Jump to content


Regular Member
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by wildcard

  1. Thats probably the issue, i just checked and its ps4dev repo not from psxdev, now i remember using psxdev libps4 i got loads of build errors for some reason and libps4 just worked fine. Ill look into what could be causing it to not compile and hopefully when it does it should make a valid ldr.js. Thanks! update: Okay i got psxdev/libps4 branch compiled but i had to use my vm of freebsd to do it and not ubuntu. Set my ip in the ps4link source and generated a ldr.js copied it over to my ubuntu vm and tried loading with that but still getting a out of memory error. Ill try from scratch tomorrow from your git instructions and see if i can get it going hopefully.
  2. Hey big boss thanks for fixing that, i have the generated ldr.js in the local/ldr folder with my pc ip on it and waiting on 18194 just like you mention in the new readme, but im getting an out of memory every time i reach stage 5 on elfldr. Ive got all the new files you put up on the git a couple hours ago, you got any advice on what could be the issue?
  3. whats the size of the usb stick? im just trying to think of anything now.
  4. oh and xtreme have you tried ejecting the usb from pc first, sometimes i got just white light or itd be blue flashing purple and wouldn't find the files till i had the usb ejected from my pc and ps4 couldnt mount it. also try unplugging and plugging it in when its stuck on blue for ages. Its weird that there is not purple led pulse on yours, even without the usb stick though i get a purple pulse, i think that is in the kexec code that marcan wrote.
  5. Wow thanks bigboss! So its safe to say that i can now dump hdd files as root pretty easily with ps4link now yeah? Hopefullly it works this time for me since after building the previous i had trouble getting a response with socat - tcp, node server.js and elfldr running on ps4..
  6. I was about to say to him the same thing but he got video output the first time so it couldn't be :/
  7. okay heres where i am at, i have better-initramfs made and running but im unsure of where to edit, do i edit init file in rescueshell running on ps4 using vim or do i set it to mount to /dev/sdb1 on making the initramfs? it says with fdisk ive got a sda of 298mb, a sdb of 3965mb, and a sdb1 listed as device boot (its a 4gb usb btw). im guessing its sdb1.. Do i need to put ps4-linux compiled on the usb as well to eventually install or does it do it via network?
  8. using kr105s files all i had to do was insert into top usb on fat32 format usb and press load linux on the playground no dlclose bin sent. So far just getting this screen.. http://postimg.org/image/n4qx8gqkp/ Okay now with kr105s files ive got a command line and its working with the keyboard i have plugged in no idea what to do now lol
  9. At first i thought it was an april fools joke lol but after seeing the source and finally testing it turned out to be a nice surprise. Thanks kr105! Just need to add the code for linux and good to go.
  10. ayyy kr105 posted a working method! Now we can see what we have been doing wrong/different. https://github.com/kR105/PS4-dlclose
  11. Thanks lezek20! With that i am now getting [+] Entered kernel payload! [+] Rooted and Jailbroken! [+] Escaped from the sandbox! but it ends there and if i use the asm("swapgs; sysretq;" :: "c"(shellcode)); like zer0 suggested i get out of memory, if i change it to iretq the ps4 is stuck on executing and shuts off. It also shuts it off without the return to userland method. Im not getting the kernel patch success message so the thread doesn't seem like it closes. I tried adding a getuid method inside the payload and tried inside the exploit tread function but when i do that it gets frozen on a queue. Anyone got any ideas? *trying your new post for the cred and proc struct im getting the same results which may suggest the creds are now being executed but something in them is off so it is still causing the thread to remain open? I wish there was a way to check if im true root but like i said if i use a getuid in the payload or in the thread i get stuck on a queue.
  12. ah yup, thanks! Now with that im returning to browser without memory error but the creds are wrong so its a kernel patch failed. You any closer to getting proc and ucred stucts setup correctly?
