
Fai0verflow: Linux on the PS4 [video] - slacka
https://www.youtube.com/watch?v=2A7V3GLWF6U
======
landr0id
"Hint: the NOP thing has nothing to do with exploits and everything to do with
[https://github.com/torvalds/linux/commit/0e16e4cfde70e1cf00f...](https://github.com/torvalds/linux/commit/0e16e4cfde70e1cf00f9fe3a8f601d10e73e0ec6)"

[https://twitter.com/fail0verflow/status/682283793831587840](https://twitter.com/fail0verflow/status/682283793831587840)

So maybe the GPU firmware doesn't support the new packet?

------
anthk
Also, I forgot to say: once USB support is completed, a huge array of HW
could be attached to the PS4, because these drivers on Linux are cross-
platform.

------
hnnew
This is what pwned sounds like.
[https://www.youtube.com/watch?v=2A7V3GLWF6U&t=76](https://www.youtube.com/watch?v=2A7V3GLWF6U&t=76)

------
mmastrac
There doesn't appear to be much info about this other than it's a Linux
'kexec-like' from a webkit bug that apparently triggers a kernel exploit.

Awesome job!

~~~
virtuallynathan
Some of this has been covered in other blogs:
[https://cturt.github.io/ps4.html](https://cturt.github.io/ps4.html)

~~~
mbilker
That blog detailed the WebKit exploit and how they used it to get information
about the PS4's base system.

The fail0verflow exploit takes it a step further to "kexec" the system into
Linux, where the Linux system has direct access to the hardware.

------
vive-la-liberte
Typo in title (also present on YouTube).

Their name is fail0verflow.

~~~
padrikas
ironically

~~~
comboy
coincidentally

For irony they would need to be named something like FailDeficiency.

------
hitekker
Excellent demo. Furthermore, this scene in particular (at the 3 min 45 second
mark) really brings home the achievement:
[https://www.youtube.com/watch?v=2A7V3GLWF6U&t=225](https://www.youtube.com/watch?v=2A7V3GLWF6U&t=225)

~~~
anthk
The emulator? Not particularly difficult, once you have generic drivers for
audio and framebuffer support. It's the same emulator you have on
Linux/Windows/OSX PCs. Just recompile and you are welcome.

~~~
hitekker
The achievement I was referring to was putting Linux on the PS4 so quickly
after the console was jailbroken.

The emulator itself was a great visual demonstration of "the full linux
desktop experience" as opposed to listing "Can emulate video games" as a
bullet point.

------
nothis
I have no idea about this stuff, how far towards a jailbreak/softmod is this?
Could this exploit be locked out on quasi-everyone's PS4 via a simple PSN
Update?

~~~
jaykru
That they have gotten this unsigned code running means they have jailbroken
it. This WebKit exploit might be patched but there are almost certainly more
holes to be exploited.

------
joshschreuder
Is this using the previous firmware Webkit exploit or is it running on the
latest firmware? Either way, awesome work!

------
kevinaloys
Can someone tell me why it is technically challenging to run Linux on PS4 when
PS4 already runs Orbis OS which is a fork from FreeBSD?

~~~
StavrosK
It's technically challenging to run _anything_ on the PS4 because of code
signing.

------
xaduha
I don't have any idea what I'm talking about, but it is _mostly_ PC-like
architecture with _mostly_ FreeBSD running on it, right? Nothing really
interesting, unlike it was with Cell processor.

They are not even subsidizing the hardware anymore, as I understand it, they
sell it for about the same it costs to produce.

~~~
TillE
Looking at some component prices, you could probably assemble a passable
gaming PC for under $350, so at $300 for a PS4 it does seem likely that Sony
isn't losing money on console sales.

~~~
rdtsc
Was it a loss leader when it was released, and now hardware has caught up?

~~~
CrazedGeek
According to one analysis, when it launched, the console cost $381 to
manufacture and was being sold for $400:
[http://press.ihs.com/press-release/design-supply-chain-media...](http://press.ihs.com/press-release/design-supply-chain-media/sony-nears-breakeven-point-playstation-4-hardware-costs)

------
shmerl
3D acceleration - WIP :)

So will PS4 users who complain that they can't play Witcher 1 & 2 be able to
play them on Linux there? :-)

~~~
ekianjo
Witcher 1 is not available for Linux. And good luck running Witcher 2 on the
super low-end APU from AMD with mediocre AMD drivers.

~~~
SXX
According to publicly available information the PS4 APU is comparable to a 7790,
and this is how it can perform on it:
[https://www.youtube.com/watch?v=Wf0qdt9HZCQ](https://www.youtube.com/watch?v=Wf0qdt9HZCQ)

Also, since this test Gallium Nine has only become better for running things in
Wine.

~~~
ekianjo
> PS4 APU is comparable to 7790

Yeah, but the APU drivers may not be comparable. That's one piece we won't
know until we see actual benchmarks with it, if they manage to get 3D
acceleration working.

~~~
SXX
True, but I mean if they (or someone else) manage to adapt it for the radeon
driver properly, games like Witcher 2 will be playable.

------
anthk
Framebuffer and KMS working. I wonder if the radeon driver could be patched
along with the Xorg one to get some 3D acceleration support.

