a working exploit could be useful even in an emulated environment/sandbox. I didn't follow the PSP and Vita scene and I'm not bored enough right now to check, but wasn't a jailbreak found on the Vita via the PSP emulator? (OK, I checked. The first Google hit is "Trinity: PSP Emulator Escape", 2019, but I think I read something related much earlier.)

Now, kexploit releases. Well, the common practice is never burn a 0-day, as you never know when you may need one.

IIRC, the exploit for FW 5.50 was released after it was patched, and that happened, again IIRC, because probably one of qwertyoruiop's consoles sent a crash dump or two to Sony's servers. You can probably find a mention of it in one of his tweets. The exploit for FW 4.05 I think was found first by the fail0verflow crew and independently by a Chinese security firm that disclosed it to Sony...
 

godreborn

Yes, what we're doing with the PS4 is bypassing PFS instead of defeating it. That's the nature of exploits now: instead of defeating the security, just find a way to get your foot in the door and let the system do the work. I think PFS is used with saves as well. The Vita uses it as well, with a folder named pfs. I'm not sure if the PS4 uses such a folder. It's part of both games and saves.
 

godreborn

It kinda sucks that there are private exploits, but I do understand the desire to prevent piracy and protect against online cheating. I've thought about updating a few times just so that I can play Final Fantasy VII Remake, but it's not worth it for one game. My system is rare, so it would be a shame to update an already limited edition system.
 

Kai0

Absolutely.

@Mo Poge

Don't forget, though, there are plenty of keys on psdevwiki that haven't REALLY been investigated properly.

There is a possibility that there is something there we can use, or methods to "ask Samu nicely" to at least do the dec/enc for us without having to crack anything.

Something like this: https://www.psdevwiki.com/ps4/Sealedkey_/_pfsSKKey
or maybe "1.1" or "1.2" from this: https://www.psdevwiki.com/ps4/Bugs_&_Vulnerabilities
Syscon access is needed for clock or power slow down.

It kinda sucks that there are private exploits, but I do understand the desire to prevent piracy and protect against online cheating.
Wait, wait, wait... how can you be so sure that there are private exploits? Can you send some info/links, please?
And if so, the reason for not releasing it shouldn't be "the desire to prevent piracy and protect against online cheating", because the argument fails for every previously released exploit ever (for every console). It cannot be like "well, we've changed; we do not want to release exploits anymore, because we do not want people to use piracy and cheats". Because one of the most important reasons for exploits (at least for end users) is the piracy thing. Other parts are just nice to have (at least for end users). And it was/is the same way since forever (for any/every console). Otherwise there would not be a need for public releases. Devs could have fun privately with their own code implementations and whatnot, but without the piracy thing. And we already know they can run their own code (w/o the piracy thing). So they would be satisfied for now. No need to make something public if the reason you have mentioned were true. But guess what...
 

MostlyUnharmful

Wait, wait, wait... how can you be so sure that there are private exploits? Can you send some info/links, please?

We don't have direct proof, only some indirect clues, like kernel dumps or decrypted kernels, for example the build string allegedly extracted from FW 6.50: https://twitter.com/fire30_/status/1104959566247276546?s=21

FWIK, to dump BSD/Linux kernels from a running system, i.e. accessing RAM in kernel context, you need root privileges, so it probably was done using an unknown/private kexploit.

Now, about the reasons for not releasing an exploit: this always depends on the individuals, but again, security researchers don't usually burn 0-days, and FWIK Sony doesn't offer bounties.

So why risk getting sued by a corporation when, for a security researcher, it is better to claim to have pwned a console, as it looks good on a CV (look for example at "vpikhur": he joined an Oracle security team after his "rest mode attack", coincidence?). That's why they go public about them. Also, I think they have fun trolling all the whining kids... (* ^ v ^ *)
 

MasterJ360

Online cheating isn't much of an excuse if they keep the k-exploit at least 1-2 firmwares below the latest. Sure, piracy will be frowned upon, but if that's what's truly holding back a release, then why even bother mentioning that it's in private? Just keep it to themselves without Twitter followers knowing it exists; it would save them the hassle of others begging for one. I mean, they shot themselves in the foot there b/c media attention is important. Piracy is bad, but homebrew emulation is OK? There's a good amount of contradiction riding on that, b/c you still have to get the said ROMs illegally to work/patch on the PS4.
 

Mo Poge

Thanks for educating me, guys. I obviously know little about cracking and even less about PS4 save files! :rofl2: :sad: But there must be a way to get at the pertinent info if there are kexploits in private. :unsure:
 
