Rumor: PS4 3.50 BD Live vulnerability allows execution of Linux? Not so fast…
Rumors originated on German scene site psxtools.de that some functionality of Blu-ray movies (BD Live) allows for execution of unencrypted code, and potentially even loading Linux directly from the PS4.
Add a little bit of Google Translate to the mix, and the scene is going crazy thinking we have a new exploit up and running on 3.50, one that just needs a bit of testing before it's available publicly. So, err, let's step back and breathe a little bit here.
I won't pretend I can speak German better than you here, so I have to rely on Google Translate for the original claims as well; here's what I gather. The following is a personal translation of the original post on psxtools.de, helped by Google Translate.
This is a great vulnerability, it is unencrypted and the code is freely available. And it’s available on firmware 3.50. Therefore one can save anything on the PS4 and also run it!
So you can even boot Linux.
What you need
- Windows or Linux system
- charles web debugging proxy or burpsuite
- A film with BDLive (in my test it was by Universal Pictures) others will surely work. You can test yourself.
- Better to connect the PS4 with LAN.
With Charles Proxy
Insert and start the movies, wait a bit and after about 1 minute the Charles interface should show a Universal Pictures bootloader file.
It looks like this:
XML source
<?xml version="1.0" encoding="utf-8"?>
<update version="3" targetTitle="89">
  <statusCodes>
    <statusCode id="100" type="information">Successful</statusCode>
  </statusCodes>
  <resources>
    <resourceFile uri="http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/boot.bin" fileSizeInBytes="1234" localStorage="common/boot.bin">
    </resourceFile>
    <resourceFile uri="http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/boot.xml" fileSizeInBytes="1234" localStorage="common/boot.xml">
    </resourceFile>
    <resourceFile uri="http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/v3.zip" fileSizeInBytes="1234" localStorage="v3.zip">
    </resourceFile>
  </resources>
  <bumf>
    <bumfFile uri="http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/bumf.BMF" fileSizeInBytes="1234" localStorage="bumf.BMF">
    </bumfFile>
  </bumf>
  <busf>
    <busfFile uri="http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/bumf.bsf" fileSizeInBytes="1234" localStorage="bumf.bsf">
    </busfFile>
  </busf>
</update>
Copy it or save it as a text file.
Change the first line
<resourceFile uri="http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/boot.bin" fileSizeInBytes="1234" localStorage="common/boot.bin">
to, for example,
<resourceFile uri="releases.ubuntu.com/14.04/ubuntu-14.04.4-desktop-amd64.iso" fileSizeInBytes="1234" localStorage="common/boot.bin">
with Map Local … Change the txt file.
Now wait until the download is completed. You have to add a little code in the next line so that it boots or executes before that. As a result, almost everything will run on the PS4, because it is stored internally. One has the storage path. I guess the next PS4 firmware update will remove BD Live support 🙂
Enjoy testing!
Alright, so, let’s discuss this a bit.
First of all, the author of this post might be onto something; it would surely be interesting to see what one can do with this BD Live functionality. What the system actually does with the downloaded binaries needs to be looked into. So, this is not completely useless, but…
The claim that this could lead to loading Linux is a huge leap compared to the possibility of running "some bits" of code. The example the author gives above has obviously not been tested, otherwise he would have seen the many issues associated with it. Linux "as is", in particular an Ubuntu distribution, will not run out of the box on the PS4 (it is possible to run Ubuntu on the PS4, but it requires a bit more work). You'd need the Fail0verflow patches and, more importantly, a PS4 jailbreak in order for the thing to run with the right privileges. That is, unless the BD Live functionality runs with root access, which sounds highly unlikely (but hey, worth checking).
I don't think the original author, 00001234, is claiming he can actually boot Linux; he looks like an over-enthusiastic person who just found something interesting and drew the wrong conclusions. But some parts of this are lost in translation for me. If that person actually claims he was able to boot Linux on a 3.50 PS4, I can immediately say the example he gives is completely fake. If, on the other hand, he just provides an example of how people could start looking into that vulnerability, and as an example suggests that people might be able to boot Linux from the PS4, then he is wrong but might still be onto something: the BD Live functionality might be worth looking into.
Update: native German speakers have confirmed to me that 00001234 claims he got Ubuntu booting (thanks @seadil_). In that case, I clearly call this a fake. It doesn't mean looking into BD Live functionality is a bad idea though.
For those of you interested in digging into that kind of thing, you can also use SKFU Pr0xy instead of Charles. SKFU Pr0xy is free, while Charles has a limited free trial of 30 days.
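The quoted manifest is what makes the proxy trick possible in the first place: it is fetched over plain HTTP and describes each download only by URI, declared size and local storage path, with no hash or signature, so whatever a proxy substitutes in transit is accepted as-is. The following Python script is an added example (not code from this post, from 00001234 or from psxtools.de) that audits a manifest of this shape for exactly those weaknesses: it flags entries fetched without TLS, entries with no integrity attribute at all, and localStorage paths that would escape the storage root, and it includes the declared-size comparison, which is the only consistency check the format permits. The embedded sample manifest is constructed to mirror the quoted structure; the element names (update, statusCodes, resources, resourceFile), the host cdn.example.invalid and the integrity attribute names it looks for are assumptions.

```python
"""Audit a BD Live style update manifest for integrity weaknesses.

Added example, not code from this post or from psxtools.de. It parses a
manifest shaped like the one quoted above and reports why a proxy sitting
between the console and the CDN can substitute the downloaded files: plain
HTTP transport, no hash or signature per entry, and unconstrained local
storage paths. Element and attribute names follow the quoted XML; the host
cdn.example.invalid and the INTEGRITY_ATTRS names are assumptions.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest mirroring the structure of the quoted one.
# Entry 2 is served over TLS and entry 3 has a traversal path so that each
# finding type shows up at least once.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<update version="3" targetTitle="89">
  <statusCodes>
    <statusCode id="100" type="information">Successful</statusCode>
  </statusCodes>
  <resources>
    <resourceFile uri="http://cdn.example.invalid/Package/PLACEHOLDER/boot.bin"
                  fileSizeInBytes="1234" localStorage="common/boot.bin"/>
    <resourceFile uri="https://cdn.example.invalid/Package/PLACEHOLDER/boot.xml"
                  fileSizeInBytes="1234" localStorage="common/boot.xml"/>
    <resourceFile uri="http://cdn.example.invalid/Package/PLACEHOLDER/v3.zip"
                  fileSizeInBytes="1234" localStorage="../../v3.zip"/>
  </resources>
</update>
"""

# Attribute names a manifest would need to carry for content verification.
# None of them appears in the quoted manifest; the names are an assumption.
INTEGRITY_ATTRS = ("sha256", "sha1", "hash", "signature")


def is_confined(local_path):
    """True if local_path cannot leave the storage root once normalised."""
    if local_path.startswith("/"):
        return False
    norm = posixpath.normpath(local_path)
    return norm != ".." and not norm.startswith("../")


def size_matches(declared, blob):
    """Compare a downloaded blob against the declared fileSizeInBytes.

    This is the only consistency check the manifest allows. It catches a
    swapped file of a different length (an ISO in place of a 1234-byte
    boot.bin) but is not an integrity check: a padded or truncated
    substitute passes it.
    """
    try:
        return int(declared) == len(blob)
    except (TypeError, ValueError):
        return False


def audit_manifest(xml_text):
    """Return a list of (localStorage, finding) tuples, one per weakness."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    # Every downloadable entry in the quoted format has a tag ending in
    # "File" (resourceFile, bumfFile, busfFile), so match on that suffix.
    for el in root.iter():
        if not el.tag.endswith("File"):
            continue
        uri = el.get("uri", "")
        dest = el.get("localStorage", "")
        scheme = urlparse(uri).scheme.lower() or "no scheme"
        if scheme != "https":
            findings.append((dest, "fetched over %s: no transport integrity" % scheme))
        if not any(a in el.attrib for a in INTEGRITY_ATTRS):
            findings.append((dest, "no hash or signature: content cannot be verified"))
        if not is_confined(dest):
            findings.append((dest, "localStorage escapes the storage root"))
    return findings


if __name__ == "__main__":
    for dest, finding in audit_manifest(SAMPLE_MANIFEST):
        print("%-20s %s" % (dest, finding))
```

Run against the sample, the script reports six findings: two for boot.bin (plain HTTP, no hash), one for boot.xml (no hash, even though it is served over TLS) and three for v3.zip. The point for a defender is that transport security alone does not close the gap: without a per-file hash or signature checked by the player, a manifest over HTTPS still lets a compromised CDN or a misissued certificate swap the payload, which is why signed manifests are the fix rather than just switching the scheme.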
Fiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiirst *crying with joy*
seriously ?!
wait till ps4 neo
I am German and this is how I understand this:
First of all, the publisher is not a coder, he found the “exploit” randomly. The more experienced members of psxtools weren’t able to test the exploit yet. He himself only found the theoretical flaw and concluded that running Lunix could be possible 😉 The only thing he successfully did was to run his own .iso file with a modified blu-ray.
All members on psxtools hope that someone tests the exploit , so the scene pros should just test it out 🙂
I am also German, and I actually think this is just talking ***.
Now he said that his laptop died because of yesterday's rain… it's all wet now and he has to dry it, he will try to rescue the HDD later….
that smells like … u know what 😉
Wow interesting… i wonder if you can install a .pkg file with this method lol
in your dream dude
Even if a .pkg is installed it still requires the licenses to start.
He doesn't say it could boot Linux, he says he has booted Linux successfully with this method. I have asked him to make a video, maybe it's true.
No, he didn't say he booted Linux. He says he found a way in BDLive to run unsigned, unencrypted downloaded code. I don't think there is something interesting in this, because this guy sounds like a total noob. This was one of his first posts in that forum and even if you could run some unencrypted code in the BDLive VM, this will be a huge sandbox to escape from.
I’m german, and he said it !
Richtig mir ist es gelungen die ISO zu booten = right, I was able to boot the iso
anyway, fact is there is no real proof.
Das boot! DAS BOOTEN!!! OMFG
1st!
I am German. Some people think it's fake because he doesn't explain how to mount the file and how to boot Linux.
In this comment (https://psxtools.de/index.php/Thread/71421-PS4-Sicherheitsl%C3%BCcke-bei-BluRay-BDLive/?postID=664967#post664967) he claims that he could boot the iso, but he isn't giving actual instructions on how he did it. The moment he said that he could run an unmodified Ubuntu on a PS4 he revealed he's faking it. It just would not run.
Sounds interesting, have quite a Blu-ray collection too.
I’ll wait for more word on it however.
No comments loading? Oo
Hey there, I am german and I will translate it for you – also doing some comments on my own:
“Also großer geht die Sicherheitslücke kaum, es ist unverschlüsselt und der code ist frei erhältlich. Komisch ist das schon, dies auf die 3.50 ist. Damit kann man alles speichern auf der PS4 und ausführen auch !
Damit kann man sogar Linux booten.”
This is quite a huge security flaw – also not encrypted and the code is open source / free. Unbelievable it is also working with 3.50. With this you can possibly save everything on your PS4 and also execute it. You can also boot Linux on it.
//Sounds great, but also without a video or proof for the scene – late April Fools?
“Was braucht man
1. Windows oder Linux System
2. charles web debugging proxy oder burpsuite
3. Ein Film mit BDLive (in meinen Test war es von Universal-Pictures) andere werden sicherlich auch gehen. Könnt Ihr ja selbst testen.
4. An besten PS4 mit Lan verbinden.”
What will you need:
1. Windows or Linux
2. Charles Proxy or burpsuite
3. Movie with BDLive
4. PS4 connected wired to LAN is recommended
//nothing special – proxy with the ability to redirect web requests and a bluray with this bdlive feature
“Beschrieben wird es für Charles
Nun den Film einlegen und starten, kurz warten bei Charles erscheint dann Universal-Pictures nach ca. 1 Minute ein Bootloader file.
Sieht dann so in etwa aus.”
I'll explain it with Charles Proxy. Start the movie, wait for the Universal Pictures boot file to show up in Charles after 1 minute.
// I don't know what BDLive is, but a binary seems to be loaded from Universal Pictures (http and not https) according to this XML descriptor file
Part 2 is coming
“Ganz und gar nicht so nutzlos @ Gamers RS wenn man sich es genau ansieht. Führt die BDLive ja auch einen Code aus. Und dies noch unverschlüsselt wieso auch immer. Und dies erlaubt ein Download einzuleiten und dies speichert die PS4 noch ab.
Kennst du denn vielleicht ein anderen weg ?”
It is not useless if you look into it @ …
You can download whatever unencrypted file you want to your ps4 and run it. Do you know another way?
// In my opinion – if this is true – he has a point, if you can download and execute (limited) code.
What I don't understand are the possibilities. Can we run whatever binary file we want (in usermode), so we can further trigger a BSD kernel exploit?
Hi @ all 🙂
Yes, the original source is psxtools.de like GregoryRasputin mentioned. It's a topic on our site (no news! only a topic).
The user who reported/discovered this registered on our site only a few days ago – so we don't know him very well and also we don't know if this is real. For me, I am very skeptical about this.
Maybe it's possible to manipulate the BDLive function and maybe it's possible to download a Linux image to the internal HDD of the PS4, but the point is: how will the image be mounted/started?! That's the biggest question on that and that's the question this user has not answered right now.
Best regards
Fatman from psxtools.de
Sounds good, I can't wait 😀
@ wololo
Did you continue reading? At one point that user states that another line of code is needed for execution, and further to this one user asked what that code looked like. That guy only said to look at copy.sh, so I guess he meant this https://github.com/copy/v86 (https://copy.sh/v86/). Even if this all is a hoax, it is quite an elaborate one to point at something like BDLive.
ps4 on 1.76 no bd http://www.ebay.co.uk/itm/231961652507?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1555.l2649
Well, if this is true, great. How about getting some Kali on there for more testing?