CTurt publishes PS4 Kernel exploit technical details, decides to end hacking research on PS4
Developer CTurt dropped two bombs yesterday on Twitter: a detailed explanation of his PS4 Kernel exploit, and an announcement that he would stop all his work on PS4 hacking, effective immediately.
It’s been a roller coaster ride this week on the PS4, and sadly it doesn’t sound like we’re going to get a happy ending, at least not soon. CTurt announced yesterday on Twitter that he would stop his research on the PS4 Kernel exploit.
However, CTurt published a detailed explanation of the 1.76 PS4 Kernel exploit on his blog earlier today. That explanation is probably enough for people with the right set of skills (no, not you Liam Neeson!) to reproduce the exploit.
Don’t get me wrong, it does not look like it will be easy, and requires deep knowledge of FreeBSD, the x86 architecture, and reverse engineering in general. CTurt has intentionally not released the source code, out of fear that it could be used for malicious purposes. Nevertheless, the explanation is detailed enough that someone with enough motivation will be able to reproduce the PS4 Kernel exploit.
PS4 Kernel Exploit, the basics
The PS4 Kernel exploit relies on JIT access for code execution within WebKit, and then uses the BadIRET Linux/FreeBSD vulnerability to gain Kernel access. This is a very short summary of the whole process, which involves a bunch of manipulations from your typical reverse engineering toolkit, including kernel pointer corruption and a NOP sled.
There’s an interesting bit on how the exploit relies heavily on page faults, and ends up in a dangerous zone, one further page fault away from crashing the CPU outright.
If you are interested in the whole process, the best thing to do is to read CTurt’s article, of course.
Oh, and for the people who say this isn’t a Jailbreak, I’m sorry, but you just lost this round:
What’s coming up next for the PS4 scene?
There are a few things we can take away from CTurt’s article, and from the fact that he is apparently leaving the PS4 scene, before that scene is even born.
First of all, as I’ve mentioned above, his article contains enough information that the right people would be able to resume his work. It will be up to the PS4 hackers to decide if they’re up to the challenge, or if the PS4 scene will let its first release be a $100 DRMed device containing the exploit.
The Kernel exploit has apparently been patched in some 2.xx firmware, and not right after 1.76 as I initially assumed. The Webkit exploit however, which is used as the vector for code execution, was patched after 1.76. Theoretically, another userland exploit could be found on higher firmwares to trigger the kernel exploit, but CTurt explains in the article that JIT access is limited to a specific subset of apps on the PS4. This includes the browser of course, but games or apps (like Netflix) don’t have access to it.
It’s also really unclear to me why CTurt would stop his work at this point. He seems to explain that this is because many people are asking for piracy, but honestly I’m a bit confused here. Compared to other scenes, I actually haven’t seen that much activity related to piracy requests, and I feel that the details he has revealed will be enough for people with less nice intents to resume the work anyway… so, yeah, I’m confused and wondering if CTurt is backing off because of some legal concerns (although he has told me in the past that he was not concerned about the legal implications of his work).
What can Sony do about this exploit?
The exploit is already patched, so at this point it is not critical for Sony to take any action. Nevertheless, if more hackers dig into this work, they could start finding more information that could be useful against the latest PS4 firmware. It’s already been confirmed that several groups of hackers are in possession of this exploit, although none of them seemed to be willing to release anything so far, either for fear of legal repercussions, or for other reasons.
CTurt is revealing some interesting information about the PS4 exploit. Although it’s already been patched, some of the things he’s doing along the way could be made more difficult by Sony in the future. It’s been mentioned before, and CTurt confirmed it, that the PS4 does not have ASLR on its kernel functions. This, I believe, could be fixed with a firmware update at some point.
Sony could also decide that CTurt’s article reveals too much, and send a cease and desist asking him to take the article down. I’m just saying, especially considering he’s stated he would stop working on future PS4 exploits, ctrl+s in your browser while reading CTurt’s article might be a good idea.
As always, we’re in “wait & see” mode at this point, and we’ll be sure to keep our PS4 Jailbreak page updated with the latest events.
“Oh, and for the people who say this isn’t a Jailbreak, I’m sorry, but you just lost this round”
You’re probably just poking fun here, but Cturt isn’t using jailbreak in the traditional iOS hacking sense – the process is in a FreeBSD jail – when you jail a process on FreeBSD it means it can’t access anything outside its jail, or folder. The jail contains everything that process needs to run or access. So jailbreaking in this sense is breaking that process out of its jail.
Bad explanation – I know. Just wanted to point that out. Jailbreaking in this sense means breaking that process out of its confined jail. Nothing more.
so what does “jailbreak” mean in any other context?
http://dictionary.reference.com/browse/jailbreak
idk, sounds like it’s a jailbreak in this sense and a jailbreak in other senses also.
but if you want to say “jailbreaking is only iOS”, then you’d be guilty of trying to make crApple’s iOS sound above everything else there ever was. which it’s not.
The process jails you talk about are also present in iOS. It’s referred to as the Sandbox. You typically need to escape (break out of) the sandbox to do anything fun like a “Jailbreak”. (There are exceptions to this of course.)
The only real issue I see here is another “Gateway” occurring. Halting a minor evil to allow a greater evil does sound concerning.
Yep, exactly. PS4 piracy is no longer an “if”, it’s a “when”, and whether or not companies like Cobra and True Blue are going to get there first and make millions all over again.
“Winter is coming.”
😀
Thank you!
I don’t really see why they have to act about it the way they do.
I don’t support piracy, at all, but it’s inevitably going to happen as soon as a system opens up to unsigned code. They don’t have to deliver a backup loader or anything, but someone will at some point down the road, all they’re doing is delaying the inevitable and making the waiting longer for everyone, even those uninterested in backup loading. (I myself want to have the ps2 emulator opened up in order to play disc based games for example)
Or they could do what davee did and intentionally gimp it to not run images.
Chickhen 5.03 had, from memory, added code to shut down attempts at “backup” loading.
But the research is already out. All someone with the intent Gateway had has to do now is finish the research and it looks like so many more people are getting in on the fun. Who’s going to be the next Gateway or better yet, who’s going to be the next Geohot/failoverflow?
Let’s wait and see, I have a feeling that failoverflow is gonna take the shot.
History repeated itself again. Why do people continue to hit these people up begging for things and not just wait for everything to play out, damn. I know half of them are damn script kiddies that don’t know ***. I hope this gets put to good use and a jailbreak/CFW does come out one day. I will be waiting, but I guess I have to put my PS4 1.76 back in the closet for now.
RIP CTurt. God knows what sort of threats 50ny sent him for him to quit the scene and block his Twitter…
not threats, what kinds of checks did they send him 😉
It’s also highly likely that Sony has taken action due to the fact that with more revealed findings and research this could lead to PS4 mod chips much sooner than expected, allowing players to pirate games and whatnot. All they need is to figure out how or when the PS4 does the security checks and how it boots a game, and they could probably make something like the PS3’s Blu-ray drive emulator.
Itssssss ovvvverrrr !!!!!!!
Wow. Interesting stuff. I read CTurt’s article (part 3 as linked in the blog post) and although I don’t claim to understand all of it I have a grasp of what was done to gain full access, and it clearly requires intimate knowledge of both x86 architecture and FreeBSD vulnerabilities. Impressive that Sony found and patched this out before it had even been found by hobby devs – they must have some skilled people on the security side of their team.
From the conclusion of CTurt’s article, I wouldn’t say he’s giving up, he states “I’ll probably take a long break from the PS4 first.” Probably being the key word here. Sounds like he’s invested a lot of hours and just needs to step back for a while. Interesting that he name checks Yifan too, who masterminded the Rejuvenate exploit many of us currently enjoy on the Vita. Doesn’t look like he has been given a cease and desist by Sony or anything like that. I can’t access his Twitter feed because it’s protected, but going from just the article that’s what he’s saying.
CFW and homebrew seem a little closer than they did before, although the former might take longer than the latter. The foundations have been laid though, so I personally think it’s too early to write off the PS4 Jailbreak as over before it even started. From where I’m sitting as a semi-skilled observer, it’s being set in motion slowly but surely.
And CTurt, that’s fine work. I look forward to seeing what other skilled hackers come up with on the back of it.
This was based on a CVE. FreeBSD patched it and Sony just updated their codebase. Their engineers probably didn’t do the security leg work
It’s just a simple codebase update? Damn. I gave $ony too much credit! I assumed they found and patched the vulnerability themselves…
I doubt that Sony combs through FreeBSD for potential vulnerabilities. I’m sure that they do some work on that part, but it’s the collective work of the community that’s mostly at work, I think. We also don’t know what security improvements have been made after firmware 1.76.
The PS4 is my GOD
😉
Sad news. All the best.
See, this is what happens when words like “jailbreak” “custom firmware” and “piracy” start flying around. Now if you’re really lucky someone will figure the exploit out and make everyone pay for it. Hope no one went out a brought a 1.76 firmware PS4 just yet. Happy Holidays.
Total sham, go figure. Holiday hackers will go to town on this, and it is the reason why he closed down the operation, out of fear of being prosecuted.
What a *** ***
”Muh hacker code of honor”
You’re a *** hacker already what *** honor?
I think Sony contacted him and gave him money to stop or something like that. I don’t see any reason why he would stop at this point. I mean he kept his PS4 on an old firmware and spent maybe months to find this exploit and now he stops? I can’t believe this.
Cha ching!!
Definitely cashed out on this one!!
ofc sony sent him checks. ez money 😀
Must be on Sony’s payroll now. Farewell Cturd.!
Sounds like he’s taken a pay off from Sony or is developing the hack for someone else to sell. Maybe the hack is rubbish and can’t progress any further. If a hack does come out he will get no credit at all. Isn’t this the reason why hackers do it, like C4eva with the Xbox? He stated that he needs to write a CFW and loader in previous posts. Now he’s stopping because he’s worried about piracy. What a joke. Think Cturt might be another fake.
The guy spent hours finding this and released all the information on how to recreate it for free and all some people can do is *** about it? Figures. I guess they’re just butthurt they’re not getting the ability to play backups just yet lol.
Lol that Cturt guy is a ***
Beginning like a show. Ending like a joke…
It’s the better summary of this situation, 😉
A guy posted on youtube today things about Jailbreak Ps4, I talked to him and asked if Cturt would leave Ps4 hack scene and he said not that Cturt will not let the Ps4 jailbreak that is a joke, also said Lizard squad is working in a very Ps4 jailbreak, and also said the jailbreak Ps4 out in January or February I hope you enjoy the news, thank you
its all good people for the PS4 scene , as long as its an open source.
am looking to the bright side of the story
Smart hacker learned a lesson from Geo. Well, he is not looking for fame 😀 for sure 😀 cos he could give the pirates and all bad people what they want but……. gives tips, tricks instead. Smart, wise, + for him 🙂
Other thing, Sony could contact him privately on social media saying stop or accept the consequences if further steps will be taken 😀
Hope for a jailbreak is there but needs more tricking Sony as to who did it 😀
These comments are disappointing. If he had been paid off by Sony, he wouldn’t have basically posted a “how to” guide for anyone who has the skills to exploit it. It just wouldn’t make sense.
He doesn’t owe you anything, not even what he has already given you. Stop being dicks 🙁
U should stop being stupid. Seriously, u don’t even have a glimpse of how the world operates.
@Cloud9 I think you’re the one being incredibly stupid here. @Cloudy is absolutely right. If Cturt wants to quit/have a break or whatever, then he can. Cturt doesn’t owe anything to YOU or us and he’s under NO obligation to share his knowledge with anyone. Quit being b.utthurt that you won’t be able to pirate sooner than you thought! Haha.
It’s crazy how this exploit got patched before the developers found the exploit. First time hearing a scenario like this.
what a *** ***….no *** to finish what he started..else dont start at all…*** monkey
It’s not crazy @snowy_mario, in fact, that’s typically how it works. In Android for example many CVEs are found and only made public after they’re patched. Luckily in some cases the manufacturers don’t patch things right away and those older firmwares are still exploitable.
Another Dev could finish the Ps4 jailbreak is what I think 🙂
Lol, more like Sony investigators came to his house.
And Ps4 jailbreak Lizard squad? He promised that 2015 would release the jailbreak 🙂
Lizard Squad consists merely of a bunch of pushovers and script kiddies performing DDoS attacks.
Don’t expect anything noteworthy to come from them.
LOL, that “lizard squad PS4 Jailbreak” was a fake created by some rumors site that had nothing to do with the scene. Can’t believe how many people thought this was real…
Because Kurt Ps4 not release the jailbreak? Sera that is afraid of sony? Will be that Sony paid him to keep quiet? What do you guys think about this? I will come some Ps4 jailbreak until the new year?
Because cturt Ps4 not release the jailbreak? Sera that is afraid of sony? Will be that Sony paid him to keep quiet? What do you guys think about this? I will come some Ps4 jailbreak until the new year?
Kinda seems fishy to me that he would work so hard, get so close and then “end research”. Could this have anything to do with failoverflow, I wonder… or an upcoming dongle release… jk
What if CTurt and crew know they are close to opening up the PS4 (and they know that means piracy too), so he/they decided to take a step back, publish what he/they know (without enabling piracy), pretend they are arguing amongst themselves, then come back in the new year with new aliases to finish the job, as some way of protecting themselves against Sony.
Cool story anyway. 🙂
Thank you CTurt for the work you’ve done ! 🙂