Is it possible to delete protected files on PS4?


MistyVermin

Question

So recently I have been messing with core bdj files on PS4 and finally was able to create a modified bdjstack.jar PoC. The problem is that I can't delete the original bdjstack.jar through FTP to test out my modified version. When attempting to delete bdjstack.jar I get a 550 error telling me I could not delete the file. Yes, I understand what I could be doing is possibly dangerous and may brick my console, but I am willing to take the risk. I just have no way of testing my modified version unless I can replace the old one, and the only way for me to do that is to delete the old one and upload my modified version.


17 answers to this question

20 minutes ago, wildcard said:

 

Hopefully it is just the FTP method lol; would that be in the FTP payload or would that be done in the FTP client?

 

 

I think I was not clear...

 

Some folders you see at the root are mount points of encrypted partitions:

/dev/da0x4.crypt/=/system
/dev/da0x5.crypt/=/system_ex
/dev/da0x9.crypt/=/system_data
/dev/da0x13.crypt/=/user
/dev/da0x14.crypt/=/eap_user
/dev/da0x12.crypt/=/update
/dev/da0x0.crypt/=/preinst
/dev/da0x1.crypt/=/preinst2
.....

Some are mounted read-only, so you can't write in these dirs; it's not an FTP issue...

If you mount a USB key read-only on Linux you'll never be able to write to it; you need to mount it with R/W rights...

 

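The point fx0day is making is that a 550 on DELE or STOR is decided by the mount, not by the FTP server or the user it runs as. The following is an added example, not code from the thread or from any PS4 tool: it takes the device=mountpoint listing above, resolves a path to the mount it sits on by longest prefix (so a nested mount such as the sandboxed copy of system_ex wins over its parent), and reports whether that mount is read-only. The read-only flags, the /mnt/sandbox line and the bdjstack.jar path are assumptions constructed for illustration, since the thread does not say which partitions are read-only.

```python
"""Map a PS4 path to the encrypted partition it lives on and say whether
that partition is mounted read-only.

Added example, not code from the thread. The device=mountpoint pairs are
the ones fx0day posted; the read-only flags, the nested /mnt/sandbox entry
and the bdjstack.jar paths are ASSUMPTIONS constructed to illustrate the
longest-prefix lookup.
"""
from dataclasses import dataclass
from typing import List, Optional

# fx0day's listing, plus one ASSUMED line for the sandboxed copy of system_ex
LISTING = """
/dev/da0x4.crypt/=/system
/dev/da0x5.crypt/=/system_ex
/dev/da0x9.crypt/=/system_data
/dev/da0x13.crypt/=/user
/dev/da0x14.crypt/=/eap_user
/dev/da0x12.crypt/=/update
/dev/da0x0.crypt/=/preinst
/dev/da0x1.crypt/=/preinst2
/dev/da0x5.crypt/=/mnt/sandbox/NPXS20001_0000/system_ex
"""

# ASSUMPTION: which mounts are rw. Anything not listed here is treated as
# read-only, the conservative default for a system partition.
ASSUMED_WRITABLE = {"/user", "/eap_user", "/system_data"}


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    readonly: bool


def parse_listing(text: str, writable: set) -> List[Mount]:
    """Parse 'device=mountpoint' lines; skips blanks and the '.....' filler."""
    mounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("."):
            continue
        dev, _, mp = line.partition("=")
        dev = "/" + dev.strip("/")   # tolerate a missing leading slash
        mp = "/" + mp.strip("/")
        mounts.append(Mount(dev, mp, mp not in writable))
    return mounts


def _components(path: str) -> List[str]:
    return [c for c in path.split("/") if c]


def resolve_mount(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match on whole path components, so /systemx is not
    matched by /system and the nested sandbox mount beats its parent."""
    parts = _components(path)
    best, best_len = None, -1
    for m in mounts:
        mparts = _components(m.mountpoint)
        if parts[: len(mparts)] == mparts and len(mparts) > best_len:
            best, best_len = m, len(mparts)
    return best


def explain_550(path: str, mounts: List[Mount]) -> str:
    """Turn a failed FTP DELE/STOR on `path` into a mount-level diagnosis."""
    m = resolve_mount(path, mounts)
    if m is None:
        return f"{path}: not under any listed mount point"
    if m.readonly:
        return (f"{path}: {m.device} is mounted read-only at {m.mountpoint}; "
                f"DELE/STOR fail with 550 no matter which user FTP runs as")
    return (f"{path}: {m.device} is mounted read/write at {m.mountpoint}; "
            f"a 550 here is not explained by mount flags")


MOUNTS = parse_listing(LISTING, ASSUMED_WRITABLE)

if __name__ == "__main__":
    for p in ("/system_ex/app/NPXS20113/bdjstack/bdjstack.jar",
              "/mnt/sandbox/NPXS20001_0000/system_ex/app/NPXS20113/bdjstack/bdjstack.jar",
              "/user/home/test.txt"):
        print(explain_550(p, MOUNTS))
```

Matching on path components rather than raw string prefixes matters once nested mounts like /mnt/sandbox/... are in play; a plain `startswith` would also attach /systemx to /system.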

I got the same thing when I tried to do what was mentioned in the other thread. There might be some other sandboxing for the filesystem, or possibly a process that is running that preserves the file structure. The dlclose puts the process in root, but the FTP is in userland as root; maybe if the FTP was running in kernel mode? If we had a loader that runs in kernel it'd be interesting to see if testing with bdjstack.jar renaming works. Hitodama teased it in his SDK..

https://github.com/ps4dev/elf-loader/blob/master/ps4/binary/kernel/source/main.c

Might not be hard to write one in C

 

I made a little image a while back as well that showed what folders I could add files to without the error you talked about; sadly only file subdirectories seemed to be unprotected.

This was after running kR105's playground with the exploit + FTP initializer.

 

http://imgur.com/51aGHI4

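wildcard's image was produced by hand, trying an upload in each folder and noting where the 550 appeared. The script below is an added example, not code from the thread, from kR105's playground or from any PS4 payload: it automates that survey over plain FTP with `ftplib` (the same protocol FileZilla speaks to the port-1337 listener), doing a STOR followed by a DELE in each directory so it also catches the OP's case of a file that can be created but not deleted. Host, port, login and the directory list are assumptions; the `FakeFTP` class is a constructed stand-in so the probe can be exercised without a console.

```python
"""Probe which directories an FTP server accepts writes in.

Added example; not code from the thread or from any PS4 payload. It speaks
plain FTP through ftplib; host, port, login and directory list are
ASSUMPTIONS. Each directory gets a tiny STOR followed by a DELE, so the
probe distinguishes 'cannot write at all' from 'can write but cannot
delete', the situation in the original question.
"""
import io
from ftplib import FTP, error_perm
from typing import Dict, Iterable

PROBE_NAME = "__write_probe.tmp"


def classify(exc: Exception) -> str:
    """Reduce an ftplib error to its reply code. 550 is what most servers
    send for both 'permission denied' and 'read-only file system'."""
    msg = str(exc)
    code = msg[:3] if msg[:3].isdigit() else "???"
    return "denied (550)" if code == "550" else f"refused ({code})"


def probe_dir(ftp, directory: str) -> str:
    """STOR then DELE a probe file in `directory`; return a verdict string."""
    try:
        ftp.cwd(directory)
    except error_perm as exc:
        return "no cwd: " + classify(exc)
    try:
        ftp.storbinary(f"STOR {PROBE_NAME}", io.BytesIO(b"probe\n"))
    except error_perm as exc:
        return "read-only: " + classify(exc)
    try:
        ftp.delete(PROBE_NAME)
    except error_perm as exc:
        # Created but not deletable: leaves the probe file behind, so report it
        return "writable but undeletable: " + classify(exc)
    return "writable"


def probe_dirs(ftp, directories: Iterable[str]) -> Dict[str, str]:
    return {d: probe_dir(ftp, d) for d in directories}


class FakeFTP:
    """Offline stand-in for ftplib.FTP. Behaviour is CONSTRUCTED: `writable`
    dirs accept STOR and DELE, `sticky` dirs accept STOR but refuse DELE,
    `missing` dirs refuse CWD, and everything else refuses STOR with 550."""

    def __init__(self, writable, sticky=(), missing=()):
        self.writable, self.sticky, self.missing = set(writable), set(sticky), set(missing)
        self.cwd_dir = None
        self.files = set()

    def cwd(self, d):
        if d in self.missing:
            raise error_perm("550 No such directory")
        self.cwd_dir = d

    def storbinary(self, cmd, fp):
        if self.cwd_dir not in self.writable | self.sticky:
            raise error_perm("550 Permission denied")
        self.files.add((self.cwd_dir, cmd.split()[1]))
        return "226 Transfer complete"

    def delete(self, name):
        if self.cwd_dir in self.sticky:
            raise error_perm("550 Could not delete the file")
        self.files.discard((self.cwd_dir, name))
        return "250 Deleted"


def connect(host: str, port: int = 1337) -> FTP:
    """Real connection; host, port and login are ASSUMPTIONS, adjust to your setup."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login()  # anonymous; change if the payload expects credentials
    return ftp


if __name__ == "__main__":
    fake = FakeFTP(writable={"/mnt", "/user"},
                   sticky={"/system_ex/app/NPXS20113/bdjstack"},
                   missing={"/nope"})
    for d, verdict in probe_dirs(fake, ["/system", "/system_ex/app/NPXS20113/bdjstack",
                                        "/mnt", "/user", "/nope"]).items():
        print(f"{d:45s} {verdict}")
```

Against a real console you would swap `fake` for `connect("<ps4-ip>")` and feed it the directory names from the FTP listing; the probe file name is fixed so a leftover from an undeletable directory is easy to recognise later.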
6 hours ago, wildcard said:

I got the same thing when I tried to do what was mentioned in the other thread. [...] Might not be hard to write one in C. [...]

I know for a fact that it does sandbox these files, as I have found the DVD player app with bdjstack inside a sandboxed directory. I might be wrong, but these files could possibly be protected and then sent into a sandbox directory for them to be run there. Maybe we could possibly intercept the sending of applications into the sandbox and inject our own modified files into it. Sadly I wouldn't even know where to begin on that, and I believe having FTP running in kernel would be much more reliable in the long run as a solution.

EDIT: Also by the way thanks for the image of writable folders that's actually really useful for what I'm working on.


Yes, we need to either run FTP in kernel, which can be done by crafting an FTP program and running it like a kernel payload, or find out where the filesystem rules are in, say, a kernel dump and then patch them like the other sandboxing restrictions were patched in the dlclose exploit. I'm hoping it's that simple, though I could be wrong: if there is some other process that checks file checksums or something and fixes the sandboxed files, then even editing files in the filesystem from kernel mode wouldn't solve this. It's weird: there is the sandbox that bdj is loaded to, and then system_ex, I believe, is where it is loaded from. Yet if I rename the file bdjstack.jar to something like testbdjstack.jar and go up a folder then back in, it's changed back to bdjstack.jar, so some process or something maybe has a list of the directory. But idk if it has a checksum of every file, since files change? Unless after the PS4 edits a file it creates a new checksum to be logged? Idk, it's all just speculation atm, but I find it weird that I can rename a file but then it is changed back.

 

Yeah, for that image I only tested putting a file one directory lower, so I haven't tested whether deeper subfolders will accept files, but I assume, say, if /mnt accepts files then every directory lower will too, i.e. mnt/xxx/, mnt/xxx/xxx and so on.

 

EDIT: ah, I was wrong with that assumption; say if a restricted folder like system_ex is loaded under the mnt directory, it can't be added to, since the restrictions carry over. I just tested /mnt/sandbox/NPXS20001_0000/system_ex/app/NPXS20113/bdjstack


Don't know where you try to write, but remember that there are some mount points which are read-only, so you have to mount them with R/W permissions if you want to write with FTP on these...

 


Have you tested it with the new FileNinja tool? Or maybe it's possible to add those mount functions to the tool. I have no connection to my PS4 with the tool, so I can't test it.

10 minutes ago, eXtreme said:

Have you tested it with the new FileNinja tool? Or maybe it's possible to add those mount functions to the tool. I have no connection to my PS4 with the tool, so I can't test it.

Correct me if I'm wrong, but can't PS4 FileNinja only download files and not edit them in any way?


I think you copy from the console, edit, and transfer back.

 

but perhaps I am wrong also.

1 hour ago, fx0day said:

Don't know where you try to write, but remember that there are some mount points which are read-only, so you have to mount them with R/W permissions if you want to write with FTP on these...

 

 

Hopefully it is just the FTP method lol; would that be in the FTP payload or would that be done in the FTP client?

1 hour ago, eXtreme said:

Have you tested it with the new FileNinja tool? Or maybe it's possible to add those mount functions to the tool. I have no connection to my PS4 with the tool, so I can't test it.

I've been using FileZilla for my FTP; use fx0day's playground or add his bit to your own. You just connect to your PS4's IP with 1337 as the port and it works from there. It has the exploit bundled with the FTP-enabling code.

 

I've just tested FileNinja and I think I know what your issue may be: do you get an error that it can't connect to 9050 or something like that? It just happened to me, and I had to wait like a minute or two until code execution was finished, then I connected. Sadly it's only got read access, so I'll stick with FileZilla for now.


Yes, I get that error. Will check it once again, thanks for the info.

lol, you are right, now the tool works, thanks again. OK, now I see it's only copy from console.


I got excited there hoping it was that simple lol, that makes more sense now, thanks. So basically to add files in or change them we need to edit what's inside those encrypted partitions. Not a sandboxing issue or a matter of running the FTP in kernel mode then. So just mounting them R/W will suffice then.

3 hours ago, fx0day said:

I think I was not clear... Some folders you see at the root are mount points of encrypted partitions: [...] Some are mounted read-only, so you can't write in these dirs; it's not an FTP issue...

 

Well, if that's the case, could we not just remount them read/write, or am I missing something? Not saying that it's just that simple, but could we remount with a program running in kernel?


Yes we could but we need the partition passphrase to remount the partition ;)

 

 

48 minutes ago, fx0day said:

Yes we could but we need the partition passphrase to remount the partition ;)

 

 

I'm no professional on how the PS4 handles encryption, but how big could the "passphrase" be? Could it be theoretically possible to brute-force this passphrase, or is it too large for that kind of attack?


With some work, now that we have a kernel exploit, I think we can dump them...


What about files in /dev like sflash0s0x0.crypt? I'm assuming that is a partition that can be mounted as well? Could finally get a glimpse of the flash decrypted then, maybe... There is also sbram0.crypt in /dev, which appears to be the DDR3 RAM that mediacon is connected to (south bridge RAM?), which is also a mountable partition then? Correct me if I'm wrong.


I'm sure mini-syscore is responsible for mounting the fs!

 

Load the unencrypted mini-syscore.elf with IDA and find the mount strings..

 

But it is very hard to reverse it without symbols.
We need a specialist :shy:

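Before loading anything into IDA, the cheap first pass for "find the mount strings" is a `strings`-style scan filtered for mount-related substrings, which gives offsets to jump to once the file is open in a disassembler. The following is an added example, not code from the thread: it scans a whole image for printable ASCII runs and keeps the ones that mention mount, nullfs, ufs, /dev/, .crypt or sandbox. It does not parse ELF headers, and `SAMPLE` is a constructed byte blob, not a dump of mini-syscore.elf; the hint list and `scan_file` helper are assumptions.

```python
"""Pull mount-related strings out of a binary: the `strings | grep` step
behind the 'find mount strings' suggestion.

Added example, not from the thread. It scans the whole image for printable
runs rather than parsing the ELF, which is enough to locate candidate
mount-point and device names. SAMPLE is a CONSTRUCTED blob, not real
firmware; MOUNT_HINTS is an ASSUMED list of substrings worth a look.
"""
import re
from typing import List, Tuple

MOUNT_HINTS = (b"mount", b"nullfs", b"ufs", b"/dev/", b".crypt", b"sandbox", b"system")


def extract_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for each run of at least min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]


def mount_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Keep only the strings that contain one of MOUNT_HINTS (case-insensitive)."""
    return [(off, s) for off, s in extract_strings(blob, min_len)
            if any(h in s.lower().encode("ascii") for h in MOUNT_HINTS)]


def scan_file(path: str, min_len: int = 6) -> List[Tuple[int, str]]:
    """Run mount_strings() over a file on disk (ASSUMED usage: a decrypted ELF)."""
    with open(path, "rb") as fh:
        return mount_strings(fh.read(), min_len)


# CONSTRUCTED sample: ELF magic, zero padding, opcode-looking filler, then a
# few NUL-terminated strings of the kind a mount routine would reference.
SAMPLE = (b"\x7fELF\x02\x01\x01" + bytes(9)
          + b"\x48\x89\xe5\x0f\x05"
          + b"/dev/da0x5.crypt\0"
          + b"/system_ex\0"
          + b"mount -t ufs -o ro\0"
          + b"\x00\x01\x02ab\x03"        # 'ab' is too short to count
          + b"nullfs\0"
          + b"hello world\0"
          + b"/mnt/sandbox/%s\0")

if __name__ == "__main__":
    for off, s in mount_strings(SAMPLE):
        print(f"0x{off:06x}  {s}")
```

Raise `min_len` on a real image to cut the noise from code bytes that happen to be printable; on a stripped binary the string cross-references are often the only landmarks, so the offsets are what you carry into the disassembler.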