Can I Get a Technical Explanation for 9.00 Exploit?

Kurt91 (OP)
I'm currently taking a Cybersecurity class at university, and we need to give some sort of presentation regarding something having to do with cybersecurity. (Detailed requirements, I know.) I figured since I'm already vaguely familiar with modding a PS4, at least from the end-user perspective, this would be a pretty easy topic to use. Plus, I thought I could always ask around on this site for more information (hence the thread).

While I'm not looking for an extremely thorough explanation to the extent of being able to set up my own host or try and replicate anything myself, could anybody either give me a brief explanation of what the exploit is doing to give access, or point me in the direction of somewhere I could get this information?

From how I understand it, "userland" is the access that a game/app has to use the console's resources, while "kernel" means you have access to absolutely everything. The online part of the exploit intentionally crashes the PS4 and tricks it into using the payload on the USB to restart itself rather than the normal hard drive files. If I'm right on this so far, that's the total extent of my knowledge, and if I'm mistaken, then I knew even less about it than the small bit I thought I already understood.

Tomato123
These are probably the best you will get.

Userland: I don't think a public write-up was ever made about this, but it was a vulnerability with font faces in WebKit. Implementation is here: https://github.com/ChendoChap/pOOBs4/blob/main/webkit.js
Small proof of concept:
JavaScript:
// Create a FontFace with an empty source and put it into a FontFaceSet.
var fontFace1 = new FontFace("font1", "", {});
var fontFaceSet = new FontFaceSet([fontFace1]);
// Renaming the family after the face is already in the set is the
// sequence this proof of concept uses to trigger the WebKit bug.
fontFace1.family = "font2";

Kernel: https://hackerone.com/reports/1340942 and implementation is here: https://github.com/ChendoChap/pOOBs4/blob/main/kexploit.js

Soggytoast111
There are two stages to get jailbreak: app privilege and kernel privilege.

The first stage achieves arbitrary code execution in userland (app privilege) through a bug in WebKit's JavaScript engine. WebKit is an open source web browser platform that is developed by Apple; Sony uses this as the PS4's web browser. The exploit is triggered when the web browser loads a page that has carefully crafted JavaScript code.

The bug is called CVE-2021-30858.

The second stage achieves arbitrary code execution with kernel privilege through a bug in FreeBSD (the open source OS platform that the PS4's OS is built out of). The bug has to do with the filesystem (exFAT), and can be triggered by mounting a USB drive with a carefully crafted image that has certain invalid attributes. A user directly interfacing with the PS4 doesn't have enough control to fully leverage this bug for jailbreak; you need the ACE from stage 1 to control this process and fully exploit the kernel.

If you search for "PS4 exFAT bug" there is plenty of technical information about this.

Once you can execute code as Kernel, you can tell it to patch itself to disable all the protections that would normally prevent you from installing/running homebrew or pirated games. And that's jailbreak.

This was all recently achieved on PS5 as well (same concept, with a different set of bugs), but there is one extra layer of protection that hasn't been cracked yet. Unlike on PS4, the PS5 has a hypervisor that prevents the kernel from reading itself or patching itself. There is a lot of work being done right now to try to figure out a solution to this.