PS4 hack: PS4 3.55 OFW unsigned code execution PoC released (webkit exploit)
Well, what a coincidence*. A couple of hours after I explained that the HENkaku Webkit exploit could probably be ported to the PS4, developer Fire30 published said port on github. I can now humbly call myself the prophet of the scene (hey, I didn’t choose that twitter avatar for nothing!). Jokes aside, I haven’t tested the port myself, but several scene veterans have already confirmed this is the real thing.
What is this PS4 3.55 exploit, is this a PS4 jailbreak?
This is the Webkit exploit used in the recent HENkaku for PS Vita, ported to the latest PS4 firmware, firmware 3.55. This gives us user mode code execution on the PS4. This is cool, but keep in mind that this is just access in one process, and such exploits are typically considered “useless” without an accompanying kernel exploit (which would be the point where it’s ok to call this a PS4 jailbreak). Without a kernel exploit, this will lead at best to minor user mode homebrews (which, don’t get me wrong, can be cool, but it is not what people are looking for).
This however means that if anyone were to release a kernel exploit for the PS4 in the days or weeks to come (see below), firmware 3.55 will become the new gold firmware for PS4 hackers. Currently, only owners of a PS4 running firmware 1.76 can enjoy cool things such as Linux and Steam on their PS4. This could change soon.
The funny thing here is that firmware 3.55 is also known to be the “golden” firmware of PS3 hacking. The Vita missed the mark by a few updates, with 3.60 being the “one” (come on Team Molecule, what took you so long?).
What’s next for PS4 3.55 users?
Again, for this to be truly useful for a broad audience, a kernel exploit will need to be released for the PS4. I haven’t heard any rumors, let alone confirmed sources, of people willing to release such a thing in the near future. It is actually likely that many hacking groups were already in possession of usermode exploits and were waiting for a kernel exploit.
Nevertheless, staying on firmware 3.55 will probably be recommended for now for people who expect further hacks for their PS4. I wouldn’t be surprised if Sony takes the time to patch this exploit in their upcoming firmware 4.0, for which the beta is supposed to start this month.
Download and try the 3.55 PS4 Webkit exploit
You can download the PS4 3.55 exploit from the developer’s github here. You will need basic knowledge of setting up a local server in order to run the exploit. Additional notes from the readme:
PS4 3.55 Code Execution
This repo contains a PoC for getting code execution on PS4s with firmware version 3.55. It uses the same webkit vulnerability as the henkaku project. So far there is basic ROP working, and returning to normal execution is included. Next steps will be to map a JIT page successfully and get actual shellcode executed.
You need to edit the dns.conf to point to the IP address of your machine, and modify your console’s DNS settings to point to it as well. Then run
python fakedns.py -c dns.conf
Debug output will come from this process.
Navigate to the User’s Guide page on the PS4 and information about the exploit and all loaded modules should be printed out. This is an example of what running it will look like: https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8
There are a few notes:
- The exploit is not 100% reliable currently. It is more like 80%, which is good enough for our purposes. So if it does not work on the first try, try a few more times. Also, doing too much allocating after the sort() is called can make it more unstable.
- The process will crash after the ROP is done executing.
xyz – Much of the code is based off of his code used for the henkaku project
Anonymous contributor – WebKit vulnerability PoC
CTurt – I basically copied his JuSt-ROP idea
Source: Fire30 on twitter
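The delivery mechanism in the readme above is worth noting from the network side: the PoC is reached by pointing the console’s DNS at a machine on the local network, so that the User’s Guide page is served from there instead of from the vendor. The following is an added example, not code from Fire30’s repository, showing how an administrator of a home or lab network could spot that pattern in a resolver log: a vendor hostname answering with a private (RFC 1918, loopback or link-local) address. The log line format, the hostnames (example-console.net) and the sample lines are all constructed for this illustration and do not correspond to any real tool’s output or to Sony’s real domains.

```python
"""Detect DNS answers that steer a vendor hostname to a LAN address.

Added example (not part of Fire30's repository). The hostnames, the log
format and the sample lines below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Address ranges that are never a legitimate answer for a public vendor host
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Hostname suffixes that should only ever resolve to public addresses.
# Constructed placeholder, not a real vendor domain.
PUBLIC_ONLY_SUFFIXES = ("example-console.net",)

# Hypothetical resolver log format: "<client> <qname> <A|AAAA> <answer>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA)\s+(\S+)$")

# Constructed sample log: one redirected vendor host, one legitimate vendor
# answer, one LAN-only host, an unrelated public host, a malformed answer
# and a line that does not match the format at all.
SAMPLE_LOG = """\
192.168.1.20 manuals.example-console.net A 192.168.1.10
192.168.1.20 update.example-console.net A 203.0.113.45
192.168.1.21 printer.lan A 192.168.1.5
192.168.1.20 www.example.com A 198.51.100.7
192.168.1.22 manuals.example-console.net A not-an-address
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client, qname, answer) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, qname, _rtype, answer = m.groups()
    # Normalise the name so suffix matching is case-insensitive and ignores a trailing dot
    return client, qname.lower().rstrip("."), answer


def is_lan_address(answer: str) -> bool:
    """True if the answer is a valid IP literal inside one of the LAN ranges."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # not an IP literal at all; nothing to flag here
    # Membership across IP versions is simply False, so v4 and v6 ranges can be mixed
    return any(addr in net for net in LAN_NETWORKS)


def is_watched_host(qname: str) -> bool:
    """True if qname is one of the public-only suffixes or a subdomain of one."""
    return any(qname == s or qname.endswith("." + s) for s in PUBLIC_ONLY_SUFFIXES)


def find_redirected_answers(log: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, answer) for every watched host answered with a LAN address."""
    findings = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not resolver answers
        client, qname, answer = parsed
        if is_watched_host(qname) and is_lan_address(answer):
            findings.append((client, qname, answer))
    return findings


if __name__ == "__main__":
    for client, qname, answer in find_redirected_answers(SAMPLE_LOG):
        print(f"{client}: {qname} resolved to LAN address {answer}")
```

On the sample log this reports only the first line, where the vendor’s manuals host resolves to 192.168.1.10. A LAN-only name such as printer.lan legitimately resolves to a private address and is ignored, and the check deliberately uses its own explicit range list rather than Python’s `is_private`, because the latter also treats documentation ranges such as 203.0.113.0/24 as private and would produce false positives on the second line.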
* It is actually probably really a coincidence.