The PS4 might get some attention again. After the last few weeks, where we saw multiple Homebrew Releases - such as a updated Linux Distribution for your PS4, various Homebrew Games for your PS4, Emulators for playing older Classics on your PS4 and other useful Homebrew Applications, which makes your PS4 more useful for you - today, Developer @SpecterDev released a new WebKit Exploit for a newer System Firmware, namely for System Firmware 6.20. Although this Exploit isn't a complete Kernel Exploit together with the fact that this Remote Code Execution Exploit has been already patched by Sony on the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker more with this specific System Firmware, as Developer @SpecterDev describes it with his own words, which you can see down below. This can be especially useful for Developers, who wants to tinker with older System Firmwares as well, such as for System Firmware 5.55 for instance. Maybe we can see a newer full Kernel Exploit for a newer System Firmware released sooner or later.
PS4 6.20 WebKit Code Execution PoC
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.
Note: It's been patched in the 6.50 firmware update.
Files - Files in order by name alphabetically;
- index.html - Contains post-exploit code, going from arb. R/W -> code execution.
- rop.js - Contains a framework for ROP chains.
- syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
- wkexploit.js - Contains the heart of the WebKit exploit.
- This vulnerability was patched in 6.50 firmware!
- This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
- This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
- In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
- Fake DNS spoofing to redirect the manual page to the exploit page, or
- Using the web browser to navigate to the exploit page (not always possible).
- I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
- Chromium Bug Report - The Vulnerability.
- lokihardt - The vulnerability
- st4rk - Help with the exploit
- qwertyoruiop - WebKit School
- saelo - Phrack paper
Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304
Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808
PS4 PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)
By Roxanne on Mar 9, 2019 at 7:47 AM
[Update July 21th] HW Acceleration (RSX) Project Update by RenéRebeUPDATE (July 21) - Now the 19th Video Released >>> The next PS3 NVidia RSX accelerated X.org steps
(Original Article from Nov. 14) Is the PS3 a bit closer to gaining Hardware Acceleration (via RSX) in OtherOS (Linux) with a proper driver to enable the GPU chip? We are not there, but we may be getting closer to a reality. Earlier this year (back in April) we detailed some of the progress that the busy dev RenéRebe has made with unlocking the potential of the PlayStation 3's RSX chip and now today we have been greeted with a new video and what we can expect with this project as the developer starts to undertake the challenge of further unlocking one more component of the Ps3 hardware,. The developer has alot of videos on other intresting subjects in his diverse YouTube channel >>> (Bits and More) <<< many very informative video's..Continue reading
RPCS3 (PS3 Emulator) - May 2019 Progress Report - 1337 pl4y4bl3 ~ 1337 1n64m3 :)That can't be an accident. Following up after the impressive Progress Report last Month, where we learned that over >40% of all PS3 Game Titles are now fully "Playable", today the great Team behind the PS3 Emulator RPCS3 showcases their newest Progress Report for May 2019 with another milestone. If you are a long follower of their great Project or maybe you are even enjoying your PS3 Game Titles on your PC right now (because "why not"?), you will be already familiar with the fact that most of the Game Titles tested on RPCS3 will at least boot up, but then you will experience Graphical Glitches, huge Slow-Downs or even you aren't able to play a Game Title to the End, which is sad (Damn you "Narco Terror" and "The Expendables 2: Videogame" why you still aren't bootable? :P). This is why in the past, the "Ingame" Status comprised most Game Titles in every Compatibility List. But for the first Time since it's Initial Release, the "Playable" Category ties the first place together with the "Ingame" Category with both 1337 Game Titles each. This means whatever Game Title you choose to play via RPCS3, there is a 43.71% Chance that it will be at least "Ingame". That's impressive don't you think? Oh, and sorry for the leetspeak at the Title. I mean come on, we are talking about 1337 Game Titles fully "Playable".Continue reading
[UPDATE] PS3HEN v2.3.1 - View latest changes to the PS3 Exploit for SuperSlims & nonCFW modelsUPDATE (6-27-2019): Version 2.3.1 has been released.
See below for additional Details!
See also: The Great PS3 HEN All in One (AIO) Guide
Here is v2 of the latest PS3 Hack to hit the PS3 Scene with the recent release of PS3HEN. This exploit for nonCFW console's provides homebrew support and a number of Custom Firmware intangibles for those console that can not install a traditional CFW, with those being lat production PS3 Slim models and all of the SuperSlim Consoles. While this is a tremendous release and breakthrough the information behind PS3HEN has been lacking and has served more questions then answers that could be provided. This is due in the way this was delivered and presented. We paused the reporting this on the frontpage until we were pleased with the documentation. So we took it upon ourselves to get the ball rolling on a new PS3HEN F.A.Q. detailing various aspects and info that will be useful for PS3HEN user's. Also we have started forming the PS3HEN Homebrew & Plugin Compatibility Chart
Version 2.x.x has come with a number of new additions for a better experience. Some of the new changes provide full PS3ISO Support ,As well as full BDISO and DVDISO support has been added, plus new improvements to PS3HEN's stabiliContinue reading
Share This Page
- henkaku homebrew
- playstation 2
- playstation 2 resources
- playstation portable
- playstation portable cfw
- playstation portable resources
- playstation tv
- ps vita
- ps2 resources
- ps3 cfw
- ps3 han
- ps3 homebrew
- ps4 homebrew
- psp cfw
- psp resources
- pstv homebrew
- vita homebrew
- webman mod
- xmb mod
- User Record:
- Latest Member: