CTurt publishes PS4 Kernel exploit technical details, decides to end hacking research on PS4
Developer CTurt dropped two bombs yesterday on Twitter: a detailed explanation of his PS4 Kernel exploit, and an announcement that he would stop all his work on PS4 hacking, effective immediately.
It’s been a roller coaster ride this week on the PS4, and sadly it doesn’t sound like we’re going to get a happy ending, at least not soon. CTurt announced yesterday on Twitter that he would stop his research on the PS4 Kernel exploit.
However, CTurt published a detailed explanation of the 1.76 PS4 Kernel exploit on his blog earlier today. That explanation is probably enough for people with the right set of skills (no, not you Liam Neeson!) to reproduce the exploit.
Don’t get me wrong, it does not look like it will be easy, and requires deep knowledge of FreeBSD, the x86 architecture, and reverse engineering in general. CTurt has intentionally not released the source code, out of fear that it could be used for malicious purposes. Nevertheless, the explanation is detailed enough that someone with enough motivation will be able to reproduce the PS4 Kernel exploit.
PS4 Kernel Exploit, the basics
The PS4 Kernel exploit relies on JIT access for code execution within WebKit, and then uses the BadIRET Linux/FreeBSD vulnerability to gain Kernel access. This is a very short summary of the whole process, which involves a bunch of manipulations from your typical Reverse Engineering toolkit, including kernel pointer corruption and a NOP sled.
There’s an interesting bit on how the exploit relies heavily on page faults, and ends up in a dangerous zone, one page fault away from causing an automatic CPU crash.
If you are interested in the whole process, the best option is to read CTurt’s article, of course.
Oh, and for the people who say this isn’t a Jailbreak, I’m sorry, but you just lost this round:
What’s coming up next for the PS4 scene?
There are a few things we can get from CTurt’s article, and the fact that he is apparently leaving the PS4 scene, before that scene is even born.
First of all, as I’ve mentioned above, his article contains enough information that the right people could resume his work. It will be up to the PS4 hackers to decide if they’re up to the challenge, or if the PS4 scene will let its first release be a $100 DRMed device containing the exploit.
The Kernel exploit has apparently been patched in some 2.xx firmware, and not right after 1.76, contrary to what I initially assumed. The WebKit exploit however, which is used as the vector for code execution, was patched after 1.76. Theoretically, another userland exploit could be found on higher firmwares to trigger the kernel exploit, but CTurt explains in the article that JIT access is limited to a specific subset of apps on the PS4. This includes the browser of course, but games or apps (like Netflix) don’t have access to it.
It’s also really unclear to me why CTurt would stop his work at this point. He seems to explain that this is because many people are asking for Piracy, but honestly I’m a bit confused here. Compared to other scenes, I actually haven’t seen that much activity related to piracy requests, and I feel that the details he has revealed will be enough for people with less noble intentions to resume the work anyway… so, yeah, I’m confused and wondering if CTurt is backing out because of some legal concerns (although he has told me in the past that he was not concerned about legal implications of his work).
What can Sony do about this exploit?
The exploit is already patched, so at this point it is not critical for Sony to take any action. Nevertheless, if more hackers dig into this work, they could start finding more information that could be useful for the latest PS4 firmware. It’s already been confirmed that several groups of hackers are in possession of this exploit, although none of them seemed to be willing to release anything so far, either for fear of legal repercussions, or for other reasons.
CTurt is revealing some interesting information about the PS4 exploit. Although it’s already been patched, some of the things he’s doing along the way could be made more difficult by Sony in the future. It’s been mentioned before, and CTurt confirmed it, that the PS4 does not have ASLR on its Kernel functions. This, I believe, could be fixed with a firmware update at some point.
Sony could also decide that CTurt’s article reveals too much, and send a cease and desist asking him to take the article down. I’m just saying, especially considering he’s stated he would stop working on future PS4 exploits, ctrl+s in your browser while reading CTurt’s article might be a good idea.
As always, we’re in “wait & see” mode at this point, and we’ll be sure to keep our PS4 Jailbreak page updated with the latest events.