chevron_left chevron_right
Login Register invert_colors photo_library


Upgrade your account to hide advertisements.

Thread Rating:
  • 0 Vote(s) - 0 Average


filter_list PS4 FW 4.05 Kernel Exploit
Author
Message
PS4 FW 4.05 Kernel Exploit #1
Summary

In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.

You can find fail0verflow's original write-up on the bug here, you can find my technical write-up which dives more into implementation specifics here (this is still in progress and will be published within the next few days).
Patches Included

The following patches are made by default in the kernel ROP chain:
  • Disable kernel write protection
  • Allow RWX (read-write-execute) memory mapping
  • Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  • Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  • Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Notes

This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
I've released a sample payload here that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.

Contributors


I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
  • qwertyoruiopz
  • Flatz
  • CTurt
  • Anonymous

Check out the code here - https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit
(This post was last modified: 12-28-2017, 08:22 AM by S3xySmurf.)
[Image: YmmIqHV.gif]
Donations: 1CCR21K2fnu2yAinUTFPsVdY7u4FkjNPs5

Reply






Users browsing this thread: 1 Guest(s)