~~~
SXX
Considering that tweet, it's totally possible:
[https://twitter.com/fail0verflow](https://twitter.com/fail0verflow)

Xorg changes not really required because AMD GPUs work just fine on top of
modesetting driver.

~~~
anthk
And what about MESA?

~~~
SXX
Mesa doesn't work directly with hardware; it depends on DRM and kernel driver
interfaces. If they manage to get the kernel driver to work then Mesa will just
work. It's very unlikely that any userspace changes are needed.

------
m00dy
Actually, I was expecting more technical stuff relating to how they jailbroke
the system. The PoC is also good though.

~~~
balls187
(from the video)

It looked like they found an exploit via whatever app renders the
userguide.html

Curious if they used a proxy to instead load a "malicious" page resulting in a
buffer-overflow.

~~~
SXX
They are using a normal WebKit exploit there. The reason why they start it via
"userguide.html" is that in any other case the browser on PS4 can only be
used when you are logged in to PSN.

Of course PSN requires the latest firmware to work, while they are using a device
with firmware 1.76. It's one of Sony's measures to force people to update firmware.

------
webkike
Wait wait wait, HDD support through USB? Are you serious? Any hardware
manufacturers care to explain why this might be the case?

~~~
brynet
The HDD is the only user-serviceable part in the PS4, perhaps USB was chosen
over PCIe SATA to make theoretical DMA attacks on the system more difficult?

~~~
magila
SATA doesn't give you direct access to the DMA engine, the host decides where
the data from the drive goes. If anything USB is probably more exploitable.

~~~
snuxoll
Well, the SATA controller has DMA access with the host. Of course, you have to
find some way to trick the controller into misbehaving, but it's possible.

------
jaimehrubiks
Would it be possible to achieve the opposite in some way? I mean, dump the
kernel and build it on a PC on top of compatible hardware? Let me know what
you think.

~~~
derefr
As consoles get more and more powerful and introduce abstractions between the
game developer and the hardware (kernels, syscalls, platform runtime
libraries), I've figured it would only be a matter of time before we stop
trying to _emulate_ the way that console works, and instead begin to
_virtualize_ the console by writing API-compatible wrapper libraries.

Presuming developers just treat the PS4 as somewhat like we treat PCs: a
generic processor that can do "math stuff", and some black-box libraries for
{threading, graphics, audio, HID support, networking, ...}, then it becomes
_far_ easier to statically recompile a PS4 binary into a native PC binary:
just recompile the "math stuff" for your target architecture, and then replace
the linkages to libraries provided by the PS4 SDK, to libraries provided by
your virtualization wrapper.

In other words, basically do the equivalent of what Emscripten does to C
programs that expect to use OpenGL: compile the C to asm.js, and compile the
calls to OpenGL into calls to WebGL.

~~~
vvanders
Talk to some game devs sometime; they don't think of it like a PC at
all (which is why PC -> console is so hard and not vice versa).

I doubt we'll ever see this for titles that extract every ounce of performance
out of a platform.

~~~
derefr
Man, this is the fourth time today that someone's suggested that maybe I
should talk to a real game developer about something. I _am_ a game developer.
Just not a (modern) console game developer. But I did develop SNES games, way
back when!

My point was not that this might be possible _now_; but that, as console
CPU+GPU power approaches a certain threshold of "good enough; why would we
need more?", console makers will eventually decide to spend some of the
console's power not on fancier graphics, but on making development easier and
more portable by introducing at least one full black-box abstraction layer
above the hardware. When this happens, that layer can then be considered the
"source ABI" for transpilation.

Now, I haven't played with the XBO or PS4 SDKs, but I _have_ played with the
Wii U SDK—and it's exactly what I'm talking about. There's no hardware to
think about in the Cafe toolchain—no IO ports to peek and poke, no MSRs to
read off. There's just library APIs. It's nearly as abstract as Apple's tvOS
SDK.

~~~
pandaman
There had been a library API on PS1; PS2 had been an exception, with the DMA
chains and VU code exposed to developers, but Xbox 1 and all later consoles
come with libraries and no poking-into-registers business. So you can already
try your idea by writing an Xbox 1 emulator (which is as much a PC as PS4 or
Xbone). Spoiler alert: these libraries are statically linked, on top of
developers going around them all the time. Ultra High Level emulation seems to
work only on Nintendo consoles, see
[https://en.wikipedia.org/wiki/UltraHLE](https://en.wikipedia.org/wiki/UltraHLE)
[https://en.wikipedia.org/wiki/Dolphin_%28emulator%29](https://en.wikipedia.org/wiki/Dolphin_%28emulator%29)

------
atom_enger
Hackers gonna hack. Every generation of these consoles is a new challenge to
all the hackers out there. You've got to think that the engineers who designed
these systems eventually get "engineering syndrome" from staring at these
systems for years and eventually start to be blind about tiny problems.
Corporations put millions and millions of dollars behind the design of these
systems and a ragtag group of folks comes in here and owns everything you
worked to protect. I guess the only thing these hackers have over Sony is
time. More time than money... and a fresh pair of eyes.

Is there a future with an open gaming platform like the Steam Machine? Why do
developers choose a closed platform like PS4 vs the Steam Machine? What's
there to protect that they work so hard to guard it?

Beautiful work here. Keep on hacking.

