58 comments

[ 3.4 ms ] story [ 76.5 ms ] thread
I guess it makes sense that the vulns would be in Sony's new kernel code, and not in its FreeBSD ancestor.
How huge is this?
This is an old exploit that has been since patched by Sony in firmware 4.07 (the last section of the article shows the fix).
Sony appears to have patched it from firmware 4.06 and up. The adieu in the title appears to refer to bidding a farewell to the exploit rather than a codename for it ;-)

Great and insightful write-up nonetheless!

qwertyoruiopz[1] claims to have achieved kernel-level code execution on 5.00. It's probably not going to be released to the public anytime soon, but it's still not over for the PS4 homebrew scene.

[1]: https://twitter.com/qwertyoruiopz

From what I've observed, this is where the unending cat-and-mouse game begins for Sony.
In fairness, it started back when Sony shipped their first piece of hardware with technical measures to prevent users from consuming the media of their choice :)
Naw, the homebrew/piracy groups have been around since the birth of the console industry. It’s been an ongoing cat and mouse game for over 30 years at least.
Am I reading it correctly that it's possible to invoke syscalls from Javascript? That seems like a monumentaly bad idea...
No, that's just a library they made that uses a WebKit exploit to invoke a ROP chain to run syscalls.
Not directly. The exploit referred to by the title is a kernel exploit, but to execute the kernel exploit you need to be able to already run user code. They're using a Webkit exploit to run their user code.
It's interesting to see that this is a vulnerability caused by PS4 specific kernel modifications. I guess it's good news for FreeBSD users that PS4 jailbreaks do not imply vulnerabilities in FreeBSD.

Conversely, I'd imagine the PS4 jailbreak community is vigourously looking for privilege escalations in FreeBSD, but no results so far. I wonder if anyone familiar with it could shed some light on whether that's a correct way of looking at it.

Is it me or Sony has become good at protecting its software ? I remember a time when every new console would be hacked within the year it was released.
xbox one also hasn't been hacked.
(comment deleted)
I don’t know much about it, but some other users were implying that they now use freebsd when previously they rolled their own OS. If that’s the case, it makes sense.
PS3 was out for ~3 years before it was hacked.
It wasn't worth hacking the PS3 because of OtherOS. They removed it, it was hacked.
As far as I remember, as soon as it was hacked they removed OtherOS, not the other way around. This was like version 3.50 or something? Long time ago.
No, OtherOS only existed due to it allowing for different import tarifs. The CISO who told Kaz that he's a mad bro for wanting to remove OtherOS support was fired.
If anything the PS4 is a downgrade from the PS3 here. The PS3 ran everything in a hypervisor.
I guess if people want this to happen they should goad George Hotz by telling him he can't possibly beat the protection.
George is banned from exploiting Sony products
Isn't everyone?
Not like he is. If memory serves, if he tries to break a Sony device again, he faces massive fines, etc.
Do you have a good link for some backstory on this one? I'm not sure how that could even be possible in the legal frameworks.
Holy crap! Thanks!

That's insane. I'm not a gamer but it looks like they just published how to "hack" the console and they were hit with that. That's crazy. In the span of a minute, I can think of a dozen better solutions to this.

If I'm reading properly, they didn't even do anything that I'd call wrong. They found an exploit and published it. I suppose the DMCA and "circumvention tools" come into play - but that only points to the absurdity of the situation (at least in my opinion).

Sony threw everything at them: DMCA, CFAA, copyright, California Computer Crime Law, even violating the PSN TOS.
I support IP rights, as a general rule. However, they sure get abused. I'm kind of annoyed about this, even though I have nothing to do with it.

If you break my system, thanks for letting us know. It'd be great if we could pay you to help fix our system and make it more difficult to break in the future.

I'd not take them to court. I'd try to hire them. Hell, I'd give them reward money - even if they didn't want to be hired.

Intellectual property is theft.
Sure, inasmuch as taking labor without payment is slavery.
Would you think so if you poured your soul into writing a book, only to have it copied and distributed without your permission, for someone else's profit?
It's not exactly like that doesn't happen under our current system.
So everyone working on books, movies and computer games is a theft apparently.

Not everyone wants to give their work for free, dress in coloured cothles, sing about peace and love and grow tomatos in a community.

No. Intellectual property is a legal concept supported by a framework of laws and regulations. In itself it doesn't constitute theft. Exactly how the laws are used or abused matters. Intention is everything. From one end of the spectrum of having all your productions distributed everywhere rendering you unable to sell it even for a pittance to coming down massively with locked down systems and lawyers and costly lawsuits to intimidate and harass people into buying your product over and above its subjective value... we need a balance like everywhere else. Absolute statements rarely cut it.
(comment deleted)
We all don't know the details of the settlement, but we DO know George can sing about it. PoC's in rap would be nice.
Guy is too busy raging about self-driving car regulations and making ODBII dongles.
The hypervisor for the PS3 wasn't designed to be secure. It was reference hypervisor from IBM if I remember correctly and designed for scaling environments up and not security isolation. It was full of holes. At least FreeBSD starts out as battle tested verified OS of sorts unlike the PS3 Frenken-OS.
PS3 for the most time allowed people to legitimately run an other operating system on it, so these was less of an incentive to build ‘jailbreaks’ and cracks.
Psx, PS2, Wii, PSP have been hacked to their bone, it was a great time because of the community it had created. All these people focused on finding exploits and sharing the most obscure techniques to restore a bricked device! I don't see this anymore. Maybe they are mining bitcoins or playing Candy crush.
The Vita was harder to 'break' than the PS4, apparently. It's only recently been pwned.
In that time computing devices were rare.

Now everyone has a quite a powerful computer in their pocket.

If you want to make apps it's all there supported with a ton of documentation.

Keep in mind everything is online now. In the olden days you didn't need things like patches or firmware updates. Once a console was hacked you were golden.
Their PCI-Express bus hack is amazing.
Twiizers/fail0verflow work is amazing. I wonder why didn't even try with Xbox though.
> However, this turns out to be impossible (as far as I know) because of a side effect of the ps4 page size being changed to 0x4000 bytes (from the normal of 0x1000). It appears that in order to change the page size globally, the ps4 kernel developers opted to directly change the related macros. One of the many changes resulting from this is that the smallest actual amount of memory which malloc may give back to a caller becomes 0x40 bytes. While this also results in tons of memory being completely wasted, it does serve to nullify certain exploitation techniques (likely completely by accident…).

This is pretty cool (and probably obvious to a lot of people) as a security technique. Could this be done for consumer OSes? 64 bytes as the smallest malloc-able size doesn't seem too bad for today's ultrabooks...

Did PS4 even get much of a homebrew scene?