Debunking Rumors: Does the PS4 4.01 Jailbreak rely on vulnerabilities used in iOS 9 Trident/Pegasus exploits?
Growing rumors from (mostly) unverified sources have been claiming that the recently demonstrated PS4 4.01 Jailbreak relies on the same vulnerabilities as the iOS 9 Pegasus spyware.
PS4 4.01 Jailbreak – What is known so far
The PS4 4.01 Jailbreak was demonstrated a few weeks ago by the Chinese security research team Chaitin Tech. Sony has since released firmware 4.06, which allegedly patches the exploit. Several PS3/PS4 hackers have implicitly confirmed both that the vulnerability exists and that firmware 4.06 patches it.
It is extremely likely that this exploit uses a WebKit vulnerability as its first entry point, giving code execution in usermode inside the PS4 browser process. Beyond that, very little is publicly known about this PS4 exploit, but growing rumors state that it might rely on the same vulnerabilities that Apple patched in iOS in August this year.
iOS Trident/Pegasus attack and how it relates to the PS4 4.01 Jailbreak

In October, security researchers Chaitin Tech demonstrated a PS4 4.01 Jailbreak.
The iOS exploit chain, known as “Trident” (or, by extension, “Pegasus”, the name of the spyware suite the exploits install), was allegedly used by governments against political dissidents. Trident relied on no fewer than three 0-day vulnerabilities in iOS: a memory-corruption bug in WebKit to get code execution in the browser, a kernel information leak to defeat KASLR, and a kernel memory-corruption bug to get kernel code execution (CVE-2016-4657, CVE-2016-4655 and CVE-2016-4656 respectively). Apple patched all three in iOS 9.3.5 after the attack was disclosed to them by the security research lab Lookout Inc., working with Citizen Lab.
How do the Pegasus exploits relate to the PS4? Many unverified claims that the 4.01 Jailbreak is related to Pegasus started bubbling up recently. It’s difficult to separate hoaxes and unverified social-media claims from things that can be taken seriously.
Most of the (credible) rumors seem to originate from a tweet by security researcher Kevin Beaumont in September, who stated: “I suspect there’s a possibility they may also work on PlayStation 4 (oddly enough) to escape sandbox, still looking at it.”
@lorenzoFB I suspect there’s a possibility they may also work on PlayStation 4 (oddly enough) to escape sandbox, still looking at it.
— Kevin Beaumont (@GossiTheDog) September 1, 2016
Kevin Beaumont reiterated his belief in October when Chaitin Tech announced their 4.01 Jailbreak. Most of the other rumors we found don’t have enough evidence (or a trustworthy enough source) to be taken seriously at this point.
I’m told this technique was indeed used to jailbreak PlayStation: https://t.co/5c6qnZ5LC6 https://t.co/ToUQZlRKlU
— Kevin Beaumont (@GossiTheDog) October 26, 2016
I contacted Kevin Beaumont, who quickly replied that he believes the same WebKit exploit can be used to escape the WebKit sandbox. He said:
the iOS exploit included WebKit to kernel, and PS4 runs WebKit in the browser. A similar technique was used prior in much older firmware. At the time of the latest iOS exploit, Sony didn’t patch it.[…] If they can escape the browser into the kernel layer, they have root.
I tend to disagree with Kevin here, or rather, I don’t see a direct connection between “WebKit exploit” and “kernel access”. Looking at the details, Trident includes exactly one WebKit exploit. That bug may well be portable to the PS4 browser, but on its own it yields only arbitrary code execution inside the WebKit process, which is sandboxed; it does not give kernel access. A separate privilege escalation is required for that, and the remaining stages of the iOS chain (the kernel info leak and the kernel memory corruption) target the XNU kernel and rely on iOS-specific details. I’m not saying something similar can’t be done on the PS4 (XNU borrows a good deal of BSD code, after all), but the conclusion takes a few shortcuts: reusing the WebKit bug is plausible, reusing the kernel bugs is not. Kevin has confirmed to me that he hasn’t done the groundwork yet to confirm his educated guess.
I have contacted a few trusted hackers of the PS4 scene. One of them flatly told me the rumors are not true.
It’s getting clear to me that an educated guess from a (legitimate) Twitter source escalated into a series of rumors that are mostly false. The PS4 4.01 Jailbreak does not appear to be based on the iOS Pegasus exploits.
The following PDF, which explains how the Pegasus exploits work, has been circulating widely along with the rumors on various social media and scene websites. It’s an interesting read, whether or not you believe it is connected to the recent PS4 jailbreak.
As far as I’m concerned, I have no doubt that the jailbreak is real (independently of which exploits it uses). The real question is whether “something” will ever be released. Consoles still on PS4 firmware 1.76, the only firmware known to run a public jailbreak, are now out of my financial reach, so my plan is to buy a PS4 Slim as my main gaming rig and keep my current PS4 on firmware 4.01. Only time will tell whether this is the right move.
I’m still gonna leave my PS4 on 4.01. I’m getting a new PS4 on Black Friday.
Get it, bro, it’s goooooooooooood.
I have 2.57 and I am waiting for a jailbreak so I can update it. I will not need to buy a new PS4 on Black Friday. Don’t want to waste my money. You are wasting your money. Silly!
I am focused on PS3, so it’s okay to wait a little bit longer. Money-wise, I’d rather save my money, really. Sorry about my English.
Standard rule of thumb for headlines that end in a question mark: The answer is “no.”
When can we start stealing the games?
We don’t need pirated games, just the freedom to mod and hack (as legit device owners). Sony needs to understand this; then we won’t need to steal their games either!
Of course we need pirated games, idiot.
Well, that means no credit for the game producers and all the artists and developers behind the scenes, and then you can’t expect higher quality and better games in the long run. 15–60 dollars isn’t that much if you have a job, idiot!
Most PS4 games are crap.
*** are you talking about?
In Africa, 60 dollars is a lot of money. It will be good if a jailbreak is released soon.
We don’t. That would be an argument for the PS Vita, where the system is officially dead, but not for the PS4, where you can enjoy a lot online. Hacking a device is not for piracy from a dev’s point of view. With the prices on flash sales, Black Friday or Amazon deals, or those shared accounts sold on eBay (primary and secondary), I do not understand how piracy could be a goal… If you say it’s because you are outside the US and do not have a PayPal account, then I think you are a kid and should ask daddy for help.
Exactly. I live in Iran, and piracy is not even a crime! We get physical PS4/Xbox games pretty expensive, but I am highly against piracy as a software developer.
I need a rooted system with full access to the OS (like Android), so I can install Linux, emulators, mods, hacks, even use the PS4 to boost my PC, because I am a power user and I can’t deal with Sony’s black box. It’s not an NSA/CIA/DOD database, for **** sake, it’s a gaming console! 🙂
But CTurt said long ago that the browser runs as root: http://cturt.github.io/ps4.html
> “So the browser is executed as root! That was unexpected.”
If that’s true, they already have root access by controlling the webkit process, right?
Jailed processes have “root” as their default user under FreeBSD; it’s not the same as the actual root user. Security through obscurity (I guess not really, since it’s listed in the manual…)
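The distinction raised in the comment above (uid 0 inside a FreeBSD jail versus uid 0 on the host) can be checked from inside a process. The C program below is an added example written for this page; it is not CTurt’s code, the commenter’s, or anything from the PS4 scene. It reads the `security.jail.jailed` sysctl, which FreeBSD sets to 1 for jailed processes, and combines it with `geteuid()`. That the PS4 sandbox behaves like a stock FreeBSD jail is an assumption: Sony’s kernel is a modified FreeBSD and may not expose this sysctl at all. On a non-FreeBSD host the probe reports “unknown”.

```c
/*
 * Added example (not from the original post, CTurt, or any commenter):
 * tell "uid 0 inside a FreeBSD jail" apart from "uid 0 on the host".
 *
 * FreeBSD exposes security.jail.jailed (1 inside a jail, 0 on the host).
 * Whether the PS4 sandbox exposes the same sysctl is an assumption; this
 * only shows the stock-FreeBSD check. On non-FreeBSD systems the probe
 * cannot answer and returns -1.
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#endif

enum priv_class {
    PRIV_UNPRIVILEGED,      /* euid != 0: no root of any kind          */
    PRIV_JAILED_ROOT,       /* euid == 0 but confined by a jail        */
    PRIV_HOST_ROOT,         /* euid == 0 and not jailed: real root     */
    PRIV_ROOT_UNKNOWN_JAIL  /* euid == 0, jail state could not be read */
};

/* 1 if jailed, 0 if not, -1 if it cannot be determined on this OS. */
int probe_jailed(void)
{
#ifdef __FreeBSD__
    int jailed = 0;
    size_t len = sizeof(jailed);
    if (sysctlbyname("security.jail.jailed", &jailed, &len, NULL, 0) != 0)
        return -1;
    return jailed ? 1 : 0;
#else
    return -1;
#endif
}

/* Pure decision logic, kept separate so it can be exercised without a jail. */
enum priv_class classify_privilege(uid_t euid, int jailed)
{
    if (euid != 0)
        return PRIV_UNPRIVILEGED;
    if (jailed == 1)
        return PRIV_JAILED_ROOT;
    if (jailed == 0)
        return PRIV_HOST_ROOT;
    return PRIV_ROOT_UNKNOWN_JAIL;
}

const char *priv_class_name(enum priv_class c)
{
    switch (c) {
    case PRIV_UNPRIVILEGED: return "unprivileged";
    case PRIV_JAILED_ROOT:  return "root inside a jail (not real root)";
    case PRIV_HOST_ROOT:    return "root on the host";
    default:                return "root, jail state unknown";
    }
}

int main(void)
{
    int jailed = probe_jailed();
    uid_t euid = geteuid();
    enum priv_class c = classify_privilege(euid, jailed);
    printf("euid=%lu security.jail.jailed=%d -> %s\n",
           (unsigned long)euid, jailed, priv_class_name(c));
    return 0;
}
```

Run as an ordinary user it prints “unprivileged”; run as root inside a jail it reports jailed root, which is the situation the comment describes: uid 0, yet still confined, unable to load kernel modules or reach devices the jail does not expose. Only the “root on the host” result corresponds to the kind of access a kernel exploit would give.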
Hackers who found an exploit for PS4 but aren’t releasing should go and f*** themselves. They are the worst in the world and are the reason for anything bad that is happening on this planet.
In the old days, hackers used to keep all exploit info to themselves and give it to the man, not go and hand security info to mother companies!!!!
Actually it’s people with *** entitled attitudes like you that are the reason bad things are happening in the world. Why don’t you take some of your own advice and go f*** yourself? Or better yet, go make your own exploit and f****** release it for free!
The iOS exploit starts as a web exploit, so it could be related and work in the same way!