PlayStation 4 (PS4) Jailbreak? Cturt confirms possibility

[New Update below] - Dec 13: There have been some developments in the PlayStation 4 hacking scene over the past weeks. Recently Cturt announced a kernel exploit in the PS4 firmware. This kernel exploit is actually patched in the latest firmwares and will only run up to PS4 firmware v1.76. However, while patched in later firmwares, it is still a huge discovery and will prove very useful for the PS4 community, as developers will now have a closer look at the security and workings of the firmware from an angle they previously never had access to. This has already produced some progress on a rumored PS4 Jailbreak from valid sources such as PS4 hacker Cturt and others (but beware: there are many FAKE PS4 jailbreaks out there connected to a lot of scams to make a quick buck or to infect your system with malware and viruses).



Then today Cturt made the groundbreaking announcement, stating in a recent tweet "Just broke WebKit process out of a FreeBSD jail (cred->cr_prison = &prison0). Guess you could say the PS4 is now officially "jailbroken" :P", followed by another tweet that reads "Can successfully dump RAM from other processes (like SceShellUI) using ptrace! Next step: patching RAM...". While this "jailbreak" only works up to firmware v1.76 at the moment and so does not do most users much good, it does give hackers and developers more access to a system that is starting to show holes in its security. One can only hope developers and hackers can produce a jailbreak for later firmwares. These things happen in steps and these steps take time, but it seems the PS4 may not be as secure as one might imagine. Does this mean CFW and Homebrew on the PlayStation 4 (PS4)? Only time will tell, and hopefully we will see more exciting news on the PS4 front in the coming weeks and months. The best advice for a PS4 owner waiting on this is to exercise patience, as it will take time if it happens on later firmwares at all, but that possibility is stronger today than it was several days ago. So there is progress, and that is exciting to see in the PlayStation 4 community.


Recent Tweets from Cturt


UPDATE

(Dec 14) Developer Cturt shows off some additional details: a listing of the root file system and of the processes running in RAM that the hacker was able to capture.


Code:
  [+] Entered shellcode
  [+] UID: 0, GID: 0
[DIR]: .
[DIR]: ..
[DIR]: adm
[DIR]: app_tmp
[DIR]: data
[DIR]: dev
[DIR]: eap_user
[DIR]: eap_vsh
[DIR]: hdd
[DIR]: host
[DIR]: hostapp
[FILE]: mini-syscore.elf
[DIR]: mnt
[DIR]: preinst
[DIR]: preinst2
[FILE]: safemode.elf
[FILE]: SceBootSplash.elf
[FILE]: SceSysAvControl.elf
[DIR]: system
[DIR]: system_data
[DIR]: system_ex
[DIR]: system_tmp
[DIR]: update
[DIR]: usb
[DIR]: user
  [+] PID 0, name: kernel, thread: mca taskq
  [+] PID 1, name: mini-syscore.elf, thread: SceRegSyncer
  [+] PID 2, name: SceHidAuth, thread: SceHidAuth
  [+] PID 3, name: hidMain, thread: hidMain
  [+] PID 4, name: SceCameraDriverMain, thread: SceCameraDriverM
  [+] PID 5, name: SceCameraSdma, thread: SceCameraSdma
  [+] PID 6, name: hdmiEvent, thread: hdmiEvent
  [+] PID 8, name: xpt_thrd, thread: xpt_thrd
  [+] PID 9, name: iccnvs, thread: iccnvs
  [+] PID 10, name: audit, thread: audit
  [+] PID 11, name: idle, thread: idle: cpu0
  [+] PID 12, name: intr, thread: irq273: xhci2
  [+] PID 13, name: geom, thread: g_notification
  [+] PID 14, name: yarrow, thread: yarrow
  [+] PID 15, name: usb, thread: usbus2
  [+] PID 16, name: md0, thread: md0
  [+] PID 17, name: icc_thermal, thread: icc_thermal
  [+] PID 18, name: sflash, thread: sflash
  [+] PID 19, name: sbram, thread: sbram
  [+] PID 20, name: trsw intr, thread: trsw intr
  [+] PID 21, name: trsw ctrl, thread: trsw ctrl
  [+] PID 22, name: SceBtDriver, thread: SceBtDriver
  [+] PID 23, name: pagedaemon0, thread: pagedaemon0
  [+] PID 24, name: pagedaemon1, thread: pagedaemon1
  [+] PID 25, name: vmdaemon, thread: vmdaemon
  [+] PID 26, name: bufdaemon, thread: bufdaemon
  [+] PID 27, name: syncer, thread: syncer
  [+] PID 28, name: vnlru, thread: vnlru
  [+] PID 29, name: softdepflush, thread: softdepflush
  [+] PID 31, name: SceSysAvControl.elf, thread: SceAvSettingPoll
  [+] PID 33, name: SceSysCore.elf, thread: SysCoreAppmgrWat
  [+] PID 34, name: orbis_audiod.elf, thread: AoutMonitorPid40
  [+] PID 35, name: GnmCompositor.elf, thread: CameraThread
  [+] PID 36, name: SceShellCore, thread: SceMsgMwSendMana
  [+] PID 38, name: SceShellUI, thread: SceWebReceiveQue
  [+] PID 39, name: MonoCompiler.elf, thread: MonoCompiler.elf
  [+] PID 40, name: SceAvCapture, thread: SceAvCaptureIpc
  [+] PID 41, name: SceGameLiveStreamin, thread: SceGlsStrmJobQue
  [+] PID 42, name: ScePartyDaemon, thread: SceMbusEventPoll
  [+] PID 43, name: SceVideoCoreServer, thread: SceVideoCoreServ
  [+] PID 44, name: SceRemotePlay, thread: SceRp-Httpd
  [+] PID 45, name: SceCloudClientDaemo, thread: SceCloudClientDa
  [+] PID 46, name: SceVdecProxy.elf, thread: proxy_ipmi_serve
  [+] PID 47, name: SceVencProxy.elf, thread: SceVencProxyIpmi
  [+] PID 48, name: fs_cleaner.elf, thread: fs_cleaner.elf
  [+] PID 49, name: SceSpkService, thread: SceSpkService
  [+] PID 50, name: WebProcess.self, thread: selectThread
  [+] PID 51, name: orbis-jsc-compiler., thread: SceFastMalloc
  [+] Triggering second kernel payload
  [+] Entered main payload

