Hacking PS4 6.70 Research

IndieDeveloper

IndieDeveloper

Active Member
Newcomer
Level 1
Joined
Mar 1, 2020
Messages
25
Trophies
0
Age
34
XP
77
Country
Italy
@KiiWii
You seem to me the best and very prepared. I did this thought.
An updated payload that applies the right patches to access the debug menu of system and escape sandbox should make the "0day" exploit work
 
  • Like
Reactions: KiiWii
KiiWii

KiiWii

Editorial Team
Editorial Team
Level 32
Joined
Nov 17, 2008
Messages
16,762
Trophies
3
Website
defaultdnb.github.io
XP
27,441
Country
United Kingdom
IndieDeveloper said:
What do you think
Click to expand...
It’s all well and good saying “updated”, but how you gonna do dat?

First you need to find a “STABLE” web->userland->kernel exploit chain for your chosen firmware, craft ROP/gadgets, dump kernel, finally then you can use this to find the offsets to port existing payloads (debug or hen etc) to work on the firmware you have kernel access to.

It’s so simple to say, or ask for. But without relevant skill set it’s very difficult to implement.
 
  • Like
Reactions: peteruk, Leeful and szape
IndieDeveloper

IndieDeveloper

Active Member
Newcomer
Level 1
Joined
Mar 1, 2020
Messages
25
Trophies
0
Age
34
XP
77
Country
Italy
KiiWii said:
It’s all well and good saying “updated”, but how you gonna do dat?

First you need to find a “STABLE” web->userland->kernel exploit chain for your chosen firmware, craft ROP/gadgets, dump kernel, finally then you can use this to find the offsets to port existing payloads (debug or hen etc) to work on the firmware you have kernel access to.

It’s so simple to say, or ask for. But without relevant skill set it’s very difficult to implement.
Click to expand...
thank you for your opinion. I don't want to imply it's easy, absolutely not. I wanted to know your opinion on this, instead of finding a new kernel exploit since in theory I thought that the existing one should work.
To find the necessary offsets you need kernel access, The chain always breaks without a kernel exploit on chosen firmware.
What I was thinking is to take advantage of the current kernel exploit, which should also work on newer firmware ( 6.XX -7.XX ?? ). Potentially there are many webkit exploits with userland access with ready-made ROPs, the problem would be the kernel exploit.
There must be a secondary road to update payload offsets for access to the system's debug menu, otherwise you are point and head
 
KiiWii

KiiWii

Editorial Team
Editorial Team
Level 32
Joined
Nov 17, 2008
Messages
16,762
Trophies
3
Website
defaultdnb.github.io
XP
27,441
Country
United Kingdom
IndieDeveloper said:
thank you for your opinion. I don't want to imply it's easy, absolutely not. I wanted to know your opinion on this, instead of finding a new kernel exploit since in theory I thought that the existing one should work.
To find the necessary offsets you need kernel access, The chain always breaks without a kernel exploit on chosen firmware.
What I was thinking is to take advantage of the current kernel exploit, which should also work on newer firmware ( 6.XX -7.XX ?? ). Potentially there are many webkit exploits with userland access with ready-made ROPs, the problem would be the kernel exploit.
There must be a secondary road to update payload offsets for access to the system's debug menu, otherwise you are point and head
Click to expand...

The current (5.05) kex won’t work on >5.50.

ROP is bespoke afaik. I don’t think there can be “pre made” ROP that will magically work on PS4s environment, even if it is FBSD based.

I have heard there is a 0day USB based exploit for dumping apps and kernel, but I don’t know how far along it is or how high it functions on.

Offsets are pretty important, otherwise you would be blindly poking around hoping to hit a needle in a haystack. We have a dumped decrypted kernel for 7.xx, but even if you did port offsets using this, we have no public exploit to implement these ported payloads, even for testing.

It’s a chicken or egg scenario.
 
  • Like
Reactions: peteruk and IndieDeveloper
IndieDeveloper

IndieDeveloper

Active Member
Newcomer
Level 1
Joined
Mar 1, 2020
Messages
25
Trophies
0
Age
34
XP
77
Country
Italy
KiiWii said:
The current (5.05) kex won’t work on >5.50.

ROP is bespoke afaik. I don’t think there can be “pre made” ROP that will magically work on PS4s environment, even if it is FBSD based.

I have heard there is a 0day USB based exploit for dumping apps and kernel, but I don’t know how far along it is or how high it functions on.

Offsets are pretty important, otherwise you would be blindly poking around hoping to hit a needle in a haystack. We have a dumped decrypted kernel for 7.xx, but even if you did port offsets using this, we have no public exploit to implement these ported payloads, even for testing.

It’s a chicken or egg scenario.
Click to expand...
Very lucid explanation, some interesting information.
I will continue my research thanks @KiiWii
 
  • Like
Reactions: KiiWii
schatzi24

schatzi24

Well-Known Member
Member
Level 11
Joined
Apr 25, 2018
Messages
506
Trophies
0
XP
2,580
Country
Italy
I will also search a PS4 with firmware 6.70 and i like the PS4 PRO Death Stranding in white and black.
Have this console a firmware under 7.02?
 
