Fail0verflow disclosed the details of a PS4 4.05 Kernel exploit a few weeks ago. Although I was expecting this to lead to a full release very quickly, the scene has not seen anything so far.
PS4 Developer SpecterDev, who revealed he had found the exploit independently a while ago, and also runs a blog where he writes about the inner workings of console exploits, was nice enough to answer some of my questions.
Wololo: Could you introduce yourself for those among our readers who don’t know you?
SpecterDev: I’m just a curious developer who got interested in exploitation and reverse engineering a little over a year ago. The PS4 seemed like a fun place to start and I got started by tinkering with stuff that was already released (most notably FireKaku) and released some projects for those like me who were interested in researching the PS4 such as Playground 3.55. I was lucky enough to have some friends experienced in exploit development guide me along the way to eventually developing a kernel exploit. While at the time I had this I could not disclose details, I did try to spread some knowledge and answer questions where I could about information on higher firmwares.
Wololo: I’ll start with the very obvious question. When Fail0verflow released details about the PS4 4.05 Kernel exploit, lots of people on the scene and I were expecting a release to happen within days. The exploit is explained in detail on Fail0verflow’s blog. What do you think explains that it’s taking (from a naive perspective) “so long” to see a release?
SpecterDev: Well, the 4.05 kernel exploit is very complex and involves a lot of moving parts. While the details f0f disclosed detailed how to arbitrarily free() any address, they did not go into detail on how you would go about obtaining the pointer to a good object to target, which is the most difficult part of the exploit by far. Finding a suitable object to leak while blind takes a lot of guessing and trial and error, making the exploit development a very time consuming process.
Wololo: That exploit was known for a long time, and was patched by Sony a while ago, in firmware 4.06. Why was it kept secret for a while by multiple hackers?
SpecterDev: It was really just developers who had it not wanting to step on other people’s toes. f0f were the original devs who found the exploit, and many of us received help from either f0f or those who were assisted by f0f, so out of respect for everyone involved, we didn’t want to disclose until f0f was ready to.
Wololo: Do you think your plans to release an implementation of the exploit have had an impact on other people willing to dig into it?
SpecterDev: I think they have in the way that some other developers have been asking for insight on how the exploit (or at least certain parts of it) work, and I think that’s cool. Provided I have the time I always try to answer these questions as best I can, as I remember when I was in a similar position not too long ago. [note from wololo: on that topic, we have a thread on /talk where you can ask your technical questions on the exploit]
Wololo: Speaking of your implementation, do you still plan on releasing it? If so, do you have a rough estimate of how far you are? What are the issues you’re dealing with when it comes to this implementation?
SpecterDev: Yes I do. I’m at the point of leaking a good object to ensure the exploit is stable. I do have a good object leaking as well as a trigger for code execution; it’s just a matter of how practical it is to implement into the exploit, which I am currently testing now. After I know the object can be used effectively in the exploit, things get much easier. I hope to get a release out soon (within the next week or so) – I’ve just been busy with real life stuff, so with the exception of weekends, I don’t have a lot of time to work on the exploit during the week.
I’ll also be publishing a write-up for the kernel exploit when it is ready; in it I’ll break down how the exploit works step by step. My hope is that it will not only be a nice read for security researchers interested in the PS4, but will also give those in the community without a background in infosec a bit more information on how big releases involving kernel exploits work behind the scenes. Maybe it will inspire some to look into software security where they otherwise would not have 😀
Wololo: How many people or groups do you think have access to kernel exploits on 5.xx PS4 firmwares?
SpecterDev: On higher firmwares I can’t say. Qwerty has kernel access on 5.xx firmware as he displayed on his Twitter, but as for other people and groups I’m not sure.
Wololo: What homebrew, tools, plugins would you like to see running on a hacked PS4?
SpecterDev: In terms of homebrew, I think emulators would be neat to have running on the PS4. But the coolest thing I found with PS3 was the custom games that homebrew developers created such as Neo Tanks. It allows people to get creative and make cool things and play it (and share it) on a platform which they otherwise would not be able to publish to.