Sunday, September 14, 2014

PS4 - The State of Things Part II: Environment Analysis

Sadly there's no blueprint of the PS4's filesystem as far as I know, so how would we know where we want to go? We need to collect as much information about the filesystem and its environment as possible to even be able to determine our possible research targets and vulnerabilities.

For any PlayStation platform there are three good and legitimate ways to go about this:

Way 1: Open Source Software & Open Documentation

Any Open Source Software used on the PlayStation4 is listed at http://www.scei.co.jp/ps4-license/.
A quick look through them reveals that many of these licenses require SONY to distribute copies of the software they cover, which for the PS4 are:

  • cairo
  • Mono VM
    • "For request, please send e-mail to: pss_opensource_info@scei.co.jp with “PS4 Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address."
  • Webkit
  • FFmpeg
Since we do have the sources, we can go through them, look for bugs, and/or compare publicly available exploits (for example from http://www.exploit-db.com/) against them to see whether they are patched.

Furthermore, you can check the World Wide Web for publicly available documentation about the system; sites like http://develop.scee.net/ are very useful. Just as an example, you can find the content guidelines for the PS4 web browser there and a quite interesting presentation from 2013.

Way 2: Hardware Analysis

Not exactly the stuff I like to do, but one of the most interesting and promising research fields, I think.

It is also for sure the most expensive way to do research. If you're lucky enough to own, or be able to purchase, the proper hardware for this kind of research, you have tons of possibilities.

There's already a lot of information about PS4 hardware research available in the PS4 Developer Wiki, including some dumps and more.

Even if you do not have access to a fast enough logic analyzer, there's cheap and good hardware for simple chip dumps. You could also check out other hardware interaction possibilities like UART (115200,n,8,1 in our case).
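An added example (my own code, not from the post) of what the "115200,n,8,1" setting means when a serial adapter is configured from a Linux host with Python's standard termios module, plus a small logger that appends whatever the console prints to a file. The device path given in the comment (/dev/ttyUSB0) is only an assumed example; the functions work for any 8N1 console.

```python
import os
import termios
import time

# The post gives the PS4 UART as 115200,n,8,1: 115200 baud, no parity, 8 data bits, 1 stop bit.
UART_BAUD = termios.B115200
BAUD_VALUES = {termios.B9600: 9600, termios.B38400: 38400, termios.B115200: 115200}
IDX_IFLAG, IDX_OFLAG, IDX_CFLAG, IDX_LFLAG, IDX_ISPEED, IDX_OSPEED, IDX_CC = range(7)


def blank_attrs():
    """An all-zero termios attribute list, a neutral starting point for tests without a tty."""
    return [0, 0, 0, 0, 0, 0, [0] * getattr(termios, "NCCS", 32)]


def apply_8n1(attrs, baud=UART_BAUD):
    """Return a copy of a termios attribute list set to raw 8N1 at `baud`."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = attrs
    cflag &= ~(termios.PARENB | termios.PARODD)            # "n": no parity
    cflag &= ~termios.CSTOPB                               # "1": one stop bit
    cflag = (cflag & ~termios.CSIZE) | termios.CS8         # "8": eight data bits
    cflag |= termios.CREAD | termios.CLOCAL                # enable receiver, ignore modem-control lines
    cflag &= ~getattr(termios, "CRTSCTS", 0)               # a two-wire console has no RTS/CTS
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY |     # no software flow control
               termios.ICRNL | termios.INLCR | termios.IGNCR |    # do not translate line endings
               termios.ISTRIP | termios.BRKINT | termios.INPCK)   # keep every bit of every byte
    oflag &= ~termios.OPOST                                # write bytes exactly as given
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ECHOE | termios.ISIG | termios.IEXTEN)  # raw, no echo
    cc = list(cc)
    cc[termios.VMIN], cc[termios.VTIME] = 0, 10            # read() returns after 1 s even with no data
    return [iflag, oflag, cflag, lflag, baud, baud, cc]


def describe(attrs):
    """Summarise an attribute list in the post's "baud,parity,bits,stop" terms."""
    cflag = attrs[IDX_CFLAG]
    bits = {termios.CS5: 5, termios.CS6: 6, termios.CS7: 7, termios.CS8: 8}[cflag & termios.CSIZE]
    parity = "n" if not cflag & termios.PARENB else ("o" if cflag & termios.PARODD else "e")
    return {"baud": BAUD_VALUES.get(attrs[IDX_ISPEED]), "parity": parity,
            "data_bits": bits, "stop_bits": 2 if cflag & termios.CSTOPB else 1}


def is_8n1(attrs, baud=115200):
    return describe(attrs) == {"baud": baud, "parity": "n", "data_bits": 8, "stop_bits": 1}


def configure(fd, baud=UART_BAUD):
    """Apply the 8N1 settings to an open tty and return what the kernel reports back."""
    termios.tcsetattr(fd, termios.TCSANOW, apply_8n1(termios.tcgetattr(fd), baud))
    return termios.tcgetattr(fd)


def log_console(device, log_path, seconds=60):
    """Append everything the console prints during `seconds` to `log_path` (e.g. boot output)."""
    fd = os.open(device, os.O_RDWR | os.O_NOCTTY)          # e.g. "/dev/ttyUSB0" for a USB-TTL adapter (assumed)
    try:
        configure(fd)
        deadline = time.monotonic() + seconds
        with open(log_path, "ab") as log:
            while time.monotonic() < deadline:
                chunk = os.read(fd, 4096)                   # returns b"" after the 1 s VTIME timeout
                if chunk:
                    log.write(chunk)
                    log.flush()
    finally:
        os.close(fd)


def selftest():
    """Round-trip the settings through the kernel on a pseudo-terminal, so no hardware is needed."""
    master, slave = os.openpty()
    try:
        return is_8n1(configure(slave))
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print("pty round-trip OK:", selftest())
```

Run `selftest()` first to confirm the settings survive the kernel; then `log_console("/dev/ttyUSB0", "boot.log", 120)` while powering the target on. VMIN=0/VTIME=10 is what makes the loop time out cleanly instead of blocking forever on a silent line.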

Way 3: Installed Software Analysis

Check the software on the target system for bugs which may lead to information leaks or similar. 

One of the best things that can happen at the start is finding a way to dump parts of the memory, which may reveal sensitive and useful information about the PS4 environment.

A good example is the recently revealed exploit for the Wii U via its web browser and WebKit, which quite early on led to memory dumps. WebKit is known to be a weak point on nearly every system!

The Result

A decent result will give you a good overview of how the system works, which processes are linked to each other, what the filesystem looks like, and more.

Here's an example for the PlayStation4 filesystem: CLICK TO DOWNLOAD

The folders and files shown are based on our research so far. Some files and folders are missing and may be added in an update.



Part III of my "The State of Things" articles will arrive soon!

- SK

Friday, September 12, 2014

PS4 - The State of Things Part I: TitleIDs [#1 Update]

Yeah, I'm still here! A lot of information was collected, analyzed and misused in the past months. I want to share an overview with you, and I'll start with "Part I: TitleIDs".


This post is not entirely about the PS4; it will include some information about the PSV as well.

Why are we interested in TitleIDs?


Both the PS4 and the PSV use the well-known system of TitleIDs to identify games and apps. Most of them are visible to you via either the LiveArea on the PSV or the menu of the PS4.

Some of them, on the other hand, are only used as references for internal modules or similar and are therefore hidden. The most interesting ones are those linked with applications you are not supposed to see, which were implemented just for tests, were forgotten, or exist for other unknown reasons. Do we want to find and start them? Yes, we do!

How do we find valid TitleIDs?

Well, the best start is to look at the error reports of the consoles. Once a game or app crashes, a small error report is generated, and you can view this information via the system settings. You'll see that the TitleID is always included.

NPXS19999 is the TitleID
Surely this will not lead us to any interesting hidden applications, since those are most likely never active and cannot be crashed without knowing how to start them, but it gives us a good starting point, since the range of commonly used system IDs is huge (NPXS00000-NPXS9999). So now we need a way to test for valid IDs, i.e. a way to launch games/apps by TitleID so that the range can be brute-forced.

How do we start apps/games by TitleID?


PS VITA Method: [UPDATED]

[UPDATE]

For simplicity, here's a small web form which will unlock the PKG Installer for your PS VITA: http://www.zload.net/pkg/, kindly hosted by The Zett. Just enter the E-Mail address you use on your PSV and the script will send you the unlock E-Mail.

[/UPDATE]

On the PlayStation VITA there are many ways to achieve our goal, so it does not matter right now if one of them is public. I will show you the simplest one. You have probably noticed the leak of information regarding a hidden PKG installer a few months ago; this was achieved using this technique.

As simple as it is, the only thing you have to do is set up the E-Mail client application on your PlayStation VITA and send yourself an HTML E-Mail with the following content, so that you receive it on your PSV.

<a href="psgm:open?titleid=NPXS10031">OPEN PKG INSTALLER</a>

Open your E-Mail app and click the link, and the PKG installer will start. You may want to replace the titleid parameter with any of your choice. I have a small list of tested TitleIDs for the PSV right here; feel free to add or modify information.

PS4 Method:

For the PlayStation 4 our method is a bit more complicated and requires a bit of RE knowledge for Android and/or iOS. I'll describe an example for Android:

Please grab a copy of the Metal Gear Solid V: GZ companion app for Android and save the APK on your PC. APK Downloader is useful here! (It's a fantastic game, I'm really sorry I had to use this one :( )

Now you'll need the APK-Multi-Tool. Set up the tool and place the MGS companion APK file in the "place-apk-here-for-modding" folder. Start the tool via "Script.bat" and choose option 9 to decompile the APK. You now have a decompiled copy of the APK in your "projects" folder.

Locate the "PS4Net$1.smali" source file in "/smali/jp/konami/mgsvgzapp/", open it, replace the MGS V: GZ TitleIDs with one of your choice and save the file. Go back to the APK-Multi-Tool script and choose option 15 (assuming your Android phone is connected in debugging mode).

Now you can start the app on your phone; choose the main option and it will find your PS4 once you have logged in to PSN. Normally the application would then start Metal Gear Solid V: GZ, but now it tries to start your TitleID, if it exists.

The authentication system used for the secure communication between your phone and your PS4 is well done, but sadly it does not help once we use a modification like this. Feel free to join the list of tested TitleIDs for PS4.

For obvious reasons I made a small TitleID launcher to test different IDs a lot faster.

XBOX ONE Method:

In the APK described in the PS4 method you might have noticed that there is code for the XBOX ONE version of the game as well. It's nearly the same system; have fun.


Stay tuned for Part II!

Best regards,

- SKFU

Thursday, November 14, 2013

PS4 - Game Dumps, HDMI Fail & more...

Sleeping sucks; you're sure to miss news from other time zones. So, what happened while I slept?

1) PS4 Game Dumps


According to an A9VG member, PS4 games can be dumped with a common PC Blu-Ray drive.

It seems that a few games were already dumped, including Killzone, Knack, Battlefield 4 and AC4.

As soon as I get access to a disc or a dump myself, I will do an analysis of the files it contains.


For more details of the dumps, like game disc sizes and file structure please check out PS3Hax.

2) HDMI Fail

What happens if you force students to build your Next-Gen console under pressure? Well, they might return you faulty HDMI jacks.

IGN, Kotaku and many more individual users report that their PS4 video output stopped working. The console apparently is unusable for those who experienced it.

3) For those who already received a console

Sadly, I'm still looking for a PS4 unit; if you can help me get one, contact me at skfu@skfu.xxx.


In case you got a unit for yourself, here are some examples of what needs to be tested:

  • Before powering up the unit for first time, make a 1:1 dump of the HDD
    • Explore the HDD dump
  • Dump a game disc
    • Burn the dump to an empty BD
    • Check if the PS4 recognizes the disc
  • Check any files which can be transferred from the PS4
    • Savegames, etc.
  • Install a modified firmware
    • Use my PS4FwTool
    • Extract 2 firmwares
    • Rebuild a new firmware based on both outputs
    • Possible brick! Do at your own risk!
    • Recovery menu should bring you back in case of faulty firmware, but only do this if you actually are aware of the risk and know what you do!
  • Sniff anything
  • Modify the Companion Tool (iOS/Android)
    • Intercept game traffic between Companion Tool and PS4 game
  • etc.

Happy hacking,

- SKFU

Wednesday, November 13, 2013

PS4 US Launch Preparation

Two days are left until the official PS4 launch in the USA, and Sony is pushing all the necessary sites and files online.


1) PS4 Firmware Download

This time, SONY has officially released firmware 1.5. A few things we now know for sure:

The 0x01000000 in the SLB2 firmware container files is the SLB2 version, not the firmware version.

The firmware that was "leaked" earlier is not the same as the one they have released now. The current firmware has version 01.501.000. The prior one came with two different XML files, so it's still unclear whether it was 01.000.000, as the US update list said, or 01.500.000, as the JP update list said.

Full MD5 list:

01.500.000 / 01.000.000 system: C64D11F839AC8628176941B99FD3670E
01.500.000 / 01.000.000 recovery: 6F4D6AFE98DD7297C70AA4D6E7E5482B

01.501.000 system: DF008B5601F4A214A3CC65030A02AC4A
01.501.000 recovery: CEDADA625478DB608D5878C019454380



2) PS4 Manuals

You can now check out the official online manual HERE.





3) PS4 Open Source Software

The official PS4 open source page is HERE.




- SKFU

Thursday, November 7, 2013

Release: SKFU's Pr0xy

Recently I have read Wololo's article "Best PSP/Vita Homebrew for November 2013" and noticed that my quite old "SKFU's VITA Pr0xy" is still being used by many people.

Sadly, I kinda missed releasing an updated version of my proxy software at any point. Thanks to the great feedback on my old proxy, here comes the brand new one: "SKFU's Pr0xy".



I removed the "VITA" from its name since it has changed a lot since the release of my old proxy server software; I don't want people to think it is a piece of software limited to the PSV. It definitely is not!

But here's what it is and what it has got:
  • The most user-friendly Windows Pr0xy
  • Keyword filter
  • Filter plugin support (users can create and share plugins)
  • Rules by traffic direction
  • Import & Export of rules
  • Blacklist
  • Raw data modification
  • Fast de-/encode
  • SSL Filter
  • DNS Lookup
  • and a lot more...

Downloads
Note: If you choose the ZIP archive, please make sure to have the VC Redists and Apache with OpenSSL installed!



- SKFU

Sunday, November 3, 2013

Release: PS4 FW Tool 1.0.0

Heyho,

here comes SKFU's PS4 FW Tool 1.0.0:


Features:
  • Show PS4 firmware details
  • Unpack PS4 (SLB2 container) firmware
  • Pack PS4 (SLB2 container) firmware
Todo:
  • Unpack (inner) PUP
  • Pack (inner) PUP

Keep in mind that SLB2 files are the complete firmware files. SLB2 files contain PUP files. 

SONY just used the file extension ".PUP" for the actual SLB2 firmware files to make it less confusing for common users.
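An added example that serves both this post and the MD5 list in the "PS4 US Launch Preparation" post above; it is my own code, not the PS4 FW Tool's. It first checks a downloaded update file against the published MD5 digests (an integrity check against that list, not proof of authenticity), then reads the SLB2 container header to show that the 0x01000000 bytes are simply the little-endian container version 1 and to list the inner PUP entries with bounds checks before any of them is extracted. The header and entry layout (0x28-byte header, 0x30-byte entries, offsets counted in 0x200-byte blocks) is my assumption from the public SLB2 description and should be verified against a real file; the sample container and its entry names are constructed inline.

```python
import hashlib
import struct

# MD5 digests as listed in the "PS4 US Launch Preparation" post (lower-cased for comparison).
KNOWN_FIRMWARE_MD5 = {
    "c64d11f839ac8628176941b99fd3670e": "01.500.000 / 01.000.000 system",
    "6f4d6afe98dd7297c70aa4d6e7e5482b": "01.500.000 / 01.000.000 recovery",
    "df008b5601f4a214a3cc65030a02ac4a": "01.501.000 system",
    "cedada625478db608d5878c019454380": "01.501.000 recovery",
}

# ASSUMED SLB2 layout (verify against a real file): little-endian integers,
# 0x28-byte header, 0x30-byte entries, every offset expressed in 0x200-byte blocks.
BLOCK_SIZE = 0x200
HEADER_FMT = "<4sIIII20s"   # magic, version, flags, entry_count, block_count, reserved
ENTRY_FMT = "<IIII32s"      # start_block, block_count, file_size, reserved, name
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x28
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 0x30


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a (possibly huge) update file through MD5 instead of reading it whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_firmware(digest, table=KNOWN_FIRMWARE_MD5):
    """Return the firmware label for a digest, or None if it matches nothing on the list."""
    return table.get(digest.lower())


def parse_slb2(data):
    """Return (container_version, [(name, byte_offset, size), ...]) after sanity-checking the table."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too small for an SLB2 header")
    magic, version, _flags, entry_count, block_count, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != b"SLB2":
        raise ValueError("not an SLB2 container")
    if HEADER_SIZE + entry_count * ENTRY_SIZE > len(data):
        raise ValueError("entry table runs past end of file")
    entries = []
    for i in range(entry_count):
        start, nblocks, size, _, raw_name = struct.unpack_from(ENTRY_FMT, data, HEADER_SIZE + i * ENTRY_SIZE)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        offset = start * BLOCK_SIZE
        # Never trust table values blindly: a crafted or truncated file can point anywhere.
        if size > nblocks * BLOCK_SIZE or start + nblocks > block_count or offset + size > len(data):
            raise ValueError(f"entry {name!r} has inconsistent bounds")
        entries.append((name, offset, size))
    return version, entries


def extract_entry(data, entry):
    _name, offset, size = entry
    return data[offset:offset + size]


def is_well_formed(data):
    try:
        parse_slb2(data)
        return True
    except ValueError:
        return False


def build_slb2(files):
    """Build a minimal SLB2 image from {name: bytes}; used here only to construct sample input."""
    table, payload, next_block = b"", b"", 1     # header + entry table assumed to fit in block 0
    for name, content in files.items():
        nblocks = -(-len(content) // BLOCK_SIZE)  # ceil division
        table += struct.pack(ENTRY_FMT, next_block, nblocks, len(content), 0, name.encode("ascii"))
        payload += content.ljust(nblocks * BLOCK_SIZE, b"\0")
        next_block += nblocks
    header = struct.pack(HEADER_FMT, b"SLB2", 1, 0, len(files), next_block, b"\0" * 20)
    return (header + table).ljust(BLOCK_SIZE, b"\0") + payload


# Constructed sample: two placeholder inner files, not real PUP data.
SAMPLE = build_slb2({"INNER1.PUP": b"first inner file (constructed)", "INNER2.PUP": b"x" * 0x300})

if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    digest = md5_of_file(path)
    print(path, digest, identify_firmware(digest) or "UNKNOWN digest - do not flash this")
    with open(path, "rb") as f:
        version, entries = parse_slb2(f.read())
    print("SLB2 container version", version)
    for name, offset, size in entries:
        print(f"  {name:<32} offset=0x{offset:08x} size=0x{size:08x}")
```

Usage: `python slb2check.py PS4UPDATE.PUP`. An unknown digest is reported rather than silently accepted, and a table entry whose blocks run past the end of the file is rejected before anything is extracted, which is the check a tool that repacks firmware should make before trusting a downloaded container.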

Download: CLICK


- SKFU

Tuesday, October 29, 2013

PlayStation 4 - Update File Analysis *UPDATED*

----------UPDATE----------
The update files were removed from the SONY update server. Since it is unclear whether this was firmware version 1.00 or 1.50, let's hope SONY made some mistake here which helps us in the future :)
----------UPDATE END----------

Hey guys,

here comes a short analysis of the PlayStation4 update files. Available at:




Best regards,

- SKFU