Exploit revealed by @vpikhur
He made a presentation at the Recon Brussels hacking conference showing the exploit and a demo video.
Apparently his exploit uses a vulnerability in sys_kldload.
He also released the presentation slides later in the day here.
Quoted by wololo.net
According to the developer:
The custom Southbridge silicon, responsible for background downloads while the main SoC is off, didn't help to secure the Playstation 4. We explain how a chain of exploits combined with hardware attacks will allow code to run in the context of the secure bootloader, extract private keys, and sign a custom kernel.
According to the hacker, the sys_kldload exploit still exists in firmware 5.00, and potentially in more recent firmware versions as well.
The important point of the video above is that the hack persists after boot, demonstrating what is probably the very first custom firmware on the PS4.
Sony changed their keys in 5.05, but apparently not the signing process.
The kernel bootloader contains the keys for Rest Mode kernel, which is why it was interesting to get access to it.
How the exploit works is shown in this video.