  13. Hey Zer0xFF Ive been using your source that you put on on your git, and have been playing with the cred structure based on what has been talked about here. I don't even think it is the cred that is causing the PS4 to crash. For example i have commented out the priv escalation and the struct ucred so the payload just prints entered payload this way i could test if the cred was causing trouble atal . Im still getting a crash. I wanted to find out if it is kernelFree(m2); so i put a printf("kernelFree happened\n"); just after and it doesn't reach that command. Im thinking that it could be the kernelFree function since if the payload just prints to the debug socket and nothing else, why would the ps4 shut down? The only changes i made is to payload and having it just do this.. void payload(struct knote *kn) { struct thread *td; asm volatile("mov %0, %%gs:0" : "=r"(td)); kprintf("\t[+] Entered kernel payload!\n"); } my last lines on TCP-Dump are moment of truth Trigger sceKernelDeleteEqueue [+] Entered kernel payload!
  14. Thats what i thought since they seemed to do the same thing. I tested out that dlclose bin too but i dont think you got my message. I did 5 dumps with it and got the same out put here. [+] Starting... [+] UID = 1 sock = fd queue created = 55 sock = fd // it does this next part like 25 times the same queue created = f00 sock = fd // then this m2 kernelAllocation: sock = fd queue created = f00 Trigger sceKernelDeleteEqueue Trigger sceKernelDeleteEqueue [-] Kernel patch failed!
  15. Zer0xFF with your 5fs binary im getting entered critical payload then shutting off. Been looking things up and gonna try some more combinations such as just iret instead of iretq since iretq is just for 64bit mode? at least thats how i gathered it. it would be great if we could get it to return to userland without crashing since i think it will be more fun to work with the ps4 OS then to run Linux since it will just be linux on ps4 rails without actually reversing the software. I don't think you can interact with the ps4 OS from Linux or could you? is there an accepted method such as: asm volatile ("swapgs; iret;" :: "c"(user_shellcode)); or asm volatile ("swapgs"); asm volatile ("iret;"); or does no one here know at this point.
  16. Zer0xFF upon testing the bin with firewall off/ port 9023 im consistently getting stuck on executing... and was able to press the ps button to home screen during entering critical payload which i dont think ive been able to do before. its not crashing the kernel but i dont have controller connection even when plugged in. ill have to test more tomorrow. Im on windows 7 running Charles to local playground files, and using Ubuntu vm for the PS4SDK fully compiled. Ive been compiling badiret.bin for a while now and been able to play with them for different results. I believe its my return to user land via the asm volatile using swapgs and systretq. just like on relys github. with iretq in place of sysretq i get infinite payload loop and with sysretq i get a out of memory error. my shellcode is just like in relys just with return 0 now and still haven't gotten it. ill have to test when i get the chance again. lol i could never get &prison0 working either and was looking into including a load of freebsd library! yeah umm f that lol. there must be a way to do in in the defines header. ive got the creds resolved but when i include them my ps4 crashes and shuts off but i havent tried it with the return 0 at the end of my payload idk. lol itll get there. same here on the kexec and ps4-linux, i think sonyUSA had some code on a pastebin i took note of for loading it. it was taken down but i copied it here. http://pastebin.com/dQ0gj3Ez
  17. ah got yah that makes more sense now. yeah i only tested it quick so it didnt occur to me to change my pc ip to the known debug ip. of all ips thats the one id guess too lol yeah ill test it now on it and let you know no need to compile me one.
  18. Nice to see some progress in here lol! nah i use playground locally and map it with charles proxy, its not the playground since i applied the fix that kr105 applied to the github. Its because my badiret.bin has a bad return to userland method, i used the one that was on relys github thats been uploaded here and still trying to get it working. That bin that you uploaded works just as its supposed to what did you use for your return, ive got the sidt code with the correct addresses for restoring idt but ive been using "asm volatile ("swapgs; sysretq;" :: "c"(user_shellcode));" ive tried it with iretq as well but im getting loop for executing critical payload. it might be my shell code since i use a return and not an exit() since gcc complains. Do i need to include a header for exit() or is there an alternative like a syscall for the ps4? Any advice would be greatly appreciated @Zer0xFF, this has been great fun and is getting me motivated to get back to learning c. *Just for clarity since you said you don't have the means to test it, your bin loads, executes, and returns to web browser without a crash. I don't know the ip so i wasn't able to see anything on the tcp-dump but it looks like it works fine. Nice job Zer0xFF!