~~~
DSMan195276
Something to keep in mind is that it's becoming a trend that companies sell
the systems at a loss (Notably, I think the only company that doesn't is
Nintendo). Especially for the beginning of its life, this is only practical
if it's a closed system - Because if it wasn't, then they're essentially just
offering the hardware at a huge discount to people who have no intention of
buying any games, and the games are where they're going to make their revenue.

I don't know if Sony ever actually said anything official, but I remember
that being part of the reason why the 'Other OS' feature was removed from the
PS3 - Places/People were buying them up and running Linux on them because they
were such a good deal for the hardware.

I wouldn't want to bet money on my predictions, but I would say that if
someone _does_ build a platform like the PS4 that's open and can run Steam, it
would cost a lot more for the consumer than the PS4 since it would probably be
priced closer to the actual value of the hardware - And that would put off a
lot of potential customers.

That said, there's an obvious chicken-and-egg problem in getting people to buy
the system, and getting developers to develop for it, but having a cheaper
system is definitely an advantage (Obviously, already being well-known to both
developers and consumers is probably even more important). Regardless, if they
had set the price of the PS4 at $1,000, it probably wouldn't be doing so hot
right now.

~~~
JohnBooty

    but I remember that being part of the reason why the
    'Other OS' feature was removed from the PS3 -
    Places/People were buying them up and running Linux on
    them because they were such a good deal for the hardware.

Wait, really? The PS3 was outclassed by generic PC hardware pretty quickly,
and wasn't much faster than a netbook unless you were writing some seriously
multithreaded or PS3 GPU-specific code. I never heard of many people buying
them to run Linux and I don't remember any prominent open-source projects that
targeted the PS3.

The real danger (for Sony) in opening up their consoles is the risk of piracy.
That's a huge attack vector for hackers looking to defeat a console's copy
protection scheme(s).

Sony's biggest nightmare is a world where teenagers can easily copy games
because, as you say, that's where the real money is.

~~~
DSMan195276
Looking into it, it seems it was more specialized uses that people were using
them for, not just generic hardware - I remembered that point wrong. The fact
that they foot the bill for a lot of the hardware is still true though.

Being able to easily copy and run games is an entirely fair point, but I felt
it was separate from what I (And who I responded to) was getting at. An open-
hardware machine running Steam still has DRM on the games - And it's a bit of
a given that most devs probably wouldn't want their games on platforms that
didn't at least try to have this (Though there are notable exceptions). Having
open hardware, and having open software are really two different things, and
it's a distinction that's only really become apparent in the later gen systems.

In the past, game systems were fairly close to being basically embedded
systems, with the games running on the bare metal, so generally speaking
having open-hardware in such a situation makes piracy much easier, because the
only protections are in the hardware itself. Current gen systems actually have
full OSes and a kernel-mode user-mode split, like a regular PC. Even if the
hardware was open, without access to kernel-mode while the OS is running
piracy isn't possible. I will concede that opening the hardware possibly
creates an attack vector for the kernel though, so from that perspective it
really isn't something that they want to have to deal with - And they don't
gain anything from allowing it.

That said, if you look at Steam, AFAIK they have no real _big_ issues with
piracy. Why that's the case is debatable, but you can obviously make it work
without having to lock-down the hardware.

~~~
Alreadyobsolete
It's not even that far in the past that these games were running on bare
metal. The Nintendo Wii didn't have an OS running underneath the games, each
piece of software had access to the entire range of memory and CPU
unrestricted. I'm pretty sure the 3DS has a very minimal OS running underneath
software.

~~~
DSMan195276
Entirely true, it's kinda cool to see the evolution - Though it makes sense the
games would run bare metal, since that would give the best bang-for-your-buck,
and presumably it didn't matter at the time.

The 3DS actually has a somewhat complicated architecture - My understanding is
that it has a dual-core CPU, but one core is dedicated to running the OS
kernel, and the other is used for games. Thus, there is also a 'kernel-mode'
'user-mode' split in a way, because the core dedicated to running games
doesn't have full access to everything, and doesn't have full access to mess
with the other core. You can kinda see this in action when you note that the
3DS can only ever have one game running at a time, but certain home-screen
applications can be run while a regular game is suspended - Due to the
application running off of the OS kernel's core and not the game's core.

This also means that an exploit in a game doesn't automatically result in
full-system control - A separate exploit in the kernel is necessary to gain
full control over the system. This is completely different from the Wii's
setup as you noted - I'm not sure if the Wii had the OS running while games
did or not, but regardless since games ran with full privileges a single
exploit in a game resulted in full-system control.

