PlayStation scene developer CelesteBlue  The PlayStation scene wiki has added recent information detailing a new layer of security implemented by Sony in the PS4. Scene developers also give hints at how this security can be bypassed in future exploits (and how it’s most likely already being bypassed in current exploits).

Update: Celesteblue has contacted us to clarify he is not behind the information. An anonymous source (who might be sleirsgoevy, as he was the first one to use the bypass) provided the initial explanation which Celesteblue has added to the wiki.

Unlike the article says, even though I edited the wiki page for it to be more readable, I am not the initial writer of the protection and bypass description. The writer is anonymous but he might be sleirsgoevy since he was the first to use it on PS4 FW 6.72.

— φ CelesteBlue φ (@CelesteBlue123) August 22, 2021

Is this a new exploit?

Absolutely not. But don’t expect certain sites to clearly tell you that, that would be bad for their hype 😉

What is PS4 CR0.WP Protection

From psdevwiki:

At least since firmware 6.51 Sony instrumented all instructions that write to the CR0 register with checks for attempts to clear CR0.WP (Write Protect), which is necessary for patching the kernel. This is what it looks like in 6.51 kernel:

  a1b79:       0f 22 c0                mov    cr0,rax
  a1b7c:       48 a9 00 00 01 00       test   rax,0x10000
  a1b82:       75 02                   jne    a1b86 <-- skip the next instruction if CR0.WP is not cleared
  a1b84:       0f 0b                   ud2    <-- #UD exception, causes a kernel panic
  a1b86:       c3                      ret 

Note that the check is after the write, to prevent a ROP gadget from pointing straight at the mov and skipping the verification.

What does PS4 CR0.WP Protection mean for PS4 Kernel exploits?

To rephrase: Around firmware 6.51, Sony have added an additional security that prevents exploits to patch the kernel (therefore, making it harder to run kernel exploits, then act on them).

Typically, a PS4 Jailbreak gets access to the kernel level of the firmware through an exploit, which usually means the hacker has gained full control of the system. The next step is to patch the firmware in RAM, in order to disable some protections of the firmware. This patching is what a HEN (Homebrew ENabler) usually does, removing signature checks to enable installing and running of unsigned packages, for example.

Patching the firmware means overwriting some of its code with different code. For that, the hack needs to write in protected memory, which is read only by default. Therefore, it is necessary beforehand to make some parts of the RAM writeable.

The CR0.WP protection means that it’s become a tad more difficult to enable write access, even after gaining control of the system. Simply, if the system detects an attempt to change protected memory into writable memory, it will cause a kernel panic, and shut down the PS4.

How does PS4 CR0.WP Protection impact future PS4 Jailbreaks?

Basically there is no huge impact for future hacks with this information. As CelesteBlue clearly stated, this was added around firmware 6.51, so, this protection is known, and has clearly already been bypassed since we enjoy Jailbroken PS4s up to firmware 7.55. The hacker gives more details on how this security can similarly be bypassed in future hacks:

Bypasses (in chronological order):

• Use an “unintended” mov to cr0 in the middle of another instruction (e.g. instruction “call $+0x220f1c” (e8 17 0f 22 00) contains an unintended “mov cr0, rax” (0f 22 00))
• Use kernel write to give your process JIT permissions, allocate JIT memory, and put entirely custom code there (avoids the problem altogether, as it is specific to ROP)
• Since the IDT is writable on FreeBSD and PS4, it is possible to overwrite an exception handler without clearing CR0.WP first. One can overwrite the handler of #UD with a gadget of their choice (a stack pivot, or a “add rsp, … ; ret”, or whatever else), and the UD2 instruction in the mitigation code will happily jump to it instead of the real handler, with CR0.WP cleared.

It is awesome to see this kind of information documented in the psdevwiki. Hopefully this will be helpful for people trying to understand existing PS4 Jailbreaks, and, who knows, write their own in the future.

Source: psdevwiki via HydrogenNGU & PSXHax