  19. My bad, that sdk you uploaded was slightly different, i must have confused it with another. My old PS4-SDK was prior to 3 days ago when updates were made. badiret.bin just built with the correct IP. Getting entered critical payload now, thanks!
  20. True, but at least other devs have some more tools to work with, opens things up for those who are less skilled to learn more. Itll be interesting to see what happens in the next couple months. The compiled PS4SDK there is the same as mine, to even build badiret.bin libc and pthread from the sdk need to be statically linked? Atleast thats how i interpreted it.
  21. Oh wow, so SonyUSA got it working and built it from source, nice!. Yeah ive uploaded them to mega if you want to use them. tcp-dump(https://mega.nz/#!rVFxSRII!mrhq2xXyAlCtmscHz-BhhqcVOONHibBDR7Xn9zKahKs ) & WiFi-loader(http:// https://mega.nz/#!fMEWBCZC!Mrnx4IdT0_q1nM4VEKfwnwLsUydd1fbF7HyL2rutCSw) *WiFi-Loader is compiled to send file to so it wont work for anyone using it till it is written to support ip address input in some form. (either compiling it with your ip from source or using an alternate tool like netcat)
  22. eXtreme, i just got this working on my window 7 desktop. I used netcat on linux so i dont know if it will work on windows only because i havent tried it. However this is what worked for me. I used Cturt's tools WiFi-loader and TCP-dump from his github.https://github.com/CTurt/WiFi-Loader & https://github.com/CTurt/TCP-Dump but i always couldn't build them in windows since i had several environmental variables conflicting, until now. What i did was removed all env variables from PATH that had to do with building (Cygwin, mingw, etc) started fresh and reinstalled mingw with all gcc packages. Then i linked C:\MinGW\bin;C:\MinGW\msys\1.0\bin;C:\MinGW\mingw32\bin; into env variables. Open WiFi-loader source code, find "payload.bin" and change it to "badiret.bin" so it looks for that in the same directory it builds the exe. Run make on it from the make file directory. For TCP-Dump i ran make on it but it complained about socklen_t so i read that if you put #include <ws2tcpip.h> under <winsock.h> and <windows.h> in ifndef _linux_ then it will know what socklen_t is. It worked but then make complained about recursive variable LFLAGS in make file. I looked up a solution and simply put a : before = on line 23 of make file. It built! so try doing this to get these 2 tools working. You need to change the ip in index.html to the ip of your windows pc, run ipconfig and use that ip at port 9023 Now that you have TCP-Dump.exe and Wifi-loader.exe running by opening cmd in there respected folders and PS4 at playground with correct pc ip displayed. Start TCP-Dump.exe, itll say listening.. Select send message on playground and TCP-Dump will stop and say that it has written to a dump file. Should say hello from PS4! This is where i am right now, Ive gone and changed my IP in network settings to just as it says in badiret source code since i cant change and compile it. Ive started TCP-dump, it says listening, Ive disabled all firewalls to prevent any problems. Finally sent badiret.bin from WiFi-loader over after PS4 says waiting for exploit. I get Executing.. until it says out of memory, but not a peep from TCP-dump. Keeps on listening.. Trying to build badiret from source now, maybe ill try it a few more times to see if i can get a response. I know that badiret.bin must have some kind of interaction like explained with elfldr but haven't worked out how to do that yet.
