PS4 Rest mode exploit revealed by @vpikhur (5.xx firmware)

Hacker Volodymyr Pikhur presented an exploit of the PS4’s Rest mode a couple of days ago at the Recon Brussels hacking conference. Earlier today, he released the slides and a demo video of his work in action. The slides state he has been sitting on the exploit for 2 years, and decided to disclose it since Sony does not have a bug bounty.
In the video below, we can see the hacker running an FTP server, among other things, on the PS4 that was hacked in Rest mode.
According to the developer:
The custom Southbridge silicon, responsible for background downloads while the main SoC is off, didn’t help to secure the Playstation 4. We explain how a chain of exploits combined with hardware attacks will allow code to run in the context of the secure bootloader, extract private keys, and sign a custom kernel.
I unfortunately did not see the presentation itself, and it is unclear to me how much is being revealed in the slides, although it seems like it could be… a lot.
First of all, it appears the hacker is using (and revealing) a previously undisclosed kernel exploit on the PS4, which relies on a vulnerability in sys_kldload. There is probably enough in the presentation for people to take this information a step further.
Additionally, the hacker did not stop at kernel access, but proceeded to do some hardware glitching in order to extract the console’s kernel bootloader.
I have reached out to @vpikhur to get some details.
In the meantime, it is unclear whether the vulnerabilities he is describing have been patched in the latest Sony firmware, but his video showcases the kernel exploit running on firmware 5.00.
Update – I received some clarifications from @vpikhur, in particular:
- According to the hacker, the sys_kldload exploit still exists in firmware 5.00, and potentially in more recent firmwares as well.
- The important point of the video above is that the hack persists after boot, demonstrating what is probably the very first custom firmware on the PS4.
- Sony changed their keys in 5.05, but apparently not the signing process.
- The kernel bootloader contains the keys for Rest Mode kernel, which is why it was interesting to get access to it.
Source: @vpikhur
First!!
Since this is only now being revealed, I hope an exploit can be created up to at least the current firmware. ALSO FIRST 😛
Well, if it takes the same time as the 4.xx jailbreak, then maybe we can hunt PS4 on 5.xx in 2019…
neat
(last)
U third man.
YES YES YES
Did you also read the same thing I did? Leaked private keys that allow creating a signed CFW kernel?
Megaton if true.
First?
Need to change my phone… It won’t load the full page at times
Go to die, la puto.
Sitting on it for 2 years? [shaking my head] Since then, two new models came out: Slim and Pro.
Does it apply to those models as well?
Probably. Usually firmware is the same across all hardware revisions – the only thing that would make a difference is if a hardware revision removed the entry-point that allows an exploit to work. Given that rest mode still exists in the Slim and Pro, then yes, this exploit very likely does work on those models too.
I PS4 5.00 not update
✌
I could see this happening from day 1. Rest mode is so broken it’s surprising it hasn’t been exploited yet. I really don’t see this exploit being fixed as it may break rest mode in all sorts of games majorly; I can see it being removed altogether in the future.
you know it’s not 2013 right?
I wonder if his presentation was recorded on video. A recording would give us even more info. Also, it seems like this exploit can be made into a jailbreak on its own, but I wonder how long it will take.
RELEASE IT! RELEASE IT NOW!! 😀
Seriously, Sony will now patch this if they haven’t already so what’s the harm in releasing it?
He…..did release it???
He is probably assuming that this exploit is analogous to a “backup” loader of sorts when one needs to be developed utilizing the exploit first.
He “released slides” and “presented it”.
He didn’t share the exploit.
So it will be released. In simple terms is the 5.00 fw hacked or not?
This exploit won’t be released anytime soon. I have no faith in the hacking scene anymore. They find these exploits and then sit on them for months to a year before they release them. In the meantime we all just have to wait and hope that it ever gets released, as some of these hackers give up mid-project and hand them over to someone else that’ll take another year working on it.
So do something about it instead of b!tc#ing about it. You’re the reason the scene is what it is. People leave because people like you act like this.
Nope, you’re the real problem in general. Aggressive, uncivilized, and just ignorant. I bet you do just as much as he does for the scene; get off your high horse.
The difference is he isn’t complaining about it and blaming the people who work hard to find these exploits. You aren’t entitled to someone else’s work.
Ugh, that hurt…
True, but hackers always seek to be financed in some way, except for some. We are no longer in Geohot’s time of hacking for a hobby, unfortunately. I still hope, as always, that they will release a new exploit for recent versions of the software.
Sony literally killed the scene after geohot lawsuit.
Nobody wants to be in jail now.
Now all the hackers fear Sony and do everything Sony wants them to (i.e. spreading hype about possible hacks and never releasing them in time, so people who didn’t want to buy a PS4 buy it and wait for hacks, which come after it’s all done with the actual firmware).
The scene has been murdered for 8 years now. Sony won. Deal with it.
For now, only the Nintendo scene is alive and kicking, only because Nin is lazy about its legal stuff and sells hardware at a profit in large amounts.
Great, another year I have to keep my system offline because they don’t release this *** while normal people still have the firmware. I guess I didn’t want to play new games anyways /s
So, are you saying that I shouldn’t update my PS4 Pro running firmware 4.70?
I just set it up and it automatically started downloading the 5.05 update… it’s ready to install… what to do, what to do…???
Cool, thanks for the article. Hopefully this goes places.
5.xx that means 5.05 is vulnerable too NICE!
Or it means that at the time of writing the author wasn’t aware of the extent this exploit reached.
Have a Pro on 4.73, can’t wait for this to be refined and released. Hopefully soon… keeping my fingers crossed. 🙂
Waoo, hope it releases soon, exciting, 5.00
fake!!!!!!!!!!!!!!!!!
Great !
Links to ps4 pkg games?
Hey guys, I have a question for you! I have a PS4 Slim on 3.55, I have not tested this one more explicitly, I would like to play online again! Now that this jailbreak is known, I ask: update to the latest version, or wait, or buy a new Slim / Pro; otherwise I would also consider a PS3. Asking for advice!
I speak German!
He knows da way!
CuZiMPr0, if you’re on 3.55, update to 4.05, then you can jailbreak your PS4.
Now please for the PS Vita x.x
This will likely catch the attention of Sony and they will make a bounty for it even if they don’t have a bounty policy right now. I wouldn’t hold my breath on this one, guys.
I’m on PlayStation 4 firmware 5.00. I would love to play Gran Turismo 4 and all the PlayStation 2 games. When you do come up with the pack, can you please send it to me? And if you do have the pack right now, can you hook me up with it?
elotrolado.net, we are waiting for that exploit!!! xd
So if there is a DEV in the chat somewhere, would it be possible to implement this by forcing the required files to install on the PlayStation and have it execute those files stored on the HDD for the exploit when the system calls the function for entering rest mode? If so, would we need something like XEX menu to browse files and maybe later use unsigned code to launch the debug setting we already have in the current 5.05, 4.55, 4.05 jailbreaks? (These are just ideas. I know some about exploiting systems but I focus on Androids, which are nothing compared to PS4, so if this all is completely impossible then thank you for your time; if you feel it’s a possibility then awesome, it would be nice to see a full CFW that you don’t have to exploit every time you restart your PS4.) Thank you for your time.