
PS4-5.05-Kernel-Exploit: A fully implemented kernel exploit for the PS4 - axiomdata316
https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit
======
fokinsean
This is awesome, it reminds me of the security course I took in school where
we had to smash stacks and hunt for various buffer overflow exploits. It was
one of my favorite classes, but also one of the most difficult!

To me this is one of the most impressive fields of CS/Software Engineering
because of the skill required to understand and exploit full systems. Even
though I'm a software dev, reading this makes me feel very humbled and shows
how little I actually know.

Thanks for the read!

This is based off the below link which was posted in another comment. Much
more informative than the github repo imo.
[http://crack.bargains/02r0.pdf](http://crack.bargains/02r0.pdf)

~~~
KallDrexx
This type of stuff is also what makes me sad for not doing CS in college,
because it requires a lot of work to learn in my free time, yet it is super
interesting.

~~~
white-flame
I can guarantee you that most people who went through CS in college never had
a course like that.

------
saagarjha
> [http://crack.bargains/505k/](http://crack.bargains/505k/)

Sigh, of course qwertyoruiopz would choose a site like that…

~~~
Operyl
Probably goes without saying ... but don’t visit this in your actual browser
if you like using the back button.

------
buildbuildbuild
This annotated JavaScript describes the approach:

[https://github.com/kpwn/PS4-5.05-Kernel-Exploit/blob/9e97c39...](https://github.com/kpwn/PS4-5.05-Kernel-Exploit/blob/9e97c398342ed6499a00fce0c081f7bf1efaaef1/kernel.js)

------
yuchi
If you want to have a good laugh without owning and exploiting your PS4…

[https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/...](https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/userland.js#L410)

------
kbumsik
This is the first time I have seen a low-level exploit implementation written
in JS. Is the exploit done through the PS4's web browser? Quite interesting.

~~~
AntiRush
Yeah, it's pretty common on these platforms since it's a way to run code on an
otherwise locked down device.

A lot of console (and iPhone) exploits tend to share similar WebKit exploit
code. This PS4 exploit uses a ROP strategy from an earlier iOS exploit.

This is a pretty good overview (though from 2016) of the techniques used in
the browser based exploits:

[http://phrack.org/papers/attacking_javascript_engines.html](http://phrack.org/papers/attacking_javascript_engines.html)

~~~
nailer
Original iPhone cracks (for third party apps, before Apple allowed them) used
a website with a TIF image (TIFs have some executable code).

This one loops history.pushState() to trigger the leak, direct link to the
line:

[https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/...](https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L168)

~~~
saagarjha
JailbreakMe actually continued to work until iOS 4.3.3, though of course the
exploit used needed to be continually updated as Apple patched iOS:
[https://en.wikipedia.org/wiki/JailbreakMe](https://en.wikipedia.org/wiki/JailbreakMe)

------
djhworld
Is there an explanation of what this is exploiting?

~~~
AntiRush
It's a double free in bpf.

Here's some slides from the author (from last week) with a more in depth
explanation:

[http://crack.bargains/02r0.pdf](http://crack.bargains/02r0.pdf)

~~~
unwind
Thanks, that was a really epic read (and pretty close to line noise for me as
a security-agnostic person).

I even had to look up "bpf": it's the FreeBSD packet filtering[1] interface,
a character special device used to control the kernel's network filtering.

[1] [https://www.freebsd.org/cgi/man.cgi?bpf(4)](https://www.freebsd.org/cgi/man.cgi?bpf\(4\))

~~~
VectorLock
BPF in Linux has been expanded to let you run pieces of user-supplied code in
the kernel. It's moved a bit away from the original definition of raw packet
filtering.

~~~
loeg
That's eBPF ("extended"). Unfortunately, "BPF" is commonly used to refer to
both.

------
subless
I wish I were smart enough to even implement half of what I just read, and I
am a senior getting my BA in computer information systems with my focus being
networking and security :(

------
rusk
PS4 is such an amazing device, I wish I could do more with it!

~~~
Fnoord
Also its price hasn't increased compared to graphics cards (due to
cryptocurrency hype).

~~~
ryanlol
I would be rather surprised if the prices of graphics cards offering similar
performance as the PS4 had been significantly affected by cryptocurrency
mining.

~~~
dwyerm
It isn't the graphics that impress me so much as the fact that my PS4 can
actually send real 5.1 audio out to my home theater setup. It boggles my mind
how difficult that seems to be on my gaming PC.

Sure, my PC can sling a zillion triangles per second, but it can't make one
stompy robot dinosaur shake my living room the way the PS4 can.

~~~
mastax
Does your PC not have digital optical audio out? Also any GPU made in the last
10 years should be able to do 7.1 over HDMI. If you have an Nvidia card make
sure to install the "HD Audio" component when you install the driver.

------
znpy
Unrelated, but does anybody know the current status of GNU/Linux on the PS4?

I am looking for some little box to replace my aging home server and the PS4
looks powerful but small enough for the job.

~~~
mastax
You can probably buy a better machine for that use case [1], unless you really
want a built-in Blu-ray drive or lots of memory bandwidth.

[1]: [https://www.pcengines.ch/apu3a4.htm](https://www.pcengines.ch/apu3a4.htm)

~~~
Fnoord
That machine, while great (PC Engines, their best offer, Coreboot, good value
for money), is designed to be a DIY router for running e.g. OPNsense.

You're probably better off with a NUC such as a Zotac or a Chinese knock-off
(example [1]). Why? Because it has more horsepower and native hardware
extensions for virtualization, so it can run VMs more efficiently.

[1] [https://www.gearbest.com/mini-pc/pp_1698829.html?wid=1433363](https://www.gearbest.com/mini-pc/pp_1698829.html?wid=1433363)

~~~
mastax
Yes, a NUC, a miniITX PC, a commercial NAS, etc. would work. There are a lot
of good options in this space.

I would note that the apu2 is more or less half of a PS4, ignoring the GPU
(which probably wouldn't work that well anyway?).

| PS4              | apu2c4                           |
|------------------|----------------------------------|
| 8x 1.6GHz Jaguar | 4x 1.0 GHz Jaguar                |
| 8GB GDDR5        | 4GB DDR3-1333                    |
| SATA, USB 3.0    | mSATA, SATA, USB 2.0/3.0, SD     |
| 1G Ethernet      | 3x 1G Ethernet                   |
| BT 2.1, WiFi N   | N/A                              |
| HDMI, SPDIF      | N/A                              |

------
yedawg
I am so excited to test this. Praise the devs.