PS4 6.70 Research

Discussion in 'PS4 - Hacking & Homebrew' started by ryuutseku85, Nov 6, 2019.

  1. ryuutseku85
    OP

    ryuutseku85 Advanced Member

    Newcomer
    3
    Dec 14, 2015
    France
    Hi to everyone,

    I have a project to find a userland exploit for 6.70 (and why not 7.00), and want to find people who can help me with it.

    Why do I want userland and not kernel?

    I don't wanna be like: "I don't want to do piracy". Of course I would love to play games without buying them, but this type of research is much more a learning process than opening Pandora's box.

    My goal is to look at WebKit (or anything else valuable) and find a way to make a PoC.

    For those who want to give it a try and want to learn more about me, here is my background:

    -C/C++ dev since 2016 (for games and apps)
    -PHP/CSS/HTML dev since 2018 (for websites)
    -Learning Java at this time
    -Python comes next

    -For those who have a Wii U, I am the dev of PACMAN WIIU
     
    CORE, KlariNoX, ItsmeAJ and 1 other person like this.
  2. ryuutseku85
    OP

    ryuutseku85 Advanced Member

    Newcomer
    3
    Dec 14, 2015
    France
    Before reading this post, remember that I am learning things and a noob in this domain.

    Hi to all,

    So, it's been 10 days since I started looking into the PS4 FW 6.70 to find something.

    What I learned:
    -The web browser is Mozilla 5.0
    -The user agent is AppleWebKit/605.1.15
    -This one is vulnerable to a LOT of things already found but not ported to PS4
    -I have to learn ROP

    Can someone explain to me how I can set up my PS4 to connect to my PC (I just need to set my PC's IP as the DNS to use my PC as a "gateway") and have a debugger console on my computer to see what happens when I do something?

    I hope I will get somewhere, even if this takes me months of searching :)
    Never give up
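    The request and console logger the question above asks for, written here as an added example (it is not from the original post, nor from any PS4 project). It assumes the console's browser can reach the PC by IP address on the same LAN and that the PC listens on port 8080 (both are assumptions); it does no DNS redirection. It serves a page whose console.log calls and uncaught errors are mirrored back to the PC over POST /log, and it parses the User-Agent header of each request into its WebKit build and firmware tokens, so the log shows which engine version actually connected. The sample User-Agent string is constructed for the test, not captured from a console; "Mozilla/5.0" is a legacy compatibility prefix that every modern browser sends and names no engine.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of the shape a console browser's User-Agent takes (assumption, not a capture)
SAMPLE_UA = "Mozilla/5.0 (PlayStation 4 6.70) AppleWebKit/605.1.15 (KHTML, like Gecko)"

UA_RE = re.compile(r"AppleWebKit/(?P<webkit>[\d.]+)")
PS_RE = re.compile(r"PlayStation 4 (?P<fw>[\d.]+)")


def parse_user_agent(ua: str) -> dict:
    """Extract the WebKit build and, if present, the firmware token from a UA string.

    'Mozilla/5.0' is only a compatibility prefix; the engine version is the
    AppleWebKit/<build> token, which is what matters when reading bug reports.
    """
    wk = UA_RE.search(ua)
    fw = PS_RE.search(ua)
    return {
        "legacy_token": ua.startswith("Mozilla/5.0"),
        "webkit": wk.group("webkit") if wk else None,
        "firmware": fw.group("fw") if fw else None,
    }


# Page served to the client: every console.log call and uncaught error is POSTed to /log
TEST_PAGE = b"""<!doctype html><html><body><h1>logger up</h1><script>
(function () {
  var orig = console.log;
  console.log = function () {
    var msg = Array.prototype.slice.call(arguments).join(' ');
    try { var x = new XMLHttpRequest(); x.open('POST', '/log', true); x.send(msg); } catch (e) {}
    orig.apply(console, arguments);
  };
  window.onerror = function (m, s, l, c) { console.log('ERROR ' + m + ' @' + s + ':' + l + ':' + c); };
  console.log('page loaded, ua=' + navigator.userAgent);
})();
</script></body></html>"""


class LogHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Log who connected and which engine build they report, then hand out the test page
        info = parse_user_agent(self.headers.get("User-Agent", ""))
        print(f"[GET {self.path}] from {self.client_address[0]} {json.dumps(info)}")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(TEST_PAGE)

    def do_POST(self):
        # Mirrored console output from the page lands here
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        print(f"[console] {body}")
        self.send_response(204)
        self.end_headers()


def serve(port: int = 8080) -> None:
    # Listen on all interfaces so a device on the same LAN can reach the PC by IP (assumed port)
    HTTPServer(("0.0.0.0", port), LogHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

    Run it on the PC, then open http://<pc-ip>:8080/ in the client browser; each request line shows the parsed User-Agent, and every console.log from the page appears as a "[console]" line, which is the closest thing to a remote debugger console a browser without developer tools offers.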
     
  3. Demix

    Demix Advanced Member

    Newcomer
    4
    Sep 5, 2018
    United States
    I am also just learning Python and I too thought why not just edit the 5.05 exploit. So what I have learned is the PS4 runs on a virtual machine each time and before it starts it checks how many fuses are burnt and official code. Every time the PS4 is restarted it runs new official code, so that's why there is no custom ROM.
     
  4. KiiWii

    KiiWii Contributor

    pip Contributor
    18
    Nov 17, 2008
    United Kingdom
    Watch M0rph3us1987’s talk on PS4.

    Sploit dem apps.
     
    DinohScene likes this.
  5. ryuutseku85
    OP

    ryuutseku85 Advanced Member

    Newcomer
    3
    Dec 14, 2015
    France

    Hi,

    How did you learn that? I am curious.

    Thanks for sharing this info



    Hi,
    OK, this is very interesting, thanks a lot.
     
    KiiWii likes this.
  6. Demix

    Demix Advanced Member

    Newcomer
    4
    Sep 5, 2018
    United States
    From here, asking more than just when the next hack is. I suggested a NAND wipe to downgrade and I was told the PS4 has x amount of fuses that they burn with each update. I've asked why no custom firmware like with the PSP and was told not possible, which also explains why you need to rehack the PS4 each time.
     
    Last edited by Demix, Nov 17, 2019
  7. MostlyUnharmful

    MostlyUnharmful GBAtemp Fan

    Member
    7
    Feb 8, 2018
    Italy
    According to our own @mathieulh — you must admit he has a pretty good record with his claims ^__^ — eFuses FW rollback prevention on PS4 is total bullshit...

    https://twitter.com/mathieulh/status/900686624438312961?lang=en
     
    KiiWii likes this.
  8. Demix

    Demix Advanced Member

    Newcomer
    4
    Sep 5, 2018
    United States
    If that is true then why can't you NAND erase a PS4 and do a complete system restore from, say, a 5.05 img?
     
  9. MostlyUnharmful

    MostlyUnharmful GBAtemp Fan

    Member
    7
    Feb 8, 2018
    Italy
    Really? A reasonable explanation was given in the link above, if you had bothered to check:

    Downgrading is prevented using hashes in syscon's NVS, revocation lists (on ps4/ps vita) and stripping PUP header keys from existing modules

    P.S. NVS: non-volatile storage

    Few people have analyzed the boot process of the PS4; if one of them claims that eFuses aren't used to prevent FW downgrade, you should trust them or prove them wrong by doing your own research.

    Here is another link that you surely would check: https://fail0verflow.com/blog/2018/ps4-syscon/
     
    DinohScene, Leeful and KiiWii like this.
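    A constructed model of the point made above, added here as an example: it is not the console's real mechanism, not fail0verflow's code, and not code from any poster. It shows why wiping and reflashing the main storage does not undo a rollback floor when that floor and the set of revoked images live in a separate controller's non-volatile storage, which the wipe never touches. The image format, the version numbers and the use of a SHA-256 revocation set are all assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Everything below is a constructed model: a wipeable main storage ("Nand") and a
# separate controller whose NVS survives that wipe ("SysconNvs"). Image bytes and
# version numbers are made up; the real console's formats are not represented.


def fw_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def parse_version(image: bytes) -> tuple:
    # Constructed image format: b"FW <major>.<minor>;payload"
    head = image.split(b";", 1)[0]
    major, minor = head.split()[1].split(b".")
    return (int(major), int(minor))


@dataclass
class Nand:
    """Main storage: can be erased and reflashed at will."""
    image: bytes = b""

    def wipe(self) -> None:
        self.image = b""

    def restore(self, image: bytes) -> None:
        self.image = image


@dataclass
class SysconNvs:
    """State held outside the main storage: the version floor and revoked image hashes."""
    min_version: tuple = (0, 0)
    revoked: set = field(default_factory=set)

    def record_update(self, new_version: tuple, old_image: bytes) -> None:
        # An update raises the floor and revokes the image it replaces; nothing lowers it.
        self.min_version = max(self.min_version, new_version)
        self.revoked.add(fw_hash(old_image))


def boot(nand: Nand, nvs: SysconNvs) -> str:
    """Boot check consulting only the controller's NVS, never the main storage's own claims."""
    if not nand.image:
        return "no firmware"
    if fw_hash(nand.image) in nvs.revoked:
        return "rejected: revoked image"
    if parse_version(nand.image) < nvs.min_version:
        return "rejected: below floor %d.%02d" % nvs.min_version
    return "boot ok %d.%02d" % parse_version(nand.image)


def install_update(nand: Nand, nvs: SysconNvs, new_image: bytes) -> None:
    nvs.record_update(parse_version(new_image), nand.image)
    nand.restore(new_image)


def scenario() -> dict:
    """Update from a constructed 5.05 image to 6.70, then wipe and reflash 5.05."""
    fw505 = b"FW 5.05;constructed payload A"
    fw670 = b"FW 6.70;constructed payload B"
    nand, nvs = Nand(fw505), SysconNvs()
    out = {"initial": boot(nand, nvs)}
    install_update(nand, nvs, fw670)
    out["after_update"] = boot(nand, nvs)
    nand.wipe()            # the NAND-erase idea from the thread
    nand.restore(fw505)    # reflash the older image
    out["after_wipe_and_restore"] = boot(nand, nvs)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

    The reflashed 5.05 image is rejected twice over: its hash is in the revocation set and its version is below the floor, and both facts were written to the controller's NVS during the update, not to the storage that was wiped. That is the general shape of rollback protection whenever the check state lives outside the medium an attacker can rewrite.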
  10. Demix

    Demix Advanced Member

    Newcomer
    4
    Sep 5, 2018
    United States
    Well, just because I've read something doesn't mean I understood. I used my experience of NAND erasing phones to reinstall any firmware and I've downgraded a PSP with a Pandora battery and magic memory. I have no idea what a syscon is, header keys or modules. The educated guess I can make is the PS4 is exactly like the Wii U, it just needs a PS4 USB Helper and redNAND.
     
    Last edited by Demix, Nov 19, 2019
    luckyguy88 likes this.
  11. smf

    smf GBAtemp Psycho!

    Member
    10
    Feb 23, 2009
    United Kingdom
    If you don't understand then how can you make an educated guess?

    PS4 is not exactly like Wii U.

    There have been rumors of a successful downgrade, but it doesn't seem to help if you are already > 5.05.
    Loading a later firmware from emunand on a 5.05 console might be possible.
    Exploiting later firmware is probably possible, although it's going to be getting harder.

    But there is nothing that suggests a permanent exploit is possible.

    You can already install games onto usb.
     
    KiiWii likes this.
  12. Demix

    Demix Advanced Member

    Newcomer
    4
    Sep 5, 2018
    United States
    Educated guess based on what I've been exposed to. You can put games on USB on Xbox 360 but the only way to hack the console is JungleFlash the drive or a modchip. If PlayStations can be software modded then Xboxes have never been softmodded. Another thing I've been exposed to is only 1 or 2 people did all the work and they were upset with the lack of help. Wololo even states 1 person claimed to have decrypted 5.55 but refused to share it 2 or 3 years ago. Been hearing that if they expose their secret Sony is gonna patch and it's back to 0.
     
  13. ryuutseku85
    OP

    ryuutseku85 Advanced Member

    Newcomer
    3
    Dec 14, 2015
    France
    Hi to everyone,

    So, where am I?

    I have learned JavaScript to understand how the previous vulnerabilities work.
    I now get the direction of learning ROP to understand how to build one.
    I have found the source of WebKit (6.00 and 6.70) and will look at it next week.

    So, yeah... nothing exciting done here already, but who knows, maybe I will find a vulnerability... or not.


    See ya!
     
    peteruk, KiiWii, Darksabre72 and 3 others like this.
  14. Darksabre72

    Darksabre72 Blue Falcon

    Member
    5
    Nov 26, 2016
    United States
    good luck :)
     
  15. KiiWii

    KiiWii Contributor

    pip Contributor
    18
    Nov 17, 2008
    United Kingdom
    excellent work.

    Though you don’t exactly need to find a new vuln (though you could), just an alternate way to break out of sandbox.

    Existing 5.05 sploit should work up to even 7.00 once out of sandbox: https://github.com/Cryptogenic/Expl....05 BPF Double Free Kernel Exploit Writeup.md
     
    peteruk and ryuutseku85 like this.
  16. KiiWii

    KiiWii Contributor

    pip Contributor
    18
    Nov 17, 2008
    United Kingdom
    hardware KBL mods exist in private too ;)

    Apparently if your console has ever been lower than or equal to 5.05, a downgrade back to that should be viable using syscon.
     
    peteruk likes this.
  17. Demix

    Demix Advanced Member

    Newcomer
    4
    Sep 5, 2018
    United States
  18. ryuutseku85
    OP

    ryuutseku85 Advanced Member

    Newcomer
    3
    Dec 14, 2015
    France
    Hi, thanks for this, I will look at it.

    Can you explain to me what this sandbox is, please?

    — Posts automatically merged - Please don't double post! —

    Yes indeed but... I do something
     
  19. IwearHelmet4Bed

    IwearHelmet4Bed Advanced Member

    Newcomer
    4
    Sep 6, 2018
    United Kingdom
    https://en.m.wikipedia.org/wiki/Sandbox_(software_development)

    That’s a definition of Sandbox.

    — Posts automatically merged - Please don't double post! —

    Is that what fail0verflow have been/are working on? I haven’t heard any updates on it yet.
     
  20. Jonna

    Jonna Some sort of musician.

    Member
    8
    May 15, 2015
    Canada
    This is a super nice thread. No one saying to the OP "you fool, you're new, how could you possibly accomplish anything more than people with years of experience" nor the OP saying "this should be easy, why didn't they think of this, I'll get this done super quick."

    Just a nice series of the OP trying to get somewhere with positivity of some progress, and every one else being encouraging with compliments and ideas. Very nice.
     