Hacking Couple of Questions

IwearHelmet4Bed

Well-Known Member
OP
Newcomer
Joined
Sep 6, 2018
Messages
58
Trophies
0
Age
36
XP
452
Country
United Kingdom
Excuse my ignorance, I’m not too clued up with things like this.
How do people start learning to exploit kernels on PS4? I know it's not just a case of hooking a PS4 up to a computer; I'd imagine you'd have to do soldering etc. to dump stuff off the PS4, FW etc. So once you have things readily available, how do they actually find the kernel exploits?
Also another question, how are games signed by Sony? What makes a downloaded dumped game transferred to a system not work, is what I’m asking. Some sort of keys I take it?
Like I say I’m a total noob with things like this, any info would be greatly appreciated.
 

MostlyUnharmful

Well-Known Member
Member
Joined
Feb 8, 2018
Messages
408
Trophies
0
Age
40
XP
1,411
Country
Italy
I know it's not just a case of hooking a PS4 up to a computer; I'd imagine you'd have to do soldering etc. to dump stuff off the PS4, FW etc. So once you have things readily available, how do they actually find the kernel exploits?

If you are starting from zero, you need a way to dump the "clear" firmware ("clear" as in not encrypted), and you can't do that by desoldering the EEPROM and placing it on a reader. Fail0verflow a couple of years ago explained how they tapped the PCI Express bus to dump the FreeBSD kernel and the OS libraries (WebKit & Co.).

Today, with FW 5.05 and HEN+Mira, finding and testing an exploit should be quite comfortable, as you could have a debugger working via TCP/IP (to be honest I haven't verified, but that's what I recall of one of the project's goals).

How to find an exploit? You need to get comfortable with the HW architecture you are targeting (in this case the APU is based on an AMD 8 core x86 CPU plus an integrated GPU based on the Radeon 7850), the C language and the architecture's Assembly. Then you need to find a defect that could be exploited to gain execution or increase privileges.

If you want to learn you can start from the basics. I think one of the first articles/papers I read was the "Smashing the stack for fun and profit" article in one of the early issues of the Phrack zine, even if today exploiting buffer overflows directly is quite rare if not impossible (awareness, mitigation techniques like ASLR, NX protection, stack canaries, better tools), but one should start somewhere...
 
Last edited by MostlyUnharmful, Reason: grammar
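To make the "Smashing the stack" defect class concrete for a reader starting from the basics, here is an added example (not code from the thread or from any PS4 project): the unchecked `strcpy()` into a fixed-size stack buffer that the Phrack article describes, shown next to a bounds-checked version that rejects oversized input instead of writing past the buffer. The function names, the 16-byte buffer size and the sample inputs are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the illustration */

/* The defect class from "Smashing the stack for fun and profit": a
 * fixed-size stack buffer filled with strcpy(), which never looks at the
 * destination size. Input longer than NAME_LEN - 1 bytes overwrites
 * whatever sits after the buffer on the stack (saved registers, the return
 * address). Shown for contrast only; it is never called with long input. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bounds check: the bug */
    printf("hello, %s\n", name);
}

/* Hardened copy: the caller passes the real destination size, the input
 * length is checked against it before any byte is written, and the result
 * is always NUL-terminated. Returns true only if the whole input fit;
 * on rejection dst is left as an empty string rather than a partial copy. */
bool copy_name_safe(char *dst, size_t dst_len, const char *input) {
    if (dst == NULL || dst_len == 0 || input == NULL) {
        return false;
    }
    size_t in_len = strlen(input);
    if (in_len >= dst_len) {
        /* Attacker-controlled length must not decide how much stack we write. */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, input, in_len + 1);  /* +1 copies the terminator too */
    return true;
}

/* Same greeting as greet_unsafe, but built on the checked copy. */
bool greet_safe(const char *input) {
    char name[NAME_LEN];
    if (!copy_name_safe(name, sizeof name, input)) {
        printf("rejected: name longer than %d bytes\n", NAME_LEN - 1);
        return false;
    }
    printf("hello, %s\n", name);
    return true;
}

/* Constructed sample inputs: one that fits, one that would overflow. */
static const char *SHORT_INPUT = "phrack";
static const char *LONG_INPUT  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 bytes */

int main(void) {
    greet_safe(SHORT_INPUT);   /* prints the greeting */
    greet_safe(LONG_INPUT);    /* prints the rejection, stack untouched */
    return 0;
}
```

The mitigations the post lists map onto compiler and linker options on a normal toolchain: `-fstack-protector-strong` inserts the stack canaries, `-z noexecstack` (the default on modern GCC/Clang builds) gives the NX stack, and `-fPIE -pie` lets the loader apply ASLR to the executable itself. Those make the unsafe version harder to turn into code execution, but only the bounds check removes the memory-safety bug.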

IwearHelmet4Bed

Well-Known Member
OP
Newcomer
Joined
Sep 6, 2018
Messages
58
Trophies
0
Age
36
XP
452
Country
United Kingdom
Thank you very much for taking the time to explain things, appreciate it greatly.
 