Public DLClose Exploit - 1.76 Only

Discussion in 'PS4 - Hacking & Homebrew' started by SonyUSA, Mar 22, 2016.

  1. SonyUSA
    OP

    SonyUSA We're all mad here

    pip Contributor
    GBAtemp Patron
    SonyUSA is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    1,059
    2,149
    May 12, 2006
    United States
    ** Updates! **

    You can now execute DLClose directly from PS4-Playground and it will auto-load Linux as long as you have the bzImage and initramfs on a FAT32-formatted USB stick plugged into your PS4!


    Grab these 2 files and throw them on a FAT32 USB stick/drive
    http://kr105.com/ps4kerneltest/

    Fire up PS4-Playground and click Load! on the Linux Loader
    https://github.com/CTurt/PS4-playground


     
    Last edited by SonyUSA, Apr 3, 2016
  2. SonyUSA
    OP

    Update! Yahoo! It works!

    Code:
    KXploit by Thunder07
    Patched up by balika011
    Special thanks to:
        Cturt, BigBoss and Twisted
        [+] Starting...
        [+] UID = 1
    mapping pointer = 200dac000
    Craft knote Structure
    fd = 3840
    queue created = 6600000f01
    queue created = 6700000f02
    queue created = 6800000f03
    queue created = 6900000f04
    queue created = 6a00000f05
    queue created = 6b00000f06
    queue created = 6c00000f07
    queue created = 6d00000f08
    queue created = 6e00000f09
    queue created = 6f00000f0a
    queue created = 7000000f0b
    queue created = 7100000f0c
    queue created = 7200000f0d
    queue created = 7300000f0e
    queue created = 7400000f0f
    queue created = 7500000f10
    queue created = 7600000f11
    queue created = 7700000f12
    queue created = 7800000f13
    queue created = 7900000f14
    queue created = 7a00000f15
    queue created = 7b00000f16
    queue created = 7c00000f17
    queue created = 7d00000f18
    queue created = 7e00000f19
    queue created = 7f00000f1a
    queue created = 8000000f1b
    queue created = 8100000f1c
    queue created = 8200000f1d
    queue created = 8300000f1e
    queue created = 8400000f1f
    queue created = 8500000f20
    queue created = 8600000f21
    queue created = 8700000f22
    queue created = 8800000f23
    queue created = 8900000f24
    queue created = 8a00000f25
    queue created = 8b00000f26
    queue created = 8c00000f27
    queue created = 8d00000f28
    queue created = 8e00000f29
    queue created = 8f00000f2a
    queue created = 9000000f2b
    queue created = 9100000f2c
    queue created = 9200000f2d
    queue created = 9300000f2e
    queue created = 9400000f2f
    queue created = 9500000f30
    queue created = 9600000f31
    queue created = 9700000f32
    queue created = 9800000f33
    queue created = 9900000f34
    queue created = 9a00000f35
    queue created = 9b00000f36
    queue created = 9c00000f37
    queue created = 9d00000f38
    queue created = 9e00000f39
    queue created = 9f00000f3a
    queue created = a000000f3b
    queue created = a100000f3c
    queue created = a200000f3d
    queue created = a300000f3e
    queue created = a400000f3f
    queue created = a500000f40
    queue created = a600000f41
    queue created = a700000f42
    queue created = a800000f43
    queue created = a900000f44
    queue created = aa00000f45
    queue created = ab00000f46
    queue created = ac00000f47
    queue created = ad00000f48
    queue created = ae00000f49
    queue created = af00000f4a
    queue created = b000000f4b
    queue created = b100000f4c
    queue created = b200000f4d
    queue created = b300000f4e
    queue created = b400000f4f
    queue created = b500000f50
    queue created = b600000f51
    queue created = b700000f52
    queue created = b800000f53
    queue created = b900000f54
    queue created = ba00000f55
    queue created = bb00000f56
    queue created = bc00000f57
    queue created = bd00000f58
    queue created = be00000f59
    queue created = bf00000f5a
    queue created = c000000f5b
    queue created = c100000f5c
    queue created = c200000f5d
    queue created = c300000f5e
    queue created = c400000f5f
    queue created = c500000f60
    queue created = c600000f61
    queue created = c700000f62
    queue created = c800000f63
    queue created = c900000f64
    m kernelAllocation:
    queue created = ca00000f65
    m2 kernelAllocation:
    queue created = cb00000f66
    Trigger sceKernelDeleteEqueue
    Calling sys_dynlib_prepare_dlclose
    moment of truth
    Trigger sceKernelDeleteEqueue
        [+] Entered kernel payload!
        [+] Rooted and Jailbroken!
        [+] Escaped from the sandbox!
        [+] Kernel patch success!
             Hi GBATemp!
    I'll attach a compiled version to the OP; keep in mind, though, that this doesn't -do- anything yet, and your receiving computer needs to be at 192.168.1.69 to receive any data over TCP!
     
  3. TR_mahmutpek

    TR_mahmutpek GBAtemp Advanced Fan

    Member
    637
    134
    Jul 28, 2015
    This means pkg installers (or something like this) are coming soon? Also, thank you for your achievement :D
     
  4. SonyUSA
    OP

    Anything is possible now on <= 1.76; just nothing has been made yet :P Also, I'm just reposting; I didn't do anything with it.
     
  5. TR_mahmutpek

    Time to buy new ps4 :D
     
  6. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,508
    1,155
    May 23, 2012
    Any idea which fw the dlclose exploit was patched at? I remember hearing it was somewhere between 2.00 and 2.50.
     
  7. SonyUSA
    OP

    That sounds right, and I remember reading a day or two ago that newer webkit entrypoints (not through the browser, but some other PS4 function) were possible up to the latest firmware, so it may open the window for people who are in that range! :3

    I know some people have to DNS redirect the user manual if they weren't on PSN with the PS4 before/when 1.76 was the current firmware to load .bin files, so maybe that's what they are referring to.
     
  8. Vappy

    That'd be good, 1.76 being over a year and a half old means it'd be difficult to track one down these days. 2.04, maybe slightly less so. Of course, there's always the possibility of an exploit for more recent firmwares, but who knows how long that might take to become public, if ever.
     
  9. dpad_5678

    dpad_5678 GBAtemp's Memelord

    Member
    1,738
    1,285
    Nov 19, 2015
    United States
    The beginning of the PS4 Scene! :tpi:
     
  10. Angel_Rejects

    Angel_Rejects Newbie

    Newcomer
    6
    0
    Apr 1, 2015
    United States
    I'm trying to get the dlclose kernel exploit working using WiFi loader and tcpdump, but when I open the exploit using WiFi loader with the command in cmd, it says "not enough system memory" after it says "executing" on the PS4 Playground webkit. What am I doing wrong? And I want to use tcpdump, but I don't know how to use it. I open tcpdump using cmd and type in the command "tcpdump 9023 log.bin" and it freezes the cmd. I'm on 1.76. I'm using PS4 Playground with the user redirect Google method.
     
  11. SonyUSA
    OP

    If the IP of your PC isn't 192.168.1.69, it won't be able to open the socket connection; if you are just trying to run it without doing anything else, there isn't any point... :P
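    As an added example (this is not the exploit author's or PS4-Playground's own tooling), a small Python listener that stands in for the `tcpdump 9023 log.bin` step discussed above: it accepts the single TCP connection the payload opens, saves the raw bytes to a file, and pulls out the `[+]` status lines in the format of the log posted earlier, so a run that never connects (the symptom when the PC is not at the address the payload expects) is easy to tell apart from one that did. The port 9023 and the status-line format come from the thread; the host, class and function names, and the constructed sample log, are this example's own assumptions.

```python
"""TCP debug-log receiver (added example, not the exploit author's tooling).

The payload described in the thread connects out to a hard-coded host and
streams its status lines over TCP. This listener captures one such
connection, keeps the raw bytes, and parses the "[+] ..." status lines
so a silent or refused connection is easy to distinguish from a real run.
Port 9023 is the one named in the thread; everything else is assumed.
"""
import socket
import threading
from typing import List, Optional

DEFAULT_PORT = 9023  # port used in the thread's tcpdump command


def parse_status_lines(data: bytes) -> List[str]:
    """Return the text of every '[+] ...' status line in the captured stream."""
    text = data.decode("utf-8", errors="replace")
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+]"):
            lines.append(line[3:].strip())
    return lines


class LogReceiver:
    """Listen on host:port, accept a single client and capture what it sends."""

    def __init__(self, host: str = "0.0.0.0", port: int = DEFAULT_PORT,
                 timeout: float = 10.0):
        self.host = host
        self.port = port
        self.timeout = timeout  # bail out instead of hanging like the cmd window
        self._sock: Optional[socket.socket] = None

    def listen(self) -> int:
        """Bind and listen; return the bound port (handy when port=0 is asked for)."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((self.host, self.port))
        s.listen(1)
        s.settimeout(self.timeout)
        self._sock = s
        self.port = s.getsockname()[1]
        return self.port

    def accept_one(self, out_path: Optional[str] = None) -> bytes:
        """Accept one connection, read until the peer closes, optionally save raw bytes."""
        if self._sock is None:
            raise RuntimeError("call listen() first")
        conn, _peer = self._sock.accept()
        chunks = []
        with conn:
            conn.settimeout(self.timeout)
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        data = b"".join(chunks)
        if out_path:
            with open(out_path, "wb") as f:
                f.write(data)
        self._sock.close()
        self._sock = None
        return data


def send_payload(port: int, payload: bytes, host: str = "127.0.0.1") -> threading.Thread:
    """Connect to host:port and send payload from a background thread (loopback test helper)."""
    def _run():
        with socket.create_connection((host, port), timeout=5) as c:
            c.sendall(payload)
    t = threading.Thread(target=_run, daemon=True)
    t.start()
    return t


# Constructed sample resembling the status lines in the log posted in the thread.
SAMPLE_LOG = (
    b"[+] Starting...\n"
    b"[+] UID = 1\n"
    b"mapping pointer = 200dac000\n"
    b"[+] Entered kernel payload!\n"
    b"[+] Rooted and Jailbroken!\n"
)


def capture_sample() -> List[str]:
    """Round-trip SAMPLE_LOG through a loopback listener and return the parsed status lines."""
    rx = LogReceiver("127.0.0.1", 0)
    port = rx.listen()
    sender = send_payload(port, SAMPLE_LOG)
    data = rx.accept_one()
    sender.join()
    return parse_status_lines(data)


if __name__ == "__main__":
    print(capture_sample())
```

    For real use, construct `LogReceiver()` with the defaults, call `listen()`, then `accept_one("log.bin")`; it has to be bound on the interface whose address the payload is hard-coded to connect to, otherwise the accept simply times out, which is the same failure the thread describes.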
     
  12. Angel_Rejects

    How do you make the IP of my computer 192.168.1.69?
     
  13. SonyUSA
    OP

    If you don't know how to do that, you don't need to be running this exploit right now u_u;;
     
  14. SonyUSA
    OP

    No, the system remembers what firmware it was.
     
  15. Jao Chu

    Jao Chu GBAtemp Advanced Maniac

    Member
    1,921
    1,211
    Aug 20, 2013
    straya m8
    What firmware version do brand-new PS4s get shipped with? I might go and buy one tomorrow if they're under 1.76.
     
  16. azoreseuropa

    azoreseuropa GBAtemp Guru

    Member
    6,032
    928
    Nov 6, 2002
    Portugal
    Proud to be Portuguese but I am in USA.
    No, save your time. They are exploitable for recent firmwares: 2.00 to 2.50 right now, but possibly under 3.15 according to some sources too. I have a 2.57. It is too early to say for now.
     
  17. Jao Chu

    But if I bought a PS4 tomorrow and left it in its packaging, I'll have a better chance of having an exploitable firmware; since the code is out in the wild now, Sony will be working on patching the vulnerability....
     
  18. SonyUSA
    OP

    All of the currently (publicly) known ways of accessing the kernel have been patched already, so there isn't much point in hoarding a current-firmware PS4...
     
  19. Jao Chu

    Awesome! That's all I needed to know, so I'll find a low-firmware second-hand unit then. Thanks :)
     
  20. azoreseuropa

    No, if you buy a PS4 tomorrow, the firmware will be the latest one and it won't be exploitable at all. Only lower will do. At least 3.15 or lower is a good opportunity, since some sources mention 3.15 or lower to be exploitable, but nobody knows for sure. For now, 1.76 is the lowest firmware that is in fact exploitable. I have 2.57 and I leave it alone. I believe it is exploitable, so just wait and see. :)