PS4 hack: PS4 3.55 OFW unsigned code execution PoC released (webkit exploit)
Well, what a coincidence*. A couple hours after I explained the HENkaku Webkit exploit could probably be ported to the PS4, Developer Fire30 published said port on github. I can now humbly call myself the prophet of the scene (hey I didn’t choose that twitter avatar for nothing!). Joke aside, I haven’t tested the port myself, but several scene veterans have already confirmed this is the real thing.
What is this PS4 3.55 exploit, is this a PS4 jailbreak?
This is the Webkit exploit used in the recent HENkaku for PS Vita, ported to the latest PS4 firmware, firmware 3.55. This gives us user mode code execution on the PS4. This is cool, but keep in mind that this is just access in one process, and such exploits are typically considered “useless” without an accompanying kernel exploit (which would be the point where it’s ok to call this a PS4 jailbreak). Without a kernel exploit, this will lead at best to minor user mode homebrews (which, don’t get me wrong, can be cool, but it’s not what people are looking for).
This however means that if anyone were to release a kernel exploit for the PS4 in the days or weeks to come (see below), firmware 3.55 will become the new gold firmware for PS4 hackers. Currently, only owners of a PS4 running firmware 1.76 can enjoy cool things such as Linux and Steam on their PS4. This could change soon.
The funny thing here is that firmware 3.55 is also known to be the “golden” firmware of PS3 hacking. The vita missed the mark by a few updates, with 3.60 being the “one” (come on team molecule, what took you so long?).
What’s next for PS4 3.55 users?
Again, for this to be truly useful for a broad audience, a Kernel exploit will need to be released for the PS4. I haven’t heard any rumors, let alone confirmed sources, of people willing to release such a thing in the near future. It is actually likely many hacking groups were already in possession of usermode exploits and waiting for a kernel exploit.
Nevertheless, staying on firmware 3.55 will probably be recommended for now for people who expect further hacks for their PS4. I wouldn’t be surprised if Sony takes the time to patch this exploit in their upcoming firmware 4.0, for which the Beta is supposed to start this month.
Download and try the 3.55 PS4 Webkit exploit
You can download the PS4 3.55 exploit from the developer’s github here. You will need basic knowledge of setting up a local server in order to run the exploit. Additional notes from the readme:
PS4 3.55 Code Execution
This repo contains a PoC for getting code execution on PS4s with firmware version 3.55. It uses the same webkit vulnerability as the henkaku project. So far there is basic ROP working, and returning to normal execution is included. Next steps will be to map a jit page successfully and get actual shellcode executed.
Usage
You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run
python fakedns.py -c dns.conf
then
python server.py
Debug output will come from this process. Navigate to the User’s Guide page on the PS4 and information about the exploit and all loaded modules should be printed out. This is an example of what running it will look like: https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8
There are a few notes:
- The exploit is not 100% reliable currently. It is more like 80%, which is good enough for our purposes. So if it does not work on the first try, try a few more times. Also doing too much allocating after the sort() is called can make it more unstable.
- The process will crash after the rop is done executing.
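The usage steps above rely on redirecting the console’s DNS so that the User’s Guide hostname resolves to a machine on the local network. From a defender’s side, the same redirection is what you would look for on a home or lab network: a public hostname whose A record suddenly points at a private address. The following Python 3 code is an added example, not part of Fire30’s repository or of this article: it parses a DNS response (including name compression) and flags answers that map a name to a non-global address. The hostname and the response packet are constructed samples, not the console’s real lookup.

```python
"""Added example (not from the PS4 PoC repo): parse DNS A answers and
flag public names that resolve to private/LAN addresses, which is the
redirection the PoC's fake DNS setup depends on."""
import ipaddress
import struct


def _read_name(pkt, offset):
    """Decode a DNS name at `offset`, following 0xC0xx compression pointers.

    Returns (dotted_name, offset_just_after_the_name_in_the_stream).
    """
    labels = []
    end = None                      # stream position after the first pointer
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:   # compression pointer: jump, remember end
            pointer = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:             # root label terminates the name
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_answers(pkt):
    """Return [(name, ipv4_string), ...] for A records in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    offset = 12                     # fixed 12-byte header
    for _ in range(qdcount):        # skip the question section
        _, offset = _read_name(pkt, offset)
        offset += 4                 # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(pkt, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        rdata = pkt[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:    # A record
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return answers


def spoofed_answers(pkt):
    """Answers whose address is not globally routable (RFC1918, loopback, ...).

    For a public hostname such an answer indicates a resolver that has been
    pointed at a local machine rather than a real upstream DNS server.
    """
    return [(name, ip) for name, ip in parse_a_answers(pkt)
            if not ipaddress.IPv4Address(ip).is_global]


def build_response(qname, ip, txid=0x1234):
    """Constructed sample packet: one question, one A answer that uses a
    compression pointer (0xC00C) back to the question name."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


if __name__ == "__main__":
    # Placeholder hostname; the real User's Guide host is not assumed here.
    redirected = build_response("manuals.example.invalid", "192.168.1.20")
    legitimate = build_response("manuals.example.invalid", "93.184.216.34")
    print("redirected:", spoofed_answers(redirected))   # flagged
    print("legitimate:", spoofed_answers(legitimate))   # []
```

In practice you would feed `spoofed_answers` the raw UDP payloads captured from the console’s DNS traffic (for example with a packet capture on the router) and compare them with what a known public resolver returns for the same name; a private answer for a name that normally resolves publicly is the signal.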
Acknowledgements
xyz – Much of the code is based off of his code used for the henkaku project
Anonymous contributor – WebKit vulnerability PoC
CTurt – I basically copied his JuSt-ROP idea
Source: Fire30 on twitter
* It is actually probably really a coincidence.

This is good stuff. I can’t wait to see what people can get running which will hopefully be shortly!
Also, first! :^)
He must have only scratched the surface with Henkaku on ps4, since people reverse engineering the exploit are thinking Henkaku actually used a kernel exploit on the Vita.
We’ll have to wait and see.
It was always rumored that the webkit could lead to kernel if exploited on the vita.
In case that’s not clear, the Vita kernel exploit is very unlikely to be reproduced on the PS4, completely different OSes
Yeah, I already knew it wouldn’t be that easy. I don’t know too much about how these kernel exploits exactly work, but I do know that it heavily relies on the OS it is executed on and the available resources.
I reckoned they are much the same OS. psvita is also based on FreeBSD.
You are correct, Vita is heavily based on FreeBSD.
It turns out it is not. Not nearly the level of the PS4 at least.
Vita runs on mobilinux
First
can we port henkaku for ps3 3k 4k consoles
no. and why would anyone bother messing with an encryption that can never be broken again?
PS3 gen is finished from what we see from the upcoming release. For that reason, if it enabled homebrew on PS3 3k/4k it would be the best option for old gen.
True wololo. This is not likely either, but say people maybe find another exploit on the PS4 through this; could happen though.
The Vita was the key :O
Just like the PSP for the PS3
Thank you
I wonder if this can be used on PS3 CECH 3k 4k.
I believe your quick solution is ODE.
I believe ODE can run a few homebrews but really limited to a few
OMG NOW WHAT TO DO
I’M CONFUSED WHETHER TO BUY A PS4 RIGHT NOW OR NOT, AS THE NEW PS4 SLIM AND NEO ARE JUST TWO MONTHS AWAY FROM RELEASE.
there will not be so many differences between PS4 and PS4 Neo, and Neo will be a little more expensive
so buy it now
The neo is likely going to be released after sony patches this and anything else they find.
wow
Exciting times
I swear, every time I look into what has been happening with the PS4 scene I end up feeling like I am the only person who has any interest in seeing the save game encryption broken.
I feel you bro
Hope this exploit can get complete jailbreak for ps4 with 3.55. Like PS3 was jailbroken with 3.55. So 3.55 will become special number for playstation console(Bad is vita on 3.60 not 3.55 otherwise..). Guys make it happen .. XD
do you regurgitate everything you see?
Yes because I so excite to not read through everything.. XD my bad
What kind of homebrew is possible now? Emulators, Game Ports and Filemanager?
keep up to good work guys
Omg, read carefully! There is NO code execution! Just rop AND it will stay like that for … reasons :p
You cant just tell everyone that its staying that way so sony doesn’t release their neo console prepatched and “unhackable”?
You can’t just say so that Sony doesn’t release the neo console prepatched and “unhackable”?
yes there is code execution, you don’t even need an exploit to run code, javascript gets converted to code, and rop stands for Return Oriented Programming, privileges, jails and sandboxes stand in our way, this webkit exploit allows us to escape the javascript sandbox, next we need a kernel exploit to escalate privileges which in turn will allow us to escape the browser jail
Haha when 3.55 was released I Joked about it being the perfect Firmware for us. I think I won’t update to the 4.0 beta for now just in case someone will be able to find a kernel exploit. Or maybe I just get a second ps4 for less than 200€ and wait 😀
I would keep it at 3.55 and get the new ps4 neo if this leads anywhere 😛
3.55….I hate this number
And here I was thinking about selling my extra PS4 with 2 TB installed, hmmm. Thanks to this I’m gonna keep it until a hack is released to enjoy homebrews and emus.
what about 2.xx firmwares? I remember reading before that the BadIRET Kernel exploit could work on it but needed another exploit to load. I’m still on 2.01
hmm staying on 1.76 or update to 3.55 ?
This should mean that firmwares 1.76 all the way to 3.55 can be exploited with this. However, we don’t know which firmware a kernel exploit will be found for; could be a 2.xx firmware that gets lucky this time. Personally I am staying on the firmware I have (2.50 I think, not looked for a while), and if and when 3.55 gets cracked wide open I’ll update then; if not, then I’ll stay. Unlike most people though I only want enough access to mess around with GTA:V, can think of some cool things to do to that game.
3.55 hacked again? Sony has REALLY bad luck with their firmwares around the 3.50.. The PS3, the Vita had the 3.51 Rejuvenate thing, now this, lol.
Same question here … I stay 1.76 or should I update now to 3.55 ?
Wait for kernel access then update
I want Ps4 jailbreak 3.55 is my dream,wooooool:):):):):)
good news and good job wololo , keep up !
Without a kernel exploit this is nothing, as many were already in possession of this usermode exploit.
A kernel exploit would be much more difficult to achieve, and that too on firmware 3.55; it may even take years to call 3.55 the golden firmware. C’mon guys, Neo will be released in Oct, so why get your hands on this old PS4?
It is good news for existing PS4 users (on firmware >1.76), but those who are still looking forward to buying should rather buy a Neo and wait for it to get a jailbreak.
So, it’s like the Wii U 5.3.2/5.5.0/5.5.1 exploit minus the kernel exploit?
How about a Web exploit for the PS3?! Likely they have similar vulnerability and this approach may be a means of avoiding hard-hack downgrade?
3.55 the firmware all hopefully will work on for any full hacks.
I am very eager to come a Ps4 jailbreak 3:55 or cfw hopefully come as fast as possible!
https://github.com/Cryptogenic/PS4-Playground-3.55 this has been cleaned up a little by Cryptogenic
Hi,
Just wondering, could anyone give step by step instructions? I have a PS4 with this version. I don’t know if the script itself will put it on the USB drive or directly into the web browser of the PS4. Kindly please help. Thanks
I tried the given instruction in the page of GitHub but I have this error.
C:\Users\Nymphetamine\Desktop\PS4-3.55-Code-Execution-PoC-master>python fakedns.py -c dns.conf
File "fakedns.py", line 281
print ">> Built NONEFOUND response"
^
SyntaxError: Missing parentheses in call to 'print'
SAME EVEN IF I REMOVE THE WORD PYTHON, and I also have the error in the server like this.
C:\Users\Nymphetamine\Desktop\PS4-3.55-Code-Execution-PoC-master>python server.py
File "server.py", line 33
print data_string
^
SyntaxError: Missing parentheses in call to 'print'
I HAVE PYTHON ON WINDOWS AND XAMPP, but I have no luck. I hope someone can provide complete details and step by step.. sorry for the noob question. Thanks
You have Python 3 on your computer, but the script is written for Python 2. It would be easier for you to use Python 2, as more things have been changed in the Python 3 standard libraries (socket server packages etc.).
Regarding your compilation issue, it has to be:
print(">> Built NONEFOUND response")
print(data_string)
Hi, I have a question. I have a ps4 that is on OFW 3.50 and I have turned off its WIFI so I ensure that it doesn’t update if it somehow manages to go into rest mode. I have to ask, should I update to 3.55 or stay on 3.50? I know lower is better, however, in terms of the VITA you had to update to 3.18 to have that exploit.
So should I update to 3.55 or stay?
Do what I did, download the recovery and update files to your PC, just in case there’s a breakthrough. You can update using USB through safe mode.
magas23 from nextgenupdate com brought a good idea (he has deployed the webkit playground for PS4 3.55). So anybody can try the exploit on his own without python, webserver and other things. Anybody can fork https://github.com/Cryptogenic/PS4-Playground-3.55 with his/her own github account and setup Github Pages (https://help.github.com/articles/creating-project-pages-manually/). It’s super easy. After you setup GitHub pages go open it in web browser on your PS4. PROFIT.
For instance I just created one, so you can skip that step and just go to https://haxep.github.io/PS4P/index.html directly from your PS4 web browser.
Thanks to Cryptogenic for working on PS4Playground, which is based on Fire30’s exploit port.
“355playground.netau.net” this link will just simplify what is available for the ps4 on 3.55 at this time.
Downloaded firmware files for 355 lol
Please, anyone send me step by step for the 3.55 playground, I’m so confused .. 🙁 .. what is the webkit exploit and redeye etc…. ?