• This repository was archived on 13 Oct 2019
  • Language
    JavaScript

Repository Details

A set of PS4 experiments using the WebKit exploit

PS4-playground

A collection of PS4 tools and experiments using the WebKit exploit. This is for firmware 1.76 only at the moment.

Although initially just a framework to help write and execute ROP chains, the playground now allows for running unsigned binaries compiled with the PS4-SDK, and booting Linux from USB.

Setup

A live demo can be tried here.

You should clone the repo and upload it to your own server if you wish to make changes:

git clone git://github.com/CTurt/PS4-playground.git

You can also download a zip of the latest source here.

Usage

After executing a test, you should either refresh the page, or close and reopen the browser entirely; running multiple experiments sequentially is not reliable. If you are using a web browser view in an app which isn't the Internet Browser, you can use the Refresh button under Misc to refresh the page.

Code Execution

Click "Go", and wait for the text "Stage: Waiting for payload..." to appear.

Send the desired binary over TCP to your PS4 on port 9023; you can use any standard networking tool to do this, or my custom Windows tool, WiFi-Loader.

If you're on Linux, the easiest way is probably to use netcat. Replace 192.168.0.7 with your PS4's IP address and name the file explicitly (a glob such as *.bin is an ambiguous redirect if more than one file matches):

nc -w 3 192.168.0.7 9023 < payload.bin

After you have sent the binary, it will be executed automatically.

Linux loader

You need a FAT32 formatted USB drive plugged into any of the PS4's USB ports, with the following files in its root directory:

bzImage : The kernel image that will be loaded. It is recommended to build it from these sources.

initramfs.cpio.gz : The initial file system that is loaded into memory during Linux startup. This one is recommended.

The file names must match the above exactly; other files may be present on the same USB drive. From there you can set up the environment to run from an NFS share or from an external USB drive (recommended) and boot a complete distro.

Syscalls

Get PID - Get process ID

Get Login - Get login name and leak a kernel pointer

Modules

Get Loaded Modules - List the currently loaded modules with their index and ID

Dump Loaded Module - Dump a currently loaded module (use Get Loaded Modules to see all available)

Load Module - Load an additional module from this list

Once you have loaded a module, refresh the page, and you will be able to dump it.

Filesystem

Browse - File Browser

Get PSN username - Read your PSN username from account.dat

Get Sandbox Directory - Get the name of the current sandbox directory (10 random characters which change each reboot)

Memory

Get Stack Protection - Get stack base, size, and protection

Get Stack Name - Get stack base, size, and name

Socket

Send Message - Send a TCP message to the specified IP and port

Receiving data

File and memory dumps will be sent over TCP to the IP and port you specified.

You can use a simple tool like TCP-Dump to write the data to a file.
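Host-side helpers for the two TCP steps described above (the payload upload to port 9023 under Code Execution, and the listener for dumps under Receiving data), as an added Python example that is not part of PS4-playground, WiFi-Loader or TCP-Dump. The function and argument names, the empty-payload check, the timeouts, the assumption that the loader reads until the sender closes the connection, and the sample bytes used when testing are my own; the only values taken from the README are port 9023 and the netcat invocation it mirrors.

```python
"""Host-side helpers for the PS4-playground TCP steps (added example, not project code).

send_payload()  -> the "Code Execution" step: once the page shows "Stage: Waiting for
                   payload...", the console listens on TCP 9023 and runs the bytes it receives.
receive_dump()  -> the "Receiving data" step: the console connects out to the IP and port you
                   typed in and streams a file or memory dump, so the host must be listening
                   first and should write until the console closes the connection.

Assumptions (mine, not from the README): the loader reads until the sender closes the
connection, so the sender half-closes after writing; an empty payload is refused; the
timeouts; and the function/argument names.
"""
import socket
import sys
import threading
from pathlib import Path
from typing import Optional

PAYLOAD_PORT = 9023  # loader port stated in the README


def send_payload(host: str, data: bytes, port: int = PAYLOAD_PORT, timeout: float = 3.0) -> int:
    """Stream one binary to the waiting loader and return the number of bytes sent.

    Equivalent to `nc -w 3 <host> 9023 < payload.bin`: single connection, write everything,
    signal EOF, close. A partial upload would be executed as-is, so refuse empty input and
    let sendall() raise rather than returning a short count.
    """
    if not data:
        raise ValueError("refusing to send an empty payload")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)             # loops until every byte is handed to the kernel
        s.shutdown(socket.SHUT_WR)  # half-close: tells the loader the binary is complete
    return len(data)


def receive_dump(out_path: Path, port: int, bind_host: str = "0.0.0.0",
                 timeout: float = 60.0, ready: Optional[threading.Event] = None) -> int:
    """Accept one connection from the console, write its stream to out_path, return the size.

    Start this before clicking a Dump button; `ready` (if given) is set once the port is bound
    so a caller can sequence the click (or, in a test, the sending side).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        if ready is not None:
            ready.set()
        conn, _peer = srv.accept()  # the listening socket can be closed once we have conn
    total = 0
    with conn, out_path.open("wb") as f:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(65536)
            if not chunk:        # sender closed the connection: the dump is complete
                break
            f.write(chunk)
            total += len(chunk)
    return total


def main(argv: list) -> int:
    """python ps4_tcp.py send <ps4-ip> payload.bin   |   python ps4_tcp.py recv <port> out.bin"""
    if len(argv) == 4 and argv[1] == "send":
        n = send_payload(argv[2], Path(argv[3]).read_bytes())
        print(f"sent {n} bytes to {argv[2]}:{PAYLOAD_PORT}")
        return 0
    if len(argv) == 4 and argv[1] == "recv":
        n = receive_dump(Path(argv[3]), int(argv[2]))
        print(f"wrote {n} bytes to {argv[3]}")
        return 0
    print(main.__doc__, file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the receiver first (`python ps4_tcp.py recv 9024 dump.bin`, with 9024 being whatever port you typed into the playground) and only then click the dump button, otherwise the console's connection is refused and the dump is lost; the sender side is just `python ps4_tcp.py send 192.168.0.7 payload.bin` once the "Waiting for payload..." stage is shown.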