  23. Alright so this is how I believe you do it on windows: You start your proxy (Charles/skfu) have it set to map manuals.playstation.net to the ps4-playground. On ps4 make sure its loading the playground in landscape format, if it isn’t then it’s not using the css folder (suggesting js won’t be loaded either) and you need to edit the file structure to trick it to load (I just created document/gb/ps4/”ps4playgroundfiles”, was lazy and this way just worked). You should edit the index.html file to be the IP of your windows pc so you don’t have to keep setting it, and leave the port the same I think 9023. Use Cturt’s TCP-Dump on windows to check if your ps4 can send data over by using the send message button on playground. While TCP-Dump is listening to the ip you set in index.html you should get a dump file on windows reading hello from ps4. This confirms you can receive. Next push the go button on ps4 playground so it reads waiting for payload, then you can use wifi-loader to send badiret.bin over to ps4 ip via 9023 and it should say executing. All the while TCP-dump is listening. My PS4 says executing for about a min then returns out of memory, and I know the debug socket in the source code is a different ip so ive been trying to change my ip to that one since I cant build the badiret source (the word is that you need to link against #libpthread, and #BSD, ive yet to figure that out.) I’m hoping once my ip is the same as badiret debug socket, I will receive a dump saying its loading. But then I still don’t know how I’ll be able to interact with the kernel like send commands via a debug cmd or set them in source and compile them? This part is still not clear; the elfldr method from hitodama to my knowledge won’t work on windows, or will be a hassle to set up. I’m just using VMware on win7 running Ubuntu in bridged network so it’s like its own separate computer to my network. So in steps: 1. Config playground index.html to local setup 2. Run proxy and load playground via ps4/ test communication with hello message 3. Build/change windows IP to BADIRET debug socket 4. Send BADIRET.BIN/ receive data confirming its working 5. PROFIT and sweet decrypted flash?? Lol if only I hope this helps lol, I think it’s a lot simpler than I was trying before at least.
  24. Seeing as I haven’t seen anywhere else where other 1.76 owners are talking about getting this working, ill post this here. I’ve been trying this several different ways but due to lack of knowledge in C and program compiling I haven’t been able to work out exactly how the exploit is supposed to be interacted with. So far I’ve used both Cturt’s Playground, and the elfldr from hitodama. I have tried out both by mapping manual.playstation.net/ to their location via Charles proxy running on Ubuntu. However Playground loads up on my PS4, push okay for payload, I Socat/netcat the released pre-compiled badiret.bin to ps4 IP, PS4 says Executing, i start TCPDUMP on Ubuntu on Playground server IP? No confirmation it’s loaded via TCPDUMP with that IP. So I changed my Ubuntu IP to the one in the badiret source code, still no sign of “loaded to core” that the binary is supposed to send over. So I try elfldr. From the git hub; I point PS4 to local directory, loads up elfldr, reaches stage 5. On Ubuntu, load sever.js with node, Socat PS4 IP to start debug port like it shows in the example, then once connection accepted I Socat over badiret.bin via the 5053 port like it says on GITHUB. All the while TCPDUMP is running in background, the dump shows no confirmation it’s executed, just that its been sent. The PS4 shows it receives the file but returns out of memory/ Socat debug connection closes with no information on what happened. What I think could be the potential problem: · Playground doesn’t work with the debug connection method shown on elfldr that is needed, and im lacking an alternate method of interacting with the kernel like elfldr · Elfldr github says to run make in /ps4. So i do but can’t build due to multiple errors no matter which way I try it, even with libps4 built/setenv from the same git. Also all necessary prerequisites installed. · Leaked badiret source code like most are saying is incomplete, but the missing parts make it completely unusable, not just missing IDT restoring etc. Yet if the kernel state restoration isn’t coded into source then that’s why I’m getting out of memory?.. Maybe. · Possibly the public compiled Badiret.bin has been altered from the source code released, but I can’t check since I can’t build it either without several errors even with properly building PS4SDK and setting it as environmental variable. I have a feeling either I’m doing this completely wrong or the exploit is so unfinished its completely unusable lol or both.
  • Create New...