Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit
A fully implemented kernel exploit for the PS4 on 4.05FW
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit
- Owner: Cryptogenic
- Created: 2017-12-27T07:21:10.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2018-03-05T18:47:18.000Z (almost 7 years ago)
- Last Synced: 2024-08-03T17:22:11.494Z (5 months ago)
- Language: JavaScript
- Size: 24.4 KB
- Stars: 536
- Watchers: 58
- Forks: 231
- Open Issues: 3
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- Awesome-PS4-Jailbreak - PS4 4.05 Kernel Exploit
README
# PS4 4.05 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on firmware 4.05. It allows you to run arbitrary code in kernel mode, which enables jailbreaking and kernel-level modifications to the system. This release, however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. The exploit does include a loader that listens for payloads on port `9020` and executes them on receipt.

You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), and my technical write-up, which goes deeper into implementation specifics, [here](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md).
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. This works as a status check and doubles as a privilege escalation.

## Notes
- This exploit is very stable, succeeding in around 95% of my tests. WebKit very rarely crashes, and the same is true of the kernel.
- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
- An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
- I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that makes the necessary patches to access the system's debug menu via Settings, jailbreaks, and escapes the sandbox.

## Contributors
I was not alone in this exploit's development, and would like to thank those who helped me along the way:

- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [CTurt](https://twitter.com/CTurtE)
- Anonymous