Stay tuned for all the latest developments regarding this breakthrough on the PS4.

 
for some reason, I'm reminded of the 7371 cutoff dash kernel for the 360 jtag. there was a mad rush to buy systems that hadn't been updated beyond that. I even have a couple systems that I jtagged in hopes of selling them for profit. well, we know how that turned out. :-/ I'm hoping this will lead to some sort of hack for later firmware, but it sounds like ram patching may only be viable on a lower firmware system. otherwise, how would you have access at the kernel level? what's been decrypted is flowing through the ram, so cfw sounds unlikely at this point. just my speculation on how much access a user will have, but there's always a chance it could lead to something bigger. originally, the 3ds couldn't be hacked above ios 4.5 due to patched nvram, but now u can downgrade nvram without downgrading the system itself. this might be the first step in many that could lead to a hack usable by most owners. fingers crossed on this one. I don't have a system low enough firmware-wise.
 
oh, and by that, I mean a way to downgrade the web kit or whatever file(s) it's using. in the 3ds' case, it was the cubic ninja hack. however, there's another method, which seems more likely with the ps4 - go to a certain url, click on a link, ps4 glitches up, profit! the 3ds has a similar method with its flawed web kit. I've never done it personally though, just cubic ninja. :p
 
if you can freely patch RAM then a FW emulator is the way to go. In regards to flashing, it has been shown that you can flash back to the same FW, so unless there are 'eFuses' somewhere a downgrade would only require the per-console IDs/Keys.
 

not sure, but the eFuses were blown on the 360 via software updates. a full hack on the ps4 will probably require some sort of glitch chip. there's a reason the 360's hacked kernel was originally known as freeboot, as it used a hypervisor from 4xxx firmware that allowed unsigned code despite being installable above that. the system forces that version of the hypervisor into memory. the same could be the case with this. this is what I meant when [MENTION=20]habib[/MENTION] mentioned a hex edit to the hypervisor of the ps3 could allow cfw on all systems. the 360 uses this notion actually. I'm just going based on my knowledge of the 360 and how the hacks actually work. it's not much different than the nvram/msets of the 3ds - the flaw in the code is isolated to one place, so downgrading that, whether it's via a patch or replacing the file entirely, allows a hack to work on later firmware.
 

True, but they say they have full access to ram 'after boot', so most of that stuff is irrelevant. the hacks are going to be like the 3ds/wiiu hacks; you might not get auto-loading of patches and FW emulation, and you will most likely have to load a webpage to trigger the patches.
 

I wouldn't call it irrelevant. the normal updated hypervisor is still on the system, but the old one is replacing it upon bootup. that's y they named it "freeboot."
 
Does the black friday GTA5+Last of Us bundle come pre-installed with 1.76? I hear it does even though it's an 11xx model.
 

wait, the system reboots after this hack? I thought they were going to patch RAM on the fly so to speak. My bad :)
 
I believe the boot sequence is interrupted on the 360. the point I was trying to make is that ur altering the way the system normally operates. the 360 uses a ram patching with dashlaunch since ram addresses change. u can hack any 360 dash kernel, but getting ur foot in the door is where the problem resides. the 4xxx exploit is still being used today on the latest dashboard except ur method of deployment (a glitch chip) has changed.
 

I was talking about the PS4 the whole time lol, I should have realised u meant the 360 when you said freeboot.
 
well, I was comparing hacks since that might be a way to understand what's going on. it's extremely unlikely anything will be as easy as the ps3 scene's was where everything was done automatically in some way or another. it'll most likely be like the 3ds or the vita in which u have to exploit something without some sort of cfw or even like the 360 in which u have to build ur own. I think it's naive to believe it'll be so simple otherwise we'd have cfw on all ps3s. I'm not in a very good mood atm based on something unrelated, but that's y I've been so negative. I'm just being a realist about this. if all we're finding out now r the name of flash files....
 
Looks like he is stopping research on the PS4, wonder what happened?

more reasons. he made it for himself; I think the main reason is piracy. we know now how to jailbreak the ps4, but it will be a lot of work for other devs because he removed some info and hasn't released anything. some devs worked with him and helped, but there is no public jb yet.
 
I think the main reason is piracy.

Piracy is a side effect of any attempt at running unsigned code. I don't believe that a smart person like him only realized that at this moment. He needed to know that when he started messing with PS4 security.

I don't know what happened ($ony "asked" him to abandon his work, or he was scared that they would do this, or anything else), but I'm almost sure that the piracy warning is not the reason.
 

I saw this coming myself. He put the pieces in place; now he does not want his name attached to it any longer, as this is where the scene takes two paths:

homebrew / System Hacks
piracy
 

I doubt he quit because of piracy concern.


 
