
The First PS4 Kernel Exploit: Adieu - Aissen
https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/
======
DCKing
It's interesting to see that this is a vulnerability caused by PS4 specific
kernel modifications. I guess it's good news for FreeBSD users that PS4
jailbreaks do not imply vulnerabilities in FreeBSD.

Conversely, I'd imagine the PS4 jailbreak community is vigorously looking for
privilege escalations in FreeBSD, but no results so far. I wonder if anyone
familiar with it could shed some light on whether that's a correct way of
looking at it.

------
ninh
Sony appears to have patched it from firmware 4.06 and up. The adieu in the
title appears to refer to bidding a farewell to the exploit rather than a
codename for it ;-)

Great and insightful write-up nonetheless!

~~~
hd4
From what I've observed, this is where the unending cat-and-mouse game begins
for Sony.

~~~
ygjb
In fairness, it started back when Sony shipped their first piece of hardware
with technical measures to prevent users from consuming the media of their
choice :)

~~~
jarjoura
Naw, the homebrew/piracy groups have been around since the birth of the
console industry. It’s been an ongoing cat and mouse game for over 30 years at
least.

------
microcolonel
I guess it makes sense that the vulns would be in Sony's new kernel code, and
not in its FreeBSD ancestor.

------
nkg
Is it me or has Sony become good at protecting its software? I remember a
time when every new console would be hacked within the year it was released.

~~~
TazeTSchnitzel
If anything the PS4 is a downgrade from the PS3 here. The PS3 ran everything
in a hypervisor.

~~~
emodendroket
I guess if people want this to happen they should goad George Hotz by telling
him he can't possibly beat the protection.

~~~
rjeli
George is banned from exploiting Sony products

~~~
mlrtime
Isn't everyone?

~~~
hmschreck
Not like he is. If memory serves, if he tries to break a Sony device again, he
faces massive fines, etc.

~~~
KGIII
Do you have a good link for some backstory on this one? I'm not sure how that
could even be possible in the legal frameworks.

~~~
icebraining
Terms of the settlement: [https://www.gamespot.com/articles/sony-hotz-settlement-details-surface/1100-6308347/](https://www.gamespot.com/articles/sony-hotz-settlement-details-surface/1100-6308347/)

~~~
KGIII
Holy crap! Thanks!

That's insane. I'm not a gamer but it looks like they just published how to
"hack" the console and they were hit with that. That's crazy. In the span of a
minute, I can think of a dozen better solutions to this.

If I'm reading properly, they didn't even do anything that I'd call wrong.
They found an exploit and published it. I suppose the DMCA and "circumvention
tools" come into play - but that only points to the absurdity of the situation
(at least in my opinion).

~~~
icebraining
Sony threw everything at them: DMCA, CFAA, copyright, California Computer
Crime Law, even violating the PSN TOS.

~~~
KGIII
I support IP rights, as a general rule. However, they sure get abused. I'm
kind of annoyed about this, even though I have nothing to do with it.

If you break my system, thanks for letting us know. It'd be great if we could
pay you to help fix our system and make it more difficult to break in the
future.

I'd not take them to court. I'd try to hire them. Hell, I'd give them reward
money - even if they didn't want to be hired.

~~~
ChristianBundy
Intellectual property is theft.

~~~
marcoperaza
Would you think so if you poured your soul into writing a book, only to have
it copied and distributed without your permission, for someone else's profit?

~~~
emodendroket
It's not exactly like that doesn't happen under our current system.

------
faragon
Their PCI-Express bus hack is amazing.

------
K0nserv
Am I reading it correctly that it's possible to invoke syscalls from
Javascript? That seems like a monumentally bad idea...

~~~
GranPC
No, that's just a library they made that uses a WebKit exploit to invoke a ROP
chain to run syscalls.

------
fenollp
> However, this turns out to be impossible (as far as I know) because of a
> side effect of the ps4 page size being changed to 0x4000 bytes (from the
> normal of 0x1000). It appears that in order to change the page size
> globally, the ps4 kernel developers opted to directly change the related
> macros. One of the many changes resulting from this is that the smallest
> actual amount of memory which malloc may give back to a caller becomes 0x40
> bytes. While this also results in tons of memory being completely wasted, it
> does serve to nullify certain exploitation techniques (likely completely by
> accident…).

This is pretty cool (and probably obvious to a lot of people) as a security
technique. Could this be done for consumer OSes? 64 bytes as the smallest
malloc-able size doesn't seem too bad for today's ultrabooks...

------
Kipters
Twiizers/fail0verflow work is amazing. I wonder why they didn't even try with Xbox
though.

------
faustocarva
How huge is this?

~~~
bluehazed
This is an old exploit that has been since patched by Sony in firmware 4.07
(the last section of the article shows the fix).

