Known PS4 Exploits - Modding

Bullet May 23, 2015

  1. Bullet Guest

    So far some progress has been made towards the modding of the PS4, and it would appear that certain apps will be the way inside of Sony's next-gen console.
    One app that was recently found to be exploitable was the VidNow app, which, when launched for the first time, would load a 5 MB file known as 'vidzone_386_US.db.psarc'. The file would load into a 60TCP buffer.
    Because no checks were made against the file's size/hash/contents, it was able to be exploited.
    A hotfix released by Sony soon fixed this exploit by content-hashing the file whilst in transit, although it is still possible to reverse the patch and execute code. Currently the method of reversing the hotfix is unknown.

    Another exploit which allows the running of arbitrary code is done via an exploit in the SnagFilms app in the PlayStation Store. This exploit will allow the execution of code in the program's memory before the payload finishes loading.
    With a small enough payload and/or a payload that loads without causing an exception in program memory, you can most likely get code execution working without error.

    For some reason the system fails to perform any checks/verify certain sys libraries before installing them. This allows you to replace those library files with your own binary. The system will install your packaged binary to the HDD as if it were a regular update. In order to run this binary, you need to meet all the requirements listed below.
    The PS4 does not check some of the files within certain sys libraries before installing them, allowing them to be replaced with binary files that will be installed to the system's HDD in the form of an update.

    Running your own code in the sandbox requires 4 things:
    1. Disabling SHA-1 checksums: useSha1Checksums = "false", OR change the SHA-1 checksums to match the modified pkg.
    2. Generate a valid signature / disable or bypass signature authentication: hash of container + magic number form the signature. The hash can be computed from the modified files; magic number = ???
    3. Repacking containers: the lib pkg is not signed or encrypted. You can modify everything as long as you don't change the structure.
    4. Crafting a proper binary: binary files in the sandbox aren't signed or encrypted. If you use the proper version of the compiler (get the version info from the original binaries) you can craft a binary that's accepted as valid.
    Assuming you can get code running, disabling sandboxing is trivial.

    Source: http://www.psdevwiki.com/ps4/
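    As an added example that is not part of the original post or of psdevwiki, the following Python models the four steps listed in the post as a toy package verifier: a SHA-1 checksum table that travels inside the package (with a useSha1Checksums flag that turns it off), set against a keyed check that someone who can repack the container still cannot satisfy. The manifest layout, the file names, the container hash, the HMAC key and the function names are all assumptions for illustration; the post's unknown magic number is not reproduced, and none of this is Sony's actual PKG format or signature scheme.

```python
"""Added example (not from the post or from psdevwiki): a toy package verifier
showing why the checks the post describes are bypassable.  The manifest layout,
the useSha1Checksums flag semantics and the HMAC-based hardened check are
assumptions for illustration, not Sony's real PKG format or signature."""
import hashlib
import hmac
import json

# Constructed sample package contents (file name -> bytes).  "lib/sys_lib.sprx"
# stands in for a sys library that the post says can be swapped for your own binary.
ORIGINAL_FILES = {
    "lib/sys_lib.sprx": b"\x7fELF\x02\x01\x01 original library bytes",
    "meta/info.json": b'{"version": "1.76"}',
}


def build_manifest(files, use_sha1=True):
    """Manifest as it ships inside the package: the reference checksums travel
    with the very data they are supposed to protect (assumed layout)."""
    return {
        "useSha1Checksums": "true" if use_sha1 else "false",
        "sha1": {name: hashlib.sha1(data).hexdigest() for name, data in files.items()},
    }


def weak_verify(files, manifest):
    """Check as the post describes it: when the flag is "false" nothing is
    verified at all; otherwise every file must match the in-package table."""
    if manifest.get("useSha1Checksums") != "true":
        return True  # step 1, first variant: checks simply disabled
    table = manifest.get("sha1", {})
    if set(table) != set(files):
        return False
    return all(hashlib.sha1(files[name]).hexdigest() == digest
               for name, digest in table.items())


def attacker_repack(files, manifest, name, new_bytes):
    """Step 1 (second variant) plus step 3: swap one file for the attacker's
    binary, keep the structure, and recompute the SHA-1 table so the checksum
    check passes again."""
    new_files = dict(files)
    new_files[name] = new_bytes
    new_manifest = build_manifest(new_files, manifest.get("useSha1Checksums") == "true")
    return new_files, new_manifest


def container_hash(files, manifest):
    """SHA-256 over the whole container in a fixed order.  The post says the real
    signature is hash(container) + an unknown magic number; the hash part is
    reproducible by anyone who can repack, which is the whole point."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode())
        h.update(len(files[name]).to_bytes(8, "big"))
        h.update(files[name])
    h.update(json.dumps(manifest, sort_keys=True).encode())
    return h.digest()


# Assumed hardened scheme: the container hash is authenticated with a key that
# does not ship inside the package, so recomputing hashes is not enough.
VERIFIER_KEY = b"constructed-device-side-key"


def sign(files, manifest, key=VERIFIER_KEY):
    return hmac.new(key, container_hash(files, manifest), hashlib.sha256).hexdigest()


def strong_verify(files, manifest, signature, key=VERIFIER_KEY):
    """Reject packages that turn checksums off, and require a keyed MAC over the
    container so a repacked manifest cannot re-sign itself."""
    if manifest.get("useSha1Checksums") != "true" or not weak_verify(files, manifest):
        return False
    return hmac.compare_digest(sign(files, manifest, key), signature)


def demo():
    """Run the scenarios from the post; returns (weak_verify, strong_verify) per case."""
    manifest = build_manifest(ORIGINAL_FILES)
    signature = sign(ORIGINAL_FILES, manifest)
    attacker_bin = b"\x7fELF attacker binary"
    swapped = dict(ORIGINAL_FILES)            # naive swap, manifest untouched
    swapped["lib/sys_lib.sprx"] = attacker_bin
    repacked_files, repacked_manifest = attacker_repack(   # swap + recomputed table
        ORIGINAL_FILES, manifest, "lib/sys_lib.sprx", attacker_bin)
    disabled_manifest = dict(repacked_manifest, useSha1Checksums="false")
    return {
        "original": (weak_verify(ORIGINAL_FILES, manifest),
                     strong_verify(ORIGINAL_FILES, manifest, signature)),
        "swapped_no_repack": (weak_verify(swapped, manifest),
                              strong_verify(swapped, manifest, signature)),
        "repacked": (weak_verify(repacked_files, repacked_manifest),
                     strong_verify(repacked_files, repacked_manifest, signature)),
        "checksums_disabled": (weak_verify(repacked_files, disabled_manifest),
                               strong_verify(repacked_files, disabled_manifest, signature)),
    }


if __name__ == "__main__":
    for scenario, (weak, strong) in demo().items():
        print(f"{scenario:20s} weak_verify={weak!s:5s} strong_verify={strong}")
```

    The repacked and checksums-disabled cases pass the in-package checksum check but fail the keyed check, which is the difference between an integrity value an attacker can recompute and one they cannot without the verifier's secret.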
     
  2. dufc1983
    Just a matter of time before full exploit happens :) thanks for sharing
     
  3. XxStarzxX
    Great share B ;)
     