Rumor: PS4 3.50 BD Live vulnerability allows execution of Linux? Not so fast…
Rumors originated on German scene site psxtools.de that some functionality of Blu Ray movies (BD Live) allows for execution of unencrypted code, and potentially even load Linux directly from the PS4.
Add a little bit of google translate in the mix, and the scene is going crazy thinking we have a new exploit up and running on 3.50, that just needs a bit of testing before it’s available publicly. So, err, let’s step back and breathe a little bit here.
I won’t pretend I can speak German better than you here, so I have to relate on Google translate on the original claims as well, here’s what I gather. The following is a personal translation of the original post on psxtools.de, helped by google translate.
This is a great vulnerability, it is unencrypted and the code is freely available. And it’s available on firmware 3.50. Therefore one can save anything on the PS4 and also run it!
So you can even boot Linux.
What you need
- Windows or Linux system
- charles web debugging proxy or burpsuite
- A film with BDLive (in my test it was by Universal Pictures) others will surely work. You can test yourself.
- Better to connect the PS4 with Lan.
With Charles proxy
Insert and start the movies, wait a bit and after about 1 minute the Charles interface should show a Universal Pictures bootloader file.
It looks like this:
- <? Xml version = “1.0” encoding = “utf-8”?>
- <Update version = “3” target title = “89”>
- <Status code>
- <Status code id = “100” type = “information”> Successful </ status code>
- </ Status codes>
- < resourceFile uri= “http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/boot.bin” fileSizeInBytes= “1234” localStorage= “common/boot.bin” >
- </ Resource file>
- < resourceFile uri= “http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/boot.xml” fileSizeInBytes= “1234” localStorage= “common/boot.xml” >
- </ Resource file>
- < resourceFile uri= “http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/v3.zip” fileSizeInBytes= “1234” localStorage= “v3.zip” >
- </ Resource file>
- </ Resources>
- < bumfFile uri= “http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/bumf.BMF” fileSizeInBytes= “1234” localStorage= “bumf.BMF” >
- </ BumfFile>
- </ Bumf>
- < busfFile uri= “http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/bumf.bsf” fileSizeInBytes= “1234” localStorage= “bumf.bsf” >
- </ BusfFile>
- </ BUSF>
- </ Update>
Copy it or save as a text file
Change the first line <resourcefile uri=”http://cdn.www.universalhidefclub.com/u/ContentServer/Universal/xxxxxxx/Package/xxxx-xxxx-xxxx-xxxx-xxxx/boot.bin” fileSizeInBytes = “1234” localStorage = “common / boot.bin”>
with for example <resourcefile uri = ” releases.ubuntu.com/14.04/ubuntu-14.04.4-desktop-amd64.iso ” fileSizeInBytes = “1234” localStorage = “common / boot.bin”>
with map local … Change the txt file
Now wait until the download is completed. You have to add a little code in the next line so that the boots or executes before that. As a result, almost everything will run on the PS4, because it is stored internally. One has the storage path.
I guess the next PS4 firmware update will remove BD Live support 🙂
Alright, so, let’s discuss this a bit.
First of all, the author of this post might be onto something, it would surely be interesting to see what one can do with this BD Live functionality. What the system actually does with the downloaded binaries needs to be looked into. So, this is not completely useless, but…
The statement that this could lead to load Linux is a quantum leap compared to the possibility to run “some bits” of code. The example the author gives above has obviously not been tested, otherwise he would have seen the many issues associated with it. Linux “as is”, in particular an ubuntu distrib, will not run out of the box on the PS4 (it is possible to run ubuntu on the PS4, but it requires a bit more work). You’d need the Fail0verflow patches, and, more importantly, a PS4 Jailbreak in order for the thing to run with the right privileges. That is, unless the BD Live functionality runs with root access, which sounds highly unlikely (but hey, worth checking).
I don’t think the original author, 00001234, is claiming he can actually boot Linux, he looks like an over-enthusiastic person who just found something interesting and drew the wrong conclusions. But some parts of this are lost in translation for me. If that person actually claims he was able to boot Linux on a 3.50 PS4, I can immediately say the example he gives is completely Fake. If, on the other hand, he just provides an example of how people could start looking into that vulnerability, and as an example suggests that people might be able to boot Linux from the PS4, then, he is wrong but might still be onto something: the BD Live functionality might be worth looking into.
Update: native German speakers have confirmed to me that 00001234 claims he got ubuntu booting (thanks @seadil_). In that case, I clearly call this a fake. It doesn’t mean looking into BD Live functionality is a bad idea though.
For those of you interested in digging into that kind of thing, you can also use SKFU Pr0xy instead of Charles. SKFU Pr0xy is free, while Charles has a limited free trial of 30 days.