RiPPERD

RiPPERD

Well-Known Member
Member
Level 8
Joined
Oct 17, 2018
Messages
334
Trophies
0
Age
37
XP
1,306
Country
United Kingdom
well now the whole world is on lockdown... maybe something big will happen in the ps4 scene? that would be good lol
 
  • Like
Reactions: KiiWii
RY0M43CH1Z3N

RY0M43CH1Z3N

Touching things and improving your world
Member
Level 9
Joined
Aug 16, 2017
Messages
593
Trophies
0
Location
Your Mind
Website
github.com
XP
1,918
Country
Spain
ryuutseku85 said:
Hi to all,

So where am i ?

i try to get the 6.70 Webkit cause since the begin i work with the 6.50 or 7.00.

Since i don't have any interrest in 6.50 cause i don't own one i let you my research i made with this .

Thanks to liveoverflow for his exelent series on it.

it seems like it was patch in the 6.70, so if you have an adress other than : "[*] 0x7ff8000000000000" it should work .


Thanks you for the support and see y'a all.
Click to expand...

Hello, i have a 6.50 PS4 to test things if you want me to try anything.
 
RY0M43CH1Z3N

RY0M43CH1Z3N

Touching things and improving your world
Member
Level 9
Joined
Aug 16, 2017
Messages
593
Trophies
0
Location
Your Mind
Website
github.com
XP
1,918
Country
Spain
  • Like
Reactions: RiPPERD

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking  Docker PPPwn

Cheapest way to read/write syscon PS4

Goldhen error CE-34706-0

Does PPPwn need a direct link between PC and PS4?

Jailbreak PS4 HDD

ERROR CODE: CE-38603-0 when trying to install Bloodborne on 11.00 JB

advise on what FW to choose for PS4 JB setup

Is there a way to autoload GoldHEN when opening up the browser? I'm using 5.05 :)

General chit-chat
Help Users
  • K3Nv2 @ K3Nv2:
    Crazy people actually spend $50 on that stuff
  • BigOnYa @ BigOnYa:
    Towelie runs my farm, he's awesome.
  • SylverReZ @ SylverReZ:
    @K3Nv2, Polly is still around from what I've heard.
  • K3Nv2 @ K3Nv2:
    @SylverReZ, is Pollys alt I knew it
  • BigOnYa @ BigOnYa:
    Yea I see him every once whi!e , incognito
  • SylverReZ @ SylverReZ:
    @K3Nv2, I'm not him. Keep looking.
     +1
  • K3Nv2 @ K3Nv2:
    Still don't know why he left unless someone really hurt his feelings
  • K3Nv2 @ K3Nv2:
    Don't know why people get so emotional online just get over it ffs
     +2
  • BigOnYa @ BigOnYa:
    He was the ass of gbatemp, everyone knocked on him, I honestly felt bad, even though I was guilty myself, but he egged it all on himself,
  • BigOnYa @ BigOnYa:
    But he still here, but under dif name, he pm me sometimes still even.
  • K3Nv2 @ K3Nv2:
    It's like they think we'll be in their bed pissing on it the next day
  • BigOnYa @ BigOnYa:
    I feel like gbatemp should make t-shirts or memorabilia to remember the lost ones. I bet the Polly shirts would sell out quick.
  • K3Nv2 @ K3Nv2:
    Nah that could actually bring lawsuits
  • K3Nv2 @ K3Nv2:
    Tempsuits
  • BigOnYa @ BigOnYa:
    PollySuits
  • BigOnYa @ BigOnYa:
    Your correct, Somebody would be guilty and there would be riots, then they storm the gbatemp capitol,
  • K3Nv2 @ K3Nv2:
    Online or not there are still certain rights that judges would have no issue handing out a warrant over
  • K3Nv2 @ K3Nv2:
    Just look at Kim dotcom
  • BigOnYa @ BigOnYa:
    Honestly I'm scared to, from you, but ok, lemme turn on vpn, virtual machine, private browser first
  • K3Nv2 @ K3Nv2:
    Remember that Alexa robot I gifted you
  • K3Nv2 @ K3Nv2:
    And that laptop Webcam you never tapped up
  • BigOnYa @ BigOnYa:
    That robot is here somewhere, I hear it moving around at night, but I haven't seen it for months.
  • BigOnYa @ BigOnYa:
    Oh that laptop I give to ancientboi, so you been watching him for months, and he's been watching you
  • K3Nv2 @ K3Nv2:
    Oh good more than enough material for the fbi
     +1
  • BigOnYa @ BigOnYa:
    Damn its 5 in morn, I gotta Go wake your mum and send her to work. Check ya later.
    BigOnYa @ BigOnYa: Damn its 5 in morn, I gotta Go wake your mum and send her to work. Check ya later.