Hacking Couple of Questions

IwearHelmet4Bed (OP)
Excuse my ignorance, I'm not too clued up with things like this.
How do people start learning to exploit kernels on the PS4? I know it's not just a case of hooking a PS4 up to a computer; I'd imagine you'd have to do soldering etc. to dump stuff off the PS4, FW etc. So once you have things readily available, how do they actually find the kernel exploits?
Also another question: how are games signed by Sony? What makes a downloaded dumped game transferred to a system not work, is what I'm asking. Some sort of keys, I take it?
Like I say, I'm a total noob with things like this; any info would be greatly appreciated.
 

MostlyUnharmful
I know it's not just a case of hooking a PS4 up to a computer; I'd imagine you'd have to do soldering etc. to dump stuff off the PS4, FW etc. So once you have things readily available, how do they actually find the kernel exploits?

If you are starting from zero, you need a way to dump the "clear" firmware ("clear" as in not encrypted), and you can't do that by desoldering the EEPROM and placing it in a reader. Fail0verflow a couple of years ago explained how they tapped the PCI Express bus to dump the FreeBSD kernel and the OS libraries (WebKit & Co.).

Today, with FW 5.05 and HEN+Mira, finding and testing an exploit should be quite comfortable, as you should have a debugger working via TCP/IP (to be honest I haven't verified, but that's what I recall being one of the project's goals).

How to find an exploit? You need to get comfortable with the HW architecture you are targeting (in this case the APU is based on an AMD 8-core x86 CPU plus an integrated GPU based on the Radeon 7850), the C language and the architecture's assembly. Then you need to find a defect that could be exploited to gain execution or increase privileges.

If you want to learn you can start from the basics. I think one of the first articles/papers I read was "Smashing the Stack for Fun and Profit" in one of the early issues of the Phrack zine, even if today exploiting buffer overflows directly is quite rare if not impossible (awareness, mitigation techniques like ASLR, NX protection, stack canaries, better tools), but one should start somewhere...
 
Last edited by MostlyUnharmful. Reason: grammar
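To make the "Smashing the Stack" point concrete, and to show why the mitigations mentioned above (stack canaries, bounds checks) matter, here is an added example written for this page; it is not code from the post, from the PS4 scene, or from any real target. The frame layout is an assumption chosen for illustration: one overflowable local, the compiler's canary above it, and a privilege flag above that, modelled as a struct so every write stays inside memory the program owns and the result is deterministic (on a real x86 stack the same copy would run on into the saved frame pointer and return address). The canary value is also an assumption; a real stack protector draws it at startup.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout for illustration: an overflowable local, the
 * stack-protector canary, then a privilege flag. Real compilers lay out
 * locals as they see fit; the struct makes this demo deterministic. */
struct frame {
    char     name[16];
    uint32_t canary;
    int      is_admin;
};

#define CANARY_VALUE 0xDEADBEEFu   /* assumed secret; real ones are random per run */

/* Clamp only so the demo never writes outside the struct; the bug it models
 * (strcpy into name[]) has no bound at all. */
static size_t clamp(size_t len)
{
    return len > sizeof(struct frame) ? sizeof(struct frame) : len;
}

/* Vulnerable: unbounded copy of attacker input into the frame. */
static int vuln_login(const uint8_t *input, size_t len)
{
    struct frame f = { {0}, CANARY_VALUE, 0 };
    memcpy(&f, input, clamp(len));
    return f.is_admin;          /* attacker-controlled once len > 16 */
}

/* Same bug with a stack protector: the canary is checked before anything in
 * the frame is trusted, which is what -fstack-protector inserts. */
static int canary_login(const uint8_t *input, size_t len)
{
    struct frame f = { {0}, CANARY_VALUE, 0 };
    memcpy(&f, input, clamp(len));
    if (f.canary != CANARY_VALUE)
        return -1;              /* stands in for __stack_chk_fail(): abort, don't continue */
    return f.is_admin;
}

/* Fixed: validate the length against the destination before copying. */
static int fixed_login(const uint8_t *input, size_t len)
{
    struct frame f = { {0}, CANARY_VALUE, 0 };
    if (len >= sizeof f.name)
        return -2;              /* reject oversized input instead of truncating silently */
    memcpy(f.name, input, len);
    f.name[len] = '\0';
    return f.is_admin;
}

/* Constructed attacker input: fill name[], overwrite the canary with a guess,
 * then set is_admin to 1. Returns the payload length. */
static size_t build_payload(uint8_t *out, uint32_t canary_guess)
{
    int one = 1;
    memset(out, 'A', offsetof(struct frame, canary));
    memcpy(out + offsetof(struct frame, canary), &canary_guess, sizeof canary_guess);
    memcpy(out + offsetof(struct frame, is_admin), &one, sizeof one);
    return offsetof(struct frame, is_admin) + sizeof one;
}

int main(void)
{
    uint8_t payload[sizeof(struct frame)];
    size_t n = build_payload(payload, 0x41414141u);    /* attacker does not know the canary */
    printf("vuln   : %d\n", vuln_login(payload, n));   /* 1: privilege gained */
    printf("canary : %d\n", canary_login(payload, n)); /* -1: smash detected */
    printf("fixed  : %d\n", fixed_login(payload, n));  /* -2: input rejected */
    n = build_payload(payload, CANARY_VALUE);          /* canary leaked by a separate info-leak bug */
    printf("canary : %d\n", canary_login(payload, n)); /* 1: canary bypassed */
    printf("fixed  : %d\n", fixed_login(payload, n));  /* -2: still rejected */
    return 0;
}
```

The two payloads show the difference between a mitigation and a fix: the canary only detects the overwrite, and a leak of its value (a second bug, which is how these are chained in practice) gets past it, whereas the bounds check removes the overflow altogether. Modern exploitation on a target like the PS4 kernel is mostly about finding that second bug and about what to do once NX stops you from simply executing the buffer, which is what makes the direct Phrack-era technique rare today.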

IwearHelmet4Bed (OP)
Thank you very much for taking the time to explain things, appreciate it greatly.