• Stars
    star
    534
  • Rank 83,095 (Top 2 %)
  • Language
    JavaScript
  • Created almost 7 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A fully implemented kernel exploit for the PS4 on 4.05FW

PS4 4.05 Kernel Exploit


Summary

In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.

You can find fail0verflow's original write-up on the bug here, you can find my technical write-up which dives more into implementation specifics here.

Patches Included

The following patches are made by default in the kernel ROP chain:

  1. Disable kernel write protection
  2. Allow RWX (read-write-execute) memory mapping
  3. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  4. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  5. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Notes

  • This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
  • I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
  • A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
  • An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
  • I've released a sample payload here that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.

Contributors

I was not alone in this exploit's development, and would like to thank those who helped me along the way below.

More Repositories

1

PS5-IPV6-Kernel-Exploit

An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on <= 4.51FW
JavaScript
872
star
2

Exploit-Writeups

A collection where my current and future writeups for exploits/CTF will go
728
star
3

PS4-5.05-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 5.05FW
JavaScript
625
star
4

PS4-4.55-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 4.55FW
JavaScript
236
star
5

PS4-6.20-WebKit-Code-Execution-Exploit

A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.
HTML
197
star
6

REBot

A discord bot for reverse engineers and exploit developers.
Go
78
star
7

PS4-4.0x-Code-Execution-PoC

My edit of qwertyoruiopz 4.0x exploit PoC from http://rce.party/ps4
JavaScript
61
star
8

PS4-KHook

PS4 kernel hooking library / payload.
C
48
star
9

PS4-Playground-3.55

A 3.55 implementation of PS4 Playground (based on CTurt's 1.76 original)
HTML
44
star
10

idc_importer

A Binary Ninja plugin for importing IDC database dumps from IDA.
Python
38
star
11

PS5-SELF-Decrypter

A portable payload to decrypt PS5 SELF files from the filesystem to USB drive
C
38
star
12

PS4Console

A successor to PS4Playground, emulates a shell-like environment to interact with the PlayStation 4.
HTML
35
star
13

MD5-Magic-File-Generator

A project in Golang that will create prefix-based magic MD5 hashes for type juggling.
Go
18
star
14

JinxOS

JinxOS is a minimalist operating system written in C and ARM. The focus is to quickly and easily interface with connected hardware for education and testing purposes.
C
18
star
15

CPP-Easy-Socket

An easy to use, higher abstraction socket class for usage in C++.
C++
16
star
16

PS4-Package-Assessor-Java

Evaluates PS3/PS4 .PKG files and displays information about them in a clean manner.
JavaScript
13
star
17

Space-Invaders-C-

Space Invaders C++ is a project to help learn some of the basics of C++ like classes, MVC, pointers, loops, and libraries.
C++
10
star
18

IDA-ASP-Loader

Simple loader plugin for IDA to load AMD-SP or PSP firmware binaries.
Python
5
star
19

Battleship-Arduino

A battleship game coded with Arduino/C++ using an Arduino UNO and a 32x16 LED RGB Matrix
C++
4
star
20

FalconFramework

A free, simple PHP framework created by myself for web development projects
PHP
3
star
21

goflexpool

Unofficial golang binding for flexpool API.
Go
3
star
22

PS3-Update-List-Parser

A parser written in Java to parse ps3-updatelist.txt from playstation.net
Java
3
star
23

PHPBot-Xat

A semi-company ready light-weight, clean xat bot script coded in PHP.
PHP
2
star
24

BO3-Round-Modifiers

Source code for Round Modifiers BO3 zombies mod.
GSC
1
star
25

GSS-Interpreter

The General Server Script interpreter
C++
1
star