PS4 [Tutorial by zecoxao] How to "bypass" pfs protection entirely on PS4 Firmware 1.76

Discussion in 'PS4 News' started by STLcardsWS, Aug 14, 2016.

By STLcardsWS on Aug 14, 2016 at 12:15 PM

    STLcardsWS Administrator

    As we wait and see whether any kernel exploit arises for use with the HENkaku (3.55 PS4 port), things are still moving forward on PS4 firmware 1.76. Scene contributor @zecoxao has released a new tutorial for PlayStation 4 that shows how you can "bypass" pfs protections completely on PS4 firmware 1.76.


    • Things needed:

      • Head on over to read the full tutorial: Link

    Last edited by a moderator: Aug 14, 2016



    1. bguerville
      Another useful idea from flatz.
      Yet another step...

      Sent with Tapatalk
    2. atreyu187
      My, my, doesn't this look familiar; it seems the PS4 has quite a few similarities with the Vita. I will try this this evening with Infamous Second Son on my 1.76. This must have been what he was asking about yesterday on Twitter.
    3. francesco2013
      Can't wait for the PS4 to be fully hacked like the PS3 and let PS3 Games Manager work on the PS4 :)

      bguerville: I am not really up to date about it, but how far are we from having the same thing we run on the PS3 on the PS4?
    4. kozarovv
    5. francesco2013
    6. bguerville
      Well Francesco, here is what I know about the situation.

      We already have at least 3 working webkit exploits (found on 1.76, 3.15 & 3.55) on the PS4 AFAIK, including the latest henkaku webkit exploit (running from fw 3.15 to 3.55), but those aren't sufficient to take the system over. They allow for code execution though.

      In very general & simplified terms, a hack like CTurt's (& henkaku) relies on 2 stages.
      The 1st stage, via a webkit exploit, is to get access to userland & the 2nd stage, via a kernel exploit, is to get unrestricted access.
      Obviously it means that to perform this kind of hack you need to have 2 exploits (one webkit & one kernel) working in the same firmware.

      What we really need now is a kernel exploit working on PS4 3.55. The one used on 1.76 has been quickly patched by S#ny, obviously. Once we have a working second stage, the full hack can be put in place & the PS4 will be ours to control, just like in 1.76 with the CTurt dlclose kernel exploit.
      Launching the hack will be done in the same manner as the 1.76 Playground: via the browser, by means of a button/link or whatever on a page served by an appropriate local basic server emulating the PS4 User Guide...

      However, that would not bring a cfw like we enjoy on the PS3... but it would open the door for most things, including using someday maybe some kind of mamba for PS4, for instance.
      There would be more obstacles to contend with before eventually getting your PS4 games manager... like dealing with PFS, to relate to this thread & flatz's work!
      All the needed ingredients would not appear overnight & some would need to be researched/developed of course, but as I said the door would be open to get there.
      So to answer your question, we are still quite far away from a working PS4 games manager... but getting closer...

      Finding a vulnerability in the modded mixture of NetBSD & FreeBSD kernel elements used by the PS4 in 3.55 & exploiting it is basically the last step required to pop that hood open on post-1.76 consoles!

      Many people out there have the skill-set to make such a kernel exploit a reality & it's not that complicated IF you do possess those skills; it takes a lot of research time of course...

      Fairly recently, I was reading about the SETFKEY vulnerability in the FreeBSD keyboard driver, which exposes its own ioctl. CTurt's findings again...
      FYI, henkaku uses a vulnerability in the NetBSD ioctl module included in the Vita OS; that's their kernel exploit! Unfortunately the PS4 doesn't use the NetBSD ioctl implementation but the one from FreeBSD, which isn't vulnerable to the same exploit.

      If you are interested I suggest you read CTurt's notes for the 1.76 hack. He divided the hack into 3 parts.

      Parts 1 & 2 are now completed for 3.55 too, by adapting the henkaku webkit exploit onto the PS4 (yes, they use the same webkit version!). Look at this POC

      Now that we have code execution, we need Part 3 to finish the hack. Could this vulnerability help us do that?
      I think it could actually, even if not ideal.
      And if not, what other kernel vulnerabilities are there that we could take advantage of?
      There's bound to be more if CTurt alone can already find a few in a matter of months....
      Last edited: Sep 24, 2016
    7. francesco2013
      Very cool man I am reading through everything thanks a million :)
    8. pinky
      This is why I'm staying on 3.55.
    9. atreyu187
      Too bad CTurt now works in the security sector for the FreeBSD team patching vulnerabilities, making a kernel exploit even harder, since the guy that implemented the first one is now on the other side of the field.
    10. francesco2013
      Money :) And I guess very good ones :P
