Fail0verflow: Dumping a PS4 Kernel in “only” 6 Days
ps4_enthusiast, over on the fail0verflow blog, has posted a detailed explanation of how he was able to dump (and decrypt) the PS4 kernel from userland (via a WebKit exploit).
The stunt leverages a vulnerability in the “crashdump” functionality of the console. The code that lets the PS4 log some information in case of a crash allows an attacker to leak a very small amount of kernel data (16 bytes per process). Additionally, flaws in the encryption process of the crashdump made it feasible to actually decrypt the data after it was dumped.
More interesting than the exploit itself is how ps4_enthusiast automated his setup to dump the whole kernel. The hacker calculated that, with such a tiny information leak and given the size of the kernel, a full dump would take roughly 11 days (6 days after trimming some fat). He moved forward by automating PS4 crashes, reboots, and dumps to a hard drive, which was itself connected to his PC, where the kernel was reconstructed literally byte by byte.
The hacker states that one of the flaws he leveraged was corrected around firmware 4.50, so decrypting the kernel this way is no longer possible on recent firmware.
Check out the entire article at the source below.