PS4 v9.00 Jailbreak Released

Younis


On December 13, 2021, a trio of console hackers released the latest, ready-to-run kernel hack for the PlayStation 4 and PlayStation 4 Pro that works on firmware version 9.00 and earlier, and this will go down in history as the day the PlayStation 4 is finally busted wide open.

Now a large number of PS4 owners have the option to run homemade software and play unlicensed versions of games.

The "pOOBs4" jailbreak is credited to PlayStation scene hackers/developers SpecterDev, ChendoChap, and Znullptr, with thanks to Sleirsgoevy for his WebKit browser exploit and TheFloW for finding the filesystem bug that allows this exploit to operate. The jailbreak requires a USB key with a specific file, plus network access. Once it has finished running, the console is free to accept a payload from a PC, such as the Mira Project custom firmware or the GoldHEN homebrew enabler.

The first hint that something big was coming came last evening, when SpecterDev, a well-known PlayStation scene hacker/developer, posted a video of modified firmware running on a PlayStation 4 with firmware version 9.00.

It's a breakthrough, but there's a bummer: according to one of the guys involved in the jailbreak, SpecterDev, the jailbreak only works on PS4 firmware 9.00 or below, which isn't the most recent PS4 software available. The jailbreak does not appear to work if you've just updated to the recent firmware, 9.03.

Jailbreaking the PlayStation 4 is nothing new, but two aspects make this one unique.

First, it operates on firmware 9.00, which was released only last September. There has only been one major update since then (9.03), which was released on December 1. Most PS4 jailbreaks require the use of much lower firmware versions.

Second, the kernel hack seems to be compatible with the PlayStation 5. The attack sprang from a file system glitch that TheFloW used last month to pwn all of the PS5's root keys. They have not made a PS5 version yet.

If you want to play whatever you want on your PS4, go visit ChendoChap's GitHub page for details on how to do it. Please be aware that this will allow the PS4 to run illegal pirated software, so proceed with caution.


This project has an implementation for the PlayStation 4 running firmware 9.00 that exploits a filesystem problem. The problem was detected while diffing the 9.00 and 9.03 kernels. It requires a drive with an exFAT filesystem that has been patched. If you successfully trigger it, you'll be able to run arbitrary code as the kernel, permitting you to jailbreak and modify the system at the kernel level. The exploit will then start the standard payload launcher (on port 9020).

Patches Included
The following patches are applied to the kernel:
  • Allow RWX (read-write-execute) memory mapping (mmap / mprotect)
  • Syscall instruction allowed anywhere
  • Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  • Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  • Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
  • (sys_dynlib_load_prx) patch
  • Disable delayed panics from sysVeri

How to do that?
This exploit is unlike previous ones, which were based purely on software. Triggering the vulnerability requires plugging in a specially formatted USB device at just the right time. In the repository, you'll find a .img file. You can write this .img to a USB drive using something like Win32DiskImager.

When running the exploit on the PS4, wait until it reaches an alert with "Insert USB now. do not close the dialog until a notification pops, remove USB after closing it.". As the dialog states, insert the USB, and wait until the "disk format not supported" notification appears, then close out of the alert with "OK". It may take a minute for the exploit to run, and the spinning animation on the page might freeze - this is fine, let it continue until an error shows or it succeeds and displays "Awaiting payload".

Notes
  • You need to insert the USB when the alert pops up, then let it sit there for a bit until the PS4 storage notifications show up.
  • Unplug the USB before a (re)boot cycle or you'll risk corrupting the kernel heap at boot.
  • The browser might tempt you into closing the page prematurely; don't.
  • The loading circle might freeze while the WebKit exploit is triggering; this means nothing.
  • This bug works on certain PS5 firmware; however, there's no known strategy for exploiting it at the moment. Using this bug against the PS5 blind wouldn't be advised.

Source: https://github.com/ChendoChap/pOOBs4
 